When people find out I'm a security expert, I can almost guarantee the ensuing conversation will evolve in one of three ways. If they are technologically illiterate, I'll have to explain I don't know anything about trading securities and can't help them with any hot tips. If they use Windows, I'll tell them to back up their data and reformat the system. But if they use Macs, the discussion usually becomes a little more complicated.
There is a misperception among much of the security community that Mac users don't care about security. Since joining TidBITS I've learned that Mac users are just as concerned about their security as their Windows brethren, but they aren't really sure what they need to know. Even the most naive Windows user understands that their system is under a constant barrage of attacks, but the Mac user rarely encounters much beyond the occasional pop-under browser ad and, of course, oodles of spam.
When people find out I'm a Mac security expert, they ask, "Oh, so do I need to worry more about security?", quickly followed by, "Do I need antivirus software?" While the antivirus answer isn't completely straightforward, it's also not all that difficult.
The reality is that today the Mac platform is relatively safe. Hundreds of thousands of viruses and other malicious software programs are floating around for Windows, but fewer than 200 are known to target the Mac, and many of those are aimed at versions of the Mac OS prior to Mac OS X (and thus have no effect on a modern Mac).
It's not that Mac OS X is inherently more secure against viruses than current versions of Windows (although it was clearly more secure than Windows prior to XP SP2); the numerous vulnerabilities reported and patched in recent years are just as exploitable as their Windows equivalents. But most security experts agree that malicious software these days is driven by financial incentives, and it's far more profitable to target the dominant platform.
Desktop antivirus software is also only a limited defense, and one that's typically very resource intensive. By even the most positive assessments, antivirus software catches only 85 to 95 percent of known malicious software (viruses, worms, trojans, and other nasty stuff) in the wild. This leaves a significant level of exposure, especially considering you're running software that brings your system to its knees whenever you have a full scan scheduled. Antivirus tools are intrusive by nature, don't offer nearly the security they advertise, and can be costly to maintain over time. I personally rely on other defenses to prevent malicious code from ending up on my computers in the first place, and so far (fingers crossed) have never had antivirus software find anything on any of my Windows XP systems. I don't even bother to run it on my Windows Vista systems, due to that platform's stronger security and the limited number of malicious programs that target Vista. When I've tested Macintosh antivirus programs, they typically only find infected attachments in my spam folders. Scanning all your incoming mail at the gateway, maintaining safe browsing habits, and using a browser plug-in or two can be more effective than desktop antivirus software, as I'll discuss.
Even if Mac OS X is no more secure, we Mac users are currently at a lower level of risk than our Windows counterparts. It's reasonable to assume that this dynamic could change, but considering the current level of risk, and the resource intensity of most antivirus software, it's hard to recommend antivirus except under limited circumstances. Here are the factors I suggest you consider before using antivirus software.
At some point, assuming Apple continues to make appealing products, we Mac users will become bigger targets and face a higher level of risk. Adam J. O'Donnell, Ph.D., is the Director of Emerging Technologies at Cloudmark and has recently been using game theory to analyze at what point Macs become more targeted for malicious attack. He states, "Game theory shows that an inflection point will come when the rate at which a malware author can reliably compromise a PC rivals that of the Mac market share. It is at this time you will see monetized, profitable Mac malware start popping up." For example, Windows Vista is a dramatically more secure product than its predecessor. As it's deployed more widely, we could hit an inflection point where the combination of growing Mac market share, and increased difficulty in exploiting Windows, makes the Mac a more profitable target.
How can we avoid this? That's mostly up to Apple. In Mac OS X 10.5 Leopard, Apple began implementation of a number of anti-exploitation technologies that could increase the difficulty in exploiting the platform, but most features weren't fully completed and don't provide the necessary protection to limit attack effectiveness (see "," 2007-10-22). If Mac OS X maintains even just security parity with Windows, yet Mac market share stays in the low double digits, Windows should remain the dominant target. We need to continue to pressure Apple for a more secure platform so these technologies are fully implemented before the malicious software market dynamics shift. Better library randomization, sandboxing, and QuickTime and Safari security features will go a long way to protect Mac users.
In short, at this point in time, I don't recommend desktop antivirus for the average Mac user. You only need to deploy it if you engage in risky behavior, need to protect friends on Windows, or comply with corporate policies. It's quite probable this will change in time, so it makes sense to take some reasonable precautions today and stay aware of the world around you. Better yet, let's continue to pressure Apple for stronger security so we can completely avoid resource-leeching desktop antivirus in the long term.