
The best spyware/malware detection and removal solution in 2014?

Lately I keep getting odd little blips on my Mac screen when I open apps and/or use various browsers. I suspect that spyware or some other malware somehow has been installed on my machine. I have since installed highly recommended always-on security apps like Avast and Avira and Kaspersky for live filtering (thinking that what one does not catch another will) along with run-only-on-command apps like BitDefender and ClamX (each catches items the other misses).


I am still seeing the little blips, if fewer than before, so I wonder if there is still some root level malware that has not yet been detected and removed.


I am looking for solutions.


One option is upgrading to Mavericks, but I still have some critical apps that are not yet Mavericks compliant, so that delays the upgrade.


Another option is wiping my disk, doing a clean reinstall of the OS, and re-installing apps one at a time (means I lose days of productivity as all get rebuilt).


Another option is finding and installing better spyware detection and removal app (or apps) than I have installed so far.


I searched the Apple support communities and found some older related posts, some going back to 2007 or 2009, which are not relevant today, such as the advice to use MacScan (no longer deemed a viable app), and the ongoing debate whether MacKeeper itself is malware.


I want feedback and suggestions for the hard realities of life on the net at the beginning of 2014. In answering my request, you might help thousands of other Mac users.


Thanks!

MacBook Pro, OS X Mountain Lion (10.8.2), Mid-2010 MacBook Pro 15 inch

Posted on Jan 5, 2014 1:04 PM

89 replies

Jan 6, 2014 9:24 PM in response to judahman

judahman wrote:


... The hardest truth you are asking me to swallow is that if spyware has been placed on my MacBook, no commercial app can detect it.


That is correct. No commercial app can detect anything other than what it has been designed to detect.


There are a few commonly available and popular keylogger programs, and you can easily check for the presence of each of them individually. Would that alleviate your concerns? I think it should not, but that's up to you. It would be irresponsible of me or anyone else to suggest using product x when it is literally impossible to rule out the presence of all potential keyloggers or other devices, both hardware and software, installed within your Mac or without, that can intrude upon your private activity.


Run EtreCheck as MadMacs0 suggested. It cannot provide assurance that a keylogger is not installed on your Mac but it will confirm the presence of one, if it is installed. If you post its results you can obscure information you consider private, but if you need others to help you decipher its output please indicate what was obscured.


As I explained "spyware" is insufficiently precise terminology for what you are concerned about. If you need to address specific concerns then you need to describe them as accurately as possible. There is no practical difference between "spyware" and what Google installs on your Mac for instance, and I estimate at least 99% of Mac users use Google every day in blissful ignorance. It's "spyware" if it's malicious, but what constitutes malice is subject to interpretation.


is there ONE security app that should be retained? Alternatively, is there a different or better app I should install instead and scrap the rest?


The answer can be found in what I and the others posted. You need to re-read every word. A magical cure-all, if you found it, would only lead to the feel-good illusion that your Mac is protected from all threats. That accomplishes nothing more than self-deception, which itself presents the greatest threat to you and your Mac's security.

Jan 6, 2014 11:22 PM in response to judahman

One last thought concerning security apps that would benefit you that I keep forgetting to recommend is Little Snitch. If there is anything on your computer that needs to communicate information to an outside source, LS will tell you about it. It will cause you to have to do your homework on what processes normally need to open an outbound connection so that you can approve it, but it will alert you when an unknown process is making such an attempt and who it's trying to contact.


There are one or two other choices, but I think it's your best choice at this point.

Jan 7, 2014 3:54 AM in response to judahman

For what it's worth, I recently had an Apple certified service tech inspect my MacBook for any potential hardware problems before AppleCare expired, and no issues were found.


That sounds like you took the machine in and asked them to check it for problems "just in case," but weren't having any specific problems at the time. Is that the case? If so, I seriously doubt that that would have been any use at all. Without something specific to look for, it's just about impossible to detect a potential problem.


The hardest truth you are asking me to swallow is that if spyware has been placed on my MacBook, no commercial app can detect it.


That is, nonetheless, true. Someone with physical access to your machine could install any number of legitimate programs that can be misused, but aren't detected by anti-virus software. Some anti-virus software will detect some programs with the potential to be misused as "PUAs," but that's not particularly reliable.


Similarly, there are built-in features of your Mac that could be used to spy on you. For example, file sharing or the built in web and ftp servers could be used to download any of your files on demand, with the right minor reconfiguration of your wireless router.


Basically, if physical access has been achieved, there's no guarantee of safety other than wiping the hard drive.


Now, I do agree with those others who have said that they wouldn't do this based on what you have shared. Thus far, the only problem you have identified are these "blips," and that is not at all indicative of spyware being present. If that is the only thing causing you to worry about spyware, you should relax. Treat the symptom, not the imagined problem.


A physical inspection of every file on my system is necessary. This is difficult because even a clean Mac OS installation these days contains hundreds or thousands of files I do not recognize.


Examining every file on your system is not practical. My hard drive currently has more than 800,000 files. And that's not because I have such a huge number of documents; I don't. A significant chunk of that is system files. I doubt there's any one specific person who knows the exact function and purpose of every single file in the system, much less who can verify the integrity of every single one of those files.


is there ONE security app that should be retained?


Avast has a serious long-term problem with false positives, and has repeatedly identified important system files as malicious. I don't recommend it, even though its detection of Mac malware is excellent.


BitDefender didn't do that well at detecting Mac malware when I tested it last year. It supposedly does quite well at detecting Windows malware, but if you intend to use it for that purpose, I recommend only using the version found in the App Store for manual scans.


I'm not sure what you found clunky about Sophos... it's pretty elegant, as I see it. It works well, it's got excellent detection rates for Mac malware and it causes the fewest problems in my experience.


Still, it's really not necessary to use any kind of anti-virus software for the most part. See my Mac Malware Guide.

Jan 7, 2014 7:16 AM in response to MadMacs0

About the usefulness of Little Snitch in this scenario: In another thread, which concerned the similar possibility of intrusion to install a back door, I disagreed with our Mr. Davis (herein quoted), who has certain, let us say, prejudices against anything (including any AV) that might install a system modification (as Little Snitch does.) He had said that Little Snitch was worthless (in general and for this in particular), and when I objected he wrote the following:


I can assure you of one thing: If I broke into your system and wanted to leave a back door, I could do it in a way that would be undetectable by "Little Snitch" or anything else — and I don't pretend to have any special skill as a "hacker." You have to assume that your intruder could do whatever I could do.

https://discussions.apple.com/thread/5730851?answerId=24330445022#24330445022


As I know nothing about writing code, I am in no position to dispute this claim, but I wonder what others may think of it.

Jan 7, 2014 11:10 AM in response to WZZZ

WZZZ wrote:


About the usefulness of Little Snitch in this scenario...

Yes, I'm afraid I don't know how that could be done, either. The Flashback folks were never able to accomplish that. In several early iterations they would check for the presence of LS and a handful of other A-V software and abandon the installation if they found it. The version used in the Spring of 2011 did not have the necessary code on-board to make such a check before attempting contact with their C&C servers, which is how that one got caught.


I guess if I wanted to hack a computer I'd try out my hack after installing it and simply approve whatever LS rules I needed to make it work. In the OP's case, if the hack is already installed, then LS should be able to locate that process as soon as it fires up a connection request.

Jan 7, 2014 11:14 AM in response to MadMacs0

MadMacs0 wrote:


One last thought concerning security apps that would benefit you that I keep forgetting to recommend is Little Snitch. If there is anything on your computer that needs to communicate information to an outside source, LS will tell you about it. It will cause you to have to do your homework on what processes normally need to open an outbound connection so that you can approve it, but it will alert you when an unknown process is making such an attempt and who it's trying to contact.


There are one or two other choices, but I think it's your best choice at this point.

Yes, yes, yes, glad to finally hear Little Snitch being mentioned 🙂 Most malware, almost all spyware and almost all adware will at some point need to connect to somewhere to do their jobs. It may be connecting to a "home base" for instructions on what to do next or it may be connecting to a server to upload your data/screenshots/keylogs. Whatever connection it will attempt to make, Little Snitch will catch it in the act and give you an option to block the connection attempt. The vast majority of mal/spy/adware will stop functioning once those connections are blocked. To remove the -ware you'd have to go hunting the bug manually using a guide like this one (for adware) or use a good antivirus application to do it for you.


With malware (I just combine adware, spyware and whateverware in the word "malware", much easier) becoming more about targeted attacks and less about blanketing as many Macs as possible, it will become harder for antivirus solutions to get their hands on a sample they can use to write detection signatures. Little Snitch does not need signature updates, it just works and as long as you know how to read the alerts it presents to you it is possibly way more valuable than any antivirus solution out there.
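The signature-free approach described in the two posts above (watch what makes outbound connections, compare it with what you expect) can be scripted against the output of `lsof -nP -iTCP -sTCP:ESTABLISHED` on a Mac. The script below is an added example written for this page, not code from Little Snitch or from any of the posters; the allowlist and the `lsof`-style sample lines are constructed, and the remote addresses are documentation ranges, not real servers.

```python
"""Egress triage: flag established outbound TCP connections whose owning
process is not on a per-machine allowlist, or which use an unexpected port.

Added example for this thread. Input format mimics `lsof -nP -iTCP
-sTCP:ESTABLISHED` on macOS; the sample data below is constructed."""
import re
from dataclasses import dataclass

# Assumed allowlist: process name -> remote ports that process legitimately uses.
# A real one is built by reviewing the machine's normal traffic, exactly the
# "homework" the posts above describe.
ALLOWLIST = {
    "Dropbox": {443},
    "Google Drive": {443},
    "CalendarAgent": {443},
    "Safari": {80, 443},
}

# Matches lsof's NAME column for an established TCP connection: local->remote:port
CONN_RE = re.compile(r"^(?P<local>\S+)->(?P<host>.+):(?P<port>\d+)$")


@dataclass
class Finding:
    command: str
    pid: int
    user: str
    remote_host: str
    remote_port: int
    reason: str


def parse_lsof_line(line):
    """Return (command, pid, user, remote_host, remote_port) or None for
    header/non-connection lines. lsof encodes spaces in COMMAND as \\x20."""
    parts = line.split()
    if len(parts) < 9 or parts[0] == "COMMAND":
        return None
    target = next((p for p in parts if "->" in p), None)
    if target is None:
        return None
    m = CONN_RE.match(target)
    if m is None:
        return None
    command = parts[0].replace("\\x20", " ")
    return command, int(parts[1]), parts[2], m.group("host"), int(m.group("port"))


def triage(lsof_output, allowlist=ALLOWLIST):
    """Return a Finding for every connection that does not fit the allowlist."""
    findings = []
    for line in lsof_output.splitlines():
        rec = parse_lsof_line(line)
        if rec is None:
            continue
        command, pid, user, host, port = rec
        if command not in allowlist:
            findings.append(Finding(command, pid, user, host, port,
                                    "process not on allowlist"))
        elif port not in allowlist[command]:
            findings.append(Finding(command, pid, user, host, port,
                                    f"unexpected port {port} for {command}"))
    return findings


# Constructed sample output (not captured from a real machine).
SAMPLE = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Dropbox     412 alice   23u  IPv4 0x1a2b3c4d      0t0  TCP 192.168.1.20:52144->198.51.100.3:443 (ESTABLISHED)
Google\\x20Drive 530 alice   31u  IPv4 0x1a2b3c4e      0t0  TCP 192.168.1.20:52150->198.51.100.78:443 (ESTABLISHED)
Safari      610 alice   40u  IPv4 0x1a2b3c4f      0t0  TCP 192.168.1.20:52160->192.0.2.69:443 (ESTABLISHED)
helper      777 root    12u  IPv4 0x1a2b3c50      0t0  TCP 192.168.1.20:52170->203.0.113.9:6667 (ESTABLISHED)
Dropbox     412 alice   24u  IPv4 0x1a2b3c51      0t0  TCP 192.168.1.20:52180->203.0.113.7:8080 (ESTABLISHED)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.command} (pid {f.pid}, {f.user}) -> {f.remote_host}:{f.remote_port}: {f.reason}")
```

Run it with real data by piping `lsof -nP -iTCP -sTCP:ESTABLISHED` into `triage()`. Two findings come out of the sample: a root-owned `helper` process talking to port 6667, and a Dropbox connection on a port Dropbox does not normally use. Like Little Snitch, this tells you the process name and PID, which is the information the original poster lacked when chasing the unknown destination; unlike Little Snitch it only sees connections that exist at the moment you run it, so it complements rather than replaces an always-on monitor.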

Jan 7, 2014 12:13 PM in response to MadMacs0

So I take it that LD's claim about how easy it is to write a back door undetectable on outgoing by Little Snitch seems, on the face of it, far fetched? If those guys during the Flashback outbreak couldn't write a LS evading back door, then I suppose it's not quite that easy. (You reminded me how useful LS was then.)

Jan 7, 2014 12:27 PM in response to WZZZ

Yeah, I don't know what he's talking about, unless he knows of a vulnerability in how Little Snitch operates.


Of course, it wouldn't be difficult for software installed with root permissions to simply disable Little Snitch or change its options, which may be what he was referring to. After all, the very first variant of Flashback apparently included code that would attempt to disable Little Snitch:


http://www.intego.com/mac-security-blog/intego-security-memo-september-26-2011-mac-flashback-trojan-horse-masquerades-as-flash-player-installer-package/


Disabling Little Snitch is probably something that you would notice, but root-level code could do much sneakier things, like modifying Little Snitch's preferences file(s) to give permission to a malicious process to communicate via a particular port.
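One defensive answer to the scenario just described (root-level code quietly editing a security tool's rule or preference files) is a file-integrity baseline: hash the files while the machine is known-good, keep the baseline somewhere the machine cannot alter (printed, or on read-only media), and re-hash on demand. The following is an added example written for this thread, not Little Snitch's own code; the file names `rules.plist` and `prefs.plist` and the tampering it simulates are constructed for the demonstration.

```python
"""File-integrity baseline for configuration files.

Added example for this thread. Records a SHA-256, mode and size per file under a
directory, then reports files that were modified, added or removed since the
baseline was taken. The demo() function builds a throwaway directory with
constructed files to show the three kinds of change."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> {sha256, mode, size} for every regular file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            result[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "mode": oct(st.st_mode & 0o777),
                "size": st.st_size,
            }
    return result


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build constructed config files, baseline them, tamper, and compare."""
    with tempfile.TemporaryDirectory() as root:
        rules = os.path.join(root, "rules.plist")   # constructed file name
        prefs = os.path.join(root, "prefs.plist")   # constructed file name
        with open(rules, "w") as f:
            f.write("<allow process='Dropbox' port='443'/>\n")
        with open(prefs, "w") as f:
            f.write("<prefs/>\n")

        baseline = snapshot(root)
        # In practice this JSON is written somewhere the protected host cannot
        # overwrite (read-only media, another machine), otherwise root-level
        # code could rewrite the baseline along with the files it protects.
        stored = json.dumps(baseline, indent=2)

        # Simulated tampering: a new allow rule appended, a file dropped in,
        # and the preferences file deleted.
        with open(rules, "a") as f:
            f.write("<allow process='helper' port='6667'/>\n")
        with open(os.path.join(root, "extra.plist"), "w") as f:
            f.write("<x/>\n")
        os.remove(prefs)

        return compare(json.loads(stored), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the place the baseline and the checker live: a root-level intruder who can edit the rule files can equally edit a baseline kept on the same disk, which is why the comparison should be run from, and against, storage the machine cannot write to.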

Jan 7, 2014 2:06 PM in response to thomas_r.

thomas_r. wrote:


After all, the very first variant of Flashback apparently included code that would attempt to disable Little Snitch:

They also said that Flashback collected UserID's and Passwords, but that was never proven, either. I think they saw a reference to Little Snitch and assumed it disabled it, but reading the more technical description from F-Secure:

If the program is found in the system, the installer will skip the rest of its routine and proceed to delete itself.

WZZZ wrote:


So I take it that LD's claim about how easy it is to write a back door undetectable on outgoing by Little Snitch seems, on the face of it, far fetched?

No, just that I don't know how to go about doing that. He's much more skilled at things Unix than I can ever hope to be.

Jan 7, 2014 5:14 PM in response to thomas_r.

I don't think I've discussed Flashback in any detail for many months until today.


Wouldn't you know that Intego would have some new information about it this afternoon!


Flashback Botnet is Adrift.


Seems there are at least 22,000 of the original ~600,000 infected Macs still checking for instructions on what malicious mischief should be attempted next. I think Intego may have given the bad guys some ideas here.

Jan 8, 2014 5:07 PM in response to WZZZ

WZZZ wrote:


back to the discussion on JavaScript exploits, the most worrisome of which is the platform agnostic XSS.


http://hackademix.net/2008/01/12/malware-20-is-now/

OK, but note that article is over five years old and defenses against such things have been applied to modern browsers. I'm not up-to-speed on any of that, but haven't read any new news on that front for a long time.

Jan 15, 2014 7:30 PM in response to WZZZ

First, I am thrilled that so many people engaged so productively around my question.


Second, I ended up removing each of the "always on" virus protection apps, as several of you suggested. I have kept some of the activate-upon-command scanners, and they have not found anything beyond the usual crap that comes with spam emails, and these junk files are easily deleted without opening.


As for finding spyware, I used MacScan, as suggested, and it came up with zilch. EtreCheck came up with zilch, too. The only files flagged were a few Google tracking cookies. I am keeping both apps for periodic scanning.


I then installed Little Snitch, and once I chose to put up with the chronic disruption it caused, I spotted only one bit of outgoing activity that did not match any known app (e.g., Google Drive, DropBox, Apple Calendars, etc). A search of the web for the signal destination turned up a company that provides security to app developers, and I had no way to know which app on my Mac originated the signal. Dead end. Well, I was running Little Snitch in demo mode, and after a few days I grew tired of it disabling my Dropbox app and otherwise interfering with my normal operations, so I uninstalled Little Snitch, too.


At this stage, I am left with three options, as I see it. (1) Earn the extra cash to hire a Mac security expert to go over my computer with a fine-tooth comb. (2) Wipe my disk, reinstall the OS, and then re-install my apps from scratch, one-by-one, going slowly to make sure nothing sneaks past, and finally restore only those doc and image files that I actively need now. When I can afford to be down that long, who knows? (3) Change the locks on my home, get a pit bull, abandon all future use of my home wifi network, and simply learn to live with any spyware now on my system, forgetting about ever having any privacy again.


I remain open to better suggestions not already suggested.

Jan 15, 2014 8:41 PM in response to judahman

judah --


Were you originally a PC user, and have now switched to Macs?

I would wager that every one (if not most) of the helpers who have responded so far do not personally use AV, malware, or security apps. I have had my own Macs since 1989. In the beginning, I had Norton on there, because everyone said I had to.


I was troubleshooting, trying to figure out what ground my Mac to a halt, and after a couple of days with no solution, I uninstalled Norton. My Mac went from a startup time of 5-7 minutes, to under 1 minute. I never looked back. In addition, I've never had my system overtaken by anything other than my own enthusiasm.


My personal opinion is to recommend you trust your Mac more, stay away from questionable websites, and don't open unknown links. Do not contaminate your Mac with useless programs that feed on paranoia. Please re-read John Galt's list, and visit Thomas R's website, http://www.thesafemac.com/mmg.
