
Anti-Virus / Malware / Phishing Question

Personally, at times I get confused about malware, anti-virus and phishing with all the discussions I have seen on the forums, as well as when I attempt to read product information at given sites, e.g. ClamXav, Sophos, iAntivirus, etc. So please allow me to ask the following question, even though Macs really don't get viruses.


So assuming I have a Mac in a pure Mac environment, what do these products actually do?

(1) ClamXav - does ClamXav work as an antivirus? Does it protect you from malware? Does it protect you from phishing? Does it protect you from trojans/worms?

(2) Sophos - same questions

(3) iAntivirus - same questions


Now assuming that I have a Mac in a Windows shared environment, what does each of these products do with the win relationship existing?

(1) ClamXav

(2) Sophos

(3) iAntivirus


I have noticed that ClamXav is recommended (why/what does it really do) and Sophos primarily, but I am seeing a trend where iAntivirus works well too - but I never seem to find the answer to my question to make an informed decision to not use anything or to have something on my Mac due to the fact that the product will protect me due to reason x...y...z... and I feel it is the best product for myself.

iMac, OS X Mountain Lion, IOS5

Posted on Oct 12, 2012 11:38 AM


Oct 12, 2012 1:11 PM in response to babowa

Thank you, but I think I mean my question from the product perspective. I discovered a site, av-comparatives.org (http://www.av-comparatives.org/comparativesreviews/mac-security-reviews/165-mac-security-review-oct-2012), and it doesn't have any of the three products listed (first and foremost - maybe they weren't submitted for evaluation) but I'm still trying to get a handle on what these products actually do for the Mac and do for a shared Mac/Windows environment.

Oct 12, 2012 2:42 PM in response to michaelsip4

I have no idea what most of those products claim to do because I won't install them. That is one of the reasons why I have a Mac. I've run ClamXAV occasionally (once in two years maybe). I don't run Windows and do not open attachments from Windows users (fortunately, I am not in a work environment so I can afford the luxury of (not) doing that). I am also careful what and from which site I download (I choose not to use torrent sites or go to any site that WOT shows a warning for). I've read that the best precaution is to use your head.


FWIW: nothing can protect you from a new threat - the AV software can be updated after the malware/virus has been released, but how could it know in advance?


Hopefully some of our expert AV members will chime in here.

Oct 12, 2012 2:43 PM in response to michaelsip4

This comment applies to malicious software ("malware") that's installed unwittingly by the victim of a network attack. It does not apply to software, such as keystroke loggers, that may be installed deliberately by an attacker who has hands-on access to the victim's computer. That threat is in a different category, and there's no easy way to defend against it. If you have reason to suspect that you're the target of such an attack, you need expert help.

All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files. The recognition database is automatically updated once a day; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders. In most cases, there’s no benefit from any other automated protection against malware.


Starting with OS X 10.7.5, there is another layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications that are downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Applications certified in this way haven't actually been tested by Apple (unless they come from the Mac App Store), but you can be sure that they haven't been modified by anyone other than the developer, and his identity is known, so he could be held responsible if he knowingly released malware. For most practical purposes, applications recognized by Gatekeeper as signed can be considered safe. Note, however, that there are some caveats concerning Gatekeeper:

  1. It doesn't apply to software that comes packaged as an installer. Treat all third-party installers with caution.
  2. It can be disabled or overridden by the user.
  3. It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets (see below.)
  4. It only applies to applications downloaded from the network. Software installed from a CD or other media is not checked.
For more information about Gatekeeper, see this Apple Support article.


Notwithstanding the above, the most effective defense against malware attacks is your own intelligence. All known malware on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "trojan horses," which can only have an effect if the victim is duped into running them. If you're smarter than the malware attacker thinks you are, you won't be duped. That means, primarily, that you never install software from an untrustworthy source. How do you know a source is untrustworthy?

  1. Any website that prompts you to install a “codec,” “plug-in,” or “certificate” that comes from that same site, or an unknown one, is untrustworthy.
  2. A web operator who tells you that you have a “virus,” or that anything else is wrong with your computer, or that you have won a prize in a contest you never entered, is trying to commit a crime with you as the victim. [Some reputable websites did legitimately warn users who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.]
  3. “Cracked” copies of commercial software downloaded from a bittorrent are likely to be infected.
  4. Software with a corporate brand, such as Adobe Flash Player, must be downloaded directly from the developer’s website. No intermediary is acceptable.

Java on the network (not to be confused with JavaScript, to which it's not related) is always a potential weak spot in the security of any operating system. If Java is not installed, don't install it unless you really need it. If it is installed, you should disable it (not JavaScript) in your web browsers. Few websites have Java content nowadays, so you won’t be missing much. This setting is mandatory in OS X 10.5.8 or earlier, because Java in those obsolete versions has known security flaws that make it unsafe to use on the Internet. The flaws will never be fixed. Regardless of version, experience has shown that Java can never be fully trusted, even if no vulnerabilities are publicly known at the moment.

Follow these guidelines, and you’ll be as safe from malware as you can reasonably be.

Never install any commercial "anti-virus" products for the Mac, as they all do more harm than good. If you need to be able to detect Windows malware in your files, use the free software ClamXav — nothing else.
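
Gatekeeper caveats 3 and 4 in the post above follow from how files are selected for checking: the downloading application tags the file with a `com.apple.quarantine` extended attribute, and a file that arrives without the tag is not evaluated. The following is an added example, not part of the original post; it parses that attribute and lists untagged files, and the paths, event id and attribute values are constructed samples.

```python
import subprocess
from datetime import datetime, timezone
from typing import NamedTuple, Optional

QUARANTINE_XATTR = "com.apple.quarantine"


class Quarantine(NamedTuple):
    flags: int                      # hex flag field, kept as an integer
    tagged_at: Optional[datetime]   # when the tag was written (UTC)
    agent: str                      # application that wrote the tag
    event_id: str


def parse_quarantine(value: str) -> Quarantine:
    """Parse 'flags;hex_unix_time;agent;event_id' (later fields may be empty)."""
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"not a quarantine value: {value!r}")
    parts += [""] * (4 - len(parts))
    tagged = (datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
              if parts[1] else None)
    return Quarantine(int(parts[0], 16), tagged, parts[2], parts[3])


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute via the macOS `xattr` tool, or None if absent."""
    try:
        out = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                             capture_output=True, text=True)
    except FileNotFoundError:       # `xattr` tool missing (not on macOS)
        return None
    return out.stdout.strip() if out.returncode == 0 else None


def untagged(inventory):
    """Paths with no quarantine tag, i.e. files Gatekeeper will not evaluate."""
    return [path for path, value in inventory if not value]


# Constructed sample inventory: (path, raw attribute value or None).
SAMPLE = [
    ("~/Downloads/FromBrowser.app", "0083;50775d80;Safari;CONSTRUCTED-EVENT-ID"),
    ("~/Downloads/FromTorrent.app", None),   # client did not tag the file
    ("/Volumes/CD/FromDisc.app", None),      # copied from removable media
]

if __name__ == "__main__":
    for path, value in SAMPLE:
        if value:
            q = parse_quarantine(value)
            print(f"{path}: tagged by {q.agent} at {q.tagged_at:%Y-%m-%d %H:%M} UTC")
        else:
            print(f"{path}: no quarantine tag, Gatekeeper will not check it")
```

On a Mac, `read_quarantine(path)` supplies the raw value for a real file; an untagged application from an unfamiliar source deserves the same caution the post recommends for third-party installers.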

Oct 12, 2012 3:17 PM in response to michaelsip4

iAntivirus is a scam.


Sophos is OK but may slow down your Mac.


ClamXav is fine.


There are many forms of ‘Malware’ that can affect a computer system, of which ‘a virus’ is but one type, ‘trojans’ another. Using the strict definition of a computer virus, no viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions. The same is not true of other forms of malware, such as Trojans. Whilst it is a fairly safe bet that your Mac has NOT been infected by a virus, it may have another security-related problem, but more likely a technical problem unrelated to any malware threat.



You may find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy, useful:


https://discussions.apple.com/docs/DOC-2435


The User Tip (which you are welcome to print out and retain for future reference) seeks to offer guidance on the main security threats and how to avoid them.


More useful information can also be found here:


http://www.reedcorner.net/mmg/

Oct 12, 2012 11:09 PM in response to michaelsip4

michaelsip4 wrote:


Personally, at times I get confused about malware, anti-virus and phishing with all the discussions I have seen on the forums, as well as when I attempt to read product information at given sites, e.g. ClamXav, Sophos, iAntivirus, etc. So please allow me to ask the following question, even though Macs really don't get viruses.


So assuming I have a Mac in a pure Mac environment...

(1) ClamXav - does ClamXav work as an antivirus? Does it protect you from malware? Does it protect you from phishing? Does it protect you from trojans/worms?

Yes.

Now assuming that I have a Mac in a Windows shared environment, what does... do with the win relationship existing

(1) ClamXav

Since ClamXav uses the cross-platform ClamAV scan engine, it does exactly the same job with respect to windows malware (which includes Trojans and worms) and phishing. I would encourage you to go to the ClamAV web site to learn more and if you have additional questions about it, I'll be happy to attempt to answer them.


I have refrained from making any recommendations here, for reasons that will become obvious later, but I have responded to your questions because I have an intimate knowledge of it. I do have Sophos installed, along with Intego's Virus Barrier X5 and MacScan, but none of them are being used in an active mode, the VB X5 subscription was allowed to expire after the first year of use and I hardly ever use any of them except in a test mode. So I hesitate to comment on what Sophos does or does not do and I am unable to use the Symantec version of iAntivirus with my setup.


Full disclosure: I do uncompensated Tech Support on the ClamXav Forum.

Oct 13, 2012 4:40 AM in response to michaelsip4

All three of those products will protect you against both Mac and Windows malware, though you should note that iAntivirus is sub-par in that area and I don't recommend it. (More on this in a minute...)


ClamXav is a very low-impact app best used for scanning specific folders. You can set it to automatically scan any new files added to certain folders (like the Downloads folder), or you can use it for manual scans. It absolutely will not destabilize your machine, and it will detect everything in my malware collection at this time.


Sophos is a more sophisticated app that does what is called "on-access scanning." This means that, when a file is interacted with in any way, it is scanned and, if it is deemed to be malware, that interaction is blocked. If you get a malware file of any kind on your machine, you will not be able to open it, move it, rename it, delete it (except through Sophos's quarantine), etc. This is accomplished through kernel extensions, and that is its main source of potential problems. Some people have reported that it causes kernel panics, usually around the time of major system upgrades, though very few have ever reported that to my knowledge and it behaved well in my testing. It had no noticeable impact on performance. Sophos also detected everything in my malware collection.


The last time I tested the new iAntivirus, it did indeed catch most of what is in my malware collection. Strangely, though, it reported finding more malware than I actually have in my collection. Even more strangely, it apparently didn’t catch a few that were inside .zip files, so I’m a bit confused as to what it actually found. Worse, the quarantine list only showed one item, so there was no way to find out what it found other than that one file. I’m actually a bit mystified at what it did with most of my malware collection, which simply disappeared after the scan. Good thing I had my collection backed up, and good thing none of the things it found were false positives!


One last consideration: any anti-virus software obtained through the App Store can only do manual scans of specific folders that you select. They cannot scan anything automatically. This is due to sandboxing restrictions applied to apps in the App Store, as a security measure, but it does limit the capabilities of such software. On the other hand, these restrictions also limit the potential for mayhem caused by bad anti-virus software (like iAntivirus). iAntivirus is only available through the App Store. ClamXav is available both in a feature-limited version through the app store and in a more feature-rich version through the ClamXav website. Sophos is only available through the Sophos website.

Oct 13, 2012 4:43 AM in response to MadMacs0

Gentlemen, first of all, all of you have helped me (Apple only gave me two help me stars for points) so doing a top down I was unable to give mad macs points that way. So madmac had to give you the solved and thank you for the disclosure.


As for myself, my goal is keeping my computer as safe as possible. I also get lost at times in all of the rhetoric and vendors'/suppliers' AV home/information pages, looking for the magical key words of "we will protect you from X Y Z, we work with Mac and we support Windows-related viruses." I find at times there is X number of Mac viruses but I know there are XXXX Windows viruses, so I get lost in the grey areas (keeping it simple).


I look on various websites for comparatives (product to product) and depending on the website they slam one product and state another is excellent and on another site the opposite is true (which makes it difficult to ascertain what is true), leaning me to believe there is an affiliation of some type.


madmacs, thank you and I understand more about everything in past posts we have both been in. The same is true about everyone else (meaning that in a positive basis)


I'm just trying to find justified reasons to make an informed decision (like all of the other people making posts or asking questions along these lines... what protects me, how does it help me, what about Windows stuff, do I really need it).


* thomas, did not see your post until after I posted thank you




Sidebar


A weird thing I noticed in the av-comparatives.org link's post was that MacKeeper was rated fairly good, yet it is consistently slammed, as well as other products, on the forum, which also confuses me... is it an inherent bias from Mac OS 8 or 9? Is it substantiated, is it a continuation that spun a life of its own... this also confuses me at times (which brings me back to product line questions).


I know I have used iolo on the Windows side in the past, which created problems for me because I did not have a complete understanding of the product's options and functionality (what they really do - when I click OK) and I'm wondering if some of the negativity I see is based on this.


Granted, CNET, PCWorld and other areas people go to rate things good - when they're posted on their sites for downloads and they're not, as we discover - but it also adds to the confusion as a person trying to determine AV or not.

Oct 13, 2012 4:57 AM in response to michaelsip4

thomas,


thank you for your insights and disclosure. Have a better insight of the caveats that play into equation and overall stability is definitely a critical aspect (I also experienced the iAntivirus where did it go disappearance one time)


but speaking as a consumer, it's Norton, it took care of it for me... your point of false positives is definitely mind opening in conjunction with the where did it go.

Oct 13, 2012 5:14 AM in response to michaelsip4

I look on various websites for comparatives (product to product) and depending on the website they slam one product and state another is excellent and on another site the opposite is true


You have to be very careful that you're not looking at sponsored reviews. There's a lot of monkey-business going on in this industry, which is very competitive. There's a lot of anti-virus software out there, all competing for the same market, and there's a fair bit that's free. That makes the market very competitive, and increases the chances of advertising half-truths and exaggerations.


A weird thing I noticed in the av-comparatives.org link's post was that MacKeeper was rated fairly good, yet it is consistently slammed, as well as other products, on the forum, which also confuses me...


Zeobit (the company behind MacKeeper) is a very unethical advertiser. They have been known to buy domains similar to competition and put deceptive things there. They have also been known to buy positive reviews on sites like VersionTracker and C|Net, by offering free upgrades to customers who post there. They also will throw money at other reviewers... I was offered a consulting job by them out of the blue after writing a negative review of MacKeeper (Beware MacKeeper), and was basically told to "name my fee."


So it's not at all surprising that there should be a disparity between different reviews of a product like MacKeeper. Avoid it, it's trash.

Oct 13, 2012 5:23 PM in response to michaelsip4

michaelsip4 wrote:


A weird thing I noticed in the av-comparatives.org link's post was that MacKeeper was rated fairly good, yet it is consistently slammed, as well as other products, on the forum, which also confuses me... is it an inherent bias from Mac OS 8 or 9? Is it substantiated, is it a continuation that spun a life of its own... this also confuses me at times

I think a lot of this is due to first impressions. Their aggressive, in-your-face all the time advertising behavior was one reason. This is apparently a very successful technique on the Windows side of the house, but they ran into a huge outcry with it with their first introduction. In order to rush their product to market, they used as much of the code they already had with their Windows offering as they could and that was especially true with their A-V module which used Wine to run their PC code.


When I was attempting to evaluate the application I was surprised to find that the file only contained a downloader that required Internet access to install the actual application code. That's a technique I had only previously seen with malware, so that raised my suspicions. Visiting their web site I discovered they had another office in the Ukraine and must admit to an immediate prejudice which I hope has not clouded my thinking. I don't believe I've ever said anything here that wasn't based on fact nor recommended against its use, but have pointed out removal instructions to those who expressed a desire or frustration with doing so.


Some MacKeeper supporters were initially disappointed that their life-time free updates were limited to v1.x.x and that in order to get the new 2012 version they would have to pay for it. Bait and switch? Of course when they were offered free updates in exchange for a review, most of them jumped at the chance. Thomas covered most of those issues.


There was also the matter of trying to remove it. Initially there was no uninstaller. They would only tell people to call the 800 number where they tried to talk you out of doing so. Then they posted some instructions for manually deleting it, but users quickly found that the list was incomplete. Then they started using the built-in uninstaller that asked for your password and to give them a reason for wanting to delete it. That was also incomplete, which is why Phil Stokes' blog on the subject.


I was marginally involved when they purchased ClamXav.org with a big green download button that gave you MacKeeper, instead. They were very close to having to go to court to explain that one before they had their advertisers back off and add a smaller link to ClamXav, then eventually remove the big green button. I also observed them at Macworld 2012 handing out condoms with their logo on them, in one case to a thirteen year old daughter of an acquaintance of mine.


Even if it wasn't for all of the above, I still would not have recommended it in view of all of its non-malware functions, which I consider to be not only unnecessary but somewhat dangerous in the hands of the average user. The OS takes care of most all of that by itself and although things like cleaning cache can be useful at times, it will often slow your Mac down for a period of time and should not be used in a routine manner. Things like stripping languages and codes can cripple some apps that don't like to be touched in that manner. I only made that mistake once with another app many years ago and it took two weeks of re-installation to repair all the damage.


So where are we today? The advertisement has abated to some extent, although we still read about all the pop-ups people can't seem to get rid of. The A-V code has been totally re-written and is probably OK, but the article you pointed out is one of a handful that have tried to compare it to other offerings. I can no longer run the current version, so again I won't make any judgments on its effectiveness and hope to see more labs take that job on, especially as concerns that other half dozen or so formerly Windows only A-V vendors that showed up in the Mac arena last Spring. The built-in uninstaller is now the preferred method of deleting it, but a few users still claim to have problems with it.


Bottom line is that I think they suffer from an initial bad impression in the Mac market, similarly I think Symantec is in a similar situation based on its ruining of Norton products after it took control of them. I don't think I will ever recommend a generalized "cleaner" app to Mac users. Perhaps Consumer Reports will eventually evaluate Mac malware offerings. To date they have said it's not necessary for Macs. Until then I'm not sure I trust any of the reviews I've read to give me valid results of their tests. There are testing organizations that are paid by the vendor to rate their product, so I don't usually even bother to read their results.
