The Official Mac AntiVirus and Firewall FAQ

Status
Not open for further replies.

cwa107

Hi Guys

I find it astonishing that mac users still believe they're completely safe. I work as a system administrator at a Swiss university. We have about 550 pc users and more than 2500 mac users. All pcs have AV software installed, where only about 150 macs have it. Now guess what. More than 80% of all recorded infections come from those 150 macs. In the past year I had to support three users that were cut off from the internet by their providers because they were sending out viruses en masse. All three are mac only users. They don't have Windows on their machines. In the 12 years I do this job, I never experienced anything like that with a pc user. How's that possible you ask? Well, these three macs obviously didn't have any AVs installed. They also didn't get their malware from pcs since it was an OSX trojan/spam proxy. They picked it up somewhere on the internet. There are websites which specifically target both operating systems. Sophos has some analysis and demo videos on their website if you're interested.

Not a bit. Sophos and their ilk have a vested interest in trying to keep the sheep in the pen, so to speak.

There are two trojans in the wild for Mac OS X at the moment. Both of them must be very deliberately installed and neither are self-propagating. They are easily avoided by either A) not downloading pirated copies of iWork '09 that contain one of the trojans - and B) Not downloading a fake video player from certain (porn) websites.

Either way, Apple wisely implemented measures that prevent their installation in 10.6, essentially making them moot.

When true self-propagating viruses or worms that are unpatched are released, I'll recommend AV software for OS X. Right now, it's more trouble than it's worth.

Another case: We use Windows pcs as printer release stations for plotters and other specialised equipment. Everyone can just plug in their usb sticks and print their files. I'm bombarded almost daily with emails from the AV on those machines because most of the usb sticks carry some form of the Conficker worm or other autorun virus. The sticks are cleaned every time. And yet, every time the users come back, they have the same virus on their stick. These are almost exclusively mac users. Somehow this stuff manages to use their macs as a platform for spreading itself to external disks. Even if this particular virus does not affect the macs directly, we don't know what else they have on their machine. If it can spread, it can also download more malware. I made some tests. 18 of the scanned machines were infected with RSPlug-F.

That's a mac only virus. It doesn't exist on Windows.

You give it more credit than it deserves. It's a trojan - and again, it's not self-replicating. Also, there are no autorun viruses for Mac OS X at the present, so not sure exactly where your flash drive malware is coming from. It's possible that the files are being copied willfully to the volume, but OS X wouldn't be able to execute them.

Now think again. Do you need AVs on mac or not? If you're a tech-savvy and experienced user, you may have a few more virus-free years ahead. Otherwise... think again.

Nope. I'm not against taking appropriate measures, and I'm not deluded into thinking that OS X won't one day be compromised by a true virus. But that day is not today. And the AV products out there for the Mac mostly suck at the present and cause more harm than good.

As an MCSE and a network admin for a Fortune 50 company with over 10K users, I am well versed in security concerns. And I've found in my 11 years in the field that the best defense is an educated user.

So, my recommendation would be to make it very clear to your Mac users that these things can be quite easily avoided by using a bit of common sense, most namely:

1. Before you install any software downloaded from the Internet, make sure you trust the source of the software. Also, make sure you know what the program is and what it does.
2. If you install any software downloaded from the Internet, be particularly cautious about installing it if you are prompted for your password during the installation (this means that the software wants to modify system directories or files).
3. Turn on your OS X firewall in the Security preferences pane. Go into Advanced and enable "Stealth Mode". This makes your computer invisible on any network you might happen to connect to, and therefore will make it that much more difficult for a motivated hacker to locate to do any damage to.
4. Keep your software and operating system up-to-date. When prompted to update a software package, particularly things like Java, Flash and other web-enabled technologies.

Kind regards,
Roberto

Right back at you. Take it easy.
 
Joined
May 25, 2010
The problem is not self-replication, it's the users' behaviour. You know as good as I do how difficult it is to educate them. These are young students. They just won't listen. Not until they have a problem. So instead of running after them to clean up their mess, I'm more into proactive measures. After all, I'm trying to protect their data. And the only real threat at the moment are their own computers.

If you look at a mac as a single unit, you probably won't need additional protection. I agree. But that's a rather egoistic view. As soon as you exchange data with the outside world, there is a high probability that you will run into problems.

I'd be very interested to hear how you handle data exchange issues but this is probably not the right thread.
 

cwa107

The problem is not self-replication, it's the users' behaviour. You know as good as I do how difficult it is to educate them. These are young students. They just won't listen. Not until they have a problem. So instead of running after them to clean up their mess, I'm more into proactive measures. After all, I'm trying to protect their data. And the only real threat at the moment are their own computers.

I would say the issue is their own behavior. If we were talking about the tens of thousands of different maladies that Windows users are likely to encounter, that would be a different story. But we're literally talking about 2 malicious programs, both of which are rather simple to avoid.

The trick is in how you educate them. I'm a parent of two young children. They don't tend to listen to much that I say, but I make sure that they understand the true dangers in life - don't go with strangers, look both ways before you cross the street, that sort of thing.

If you can't get the message across, requiring proactive measures for your network is probably the right answer in your specific situation. But any responsible adult should be able to get by just by following a few simple and common sense measures. That's why we make the recommendations we do here. It has nothing to do with ego and everything to do with the current sad state of AV products for the Mac and the present threat level (which is practically non-existent).

I'd be very interested to hear how you handle data exchange issues but this is probably not the right thread.

In my professional life, I don't have any responsibility for Macs. My Windows machines run a combination of McAfee VirusScan Enterprise, Anti-Spyware, and Data Loss Protection (to limit the ability of using removable media), with policies enforced by EPO.
 
Joined
Apr 26, 2008
I agree with Roberto with regards to the challenges companies face today, not just an individual computer.
Being responsible for IT Security in a top 500 FMCG company (80.000 users), I constantly ask myself the one question:
- How do we know we are targeted and worse, how do we know we haven't been hit already?
End-user awareness is crucial, but the effectiveness of that control sits with end-users.
When you say "you must only visit sites that can be trusted" ... how can you tell?
It's not that these sites show a "trust me" certificate on their landing page.
When you connect to your bank, they will know who you are, but how do you know you are talking to your bank, before you enter your credentials?

Bottom line is that everyone is pointing to someone else, assuming that other people have their controls in place .... always trusting other people.
You can only trust yourself and take 5 minutes to assess what risks you are exposed to and what you intend to do about them.
In today's environment, a risk accepted by one is a risk shared by all, as painfully experienced by people every day.

I posted some info on here over the past two years on this subject, and it always strikes me that people still talk about viruses/trojans/worms whilst it doesn't make a difference ... the damage is the same ... it's just semantics.
(Of course you can be selfish and say that the damage did not affect you personally because you have OS X)

The simple fact that there are so many posts on the forum with questions on malware is a good thing, means that people are thinking. Maybe it is time to close this thread and create a new sticky that better reflects today's situation ... just my 2 cents.

Anyway ... I had to get this off my chest in an attempt to inform people on malware. Rest assured, I love OS X and I do understand that OS X is less prone to ... viruses :) ... compared to other OS's.

Cheers ... McBie
 
Joined
Oct 3, 2009
OSX.Keylogger and OSX.Remoteaccess


What are these, and do they affect Snow Leopard? Leopard? Tiger? Older OS X versions?

Apparently these have propagated back in April.
 

pcs

Schweb, which one do you use? Sorry about this. I'm new to this and am having issues with my MAC. I love it, but now I'm not able to login to my eBay account and reading some of these posts, I thought it could be a virus. Something weird did happen the other day. I was researching and accidentally clicked on a banner ad, I could hear it running in the background and closed my browser and deleted the cache, but since then it is still acting strangely.
 
OP
schweb
Schweb, which one do you use?

I run ClamXav.

I'm new to this and am having issues with my MAC. I love it, but now I'm not able to login to my eBay account and reading some of these posts, I thought it could be a virus. Something weird did happen the other day. I was researching and accidentally clicked on a banner ad, I could hear it running in the background and closed my browser and deleted the cache, but since then it is still acting strangely.

I highly doubt it's a virus. I'd suggest resetting your eBay password and if that doesn't work, try posting a thread in the OS X Apps forum to see if someone can help you out.
 
Joined
Jul 18, 2010
You sure about that?

"There has never been a virus or spyware released for Mac OSX to date."

I find that very, very hard to believe. Perhaps you just haven't heard of any. But saying that there's never been a virus for Macs seems like quite the overstatement IMO.

Just Googling "First Mac Virus" brought me to this...

First ever virus for Mac OS X discovered

Macs are great products, as I'm just finding out (new Mac owner). I just don't understand why people fabricate the truth to make Apple products seem magical.
 

cwa107

Trojans, yes. Viruses, no. There's a difference that matters in terms of your approach to prevention.

"There has never been a virus or spyware released for Mac OSX to date."

I find that very, very hard to believe. Perhaps you just haven't heard of any. But saying that there's never been a virus for Macs seems like quite the overstatement IMO.

Just Googling "First Mac Virus" brought me to this...

First ever virus for Mac OS X discovered

Macs are great products, as I'm just finding out (new Mac owner). I just don't understand why people fabricate the truth to make Apple products seem magical.
 
Joined
Oct 13, 2009
worm

I am using both ClamX and iAntivirus, and every time my friend saves a file from my MacBook Pro to his flash drive and then plugs it into his PC, his Norton antivirus says there's a worm or virus. He said this never happens when he copies files from his grandfather's Mac.

I have run virus checks multiple times throughout the months and it never finds anything! Yet here we are months later, and he came by the other day and was working. We copied a file and sure enough, Norton kicked in and cleaned a worm from his flash drive.

I'm baffled and open to any suggestions. I don't have money to spend, so the least expensive solution would be great!
 
chas_m
Norton is, simply put, mistaken. You can email a virus or worm to a PC user, but you can't pass one on unintentionally just via a flash drive.

There's something about your machine (probably invisible DS_STORE files) that Norton is flagging incorrectly.
 
Joined
Oct 13, 2009
Norton is, simply put, mistaken. You can email a virus or worm to a PC user, but you can't pass one on unintentionally just via a flash drive.

There's something about your machine (probably invisible DS_STORE files) that Norton is flagging incorrectly.

Ok forgive the ignorance. I'm still pretty new to Macs. I assume DS_STORE files are nothing to be worried about?

I knew my way around PCs pretty good, viewing hidden files, knowing what and how to make changes, etc. I haven't a clue what I'm doing on a Mac. Is there somewhere to go where I can learn the ins and outs (I'm not talking about just how to use my Mac) of the intricacies to get a better understanding of how to tweak when necessary?

Thanks for the reply!
 

cwa107

Ok forgive the ignorance. I'm still pretty new to Macs. I assume DS_STORE files are nothing to be worried about?

I knew my way around PCs pretty good, viewing hidden files, knowing what and how to make changes, etc. I haven't a clue what I'm doing on a Mac. Is there somewhere to go where I can learn the ins and outs (I'm not talking about just how to use my Mac) of the intricacies to get a better understanding of how to tweak when necessary?

Thanks for the reply!

Find out which specific file Norton is concerned about (it should give you path and filename) and what malady it identifies it as (usually it will have a short description). Then we'll have a better idea of what we're dealing with.

Here's a description of DS_Store files:

.DS_Store - Wikipedia, the free encyclopedia
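
Added example, not part of the original thread or any poster's reply: a Python triage script for the flash-drive question discussed above. It separates the metadata files a Mac writes to a stick (.DS_Store and "._" sidecar files) from the items a Windows scanner would care about (autorun.inf and files that start with the "MZ" executable header). All function names are hypothetical and the sample files are constructed, harmless stand-ins.

```python
import os

def classify(path):
    """Label one file: 'mac-metadata', 'autorun', 'pe-executable' or 'other'."""
    name = os.path.basename(path)
    if name == ".DS_Store" or name.startswith("._"):
        return "mac-metadata"      # Finder view settings / AppleDouble sidecar files
    if name.lower() == "autorun.inf":
        return "autorun"           # Windows AutoRun instructions
    try:
        with open(path, "rb") as fh:
            if fh.read(2) == b"MZ":    # DOS/PE header: a Windows program or DLL
                return "pe-executable"
    except OSError:
        pass                       # unreadable file: leave it as 'other'
    return "other"

def autorun_targets(path):
    """Return the programs an autorun.inf asks Windows to launch."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in ("open", "shellexecute"):
                targets.append(value.strip())
    return targets

def triage(volume):
    """Walk a mounted volume; return {relative path: category} for notable files."""
    report = {}
    for root, _dirs, files in os.walk(volume):
        for name in files:
            full = os.path.join(root, name)
            kind = classify(full)
            if kind != "other":
                report[os.path.relpath(full, volume)] = kind
    return report

def build_sample_volume(root):
    """Constructed sample data: harmless stand-in files, no real malware."""
    os.makedirs(os.path.join(root, "tools"))
    samples = {".DS_Store": b"\x00\x00\x00\x01Bud1", "notes.txt": b"hello",
               "autorun.inf": b"[autorun]\r\nopen=tools\\setup.exe\r\n",
               os.path.join("tools", "setup.exe"): b"MZ" + b"\x00" * 62}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    import sys
    for rel, kind in sorted(triage(sys.argv[1]).items()):
        print(kind, rel)
```

Run it against the mounted stick (for example a path under /Volumes) and compare the output with the path and filename the Windows scanner reports.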
 