Should Mac Users Run Antivirus Software?

Lawrence Linn - 06:24am Mar 19, 2008 PST
Guest User

I don't know if I'm contributing to the forum or to the author
directly here...but regardless of who I am talking to. . .

Some hopefully constructive criticism here. The article was good. If
it was edited to be about 80% shorter it would have been great. Re-read
it. . .the same point (Macs are more secure now because they are
less of a target) was made in virtually every paragraph.

Not to discourage you. . .the topic needs more attention. The OSX
firewall has become confusing in 10.5.x, and people have seemed to
have just abandoned anti-virus except in enterprise situations.
Wireless / Non-wireless router firewalls need more attention too. (Are
they worthwhile? Should I bother updating my Linksys firmware?)

Seems like .Mac could develop a SPAM solution if they really focused
on it too. (Bill Gates, eek, suggested the ultimate solution years ago
-- charge a nickel an email, prepaid, and voila. Make the mechanism
open-source (call me a dreamer) and it could really work universally)

Anyhow, I guess I'm guilty of what I accused you of at the beginning.
Get an editor. I'll get one too. :-)

- Larry



Rich Mogull - Apr 5, 2008 1:03 am (#49 Total: 68)  

Posts: 222
Re: Should Mac Users Run Antivirus Software?

>>
>> But do document the direct and labor costs of maintaining AV in your
>> departmental budget and financial reports, under the heading of
>> "required overhead." And document the number of detected viruses in
>> your departmental operational reports. Someday, an auditor whose
>> focus is on cost-cutting might actually see the connection!
>

That will never happen. No auditor will put themselves on the line to
save costs for a client. Once something is in the book as a "best
practice" it never leaves.

Randy B. Singer (apparently) - Apr 5, 2008 1:03 am (#50 Total: 68)  

via email - Co-Author: The Macintosh Bible (4th, 5th, and 6th editions)
Posts: 209
Re: Should Mac Users Run Antivirus Software?



On Apr 4, 2008, at 10:08 AM, Bill Rowe wrote:

> I don't believe the choice is as stark as you present.
> Currently, there are no native viruses etc for OS X. Given that,
> I cannot equate ClamAV or ClamXAV' lack of ability to detect Mac
> malware as incomplete protection.

Many (most?) Mac users believe that there is no malware for the
Macintosh. That isn't the case.

While there are no viruses that target OS X, there are several
Trojan Horses (and not just "concepts"), scareware, Word and Excel
macro viruses, and OS 8/9 viruses that can still infect Classic.

http://www.sophos.com/security/analyses/search-results/?search=macintosh&action=search&x=0&y=0

http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=macintosh&x=0&y=0

Except for the macro viruses, to my knowledge, ClamXav doesn't look
for any of these.

Which is not to say that any of these are prevalent...none are. And
I'm not saying that ordinary Mac users need to have AV software...I
don't think that they do. I'm just saying that, if the poster I was
responding to actually feels that he *needs* AV software, it makes
sense to me that he would want *good* AV software, not ClamXav, which
does surprisingly little for the Mac user.


Randy B. Singer • Mac OS X Routine Maintenance • http://www.macattorney.com/ts.html

Kirk McElhearn (apparently) - Apr 5, 2008 2:36 am (#51 Total: 68)  

via email
Posts: 836
Re: Should Mac Users Run Antivirus Software?

On Apr 5, 2008, at 10:03 AM, Rich Mogull wrote:
> If AV worked as well, on any platform, as the vendors would like us
> to believe I would recommend it to all users. The statistics I've
> seen show that the best AV software only detects 85%-95% of known
> viruses, and if the software includes heuristics it only detects
> 30%-40% of new variants. It's a well known problem in the security
> industry that new variants appear far faster than the vendors can
> respond.

You've said the above several times, but you're just citing this off
the cuff. Do you have anything to back up these statistics?


Kirk

Kirk McElhearn (apparently) - Apr 5, 2008 2:36 am (#52 Total: 68)  

via email
Posts: 836
Re: Should Mac Users Run Antivirus Software?



On Apr 5, 2008, at 10:03 AM, Randy B. Singer wrote:
> Which is not to say that any of these are prevalent...none are. And
> I'm not saying that ordinary Mac users need to have AV software...I
> don't think that they do. I'm just saying that, if the poster I was
> responding to actually feels that he *needs* AV software, it makes
> sense to me that he would want *good* AV software, not ClamXav, which
> does surprisingly little for the Mac user.

Yes, but people want to like Clam because it's open source, and, they
think, open source in this case is better.


Kirk

Randy B. Singer (apparently) - Apr 6, 2008 2:27 am (#53 Total: 68)  

via email - Co-Author: The Macintosh Bible (4th, 5th, and 6th editions)
Posts: 209
Re: Should Mac Users Run Antivirus Software?



On Apr 5, 2008, at 2:36 AM, Kirk McElhearn wrote:

> Yes, but people want to like Clam because it's open source, and, they
> think, open source in this case is better.

I think that most folks want to like ClamXav because it is *free*.
Unfortunately, "free" isn't always the best value.

I remember the days of Disinfectant, and I'd love there to once again
be a free product that could be counted on to protect all of us Mac-users
from all malware. But until/unless technically inclined
members of the Macintosh community get behind the ClamAV project,
ClamXav isn't it.

Maybe TidBITS' publishers would like to promote such an effort?

Randy B. Singer • Mac OS X Routine Maintenance • http://www.macattorney.com/ts.html




Lukas Mathis - Apr 6, 2008 2:27 am (#54 Total: 68)  

Guest User
Posts: 1
Re: Should Mac Users Run Antivirus Software?

Randy B. Singer wrote:
> My feeling is that if you feel that you have a need for anti-viral
> software to find Windows viruses (and I'm still not convinced that
> Mac users really have to be concerned with this), then it would
> probably be worth the money to purchase *good* AV software. (...)
> My understanding is that ClamXav (note that I'm not speaking about
> the use of ClamAV on a server) does not scan files interactively, it
> has to be run manually.

Which, in my opinion, is the very definition of good Mac AV software,
since it won't slow down your system with useless background threads,
it won't eat up your memory, and it won't constantly check files, thus
slowing down your disk and killing your battery if you're on a
notebook. If I were to run AV software on my Mac, I certainly would
not choose a product which ran constantly, but one which would be
invoked manually (perhaps even automated via folder actions, Hazel, or
something similar).


> You can choose to not be fully protected with ClamXAV, or you can
> choose to be fully protected with a good commercial product.

You are never "fully protected." Testing shows that AV software often
has "an average detection rate of [...] 33% with maximum at 50% and
minimum at 2%."
<http://chuvakin.blogspot.com/2007/04/answer-to-my-antivirus-mystery-question.html>

Lukas

Kirk McElhearn (apparently) - Apr 7, 2008 3:51 am (#55 Total: 68)  

via email
Posts: 836
Re: Should Mac Users Run Antivirus Software?



On Apr 6, 2008, at 11:27 AM, Lukas Mathis wrote:
>> My feeling is that if you feel that you have a need for anti-viral
>> software to find Windows viruses (and I'm still not convinced that
>> Mac users really have to be concerned with this), then it would
>> probably be worth the money to purchase *good* AV software. (...)
>> My understanding is that ClamXav (note that I'm not speaking about
>> the use of ClamAV on a server) does not scan files interactively, it
>> has to be run manually.
>
> Which, in my opinion, is the very definition of good Mac AV software,
> since it won't slow down your system with useless background threads,
> it won't eat up your memory, and it won't constantly check files, thus
> slowing down your disk and killing your battery if you're on a
> notebook


Huh? I use VirusBarrier, and in normal use (other than copying large
numbers of files) it takes up just a smidgen of processor time. Others
may be more intrusive, but VirusBarrier certainly doesn't have any
effect on performance for me.



Kirk

Rich Mogull - Apr 7, 2008 3:51 am (#56 Total: 68)  

Posts: 222
Re: Should Mac Users Run Antivirus Software?

> You've said the above several times, but you're just citing this off
> the cuff. Do you have anything to back up these statistics?

Here are a few sources, and you can find many more with a Google search:

http://winnow.oitc.com/AntiVirusPerformance.html
http://www.av-comparatives.org/seiten/ergebnisse_2007_11.php
http://blog.untangle.com/?p=96

The results vary greatly depending on the testing criteria, so the
numbers I cite are general ranges based on a number of sources and
conversations with other security industry researchers.

Randy B. Singer (apparently) - Apr 7, 2008 3:51 am (#57 Total: 68)  

via email - Co-Author: The Macintosh Bible (4th, 5th, and 6th editions)
Posts: 209
Re: Should Mac Users Run Antivirus Software?



On Apr 6, 2008, at 2:27 AM, Lukas Mathis wrote:

> You are never "fully protected." Testing shows that AV software often
> has "an average detection rate of [...] 33% with maximum at 50% and
> minimum at 2%."
> <http://chuvakin.blogspot.com/2007/04/answer-to-my-antivirus-mystery-question.html>

This article is all about Windows computers, not Macs. The
malware scene for Windows is nothing like that for the Macintosh.
Macintosh OS X is quite a bit different than Windows. Even a
non-technically oriented person can read this article and see that you
can't extrapolate anything from it and apply it to any sort of
generalization about the Macintosh.

Randy B. Singer • Mac OS X Routine Maintenance • http://www.macattorney.com/ts.html

Kirk McElhearn (apparently) - Apr 7, 2008 2:21 pm (#58 Total: 68)  

via email
Posts: 836
Re: Should Mac Users Run Antivirus Software?



On Apr 7, 2008, at 12:51 PM, Randy B. Singer wrote:
>> You are never "fully protected." Testing shows that AV software often
>> has "an average detection rate of [...] 33% with maximum at 50% and
>> minimum at 2%."
>> <http://chuvakin.blogspot.com/2007/04/answer-to-my-antivirus-mystery-question.html>
>
> This article is all about Windows computers, not Macs. The
> malware scene for Windows is nothing like that for the Macintosh.
> Macintosh OS X is quite a bit different than Windows. Even a
> non-technically oriented person can read this article and see that you
> can't extrapolate anything from it and apply it to any sort of
> generalization about the Macintosh.

Yes, and the same is true for the links that Rich posted.


Kirk

bitreader (apparently) - Apr 8, 2008 4:26 am (#59 Total: 68)  

via email
Posts: 120
Re: Should Mac Users Run Antivirus Software?

On 4/7/08 at 3:51 AM, kirkmcelhearn.com (Kirk McElhearn) wrote:

>Huh? I use VirusBarrier, and in normal use (other than copying large
>numbers of files) it takes up just a smidgen of processor time.
>Others may be more intrusive, but VirusBarrier certainly doesn't
>have any effect on performance for me.

With the current version of Virus Barrier, there can be an impact
on performance if real time scanning is enabled and you are
doing something that creates lots of files. That is, I have seen
problems with a batch process that modified ~100 50 MB files.
Once I shut real time scanning down, things ran much better.

bitreader (apparently) - Apr 8, 2008 4:26 am (#60 Total: 68)  

via email
Posts: 120
Re: Should Mac Users Run Antivirus Software?

On 4/7/08 at 2:21 PM, kirkmcelhearn.com (Kirk McElhearn) wrote:

>On Apr 7, 2008, at 12:51 PM, Randy B. Singer wrote:
>>>You are never "fully protected." Testing shows that AV software
>>>often has "an average detection rate of [...] 33% with maximum at
>>>50% and minimum at 2%."
>>><http://chuvakin.blogspot.com/2007/04/answer-to-my-antivirus-mystery-question.html>

>>This article is all about Windows computers, not Macs. The
>>malware scene for Windows is nothing like that for the Macintosh.
>>Macintosh OS X is quite a bit different than Windows. Even a
>>non-technically oriented person can read this article and see that you
>>can't extrapolate anything from it and apply it to any sort of
>>generalization about the Macintosh.

>Yes, and the same is true for the links that Rich posted.

While it certainly is true the links were for Windows based
programs, it seems to me the stats for detection rates are
meaningful for two reasons.

First, it seems very unlikely malware detection software written
for Mac OS X could be significantly better at detecting Windows
malware than software written for Windows. It is the algorithm
used to detect malware that matters and this is not dependent on
the OS.

Second, given there currently are no viruses in the wild that
run under OS X, it seems the detection rate for Windows viruses
and other malware would be the correct thing to measure at this time.

Lukas Mathis - Apr 8, 2008 5:04 am (#61 Total: 68)  

Guest User
Posts: 1
Re: Should Mac Users Run Antivirus Software?

Randy B. Singer wrote:
> > You are never "fully protected." Testing shows that AV software often
> > has "an average detection rate of [...] 33% with maximum at 50% and
> > minimum at 2%."
> > <http://chuvakin.blogspot.com/2007/04/answer-to-my-antivirus-mystery-question.html>
> This article is all about Windows computers, not Macs.

And since there are no active Mac viruses, looking at Windows
antivirus software is the only thing we can do, especially given that
typically, the same developers create both Mac and Windows antivirus
software. If the Mac situation ever becomes substantially worse than
it is today, there is no reason to believe that Mac antivirus software
will do better than Windows antivirus software.

The main reason for this is that most antivirus apps try to blacklist
viruses. Blacklisting viruses does not work. Even if the blacklist was
perfect, matching 100% of all existing viruses (which is unlikely
enough to be impossible), a hypothetical Mac virus attacking Mail.app
or iChat or a similarly popular Mac application would most likely
propagate fast enough that many or most people would be infected
before blacklists could be updated and distributed to take the new
virus into account.


> Macintosh OS X is quite a bit different than Windows.

Different how?

Lukas

Randy B. Singer (apparently) - Apr 8, 2008 10:16 am (#62 Total: 68)  

via email - Co-Author: The Macintosh Bible (4th, 5th, and 6th editions)
Posts: 209
Re: Should Mac Users Run Antivirus Software?



On Apr 8, 2008, at 4:26 AM, Bill Rowe wrote:

> First, it seems very unlikely malware detection software written
> for Mac OS X could be significantly better at detecting Windows
> malware than software written for Windows.

Maybe, but you don't know that.

> It is the algorithm
> used to detect malware that matters and this is not dependent on
> the OS.

This really doesn't follow. As far as I can tell, the only malware
that Macintosh AV software looks for is Windows malware that is
likely to show up on Macintosh computers, that is, viruses that can
send themselves out via e-mail, and macro viruses. First, I don't
know if these are especially hard to detect (Windows AV software may
only have a problem with certain types of Macware that never shows up
on a Mac), and second, any cloaking abilities built into this malware
may only work on the Windows platform that they are designed to infect.

Once again, the Macintosh is a completely different environment than
Windows. You can't extrapolate from an article on how AV software
runs on Windows anything about how AV software runs on a Mac.

Randy B. Singer • Mac OS X Routine Maintenance • http://www.macattorney.com/ts.html



bitreader (apparently) - Apr 9, 2008 5:27 am (#63 Total: 68)  

via email
Posts: 120
Re: Should Mac Users Run Antivirus Software?

On 4/8/08 at 10:16 AM, randymacattorney.com (Randy B. Singer) wrote:

>On Apr 8, 2008, at 4:26 AM, Bill Rowe wrote:
>
>>First, it seems very unlikely malware detection software written
>>for Mac OS X could be significantly better at detecting Windows
>>malware than software written for Windows.

>Maybe, but you don't know that.

True, since I am not a software developer nor do I have access
to the source code for various malware software, I cannot know
for sure. But consider there are only three choices here:

Mac software is much more efficient at malware detection than
Windows software: this seems like a very unreasonable and overly
optimistic assumption.

Mac software is much less efficient than Windows software at
malware detection. This assumes something on Windows performs
much better than it does on a Mac. This certainly doesn't match
my experience. And it seems this is basically the same
assumption as the first from a Windows user's perspective.

This leaves only the last possibility, that the detection
efficiency is essentially the same on both platforms. This seems
to me to be a very reasonable expectation particularly as the
same software companies develop software for both platforms.

>>It is the algorithm used to detect malware that matters and this is
>>not dependent on the OS.

>This really doesn't follow. As far as I can tell, the only malware
>that Macintosh AV software looks for is Windows malware that is
>likely to show up on Macintosh computers, that is, viruses that can
>send themselves out via e-mail, and macro viruses. First, I don't
>know if these are especially hard to detect (Windows AV software may
>only have a problem with certain types of Macware that never shows
>up on a Mac), and second, any cloaking abilities built into this
>malware may only work on the Windows platform that they are designed
>to infect.

I've no fundamental disagreement with what you wrote above. I
simply note it doesn't conflict with my statement that the
detection algorithm for malware isn't OS specific.

>Once again, the Macintosh is a completely different environment than
>Windows.

Absolutely true and totally not relevant in terms of the
efficiency of malware detection.

>You can't extrapolate from an article on how AV software
>runs on Windows anything about how AV software runs on a Mac.

In terms of the UI or in terms of performance times, you are
absolutely right. But in terms of the ability to detect malware,
you are simply wrong.

Randy B. Singer (apparently) - Apr 9, 2008 12:03 pm (#64 Total: 68)  

via email - Co-Author: The Macintosh Bible (4th, 5th, and 6th editions)
Posts: 209
Re: Should Mac Users Run Antivirus Software?



On Apr 9, 2008, at 5:27 AM, Bill Rowe wrote:

>
>> You can't extrapolate from an article on how AV software
>> runs on Windows anything about how AV software runs on a Mac.
>
> In terms of the UI or in terms of performance times, you are
> absolutely right. But in terms of the ability to detect malware,
> you are simply wrong.

Allow me to reiterate. You don't know this. You are merely
*guessing* that in the Macintosh environment AV programs have the
same efficiency and detection rate as on the Windows platform. Since
there is different malware on the Macintosh, and since it is an
entirely different OS, both with regard to the interface and under
the skin, your *guess* doesn't necessarily follow.

If you can point to some experience with the Macintosh and AV
software showing that Mac AV software can't find the malware it is
programmed to find, or a study of AV software in general running on
the Macintosh, or something about how AV programs work technically
and intrinsically on both platforms ...anything...you might have a case.

Randy B. Singer • Mac OS X Routine Maintenance • http://www.macattorney.com/ts.html

bitreader (apparently) - Apr 10, 2008 1:17 am (#65 Total: 68)  

via email
Posts: 120
Re: Should Mac Users Run Antivirus Software?

On 4/9/08 at 12:03 PM, randymacattorney.com (Randy B. Singer) wrote:

>On Apr 9, 2008, at 5:27 AM, Bill Rowe wrote:
>
>>
>>>You can't extrapolate from an article on how AV software runs on
>>>Windows anything about how AV software runs on a Mac.

>>In terms of the UI or in terms of performance times, you are
>>absolutely right. But in terms of the ability to detect malware,
>>you are simply wrong.

>Allow me to reiterate. You don't know this. You are merely
>*guessing* that in the Macintosh environment AV programs have the
>same efficiency and detection rate as on the Windows platform.

What I do know is malware detection is not built in to the OS on
either platform. So, the detection algorithm has to be built in
to the app. Meaning it is the way the app is designed not the
way the OS is designed that determines detection rates.

Beyond this we will simply have to agree to disagree.

>If you can point to some experience with the Macintosh and AV
>software showing that Mac AV software can't find the malware it is
>programmed to find, or a study of AV software in general running on
>the Macintosh, or something about how AV programs work technically
>and intrinsically on both platforms ...anything...you might have a
>case.

If that is what you want, I could dig up two examples from
systems past. Virus Detective pre OS X Mac systems and Dr
Solomon's for earlier versions of Windows.

Dr Solomon's came with a very complete manual and included quite
a bit of detail on the viruses it detected, how they were
detected and what those viruses would do to your system.
Comparing that to the operation of Virus Detective it was very
easy to see the basic algorithms being used to detect malware
were the same in both cases.

In fact, in those days where there were many fewer viruses on
either platform it was common to provide quite a bit of detail
as to how things worked. These days the amount of pages that
would be needed to provide the level of documentation that was
provided for Dr Solomon's is simply not cost effective given the
very large number of viruses/malware affecting Windows systems.

Note, this does not say these two programs were the same in any
other respect. UI was different, OS was totally different and
neither program was cross platform. That is, neither included
sufficient information to detect viruses that would be found on
the other platform.

But since the basic detection algorithm was the same, it would
have been quite reasonable to expect the detection efficiency of
either program to be very comparable once the appropriate
signatures for the other viruses were added to the other system.

The thing of it is, I see no reason whatever to believe current
malware detection systems use fundamentally different algorithms
than these older obsolete programs. What has been changed is the
number of virus signatures a program now looks for and details
of those signatures.

The bottom line is until malware detection is built into the OS,
there cannot be any OS dependence with respect to detection
rates. Detection rates have to be a strict function of the
quality of what is known about the virus/malware to be detected
and the algorithm used by the app itself.

Perhaps it also might be worth noting while I do not develop
malware detection software, I do create programs where the task
is to recognize features in a data stream. This is fundamentally
the same problem as detecting viruses except I don't need to
worry about a UI etc.

sydz (apparently) - Apr 11, 2008 6:29 pm (#66 Total: 68)  

via email
Posts: 4
Re: Should Mac Users Run Antivirus Software?

I have been using Mac since before 1992 with all the anti-virus software
then available. In fact I still use Disinfectant and Gatekeeper on Classic
but not once I came across a malware of any kind or description. We later
also had a Windows machine with 98SE and my experience with it bears little
comparison with applemac.

I have NAV on Tiger (10.4.11). From time to time it updates the virus
definitions but I have not the slightest notion what is updated. This debate
seems more surrealistic than real and reminds me, on a lighter note, of the
story I was told as a child, Leo has died. The princess was crying so the
whole kingdom started crying but when somebody asked the princess who Leo
was, she said, he was yet to be born.

When there are a few real live viruses for mac then perhaps this whole
discussion would make a little sense.

Cheers


wendy.faulkner (apparently) - Apr 13, 2008 9:40 am (#67 Total: 68)  

via email
Posts: 10
Re: Should Mac Users Run Antivirus Software?

Back when I was in college (88-92) there were Mac viruses out there. I had a Mac, but had to take diskettes to the college computer lab to print. I remember picking up more than 1 virus that way. That said, I haven't seen one since...

johnbaxterlists (apparently) - Apr 13, 2008 9:40 am (#68 Total: 68)  

via email
Posts: 672
Re: Should Mac Users Run Antivirus Software?

I found out at a user group meeting Thursday night (the nicely-named
PTSLUG--Port Townsend Seriously Laid back User Group) that one Navy
Federal Credit Union member got a call from the CIO (not a minion) of
the organization berating him for not running three distinct kinds of
security software on his Mac.

   --John



