I often get asked “Should I use Antivirus software on my Mac?” The answer is: it depends.
Note: This is a multipart article, Part 1 is available here
The risk of getting infected on macOS is significantly lower than on Windows. But it is not completely zero. It is hard to find any good study on this topic (here is one), but this is a widely accepted fact at the moment. There are many factors which contribute to this lower risk:
- Fewer people use macOS than Windows
- macOS upgrades (major releases) have typically been free for a longer time than Windows upgrades, so more Mac users update their OS than Windows users. Microsoft started the free upgrade from Windows 7 to Windows 10 some years ago, but previously, an upgrade like this was not free.
- People using macOS tend to pay for their software and are less likely to pirate it from shady sites. Pirated software may contain adware, backdoors and hidden Bitcoin miner software that may harm your computer.
Personally, I am not a fan of macOS Antivirus. macOS Antivirus was never the focus of development at AV companies. It is mostly reactive, and it has far fewer proactive features than its Windows counterpart. For example, on Windows, AV can warn when a program accesses the webcam. On macOS, the AV can turn off the webcam, but it can’t warn when a program accesses the webcam.
When looking at independent tests of macOS Antivirus, you have to know that most labs do not have access to the latest macOS threats, so they tend to test with old and known malware. This means the gap between synthetic test results (100%) and real life is even wider than in the case of Windows Antivirus tests. In other words, anti-malware tests you may read in magazines can be very misleading, as these tests are far from representing the real-life situation.
Also, macOS includes its own AV called GateKeeper, which does a basic job of preventing the user from running malicious programs. GateKeeper prevents known malware from starting and warns the user if (s)he tries to execute unsigned stuff.
But there are ways around GateKeeper. For example: scripts (e.g. Python). Or Microsoft Office macros. Or in-memory malware. Or probably tens (hundreds?) of other ways. These techniques all can circumvent the built-in protection on Mac, which the more sophisticated malware products frequently do.
So then how do I protect myself?
Instead of focusing on Antivirus, I recommend people install software which can restrict unauthorised access to critical parts of the operating system.
One of the best security tools for macOS is Little Snitch. It is a software firewall which will notify the user every time an unknown application starts to communicate over the Internet. Training it in the first few days can be a bit time consuming, but after this time it performs nicely.
Problems can arise when application updates cause existing rules to stop working. Online meeting applications (GoToMeeting, Webex) can be particularly troublesome – these are updated frequently, and they may try to communicate with hosts on arbitrary ports.
Another great macOS tool is F-Secure X-Fence (formerly Little Flocker), which monitors read and write file access. The same training concept applies as with Little Snitch – after the initial training period, it just works.
In the screenshot above, Microsoft Word tried to read/write/execute 133t_0day.sh. If the user clicks on Deny, this exploit is blocked.
BlockBlock is a tool which alerts users when a program is installed that tries to execute itself every time the computer boots. Most malware uses some form of persistence to stay on a host after a restart. To do that, malware at some point has to register itself with the OS. There are few ways to persist in an OS and most malware uses the same techniques, so this can be detected by AV software.
Note that I have not had first-hand experience with BlockBlock.
In the screenshot, the osxMalware application tried to install itself so that it starts with every boot of the system. By clicking on ‘Block’, the user can block this action.
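The idea behind persistence monitoring can be sketched in a few lines. The following is an added example, not BlockBlock's code and not part of the original article: it parses launchd job definitions, reports any job that is missing from a known-good baseline, and flags jobs that start at load from an unusual path. It covers only launchd agents and daemons, one of several persistence mechanisms; the sample plists, the baseline and the suspect-path list are constructed assumptions.

```python
import plistlib
from pathlib import Path

# Standard launchd locations on macOS; "~" is expanded at scan time.
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons", "~/Library/LaunchAgents"]
# Assumption: directories a legitimate auto-start program rarely runs from.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# Constructed sample jobs (not real malware), serialised as launchd plists.
SAMPLES = {
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater", "RunAtLoad": True,
        "Program": "/Applications/Example.app/Contents/MacOS/updater"}),
    "com.example.helper.plist": plistlib.dumps({
        "Label": "com.example.helper", "RunAtLoad": True,
        "ProgramArguments": ["/Users/Shared/.cache/helper", "--daemon"]}),
    "broken.plist": b"not a plist",
}


def describe(raw):
    """Extract what a launchd job runs and whether it starts at load or is kept alive."""
    job = plistlib.loads(raw)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    autostart = bool(job.get("RunAtLoad") or job.get("KeepAlive"))
    return job.get("Label", ""), str(program), autostart


def review(items, baseline):
    """Return (file, reason) for each job that is new or looks out of place."""
    findings = []
    for name, raw in sorted(items.items()):
        try:
            label, program, autostart = describe(raw)
        except Exception:  # malformed plist: report it instead of skipping it
            findings.append((name, "unparseable plist"))
            continue
        hidden = any(part.startswith(".") for part in Path(program).parts)
        if label not in baseline:
            findings.append((name, "new persistence item: " + program))
        if autostart and (hidden or program.startswith(SUSPECT_PREFIXES)):
            findings.append((name, "auto-starts from unusual path"))
    return findings


def collect(dirs=LAUNCHD_DIRS):
    """Read every launchd plist on this machine (empty result off macOS)."""
    paths = [p for d in dirs for p in Path(d).expanduser().glob("*.plist")]
    return {str(p): p.read_bytes() for p in paths}
```

On a Mac, `review(collect(), baseline)` runs the same check against the real launchd directories, with `baseline` being the set of job labels you already trust.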
By supervising the network communication, file access and persistence, users can create a safe environment, where totally new and unknown malware can be blocked. But these solutions can be a pain for novice users.
But trusting AV on macOS is not as good a choice as it is on Windows. For example, the following article details a malware campaign targeting macOS users, which went unnoticed by most macOS AV engines.
If you are a novice user, you can try to protect yourself with AV designed for macOS, but don’t expect much.
If you are a security conscious macOS user with some experience in IT, there are steps you can take to sleep better at night without AV (see Little Snitch, X-Fence or BlockBlock). While a determined attacker may find ways around your defences, whitelisting network, file access and OS service persistence is a good start against common threats.
CIA bypassed Little Snitch by injecting its malware into the browsers. Could have still been spotted with activity monitor
Zoltan (@zh4ck) is a full-time AntiVirus bypasser and public speaker from Hungary. He frequently rants on Twitter about how people should try things harder. He has experience from both blue and red side, and enjoys the cat and mouse game between attackers and defenders.
Peer review: AC
Photo courtesy of Jose