
Question: Malware and macOS

I am one of those people who does not believe that macOS is immune to malware. I also don't think that the installed footprint of Macs being small compared to Windows computers renders macOS not a target-rich environment.


I've got my asbestos underwear on and am ready for the more experienced gurus to explain why I (and other people) are wrong. Please explain.


Nov 17, 2017 1:37 PM in response to DesertRatR

You're not wrong. Malware and adware are becoming increasingly common on macOS, particularly with items masquerading on free video streaming sites as being necessary add-ons to stream a video (i.e. fake Adobe Flash plugins). I like Malwarebytes for Mac and ClamX to scan for and remove threats: Malwarebytes | Free Cyber Security & Anti-Malware Software

https://www.clamxav.com/


Nov 17, 2017 1:37 PM in response to DesertRatR

No one has ever said it's immune. At least not those folks who are smart enough not to use such a blanket statement.


There are no viruses. None. And haven't been since OS X appeared. The closest anything ever came to being a virus was Flashback. It used one of the many flaws in Java to infect OS X as a back-door method. If you had Java on for your browser, just visiting an infected web site would get Flashback on your Mac. All very virus-like behavior, with the caveat that it was Java being used for the infection, not the OS. It is long dead and patched against.


There are oodles of Trojans. Software that requires the user to install it in order to get on your Mac. Adware, keyloggers, you name it. Somehow, you have to be the one to get it on your system.


One worm. Oompa-Loompa (Leap-A). You first had to infect your Mac via a Trojan that installed Leap-A. It would then act as a worm looking for other Macs in your Messages list. Once found, it would cause that user's Mac to pop up an admin password screen to allow it to install. Most folks knew better than to allow something to install they hadn't initiated. While there were likely quite a few unreported instances, experts say a grand total of 50 Macs were infected. It is also long dead and patched against.


Nov 17, 2017 1:41 PM in response to DesertRatR

You're not wrong. In fact Apple's products represent an enormous target for scam artists of all stripes.


The problem is the corrupt and filthy "anti-virus" business is on their side, not yours, with plenty of paid and unpaid shills representing their interests.


Read Effective defenses against malware and other threats.


Nov 17, 2017 2:09 PM in response to John Galt

Good article, John. And every single thing you recommend I already do (or don't do). Social engineering is by far the biggest source of malware into a network. There is nobody more paranoid than me, when it comes to security. I don't wear a tinfoil hat, but maybe I should.


I've seen other posts whereby folks claim AV and other anti-malware SW somehow hurts a Mac. Can you please elaborate on that?


Nov 17, 2017 2:23 PM in response to DesertRatR

Modern OSs like High Sierra have built-in protections. There are no Mac viruses out in the wild. Anti-virus apps use system resources and provide no benefit. So why install such an app? There is malware in the form of adware or other scams. You have already been provided a link to John's User Tip which addresses these types of malware. MalwareBytes and etrecheck are useful tools often used to remove malware.


Nov 17, 2017 2:27 PM in response to DesertRatR

macOS is based on BSD UNIX. The OS and applications are sandboxed. If you are an administrator on the system, you cannot alter critical system files without authenticating with your administrator credentials. This means any malicious software you download also cannot alter those files. You also do not automatically have rights to data stored in other users' home folders.


AV software on a Mac will, at best, impact performance by attempting to intercept and scan all file transactions, downloads, data transfers to and from the network and Internet, etc. At worst, it can attempt to delete, quarantine, or otherwise bork files when it throws a false positive for an infection. And ALL of the positives it generates will be false, since there are no viruses that can affect macOS. Malware... trojans, adware, etc. are NOT viruses. They are undoubtedly unwanted, but they are not viruses, and AV and active anti-malware SW cannot stop them. In order to get them, you have to proactively grant them permission to do what they want to do.


The only anti-anything you need on a Mac is common sense. Something that it seems is sorely lacking these days...


Nov 17, 2017 3:04 PM in response to DesertRatR

DesertRatR wrote:


I've seen other posts whereby folks claim AV and other anti-malware SW somehow hurts a Mac. Can you please elaborate on that?


There are a lot of answers to that question, some of which I did not address in that User Tip, such as the following:


https://www.wsj.com/articles/russian-hackers-stole-nsa-data-on-u-s-cyber-defense-1507222108

Pull quote in case the above is behind a paywall:


“You’re basically surrendering your right to privacy by using Kaspersky software,” said Mr. Darché, who is chief security officer for Area 1, a computer security company.


To their credit, Kaspersky essentially responded by saying "what did people expect? Of course that's what our software does" or words to that effect. Not that I have read them, but its terms and conditions probably don't try to hide that fact.


Now... if a user chooses to ignore facts and reality, and really, really wants to use "anti-virus" junk in willful ignorance of such knowledge, Kaspersky isn't a bad choice. There are far worse products to choose from, most of which simply harvest the information on your Mac just so that they can sell it (like AVG) or exist for the sole purpose of providing kickback revenue to entities that advocate or require its use (like Trusteer). But you can't very well install "anti-virus" junk and then complain it does some very virus-like things.


I'd rather have a virus.


When the truth comes to light I prefer to just sit back and watch the show.


https://phys.org/news/2017-11-kaspersky-blames-nsa-hack-infected.html


There are plenty more sordid stories where that came from, and there will be plenty more to come, until people appreciate how the entire "anti-virus" consumer software business has been built on a foundation of lies and deception. Deceiving a perennially gullible public has always been a monumentally successful strategy though, and I'm not holding my breath.


Nov 17, 2017 5:51 PM in response to John Galt

You bring up a good point with respect to accessing user data. It isn't clear to me what data AV programs have access to. Presumably file names and metadata. I think of it in terms of walking thru a library and noting down every book title.


BTW, what is your take on Intego AV and firewall?


Nov 17, 2017 6:31 PM in response to DesertRatR

Apps like the trusted MalwareBytes for Mac and EtreCheck look for malware in the only places it would typically be found. Which is your user account, and some limited access to the Library folder. That's mostly the reason they work so fast. Time isn't wasted examining every single file and folder on the drive.


With System Integrity Protection enabled, you shouldn't even have to look in the System folder. It is now off limits to everything that isn't part of the installed OS. Third party kernel extensions are no longer allowed in the System folder, and are now relegated to the /Library/Extensions/ folder.


SIP even protects every app installed by the OS. Nothing can be injected into those application packages. Nor can they be altered by any third party software.


AV programs want access to everything, as if your Mac were a PC. This is a monstrous waste of time and system resources. Don't use them. They are completely - utterly - worthless.

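Added example, not part of the thread or of any poster's advice: the post above says SIP takes the System folder and Apple's bundled apps off limits while third-party kernel extensions live in /Library/Extensions. On macOS you can verify that claim for any path rather than take it on faith, because SIP-protected entries carry the BSD `restricted` file flag (shown by `ls -lO`) and `csrutil status` reports whether SIP is on at all. The script below separates protected paths from the unprotected ones, which are exactly the places a malware scanner should spend its time. The sample `ls -lO` and `csrutil` output is constructed for the parsing functions; the live check only runs on a Mac.

```shell
#!/bin/sh
# Added example (not from the thread): check which paths SIP actually protects.
# `ls -lO` on macOS prints BSD file flags in the column after the group name;
# SIP-protected entries carry "restricted". `csrutil status` reports SIP state.
# The parsing functions take text input so they can be tested on any POSIX sh.

# Constructed sample of `ls -ldO` output on a SIP-enabled Mac (not real output).
SAMPLE_LS='drwxr-xr-x@  8 root  wheel  restricted 256 Sep 25 10:13 /System
drwxrwxr-x+ 60 root  admin  - 1920 Nov 17 08:02 /Library/Extensions
-rwxr-xr-x   1 root  wheel  restricted 31696 Sep 25 10:13 /usr/bin/login
drwxr-xr-x   5 me    staff  - 160 Nov 17 09:00 /Users/me/Applications'

# Print the path (last field) of every entry whose flag column contains "restricted".
restricted_paths() {
  # $1: ls -lO output
  printf '%s\n' "$1" | awk '$5 ~ /restricted/ { print $NF }'
}

# Print the paths that are NOT restricted: where third-party code can legitimately
# land, and therefore where a scan is worth running.
unrestricted_paths() {
  printf '%s\n' "$1" | awk '$5 !~ /restricted/ { print $NF }'
}

# Return 0 if `csrutil status` output says SIP is enabled.
sip_enabled_from_status() {
  # $1: csrutil status output, e.g. "System Integrity Protection status: enabled."
  case "$1" in
    *"status: enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check; only meaningful on macOS, skipped elsewhere.
audit_sip_live() {
  if [ "$(uname)" != "Darwin" ]; then
    echo "not macOS; skipping live SIP check"
    return 0
  fi
  if sip_enabled_from_status "$(csrutil status 2>/dev/null)"; then
    echo "SIP: enabled"
  else
    echo "SIP: NOT enabled - /System and bundled apps are writable by root"
  fi
  listing=$(ls -ldO /System /Library/Extensions /usr/bin /Applications/Safari.app 2>/dev/null)
  echo "SIP-protected entries:"
  restricted_paths "$listing"
  echo "Unprotected entries worth scanning:"
  unrestricted_paths "$listing"
}

audit_sip_live
```

Run it as a plain shell script on the Mac being checked; anything that shows up under "Unprotected entries" is writable by an admin-authenticated installer, so that is the list to hand to an on-demand scanner.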

Nov 17, 2017 11:31 PM in response to DesertRatR

BTW, what is your take on Intego AV ...


Apple is the most famously secretive company in the world. Apple's operating systems run only on Apple's hardware and they license neither to anyone. Why anyone or any thing would claim macOS knowledge superior to Apple's own is one of the most curious aspects of 21st century technology.


I personally evaluated all the popular Mac "anti-virus" products a while ago. Their effects on a Mac ranged from benign but useless to practically malicious. Intego's "Net Barrier" and "Virus Barrier" products resulted in the worst performance degradation of any product I ever used. The Mac became practically unusable as Intego churned and chugged along, looking for viruses that don't exist. No knowledgeable Mac user would have considered it even remotely acceptable.


I think you're missing the point though. This is not about any particular product. All non-Apple "anti-virus" products are categorically worthless. Installing them will expose a Mac to more threats than would exist without them, and the Kaspersky example I cited just happens to be the most prominent.


It shouldn't have come as a surprise to anyone:


Security wares like Kaspersky AV can make you more vulnerable to attacks | Ars Technica


Similar products will have similar vulnerabilities just waiting to be exploited:


It might be time to stop using antivirus | Ars Technica


Security and user space isolation have been fundamental aspects of macOS since its inception. Each succeeding version has only grown more secure. Outside of proof-of-concept models under controlled conditions a macOS virus has never been successfully implemented, and with the introduction of SIP a while ago it can be said there will never be one. There is only worthless, time- and money-wasting garbage a user can willingly choose to install. Non-Apple "anti-virus" products might as well be in that category.


As computing and communications products go, Apple's are the most secure consumer-grade products on the planet, by far. If Apple's customers are bound and determined to install junk on their Macs though, macOS does little to intervene. If they couldn't, a Mac wouldn't be the general purpose computing appliance that it is. The alternative is iOS, running on devices completely closed to user-inflicted modifications—which is probably where macOS is headed anyway, eventually.


Apple's target demographic has frankly become too stupid not to require such nanny-like impositions, but guess what happens then? You got it, people complain: FTP server, Mac OS High Sierra.


... and firewall?


The purpose of an application firewall is frequently misunderstood. Not surprising, since it is also woefully misnamed. There is no fire and there is no wall. It sounds good though. Like "cleaning".


Nov 18, 2017 10:04 AM in response to John Galt

Pretty interesting reads. Perhaps the security key is the ultimate way to go. I've never heard of them and have no idea where to buy one or how to implement one, even if I thought it would help.


Here is what I have learned from this thread:

1) Viruses that can infect macOS High Sierra are a myth. There are none. So the AV SW is at best a waste, and potentially a vector for other exploits.

2) The malware exploits that can infect macOS High Sierra are self-inflicted via social engineering, user incompetence or ignorance.

3) Third party firewalls are also a waste of money. As for incoming threats, they are redundant to the OS FW. And there is no need to catch outgoing threats, as there would be none to catch.


Two more questions, please. I have read about what I'll call contaminated websites, whereby malicious code is somehow inserted into images or other site items. The user supposedly doesn't even have to click on the contaminated items, but merely open the page with the contamination. Am I hallucinating? Or is that the case, but any regular security SW simply won't catch the exploit?


I thought I read somewhere one might want to set up a user account that does not have administrative privileges and do all one's web browsing from there. Or is that overkill?


Nov 18, 2017 11:00 AM in response to DesertRatR

3) Third party firewalls are also a waste of money. As for incoming threats, they are redundant to the OS FW. And there is no need to catch outgoing threats, as there would be none to catch.

That one does need minor clarification. If you aren't using a firewall capable router, then yes, you need a firewall on the software side. But no, you don't need a third party firewall. The one included with the Mac OS is industrial grade. Turn that one on if you need to. If your router does have its own firewall (and virtually all do), you don't need any firewall enabled on your Mac. They won't have anything to do behind the router.

I have read about what I'll call contaminated websites, whereby malicious code is somehow inserted into images or other site items. The user supposedly doesn't even have to click on the contaminated items, but merely open the page with the contamination. Am I hallucinating?

No, not hallucinating. Flashback was the one and only known malware that could do a drive-by infection of a Mac. And that was only if you had Java enabled for your browser. It was patched against years ago. There has been no other such known attack.


Java and Flash have both been slated to be killed off for this reason. They are both full of security holes that allow back-door entrance to the system as Flashback did with Java. Getting rid of both of these browser extensions completely kills off that vector.

I thought I read somewhere one might want to set up a user account that does not have administrative privileges and do all one's web browsing from there. Or is that overkill?

Many security experts suggest setting up any Unix based system that way. You can still perform admin actions from a standard account. It's just that you need to type both the admin account user name and its password. It's an extra layer of protection while using your Mac to be in an account that has fewer permissions to the file system.


Nov 18, 2017 10:58 AM in response to DesertRatR

Two more questions, please. I have read about what I'll call contaminated websites, whereby malicious code is somehow inserted into images or other site items.

As far as I am aware, OS X and macOS (and System 1-9) never executed code in data. I don't think any other OS did that, either. I believe that is completely the realm of Microsoft.

In a modern OS, you would first have to generate an exploit over the internet (extremely difficult). Then you would have to use that exploit to inject your malicious code into the execution space. Then, you would have to trick the OS into executing that code. See Kurt's discussion of Flashback. I think it might have been the great nephew of Ralph Nader who said Flash and Java are unsafe at any speed.

I thought I read somewhere one might want to set up a user account that does not have administrative privileges and do all one's web browsing from there. Or is that overkill?

Take a look at this discussion. I think we covered most of the pros and cons: Re: Users & Groups: Do I need a user besides an admin if I am the only user?


Back to the Firewall…

Since your computer is most likely already behind a NAT router, the Application Firewall is superfluous. About the only need for the built-in firewall (and most others) is if you 1) have a laptop and use public WiFi occasionally, and 2) you must enable several sharing services on your laptop when using normally (work, home), then turning on the Firewall when you connect to a public network would be simpler than turning off all of the sharing services. In an older Apple OS, Network Locations did this for you. I wish they'd bring that back.


Unless you enable them in the Sharing System Preferences (or other means), nothing will respond to an external request. So, even if you are open to the wild world of the internet, nothing is listening to respond to an attempt to hack.

Some firewall-like software may be useful to you if you want to see what is talking back to whom. You mentioned being paranoid(-ish), so something like Little Snitch may be entertaining to you.

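Added example, not part of the thread or of either poster's advice: two claims in the replies above are easy to verify on your own Mac instead of arguing about them. Kurt's point that a standard account is the safer place to browse from, and Barney's point that nothing answers external requests unless a sharing service is enabled. The script below checks whether the current account is in the `admin` group, reports the state of the built-in application firewall, and lists listening TCP sockets that are bound to all interfaces rather than loopback. The sample `id -Gn` and `netstat -an` output is constructed so the parsing functions can be tested anywhere; the live audit calls the real macOS tools (`id`, `netstat -an -p tcp`, `socketfilterfw --getglobalstate`) and only runs on Darwin.

```shell
#!/bin/sh
# Added example (not from the thread): a quick local exposure audit.
# Answers two questions from the thread: am I browsing as an admin, and is
# anything actually listening for connections from the network?

# Constructed sample of `id -Gn` output for an admin and a standard macOS account.
SAMPLE_GROUPS_ADMIN='staff everyone localaccounts admin _appserverusr'
SAMPLE_GROUPS_STANDARD='staff everyone localaccounts'

# Constructed sample of macOS `netstat -an -p tcp` output (not real output).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.54321     17.253.144.10.443      ESTABLISHED
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN'

# Return 0 if the space-separated group list contains the macOS "admin" group.
is_admin_groups() {
  for g in $1; do
    [ "$g" = "admin" ] && return 0
  done
  return 1
}

# Print the local address (4th column) of every socket in LISTEN state, e.g. "*.22".
listening_sockets() {
  printf '%s\n' "$1" | awk '$NF == "LISTEN" { print $4 }'
}

# Keep only listeners that are not bound to loopback; these are reachable from
# the network when no firewall sits in front of the machine.
externally_reachable() {
  listening_sockets "$1" | grep -v '^127\.0\.0\.1\.' | grep -v '^::1\.' || true
}

audit_live() {
  if [ "$(uname)" != "Darwin" ]; then
    echo "not macOS; skipping live audit"
    return 0
  fi
  if is_admin_groups "$(id -Gn)"; then
    echo "account $(id -un) is an admin; a standard account is safer for daily browsing"
  else
    echo "account $(id -un) is a standard user"
  fi
  # Built-in application firewall state (real macOS tool and flag).
  /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
  echo "Listening TCP sockets reachable from the network:"
  externally_reachable "$(netstat -an -p tcp)"
}

audit_live
```

On a Mac with no sharing services enabled the final list is normally empty, which is the concrete form of "nothing is listening"; a `*.5900` (Screen Sharing) or `*.22` (Remote Login) entry means a service is answering on every interface and is what the firewall or a NAT router would be shielding on a public network.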

Nov 18, 2017 12:21 PM in response to Barney-15E

This is all good stuff. Thanks, folks.


There is no -ish about my paranoia. I tend to think in terms of probabilities and consequences: a small probability of occurrence coupled with a potentially catastrophic result warrants action to head it off. Which is why I froze my credit files years ago, long before Experian. My house has a monitored alarm system. I use 2-factor authentication. And so on. As for computer paranoia, my biggest fear was a keystroke logger: the key to somebody's bank account. So I started using 1Password. I generate gobbledygook PWs that the Rainman couldn't remember and it auto-populates login credentials, so no typing to steal. Since the vault is local nobody (at least not yet) can reach thru, even if they got thru the FW (I use a Time Capsule) and unlock my vault. After all this I believe I am safe from that threat.


BTW, I did try out Little Snitch one time, out of curiosity. However I know so little about what it was reporting I was constantly in Google investigating this and that being reported. It became a distraction. So it went (I don't keep around SW I am not using).


I checked File Sharing. I have a shared Public folder that is shared only in my local network. I think I did that so my wife and I could exchange stuff without using Drop Copy.


I long ago got rid of Java. And I just scoured my HD and confirmed no remnants. I do have JavaScript enabled (Thanks John for confirming that is OK). I still have Flash (both regular and for Chrome), because I tend to watch TV on my 27" monitor when my wife is monopolizing the 70" LED with some HGTV show. My cable company requires Flash. And Safari is smart enough to disable it when I close the cable website. I allow no other sites to use it. When I get the notification an update is available, I go back to Preferences and verify there, before downloading via Preferences. And of course I would never install a Flash update from any website, no matter how out of date they tell me mine is.


I am also convinced that a standard user account is superfluous, Unix experts aside. Thanks for the links.


BTW, I did install Malwarebytes (tried it before and got rid of it). I already use Etrecheck. LOL Malwarebytes is peddling the same paid AV security everyone else is. I guess everyone needs to make a living. I'll let the trial period expire and let it downgrade just to an on-demand checker. I ran Malwarebytes and it listed a bunch of stuff it was searching for. I'll assume those were not viruses but other malware. The names meant nothing.


Lastly, does anyone know of a good firewall tutorial? I've looked before and all I could find was a bit too top level. A router tutorial would also be helpful. Something in between what I'd get in a university CS program and the very top level stuff that I could find. Thanks in advance.
