
There are some people saying that people should use antivirus software on a Mac. And there are thousands of people claiming that Macs don't get viruses (under this term I mean spyware/malware as well); some even say that it's just a trick from antivirus companies to say that there is a need for antivirus.

Honestly, I'm a bit confused. I don't want to waste resources on possibly unnecessary antivirus software, but I want to have my computer safe.

If it has been common knowledge for quite some years now that Macs don't get viruses, shouldn't there be some bad people striving to prove this wrong?

(Edit: here is a quite recent reference on people dismissing antivirus software on Mac: https://discussions.apple.com/message/24714586.)

gen
  • Every system has flaws, and then I'm not even counting humans. Get antivirus software! – Darsstar Jul 10 '14 at 07:02
  • Do you have any recommendations? I am about to choose Avast. – gen Jul 10 '14 at 08:28
  • If you don't want viruses then you should install anti-virus software. A virus will waste a lot more resources than the anti-virus software will. – ewatt Jul 10 '14 at 07:37
  • Components like Safari can be targeted by malware rather than classical Windows worms spread from USB sticks. As a multi-layer defence, it is better to have one. Have a look into this: http://nakedsecurity.sophos.com/2014/03/14/pwn2own-day-two-chrome-and-safari-join-the-losers/ – Kasun Jul 10 '14 at 19:37
  • @Darsstar and lots of antivirus software systems have flaws (never met a PC I liked that was running Norton, for example... :) – DA. Jul 11 '14 at 06:54
  • One of the Mac users in my office just recently took their laptop off the network and managed to contract CryptoLocker. Luckily it didn't start trying to fetch its private key until it was back behind our firewall, so we caught it before it wrecked our whole network, but still it's pretty clear the game is changing when one of the most infamous modern viruses is now infecting Macs as well. We will be installing AV clients on ALL Macs from now on. – thanby Jul 11 '14 at 13:37
  • @thanby that sounds pretty interesting. I just looked up Wikipedia for CryptoLocker; it states at the beginning that it's Windows-exclusive – gen Jul 11 '14 at 15:22
  • Sounds like Wikipedia needs to be updated ;) All I know is what our network admin told me he saw on the firewall, which was definitely CL and definitely coming from a newer MacBook Pro – thanby Jul 11 '14 at 15:52
  • Don't let me be misunderstood; I believe what you've said ;) – gen Jul 11 '14 at 15:56
  • @thanby - It wasn't CryptoLocker. (List of all known Mac malware: http://www.thesafemac.com/mmg-catalog/ ) It may have been a ransomware hoax, which is a bit of JavaScript annoyance and not an actual trojan or virus - http://www.macrumors.com/2013/07/16/os-x-users-hit-by-ransomware-websites-posing-as-fbi-notices/ – RI Swamp Yankee Jul 11 '14 at 16:05
  • @RISwampYankee there are two kinds of things: known and unknown. What is more interesting here is the list of all unknown malware for OS X, isn't it? ;) – gen Jul 11 '14 at 16:22
  • @RISwampYankee It wasn't a browser hijack, it was our firewall logging the ZBot injector trying to download the rest of the components for CryptoLocker. I'll see if my network admin still has the logs from our firewall so I can send them to that guy and he can update his list. – thanby Jul 11 '14 at 16:23
  • @gen - AV companies are going to be as blindsided as Apple is by "unknowns." This still smells like a false positive - no Zbot in the wild for a Mac. Was the user running a PC environment under emulation? Discovering an in-the-wild Zeus clone for the Mac, esp. a CryptoLocker variant, if confirmed, will make you *famous.* – RI Swamp Yankee Jul 11 '14 at 16:45
  • @RISwampYankee Was that addressed to me? If it is true, the credit belongs to @thanby as far as I am concerned. – gen Jul 11 '14 at 17:43
  • Seems I wasn't the first to notice it: http://www.decodedscience.com/two-week-window-gameover-zeus-botnet-seized-cryptolocker-blocked/46269 The bottom paragraph reads "...but antivirus experts have found CryptoLocker on Macs..." – thanby Jul 11 '14 at 19:19
  • @thanby: that's enough for me, I'll use an AV – gen Jul 11 '14 at 19:26
  • @gen note that MacBooks can run Windows just fine. In that sense, it very well *could* have been a Windows virus and yeah, if you're running Windows on your Mac, you want anti-malware on Windows. – DA. Jul 12 '14 at 21:58

8 Answers


There is no clear evidence that third-party anti-malware security software (AV software) is more effective than Apple's own security solutions at protecting Macs. Rich Mogull on the Mac TidBITS blog explains:

> Far less malware exists for Macs, but even there we see limited effectiveness across tools. For example, in a recent test by Thomas Reed, even the best Mac malware tool detected only 90 percent of the known malware samples used. This is a poor showing — we only see dozens of Mac malware variants per year, compared to 65,000 per day for Windows.

> Despite Flashback being used as a call to arms to encourage people to adopt antivirus tools, most of those tools failed to detect Flashback for weeks — until it was highly publicized.

AV vendors make a number of dubious claims with little real-world verification; if a widespread "zero-day" attack did hit, there is no reason to expect third-party software, which relies on signature databases, to be able to identify and stop it. Some third-party Mac AV packages didn't recognize well-documented Flashback variants for more than a year after it first hit.

Moreover, Apple has its own security features, XProtect and Gatekeeper, which do a good job of identifying and preventing known and potential malware from executing on your system. Apple keeps these up to date, and is generally good about patching known security issues quickly.

Third-party AV software does have some (limited) utility in protecting non-Mac systems from infected files sourced from other non-Mac systems (sharing documents, etc.).

RI Swamp Yankee
  • I like this answer because it is evidence-based, up-to-date (anecdotes about the state of Mac anti-virus in 2003 aren't relevant), and most importantly it notes that there is already anti-malware software included with OS X. – ghoppe Jul 10 '14 at 15:35
  • @ghoppe, and modern Windows comes equipped with native anti-malware tools as well. In order to consider the position of "just use the native tools," I'd want to see a comparison of the efficacy of native Windows tools to the third-party AM tools. If the difference between native and third-party AM tools on Windows is much greater (in favor of the third-party tool) compared to the difference between Mac tools (especially if the difference is in favor of the native tools), then there might be a point here. Otherwise, I would still recommend getting an AV for Mac. – Brian S Jul 10 '14 at 18:39
  • @BrianS Exactly. Which is what was stated in this answer: current third-party antivirus tools aren't updated as regularly as the native OS X tools and effectively don't give any extra protection. – ghoppe Jul 10 '14 at 18:56
  • @ghoppe, but there's no comparison of native vs. third-party Windows tools, while it is an accepted fact that Windows users need AM software. If there's a difference in favor of native Mac tools, then sure, use the native tools. But if the difference mirrors the difference on Windows, why wouldn't you use the third-party tools for the same reason as people use them on Windows? – Brian S Jul 10 '14 at 18:58
  • @BrianS *"we only see dozens of Mac malware variants per year, compared to 65,000 per day for Windows."* There is a several-orders-of-magnitude difference in the rate at which anti-virus software in Windows needs to be updated. If native OS X tools are updated more regularly than third-party tools and the odds of getting malware are so small, what's the point of extra overhead and complexity? – ghoppe Jul 10 '14 at 19:15
  • @BrianS As an aside, I also don't use third-party anti-malware tools regularly on my PC. Since Windows 8, I believe native anti-malware is simply good enough for my comfort level, and keeping an extra anti-malware software running and up-to-date isn't worth the hassle. – ghoppe Jul 10 '14 at 19:18
  • @BrianS - Mac AV software has proven to be *at least as* ineffective as the built-in Mac security tools, as explained in the linked articles. There is no demonstrable benefit to running them - so why bother? You really can't directly compare the Mac to the PC here, as they employ different security models vs. malware, and so have different requirements and threats to contend with. – RI Swamp Yankee Jul 10 '14 at 20:28
  • @BrianS is that true? What I've read is that MS's own tools have been fairly highly regarded, and compare well to 3rd-party tools. – DA. Jul 11 '14 at 06:25
  • Thank you for your answer. Supposing I'd like to take extra measures to enhance my Mac's security, what would you recommend? (apart from not clicking on every link, etc...) – gen Jul 11 '14 at 15:24
  • @RISwampYankee as for "zero-day" attacks, I understand that AVs use signature databases, but don't they also have some AI built in? – gen Jul 11 '14 at 21:27
  • Rich Mogull can't be trusted. "65,000 malware variants per day for Windows"? The guy is clearly an idiot. – user25221 Jul 14 '14 at 09:44
  • @MoJo - Yeah, he's lowballing it: http://www.pcworld.com/article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.html – RI Swamp Yankee Jul 14 '14 at 12:48
  • The 30 million new viruses a year claim is clearly nonsense. It would require at least 10 million skilled programmers to create them all, and a similar supply of zero-day vulnerabilities to make them effective and valuable. Think of all the money that would need to be paid to these programmers. What they really mean is that 30 million very slightly different copies of the same virus are out there, and code morphing/encryption key morphing have been around for decades and are not considered "new" viruses each time. In other words, they are all speaking from profound ignorance and stupidity. – user25221 Jul 14 '14 at 16:39
  • @MoJo - Agreed! Most of the 80k/day are generated programmatically rather than coded by hand. Yet, the Mac doesn't have the same torrent of *new signatures* to contend with daily as on Windows. Different platform, different threat environment. Kind of the point, here. – RI Swamp Yankee Jul 14 '14 at 17:53
  • Technological update: [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) provides additional protection for the UNIX underpinnings of the system, preventing tampering and malware "persistence" there, and I have some experience with how effective some of the kernel improvements have been in regards to unauthorized inter-process memory access… even "running as root". (Process record deleted, no signals, at a random point after identification each time. It's amazing to watch. _Segfaults debuggers watching the process._) – amcgregor May 28 '20 at 17:15
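The answer above rests on the built-in protections (File Quarantine, XProtect, Gatekeeper), all of which key off the `com.apple.quarantine` extended attribute that downloads receive. The script below is an added example, not part of the thread and not Apple's tooling: it decodes that attribute (four semicolon-separated fields: hex flags, hex download time in Unix seconds, the downloading application, and an identifier) and, on a Mac, asks `spctl` and `codesign` for their verdicts. The sample value in the comments is constructed; the XProtect plist locations and the use of `plutil -p` to read them are assumptions for illustration; the flag bits are shown but not interpreted, because their meanings are not documented.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple: decode what File Quarantine
# recorded for a download and ask the built-in checks about the file.
# The com.apple.quarantine value has four ';'-separated fields:
#   <flags, hex bitmask>;<download time, hex unix seconds>;<downloading app>;<identifier>
# e.g. the constructed value "0081;5f2a3b4c;Safari;9E0F2A3B-1".
# Bit meanings are undocumented, so the flags are displayed, not interpreted.

# Field 1..4 of a raw com.apple.quarantine value.
quarantine_field() {
  printf '%s\n' "$1" | cut -d ';' -f "$2"
}

# Flags field as a decimal integer.
quarantine_flags() {
  printf '%d\n' "$(( 0x$(quarantine_field "$1" 1) ))"
}

# Download time as decimal unix seconds (feed to `date -r` on macOS).
quarantine_timestamp() {
  printf '%d\n' "$(( 0x$(quarantine_field "$1" 2) ))"
}

# One-line human-readable summary of a raw value.
quarantine_describe() {
  printf 'flags=0x%s (%s) downloaded_at=%s agent=%s id=%s\n' \
    "$(quarantine_field "$1" 1)" "$(quarantine_flags "$1")" \
    "$(quarantine_timestamp "$1")" "$(quarantine_field "$1" 3)" \
    "$(quarantine_field "$1" 4)"
}

# On a Mac: show the attribute, then Gatekeeper's verdict and the code signature.
# A file with no attribute is the important case: File Quarantine, XProtect and
# Gatekeeper only gate files that carry it.
check_download() {
  f=$1
  raw=$(xattr -p com.apple.quarantine "$f" 2>/dev/null) || raw=
  if [ -n "$raw" ]; then
    quarantine_describe "$raw"
  else
    echo "no com.apple.quarantine attribute: built-in checks will not gate $f"
  fi
  spctl --assess --type execute -vv "$f" 2>&1 || true
  codesign --verify --deep --strict -v "$f" 2>&1 || true
}

# Is Gatekeeper enabled, and which XProtect definitions are installed?
# Plist locations are assumptions covering older OS X and current macOS layouts.
protection_status() {
  spctl --status 2>&1 || true
  for p in /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist \
           /System/Library/CoreServices/XProtect.bundle/Contents/Info.plist \
           /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist; do
    [ -f "$p" ] && { echo "$p:"; plutil -p "$p" | grep -i version; }
  done
  return 0
}

# Usage: sh check_download.sh ~/Downloads/SomeInstaller.dmg
if [ $# -gt 0 ]; then
  protection_status
  for f in "$@"; do check_download "$f"; done
fi
```

The "no attribute" branch is the caveat worth remembering: a file that arrived over SMB, was unpacked by an archiver that does not propagate the attribute, or had it removed with `xattr -d` is never looked at by File Quarantine or Gatekeeper, however current the XProtect definitions are.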

This is a little long, but this exact argument has been rehashed for the last 14 years. I want to put it to bed.

I worked for Apple tech support from 1992-2001 and have been an Apple developer since. So, I have a very good historical view of Apple ecosystem malware security.

My conclusion? 3rd-party anti-malware software on the Mac is unnecessary and, as Ari Trachtenberg noted, can cause more problems than it solves.

It's akin to swallowing a handful of antibiotics whenever you get the slightest sniffle. The antibiotics are going to do more damage than they prevent. In my professional opinion, installing anti-malware on the Mac is far more likely to cause crashes, lost data, slowed workflows and security problems than to prevent them.

If you ask Apple technical professionals like myself, e.g. programmers and technical support types, you won't find more than a few percent that bother with 3rd-party anti-malware software. By contrast, you won't find any Microsoft technical professionals that don't. That alone says everything.

Apple operating systems are the most secure of all mass-market operating systems. Why? Because Apple made the core design decision over 15 years ago to prioritize security over data-flow openness. Microsoft and later Google set the opposite priority.

That's it. Whether that tradeoff is the right one, or the right one for any particular user, is a matter of subjective opinion. What is not subjective is that Apple products are massively secure compared to their competitors.

They are so secure that they require no additional anti-malware protection except in certain very rare use cases.

Almost everything Lucas Kauffman said is true in the vaguely general but wrong in the specifics. And an analysis of the tradeoffs is in the details.

> Macs do get viruses,

There's never been an actual Mac OS X or iOS virus in the wild that infected any end user's computer. Viruses are malware that can auto-replicate without human interaction. All the malware listed in the "10 years of malware for OS X" article are actually trojans. Trojans require that a human being intentionally install the malware and give it permissions to run.

The Mac already comes with Apple's File Quarantine system, which has a trojan blacklist built in that Apple maintains and updates. Since most trojans now are encrypted, I doubt a 3rd-party app will do a better job than the OS.

To use a 3rd-party anti-malware program, you have to give that program itself the run of your system, and that causes its own problems and opens its own potential security holes. The tradeoff just isn't worth it in the vast majority of cases.

> There have been numerous vulnerabilities published which affect both OS X or software running on OS X.

Don't mistake "vulnerabilities" for actual operating threats. Security companies and the media make a lot of noise about this or that "vulnerability" discovered in an operating system, but that doesn't mean any end user actually gets hit by malware using the vulnerabilities.

Nor does the number of vulnerabilities have any relationship to the threat potential they pose. One bad vulnerability can cause more damage than hundreds of minor ones. It's a vulnerability of your front door that a rogue locksmith could pick the lock. That is not the same level of threat as someone malicious having your house keys.

To actually cause harm to end users, malware authors have to find the vulnerabilities, then come up with an economic model to exploit them, develop the malware and then distribute it, all before Apple patches the vulnerability. After 14 years, nobody has been able to do that.

> ...the main reason why there were historically so few viruses around for Mac is because their market share was so small.

That's a common assertion, but it's not true. In the mid-1990s, Macs running Mac OS Classic had a 2% market share and around 50% of the viruses. Before the internet got big, Macs exchanged files on disk a lot more than PCs, which tended to be linked to specific big-iron databases with little infection potential. Mac OS Classic had virtually no built-in security, so when malware got in, the Mac went down like "an Aztec sneezed on by a Spaniard," as one of my colleagues colorfully put it.

I worked at Apple tech support back then and we all ran anti-virus and encouraged our customers to do so. Macs that came with software bundles shipped with 3rd-party anti-malware software preinstalled.

We were getting hammered with viruses and worms, and then the switch to Mac OS X came and it all stopped cold. But we all believed that as soon as Mac OS X had been around a year or so, the malware authors would hammer us again.

But it never happened.

I ran anti-virus software on my Macs for 5 years on Mac OS X without a single active hit (lots of .exe files from the internet, though). Finally, I just gave up.

It's implausible that after 14 years and two platforms not a single virus managed to hit an Apple OS, and only a literal handful of trojans. Even if Apple has a smaller market share, there are still hundreds of millions of Apple devices out there, 90% of them running no 3rd-party anti-malware software. That's a big potential payday for anyone.

Moreover, because Mac users specifically don't run anti-virus, once a machine got infected, it would stay that way for longer than a Windows machine, offering a much bigger payout per infected machine. Yet, still, nothing.

Clearly something technical happened in the shift from Mac OS Classic to Mac OS X. Mac OS X was simply more secure.

The low-market-share myth was utterly destroyed by the rise of iOS and Android. iOS dominated the smartphone market for 4-5 years at least, yet no one wrote successful viruses for it. When Android came out, viruses appeared almost immediately. Nor does the ratio of malware in the wild correlate with market share. Android has 2-3 times the market share of iOS but a whopping 112 times the percentage (79% vs 0.7%) of the active malware.

Compared to iOS, Android at present is massively infected.

The simple truth is that Google, like Microsoft before them, made a design decision to emphasize openness of data flow more than security. That openness and freedom is pretty much like the openness and freedom of having a house, or worse a bank, with no locking doors. It has its advantages, but security isn't one of them.

Apple by contrast is rabid about security to the point where it is a severe headache for developers. Most Apple users are totally unaware how hard developers have to work to make apps share data and still comply with Apple's security requirements.

Even if the low-market-share myth were true, it would still mean that a Mac end user was more secure than a Windows user; it just wouldn't be for technical reasons.

> Remember there are numerous malware instances which will work as well on Mac as they work on Windows.

Well, no. You can pick up malware from Microsoft products, but unlike on Windows, the infections remain isolated within the app. I've searched for proven losses from Windows cross-platform infections and, somewhat to my surprise, can't seem to find them. In the real world, the worst case is that you pass the malware on to someone with a Windows machine where it causes trouble.

Java malware is hard for 3rd-party anti-virus programs to detect because many Java files are encrypted these days. The recent Java malware was a risk, and it took Oracle so long to patch it that Apple chose to switch off Java by default just in case. Still, there don't seem to have been any serious losses associated with it on the Mac.

Likely because writing cross-platform exploits is very hard, and it increases the size of the piece of malware, which makes it harder to spread and easier to detect. Even if you get it running in a faulty app on the Mac, it's unlikely that it would do anything. For example, you can't hijack the Mac's Mail app from Word the way you can hijack Entourage.

Still, if you deal with receiving and then resending a large number of Microsoft app files, then using a 3rd-party anti-virus might be worthwhile just to protect the people you resend to.

> Generally OS X, because of its architecture, already has decent protection, but this does not mean it's completely safe.

Nothing is perfectly safe. This is about tradeoffs. On Windows, the tradeoffs are clear. Even with a thoroughly updated version of the OS, if you put a new clean unit online it will be infected in days, if not hours. 3rd-party anti-malware is clearly worth the tradeoffs.

By contrast, if you put a clean new Mac online it can go for years or decades without being infected. Why bother with all the tradeoffs, including increased security risk, for a microscopic chance it will pay off, despite all the evidence it won't?

> There is already an increase in malware development for OS X and the attacks are also becoming more advanced.

Maybe true, but that doesn't mean the attacks are becoming more successful or that end users are being harmed more. The numbers just don't show actual real-world harm.

> Microsoft is like an army in a bunker which is constantly under attack and at a high rate. They have been so for 10 years and this allowed them to increase their capabilities in responding to vulnerabilities. Apple, on the other hand, is more like a bunker which gets some pesky attackers every once in a while but nothing too serious.

Well, I'd say that Microsoft's design decisions put them in the place of Poland while Apple's put them in the position of Switzerland.

In any case, the analogy is flawed because there are quite a lot of vulnerabilities being constantly reported for Apple, just like Microsoft and Google. If Apple were like an army that hadn't had any battle experience, then those vulnerabilities would eventually translate into serious malware problems for end users. Yet, after 14 years, they haven't.

The simple truth is that Apple is simply far more concerned about security, and more adept at securing vulnerabilities, than Microsoft or Google. Apple decided 14 years ago that when security and data openness conflicted, security would trump openness. In the last few years, they've emphasized it even more.

> Like I said, I believe that this is going to shift soon.

Well, "soon" is obviously longer than 14 years, because that's how long this exact same argument has been made. I gave up on the idea 9 years ago.

Remember, Apple isn't sitting still on security either. Apple has the most aggressive security design of any platform right now, and it's getting more secure with every release. The Mac is evolving into a system like iOS where apps are completely isolated by default. Moreover, the apps themselves are more and more composite applications, themselves composed of isolated sub-applications. You have to use at least two separate and unrelated exploits to penetrate a single app under this system (sandbox), and even then you've still only subverted a single isolated app.

> Therefore, AV software might also be a good thing because it can often also help mitigate issues if Apple fails to address severe vulnerabilities fast enough.

Given Apple's excellent track record, which is based on their core design decisions, I would bet on Apple based on 14 years of real-world experience. I haven't been able to find a case in which 3rd-party software defeated a problem before Apple did. Apple has the same information on emerging threats as 3rd-party developers, combined with detailed knowledge of their operating system. Apple can usually patch any exploit before the anti-malware developers can roll out an update to merely detect the problem.

When you get a Mac, you lose some benefits of the Windows world, no doubt. But as a tradeoff you also get some benefits. One of those benefits is a boost in security so massive that most Windows users can't even believe it. That's where all this "any day now" prediction of a malware apocalypse for Apple comes from.

Based on Apple's proven track record to date, if you use Macs, you can expect to go another 14 years without a malware problem. I'd say that obviates the need for the expense and hassle of additional software.

Just don't download installers from porn sites, then ignore the security warning, then run the installer and then give it your password, and you'll be fine.

TechZen
  • Wow ... quite a comprehensive response. I can't fact-check it all, but I think that the view of iOS security is a bit optimistic (although generally on the right track). Lacoon claims (based on proprietary methods and data I cannot check) that some 47% of spyphone-infected devices are iOS devices (http://www.lacoon.com/dev/wp-content/uploads/2013/08/BH-USA-2013-Attacks-Against-MDM-Lacoon.pdf). It's just that anti-virus isn't likely to help. – Ari Trachtenberg Jul 11 '14 at 01:41
  • Gave you an upvote, despite one quibble: Android's problem is not its lack of a security model (though there's some room for improvement there) but its [glacial pace of updates](http://www.citeworld.com/article/2143625/mobile-byod/heartbleed-android-jelly-bean-disaster.html) to counter threats, something that's [expected to continue](http://www.zdnet.com/android-l-will-mean-more-fragmentation-hell-for-both-users-and-developers-7000031293/) into the foreseeable future. The addition of SELinux into KitKat will certainly help in the future, though. – Michael Hampton Jul 11 '14 at 03:52
  • "In the mid-1990s, Macs running Mac OS Classic had a 2% marketshare and around 50% of the viruses." - this is patently untrue. Mac OS Classic was, if anything, *more* hostile to malware, with the possible exception of macro viruses. There was one AV vendor at the time, pretty much a one-man show, and he stopped supporting the product as no significant threats emerged - ClamAV was the only AV package for a while (we won't discuss Norton), and was more for disinfecting files in a mixed Mac/PC environment where the Mac was a server/distributor. – RI Swamp Yankee Jul 11 '14 at 11:45
  • @AriTrachtenberg - According to your link, the iOS devices that comprise the 47% of spyphone-infected devices are all jailbroken. Jailbreaking destroys iOS security; that's rather the point of jailbreaking. – TechZen Jul 11 '14 at 13:57
  • @Michael Hampton - The slow upgrade pace is a direct result of Android's open model. By surrendering almost all control over who, how, and how long anyone uses Android, Google also surrenders control over updates and security. People stuck with older hardware actually can't upgrade the OS until they get a new phone. Apple still patches older versions of its OS. Also, why were the older versions so vulnerable in the first place? Google's CEO admitted the tradeoff between openness and security designs in the link above. – TechZen Jul 11 '14 at 14:03
  • @RI Swamp Yankee - I can't disagree more. I was there. I was the individual who discovered the AutoStart worm was crashing AppleShare file servers by overwriting the Desktop.db file. Until Mac OS 9, Mac Classic had zero permissions control. Any process could write anywhere. Worse, its shared-memory model meant that a process could actually write into another process's active memory. It was a security sieve. Its core architecture had been laid down long before anyone gave much thought to desktop security. – TechZen Jul 11 '14 at 14:11
  • @RI Swamp Yankee -- BTW, ClamAV was originally only for Unix systems and therefore only showed up on the Macs after the transition to OS X. It never ran on Classic. It was Norton and Symantec for years, then Symantec bought Norton. Easy to misremember. That was a long time ago in computers. – TechZen Jul 11 '14 at 14:13
  • @TechZen - Here's a list of known malware for "Classic Mac". Compare to a list of PC malware from the same period. http://lowendmac.com/virus/classic-mac-virus-list.html - Also, here's a contemporaneous (2000) paper on the topic - http://www.faqs.org/faqs/computer-virus/macintosh-faq/ – RI Swamp Yankee Jul 11 '14 at 14:44
  • @TechZen thank you for the incredible answer. Could you please take a look at here: http://security.stackexchange.com/questions/62941/apple-id-phishing-lead-to-my-router-infected? – gen Jul 11 '14 at 15:38
  • @TechZen My understanding is that the malicious code jailbreaks the phone for you, not that they target already jailbroken phones. – Ari Trachtenberg Jul 11 '14 at 18:16
  • @TechZen, please see the comments (thanby's) under the original question: it seems Macs do get infected by CryptoLocker – gen Jul 11 '14 at 19:28
  • @gen: I read those comments. The author of that article made an unsupported claim. Googling for the subject turns up a few allegations but nothing substantiated. 10 months ago, at worst, you had to restart Safari. I wouldn't call that being "infected". – NotMe Jul 11 '14 at 19:35
  • Thanks for this detailed answer. I appreciate it when it involves such a strong conclusion. – Andrew Grimm Oct 13 '14 at 22:16
  • "Nothing is perfectly safe. This is about tradeoffs. On Windows, the tradeoffs are clear. Even with a thoroughly updated version of the OS, if you put a new clean unit online it will be infected in days, if not hours. 3rd party anti-malware is clearly worth the tradeoffs." Now where did that come from? :) As much as your post is mostly right, this is uber-BS. Putting a patched Windows machine on the net won't yield the infection you describe. – niilzon Feb 23 '16 at 13:57
  • Oh, `nVIR`. There remain some holes, though. Things Apple may in some way consider features, which have unfortunate consequences. Luckily, there are targeted tools for these specific areas requiring coverage, such as those provided freely by [Objective-See](https://objective-see.com). I've helped report and thus improve the security of several apps I frequently use via the DyLib Hijack Scanner, and truthfully, use most of their tools that apply to the current OS version. – amcgregor May 28 '20 at 17:32

I'll answer in the form of an anecdote.

Back in 2003, I was working in tech support for a Mac-based organisation. We were essentially a government contractor and, as such, nearly all our money came from sending Microsoft Word documents to the government to document what we had done and what we should be paid for.

Someone managed to bring a Word macro virus into the system. It executed only within Microsoft Word, but the macro language is the same across Windows and Mac computers, so it ran just fine. As well as documents, it could infect the preferences file and, after that, any Word document you opened up on that same computer. As files were shared around, more and more computers were infected. Shortly, we found that we couldn't submit the Word documents to the government agency responsible for paying us because they were rejected at their email gateway.

On a Windows machine, the virus in question also attempted to delete the C: drive. Of course, that didn't work on a Mac, so we were unaware that we even had the virus. It didn't affect us until we sent it to the government.

The clean-up was a big pain. The computers were spread from Cairns to Adelaide and there were only three of us in the IT department.

The key point here is that even malware that doesn't affect your Mac can still affect your life and/or business.

Native Mac malware is rare but is getting less so all the time. Many malware authors are creating cross-architecture payloads and targeting multiple vulnerabilities now, because ignoring that portion of potential victims that don't use Windows is leaving money on the table.

However, antivirus is still a mixed bag. Both signatures and heuristics have their flaws (false positives and false negatives), and in some cases the antivirus software itself contains flaws that the malware can exploit. Even without malware to exploit flaws, anti-virus flaws can still cause problems on your computer.

In most cases, normal users are better off running some brand of antivirus.

(Note that this includes Apple's own File Quarantine system. If your version of Mac OS X has that, you already have anti-virus protection and I wouldn't recommend getting another one.)

Ladadadada
  • Do the current Mac anti-* applications catch the MS Office macro infection vector? – dotancohen Jul 10 '14 at 10:02
  • @dotancohen They did back in 2003. We had several options to choose from. I don't think they would have regressed that badly in the last decade. – Ladadadada Jul 10 '14 at 10:21
  • Would any existing anti-virus have caught that Word "virus"? – sixtyfootersdude Jul 10 '14 at 20:32
  • @sixtyfootersdude There were several anti-virus offerings at the time that solved our particular problem. The cleanup was a pain due to the spread-out nature of the company, but cleaning up any single office was easy. – Ladadadada Jul 11 '14 at 07:22
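The macro-virus anecdote in the answer above is the case where the payload is inert on the Mac but still reaches the people you send files to. The check below is an added example (not from the answer, and not any vendor's engine): a small shell script that flags Office documents carrying a VBA project before they go out. It relies on two facts about the on-disk formats: OOXML documents are zip archives whose macro storage is an entry named `vbaProject.bin`, and zip entry names are stored uncompressed, so a plain byte search finds them; legacy OLE2 documents keep their storage and stream names in UTF-16LE, so stripping NUL bytes exposes the `_VBA_PROJECT` stream name. The files in the test are constructed stand-ins with the right magic bytes and names; the script is a heuristic for triage, not a parser of either format.

```shell
#!/bin/sh
# Added example, not from the answer or from any AV vendor: flag Office files
# that carry a VBA macro project before they are forwarded, whether or not the
# macro could run on this machine.  Two container formats matter:
#   - OOXML (.docm/.xlsm/.pptm, or a renamed .docx): a zip whose macro storage
#     is an entry named vbaProject.bin; zip entry names are stored uncompressed,
#     so a byte search finds them without unzip.
#   - Legacy OLE2 (.doc/.xls/.ppt): a compound file whose storage/stream names
#     are UTF-16LE; stripping NUL bytes turns "_VBA_PROJECT" back into ASCII.
# This is a heuristic (a crafted file can defeat it), not a format parser.

# Exit 0 if $1 appears to contain a VBA project, 1 if not, 2 if unreadable.
has_vba_macro() {
  f=$1
  [ -r "$f" ] || return 2
  magic=$(head -c 2 "$f" | od -An -tx1 | tr -d ' \n')
  case $magic in
    504b)  # "PK": zip container (OOXML)
      LC_ALL=C grep -q 'vbaProject.bin' "$f" ;;
    d0cf)  # D0 CF 11 E0: OLE2 compound file (binary Office formats)
      tr -d '\000' < "$f" | LC_ALL=C grep -q '_VBA_PROJECT' ;;
    *)
      return 1 ;;
  esac
}

# Print every macro-bearing Office document under directory $1, one per line.
find_macro_docs() {
  find "$1" -type f \( -iname '*.doc*' -o -iname '*.dot*' -o -iname '*.xls*' \
                       -o -iname '*.xlt*' -o -iname '*.ppt*' -o -iname '*.pot*' \) 2>/dev/null |
  while IFS= read -r f; do
    has_vba_macro "$f" && printf '%s\n' "$f"
  done
  return 0
}

# Usage: sh macro_check.sh ~/Documents/outgoing
if [ $# -gt 0 ]; then
  find_macro_docs "$1"
fi
```

A hit does not mean the macro is malicious (plenty of legitimate templates carry VBA); it means the file deserves a look, or a conversion to a macro-free format, before it is mailed to a recipient whose gateway will bounce it or whose Windows machine will run it.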
25

Despite the common wisdom, I would not recommend running anti-virus for two reasons:

  1. Anti-virus does not really work. Though it might catch trivial or well-known viruses, it mostly just gives you a false sense of security.
  2. Anti-virus can cause problems. In order to function, anti-virus programs have to situate themselves quite low on the computer abstraction hierarchy, often below the operating system. This means that when they malfunction, they cause problems that you cannot necessarily fix simply by deleting or reinstalling the program. These problems might not even be easily attributable to the programs (e.g. random crashes, slowing down of your system).

The bottom line is that there is a cost to using inadequate security, and, in my opinion, anti-virus is inadequate.

Ari Trachtenberg
  • 2
    "By design, antivirus products introduce a vast attack surface to a hostile environment. … Many of the vulnerabilities described in this paper could have been severely limited by correct security design, employing modern isolation and exploit mitigation techniques. However, Sophos either disables or opts-out of most major mitigation technologies, even disabling them for other software on the host system. This makes the exploitation process straightforward, […]" Tavis Ormandy, Information Security Engineer at Google. [PDF link](https://lock.cmpxchg8b.com/sophailv2.pdf). – Daniel Beck Jul 12 '14 at 21:51
22

Macs do get viruses; the main reason why there were historically so few viruses around for Mac is because their market share was so small.

When someone writes a virus, most of the time they want to infect as many targets as possible. So 10 years ago this would result in almost only Windows viruses since they had such large market share. Recently, however, the market share for Mac has been growing, which means sooner or later it will start attracting even more attention from malware developers. Remember there are numerous malware instances which will work as well on Mac as they work on Windows. Ladadadada already talked about Word macros, but there are also Java applets which get loaded into the browser that can be used by an attacker to execute commands on your machine.

There have been numerous vulnerabilities published which affect both OS X and software running on OS X. Generally OS X, because of its architecture, already has decent protection, but this does not mean it's completely safe. There is already an increase in malware development for OS X and the attacks are also becoming more advanced. A good read on this is the 10 years of Malware for OS X article.

So do you need AV software? Yes!

There is also another reason you should take into account. This is my personal opinion:

I always make the comparison between two armies and their bunkers. Microsoft is like an army in a bunker which is constantly under attack and at a high rate. They have been so for 10 years and this allowed them to increase their capabilities in responding to vulnerabilities. Apple, on the other hand, is more like a bunker which gets some pesky attackers every once in a while but nothing too serious. Like I said, I believe that this is going to shift soon. Therefore, AV software might also be a good thing because they can often also help mitigate issues if Apple fails to address severe vulnerabilities fast enough.

Lucas Kauffman
  • @Lucas : Isn't the same comparison also valid for anti-virus software? On Windows, being constantly under attack, they develop advanced protection and detection features and enough experience to shorten the analysis and reaction time to the minimum. Are Mac anti-virus as advanced technically speaking as Windows anti-virus, or are they mostly dedicated to detecting Windows virus signatures in files which would not actually hurt a Mac machine itself (see Ladadadada comment below)? – WhiteWinterWolf Jul 10 '14 at 11:03
  • The companies behind them are often already in the field for several years on both Windows and Linux. For instance Kaspersky, AVAST, Sophos, Symantec,... – Lucas Kauffman Jul 10 '14 at 12:02
  • Anti-virus products these days are primarily an engine that runs heuristics and matches signatures. Updates to the heuristics and signatures are pushed out frequently, independently of the engine updates. I see no reason why the engines for both Mac and Windows (and Linux for that matter) wouldn't all use the same signature files. (Anti-virus products usually also do more than just that though. They also try to harden the host and hook themselves in at the lowest level possible. This part will most certainly differ between Mac and Windows.) – Ladadadada Jul 10 '14 at 18:47
  • 7
    References for `[...] there were historically so few viruses around for Mac is because their market share was so small.` please? I had understood that it had to do more with, *historically*, windows being run as admin and \*nix systems not being *root* by default. – Francisco Presencia Jul 10 '14 at 19:28
  • 1
    Do you have any evidence or quantitative data to back up your advice to use anti-virus? How large is the risk (quantitatively) if you do use anti-virus, vs if you don't? – D.W. Jul 10 '14 at 23:25
  • @FranciscoPresencia http://gizmodo.com/5101337/giz-explains-why-os-x-shrugs-off-viruses-better-than-windows and also http://apple.stackexchange.com/questions/86869/why-is-mac-malware-less-frequent-than-on-windows-systems It's also just logical I guess. – Lucas Kauffman Jul 11 '14 at 06:05
  • 1
    @LucasKauffman that article is an advertisement. I'll grant you that a couple of those might be universally considered viruses (most of them are Trojans) but using an article written by an anti-virus software company as an argument for getting anti-virus software isn't the most unbiased citation. :) – DA. Jul 11 '14 at 06:36
  • No it's not, but you can verify each of them separately. Also there is a similar PC Mag article http://securitywatch.pcmag.com/none/295168-the-ten-most-dangerous-mac-viruses – Lucas Kauffman Jul 11 '14 at 06:39
  • 2
    @LucasKauffman I think that link illustrates the basically non-existent threat by malware on OS X quite well by showing a bunch of screenshots of *installers prompting for the administrator password*. Don't install any random piece of software, get rid of Java in the browser, and what's left? Very different from what the situation seems to be on Windows. – Daniel Beck Jul 12 '14 at 21:54
  • Flash? And to be honest, normal users don't disable Java. Normal users also click right about anything when coerced. – Lucas Kauffman Jul 13 '14 at 05:38
  • And the question was about getting an AV. You can disagree with my points if you do not think those risks are high enough to invest in AV software. – Lucas Kauffman Jul 13 '14 at 05:40
4

For all the tl;dr people,

No.

What you should do though is this:

  1. Install nifty browser plugins like AdBlock, FlashBlock, and Disconnect.me
  2. Set restrictive Flash and Java permissions
  3. Firewall: on
  4. Prevent execution of non-identified applications (and whitelist apps at your discretion)
  5. Stop telling your friends Windows is bad because it gets viruses and Macs don't
greenland
1

Here was my situation about 3 months ago. Processor running at 95C, fans on full. Puzzled, I started trying to dig into what's doing it. Google Chrome had web workers (6) running at 100%. I had installed a series of colored themes for the browser so I could run profiles for contracts I had. Personal, Work, and Work2. One of the themes I had installed was malicious via Google's own theme site and was using some key logging action.

I didn't find this out until after I decided to try out Kaspersky for the Mac. At the same time it also found a series of malicious .htaccess files that were a sign one of the customers I had was also infected. All the redirects to porn sites, cache modifications etc. for a web server to essentially fall victim to. Since this content is deployed to schools it was kind of a big deal.

I reported the malicious activity by the theme (rather pretty beach scene), and was able to alert the customer that their server and/or one of their staff's computers had obviously become infected.

So in my respects I think it was worth it, but I had run for 6 years prior without any. I still continue to have the web workers overheating my computer using Chrome so I just dropped it altogether.

Mark
  • Interesting, but a single anecdote is not data and not enough to resolve the answer to the original question. – D.W. Jul 12 '14 at 02:14
  • In my case I had to change all my passwords due to this key logger that was running through a Google Chrome theme. I never would have known of the intrusion otherwise. It greatly depends on your usages, the internet and whether you install apps from unidentified developers or install 3rd party in-app themes. – Mark Jul 14 '14 at 18:10
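As an added example, not part of Mark's answer, here is a small Python check for the kind of malicious `.htaccess` he describes: RewriteRules that send visitors to an off-site host, gated on the visitor's referer or user agent so that the site owner never sees the redirect. Both `.htaccess` samples and the host attacker.example are constructed.

```python
import re

# Constructed sample .htaccess of the kind described above: RewriteCond
# lines key on the visitor's referer / user agent, then a RewriteRule
# sends only those visitors to an off-site host (search-engine cloaking).
MALICIOUS_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://attacker.example/landing?src=$1 [R=302,L]
""".strip()

# Constructed benign .htaccess for comparison: a same-site redirect only.
BENIGN_HTACCESS = r"""
RewriteEngine On
RewriteRule ^old-page\.html$ /new-page.html [R=301,L]
ErrorDocument 404 /404.html
""".strip()

# A RewriteCond testing the referer or user agent ...
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}", re.I)
# ... followed by a RewriteRule whose substitution is an absolute URL.
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://([^/\s]+)", re.I)


def find_external_redirects(text, own_hosts=()):
    """Report RewriteRules whose target host is not one of own_hosts.

    Each finding gives the rule's line, the target host and the lines of any
    referer/user-agent RewriteConds gating it; a gated rule is marked cloaked,
    a typical sign of an injected redirect rather than the site's own."""
    findings, pending = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if COND_RE.match(line):
            pending.append(lineno)
            continue
        m = RULE_RE.match(line)
        if m and m.group(1).lower() not in own_hosts:
            findings.append({"line": lineno, "target": m.group(1).lower(),
                             "conditions": list(pending), "cloaked": bool(pending)})
        pending = []  # RewriteConds apply only to the next RewriteRule
    return findings


if __name__ == "__main__":
    for hit in find_external_redirects(MALICIOUS_HTACCESS, own_hosts={"www.example.org"}):
        print("line %(line)d -> %(target)s cloaked=%(cloaked)s" % hit)
```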
-2

I don't see anyone bringing up this explanation yet so I will. You may or may not already know that the Mac OSX kernel started as a fork of the BSD kernel. Over the years, the Mac OSX kernel has evolved into a hybrid kernel. The BSD and GNU kernels are considered Monolithic. The difference between a monolithic kernel and hybrid kernel is basically that the kernel varies (usually depending on the distro) whereas the hybrid stays the same. With that said, this difference causes how software can be executed.

If you downloaded the same exact binary/executable file (in ELF format) on a couple different Ubuntu systems, you would not be able to execute it on all of them. This is because of the fact that the executable requires the exact modules it was compiled with in order for it to work. This is an advantage and a reason why running an OS with a monolithic kernel is more secure and somewhat unnecessary to have antivirus software.

Now, if you downloaded the same exact binary/executable file (in APP format) on a couple different Mac OSX systems, you would see that it can be executed on all of them. This also goes with EXE files on Windows. It may also not work if it's a 64-bit program trying to be run on a 32-bit system (or vice versa). This is a disadvantage and makes it easier for hackers to write and distribute viruses for these systems.

I should note too that the monolithic kernels with the highest privileges, whereas the hybrid kernels don't and are more protected. Now on to my point. The advantage and a reason why people running an OS with a monolithic kernel

SameOldNick