The Safe Mac

Follow The Safe Mac on Twitter to stay advised of the latest Mac security news!


Mac Malware Guide : Do I need anti-virus software?

Published June 17th, 2012 at 8:38 PM EDT, modified March 27th, 2014 at 12:02 PM EDT

There is no simple yes or no answer to this question. The answer will depend on many factors, the biggest of which is your own opinion on security. However, I do have some recommendations. Before we get to those, we need to examine some basic facts about anti-virus (AV) software.

Most people who say Macs don’t need anti-virus software do so on the belief that Mac OS X protects you against all threats already. This has never been entirely true, and there have been recent findings that suggest that security features mentioned in the previous section are not as bulletproof as most people want to believe. There have been a number of recent cases of malware failing to be blocked by XProtect [12, 3].

Perhaps the biggest fact that often gets swept under the rug is that no AV software (XProtect included) catches 100% of all viruses. It is known that AV software in the Windows world recognizes at best 90% of all malware. Although some Mac anti-virus software does better than that (see my latest round of anti-virus testing), none is perfect, and some is actually pretty awful.

Another important thing to know is that no AV software is capable of intercepting a brand-new virus. When a new virus appears, that virus must become widespread enough to be noticed by the companies publishing AV software. Then they must find a copy of the virus, examine it and add it to the list of virus definitions used by their software. And, of course, none of that does you any good until you actually download the update, which doesn’t happen immediately. This means that, even if a particular AV program worked with 100% efficiency, it still would be completely useless for a period of time after the introduction of a new virus. In the case of the MacDefender outbreak, frequent name changes and minor tweaks to the “packaging” kept the MacDefender trojan variants one step ahead of all anti-virus software, for a day at a time here and there.

Trojans also make extensive use of what is called “social engineering”. Much like phishing scams and other online fraud, they are often carefully designed to use fear, greed, lust and other emotions to fool you into doing what they want. The MacDefender trojans are a perfect example: a malicious JavaScript injected into a legitimate site redirects you to a page that tries to fool you into thinking viruses have been detected on your machine, and from there fools you into downloading and installing “anti-virus software”. In reality, that software is a trojan that will do its best to make you think you’ve got real viruses (even faking some symptoms), all while pestering you to buy the software to remove them. If you “buy” the software, you have given the criminals your credit card number.

Because of all this, blind usage of AV software can often make one more susceptible to infection by the right malware. If you become complacent, assuming that your AV software will protect you, it is unlikely that you will be as cautious as you should be, and something will eventually slip past your AV software. This is not just a theoretical concern, it has been documented to actually happen. I have personally seen reports from people with AV software who nonetheless got infected with something.

This doesn’t mean that AV software is worthless, but it does mean that you can’t just install it and then do whatever you like in perfect safety, as most people believe. As security experts say, the biggest flaw in a computer’s security is between the keyboard and the chair. It is extremely important to be careful and think carefully about what is downloaded. AV software should be thought of more like a safety net to catch anything that slips past your own defenses.

I don’t use AV software for more than testing. This is a personal choice, based on my knowledge of Mac OS X and security issues affecting it. Others can also do without AV software as well. However, there are some cases where AV software may be needed. For example:

  • If you need to use older software containing known vulnerabilities, such as older versions of Java or Flash.
  • If you are using a Mac in an environment where AV software is required
  • If you frequently trade files with Windows users and don’t want to be accused of passing on a Windows virus
  • If you want the peace of mind and don’t mind installing software that may interfere with the normal operation of your system
  • If you can’t be bothered to give any thought to what you download, though this is a very dangerous attitude on today’s internet
  • If you are not at all tech savvy and have trouble accurately determining what is trustworthy and what is not
  • If there is a major change in the malware affecting Mac users (in which case I will note it here)

If you decide to install anti-virus software, do some research before installing it. There is a lot of very bad anti-virus software out there. Some of the commercial AV packages are renowned for their ability to bring a healthy Mac to its knees. Others are practically scams, detecting very little Mac malware (or even none). Beware of anti-virus “review” sites, which are often fake or paid “advertorials.”

I have done some basic testing of detection rates in 2013 and 2014. I have been paid nothing for these tests. They provide one metric – and only one metric – for evaluating this software. Some of the software that tests well may cause system instability, false positive problems or other issues.

Based on less formalized testing, Sophos Anti-Virus for Mac Home Edition is probably the best choice for most users who are looking for an active scanner. It only looks at files that are being opened, and in my experience, it works well and does not impact performance noticeably. There is the potential for problems, though, with any such app. If you choose to use Sophos, be sure to keep the app up-to-date, especially when you update your system.

Those who just want something that will do manual scans of selected files would also do well with Dr. Web Light, available for free in the App Store. Because of restrictions imposed by the App Store, this app cannot do active scanning, but it also cannot cause system-wide stability issues, and cannot affect performance when it is not running.

<- How does Mac OS X protect me? How can I protect myself? ->

Post to Twitter


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.
For questions or comments, please contact me.