On 21-Nov-08, a short support article appeared on Apple's Web site, likely placed there by someone with no idea of the chain of events he or she was about to initiate. The article summary was, "Learn about antivirus utilities available for the Mac OS." The bombshell statement in the article? "Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult." The article went on to list three of the major antivirus programs for the Mac.
At first, no one really noticed. Then, on 01-Dec-08, the note gained the attention of Brian Krebs at the Washington Post, who wondered if this statement signified a notable shift in Apple policy. Apple has never formally recommended third party security software for Mac OS X, so what was responsible for this seemingly major shift in policy? The rest of the industry press and blogs quickly picked up on the story, filling the Internet with a storm of conjecture and, based on the number of questions we received here at TidBITS, concern among Mac users wondering if they were suddenly less secure.
Early investigation indicated that the odds were high this was merely an overview article put out by a low-level employee in Apple's support organization, and never signified either any change in Apple's stance or the security of Mac users. The article was actually an update of an earlier note from 2007, changed to include the latest versions of the antivirus programs. Even the wording was awkward, allowing the interpretation that Apple was recommending users install all three programs. Within hours after the news hit, Apple removed the support article, thus creating a second round of coverage speculating that negative press pressured the company into reversing their new position on antivirus.
Based on the evidence I've been able to gather, I believe this updated technical note was never seen or approved by senior management. It was likely meant to highlight which antivirus programs supported Mac OS X for those users interested in installing the software. Although Apple hasn't detailed the exact chain of events, Apple spokesman Bill Evans told me:
"We have removed the KnowledgeBase article because it was old and inaccurate. The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100% immune from every threat, running anti-virus software may offer additional protection."
In short, Apple isn't telling users they all need to run out and buy antivirus software (much less multiple programs), but they also admit that antivirus software may offer some additional protection. This is consistent with my article, "Should Mac Users Run Antivirus Software?" (2008-03-18), in which I recommend that the average Mac user avoid antivirus software.
The reality remains that although Macs are far from immune to security issues, there is very little malicious software that targets them. Macs can be affected by malware on occasion; I've been contacted twice in the past year by people who downloaded and manually installed malicious software onto their systems. I also work extensively with security researchers who tell me that Mac OS X's built-in protection technologies can be circumvented by an experienced attacker. But neither I nor the security researchers with whom I work know of any widely deployed exploits for Macs. Unless you are either specifically targeted by a knowledgeable bad guy, or spend a lot of time downloading software from risky sites, the odds are extremely low you'll ever encounter malicious software. Macs aren't inherently more secure than PCs, but they are practically never targeted, dramatically reducing the risk a Mac user will be compromised.
Thus I'd like to reiterate our previous advice:
- Everyone should use an email service that filters spam, viruses, and other malicious software (such as MobileMe, Hotmail, Yahoo! Mail, or Google Mail).
- Enterprise users often need to install antivirus software to comply with corporate policies and avoid being a vector to infect their Windows-based coworkers. Any of the major antivirus solutions work well, and you should work with your corporate IT department to determine what to install.
- If you visit risky sites (adult, gambling, and file sharing sites are the major ones) and download software from them, you should consider installing antivirus software. Of the two major pieces of malicious software we've seen this year, one disguised itself as a plug-in to view adult videos, the other as a poker program.
- If you are running Windows on your Mac, via Boot Camp or a virtualization tool like VMware Fusion or Parallels Desktop, you still need to install Windows-based antivirus software to protect your Windows installation.
- Generally, other Mac users don't need to install antivirus software at this time, but I advise you to stay abreast of security news in TidBITS, just in case the situation does change. Email filtering will likely protect you if there is some sort of sudden outbreak, but it's entirely possible that Macs could become a more common target in the future.
Neither I nor the security researchers with whom I work run antivirus software on our Macs, but I'll be the first to change my position and recommend wide use of Mac antivirus tools should the situation change. Until then, there's simply no reason for non-enterprise users who avoid risky behavior to bog down their Macs with antivirus software.