Apple Antivirus Thing: Much Ado About Nothing



All right, people, here’s the deal.

I just published my take on the whole “Apple he said/she said you do/don’t need antivirus” thing over at TidBITS. Here’s my interpretation of what happened:

  1. Back in 2007 some support guy posted a list of major AV products supported on the Mac.
  2. On November 21st, it was updated to reflect current version numbers.
  3. Whoever wrote it a) is a shitty writer, and b) didn’t realize how people would interpret it.
  4. The press found it and trumpeted it to the world.
  5. Apple management went, “WTF?!? We don’t tell people they should install three different AV programs all at once. Hell, we never tell them they need AV at all. Not that we’re going to tell them *not* to use it…”
  6. The support article was pulled and statements issued.
  7. Some people called it a conspiracy, because they like that sort of thing.
  8. Somewhere deep in the bowels of 1 Infinite Loop, there is a pike, holding a bloody head, on prominent display.

So no, most of you don’t need antivirus. You can read my article on this from back in March if you want more help deciding if you should take a look at AV on your Mac.

Alan Shimel is one of a group of people who think it’s about time Mac users paid attention to security and installed AV. I like to break that argument into two sections. First, as I’ve learned since writing for TidBITS and Macworld, the average Mac user is definitely worried about security. But (second) this doesn’t mean desktop AV is the right answer. Right now, the risk of malware infection on the Mac is so low for the average user that AV really doesn’t make sense. That can change- heck, it probably will change- but that’s the situation today. Thus I recommend most people use mail filtering and browse safely rather than installing desktop AV.

Not recommending AV isn’t Apple’s ego speaking- and I don’t deny they have an ego and an image to protect- it’s a realistic policy based on the current risks to Apple’s users. Now the odds are we Mac security types will recommend AV long before Apple does, but that day isn’t here yet.

Apple didn’t reverse their policies- something slipped out from the lower levels by accident, and all the hubbub is much ado about nothing.

The day will likely come when Mac users need additional malware protection, but even then desktop AV may not be the answer. Read my older article on this, and keep up with the news so you’ll know when the time comes.

8 comments

  1. kurt wismer Dec 3

    the chance of exposure to mac malware is at least equal to (though probably somewhat greater than) the chance of exposure to the rather popular zlob trojan for the windows platform… the reason being that the zlob gang ported their successful windows malware campaign over to the mac os x platform over a year ago and have been pushing their malware for both platforms on their download sites…

    there’s a lot of talk about the risk of mac malware being low but it hasn’t seemed to me to be based on anything but gut feeling and the lack of a blaster-style outbreak for the platform… the above should at least put a somewhat concrete lower bound on the risk…

  2. rmogull Dec 3

    Kurt,

    We don’t see the infection rates- even my contacts in the filtering industry don’t see a lot of Mac malware floating around (again, I’m not one of those people saying it isn’t there, just that it’s a low risk).

    If you can show me I’m wrong, I will change my advice. I’m not religious about this, but trying to provide the best risk analysis I can. Right now, the risk of infection doesn’t support the investment in an AV tool.

  3. kurt wismer Dec 3

    y’know what, i’m actually not saying you are wrong, nor am i saying you’re right… i’m proposing a model for coming up with a lower bound for the risk…

    you can try using infection rates too, but that depends on accurate measurement of the infection state of a statistically significant sample… since making that measurement sort of implies using anti-virus software and since anti-virus deployment is hardly ubiquitous or uniform across the mac platform, i worry that unseen bias will skew those results…

    i also worry that people are looking at raw rates instead of per capita rates within the relevant population, but that’s just me not trusting measurements without knowing a lot more about them…

  4. LonerVamp Dec 5

    Are you speaking to home consumers or enterprise Apple users?

    I assume home consumers since you’d otherwise be saying enterprise Apple users can go about their day unprotected in the business? While I don’t challenge that the risks are lower on a Mac, are they low enough to eschew it all on that gamble? At some point, Windows was treated like that once too…

    It has not been my experience that you can tell Apple users to “browse safely,” and they will browse any better off than normal Windows people. I know we have more than several security geeks with Macs these days, but that is not what I have found to be the norm amongst Mac users I’ve known. The only thing “protecting” them is less focus on the Mac as a target. And I just don’t necessarily accept that risk valuation at face value (e.g. it could change tomorrow) and would rather just throw an AV on the desktop and be done with it for now.

    I would, however, love to hear from someone who manages and administers an enterprise filled with Macs. Every place I’ve worked only a handful of designers who make up a tiny fraction of the computer base has been on a Mac. I wonder what the experience for a few thousand Macs under one collective roof would be?

  5. rmogull Dec 5

    Loner,

    Yes- in the article and the TidBITS article it references I make it clear that you still need AV in enterprise environments- no argument there.

    I’ve talked with multi-Mac admins and haven’t found anyone with an AV problem yet; just the occasional trojan. There aren’t many Mac trojans right now, and even unaware users encounter them VERY infrequently, thus the basis for my advice.

    It’s going to change someday, and when it does I’ll try and be one of the first to spread the word.

    Then again, I’m not sure signature based desktop AV will really help once it *does* happen.

  6. Mark Dec 5

    Rich,
    I’m glad you made the enterprise desktop clarification. The fact is that if the mac is on a network where credit cards are processed PCI now requires they have antivirus.

    I personally have mixed feelings about whether or not I really need it. My default stand, as a security guy, is you need antivirus. Period. I’m a Mac user and run Symantec on my mac. I do penetration tests and include Macs in those tests. I have a folder that is full of backdoors, trojans and other tools that go undetected. And today they are all largely undetected by ALL mac av products. Let’s face it, AV on windows sucks at detecting threats, but AV on macs is a waste of CPU cycles. Why run av that is full of signatures for threats on windows? It’s not that threats aren’t there for mac, they just aren’t detected. Why can’t a heuristics engine detect a single metasploit payload on a mac? If the general consensus among mac users is “i am immune, I don’t need av” then what incentive is there for any company to invest R&D in real desktop protection on the mac? I suspect that when we all agree the threats are there (whether it has manifested itself or not) and every mac user starts buying antivirus, I can expect those backdoors I have to get quarantined.

  7. rmogull Dec 5

    Mark,

    Before I became so involved with the Mac community as a writer, I also thought Mac users were just egotistical and considered themselves immune. What I’ve learned since then is that Mac users *do* care about security, and that immunity characterization only represents a small (yet vocal) part of the community.

    Mac users ask me all the time what they need to do to secure their systems, including questions about AV. The problem is that exploitation levels are so low, and Mac AV so limited, that it’s hard to recommend it. That of course means that AV vendors are less interested in investing resources into the Mac.

    I don’t think we’ll see wider use, or product improvements, until there’s more malware, and Mac users are more often exploited. Intego is about the only dedicated Mac AV company and does well on the signature side.

    To be honest, I think desktop AV sucks in general and isn’t nearly as effective as everyone would like us to think.
