Recommendations for Mac antivirus software?

Disclaimer: I work for Sophos and have for the last 5 years.

I worked for an advertising company for 20 years as the Mac admin and third-line support before joining Sophos. We ran Sophos across all our estate without issue. In those days we would detect PC-infected files brought in from home and freelancers with keygen software on their external disks.

We all know that Macs are less likely to be attacked, but today’s attacks are not viruses, they are hands-on-keyboard attacks. Attackers gain persistence on a network, run reconnaissance, and launch their attack. They could do this from a Mac if they wanted to. When we investigate attacks, customers will tell us they were attacked last night when the files were encrypted. In fact, the attacker had been on the network for an average of 11 days.

We should no longer call this software anti-virus; it is security software. With all the recent macOS zero-days you never know which attack vector an attacker might use.

Far too many companies don’t manage their Macs properly. The users are admins on their machines. I understand why they do this if they don’t have an MDM solution, but this will allow a user to install anything they like. Their password is the admin password.

Users are a company’s first line of defence. If they don’t fall for the email or open the attachment, then we are off to a good start.

Please don’t take this post as a sales pitch. I just wanted to add some colour to the world of attacks. If you’d like to read a bit more, please read The Active Adversary Playbook 2021.

This post has a voicemail left by the attacker for a member of staff, adding to the pressure to pay: The Top 10 Ways Ransomware Operators Ramp Up the Pressure to Pay.

3 Likes

Appreciate the insight, but I feel I should point out that both the references you gave us are aimed at enterprise IT and aren’t that applicable to ordinary at-home users. Corporate networks are quite susceptible to spear-phishing attacks that give attackers access to their networks and admin credentials. Although similar attacks can and have taken place against home networks, they are far less common. Most home network access has been due to massive vulnerabilities in cheap routers that allow very simple means of network penetration, and most of those instances have been because default passwords are still being used and WAN access has not been disabled. Updating the firmware, disabling WAN (from the Internet) access and changing to a strong password will normally prevent such things. As you observed, “Macs are less likely to be attacked”, and that applies to Macs on a home network as well. And to bring it back to the concerns expressed over ransomware attacks, there have not been any known attacks initiated against macOS via network access to date, but that could always change with a zero-day tomorrow.

4 Likes

I totally agree. I just wanted to add a bit of colour to the world of attacks and how easily these things can happen.

You are 100% correct. Doing the simple things well (update quickly, turn off badly configured features (IoT, routers), don’t reuse passwords, etc.) will help a lot.

I appreciate the security coverage that @ace and the team provide. We need to educate the less tech-savvy users as best we can. I once blocked a URL via our work proxy. The user said, “Don’t worry, I will open it at home!”

2 Likes

@bazmail
I have used Sophos for decades at many, many organisations. I also agree with you that these days such software deals with a lot more than traditional virus/trojan/worm malware.

Unfortunately, this month I am dumping Sophos. They have still failed to provide a fully native Apple Silicon version, and whilst over the last year companies, including those I managed IT for, were able to stick with Intel Macs in the hope Sophos would get their act together, we can no longer do this, as this year Apple have discontinued the Intel MacBook Pro models. This is something that should have been obvious to Sophos, and certainly something I and other customers have been repeatedly warning Sophos about.

Running such a critical tool as Sophos via Rosetta is not an acceptable solution, and even using Rosetta to run Sophos has only recently become possible.

Sophos had from June 2020, when the beta of Mojave was released along with information about the move to Apple Silicon, to begin the necessary changes, and whilst Apple Silicon models were officially launched in October 2020, Sophos could have accessed the Mac mini seed models before then, so arguably Sophos have now had 18 months. Now, over a year since Mojave and Apple Silicon Macs were both officially released, Sophos still have not delivered full Apple Silicon support.

1 Like

Why is that? Is there something that breaks under Rosetta? Is performance on an M1 under Rosetta so poor?

(not saying they shouldn’t update their product, just wondering what makes it ‘unacceptable’ for this specific product)

1 Like

I also don’t understand that statement. Rosetta 2 converts the Intel code to Apple Silicon the first time it’s launched and isn’t required again until the app is updated. So a one-time delay of a few seconds isn’t that much to ask, IMHO.

I put up a poll at DSL Reports on Mac anti-virus software: Poll: Mac Anti-Virus 2021.

At this time, most responders are just using the built-in XProtect, and the leading product after that is Malwarebytes. But we may not have enough participants to be statistically significant; there are only 36 people so far. Add your vote!

Personally, I’ve used anti-virus software with my Mac since 1998. First Virex, then the McAfee VirusScan provided with .Mac. On OS X I’ve been using the free Sophos anti-virus, currently called Sophos Home.

Why run third-party anti-virus on a Mac? A couple of reasons:

  • XProtect only scans when an app is downloaded to the Mac or when there’s a security update, so there may be a risk that malware can slip by it.
  • Sophos blocks malicious websites, so it can catch things like malware delivered through subverted advertising scripts.
  • It catches Windows viruses in email so I don’t inadvertently propagate them to other people.
  • You read about malware that is able to get past macOS protections before Apple closes the security hole. I feel safer running the third-party antivirus; the malware has to get past both what Apple is doing and the anti-virus scanning.
  • The third-party antivirus gives me more control and reporting of what it is doing than XProtect.

That being said, I don’t think it is wrong for someone just to use the built-in XProtect.

@Simon @alvarnell
The reasons running Sophos via Rosetta is unacceptable are:

  1. Rosetta, whilst it may not cause a major performance hit, apparently does have a significant effect on battery life.
  2. Rosetta, according to a number of reports, even if initially installed (manually or by enterprise management tools), is often removed or broken when macOS updates are installed. That is, you have to install a matching Rosetta again after upgrading macOS.

In an enterprise environment (where it is arguably more common and more necessary to install Sophos or a similar tool) it is also common to have many, indeed the majority of, users given only standard-level user accounts and not admin level. This means the users themselves cannot install Rosetta. Particularly in the case of a tool like Sophos, which you need to be confident is always running, you cannot allow a window where it is broken due to the lack of Rosetta to enable it.

Therefore a likely scenario of a Mac being initially automatically deployed with Rosetta installed, then Sophos also automatically installed, and then later a subsequent macOS upgrade being enforced might result in a Mac ending up with no Rosetta or a broken Rosetta. One could have, e.g., Jamf Pro detect the absence of Rosetta and trigger another auto-install of Rosetta, but between the macOS upgrade and this detection and ‘repair’ there would be an interval when Sophos would become disabled. No matter how short this window is, it introduces a period of risk and might at best require an additional restart of the Mac to re-enable Sophos after the reinstallation of Rosetta, which is an additional hassle to users, further impacting productivity. It is already sadly the case that macOS upgrades/updates are far more time-consuming than equivalent Windows 10/11 updates.

Even if the above were not an issue, it is inexcusable for a major software company, as opposed to a single-person ‘hobbyist’, to take over 18 months and counting to update their software for compatibility. Sophos are not the only company at fault here; Dropbox is another example of a company that has yet to provide a native Apple Silicon version.

2 Likes
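The Jamf Pro detection the post above describes (report whether Rosetta is present so that management tooling can reinstall it, and know how long the security agent may have been unable to run) is straightforward to script. The following is an added example, not code from the thread or from Sophos or Jamf: a Jamf-style extension attribute script that classifies a Mac as Intel (Rosetta not applicable), Apple Silicon with usable Rosetta, or Apple Silicon with Rosetta missing or broken. It assumes the standard macOS tools `sysctl`, `arch`, `pgrep` and `softwareupdate`; on any other OS every check fails closed and the Mac is reported as not Apple Silicon.

```shell
#!/bin/sh
# Added example (hypothetical extension attribute, not from the thread).
# Reports Rosetta 2 state so an MDM can trigger reinstallation after a macOS
# upgrade removes it, closing the window in which an x86_64-only agent
# (such as the Sophos build discussed above) cannot run.

is_apple_silicon() {
    # hw.optional.arm64 is "1" on Apple Silicon and absent on Intel Macs.
    # On non-macOS systems sysctl fails, so this returns false (fail closed).
    [ "$(sysctl -n hw.optional.arm64 2>/dev/null)" = "1" ]
}

rosetta_usable() {
    # Actually exercise the translator: run a trivial x86_64 binary under it.
    # A missing or broken Rosetta makes this fail, which is the real symptom
    # an agent would hit. pgrep oahd (the Rosetta daemon) is a second signal.
    arch -x86_64 /usr/bin/true >/dev/null 2>&1 || pgrep -q oahd 2>/dev/null
}

rosetta_status() {
    # Prints exactly one of: not-applicable | installed | missing
    if ! is_apple_silicon; then
        echo "not-applicable"
    elif rosetta_usable; then
        echo "installed"
    else
        echo "missing"
    fi
}

remediate_rosetta() {
    # Only meaningful on Apple Silicon when Rosetta is missing. Requires root,
    # which is why this belongs in an MDM policy rather than with the user.
    # Returns 0 if nothing needed doing or the install succeeded.
    if [ "$(rosetta_status)" = "missing" ]; then
        softwareupdate --install-rosetta --agree-to-license
    fi
}

# Jamf extension attributes read the value between <result> tags; a smart
# group on "missing" can then scope the remediation policy.
echo "<result>$(rosetta_status)</result>"
```

Pair the extension attribute with a policy that runs `remediate_rosetta` on Macs reporting `missing`, and treat the time between a macOS upgrade and the next inventory update as unprotected in your risk accounting, since that is exactly the interval the post above is worried about.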

See XProtect: What do we know about it? – The Eclectic Light Company.

It actually runs more often in Catalina, Big Sur and probably Monterey. Quoting that post:

in his presentation for session 701 of WWDC 2019, Garret Jacobson stated clearly that, in Catalina, XProtect checks the executable code of every app and command tool whenever it’s run, regardless of whether its quarantine flag is set. Prior to Catalina, XProtect is only run when Gatekeeper performs first run checks on an app whose quarantine flag is set, or which hasn’t previously been run from its current path.

Thank you for your comments. I do not want to go into your Sophos comments here, but if you DM me I am more than happy to reply. As I said in my post, I wanted to add some colour and also be upfront about who I work for.

I am interested in your comment about Rosetta being uninstalled. I have an M1 iMac and have never seen that on my machine. That is very odd.

1 Like