Mac OS X versions 10.6.7 and later have built-in detection of known Mac malware in downloaded files. The recognition database is automatically updated once a day; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders. In most cases, there’s no benefit from any other automated protection against malware.
The most effective defense against malware is your own intelligence. All known malware on the Internet that affects a fully-updated installation of Mac OS X 10.6 or later takes the form of trojans, which can only work if the victim is duped into running them. If you're smarter than the malware attacker thinks you are, you won't be duped. That means, primarily, that you never install software from an untrustworthy source. How do you know a source is untrustworthy?
- Any website that prompts you to install a “codec,” “plug-in,” or “certificate” that comes from that same site, or an unknown site, merely in order to use the site, is untrustworthy.
- A web operator who tells you that you have a “virus,” or that anything else is wrong with your computer, or that you have won a prize in a contest you never entered, is trying to commit a crime with you as the victim.
- “Cracked” versions of commercial software downloaded from a bittorrent are likely to be infected.
- Software with a corporate brand, such as Adobe Flash Player, must be downloaded directly from the developer’s website. No intermediary is acceptable.
Follow these guidelines, and you’ll be as safe from malware as you can reasonably be.
Never install any commercial "anti-virus" products for the Mac, as they all do more harm than good. If you need to be able to detect Windows malware in your files, use the free software ClamXav — nothing else.
Have you tried Sophos or Kaspersky? Those are free antivirus.
Kaspersky costs $40, but there is a free trial version.
There are several other newly introduced free offerings from vendors who have provided quality Windows A-V software in the past, but I would not want to be the first to try such applications on a Mac. Give them time to prove themselves if you insist or are required to use something.
Sophos has been around for quite a while and only a handful of users have issues with it on older, slower Macs.
Full Disclosure: I provide uncompensated technical support for the ClamXav Forum.
MadMacs0, Linc Davis:
Could you provide a source for first-party documentation of the Mac OS X built-in malware detection, or at least a more rigorous discussion of how it works and how and how often it updates its definitions? I am similarly fed up with Symantec Auto Protection and ready to uninstall it, but I'd like to get a little more comfortable before I pull the trigger.
I did a quick Google search for [Mac os x built-in malware detection] and the results were mixed at best:
- Apple's overview of security in Mountain Lion says that "files you download using Safari, Mail, and Messages are screened to determine if they contain applications," which sounds a lot like what you are talking about. The problem is, what happens if you are using other browser and messaging applications, e.g. Firefox/Chrome and Gmail?
- Lifehacker's Non-Alarmist’s Guide to Mac Malware Protection calls the built-in malware detection service "months behind the databases provided by security firms like Sophos."
- It doesn't look like the built-in definitions file is updated even remotely close to daily
- It took Apple weeks (at least) to update the built-in software to detect Flashback
- Neither ArsTechnica's nor MacWorld's review of the built-in malware detection service - which, granted, are from when the service was first released almost three years ago - seems particularly confident in the product, Apple's commitment to it, or how or how often the definitions will be updated.
- From the above review, I found the list of malware definitions in an XML file at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist. My file hasn't been updated since 9/27/2012 - almost a month ago. I thought that might have been b/c I haven't installed the latest OS X Lion v10.7.5 update, but that was not released until 10/4, or a full week after my last update (why haven't I installed the update? Because it requires almost a full GB and I only have 3GB left on my HD after foolishly putting too much into my Windows partition).
Linc Davis' recommendations for identifying malware are fantastic, and I'm not sure if I've ever had to violate any of them, but as an internet entrepreneur and startup advisor I install a lot of beta and even alpha software from unverified sources and misconfigured servers, so I have to override normal security warnings all the time.
I'm probably being paranoid since my own malware detection skills are good enough that I've never - knock on wood - gotten a virus on any of my Windows machines - and my caution is almost certainly related to my having grown up on Windows, but a rigorous conversation benefits the entire community.
Thanks for indulging!
Could you provide a source for first-party documentation of the Mac OS X built-in malware detection
That's a very tall order. I'm sure that any such documentation is firmly locked up by Apple Security and I doubt that anybody here would be able to discuss it even if they knew. As you can imagine, all A-V software vendors publish very little about the actual operation of their software to prevent the bad guys from easily defeating it. Even the open source ClamAV information is somewhat limited, especially as regards bugs, limitations and deficiencies.
The key to OS X protection is in the Quarantine system which came with Leopard, IIRC, with improvements in each upgrade. Every new file brought in from outside is flagged with a date/time and where it came from. Initially it was only used to warn the user the first time it is launched/opened with that information.
The XProtect system took that a step further in that anything that contained executable code was scanned and matched against the definitions signature database. This can be either a hash identifier or a telltale hex character string (normally translated from ASCII text). The Lion and Mountain Lion XProtect systems will also disable blacklisted Java and FlashPlayer versions.
The current database contains 21 entries representing different variants of most all modern day OS X malware, most have multiple definitions for various components of that malware variant, which prevents false positives. Note that all of these definitions are targeted to find the initially delivered file since that's where the most immediate threat is. For that reason, any malware that was allowed to install or subsequently downloaded won't be detected. Since Apple was late deploying preventive measures on two occasions, they had to deploy a Malware Removal Tool (MRT) for MacDefender at the same time they rushed to add XProtect to Snow Leopard (I suspect it was already in the works for Lion and they moved it forward) and again for this year's Flashback Trojan/Backdoor when they were late to patch Java to prevent it. Quarantine (and therefore XProtect) only deal with installed files and Flashback was using Java applets in RAM, which can't be quarantined or detected. The MRT cleaned up all the common payloads left by MacDefender and Flashback before the fixes were made.
Thomas Reed's catalog of Macintosh Malware lists 30 unique types of malware, but most of these were patched long ago, either in the OS or application they infected, so are no longer a threat to anybody with an up-to-date system/application suite.
how often it updates its definitions?
It updates definitions immediately, as required, and the database is checked by all Macs running OS X 10.6.7 or above each time they boot and every twenty-four hours thereafter, unless they are asleep at the time, in which case they check at wake-up.
As somebody that checks to see if there has been an update at least once a day, I can tell you that they are currently as good and sometimes better than the commercial vendors. That wasn't always the case, but there seems to be a lot more cooperation these days. I've seen ClamAV beat them by a few hours once or twice, but most of the time they, along with the vendor blogs, came out the same day.
Since new threats to OS X don't come out daily, there is no attempt to do it nearly that often. By far the majority of definitions released by commercial vendors are for Windows and cross-platform threats which don't impact OS X. XProtect does nothing to attempt to detect these, and since there is no manual scan capability, there is no reason to include definitions for most installed payloads. Another area that it doesn't deal with is e-mail content (other than attachments). It relies on junk/spam filtering both by the e-mail client application and the e-mail ISP's server to catch those. The OS X Server software comes with ClamAV to check any mail server being run on it. There is no known e-mail malware that can impact OS X when reading it. Most of these threats involve phishing or spoofed URLs which users need to be cautious of. XProtect does nothing about this and filters aren't always effective, either.
XProtect has not been used against vulnerabilities (CVEs) as they would prefer to issue a Security update to patch the vulnerability. Instead they use XProtect to counter any threat that attempts to exploit these vulnerabilities. Some commercial vendors check for files that appear to be attempting an exploit, which produces quite a few false alarms and are not removed when the vulnerability has been patched on that particular platform.
Lifehacker's Non-Alarmist's Guide to Mac Malware Protection calls the built-in malware detection service "months behind the databases provided by security firms like Sophos."
I don't recall ever seeing months behind, although there have been times when it was a week and as I said, somehow things have improved greatly. I'm guessing that Apple just wasn't tied into the right sample sources initially and it took them some time to develop the right relationships. In the MacDefender days they were coming out with updates within hours of the time the malware developer deployed a new variant.
It took Apple weeks (at least) to update the built-in software to detect Flashback
Again, I don't recall that. Only the variants before Feb 2012 are detected. The delay on the Java based variants was due to Apple's being late to update Java (which is a legitimate gripe against Apple) and their inability (even today) to detect applets that are downloaded and executed from RAM. As far as I know, no A-V software has that capability today, but some use an active watch capability to observe packets received from the Internet which could catch it, and OS X does not have such a capability. Many users were saved by Little Snitch from being completely infected by the variant that made all the headlines with perhaps 600,000 infected Macs. The download component was caught phoning home for instructions by LS so most such users were able to shut down the process before it did any real harm. Again, this was only fixed by updating Java, not by doing anything with the database.
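The two mechanisms MadMacs0 describes above, a quarantine flag recording when and from where a file arrived, and XProtect definitions that are either a whole-file hash or a telltale hex string, can be illustrated with a small model. This is an added example, not code from the thread or from Apple: it assumes the semicolon-separated layout of the com.apple.quarantine attribute (flags;hex timestamp;agent;UUID), uses SHA-1 as the hash form, and uses constructed definition names and sample bytes rather than real XProtect entries.

```python
import hashlib
from datetime import datetime, timezone

# Constructed com.apple.quarantine value: flags;hex seconds since epoch;agent;UUID.
SAMPLE_QUARANTINE = "0081;50b7f3c2;Safari;3E0A1F2B-7C4D-4E5F-9A8B-1C2D3E4F5A6B"

# Constructed definitions in the two forms the thread describes: a hash of the
# delivered file, or a hex-encoded string to search for. Names are placeholders.
DEFINITIONS = [
    {"Description": "EXAMPLE.Hash.A", "MatchType": "Identity",
     "Identity": hashlib.sha1(b"CONSTRUCTED-DROPPER-BYTES").hexdigest()},
    {"Description": "EXAMPLE.Pattern.B", "MatchType": "Pattern",
     "Pattern": b"CONSTRUCTED-TELLTALE-STRING".hex()},
]


def parse_quarantine(value):
    """Split a quarantine attribute into flags, UTC download time and agent."""
    fields = value.split(";")
    if len(fields) < 3:
        raise ValueError("malformed quarantine attribute")
    flags = int(fields[0], 16)
    when = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    return {"flags": flags, "downloaded": when, "agent": fields[2]}


def match_definitions(data, definitions=DEFINITIONS):
    """Return the Description of every definition the file contents match."""
    hits = []
    digest = hashlib.sha1(data).hexdigest()
    for d in definitions:
        if d["MatchType"] == "Identity" and digest == d["Identity"]:
            hits.append(d["Description"])
        elif d["MatchType"] == "Pattern" and bytes.fromhex(d["Pattern"]) in data:
            hits.append(d["Description"])
    return hits


def screen_download(data, quarantine_value, definitions=DEFINITIONS):
    """Only files carrying a quarantine flag are screened, as the thread notes;
    a file that never came through Quarantine is not looked at."""
    if quarantine_value is None:
        return {"screened": False, "hits": []}
    meta = parse_quarantine(quarantine_value)
    return {"screened": True, "agent": meta["agent"],
            "downloaded": meta["downloaded"].isoformat(),
            "hits": match_definitions(data, definitions)}
```

The model also shows the limitation discussed above: content that is never written to disk with a quarantine flag, such as an applet executed from memory, never reaches the matching step.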
MadMacs0 has you covered with his extremely detailed reply. You'll find more information on the topic, including the catalog of malware that MadMacs0 mentioned, on my Mac Malware Guide.
Note that Linc's information is quite good, as far as it goes, but it's a bit limited in scope and he tends to be extremely biased against anti-malware software. I don't want to pick on Linc specifically, as that is not a unique perspective, due to the fact that there's a lot of crappy anti-virus software out there... but there is some good stuff. My personal opinion is that you don't need it, based on current risk from known malware and how well the system will protect against it. But not everyone is able or willing to do without anti-virus software, so telling people that it all does more harm than good and to avoid it at all costs is not realistic advice.