Recommendations for Mac antivirus software?

I use Malwarebytes also and it works fast using the free version.

Yes, they had to work on that issue and I haven’t seen any recent complaints about it. There is background activity associated with updating the malware database, but that doesn’t last long or often and isn’t a heavy CPU user.

1 Like

@Shamino is spot on. The Intego sponsorship happened way back in 2011.

I’ve been using Intego for several years, and in the past several months its scans have started spotting and quarantining malware that arrived as email attachments. I think that is getting more common now in the spam that slips through my ISP’s spam filter. Both my wife and I have hit odd things on the web that in one case required downloading Malwarebytes to clean up. Until we started having these problems, I was growing a bit skeptical about antivirus software, but now I’m coming to think it offers an important level of security.
One other thing I should mention. A year or so ago I tried tightening up privacy and blocking trackers and most ads, but eventually found that caused problems accessing banks and many web sites because they use trackers in their security monitoring systems. I gave up when those sites started putting up Captchas that I could not solve, which blocked my access to sites. Some digging found that was a direct consequence of blocking tracking, which I found disturbing.

2 Likes

I strongly suspect these are Microsoft documents that contain Macros, which are quite common these days, but are usually an actual threat only to Windows users. Intego doesn’t know what the targeted platform is, but will quarantine any such files just in case and to prevent you from accidentally forwarding an infected email to a Windows user.

I have used Intego but gave it up - it never found any Mac malware. Most of the time you don’t know it is running, but sometimes it could really hang a powerful system (iMac Pro) - particularly when copying large files. When you run a complete system scan for large disks (I have 6 TB of attached SSD storage) it can take a day to complete.

The other thing you can do to increase security is not to use an Administrator account. Your default account can be a normal user account - and the Admin account only used when necessary - or just sudo when necessary. For my wife’s iMac, I have an admin account and her account is a standard user account - she downloads a lot of crap and I can’t stop that!

1 Like

Offering a slightly different view, I’ve had to install Sophos AV software for a particular client. It has been interesting. I was a bit grumpy about having to do this because I’ve always been super careful with what I open, though I’ve almost been caught with some unfortunately timed phishing attempts.

There was an issue at first with Big Sur and it was unworkable on my main machine. I hear that’s fixed now, however at the time, we reverted to a Catalina machine where it’s running really well. It’s an older Mac mini but I haven’t noticed any performance hit.

Your mileage may vary.

Rob

1 Like

I had Sophos Home installed for several years in the past for testing purposes, but often had to uninstall/re-install it several times when it completely locked up my Mac. At some point in 2020 I permanently removed it from my Mojave Mac when it became totally unusable and have not tried it since.

Yep, have always been skeptical of A/V software for Mac.

The thing that’s most making me reconsider my position is ransomware.

Ransomware certainly needs to be a consideration as its impact can be devastating. The first thing to consider is multiple, solid, reliable backup plans. A backup that is attached to your computer is just as vulnerable to ransomware as your boot drive, so you need detached and off-site backups in addition to something like Time Machine.

That said, there have only been two or three ransomware threats against macOS and all were caught almost immediately and rendered inoperable with very few victims. In addition, malware criminals have quickly learned that it is not cost effective to go after individuals who can’t afford to pay enough to make it worthwhile. Much more money in attacking corporations or governments that are more likely to be willing to part with millions. And very few such targets will be relying on macOS to run their operations.

So any ransomware attack against macOS today will be a zero-day since none are known to exist today, which means that the AV utilities will almost certainly not be able to stop such an attack right away. A utility such as RansomWhere? would likely be able to alert you, but it also produces false alarms when it detects something compressing/decompressing or locking a file that is a normal operation by many updating processes, so the user will need to learn what’s normal and what’s not.

1 Like
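The false-alarm problem described above, as an added example (not code from the post or from RansomWhere?): a byte-entropy check of the kind such monitors rely on cannot by itself tell an archiver’s compressed output from an encrypted file, so a second signal such as a recognised container header is needed to stop legitimate compression from tripping the alarm. The threshold, the sample "files" and the header list are constructed for this illustration.

```python
import hashlib
import math
import zlib
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # assumed cutoff for "looks encrypted" (8.0 bits/byte is the maximum)
COMPRESSED_MAGIC = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda", b"\x1f\x8b")  # zlib, gzip

def shannon_entropy(data: bytes) -> float:
    """Average bits of information per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data: bytes) -> str:
    """Crude behaviour-monitor verdict on the contents of one newly written file."""
    if shannon_entropy(data) < ENTROPY_THRESHOLD:
        return "plain"
    if data[:2] in COMPRESSED_MAGIC:
        return "compressed"          # recognised archiver output: not an alarm
    return "encrypted-looking"       # high entropy with no known container header

def _constructed_report() -> bytes:
    # Constructed "document": log-style lines carrying per-line hashes so it has real content.
    lines = (f"2021-09-20 host{i:03d} session={hashlib.sha256(i.to_bytes(2, 'big')).hexdigest()[:16]} ok"
             for i in range(300))
    return "\n".join(lines).encode()

def _constructed_ciphertext() -> bytes:
    # Stand-in for ransomware output: a deterministic hash counter stream (not real crypto).
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(60))

SAMPLES = {
    "report.txt": _constructed_report(),
    "report.zlib": zlib.compress(_constructed_report(), 9),  # what a legitimate archiver writes
    "report.locked": _constructed_ciphertext(),
}

def classify_samples() -> dict:
    return {name: triage(blob) for name, blob in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} entropy={shannon_entropy(SAMPLES[name]):.2f} -> {verdict}")
```

Without the header check, the zlib sample and the ciphertext sample are indistinguishable to the monitor, which is exactly the false alarm an updater or backup tool can trigger.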

Well, off-site isn’t necessary for this purpose. But something disconnected (or at least powered off) when not actively making a backup is important.

Off-site backups are important to protect against something that damages/destroys the site itself - flood, fire, hurricane, etc.

I was actually recommending both detached and off-site, but didn’t state it properly. And there are a couple of approaches to off-site, actually storing media in a different location or using an online backup service like CrashPlan, BackBlaze, iDrive, etc.

That said, there have only been two or three ransomware threats against macOS and all were caught almost immediately and rendered inoperable with very few victims. In addition, malware criminals have quickly learned that it is not cost effective to go after individuals who can’t afford to pay enough to make it worthwhile.

What is your source for that? Are you referring to the attacks 5 years ago? Is that still true?

I agree that Macs are in a better position than - say - Windows PCs, but I’m not sure that’s as true as it used to be.

The size of the target I don’t think is germane in automated attacks. It’s like spam: they fire out millions of attacks hoping to get just a few successful hits. If you are one of the hits, you are still hit.

If you are in a mixed environment, the requirements change. If a ransomed client on your network sneezes, you might catch the cold.

If your work sits on a local network attached storage that gets infected, it doesn’t matter if you are Mac or PC, it’s compromised.

And you might not be ransomed, however, it isn’t a huge stretch to imagine that you might be a vector passing on an attack.

Circling back to my initial comment, if your contract requires you to adopt someone else’s protections (anti-malware) then you have to do it and it had better be good. Of course, it’s fun sometimes to turn this around and say to the client “how are you protecting me” but probably best to be judicious with such an approach.

In the course of a week, I connect to probably a few dozen different networks so I have to know that I’m a good citizen.

This is all an interesting discussion. Maybe an article about ransomware on the Mac would be interesting reading?

r

I collaborated with several others at the time, within minutes or hours of their discovery and yes, it was in 2016-17. I think the order was KeRanger (hacked Transmission app), Patcher (Adobe Premiere CC and Microsoft Office 2016 “cracks.”) and MacRansom (advertised as a “service” but never reported as an infection). There have also been two or three proof-of-concept papers, but again no reports of infection. All were short-lived before being removed or disabled and are considered to be extinct by most AV vendors. Still true.

If you are referring to malware in general, then yes there has been an uptick from year to year, but most of the macOS infections are nuisance adware and few are malicious.

None of the known macOS Ransomware attacks so far have been automated. They all required the user to download what they thought was a legitimate update or visit a known pirate site.

If you are saying that something on your Mac could be spread automatically to another machine, there hasn’t been such malware (a true virus) in decades. That’s one thing that Apple has managed to prevent since the inception of macOS in 2001. I suppose it might be possible for a Mac user to purposely forward some Windows ransomware to a PC user, I just haven’t heard of such a case.

I’ve not heard of a way to launch a ransomware attack from a passive storage unit, but it’s an interesting concept to think about how that could be made to happen.

Thank you. This and the following email from Al Varnell solved my problem trying to install the 11.6 Big Sur update. It would download (painfully slowly) and get about a third of the way through the Preparing Update phase then hang. I removed Sophos Home, and the update went off without a hitch. The machine was on Catalina when new, and Sophos Home didn’t prevent installing Big Sur, so I would never have suspected it of stalling the update. But apparently it did.

Disclosure: I know nothing about Ransomware or Apple’s FileVault.

Does encrypting a disk with FileVault offer any sort of protection from a Ransomware attack or would it simply re-encrypt the encrypted files?

No. FileVault is unlocked as soon as an approved user logs in, so it offers no protection from ransomware. It only protects your drive from being removed or accessed while none of those users is logged in.

Follow up question.

If the entire disk is encrypted with FileVault, how is it all unlocked when someone logs in? I’m assuming it would be decrypting files on an ‘as needed’ basis otherwise it would be trying to decrypt an entire disk at login (or am I completely misunderstanding how it works?)

Maybe it creates like a sandbox of user files which is protected by the key and access is unlocked and the files are actually not encrypted - just the access?

Files are decrypted on the fly when opened, so unlocking the drive simply makes the decryption key available to the OS. This does impose a 20-30% tax on the CPU to do so, but in my experience it isn’t perceptible and is probably improved by investing in a faster CPU, SSD and more RAM.

1 Like

FileVault 2 (the version used today, not the original version) works by encrypting a storage volume on a per-disk-block basis.

When you power-on the computer, the OS doesn’t actually boot. Instead, it brings you to a pre-boot screen that deliberately resembles the normal macOS login screen. When you log in to an account that is authorized to unlock the volume (or provide an unlock password), the pre-boot system loads the volume’s encryption keys (which are encrypted in a way that the pre-boot system can decrypt after you provide correct authentication), so it can access the encrypted volume’s blocks.

It then boots macOS, decrypting the disk blocks on the fly as it reads the storage. The volume’s encryption keys remain in memory until the computer is shut down. Even if you log off, if you don’t actually shut down macOS, those keys remain active in memory.

Once the volume has been unlocked, software doesn’t see the encryption at all.

Of course, if you encrypted files yourself (e.g. an encrypted disk image, zip file or any other mechanism), that encryption is distinct from FileVault. A malicious app would need to know its key in order to modify the contents. (Of course, it could still just delete the encrypted file or overwrite it with garbage. But it couldn’t replace the contents without making it inaccessible using the key you provided.)

1 Like
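A toy model of the key hierarchy the post above describes, written as an added example (not code from the post or from Apple): the volume key is wrapped under a password-derived key, unwrapped at "pre-boot" login, kept in memory, and then used to decrypt blocks on the fly, which is also why, as answered earlier in the thread, an unlocked volume gives no protection against ransomware. The HMAC keystream, PBKDF2 parameters, 16-byte blocks and XOR key wrapping are stand-ins for illustration, not FileVault’s real AES-XTS cipher or key-wrapping format.

```python
import hashlib
import hmac
import os

BLOCK = 16  # toy block size; real FileVault 2 uses AES-XTS over disk sectors

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _keystream(volume_key: bytes, block_no: int) -> bytes:
    # Toy per-block keystream (HMAC-SHA256 of the block number); stands in for AES-XTS.
    return hmac.new(volume_key, block_no.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]
def _kek(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)   # key-encrypting key

class ToyEncryptedVolume:
    def __init__(self, password: bytes, nblocks: int = 4):
        self.salt = os.urandom(16)
        volume_key = os.urandom(32)                 # the key that actually encrypts blocks
        kek = _kek(password, self.salt)
        self.wrapped_key = _xor(volume_key, kek)    # stored on disk; useless without the KEK
        self.wrap_tag = hmac.new(kek, self.wrapped_key, hashlib.sha256).digest()
        self.blocks = [_xor(b"\0" * BLOCK, _keystream(volume_key, i)) for i in range(nblocks)]
        self._key = None                            # powered off: ciphertext only, no key in memory
    def unlock(self, password: bytes) -> bool:
        # Pre-boot login: unwrap the volume key; it then stays in memory until shutdown.
        kek = _kek(password, self.salt)
        tag = hmac.new(kek, self.wrapped_key, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.wrap_tag):
            return False                            # wrong password: key stays wrapped
        self._key = _xor(self.wrapped_key, kek)
        return True
    def read(self, i: int) -> bytes:
        if self._key is None:
            raise PermissionError("volume locked: only ciphertext is available")
        return _xor(self.blocks[i], _keystream(self._key, i))   # decrypted on the fly
    def write(self, i: int, data: bytes) -> None:
        self.blocks[i] = _xor(data.ljust(BLOCK, b"\0"), _keystream(self._key, i))

def demo() -> dict:
    vol = ToyEncryptedVolume(b"correct horse")
    try:
        vol.read(0); locked_read_fails = False
    except PermissionError:
        locked_read_fails = True
    wrong_rejected, unlocked = not vol.unlock(b"guess"), vol.unlock(b"correct horse")
    vol.write(0, b"quarterly report")               # the user's document; the disk holds ciphertext
    stored_in_clear = vol.blocks[0] == b"quarterly report".ljust(BLOCK, b"\0")
    # Unlocked, any process sees plaintext and may overwrite it; FileVault is no barrier here.
    vol.write(0, b"overwritten!")
    return {"locked_read_fails": locked_read_fails, "wrong_rejected": wrong_rejected,
            "unlocked": unlocked, "stored_in_clear": stored_in_clear, "after": vol.read(0)}
```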