Network News

X My Profile
View More Activity

Anti-Virus On A Mac?

Every other week, I host a Security Fix Live chat with readers, and almost invariably, one of the questions that comes up is: "Hi. I'm a Mac user. Should I be using anti-virus software?" I usually answer that while there are very few recent examples of malicious software in the wild built for Mac users, no amount of protective software should be seen as a substitute for using your head when surfing the 'Net.

One of the more amusing statements I've heard from at least a couple of Mac users who are also Windows users is that they only do the stereotypically "risky" online activities -- such as surfing random porn sites -- from their trusty Macs.

This is interesting because it looks like some of the same tactics that malware writers have used to install malicious software via porn sites on Windows PCs have taken a step into the Mac world. For years, scam artists have been using the demand for online porn as a way to trick Windows users into installing fake video "codecs," malicious software disguised as a program that supposedly enables the user to view protected video content (probably no one has covered this trend more exhaustively than the corporate blog from anti-spyware firm Sunbelt Software.)

According to an alert issued Monday by Intego, a company that sells anti-virus software for the Mac, a number of Mac user forums are being spammed with links to video porn sites that prompt Mac users to install one of these magic codecs. Intego says the trade-off is hardly worth it, as Mac users who agree to install the software don't get to view any additional racy material, and yet they're left with a nasty little rash on their machine to boot.

Intego says the bogus codec silently changes the user's DNS settings so that when they visit certain financial sites -- such as eBay, PayPal, and those of several banks -- the victim is routed to a counterfeit look-alike site designed to swipe their credentials. In addition, it appears that undoing the damage wrought by this Trojan horse program is fairly tough.

So what lessons can we learn from this? Whether you use a Mac or a PC or a Linux box for that matter, it pays to avoid risky behaviors, period. For Mac users, the riskiest of those actions includes installing software of dubious origin.

That said, my Macbook Pro came with the corporate edition of Symantec's anti-virus software installed (by our IT folks). But I'm wondering how many other Mac readers have installed anti-virus software, and if so -- what software you've settled upon?

By Brian Krebs  |  October 31, 2007; 6:00 PM ET
 
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: 'Net Governance Body Punts On WHOIS Privacy
Next: Deconstructing the Fake FTC E-mail Virus Attack

Comments

I have a copy of ClamXav installed on my iMac, set to automatically scan my mail and downloads. It's free and doesn't hog the CPU like the stuff from Symantec and McAfee.

I only do it to keep from passing on all the Windows viruses that I get from my Windows-using correspondents.

Posted by: D T Nelson | October 31, 2007 6:50 PM | Report abuse

I've got NAV installed on my iMac -- been using it for 18 months and it does not slow things down at all. NAV has never found a virus, which I assumed would be the case. (My college requires me to have NAV installed on my computer, so that's why I did it initially.) No regrets, though, as I use Office 2004 for Mac and send a lot of Word documents, Power Point presentations, back and forth with colleagues.

Posted by: rjrjj | October 31, 2007 8:01 PM | Report abuse

Brian, I'm a computer security professional in the corporate world. I concur with your statement. I tell people their own behavior is their best weapon when on the Internet. Keep up the good work informing the masses.

Posted by: B Smith | October 31, 2007 8:59 PM | Report abuse

Great blog post, Brian. I think very few Mac users run anti-virus, and hopefully that won't need to change in the future (after all, that's why many of us use a Mac). But to help avoid social engineering attacks like this one, it's a good idea for most people to disable the automatic opening of "safe" files after downloading in Safari, since Safari has no idea what's really safe. And secondly, it's a good idea to run as a regular User, and not an Admin user. If nothing else, having additional steps to install a malicious "codec" might cause more people to pause.

Posted by: K Martin | November 1, 2007 12:05 AM | Report abuse

A guest blogger on Sciencetext.com discusses a recent alleged attack on her Mac from errant search engine results...at least one commentator on the post was not convinced this was possible in the way she described.

What do you think?

The item is here http://www.sciencetext.com/google-bugs-and-newbie-traps.html

db

Posted by: David Bradley | November 1, 2007 4:56 AM | Report abuse

What's worth pointing out is that stuff downloaded from the internet doesn't just work straight away.

Nor do installers or other application-related tools for the Mac.

The user has to enter their Username & Password for these things to be able to do anything.

Typically, for any application that's downloaded, the system warns the user and asks them if they want to run the application.

Much like many of the so-called hacked Macs, they invariably involve someone actually sat in front of the Mac with access to a user account on that machine...

Posted by: Wayne Smallman | November 1, 2007 5:00 AM | Report abuse

"But I'm wondering how many other Mac readers have installed anti-virus software, and if so -- what software you've settled upon?"

None. But then I don't have what you call "risky behaviors". And, if I did, as you so rightly comment in the first paragraph "no amount of protective software should be seen as a substitute for using your head ". Apart from anything else, anything new is likely to need to get into a virus signature database before AV software will help you (although there is some more-or-less effective heuristics in some products).

I do like to run AV software on Windows. I have NOD32 antivirus (and Windows Defender anti-spyware) running on my Windows machine. They never find anything. But then again I know what not to do. ...

On Windows I think one knows there's so much malware out there and so much interest in the platform among the bad guys that it's best to make assurance doubly sure by running it. On the Mac there's currently so little that it's pretty much worthless even as a safety net. It's also expensive. But I agree that someone who needs to exchange Office documents that contain macros with Windows users had best use something, because there are Windows macro viruses and those could harm Windows users. If that covers your usage scenario, it's best to pay up. There is a free product but it is, apparently, pretty ineffective at finding and dealing with Windows macro viruses; so those who fall in this camp had best buy a professional product.

I suppose "risky behaviors" doesn't cover it all. For example, I imagine some innocent who isn't trying to view pornography and who has the sense not to install software from untrusted sources could still get caught by a "drive by download". Web-searching with keywords is a scattergun approach and could take you *anywhere*. It would be easy enough for someone to follow a link from a Web search to a website without realizing it was nefarious and get something auto-downloaded to his machine. I play safe there by using Firefox with the NoScript extension. I notice Google is checking websites and marking some links as bad now -- good for them.

Posted by: Mike | November 1, 2007 5:17 AM | Report abuse

I think it is very important to have Anti-Virus software on a Mac. It is an added layer of security. We have seen Mac systems get compromised on our Campus via various vectors (third party application weakness, weak passwords, etc). In a couple of cases the system owner did not know that someone had broken into the system (over 6 months!). The intruder had planted some tools on the computer that would have been detected by Anti-Virus.

This goes for Linux and Solaris boxes and the like. We see compromises that go undetected for months. It is due dilligence to use AV software.

Of course AV software isn't considered 100% protection. The end user needs to be careful as well.

Posted by: D Taylor | November 1, 2007 5:51 AM | Report abuse

Ok, so HOW does one "be carefull" on the Internet?

Use NoScript & AdBlock Plus with Firefox. They work on Windows, Mac & Linux and will keep most malware away from your system.

Posted by: Dan | November 1, 2007 11:55 AM | Report abuse

It should be stated again and again, the best defense is a layered one, REGARDLESS of what operating system is in use! Basically, those layers include, use of a non-admin (or non-root) account, a firewall, Antivirus software that is updated DAILY, keep ALL software patched and practice safe computing (aka, be smart).

Missing one of these layers only increases your risk.

One last layer I have used on my Windows systems is a blocking "hosts" file from http://www.mvps.org/winhelp2002/hosts.htm
which stops many malware dead in its tracks (even browsing porn sites).

Posted by: TJ | November 1, 2007 2:13 PM | Report abuse

Count me as one of those who thought I was totally safe on a Mac. Not that I engaged in risky behavior, mind you, but I did not think I needed anti-virus software.

However, I figured why take the risk? Also, it is possible, according to a developer I know, that if I forwarded an e-mail containing a virus to a PC user, it might not affect me, but it could cause havoc on the recipient's computer.

So I bought Norton. There wasn't much else available on the market, and I've always trusted Norton.

It's better to spend a few bucks and be safe rather than sorry.

Posted by: Elizabeth Weintraub | November 1, 2007 3:23 PM | Report abuse

I just bought a Intel based Mac mini (with OS X Tiger). A friend who has had four Macs over a 12-year span said that he had never gotten a virus, Trojan, etc. - and advised against installing AV on my Mac. The Mac has an internal firewall, as does the WiFi router that is used to connect it to the Internet.

I surf only major news, info, and search sites on the Mac (mostly with Firefox) and still use one Win XP box for e-mail. Waiting for OS X open-source Eudora. Then I might get AV to scan mail. I will never install a Microsoft program on my Mac mini, as that is the one major vendor I am trying to avoid! I don't use MS Office stuff on any Win XP machines.

I surf only one free porn site. I use Opera, filtered through DropMyRights, never download any suggested add-on or click on boxes that say you have won something. Opera has a setting that deletes all Cookies from the last current session.

I use ZoneAlarmPro, Bitdefender AV, SuperAntiSpyware Pro and run root-kit detectors and other malware programs from time to time. Have never detected a virus, a Trojan, etc. on the Win XP box.

But I will not use Mac for any risky site. If I am going to get a computer trashed, I prefer that it be one of my three Win XP boxes, which are a nightmare to keep current and "clean." They could all use a reformat and Win XP reinstall. The Mac boots in 30 seconds, never crashes, and is a delight to use. And I spend Zero time updating and running security software on the Mac versus hours a week on the Win XP machines.

Posted by: Mac V | November 1, 2007 5:55 PM | Report abuse

Mike wrote, "Web-searching with keywords is a scattergun approach and could take you *anywhere*. It would be easy enough for someone to follow a link from a Web search to a website without realizing it was nefarious."

There is a source of advice: A freeby, SiteAdvisor , now owned by McAfee, who have done nothing to change its look and feel. It is a browser add-on, hence should work on any OS. It flags search engine results Green or Red (or Gray for untested), according to whether you are likely to get spammed &c after going there. It gives you a basis for exercising your judgment.

Posted by: Solo Owl | November 1, 2007 11:19 PM | Report abuse

Here is a new release from Dell, an integrated support suite with a number of new features:

http://support.dell.com/support/index.aspx?c=us&l=en&s=gen&~ck=bt

Posted by: PJ | November 2, 2007 6:29 PM | Report abuse

Bk> Intego says the bogus codec silently changes the user's DNS settings so that when they visit certain financial sites -- such as eBay, PayPal, and those of several banks -- the victim is routed to a counterfeit look-alike site designed to swipe their credentials.

One wonders why the malware doesn't also install a bogus CA certificate in the user's certificate store so that a forged certificate (signed by the bogus CA) is indistinguishable from a legitimate one.

Posted by: antibozo | November 3, 2007 8:19 PM | Report abuse

>>In addition, it appears that undoing the damage wrought by this Trojan horse program is fairly tough.

Here's how; decide for yourself...
http://www.macworld.com/2007/10/firstlooks/trojanhorse/index.php

Posted by: Mark Odell | November 4, 2007 4:11 PM | Report abuse

The Intego alert is about a scam - not an exploit. I don't know what Intego are up to: at times they claim they're sitting on 0days for OS X but do they send them in? This is no 0day or any other kind. It's a /scam/. It's classic Mitnick Social Engineering 101.

Posted by: Rick | November 4, 2007 6:50 PM | Report abuse

Rick> The Intego alert is about a scam - not an exploit.

Nobody called it an "exploit".

It is, in fact, an exploit, in the sense that it exploits a vulnerability in people's behavioral defenses. It is not an exploit in the very limited sense you seem to be thinking of: a program or tactic that exploits a vulnerability in a piece of software.

But the correct technical term for this form of attack is "Trojan horse". That's how everyone here has referred to it, so I'm not sure what you think you're protesting.

Posted by: antibozo | November 4, 2007 8:36 PM | Report abuse

If the protection of your computer really comes down to Norton Anti-Virus, you're a lost cause anyway. Running Norton on any computer (of McAfee) is the equivalent of removing 1/2 the memory and slowing it down to half speed. Plus, you can never remove these products.

We've used Macs at home for over a decade, and we run... nothing. And we've never gotten infected, despite my kids (I'm sure) going to every kind of web site you can imagine.

Incidentally, I use PC's too, and there are free anti-virus products that work better than the paid-for services. AVG is a good one to start with. There are others.

Posted by: Skeptic | November 5, 2007 5:32 AM | Report abuse

In all fairness, I think I should bring your attention to this simple tool that will guarantee surfing everywhere: VMWARE.

What is it? It is Virtual Machine Ware.
What is it? It helps you surf anywhere, everywhere.
What is the main idea (technically)? Before you surf, you spend 1 minute (to save whatever you have), then, you surf. Once done with surfing, your computer will go back to whatever you had. What does it mean? Any new things will be gone. Virus, spyware....

What is it for? I used it for surfing hacker's sites, porn sites... places that I do not want be hurt.

Can it run on my machine? I am running it successfully on a computer with total of 512 megabytes of MEMORY.

How do I get it?
Ask a friend, a co-worker...whoever that is interested in computer to research about VMWARE for you. Then, you will benefit by: your friend will give you a copy of the product. Here's how: Your friend will get the software VMWARE, create a baby machine. Then, your friend will give you a player to run that baby machine, and you will just have to click on the simple icon to surf.

Another way: there it a product that will do the same thing: and it is free, from Microsoft itself. The product is called VIRTUALPC. Because it is free, it may fit your budget. However, because it is free, I did not think it would receive lots of human hours in upkeeping it with the current market, that's why I went with VMWARE. I wanted to spend time to learn a product that will be commercial and will be financially supported in fixing its own bugs, and errors, and mistakes...Free Products, to me, does not have that much of supports behind it (as compared to the Sold Products.)

Back to you, your benefits:

(Before I make point, let's clear the name: VIRTUAL COMPUTER is like a FAKE COMPUTER running inside a MAIN COMPUTER, a BABY COMPUTER running inside a MOMMY COMPUTER. When you actually meet the software: The computer you have now is called HOST COMPUTER. In the computer you have now, you will run a smaller computer called GUEST COMPUTER.)

Here's the point: When you run a BABY COMPUTER, bad things do not spread to your MOMMY COMPUTER. The technology made sure of that. They made sure it worked that way so this concept could work in big companies, not just for home users like us. It worked even for DATA CENTERS, not just for home user like us.

The concept is amazing. The products are:
VMWARE (www.vmware.com) (Cost your friend, free to you.)

VIRTUALPC (Microsoft) (Free for your friend and you.) (But I do not use, so, I can not say.)

The concept is like that. In the BABY, ANY NEW THINGS WILL BE LOST. What does it mean? Virus gone. Spyware, gone. Trojan, gone. Rootkit, gone.

You can surf anywhere, try any new software, and do anything you want to do. No damage to your MAIN COMPUTER.


Please don't just flat out trash my ideas. For your benefits, see through my lines, forgive my writing errors, squeeze out the main idea, go check it out, and then, take action for your life, thank you.

Posted by: ''Hear me, check fact, take action'' | November 5, 2007 9:42 AM | Report abuse

From: ''Hear me, check fact, take action''.
To: "Mac V | November 1, 2007 05:55 PM ".
About: "They could all use a reformat and Win XP reinstall."

Why Re-Install?
My way of the last 8 years: Re-Load.
My tool of the last 8 years: Re-Load with Norton Ghost.

To anyone that does not know Ghost:

Ghost is a software that is like SUPER COPIER.

When you computer is still good, you use SUPER COPIER TO COPY, so you have a "GOOD COPY".

When you computer is not good, you use SUPER COPIER TO RE-LOAD, so you bring back the "GOOD COPY".

It's the main idea.

Any products out there that will do this?

"Ghost" by Symantec (www.symantec.com): Sometimes, free after rebate. (Good to the point that my company, of 500 employees, also uses this. Ghost has corporate version.)

"True Image" by Acronis (www.acronis.com): I honestly do not recall seeing it as free.
(Also, "True Image" has corporate version.)

There are more in the same class of products like this, but, if the product does not have corporate version, I would not use it. Why? With 8 years of using Ghost, I have Re-loaded my computer over 14 times, tried over 100 new software, and rescued over 10 friends by saving a copy of their good computer and then reloading it after disaster. With that much usage, I like Ghost, I need Ghost, yet, I have to SHARE WITH YOU THAT GHOST SOMETIMES HAS PROBLEM BEYOND EXPECTATION. Now, I still use Ghost, because I learn the problem and I learn the solution. I still use Ghost because they have corporate versions, huge teams of workers, big discussion group. I realize everything has a little downside of it. To me, total benefits FAR OUTWEIGHT total costs. Would I trust my data to companies that do not have corporate version? Not right now, not until I try them out for some time. Until then, I am still using Ghost by Symantec. I heard "True Image" (by Acronis) has many comparable features; I will try it, too.

The concept is SUPER COPY = TRUE COPY = EXACT COPY = IMAGING = RUN-ABLE COPY (Not a Non-run-able copy like copy of a picture or a music.)

Posted by: ''Hear me, check fact, take action'' | November 5, 2007 10:08 AM | Report abuse

Hear me, check fact, take action> Here's the point: When you run a BABY COMPUTER, bad things do not spread to your MOMMY COMPUTER. The technology made sure of that.

There have been a number of vulnerabilities allowing programs running in a virtualized environment to alter the host operating system, including on VMWare. So don't count on virtualization as your sole security measure.

Posted by: antibozo | November 5, 2007 11:06 AM | Report abuse

"I think very few Mac users run anti-virus, and hopefully that won't need to change in the future"

Ok, dream on.

Posted by: In the real world... | November 6, 2007 8:22 AM | Report abuse

I haven't run any AV software on my Mac since moving to OS X and don't have any plans to do so. I've heard about more problems caused by AV software than I have about these programs actually stopping malware.

I am not ignorant of the dangers. I never give my password for installing anything unless I am absolutely sure about the source. I read Mac news sites daily to keep abreast of any security-related news. I do regular backups. I pay attention to what processes my machine is running.

Down the road, I might change my mind. For the present, however, I don't see the benefits of AV software on the Mac. Most security holes are things that need to be fixed by Apple, not third parties.

Posted by: No AV | November 6, 2007 10:13 AM | Report abuse

I haven't run any AV software on my Mac since moving to OS X and don't have any plans to do so. I've heard about more problems caused by AV software than I have about these programs actually stopping malware.

I am not ignorant of the dangers. I never give my password for installing anything unless I am absolutely sure about the source. I read Mac news sites daily to keep abreast of any security-related news. I do regular backups. I pay attention to what processes my machine is running.

Down the road, I might change my mind. For the present, however, I don't see the benefits of AV software on the Mac. Most security holes are things that need to be fixed by Apple, not third parties.

Posted by: No AV | November 6, 2007 10:13 AM | Report abuse

I use Intego's VirusBarrier X on OS X, simply because a) VBX was far less intrusive and troublesome than Virex was, and b) I wanted NetBarrier X and PersonalBackup anyway, and the three were available in a package deal.

VBX has worked fine for me. ClamAV's Mac OS X version is also solid (though doesn't handle background scanning quite as nicely), and has the added bonus of being free.

Posted by: Rachel | November 6, 2007 7:41 PM | Report abuse

I am a 20 yearlong Apple user and IT security expert and have been exploited in OSX 2 years ago by malicious javascript loaded from a russian fake laptop shop website named http://sell-laptops.us/

it had one of those common " live chat is currently available" boxes and I thought: "Im on a mac what can happen?"

Immediately after accepting the java app, my Safari was keylogged! Within minutes the sysadmin of my security website with ssl, on which I was in the forum, asked my via private chat why I was registering an account on my own website with a russian email address from MY IP !!!!!

It was pure coincidence that the sysadmin was in the control panel at this moment and that was my luck !

I pulled all wires and rebooted and of course checked with various methods which files were altered in those last 10 minutes. CLAM AV found nothing.....

Since it was a javascript exploit, I suppose closing the browser kills it but you never know what files were altered or uploaded.

btw: the java script app was originally written by an australian company and altered by the hackers.

Posted by: RodFlem | November 7, 2007 4:23 PM | Report abuse

My question to all of you who are proud that you don't have AV on your Macs for years and are saying that you don't have any malware on your machines, is simple.
Without AV on your machines- How exactly do you now that you absolutely positively don't have any Trojans or Keyloggers or other Spyware running silent, running deep?
Like someone said here- you feel safe just because your Mac is still white?

Posted by: Confused | November 8, 2007 5:26 AM | Report abuse

My question to all of you who are proud that you don't have AV on your Macs for years and are saying that you don't have any malware on your machines, is simple.
Without AV on your machines- How exactly do you now that you absolutely positively don't have any Trojans or Keyloggers or other Spyware running silent, running deep?
Like someone said here- you feel safe just because your Mac is still white?

Posted by: Confused | November 8, 2007 5:29 AM | Report abuse

My question to all of you who are proud that you don't have AV on your Macs for years and are saying that you don't have any malware on your machines, is simple.
Without AV on your machines- How exactly do you now that you absolutely positively don't have any Trojans or Keyloggers or other Spyware running silent, running deep?
Like someone said here- you feel safe just because your Mac is still white?

Posted by: Confused | November 8, 2007 5:31 AM | Report abuse

Wow!
3X in a row? You must be confused. Or is something up with Windows?

I run OX 10.3 on a G3 iMac. I've never encountered any problems with my machine in the time that I've had it, except for once when I tried to install Office for Mac.
I am positive that my Mac doesn't have any viruses now or in the past because, this computer has never had ANY of the countless problems I've seen on the WIN based PCs I use at home or at work, that have encountered some sort of virus, spyware, adware...

My Mac happens to be blue;)

Posted by: can't remember | November 10, 2007 6:20 PM | Report abuse

there are not enough users of mac than pc, so most of the computer geeks,hackers and crackers and the virus makers mainly focus on developing windows virus rather than mac since they have more knowledge in that field. that is the reason which i think mac doesn't have as many viruses as pc. if anybody has knowlege of mac in great extent i don't think developing a virus is that hard for those people.

Posted by: thomas | November 17, 2007 4:10 AM | Report abuse

f macs

Posted by: Anonymous | December 22, 2007 1:26 PM | Report abuse

OS X don't have as many malware as Windows does, which is a fact that stems from two points:

1. The OS X software is leaner and less complex, code-wise and operationally, than Windows, which means there are fewer avenues of attack on OS X.

2. Adoption of OS X, while increasing, is still very small compared to the majority of share that Windows has. This means there's greater incentive for malicious users to compromise Windows than on Mac.

Even so, the use of protective software on a Mac is actually a very good idea. This is not only to help mitigate the risk to your computer further, but also to protect other users as well; if you share your files, then it's good to have anti-virus on your Mac if you share files with Windows users.

An infected file that can't hurt OS X is still an infected file that will damage another computer that it can affect if it's spread there.

Posted by: Reinhart | December 27, 2007 4:20 PM | Report abuse

The main reason for the need of antivirus on a PC and not so much on a Mac is that a PC is riddled with M$ made vulnerabilities so as to provide a market for AV Writers whereas the Mac is built on Unix and anyone wishing to enter a secure Unix-like Operating system can only do it with the permission of the Administrator and so area's on a Mac cannot be accessed unless one has ultimate privilege and you can't just Hack that...

Posted by: cool | January 2, 2008 4:37 AM | Report abuse

Hi.. I'm Mac user and I come from Indonesia. I just read about the antivirus you've put into your Macbook Pro. And I'd like to know how did it work? and is there any antivirus which is best for Mac? in here Mac user never consider about antivirus because they think Mac is free from virus. That's what i thought before. But lately i was thinking that maybe Mac could have some virus and need protection. I was found an antivirus for Mac called Sophos Anti-Virus for Mac OS X. Is it more better comparing what you'd used?

Thank you,

Posted by: Griajeng Ruthjunitarani | August 16, 2008 12:09 PM | Report abuse

Hi All,

Some time ago we got trouble with a iMac and a PC and a server 2003 with Symantec on it as protection. Now 1.5 year later i found the solution and the Virus was started on the iMac by Apple Update!!!!!! I made a web page special for this solution. So if you have trouble like Network printer that is printing in the wild some times, your Mac or Pc is visit by some new users with the names like MisterX, Nowhereman, Pussygirl, and so on till you can not work anymore. On the server or just your USB drive the filenames get spelled backwards or a map goes to a other map and that won in a other and so on. It all starts with two new files on your Mac and PC named Chaos and Panic, the PC is just infected true the network and when the same name is used on that PC as the Mac. Anyway there is only won solution that i found and that solution you can read here!
http://members.chello.nl/t.emmelot/
So don't believe Apple when they say you don't need protection on a Mac!!!!!!

Posted by: Tom Emmelot | August 16, 2008 4:21 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company