Is anti-virus protection necessary?

On 11/29/05 13:53, "Randy B. Singer" <randymacattorney.com> wrote:

> I don't see ClamXav as being a substitute for a commercial anti-virus
> program. It might be a worthwhile utility to use in addition to a
> commercial anti-virus program that does not comprehensively scan for
> Windows-only viruses, if, for some reason, you find that important.
>
> The gentleman who has ported ClamAV to the Mac, and who is providing
> ClamXav for free, is to be commended for providing a free product to the
> Macintosh community. However, even though he does not disagree with any
> of what I have said above (this all came up on Macintouch), he also
> doesn't clearly state it on his Web site. So folks are lured into
> thinking that their Macs are completely protected, and will be in the
> future in the event of a very serious threat, when they aren't. That does
> the Macintosh community a very serious disservice.

ClamAV was really never a desktop product. It's more of a server product,
and is quite good at that.

For clients, a little folder action shell scripting and Virex 7.2 takes care
of many needs without the need for kernel extensions.

I posted a set of scripts on versiontracker:

<http://www.versiontracker.com/dyn/moreinfo/macosx/18081>

Note that they delete infected files quickly and quietly, there's no
cleaning.

Not the most elegant setup, but a solution that works across many OS X
versions.

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com

At 11:53 AM -0800 11/29/05, Randy B.Singer wrote:
>In addition, if a Macintosh-only virus were to appear in the wild, there
>is no indication that the ClamAV database would be updated to deal with
>it. As far as I can tell, no one is writing and adding virus definitions
>to the ClamAV database for Macintosh malware. (The developer of ClamXav
>has admitted that not only has he not contributed any such definitions,
>but that he doesn't know how write such definitions.) In other words,
>ClamXav is practically worthless for use with the Macintosh, and worse, I
>fear that it lulls Mac users into a false sense that it is protecting
>them, when in fact it doesn't protect them from much at all. (It does
>provide protection from cross-platform Word and Excel macro viruses.)

        I see that one can submit virus samples to them at
<http://www.clamav.net/sendvirus.html> I wonder if they would accept any
old Classic malware? Does anyone have any samples?


--
* Johann Beda - contact link: <http://public.xdi.org/=j-beda> *
* Johann's MostlyMac Computer Consulting - <http://mmcc.beda.ca/> *

On 29 Nov 2005, at 12:53 , Randy B. Singer wrote:

> As a test, do a search for "Macintosh", or "Opener", or "Renepo"
> and see
> if anything shows up.

THese are not viruses in any sense of the word. They do not infect
applications. YOu have to INSTALL them. you have to validate with
your admin password. They are trivial to look for on your system.

--
and I lift my glass to the Awful Truth / which you can't reveal to
the Ears of Youth / except to say it isn't worth a dime


 

Google Kreme said:

>> As a test, do a search for "Macintosh", or "Opener", or "Renepo"
>> and see
>> if anything shows up.
>
>THese are not viruses in any sense of the word. They do not infect
>applications. YOu have to INSTALL them. you have to validate with
>your admin password. They are trivial to look for on your system.


I didn't say that they were viruses. I said that they were "Trojans",
right?

http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29

A Trojan is still Mac malware that (at least I, I don't know about you)
want to be protected from. And they aren't "trivial" to look for. A
Trojan can masquerade as just about anything. Folks still don't aren't
sure how Opener arrives, it is that non-trivial to look for.

All of the major commercial anti-virus applications look for and
eradicate these Trojans. ClamXav does not. I don't know about you, but
I would like to be protected from Trojans.

Randy B. Singer
Co-Author of: The Macintosh Bible (4th, 5th and 6th editions)

Routine OS X Maintenance and Generic Troubleshooting
http://www.macattorney.com/ts.html

On 11/30/05 12:13, "Google Kreme" <gkremegmail.com> wrote:

>> As a test, do a search for "Macintosh", or "Opener", or "Renepo"
>> and see
>> if anything shows up.
>
> THese are not viruses in any sense of the word. They do not infect
> applications. YOu have to INSTALL them. you have to validate with
> your admin password. They are trivial to look for on your system.

On 10.4 (maybe 10.3.9) and greater true.

On a stock pre-10.3.8/9 and earlier system, if you're an administrator user,
(as every Mac OS X's default first user is), no, actually, you don't need to
auth at all to create /Library/StartupItems and have it set world-writeable.

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com

An antivirus software is yet another piece of software that needs to be maintained on a computer. Aside from the virus definitions, the application itself needs to be launched periodically, kept updated (which entails downloading, extracting, copying etc). And may possibly require things to launch at startup (this is a generalisation).

Is this really worth it, given the dearth of reports of viral activity that directly affect Macintoshes? I certainly would not install one for my parents, even though they are (compared to me) less likely to practice “safe computing”.

Off the top of my head, the Mac softwares that have caused the most headaches, have been: an iTunes updater that deleted a home directory, Word macro virii, a system software updater that disabled FireWire drives, or disabled 3rd party RAM. Anyone (who has read Matt Neuburg’s Definitive Guide to AppleScript maybe) can create a little Applescript that moves files from the home directory to trash. And then paste a different icon on it, and induce someone to double click on it. With shell scripting, there’s even greater potential for malware.

I think there is a lot of possible malware on the Macintosh, which are not protected by the presence of anti-virus software. Anti-virus software should be way down the list of concerns for most Mac users. New users are better off grasping the logic of being wary of launching unfamiliar files, or holding off system updates for a while etc. And having scheduled back up -- a process that takes more memory muscle than launching an anti-virus program.

IMHO on Mac OS X, anti-virus software is a little more useful than Norton-branded software -- but that’s cold comfort.

On 3/12/2005, at 7:20 PM, fcchuan wrote:

> An antivirus software is yet another piece of software that needs
> to be maintained on a computer. Aside from the virus definitions,
> the application itself needs to be launched periodically, kept
> updated (which entails downloading, extracting, copying etc). And
> may possibly require things to launch at startup (this is a
> generalisation).
>
> Is this really worth it [...]

Any anti-malware (virus/spyware/trojan/etc) software should launch at
startup/login and not need to be launched periodically. It should be
capable of updating itself, without the user doing any manual
downloading/extracting/copying (having the user approve the update,
unless blanket update approval is given).

If the anti-malware software *doesn't* do all of this transparently,
then you need better software, not to give up on using it altogether.

It seems to me that the "do I need anti-virus protection" question is
pretty similar to ones you ask yourself when figuring out a backup
scheme. Would you care if an OS X virus appeared and infected your
machine? Could you easily repair it (e.g. from a machine that can't
be affected (e.g. a Windows/Linux machine, or one not networked)? Is
everything important backed up anyway? (If not, it should be).
Could you manage without the machine for a small amount of time if
necessary?

=Tony.Meyer

On Dec 2, 2005, at 11:20 PM, fcchuan wrote:

> Anti-virus software should be way down the list of concerns for most
> Mac users. New users are better off grasping the logic of being wary
> of launching unfamiliar files, or holding off system updates for a
> while etc. And having scheduled back up -- a process that takes more
> memory muscle than launching an anti-virus program.

This is certainly my view. No one has ever been crippled by a Mac
virus, as far as I know. But (in the Apple Forums at least) I have
seen dozens of users have part or all of their system made
non-functional by immediately installing every Apple update that comes
out when they have no backup or other way to return to the status quo
ante. All it takes is for one crucial app to stop working to really
ruin your day or week.

You know, some people have said on threads like this to have antivirus software available "just in case" a virus actually comes out-and they've been saying this for years.

Yet OS X is still essentially virus-free, all these years it's been out. How many new viruses and worms have come out for XP in that time? A few hundred at least.

Sure there are a few trojans, and a proof-of-concept virus, but not much has come of either of them. If this had been Windows, there would have been multiple versions of malware created from the MP3 concept virus alone. And there would definitely have been multiple means created to automatically deliver the Opener trojan, by email, by website, by file-share, etc., etc.

As I said before, OS X has been out for several years now. If there had been a way to create a fast-spreading virus or worm on this platform, someone would have found it. Quite frankly, I don't think Mac users running OS X have to worry about viruses and worms. Hence, antivirus software is useless to us.

Not that we can skip around the 'Net worry free, but we just have other problems. The Unix foundations of OS X make us vulnerable to other types of attacks, through buffer overflow vulnerabilities and badly created temp files with incorrect permissions and other such problems Linux and BSD admins have to deal with. But we can deal with most of those problems with a properly configured firewall, and regularly updated applications and OS'es. We already have the firewall, and Apple is pretty good with supplying updates when needed.

So, to answer the question, is antivirus protection necessary? I'd say no, with a caveat. That caveat is, keep Software Update running regularly and learn to configure your firewall. Just because there are no OS X viruses and worms, and there aren't likely to be any in the future, doesn't mean OS X is invulnerable.

(Of course, a few months from now some OS X virus or worm will come out and make a liar out of me ;))

------------------------------------------------------------------- Victor Daniel a.k.a The MacNut macnutdca.net macnutmacnuthome.com Listmom, ClarisWorks/AppleWorks email list: <http://awlist.macnuthome.com/>

On 12/5/05 10:37, "macnut" <macnutmacnuthome.com> wrote:

> Not that we can skip around the 'Net worry free, but we just have other
> problems. The Unix foundations of OS X make us vulnerable to other types of
> attacks, through buffer overflow vulnerabilities and badly created temp files
> with incorrect permissions and other such problems Linux and BSD admins have
> to deal with. But we can deal with most of those problems with a properly
> configured firewall, and regularly updated applications and OS'es. We already
> have the firewall, and Apple is pretty good with supplying updates when
> needed.

None of that will help with a trojan. There is a tendency to not take
trojans seriously. This is of course a bad idea and one that should be
ruthlessly stamped into a faint smear on the tile.

Trojans are MUCH harder to protect against, but they're much more dangerous
too, and for them, you cannot rely on OS X to help. You have to have layers
of protection, and a decent AV/Anti-Malware program is part of that.

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com

[OK, enough of a tangent here... -Adam]


On 02 Dec 2005, at 23:20 , fcchuan wrote:

> an iTunes updater that deleted a home directory,

This is not right. There was an iTunes update that could, under very
odd circumstances, have deleted data off a DRIVE (or partition).
However, the setup for this would require drives named like this:

Primary Drive:
"Word otherword"

another drive:
"Word"

because of the way the updater worked, it would delete all the data
on "Word".

So, if your primary drive was named "Macintosh HD" and you had a
second drive named "Macintosh" you would lose data. If the second
drive was named "Macintosh HD2" you would not.

I've had anti-virus software running on my Macs since System 7. I've used software like Disinfectant, Symantec Anti-Virus, Virex and (until recently) Norton Anti-Virus. Until recently, I thought it was important to use anti-virus software and advised anyone who asked to do so. However, I've NEVER seen any of these utilities detect a virus until, I think, about a year or so ago. That ONE time it was an attachment in a piece of spam: some Windows virus I don't remember. I would have trashed it anyway.

This "protection" did come at a price. My Macs were slowed down when they were scanned. I've had some freezes and unexpected quits I think were caused by anti-virus activities like disks being scanned on mount.

Recently I upgraded my aging Cube to an all new iMac. The Cube was running 10.3.9. The iMac came with Tiger. I used the migration utility to copy my data and such from the Cube to the iMac. This utility faithfully copied all of my stuff, including the Norton Systemworks components, to the iMac.

When I booted the iMac I had to deal with numerous messages that popped up notifying me that some Norton Anti-Virus thing did not load properly. Turning to the Symantec support pages it was clear that the version of Norton Anti-Virus I owned (as part of Norton Systemworks) was not Tiger compatible, which was also the case for most of Norton Systemworks. There was NO upgrade for Norton Systemworks (and none planned), only for Norton Anti-Virus.

I decided to remove all of Norton Systemworks from my iMac. The uninstaller that came on the CD did not work at all. The upgraded uninstaller that I downloaded from Symantec could not find any Symantec components! I had to manually search for "symantec", "Norton", etc. to find the components I had to remove. Fortunately that was relatively easy with Spotlight and fortunately I could remove all of them from within the Finder.

I have now also removed all of Norton Systemworks from my PowerBook G4, which is still running 10.3.9. Here the Symantec uninstaller did find and removed Symantec Systemworks components, but not all of them as I discovered when I performed some searches. But I managed to get rid of those as well. My first impression, after a few weeks, is that the PowerBook is running better (faster, less inexplicable "hangs") than before.

My conclusion: Anti-Virus software on a Mac is not worth the trouble. It slows down the computer and can cause other inexplicable problems without offering additional protection. I would NOT advice anyone to install an Anti-Virus utility on a Mac. I DO advice using a properly set-up firewall, using a non-admin account for your daily work, making regular (daily) back-ups of your data, trashing any e-mail attachments you do not completely trust and only downloading software from reliable sources.

On 12/10/05 23:53, "Frans Moquette" <fransmoquette.nl> wrote:

> My conclusion: Anti-Virus software on a Mac is not worth the trouble. It
> slows down the computer and can cause other inexplicable problems without
> offering additional protection. I would NOT advice anyone to install an
> Anti-Virus utility on a Mac. I DO advice using a properly set-up firewall,
> using a non-admin account for your daily work, making regular (daily) back-ups
> of your data, trashing any e-mail attachments you do not completely trust and
> only downloading software from reliable sources.

You do realize that Symantec is not the end all and be all of AV software on
the Mac, right?

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com

Frans Moquetter said:

>My conclusion: Anti-Virus software on a Mac is not worth the trouble. It
>slows down the computer and can cause other inexplicable problems without
>offering additional protection. I would NOT advice anyone to install an
>Anti-Virus utility on a Mac.

Your experience with Symantec/Norton products shouldn't be extrapolated
to apply to all other anti-virus products for the Macintosh. (Just as
you shouldn't infer that all hard drive repair utilities are as
potentially dangerous as Disk Doctor.)

About a year ago I tested all of the popular anti-virus software products
for OS X, and I found that Intego's Virus Barrier was by far the best.
It extracts no noticeable performance penalty, and it runs completely in
the background, never interupting your work to do a virus scan. My Mac
is just as stable with it running as without.

I understand that Virus Barrier has been completely and significantly
updated recently, and I haven't tried the new version, so I can't tell
you if it is still the same, but my hope and expecitation is that they
haven't messed up a good thing.

Randy B. Singer
Co-Author of: The Macintosh Bible (4th, 5th and 6th editions)

Routine OS X Maintenance and Generic Troubleshooting
http://www.macattorney.com/ts.html

On Dec 12, 2005, at 10:37 AM, Randy B. Singer wrote:
> Frans Moquetter said:
>
>> My conclusion: Anti-Virus software on a Mac is not worth the
>> trouble. It
>> slows down the computer and can cause other inexplicable problems
>> without
>> offering additional protection. I would NOT advice anyone to
>> install an
>> Anti-Virus utility on a Mac.
>
> Your experience with Symantec/Norton products shouldn't be
> extrapolated
> to apply to all other anti-virus products for the Macintosh. (Just as
> you shouldn't infer that all hard drive repair utilities are as
> potentially dangerous as Disk Doctor.)

This was about 2-3 years ago, but Disk Doctor did fry an iMac hard
drive (the original DVD model). And when we did run Norton Anti
Virus, it did slow things down on all our Macs.

A question... We've got an old copy of Virtual PC on a Powerbook, so
we run anti-virus software on it. We only use Virtual PC a few times
a year, mostly to proof web designs. Would it still be advisable to
run anti virus software on it ? We do update the software regularly,
esp. since we still get spam with .exe attachments, though we never
open them.

Marilyn

Marilyn Matty said:

>A question... We've got an old copy of Virtual PC on a Powerbook, so
>we run anti-virus software on it. We only use Virtual PC a few times
>a year, mostly to proof web designs. Would it still be advisable to
>run anti virus software on it ? We do update the software regularly,
>esp. since we still get spam with .exe attachments, though we never
>open them.

It depends. If your Virtual PC partition is an island, that is you don't
use it to run an e-mail program or a browser, and you don't exchange
software with other Windows users, it is probably okay to do without
Windows anti-virus software.

Randy B. Singer
Co-Author of: The Macintosh Bible (4th, 5th and 6th editions)

Routine OS X Maintenance and Generic Troubleshooting
http://www.macattorney.com/ts.html

Is there a Mac equivalent of the excellent (and free) AVG anti-virus
software which is available for Windows?

Paul

John C. Welch said:

>You do realize that Symantec is not the end all and be all of AV software on
>the Mac, right?


Indeed, considering how few threats there are currently to the Macintosh,
it is surprising that the number of anti-virus programs for the Macintosh
has been increasing, rather than decreasing. These are the ones that I
know about:

Virex
<http://www.networkassociates.com/us/products/mcafee/antivirus/desktop/vire
x.htm>

Norton Anti-Virus
<http://www.symantec.com/nav/nav_mac/index.html>

Sophos Anti-Virus
<http://www.sophos.com/pressoffice/pressrel/uk/20030714mac.html>
<http://www.sophos.com/products/sav/>

Intego Virus Barrier X
<http://www.intego.com/virusbarrier/>

Authentium ESP Antivirus for Mac OS X
http://www.authentium.com/

ClamXav
http://www.markallan.co.uk/clamXav/index.php

Drive Vaccine
http://www.horizondatasys.com/product_page.html?page_id=1#1

MacShield
http://www.centuriontech.com/products/macshield/

Some users may not consider the last two products to actually be
anti-virus software. But they are marketed as such.


Randy B. Singer
Co-Author of: The Macintosh Bible (4th, 5th and 6th editions)

Routine OS X Maintenance and Generic Troubleshooting
http://www.macattorney.com/ts.html

On 12/12/05 at 7:37 AM, randymacattorney.com (Randy B. Singer)
wrote:

>About a year ago I tested all of the popular anti-virus software
>products for OS X, and I found that Intego's Virus Barrier was by
>far the best. It extracts no noticeable performance penalty, and it
>runs completely in the background, never interupting your work to
>do a virus scan. My Mac is just as stable with it running as
>without.

I am using the current version of Virus Barrier and my experience matches your comments, i.e., no noticeable performance penalty or work interuption.

> So, to answer the question, is antivirus protection necessary? I'd say no, with
> a caveat. That caveat is, keep Software Update running regularly and learn to
> configure your firewall. Just because there are no OS X viruses and worms, and
> there aren't likely to be any in the future, doesn't mean OS X is invulnerable.
>
> (Of course, a few months from now some OS X virus or worm will come out and make
> a liar out of me ;))

I've been told by folks who should be in a position to know that there
are Mac attacks out there. To date they haven't been seen "out in the
wild" but they have been seen and have been attacking some systems.


[Are you sure they're talking about virus-like attacks, and not humans cracking Macs remotely? I've definitely heard of people breaking into Mac OS X machines over the Internet because all it takes is a bad password and a lot of Internet services left on, but that's a very different problem. -Adam]


At some point it someone big will be hit and we'll have to all deal with
it. But in general the Mac OS design has fewer points of attack which
combined with its lesser market share, seems to keep the whiz kids out
of the business.