Should Mac Users Run Antivirus Software?

adamengst sends in an article from TidBITS in which Macintosh security expert Rich Mogull explains why he doesn't use antivirus software on the Mac, and why most Mac users shouldn't bother with it either. The article also touches on the question of when an increasing Mac market share might tip it over an inflection point into more active attention from malware writers. (Last month Apple had 14% of PC sales, but 25% of dollar value.)

It's called a "Disk Image"

[StCredZero]

It's called a Disk Image. If you have it mounted, then you can scan it with any anti-virus program. There's no reason not to use anti-virus on Macs. ClamAV is free and works quite well.

Re:It's called a "Disk Image"

[datapharmer]

At the risk of being modded flamebait, I wanted to point out that when I tried ClamAV on mac it worked piss poor. There was little for it to find that affected me, so basically all it did was protect windows users from viruses passing through my computer to theirs and it did all sorts of screwy stuff with my system including making it so slow it was unusable. I kept it less than a week.

Use a tool like little snitch, up you security settings, don't run as administrator, don't run random programs you find on the net and you'll be fine.

Yes

[davidwr]

Short answer: Yes

Long answer:
If your Mac runs MS-Office software or other cross-platform software that has infectable data files, you are vulnerable to some Macro viruses.
If your Mac can run MS-Windows binaries you may be vulnerable to some Windows viruses.
If your Mac hosts files on a mixed network your Mac should protect itself from hosting infected files.

So, unless you've got an all-Mac/no-Windows network or your Mac doesn't run or host Windows files, AND you do not run any cross-platform files that have infectable data files, you should protect yourself and your network.

Re:Nay!

[imamac]

Mac have comparable prices for equivilent quality. Big difference. I'm glad my Mac isn't as "cheap" as a lot of the PCs I see.

I do

[supun]

I've been running ClamXav, http://www.clamxav.com/ , for a long time. I normally don't run full scans, but I do use the Sentry ability on any download directories. So anything I download is scanned. Nothing so far :)

Only if you'refrom the US

[jonnyj]

Last month Apple had 14% of PC sales, but 25% of dollar value.

This is just a teeny-weeny bit unreal. Close inspection reveals that the cited article refers to US-based PC retail sales.

There is more to the world than the US. And there's more to sales than retail sales. Apple has much lower sales penetration in Europe and Asia, and it has much lower sales in the commercial sector. Apple might be on enjoying a renaissance, but don't be fooled by inappropriate statistics.

Re:Nay!

[vux984]

Say it isn't so. Everyone knows macs are just as cheap as PCs!

I know your just being funny, but I figured I'd explain it anyway...

An awful lot of PCs are those $300 dell specials. Apple doesn't make products that crappy, but Dell moves boatloads of them... so Dell picks up a lot of unit sales eroding Apples 'market share by unit', but because the price is so low and Apple hangs onto more of the higher value sales, the erosion effect of these low end units on their 'market share by price' is considerably less.

Lets compare apples and oranges ;)

I sell oranges at $1
I sell apples at $1
As you can see "Apples are no more expensive than oranges."

I also sell rotten oranges at 50 cents.
I don't sell rotten apples.

So if I sell 100 apples, 200 oranges, and 200 rotten oranges:

Apple has 20% of the market but 25% of dollar value.

market = 100/[100+200+200] = 1/5 = 20%,
dollars = 100/[100+200+200*0.50] = 1/4 = 25%

That's essentially whats happening here.

Mac A/V needed !!!

[qwertphobia]

The only reason I require folks to run antivirus software on the Mac is because of Microsoft products. We have had several macro viruses spread across campus through the sharing of Microsoft Office documents.

Re:Nay!

[vux984]

at lest that $300 dell uses desktop parts unlike the $600 mini.

You'd be assuming that someone who buys a mini would be pleased with a loud bulky cheaply built tower why?

And for $600 you can get a dell that is a lot better and it has slots to add video and other cards to it.

A lot better? Give me a break. I challenge you to put together a Dell for $650 (or $750 including monitor, since with a lot of their budget PCs you can't unbundle it) that matches the mini's specs. I challenge you.

It must have bluetooth, 802.11g wifi, firewire, at least 4 usb ports, gigabit, optical audio in and out, DVI video out, Core2Duo w/ 2MB cache, 1 GB of RAM.

The mac mini only has integrated video so GMA950 is what you need to meet or beat there, and the small slow laptop hard drive should be a nobrainer to beat too.

Since its a PC not a Mac, I'll forgive you leopard, but you'll need at least Home Premium, no Home Basic. And make sure it comes with a restore disk.

And even if you managed to do it, then ask yourself... can you also make it virtually silent and fit into a space about the same as a stack of 5 CD jewel cases?

I'm not saying you can't get a good value for $600 from a dell. And theres no question that $600 spent the right way can result in a PC that's better than a mac mini for, say, games, for example. But spec for spec, Apple is very good value, provided your needs line up with the features they offer.

I agree there are some big gaps in the apple line up... where is the fast core 2 duo tower that I can put expansion pci cards into for around $1200 for example. The imac is good value and the right specs, but the wrong form factor since I can't expand it... that's why I still use a PC tower. My laptop otoh, which I don't require to be expandable, is a mac.

With mac's expandability isn't their market; except at the extreme high end. That tends not to go over well with the 'tech crowd' like the one here, but in practice, joe sixpack never upgrades his PC anyway nor plays FPS shooters, so for them this gap is not much of an issue.

Re:Eh, I don't know about that

[Sycraft-fu]

It's not a matter of voiding the warranty, it is a matter of who fixes things when it breaks. That's the whole reason why we buy something from one vendor around here (MPC for PCs). Our staff is fully capable of building systems form parts, and fully capable of diagnosing problems. However doing so would get in to a support nightmare. If something goes wrong with one of the PCs and all the hardware is from one company, we just tell them what we need replaced. It is easy to see if it is under warranty and so on. Also, if it is a strange issue that might be more than one part, it isn't a problem to get multiple parts. You don't have the maker of one part blaming the maker of another part.

Now this isn't critical, and I'm certainly not saying we've never bought aftermarket upgrades. However, it is a real consideration since one of the reasons people try to sell you on Macs is support. They say it is easier since the whole deal comes from one vendor. Ok, there's a lot to that, but you start to break that if you add aftermarket hardware. It isn't that you'd invalidate the warranty on the existing Apple hardware, but that if the aftermarket piece breaks, they can't help you.

Not a major issue when you have a single computer, but when you have 500, it can get problematic. Much better to have a single point for support as often as possible. However if you are having to order aftermarket upgrades for every single box due to the cost, well you don't get to have that.

Re:Then Rich Mogull Ain't No Security Expert

[z4ce]

You aren't protected from zero day expliots by anti-virus either. The new virus won't have a definition. Even some existing viruses can get past anti-virus using encryption. I saw a computer not long ago infected with a nasty Zlob variant with new definitions. I then tried to use several different vendors to remove it. Guess what, not symantec, mcafee, or nod32 could get rid of it. It took me using hijackthis along with mounting the file system from a linux live CD to get rid of the bugger.

Yes there is a risk of getting a virus on the internet. However, in my opinion, it only helps people who are prone to clicking omgponies.exe.

Re:Nay!

[serviscope_minor]

if you can afford shit like mini's, you can afford a large enough living area to put a pc. seriously they aren't fucking mobility device.

Are you trying to act stupid or can you really not see the point in having a small PC? A mini comes in a small, neat, quiet package. You think if I can afford a nice large living space, I'm going to fill it with monstrosities just for the hell of it?

Re:I think slashdot Mac users are more vulnerable

[PenguSven]

safeguards? sure. whenever you launch a third party app for the first time, you get a simple prompt, telling you its the first time you've run it, and giving you options to continue, cancel or show the application in finder.

Re:I think slashdot Mac users are more vulnerable

[catwh0re]

It's because you need a perfect storm of failures to make this work. First the user needs to double click the file, which might be displaying a .app extension if the user has extensions visible.(Meaning they'd realise it wasn't a .doc file.)

Secondly they'd need to not realise that their .doc file isn't opening in Word or a similar program, but rather in a new program that is for some reason asking them to authenticate.

Thirdly they'd then need to enter in a username and their password(if they are even the account holder who knows it/remembers it) to give the software permission to alter critical files on their system - all while not seemingly realising that their file isn't opening in Word/text editor.

This kind of virus is akin to dragging all your files to the trash, emptying it and claiming it was a virus.

Now take the case of windows. "www.porn.com" is a perfectly accepted file name for an executable. It too can have a little icon of something pornographic. Meanwhile, all a Windows person need do is double click it and it's game over. (Or if you're a Vista user, you'd need to choose accept from a dialog window - which the OS has already trained you to click blindly.)

If you're comparing Vista to Mac OS 10.5, then the moment you received this ".doc" file, whether from an email attachment, chat or website, the OS will alert you when you're opening it to where the file has come from, what time you received it, from what program and even what user sent it to you - and most importantly what kind of file it -really- is. This particular attack vector has been addressed extensively. It will as a minimum stall or prevent the creation of a botnet using Mac OS computers.

Re:I think slashdot Mac users are more vulnerable

[Hes+Nikke]

Actually, my basic complaint is that in the default view for each OS, it's not intuitively obvious which icons represent files or links to files which are directly executable. None of the three OS has this as a feature, to the best of my knowledge. With leopard, one feature you have is called Quick Look. QL shows you a preview of the selected file if it can read it. if it can't, it shows a bunch of metadata about the file, including it's type (Application, vs Microsoft Word Document to use the example mentioned earlier).

And before that we had column view. Column view shows you a bunch of metadata (yes, including file type) on the selected item - unless that item is a folder, than it shows it's file list in the next column over.

And before THAT we had list view. In list view you have a bunch of columns showing us a bunch of selectable metadata (inclusing - you guessed it - it's file type) on all visible files. List view has existed in some form or another on the macintosh since 1984. If you slow down and pay attention to the metadata that is being presented to you, you might notice that it tells you when you're about to open an application!

Cheap? Not at all.

[Onan]

Please Google for OS X viruses, they do exist.

By any reasonable definition, no, they don't. There have been a couple of extremely limited proof-of-concept viruses in the past few decades, which have infected approximately no one.

As to why you should deploy AV? Because it's a cheap way of adding another level of security protection to your machine.

But it's not cheap. The cost is, in fact, huge.

Antivirus software is incredibly invasive, mucking about to do secret things in kernelspace, inserting itself into nearly every action performed by a machine. It takes substantial resources to accomplish this dubious goal, and alters the system in unpredictable ways.

The "more security is always better" rationale that you propose is too simplistic. Security measures must always be evaluated by comparing their benefits against their costs. Your estimation wildly exaggerates the (nonexistent) benefits of antivirus software while completely glossing over its substantial costs.

Antivirus software is categorically a foolhardy and dangerous thing to ever run on one's machine at all. The only strange edge case in which it represents an improvement is if one is using software like Windows, which is so wildly hole-ridden that security is expected to come from third parties. But even there, the correct solution is not to add more layers to shore up a quicksand foundation, but to simply replace it with a sane operating system.