When people find out I'm a security expert, I can almost guarantee the ensuing conversation will evolve in one of three ways. If they are technologically illiterate, I'll have to explain I don't know anything about trading securities and can't help them with any hot tips. If they use Windows, I'll tell them to back up their data and reformat the system. But if they use Macs, the discussion usually becomes a little more complicated.
There is a misperception among much of the security community that Mac users don't care about security. Since joining TidBITS I've learned that Mac users are just as concerned about their security as their Windows brethren, but they aren't really sure what they need to know. Even the most naive Windows user understands that their system is under a constant barrage of attacks, but the Mac user rarely encounters much beyond the occasional pop-under browser ad and, of course, oodles of spam.
When people find out I'm a Mac security expert, they ask, "Oh, so do I need to worry more about security?", quickly followed by, "Do I need antivirus software?" While the antivirus answer isn't completely straightforward, it's also not all that difficult.
The reality is that today the Mac platform is relatively safe. Hundreds of thousands of viruses and other malicious software programs are floating around for Windows, but less than 200 are known to target the Mac, and many of those are aimed at versions of the Mac OS prior to Mac OS X (and thus have no effect on a modern Mac).
It's not that Mac OS X is inherently more secure against viruses than current versions of Windows (although it was clearly more secure than Windows prior to XP SP2); the numerous vulnerabilities reported and patched in recent years are just as exploitable as their Windows equivalents. But most security experts agree that malicious software these days is driven by financial incentives, and it's far more profitable to target the dominant platform.
Desktop antivirus software is also only a limited defense, and one that's typically very resource intensive. By even the most positive assessments, antivirus software catches only 85 to 95 percent of known malicious software (viruses, worms, trojans, and other nasty stuff) in the wild. This leaves a significant level of exposure, especially considering you're running software that brings your system to its knees whenever you have a full scan scheduled. Antivirus tools are intrusive by nature, don't offer nearly the security they advertise, and can be costly to maintain over time. I personally rely on other defenses to prevent malicious code from ending up on my computers in the first place, and so far (fingers crossed) have never had antivirus software find anything on any of my Windows XP systems. I don't even bother to run it on my Windows Vista systems, due to that platform's stronger security and the limited number of malicious programs that target Vista. When I've tested Macintosh antivirus programs, they typically only find infected attachments in my spam folders. Scanning all your incoming mail at the gateway, maintaining safe browsing habits, and using a browser plug-in or two can be more effective than desktop antivirus software, as I'll discuss.
Even if Mac OS X is no more secure, we Mac users are currently at a lower level of risk than our Windows counterparts. It's reasonable to assume that this dynamic could change, but considering the current level of risk, and the resource intensity of most antivirus software, it's hard to recommend antivirus except under limited circumstances. Here are the factors I suggest you consider before using antivirus software.
- I do not recommend desktop antivirus software for the average Mac user, but you need to take other precautions. While desktop antivirus software isn't necessary (I don't use it), make sure you use email accounts that support spam and virus filtering, such as Gmail, Yahoo Mail, or Hotmail. Spam is one of the major vectors for malicious code propagation, and gateway protection will reduce your risk should an email-driven Mac virus appear. Consider switching to the Firefox Web browser with the NoScript plug-in. NoScript selectively, and non-intrusively, blocks all scripts, plug-ins, and other code on Web pages that could be used to attack your system during visits. I also recommend you keep your eyes open and subscribe to a news source like TidBITS so if something does change, you'll know sooner rather than later.
- If you engage in risky online behavior, use antivirus software and definitely switch to Firefox with NoScript. Risky behavior isn't just limited to browsing Web sites you might want to avoid at work. Installing strange software from non-standard locations, failing to filter for spam, installing any random social networking plug-in you find, or creeping around unusual corners of the Internet can also lead to a malicious code infection. Some other examples of risky behaviors include online gambling, hacker research, illegal file sharing (or legal file sharing on the same network that supports illegal activity), browsing media-heavy sites other than brand names like YouTube, or downloading software posted to forums or lesser-known sites. It's hard to determine exactly where to draw the line, but my general advice is if you download a lot of content, engage in clearly risky behavior, or spend a lot of time browsing fringe sites (especially forums), you should take extra precautions. If you let your children, including teenagers, use an unmonitored Mac you should also take these precautions and make sure they use a non-administrative account.
- If you exchange large numbers of potentially risky files (especially forwarded email messages with attachments that aren't otherwise scanned) with Windows users, and your email isn't scanned at your mail server, consider antivirus software for their protection. If you like to pass on every email joke and greeting card that hits your inbox, you should either change your habits or consider antivirus software so you don't spread something to your Windows-using friends. If you use an email service that includes outbound filtering, and don't exchange files other than through email, you can skip the desktop filtering.
- If you use your Mac in an enterprise environment with antivirus policies, you still need to use antivirus software. Ideally, this should be provided by your company's IT department so it is compatible with corporate standards and is centrally managed. Use of antivirus software in the corporate environment is often required for a variety of reasons, including compliance or as a response mechanism in case of an internal infection. Even though your Mac might be safer, you don't want it used to spread an infection to Windows systems or become a compliance deficiency. If you're in corporate IT, some major enterprise antivirus tools support Macs and can be deployed with policies consistent with your Windows systems. While you might have reasons for not supporting Macs in the enterprise, lack of available antivirus software isn't one of them.
- If you run Windows on your Mac, via Boot Camp or virtualization, install Windows antivirus software. Even if you're running Mac antivirus tools, they won't help you when you're running Windows. You need to protect that partition or virtual machine just as if it were any other Windows system.
At some point, assuming Apple continues to make appealing products, we Mac users will become bigger targets and face a higher level of risk. Adam J. O'Donnell, Ph.D., is the Director of Emerging Technologies at Cloudmark and has recently been using game theory to analyze at what point Macs become more targeted for malicious attack. He states, "Game theory shows that an inflection point will come when the rate at which a malware author can reliably compromise a PC rivals that of the Mac market share. It is at this time you will see monetized, profitable Mac malware start popping up." For example, Windows Vista is a dramatically more secure product than its predecessor. As it's deployed more widely, we could hit an inflection point where the combination of growing Mac market share, and increased difficulty in exploiting Windows, makes the Mac a more profitable target.
How can we avoid this? That's mostly up to Apple. In Mac OS X 10.5 Leopard, Apple began implementation of a number of anti-exploitation technologies that could increase the difficulty in exploiting the platform, but most features weren't fully completed and don't provide the necessary protection to limit attack effectiveness (see "How Leopard Will Improve Your Security," 2007-10-22). If Mac OS X maintains even just security parity with Windows, yet Mac market share stays in the low double digits, Windows should remain the dominant target. We need to continue to pressure Apple for a more secure platform so these technologies are fully implemented before the malicious software market dynamics shift. Better library randomization, sandboxing, and QuickTime and Safari security features will go a long way to protect Mac users.
In short, at this point in time, I don't recommend desktop antivirus for the average Mac user. You only need to deploy it if you engage in risky behavior, need to protect friends on Windows, or comply with corporate policies. It's quite probable this will change in time, so it makes sense to take some reasonable precautions today and stay aware of the world around you. Better yet, let's continue to pressure Apple for stronger security so we can completely avoid resource leaching desktop antivirus in the long term.