One of the most heated arguments you’ll hear within the Mac community is whether or not “antivirus” software should be used.
I use quote marks because that’s still the most frequently used term, even though things have moved on and such software detects a wider range of malware than just viruses. In some cases it addresses non-malware threats, but AV is a convenient abbreviation.
The anti side typically points to the scarcity of Mac malware and the difficulty of producing malware that can slip under the operating system’s defences without the user noticing. They also tend to assert that AV puts an unnecessary load on a system, though that’s usually based on experience from an earlier era when Macs had a small fraction of the performance of today’s systems and the AV software hadn’t been through so many cycles of optimisation.
Another somewhat outdated view is that AV can only protect against known malware. Modern AV has gone beyond simple pattern matching (largely in order to cope with the huge variety of Windows malware) and uses multiple techniques in order to detect malicious code.
Those favouring AV - and I should reveal that I’m in that camp - agree that while there are no actual viruses affecting OS X, there’s enough malware around to make it worth adding to the protection that Apple has built into the operating system such as XProtect (the old school definition-based blocker that gets updated after a major outbreak), Gatekeeper (which displays a warning the first time you run a piece of unsigned software), and the restricted rights granted to non-administrator accounts.
It’s all very well to say you can spot a Trojan when you see one, but a single variant of the Flashback malware infected more than 650,000 Macs in April 2012. The exact effects of Flashback varied between variants, but included password stealing and click fraud. Crucially, some versions installed completely invisibly: there were no fake Flash update dialogs, no requests for an admin username and password - Flashback installed silently if you visited a web page that had been designed or hacked to deliver it. Yes, it did exploit a Java vulnerability and not all Macs have that installed, but Java isn’t an especially exotic piece of software.
Modern malware gives no obvious indication that a Mac has been infected. That’s a survival characteristic: stealthiness means the user is unlikely to notice that anything’s wrong, so the malware can remain on the computer quietly dribbling out spam or phoning home when it captures a new set of credentials. Without AV software, how do you know there’s a problem? In some cases the tech media publicises the names and locations of files associated with malware, but that probably doesn’t come to the attention of the average user. (Conversely, if you do experience a problem with a Mac it is unlikely to be related to malware.)
These ruminations were prompted by the latest Mac Security Review from AV-Comparatives (http://www.av-comparatives.org). This report tests various aspects of eight packages including Kaspersky and Sophos, but not Norton or the programs available from the Mac App Store. The latter may have been a deliberate omission, as Apple’s requirements rule out security software that performs on-access/real-time scanning. In my opinion, AV that only tells you when you’re already infected is very much second best to software that can detect malware before it has a chance to run.
The good news is that seven of the eight provided 100% detection of AV-Comparatives’ collection of Mac malware, and six provided 100% detection of “very prevalent” Windows malware. Passing Windows malware to a colleague or client is best avoided, and that’s another reason why you may want to install AV on a Mac.
I would be happier if the Mac Security Review placed more emphasis on the products’ ability to detect phishing attempts, as in my experience a dodgy email is more often an attempt to steal your credentials for a web site (especially Internet banking) than to install malware on your computer. Only three of the packages passed what was arguably the most elementary test of phishing protection.
Again, a reasonably aware user may be able to spot phishing attempts, but is everyone who uses your Mac “reasonably aware”? Can you honestly say you’ve never clicked on a link in an email without first checking that it leads where you expected? Wouldn’t you prefer your computer to step in when you click on a link that takes you to a known phishing site? The Safari, Chrome and Firefox browsers include phishing protection, but apparently they all use Google’s Safe Browsing service. I’d feel happier with an additional line of defence from a security vendor: “That email has been quarantined because it links to a known phishing page.”
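The two checks described above (does the link lead where the visible text says it does, and is the destination on a list of known phishing hosts) are easy to automate. The following script is an added example, not code from the original post or from any of the products it mentions: it parses the anchors out of an HTML e-mail body, compares the domain named in each link’s visible text with the domain the href actually points at, and looks the href host up in a local blocklist. The e-mail body and the blocklist are constructed sample data; a real deployment would feed in a vendor’s or Safe Browsing-style list instead.

```python
"""Flag suspicious links in an HTML e-mail body.

Two checks, both run offline:
  1. the href host appears on a blocklist of known phishing hosts;
  2. the visible link text names one domain but the href goes to another
     (the classic "www.mybank.example" text over an attacker-controlled URL).
Added example; sample data below is constructed, not real.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist standing in for a real feed of known phishing hosts.
KNOWN_PHISHING_HOSTS = {"secure-login.example.net"}

# Visible text that looks like a bare domain or URL, e.g. "www.mybank.example".
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL, or "" if it has none."""
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: the last two labels.  Good enough for
    example.com-style names; a real tool would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html):
    """Return a list of (href, reason) for every anchor that fails a check."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = host_of(href)
        if href_host in KNOWN_PHISHING_HOSTS:
            findings.append((href, "host on phishing blocklist"))
            continue
        # Only compare domains when the visible text itself names one;
        # "Click here" tells us nothing about where the user expects to go.
        text_host = ""
        if DOMAIN_LIKE.match(text):
            text_url = text if text.lower().startswith("http") else "http://" + text
            text_host = host_of(text_url)
        if text_host and registrable(text_host) != registrable(href_host):
            findings.append(
                (href, f"visible text names {text_host} but link goes to {href_host}")
            )
    return findings


# Constructed sample message: one look-alike link, one blocklisted host,
# and one honest link whose text and href agree.
SAMPLE_EMAIL = """
<p>Dear customer, please visit
<a href="http://mybank.example.attacker.test/login">www.mybank.example</a>
to confirm your details.</p>
<p>Or use <a href="https://secure-login.example.net/verify">this secure link</a>.</p>
<p>Unsubscribe: <a href="https://mail.mybank.example/unsub">mail.mybank.example</a></p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The domain comparison is deliberately conservative: it only fires when the visible text itself looks like a domain or URL, so ordinary “click here” links are left to the blocklist check. Note that the blocklist will only ever catch hosts it already knows about, which is exactly the limitation of “known phishing page” protection discussed above.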