Mac and the State of Malware

To add to what Thomas has said.

You are conflating a user (human) interaction with all the interactions that are continuously happening all the time in a modern computer. And by modern I mean most anything made in the last 20 to 40 years.

If you bring up Activity Monitor from your Utilities folder you’ll see dozens or hundreds of applications running. Most setups easily have over 100 applications running. I just quit out of the more than a dozen applications with a user interface and still had over 400 tasks/applications running on my system. And each of these is “doing something”. Watching for a Wi-Fi or Bluetooth interaction or connection. Maybe a wired network interaction. A USB port being plugged into something. (Your keyboard and mouse are USB devices these days even if you don’t see the cables.) The battery reporting its charge state. The microphone detecting “Hey Siri”. (The last one is way over simplified but the mic is always on.) There is ALWAYS networking traffic flowing and tickling your ports. It’s just the way networks work these days.

Open up a browser window? Now you have all kinds of stuff going on. Gmail’s web site does live updates to your browser window as emails come into your inbox. Shutting down the JavaScript that allows this to work will break most web sites these days. Not to mention all those ads and similar things that can happen. The Ghostery plug-in has over 5000 items in its inventory of things you can allow or not. (Trust your bank. Don’t trust “we give you free stuff all day long”.) (I’m a big fan of Ghostery.)

The problem is mostly software errors. With a few issues resulting from bad standards. When everyone plays by the rules things work almost all the time. But the common example is a buffer overflow.

If the rules say the sender can ship between 1 and 80 characters and it ships 81 well that’s too many. But if the receiving system doesn’t check suddenly there is 1 character where it should not be. And in the bad early days of malware, a bad actor would literally ship a very long string of data containing some code that would wind up where it would get executed and the malware then be in charge.

Most of this simplistic attack is now checked against. And standards tightened up to avoid such things. And modern operating systems internally do things to make these attacks very much harder than before. No developer with any sanity writes code anymore that just assumes everything it is handed is perfect. But still you can get into problems when the receiving system checks but doesn’t address being told a billion or so characters are coming and barfs. And said barf is in a predictable way such that a system can be compromised.

And this is why every now and then you read about how an unread email or “text” message can compromise a system.

As a side note there are various TLA (Three Letter Agencies) and similar that work hard at finding software bugs that will let them break into a system. And they hold these close to their vest. Especially the really obscure ones. So they can target a small subset of high value targets. Presidents, generals, ambassadors, banking C-suite folks, etc… These tend to almost all be what are called 0 day exploits. But others are packaged up and sold as a “how to steal from others” kit. Which is what most of us have to deal with in terms of malware. (Ukraine was a center of such things prior to 2014. Long interesting history that ties to the current situation there but I digress.)

Anyway, all of the decent Malware fighting companies work continuously to look for and stop attacks that have been spotted. And the bad guys love systems that are no longer being patched.

Personally I like MalwareBytes. And I’m not a fan of Norton. I’ll leave it at that.

But how can they get into my system? Well, there are a lot of malware tool kits that are sold that spread by various means. Many of these run on Windows computers. So if your best friend or son’s girlfriend brings an infected computer to your house and you let it on your network it might try and infect your security camera, printer, TV (most TVs have terrible security), whatever is connected to your network and has an exploitable embedded OS. Even some routers. Or attach some bad bit to emails sent to you. Or ….

How do you deal without becoming a hermit? Well assume the really really really sophisticated attacks are not aimed at you. These can cost the attacker $100k or more per device attacked.

At a lower level, in your home, don’t allow unknown computers on your wired network. Use a Guest network that can’t see anything else in your house. Don’t plug in that odd USB drive unless you know where it came from and why and preferably have some malware detection software running.

Keep your systems up to date.

In your browsers, well what I do is

  • Show full web site addresses in Safari or others
  • Turn off the “Open Safe Files” in Safari or others (This one surprises me that Apple has this option.)
  • Install Ghostery on all my browsers (I have Safari, Chrome, and Firefox)
  • Don’t give web sites access to your contacts or similar. Just say no.
  • Set your browsers and email applications to have you pick where to save things.
  • Periodically look in:
      • ~/Library/LaunchAgents
      • ~/Library/LaunchDaemons
      • /Library/LaunchAgents
      • /Library/LaunchDaemons

This last one is a bit of a geek thing but this is where things are placed that auto run without you asking. There are a few more but if you’re geeking at this level you can find them. Please NOTE that these things must exist today. If you have some anti malware software it will have entries in one or more of these places so it can run all the time.

And a very very very big one. Think long and hard before installing any browser plug in. These things will get to see EVERYTHING you type and is displayed. EVERYTHING. Those coupon / shopping savings plugins cost real money to develop and maintain. This money comes from them selling your information to others. Nuff said.

Think about using your computer like visiting a hospital. If you see a $20 bill on the corridor floor would you just pick it up and shove it in your pocket? Or walk into a room not knowing what is in it and why you are walking in? Not me.

Later

5 Likes
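The two failure cases the post above describes, 81 characters shipped into an 80-character field and a sender that announces a billion characters it never sends, written out as an added C example that is not part of the original post. The four-byte length header is a constructed wire format for illustration only, not any real protocol; the “before” receiver is kept only to show where the missing check sits, and the messages it is run on are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The "rule" from the post: a field carries between 1 and 80 characters. */
#define FIELD_MAX 80

/* Constructed wire format for this example only (not any real protocol):
 * 4-byte little-endian declared length, followed by that many payload bytes. */
static uint32_t read_declared_len(const unsigned char *msg)
{
    return (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
           ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
}

enum recv_status {
    RECV_OK = 0,
    RECV_TOO_SHORT,   /* message has no complete length header */
    RECV_BAD_LENGTH,  /* declared length outside 1..FIELD_MAX */
    RECV_TRUNCATED    /* declared length exceeds what was actually received */
};

/* "Before": the receiver believes whatever the sender declares.
 * A declared length of 81 writes one byte past the end of out[]; a declared
 * length of a billion reads far past the end of the message. Shown only to
 * make the bug concrete; it is never called with an oversize length here. */
static void receive_unchecked(const unsigned char *msg, char out[FIELD_MAX + 1])
{
    uint32_t declared = read_declared_len(msg);
    memcpy(out, msg + 4, declared); /* no bound on declared */
    out[declared] = '\0';           /* may also land out of bounds */
}

/* "After": every claim the message makes is checked before it is used.
 * Lengths outside the rule are rejected, and so is a declared length the
 * message does not actually contain (the "told a billion characters are
 * coming" case), so no read or write can leave the buffers. */
static enum recv_status receive_checked(const unsigned char *msg, size_t msg_len,
                                        char out[FIELD_MAX + 1])
{
    if (msg_len < 4)
        return RECV_TOO_SHORT;
    uint32_t declared = read_declared_len(msg);
    if (declared == 0 || declared > FIELD_MAX)
        return RECV_BAD_LENGTH;
    if (declared > msg_len - 4)
        return RECV_TRUNCATED;
    memcpy(out, msg + 4, declared);
    out[declared] = '\0';
    return RECV_OK;
}

/* Builds a constructed message: the header declares `declared` bytes, but
 * the payload holds `payload_len` bytes of 'A'. Returns the message size. */
static size_t build_message(unsigned char *buf, size_t buf_len,
                            uint32_t declared, size_t payload_len)
{
    if (buf_len < 4 + payload_len)
        return 0;
    buf[0] = (unsigned char)(declared & 0xff);
    buf[1] = (unsigned char)((declared >> 8) & 0xff);
    buf[2] = (unsigned char)((declared >> 16) & 0xff);
    buf[3] = (unsigned char)((declared >> 24) & 0xff);
    memset(buf + 4, 'A', payload_len);
    return 4 + payload_len;
}

/* Convenience wrapper: build a message and run the checked receiver on it. */
static enum recv_status try_receive(uint32_t declared, size_t payload_len,
                                    char out[FIELD_MAX + 1])
{
    unsigned char msg[4 + 256];
    size_t n = build_message(msg, sizeof msg, declared, payload_len);
    return receive_checked(msg, n, out);
}

int main(void)
{
    char field[FIELD_MAX + 1];
    unsigned char msg[4 + 256];

    /* Everyone plays by the rules: both receivers behave identically. */
    build_message(msg, sizeof msg, 5, 5);
    receive_unchecked(msg, field);
    printf("unchecked, 5 bytes: \"%s\"\n", field);

    printf("checked, 5 bytes: status %d\n", try_receive(5, 5, field));
    printf("checked, 81 bytes: status %d\n", try_receive(81, 81, field));
    printf("checked, claims 1e9, sends 8: status %d\n",
           try_receive(1000000000u, 8, field));
    printf("checked, claims 40, sends 8: status %d\n", try_receive(40, 8, field));
    return 0;
}
```

The point the post makes is visible in the first call: with a well-behaved sender the unchecked receiver looks fine, which is why such bugs survive testing. The checked receiver differs only in the three comparisons before the copy, and the third one is the case the post singles out, where the length was “checked” against the rule but not against how many bytes actually arrived.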

This thread has reminded me that I haven’t run DetectX Swift in a while. It updated to a new version (1.0983) and then ran, and ran, and ran…not so Swift anymore. In fact it ran for 20 minutes and still came to no conclusion. I tried to go to sqwarq.com and see if there was an issue with macOS 13.0.1 but I’m told the website cannot be found. Has Sqwark folded up?

PS tried it with Safari instead of Firefox and this time I get a page telling me it is for sale. RIP, DetectX Swift.

1 Like

I suspect he just forgot to renew the site. He has a #detectx channel on Slack MacAdmins and you can contact him on his Twitter Account @philofishal (which was active today) or email sqwarqdev@icloud.com or Mastodon http://infosec.exchange/@philofishal

Thanks, I’ve sent an e-mail. Deleting everything with AppDelete, reinstalling (I found the download page at https://s3.amazonaws.com/sqwarq.com/AppCasts/dtxswift_release_notes.html ) and then trying again resulted in the same behaviour - a search that goes on forever.

Wondering if this board has a view on the antivirus app called Sophos. It is a cloud based solution that works on multiple machines. I have been using Sophos home version after I experienced a lot of slow downs from Norton.

Been using Sophos @ Home for a few years now. I find it free, lightweight, and picks up the odd infection, usually a macro virus in email attachments. No negatives to using it, although there may be more effective options out there.

I maintain a Web site called:

Macintosh Slowdown Solutions
http://www.macattorney.com/sd.html

where I try to keep track of the most common things that cause users’ Macs to suddenly and precipitously slow down, and offer solutions to this.

I hear from folks whose Macs have slowed down quite frequently and I usually assist them in troubleshooting the problem. I’d say that 85 to 90% of the time, the problem turned out to be due to fully interactive anti-virus software, and in about 95% of those instances, the problem was due to the free version of Sophos. I think that Sophos causes more problems than it prevents, and that it is best to stay away from.

2 Likes

No reply from Phil Stokes, and sqwarq.com is still unreachable. It doesn’t look like we can rely on DetectX Swift any more.

Setapp users…

CleanMyMac X has a simple “Malware Removal” thing that scans your machine in ~60 secs for bad stuff.

Although I don’t use the app for much else, as it thinks it wants to remove all kinds of other stuff for me that I actually want to keep. ;-)

Thank you Randy. Based on the board comments, my experience of some random slow downs in certain situations, and the good recommendations about Malwarebytes, I deleted Sophos Premium (paid) on 2/3 of my machines and installed Malwarebytes.

Though folks may have different goals, I believe I should be running some anti-virus software. I understand there is some overhead on the system, but if I have an effective product with minimal overhead, for now I am making that choice. I have heard many people I respect make the case that no anti-virus software, other than keeping up with Apple OS security updates, is needed these days.

I was also considering going back to ClamAV, as I ran it for a long time, but making a change for now.

The board discussion has been very helpful for my decision process. Thank you.

My personal recommendation is that Malwarebytes isn’t the way to go if you are serious about wanting extremely effective anti-malware software. Malwarebytes is excellent with respect to ridding one’s computer of adware after one is infected. It’s excellent if you ever need that. (Adware has sort of disappeared recently since Apple started deprecating extensions and Flash was discontinued.) However Malwarebytes also holds itself out as a comprehensive anti-malware (i.e. anti-virus) solution. It isn’t.

Run a scan using Malwarebytes. How long does it take? A minute or two…maybe three? Run a scan using a traditional commercial anti-virus product. How long does it take? Probably an hour or two.

So, ask yourself, can Malwarebytes be doing a comprehensive scan of everything on your hard drive for malware? The answer is that it can’t possibly be doing so in so little time. Malwarebytes looks for certain file names in certain locations. That’s not nothing, but it’s also not fully comprehensive. Malware has been known to hide within files, and the places it resides and the names of its files can be changed at the drop of a hat.

I’m guessing that if you have decided that you want AV software installed, that you want really comprehensively effective AV software.

Instead, I suggest that you download and use this free product:

VirusBarrier Free Edition (free)

This is a full version of Intego’s anti-virus program VirusBarrier [usually $40/year] minus some of the automated scanning features in the commercial version. Because it isn’t a fully interactive product, you should never have a problem with it reducing your Mac’s performance, or worse, bringing your Mac to its knees. For those who don’t know, Intego’s VirusBarrier comes from a company that only creates software for the Macintosh, unlike just about all other AV developers, who sell ports of Windows products. And Intego is extremely effective at discovering new malware as it comes on the scene and quickly updating their product to protect against it.

If you are running a very recent version of the Mac OS, you should really read this article:

However, even ignoring that, let me just give you my personal empirical story. (Yes, the sample size is N=1, but it still might be of some interest.)

Since the introduction of OS X, about 20 years ago, I’ve been running fully interactive commercial anti-virus software (Intego’s commercial version of VirusBarrier. VirusBarrier has won all of the believable comparison tests that I’ve read.) I don’t run it because I believe that I “need” it. (I don’t believe that I need it at all.) I run it because my profession requires that I run AV software as a “best practice.”

I surf the Web with abandon. I often download and test new software. I stream movies, etc. I don’t, however, frequent torrenting sites, and I don’t download pirated software. In the past 20 years, VirusBarrier has often “warned” me about stuff, but it has never “saved” me from anything that I truly needed to be saved from. Sure, it’s warned me about phishing attempts, but those are really easy to spot if one isn’t completely gullible. It’s picked up Windows viruses that showed up as e-mail attachments, but those don’t run and are harmless on a Mac and they are easy to spot and just trash. It’s flagged false Flash installers, but I never would have been stupid enough to install a copy of Flash that I had gotten from anywhere other than directly from Adobe’s Web site anyway. (Flash is gone now, so that problem is moot now.)

So, the point is that I paid for 20 years of the very best anti-virus software for the Macintosh that I could find, and it was entirely a waste of money. The Macintosh isn’t Windows. It may superficially look the same, but it’s really different. The common wisdom that your Windows-using friends offer that you really need AV software…is just wrong. But if you are paranoid, now you can use an entirely free version of VirusBarrier. Please let us know if it ever actually saves you from anything that you needed saving from. (Or, if you are using a recent version of the Mac OS, please let us know what the redundancy is doing for you.)

3 Likes

There’s never been a virus on MacOSX.

From memory, they are also a company that once developed a Mac virus to show that their AV software can find viruses. An ever so slightly odd business model, and it made me give up on this company for good, as in ‘forever’. My own experience of the time was that it slowed the Mac down quite a lot. I accept that I’m talking about a somewhat distant past, YMMV and all that.

1 Like

If you read the article, you’ll see that there are no viruses mentioned that apply to the Mac.

1 Like

Any good security professional will subscribe to “defense in depth”. Just because “no viruses exist” for macOS does not mean that malware can’t spread using macOS to carry infected files.

There may be situations where Apple’s protections are sufficient. There are also ones where they are not, because XProtect Remediator is focused on macOS executables.

Ultimately you need to judge your own tolerance for risk and the tolerances of those around you. Then make the decision whether to run a third party AV solution or not.

They explain why. They are not scanning every file on your computer for a malware signature, but are instead looking at the files that each piece of malware in their database is designed to infect.

This means that they will miss a piece of malware if it is not in the expected location (e.g. a malicious browser extension that is not actually installed in your browser), but if their database is accurate, those items will not pose any danger unless you take action to install it.

It’s a different philosophy. Not necessarily better or worse, but it is important to understand that difference so you know what the software will and will not do when you use it.

4 Likes

Well… what it really means is that no virus can spread on a Mac.

Malware is a broader term and how you deal with it depends on 1/ what you know about it and 2/ how you behave as a user.

Personally, I prefer to be careful rather than install something that gets profound access rights to my Macs/Network. These apps have caused more problems than they solve for decades. MacKeeper is a good example. Norton was like filling your Mac with treacle.

2 Likes

Well, that statement opens a can of worms.
It is demonstrably false no matter how you meant it.

Traditionally Windows users (and the general media and public) define a “virus” as “all malware.” Macintosh users tend to use a narrower, and more technically correct, definition. Mac users traditionally define a “virus” as a piece of “self-propagating malware.”

The latter definition excludes Trojans, adware, spyware, etc.

There is an archive of all existing Macintosh malware (all since the advent of OS X) that all of the AV software companies use to analyze what’s out there and to create definitions for detecting and dealing with malware. I just looked, and currently it contains 138 examples of Mac malware.

There are no viruses (defined as self-propagating malware) currently running around in the wild for the Macintosh. However, there have been two “proof of concept” viruses for the Macintosh. One was non-malicious and the other the Mac OS has been patched against so it is now extinct in the wild. They were apparently created to make the point that creating an actual virus for the Mac is possible (if not necessarily easy.)

However, if you use the term “virus” to refer to all malware (as most Windows users do), then saying that there “are no viruses for the Macintosh” is really far from being correct. While the amount of malware for the Mac isn’t in the same ballpark as for Windows (less than 150 mostly innocuous or extinct examples for the Mac, compared to over A COUPLE MILLION (!!!) for Windows), malware for the Macintosh definitely exists. (There is an open source database of malware for Windows.)

Which isn’t to say that any Macintosh users have to be paranoid about malware. There is extremely little malware for the Mac that is currently running around in the wild that is capable of infecting users’ computers. If you go on a very large Macintosh discussion list, NO ONE is complaining about having been infected by malware. And the Macintosh has had several layers of anti-malware software built-in for a bunch of years now, which has recently become quite a bit more interactive. By and large, most Mac users have done completely without third party AV software, and everyone has been fine.

5 Likes

Yes, they do. And unless you fall for their marketing BS, you have to come to the conclusion that Malwarebytes does a nice superficial job of finding malware that is dead easy to find, and that it does an entirely inadequate job of finding malware that has been written to evade such lazy detection.

Once again, it’s up to you, but if you have decided that you want or need AV software, I’d have to assume that you would prefer AV software that does a superior job of detecting malware. You can’t even use the argument that Malwarebytes comes in a free version. So does VirusBarrier, which doesn’t do a superficial job.

2 Likes

Windows zealots like to go around saying that Macs can spread viruses to Windows PCs and they may even refer to Macs as “Typhoid Marys.” At best, this sort of statement is ill-informed, and at worst it is a nefarious lie.

Macs do not spread Windows viruses and there is no sound reason why Mac users need to be using anti-virus software to protect Windows users from viruses.

Windows viruses usually show up in one of two ways on a Macintosh. First, they can show up as an e-mail attachment to a message sent out by a Windows virus on a Windows computer. In this case, the attachment won’t run on your Macintosh and it will open (if at all) as just a mess of code in a text editor or word processing program. It can’t do any harm to your Mac. Since a Windows virus can’t run on a Mac, it cannot re-e-mail itself out from a Macintosh (i.e. it cannot be self propagating). Such a virus will be easy to spot and just trash. There is little to no chance of spreading such a virus to a Windows using colleague.

The second common way to get a Windows virus on your Mac is to receive a Word or Excel macro virus as part of a Word or Excel document that someone sends you. You should have “Macro Virus Protection” turned on in the preferences of both of those applications, which will keep any unidentified macros from running. Documents with unidentified macros should never be sent to others.

So, if a Mac user exercises the slightest amount of care, the likelihood of a Mac user accidentally infecting a Windows-using colleague with a virus is ridiculously low. No virus detection software is required to protect Windows-using colleagues.

Possibly more importantly, Macintosh anti-virus software isn’t designed to identify all Windows viruses. Even the best Macintosh anti-virus programs only identify the most common Windows viruses. (I’ve asked.)

In any case, any Windows user who isn’t running good, meticulously updated anti-virus software to protect themselves, frankly, has only themselves to blame if they become infected. There are over TWO MILLION viruses for Windows!!!

Windows users should protect themselves. They shouldn’t have to rely on Mac-using colleagues to use AV software to protect them from the minuscule possibility of receiving a Windows virus from a Mac user. Windows viruses are Windows-users’ responsibility.

1 Like