Apple Officially Recommends Antivirus Software


By: switchtoamac at: 10:26 AM on November 25, 2008 | Comments (9)

Apple has issued a support article titled 'Mac OS: Antivirus utilities' in which it recommends the use of antivirus software on Mac OS. Here's what Apple states:

"Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult."

The note then goes on to mention three antivirus programs: Intego VirusBarrier X5, Symantec Norton Anti-Virus 11 for Macintosh, and McAfee VirusScan for Mac.

In April, we posted an article titled 'Apple endorses antivirus and security software on Macs' after we noticed that Apple had posted its recommendation on its 'Get a Mac' site. Apple then removed that information from the site, but you can view it at the Internet Archive.

Why the Recommendation?
In Apple's successful 'Get a Mac' advertising campaign, the firm has made the point that Macs don't suffer from the widespread virus and malware issues that plague the Windows operating system.  One must now question why Apple is encouraging the use of 'Antivirus utilities'.  Perhaps it's an acknowledgment that no platform is 100% safe and that computer users must take action to protect their systems, including Macs.  What's your take?

You can read the Apple Support Article: HT2550 here.

Update - Apple's Virus Utility Stance
In 2008 Apple encouraged Mac users to install virus and security software on Macs. The page on which the recommendation was made no longer exists on Apple's web site, but it can be viewed at the Internet Archive as indicated above. Scroll down and look for the following statement at the very bottom of the page:

"A Mac running with factory settings will protect you from viruses much better than a PC, but it's never a bad idea to run extra virus and security software."

The Apple Support Article referenced above, most recently updated on November 21, 2008, has also been removed. You can view a copy of the document here.

9 Reader Comments

The Mac users are advised that, even if they can't get infected yet, they can pass on an infected email or document if they don't have an AV scan.

Mac users not concerned with passing on received files to Windows users and not running Windows themselves should be advised that in the history of OS X, anti-virus utilities have created more problems and more data loss than protection, and have had a negative 100% cost benefit.

The Apple article you refer to smells like it was written by lawyers, not engineers. "It doesn't matter how good third party AV really is; tell the customers they should have it, and Apple is off the hook if any customer ever becomes infected."

Once upon a time, Apple gave McAfee's Virex free to dotMac subscribers. Then they stopped, and with the removal of Virex, my Mac became noticeably more stable and responsive.

Anyway, on reading your article, I went to McAfee's Mac page to check out their current AV offerings.
[ http://shop.mcafee.com/Products/Virex.aspx ]
On their *Mac* page there is a button offering a Free Scan to Check Your Machine Instantly. Clicking on this button will take you to a page that tells you "Your current browser is not supported. To download and install McAfee software, your computer must be running Microsoft Internet Explorer 5.0 or later. To upgrade to the latest version of Internet Explorer, visit the Microsoft Web site at: http://www.microsoft.com/downloads."

Internet Explorer? GFR.

These losers at McAfee are too STUPID to understand what browsers are current for the Mac, and I am to trust them with protecting me from the latest and greatest malware?

Fool me once, shame on you; fool me twice, shame on me.

As for the eternal BS about passing along Windows viruses to Windows users, there are NO uninfected, unprotected Windows PCs to pass them along to. An unprotected Windows PC is an infected PC.

Mac users are in a real bind. But they don't know it yet.

Antivirus on the Mac OS X platform is in shambles. We tested offerings from Symantec, Intego, Sophos, ClamAV, Network Associates (VirusScan), and several other lesser-known products. Only one - ONE - of them reliably identified, handled (repaired or quarantined), and reported infections correctly. One. Every other offering suffered from one or more of the following:

(All testing was performed using a Microsoft Word document infected with a Word Macro virus)
- Failed to properly identify the infected file as infected, file was not repaired
- Failed to properly identify the infected file, but the infection was actually removed
- Properly identified the infected file, reported that the file could not be repaired, but the infection was silently removed
- Properly identified the infected file, reported that the file could not be repaired, did not repair the file
- Properly identified the infected file, reported that the file had been repaired, but infection remained

Additionally, several of these antivirus solutions used a substantial amount of the computer's CPU and disk I/O resources, making a noticeable and frustrating impact on overall performance.

Right now, Mac users are understandably complacent. Macro virus infections are low, largely due to antivirus scanning at the email gateway. Combine this with the fact that there are almost no Mac OS X viruses, trojans, or worms in the wild at the moment, and you have a scary picture. From a purely pragmatic perspective, currently, depending on the antivirus solution implemented, it is far more likely to cause problems than prevent an infection. As a result, almost no one is buying antivirus for the Mac.

This has two effects:

- Some staggeringly small percentage of Macs are protected by antivirus
- Antivirus software developers, who must justify the resources required for development, are marketing to a very small market segment (with a correspondingly small allotment of resources for development)

Here's the problem:

- The Mac market is the fastest growing segment of the PC market
- Vista is, in fact, making it harder on virus writers who are now focusing their efforts on third party software, a lot of which is cross-platform

So we've got a huge vacuum in the Mac market segment of the computer market, just waiting to be infected. And if you learned anything in your science classes you learned that nature abhors a vacuum. With virtually zero Macs protected, a Windows OS that is increasingly difficult to write viruses for, a Mac user-base that is largely ignorant of the various avenues of infection (unlike their PC brethren), and lots of money to be made from zombie networks, we're sitting on a volatile situation. It doesn't matter if writing viruses for Mac OS X is harder than Windows (a dubious claim, anyway). Even if it were significantly harder to write a virus for the Mac, all it will take is one well-written virus and virtually no Mac will be safe. Mac users - tens of millions of them - simply couldn't respond fast enough. Even if there were one obvious choice of antivirus software that worked well and was easy to install and use, this would be an overwhelming event. But as I've mentioned, most of the antivirus solutions are abominable and extremely frustrating. Now imagine a virus-ignorant user-base that hasn't used any antivirus before using terribly written software to repair damage to an infected Mac.

Three things are nearly certain:
- Someone is going to fill this vacuum, no matter how hard it is - it's just too tempting a target
- There are very few Mac antivirus solutions that work well
- Mac users will be almost entirely unprepared when a virus hits

In fact, the widespread use of antivirus on PC's and networks - not on Macs - may be the largest factor limiting the spread of a real Mac virus, when it comes.

Watchdogging is and should best be handled as a community. The most stable AV experience I've had across any platform is the open source clamAV and I find that it is updated nearly as quickly, and in some cases FASTER than, the commercial offerings, with none of the gouging. There is now a lovely GUI front end for OS X.

http://www.clamxav.com/

This is not Apple saying they have a virus problem. It is Apple saying that having multiple virus programs available to users makes it even more difficult for virus writers to succeed. Thus encouraging them to not even try in many cases.

The threat is still very small and the existence of virus software just ensures that it stays small.

Andrew M. made some interesting, though unsubstantiated claims. To summarize, Mac antivirus s/w sucks. Mac users don't use antivirus. I might add that we also don't concern ourselves with avoiding spyware. (Guess why.) Any day now, the Mac will be hacked and attacked and sacked. By virus writers who have been confounded by teh Vista (let me add Windows 7 to be topical). We have only our more protected and mainstream PC using peers to protect us from a certain demise.

Now, everyone bow down to the mainstream PC users. They, after all, selected the best platform. Look how well they've been served over the years w/r/t security. Sure, XP was Swiss chez, but what can you do?

Any. Day. Now. We will be smitten for our hubris.

Mac EUZERS!!! UNTIL THAT DAY WE MUST PARTY!!!!! GO TO EVERY SITE ON THE WEB THAT'S INFECTED. DOWNLOAD EVERY PIECE OF DRIPPING, INFECTED S/WARE YOU CAN GET YOUR GRUBBY MAC MITTS ON AND FEEL THE BURN!!*

Whoa. Sorry about that. Good discussion. Appreciate the insight. Well crafted argument. Thoughtful. Keep up teh good work. Carry on. Anticipating your next sagacious, wise, judicious, shrewd, sharp, sharp-witted, razor-sharp, keen, incisive, acute, imaginative, appreciative, intelligent, thoughtful, sensitive, deep, profound; visionary, farsighted, prescient; savvy posts at this fine web address.

Bot
Mac Fanbot (running self-diagnostic)

* highly discouraged, unrecommended, cautionary note, flee

Andrew M, would you mind sharing with us the AV program that did work well with the Mac? Thank you. I don't presently run AV software on my Mac, but am considering doing so...

I definitely made some claims that I didn't back up. I should have posted this on my own blog, where I could have done so with links, etc. But since I didn't back up much of what I claimed, keep doing your research. =) I guess that's why we all ended up here.

Before I tell you which solution we liked best, PLEASE REMEMBER: This testing was done a few months ago (mid 2008). Antivirus software will VERY LIKELY go through significant upgrades. Additionally, with the imminent release of 10.6, another round of testing will be in order as software developers provide compatibility revs.

So... make sure you do your own homework on this one.

That said, the AV solution we found that worked was the first one we tried: Norton AntiVirus v10. Since the release of Mac OS X, we have had less-than-wonderful experiences with Norton Antivirus. This summer, with the threat of a viral infection looming ever closer, I set out a mandate for us to find a solution we could recommend or a reason for not having a recommendation. So we went looking for an alternative.

Our only real problem with viruses and malware at the moment is Word Macro viruses. The most common scenario is that a client calls us to report that they cannot send an email because the attachment they are sending has a virus. They don't have antivirus because we hadn't at this point found one that we could support. It was cheaper for our clients to pay us to remove infections (which are very rare), than to pay us for the support costs of installing, maintaining, and troubleshooting problems with or related to poorly-written antivirus software. But, once a computer is infected, several other computers are likely to be infected, as well as several documents on their file server. If the infection goes unnoticed for long enough, there could be hundreds of infected files. So we're looking for more than a solution that can identify and quarantine infected files. We're looking for a way to clean infected volumes. This is an important distinction which I'll get back to shortly.

Scanning the boot volume for viruses on a Mac OS X computer can take hours, given the large number of very small files that make up the Unix-based OS. In our scenario, the easiest way to check a computer for infection, then, is to check the 'Normal' file in Microsoft Word with an antivirus scanner. It's quick, easy, and effective. If the 'Normal' file is infected, scan the volume. If not, schedule a scan for later and come back to it. We bill by the hour. So this can potentially be a significant cost savings. But even for those that do not charge by the hour, your time is still valuable.

The Evaluation
I'm going to quickly go through what we found on some of the major packages. I don't have my notes in front of me. So I'm pulling some of this from long-term memory. Bear with me.

The worry about Norton AV was largely based on longstanding worries about having kext's floating around in the System, especially around OS upgrades. In the end, however, it was the only solution that was able to consistently repair a Word Macro infected file. Apple has made significant changes to the way kernel extensions work. With this new architecture, we feel more secure with kext-based applications. NAV v11 has several improvements. We are very happy with NAV at the moment. OS updates have not been a problem, when upgrading within the same 'cat': e.g. 10.4.10 to 10.4.11, and 10.5.3 to 10.5.5.

Intego is a very pretty application. I know they just released a new version very recently. That would be well worth keeping an eye on.

ClamAV worked pretty well. The biggest problem was repairing viruses: it doesn't. But in many environments that may not be an issue. With good perimeter antivirus and comprehensive coverage with ClamAV inside your network, you can prevent infections with ClamAV and simply delete infected documents as they come in, requiring clean documents. But we don't have that level of control over our clients. If we used ClamAV, we would be unable to clean infections. This could leave hundreds (or more) documents unusable. Manually disinfecting a file is possible, but tedious.

The only thing impressive about Sophos has been their aggressive sales staff. For the last several years, their Mac product has not been able to scan a selected file for infection. The only choice is to scan a volume. As per my discussion above, that would have been unacceptable behavior for an antivirus solution 15 years ago. To be honest, once we discovered this limitation, we didn't even bother to test it. It simply didn't matter if it could find a virus and repair it. We couldn't afford to run it.

VirusScan has been around almost since day 1 on Mac OS X. And it hasn't really progressed much. We found this to be very CPU intensive and had difficulty getting it to identify and repair viruses.

In the interest of full disclosure, I just intentionally downloaded and installed one of the few trojans available in the wild for Mac OS X. This is the one that pretends to be a missing ActiveX component. On a computer running Mac OS X 10.5.5 and NAV 11 with all software and virus def updates, I was able to install the trojan without any difficulty. NAV never caught it. In fact, the only difficulty I had installing it was actually downloading it. Both Safari 3.2.1 and Firefox 3.0.4 would not let me download the file without first acknowledging that I was downloading malware. Little Snitch caught the outgoing web GET request. But NAV did nothing.
