Mac & The State Of Malware

I want to start a discussion of the state of malware on the Mac.

I have always understood that software, of any sort, could not run without action first on the part of the user. That action may be an email attachment with a self running macro in Word or Excel. Still, you would have to open the doc first AND allow an application to automatically run a macro without asking first.

It may be downloading AND INSTALLING software you don’t know.

Can malware be installed, without user action, from a website popup window? Can it be installed, arriving as an attachment on spam email, that you don’t open? What if you do open the email but not the attachment?

I’ve used different anti-virus and anti-malware software in the past, but never kept any of it up to date, thinking that by practicing safe computing, I was safe. I’ve been malware-free using Macs in our office since 1985. Still, my wife recently has had a horrid infection with malware installed

What do other people know? What prevention software are you using, if any?

I gave up on anti virus software when a company I worked for that used Macs caught a virus around 1997 or so, even though they used Norton. Since around that time, Apple’s software updates have also focused on regularly including very effective antivirus and malware measures. I’m very mindful about not clicking on anything that might be in the slightest bit suspicious, either in an email attachment or link, a browser page, or something on a memory stick.

When I did use Norton, it really slowed things down on the Macs I was using. I’ve never missed it.

Here’s Josh’s swan song about the latest Mac update:

That’s not quite true in that one type of malware called Virus has the capability of both infecting by itself and spreading to other devices without user interaction. There hasn’t been an instance of a Mac or iDevice virus since the introduction of Mac OSX and iOS. That doesn’t mean there could be such malware developed in the future.

Possibly, using javascript, but the popup window wouldn’t be necessary, simply a distraction. This is generally known as a drive-by infection and there have been a very few instances with macOS. Probably been patched by now.

Both doubtful. I’m unaware of either happening.

I would only challenge the use of “very effective” there. It took a very long time for Apple to guard against any kind of adware, which has been the most common Mac malware for a decade or more. And they were always days or weeks behind on countering zero-day infections. With the recent introduction of XProtect Remediator as a replacement for MRT, they may have cut that down to two weeks or less and the promise of “Rapid Security Responce” being tested now, that has the potential of being as fast as the various Anti-malware apps are at keeping up today.

I’ve been using ClamXAV for years, and set it to update virus signatures daily. I don’t use it to scan hard disks regularly, but it’s set to scan automatically everything that goes into the Downloads folder - which is where Mail saves attachments to, and where all browsers store downloaded files.

The cost is about 30€ for 2 years, although I think that’s cheaper as if you’d get it now, as I was grandfathered in for a cheaper tier due to owning the app before it became a subscription service.

In the 7 years or so I’ve been using it, it has caught something 2 or 3 times, if memory serves. And at least one of those wasn’t a virus but an adware-infected, but otherwise legitimate, software. So, I’m not sure how great the risk is to Mac users that are discerning where they surf and what they click to begin with, but the piece of mind is certainly worth €1.50 per month to me. YMMV.

1 Like

Great idea. Get ready for 10,000 different views. :) I use:

  1. Malwarebytes, free and run it manually.
  2. Virusbarrier Intego free from Macapp store and run it manually.
  3. DetestX Swift and run it manually.
  4. XProtectMediator or whatever it is called.
  5. Lulu, Oversight, BlockBlock, Ransomewhere all I think from Objective-see.org
  6. CleanMyMacX > Protection > Malware Removal occasionally
  7. I never run any of them at same time.
    Best, Patrick

From a theoretical point of view, we already know that this can happen. Pegasus at one point famously used (uses?) a specially-crafted SMS message that the user never opened, never viewed, that still infected an iPhone to the point that the user could be tracked to the minutest detail.

I think that Messages and phone calls are special on iPhones - there are parts of the firmware that handle them outside big iOS, as I understand it - but I think that MacOS is more open, less locked down than iOS and wouldn’t be surprised if there is some sort of attack vector, discovered or unknown, that could be taken advantage of in a similar way. We know that there can be junk filtering and rules processing of mail messages before you even view them on MacOS mail - perhaps there os a way to take advantage of something like that. (Windows in the past was attacked in a similar way as it used IE as a web view engine, and there were attacks that used malformed mail messages to take advantage of IE vulnerabilities even without viewing a message.)

So probably one of the best things we can do to prevent something like that is to keep MacOS updated as soon as Apple publishes security vulnerability updates. I know some hate what Ventura can’t or won’t do, or won’t do anymore, and it’s possible that adding new features/APIs adds new possible vectors for security vulnerabilities, but at least we know if Apple finds out about them, they will patch them as soon as they can, and I have less confidence that they will do so for older versions of MacOS.

Assume you do have Lulu, Oversight, BlockBlock & Ransomwhere running all the time, otherwise they are not effective.

You may want to consider one and only one that runs in Real-TIme/On-Access background mode to prevent malware from being installed. None other than the aforementioned Objective-See apps you list are capable of that. Either Malwarebytes for Mac Premium or Intego VirusBarrier X9 will do that, as does the previously covered ClamXAV and others that may or may not bog down your Mac.

Thank you. Yes, all Objective-see apps are continually running. The others are manual. Best, Patrick

Installed from a browser without interaction? As far as I know, all modern web browsers have features to prevent something like this.

You should always configure your web browser to never auto-launch downloaded content. For Safari, be sure to uncheck the “Open safe files after downloading” box on the General tab of the preferences:


Other web browsers may have other settings to control this.

Assuming your web browser allowed something to auto-execute (e.g. an installer of some kind), there is also the system permissions feature that will prevent a non-administrator from copying any content to the /Applications folder without getting you to provide an admin user name and password. Without that, it could still install something to your home directory, but that can limit the damage to your login, and probably protect the rest of the system.

Finally, there is Gatekeeper, which forces you to authorize any downloaded application the first time you launch it. If you’re not logged in as an administrator, you will need to provide an admin user name and password in order to do this. If the app is not digitally signed, Gatekeeper will refuse to let you launch it at all (although you can manually right-click on the app and select “Open” from there to authorize an unsigned app.)

So, there are several layers of protection that are designed to prevent software from auto-installing without your knowledge.

But all systems have bugs, so it would be foolhardy to claim that such a thing is impossible. Apple and other reputable software vendors will fix these bugs as they are discovered (which is why it is important to keep apps up to date), but sometimes they are exploited before they can be fixed (so-called “zero-day” exploits).

WRT anti-malware software, I have an installation of the free edition of Malwarebytes. I run a manual scan from time to time, when I think it’s been a while. So far, it hasn’t found anything, but I am very careful about what I download and where I download it from. I have never run a background-scanning app on my Macs. (I run Microsoft Defender on my Windows PCs, and don’t bother to run anything on my Linux systems, but that’s a different topic.)

re Ulf D comment …but it’s set to scan automatically everything that goes into the Downloads folder - which is where Mail saves attachments to, and where all browsers store downloaded files…

Many browsers such as Safari and Firefox and . . allow setting preferences for downloads to either a different volume or simply to desktop. Which then makes it easy to separately scan or evaluate and erase before doing damage. Yes the desktop folder is part of the user folder on the normal system disk. And even mail can be set via an ’ alias’ program AKA ‘symbolic linker’ ;to separate disks or volumes, reducing the ability of infecting the main software disk.

My own observations and short ddiscussions with knowledgeable types
seem to indicate that mail and ad stuff is the most common way to sneak in malware. Even answering a simple email from a known friend with correct name and email address - such as from " jim at xyz mail " " "joe- are you going to store today ? " so knowing your friend jim in the same apt building – you respond "Yes, what do you need " can trigger a major phishing email or worse within a few minutes. And it was NOT jims email system hacked or yours, but someone else you had both communicated with at sometime in the past.

With 11 plus BILLION emails addresses being exposed, its a good bet yours was at sometime in the past thru NO fault of yours.

Actually, that is not where Mail stores attachments, unless you open a message and use the paper clip icon in order to save the attachment, then point it to your download folder. Otherwise the attachment remains in your ~/Library/Mail/ directory, either still embedded in the message itself or in a separate “Attachments” folder if you have either opened it or it is an image you viewed when you opened the message. Sorry this is so confusing, but Apple had decided to make it so.

Also note that ClamXAV is configured to not scan emails:

# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
ScanMail no

I phrased that badly - what I meant is “The Downloads folder is where I have set my mail and browser apps to store attachments and downloads”, precisely so they will be scanned upon saving.

There are zero-click exploits in existence. They require no interaction from the user, and are usually targeted attacks, which means you are safer if you are a nobody. Any incoming traffic to your device, (mail, messaging, browser data, file transfer, network traffic) could be an avenue for zero-click attacks, but they are currently the rarest of threats. The Pegasus exploit of iOS is a well known example of a zero-click used to breach targeted iPhones. Apple closed that particular hole in iOS 14.7

Wondering if this board has a view on the antivirus app called Sophos. It is a cloud based solution that works on multiple machines. I have been been using Sophos home version after I experienced a lot of slow downs from Norton.
BTW, I am a former user of ClamXV and thought it was good. After I moved to Sophos, I removed Clam, or so I thought. When I run EtreCheckPro, it reports I still am running multiple antivirus programs–and I am sure that is not good if true. But I think I have removed ClamXV and its affiliated items. Thoughts?
Many thanks.