Question macOS needs an AV?

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
792
I personally don't think you do. macOS's built in protections have gotten pretty good over the years. If you have a recent macOS like Big Sur, there's built in things like:
  • Every software you download gets checked against a live internet database of notarized apps (apps that Apple has a copy of and has determined isn't harmful), and those can be live-revoked should they be deemed malicious
  • "behavior blocking" style behavior is built in to the OS. Accessing sensitive folders like your documents, downloads, photo library, etc all trigger permission prompts from the OS by default
  • macOS has a modest built in antivirus (XProtect and MRT), and they get regularly pushed updates in the background and will check your system for the most prevalent infections as well as running early in bootup to guard against malicious startup services
  • The OS itself is now completely read-only and "sealed" with an Apple signature, and that's enforced at boot up. Unless you downgrade your security, attackers cannot modify any of your OS bits.
  • Critical OS services like the antimalware are protected against even the root user and it cannot be defeated, especially not in a way that survives rebooting the machine.
With all of that, I think the main threat you'll hit is PUA/annoyanceware. Things that aren't strictly illegal or harmful like search toolbars / homepage hijackers / ads, that big companies are afraid to block because of all the legal issues around a company of Apple's size declaring war on an industry. If you do a lot of that, then maybe you want something.

MalwareBytes I think is most useful on the Mac because they take such an aggressive stance against PUA. I don't like their products for Windows because IMO the protection against true malware and ransomware is weaker than the combination.

In general I do not recommend realtime scanners on macOS. They are better since Big Sur because they use a new "system extensions" API that no longer requires a hacky kernel driver (and downgrading your security). However, they still add noticeable overhead, as AV software on macOS doesn't do all the clever tricks that Windows AV Software do in terms of skipping repeatedly scanning things or skipping system files. Plus, again, because the OS's built-in protections are great compared to Windows. You don't have that problem where a malicious software running without realtime protection can find a way to hide and remain resident and block future attempts to clean/remove it.

If you have annoyanceware on your system, you'll realize it, and at that point you might want to grab a scanner for it. Otherwise, IMO it's a waste of money, system resources, and time.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,460
Just being basic curious, I installed F-Secure on a real old MacBook Air 2012, with Catalina OS. RAM usage: 9,6MB

I thought I for sure saw wrong, but nope. It won't hurt the system, but I probably will be satisfied enough with their VPN. It's a plain simple machine I won't use for any malware testing anyway, but it sure could use a hardware upgrade and that's actually very possible. Sadly can't from the information I found update to the latest OS, Big Sur, but Catalina still gets security updates.

@MacDefender , how well would you say it's firewall is? I haven't done any testing so I don't know.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
792
Just being basic curious, I installed F-Secure on a real old MacBook Air 2012, with Catalina OS. RAM usage: 9,6MB
I would wager a guess that if you try to copy a bunch of files, you’ll notice a significant amount of extra CPU usage and a slowdown. It’s kind of like BitDefender’s conserve memory mode… a lot of these realtime engines on the Mac simply aren’t optimized for performance. It’s good that it’s not a memory hog though at least!

@MacDefender , how well would you say it's firewall is? I haven't done any testing so I don't know.
The built in firewall on the Mac is kind of similar to the Windows Firewall — it’s pretty effective but basically inbound-only and doesn’t control outbound traffic. By default, properly signed apps can open ports without warning you, but that’s a setting you can change in macOS.

I do think there can be value in adding an outbound control firewall just like on Windows. Little Snitch I think is the best written outbound firewall, but it’s expensive, and quite honestly I think for 99% of people, it will just be a lot of nags/hassle without much benefit unless you are really trying to run somewhat untrusted software and worried about it phoning home. But on the other hand, Macs strongly use process isolation so the alerts can be really fatiguing. For example, even a simple app like Weather might use 3 different processes to fetch different kinds of data.

Like one thing nice about macOS Catalina and above’s built in ransomware protection is that if an app tries to look at your photos or documents, that triggers a permissions dialog. It’s like a better / interactive form of Controlled Folder Access. A rogue app can’t steal/upload files from you if it can’t access them in the first place.
 

fabiobr

Level 12
Thread author
Verified
Top Poster
Well-known
Mar 28, 2019
560
I would wager a guess that if you try to copy a bunch of files, you’ll notice a significant amount of extra CPU usage and a slowdown. It’s kind of like BitDefender’s conserve memory mode… a lot of these realtime engines on the Mac simply aren’t optimized for performance. It’s good that it’s not a memory hog though at least!


The built in firewall on the Mac is kind of similar to the Windows Firewall — it’s pretty effective but basically inbound-only and doesn’t control outbound traffic. By default, properly signed apps can open ports without warning you, but that’s a setting you can change in macOS.

I do think there can be value in adding an outbound control firewall just like on Windows. Little Snitch I think is the best written outbound firewall, but it’s expensive, and quite honestly I think for 99% of people, it will just be a lot of nags/hassle without much benefit unless you are really trying to run somewhat untrusted software and worried about it phoning home. But on the other hand, Macs strongly use process isolation so the alerts can be really fatiguing. For example, even a simple app like Weather might use 3 different processes to fetch different kinds of data.

Like one thing nice about macOS Catalina and above’s built in ransomware protection is that if an app tries to look at your photos or documents, that triggers a permissions dialog. It’s like a better / interactive form of Controlled Folder Access. A rogue app can’t steal/upload files from you if it can’t access them in the first place.
Do you know if iCloud has some ransomware rolled back protection as OneDrive? Saving different versions of files.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
792
Do you know if iCloud has some ransomware rolled back protection as OneDrive? Saving different versions of files.
I don't believe it's as good as OneDrive though I haven't really tried it. OneDrive does a great job with versioning and restoring files, and even giving you prompts for when it thinks you got ransomed.

iCloud Drive gives you some ability to restore deleted files but I worry that it's probably easy to modify then delete it in a way that you won't get iCloud backups of.

I do like that Time Machine, Apple's backup solution, works so well in terms of storing historical versions of your files. macOS's built in CFA-like system aggressively protects Time Machine backups too.
 

Filipe

Level 1
Verified
Feb 23, 2018
42
Av don´t think we need to add an extra attack surface and exploit possibilities. macOS is secure by default but talking about firewall, the firewall in OS controls as you said the inbound traffic mainly. I would advice to install an hardware firewall from a reliable vendor with regularly releases so can control even more outbound traffic, also, botnets, cc´s etc and logging traffic is good for forensics also. My advise is securing by hardware since the macOS is secure by default. :)
 

JB007

Level 25
Verified
Top Poster
Well-known
May 19, 2016
1,461
I just read this report: "New AdLoad malware variant slips through Apple's XProtect defenses"
:confused:
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,460
What should we conclude from this? As stated at the outset, we’re not Apple-bashing here: XProtect does do a decent job of blocking the macOS malware that it knows about, particularly since recent versions of the OS ensure files are scanned by XProtect even if they are missing the com.apple.quarantine extended attribute.

The problem is there’s just a lot more malware out there than XProtect knows about. Yes, Apple has another tool, the MRT.app, that can remediate some known malware infections, again if it knows about them, but there are other problems with MRT.app, chief among them the frequency with which it runs (or doesn’t run). We’ve written about MRT.app before at length here and here.
Pretty interesting report on the topic.
 

JB007

Level 25
Verified
Top Poster
Well-known
May 19, 2016
1,461

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,460
Thanks @upnorth
However I'm wondering if in the end the purpose of this very interesting article is not the self-promotion of SentinelOne ? :unsure:
Partially can agree with that, as we normally also see the exact same with almost all company/vendor created reports and articles as those are also used 24/7 with sites like Bleeping, but it's in this case way too small marketing if you compare the whole report. The marketing parts is for companies. It's also no surprise because these genuine security companies have very skilled and professional researchers. SentinalOne is thankfully at least not a complete unknown source.

The main message is much more about what actually Apple themselves admits ( Craig Federighi, Apple’s Senior VP of Software Engineering ) and even officially states, but just as mentioned more then once by Phil Stokes the author of the report, this ain't about bashing Apple.
 

Dave Russo

Level 17
Verified
Top Poster
May 26, 2014
848
Thanks @upnorth
However I'm wondering if in the end the purpose of this very interesting article is not the self-promotion of SentinelOne ? :unsure:
Seems like it to me as well, every major player offers Mac protection
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
792
The main message is much more about what actually Apple themselves admits ( Craig Federighi, Apple’s Senior VP of Software Engineering ) and even officially states, but just as mentioned more then once by Phil Stokes the author of the report, this ain't about bashing Apple.
Yeah I don’t think it’s bashing Apple, but the subtext is important. Apple executives are basically saying this to argue that it is impossible to solve the malware problem without an iOS style walled garden where the OS does not allow installing things that aren’t signed and approved by Apple.

Apple isn’t implying that any third party AV is a viable solution, though of course they have their agenda for pushing this discussion towards a walled-garden App Store.

As with most things, the truth is muddy. Apple’s argument doesn’t make sense given that these recent malware samples are notarized and signed by Apple (Note that the signing identity costs at least $99 per human identity, Apple detects trying to use another credit card under the same name to pay for a Developer ID), so it isn’t practical or cheap. And note that SentinelOne has a suggested set of YARA rules for detecting this attack, which simply says Apple’s XProtect ones are not sufficient. It’s not much different from how any malware (Windows or otherwise) attempts to evade static signatures.
 

poopdookie

Level 2
Feb 11, 2021
81
We go back and forth on this, if a supply chain attack occurs...oof. Maybe a network layer monitor is all that's needed, but would love to know whenever possible if there is any malicious activity in eco system.
 
  • Like
Reactions: Nevi and JB007

Game Of Thrones

Level 5
Verified
Well-known
Jun 5, 2014
225
I personally don't think you do. macOS's built in protections have gotten pretty good over the years. If you have a recent macOS like Big Sur, there's built in things like:
  • Every software you download gets checked against a live internet database of notarized apps (apps that Apple has a copy of and has determined isn't harmful), and those can be live-revoked should they be deemed malicious
  • "behavior blocking" style behavior is built in to the OS. Accessing sensitive folders like your documents, downloads, photo library, etc all trigger permission prompts from the OS by default
  • macOS has a modest built in antivirus...
one of the best explanations of why you actually shouldn't install security software on a mac. a simple habit of installing known apps and visiting safe websites makes you near 99 precent safe with a mac and even windows. i have an m1 air which is my primary laptop and i take it as my primary device anyday compared to our windows laptops and desktops. you don't have to tinker with a mac or ios system. you use them. big sur was one of the most significant security upgrades to mac which for normal users was not advertised by apple. you hear news about a new malware for mac and think that they are unsafe but the impact they have and how many people get infected is actually really low and most who got infected used cracked software or had careless behavior. as someone who used macs as primary for about 7 years i never got a malware or bad app and my friends too didn't had any problem.
the realtime protection of most security softwares does NOT slow down the system noticeably but will create odd behavior i tested bitdefender and Kaspersky for mac as curiosity and i don't recommend installing one. they create odd behaviors like bad standby behavior, slow login in login screen(had that with kaspersky) and some other stuff. the mac os does not have the security software friendly behavior of windows because it has strict rules for programs behavior which makes it more secure by default.
as a mac user i say don't install security softwares. in future you may need them as the more users a platform get the more attention from malware writers it will get. but for now you don't need them.just use your mac.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top