Question: macOS needs an AV?

Game Of Thrones

Level 5
Verified
Well-known
Jun 5, 2014
225
The only security software that has been updated to native M1 support is Kaspersky, Bitdefender and Avast. Avast was one of the first; they did it really soon after the M1 was announced. But still I don't recommend installing one. If you insist on using Mac security software, use Kaspersky, because of these reasons that I tested:

It's the only Mac security software whose real-time cloud protection works on Mac too, so even the newest Windows threats will get detected (KSN real-time protection). This does not happen in Bitdefender or Avast and so many others; they just update the offline protection with updates, so their cloud does not work on Mac. If you want to test, just use the AMTSO cloudcar test, which is the standard file to use to see if cloud protection works or not; only Kaspersky detects it on Mac.

It has good network protection, unlike the others.

It recently got updated for M1, which will make it more friendly to M1 Macs. I haven't tested the new version; it seems most problems got rectified. The Intel architecture is working the same, so no difference.

The internet protection, link checker and such work better than the others; only Bitdefender comes close.

Their behavior protection is somehow partially implemented on Mac too; I've seen many heuristics and behavior blocking in many tests online or by myself. Others have implemented mostly static detection for Mac or have less effective methods.

Regardless of your architecture, I recommend Kaspersky. If you look at their software, it shows that they are taking Mac security more seriously than the others, from UI to detection capability.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
792
The only security software that has been updated to native M1 support is Kaspersky, Bitdefender and Avast. Avast was one of the first; they did it really soon after the M1 was announced. But still I don't recommend installing one. If you insist on using Mac security software, use Kaspersky, because of these reasons that I tested:

It's the only Mac security software whose real-time cloud protection works on Mac too, so even the newest Windows threats will get detected (KSN real-time protection). This does not happen in Bitdefender or Avast and so many others; they just update the offline protection with updates, so their cloud does not work on Mac. If you want to test, just use the AMTSO cloudcar test, which is the standard file to use to see if cloud protection works or not; only Kaspersky detects it on Mac.

It has good network protection, unlike the others.
I generally agree with this. KAV on the Mac comes close to being a security suite, protecting at the network level as well as at the realtime level, and it's smart enough to skip scanning Apple's "sealed system volume" which is cryptographically read-only and signed anyway, making it a waste of time to scan for malware.

With that said, it does have a noticeable power impact on laptops, the daemon can easily reach 100% CPU usage when installing apps or doing other things, and it's not multithreaded so it also limits IO performance when kavd gets to 100%.

Note that the above is generally true of antimalware on the Mac, not a Kaspersky specific problem. I've found their engine has good detection rates on Windows/Linux/Mac malware, not much difference in static scanning performance. I don't see any evidence of behavior blocking though the macOS API doesn't provide much of an ability to implement one.


It's not without its bugs though. For example when the network filtering component blocks a file, it simply replaces the network stream with an HTML error page:
[screenshot: 1631246852647.png]


This causes some applications to behave really bizarrely if Kaspersky thinks a URL is malicious or phishing. There is no UI feedback for when this happens, though if you dig through the logs you can find it.


Overall, I still feel realtime Mac protection isn't worth the tradeoffs. It's gotten a little better compared to 2-3 years ago when crashy/panicky kernel extensions were the norm. But the slight protection it offers is not worth all of the ways the suite can fall over and make your life miserable when it misbehaves, especially since Apple is so known for changing their OS underpinnings rapidly.
 

Game Of Thrones

Level 5
Verified
Well-known
Jun 5, 2014
225
I generally agree with this. KAV on the Mac comes close to being a security suite, protecting at the network level as well as at the realtime level, and it's smart enough to skip scanning Apple's "sealed system volume" which is cryptographically read-only and signed anyway, making it a waste of time to scan for malware...
Again, a detailed writing. Exactly what I'm talking about. As I said, there are really strange behaviors when you install a security suite on Mac. You went into details (y)👌

Most don't know that there will be some problems with battery and IO with actually any security suite.
 

SpiderWeb

Level 10
Verified
Well-known
Aug 21, 2020
455
Everything has changed with Monterey.

I have an M1. I am not happy with the current security solutions on the market. None of them are truly compatible with Monterey. You have to go into the "BIOS" equivalent of your M1 and disable critical security features in order for your AV to run. So you have to sacrifice hardware security for superficial software security. That's unacceptable. If someone knows of an AV that is M1-optimized and does NOT require System/Kernel extensions please let me know. As it stands I will not allow non-Apple signed code to run in kernel and scan everything when the default security policy is superior. As it stands, Mac Monterey and M1 just drove AVs out of business on Mac and none of them are willing to adapt.
 

bobrob

New Member
Dec 28, 2021
2
Everything has changed with Monterey.

I have an M1. I am not happy with the current security solutions on the market. None of them are truly compatible with Monterey. You have to go into the "BIOS" equivalent of your M1 and disable critical security features in order for your AV to run. So you have to sacrifice hardware security for superficial software security. That's unacceptable. If someone knows of an AV that is M1-optimized and does NOT require System/Kernel extensions please let me know. As it stands I will not allow non-Apple signed code to run in kernel and scan everything when the default security policy is superior. As it stands, Mac Monterey and M1 just drove AVs out of business on Mac and none of them are willing to adapt.

F-Secure SAFE for Mac no longer uses a System Extension, so you don't have to override any Kernel protections in your System Preferences to use F-Secure SAFE. From their release notes as of October 2020:

What's New in F-Secure SAFE for Mac - F-Secure Community

The SAFE for Mac 17.9 release brings support for macOS Big Sur. From now on, real-time protection does not use a kernel extension to operate. Instead, it uses an EndpointSecurity API provided by Apple that replaces the kernel extensions. These APIs are used by SAFE on macOS Catalina 10.15.5 and higher (Big Sur included). SAFE is still relying on kernel extensions for real-time protection when running on lower versions of macOS.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
792
F-Secure SAFE for Mac no longer uses a System Extension, so you don't have to override any Kernel protections in your System Preferences to use F-Secure SAFE. From their release notes as of October 2020:

What's New in F-Secure SAFE for Mac - F-Secure Community
Kaspersky and ESET have switched to this model as well. Kaspersky’s system extension daemon that does the scanning appears to be M1 native but ESET is still using Rosetta and actually pretty heavy. I haven’t checked SAFE 17.9.

It’s good that for the most part you don’t have to downgrade secure boot level anymore to run an AV, but a lot of the other trade-offs still apply. MacOS antivirus is like the equivalent technology of 90’s Windows AV, with a basic real-time scanner and on-access component. (Maybe some have network protection too, sure). It doesn’t know how to disinfect other than deletion and it doesn’t really have behavior blocking, and even the signatures are easy to bypass due to the very basic anti-obfuscation techniques available.
 

SpiderWeb

Level 10
Verified
Well-known
Aug 21, 2020
455
Kaspersky and ESET have switched to this model as well. Kaspersky’s system extension daemon that does the scanning appears to be M1 native but ESET is still using Rosetta and actually pretty heavy. I haven’t checked SAFE 17.9.

It’s good that for the most part you don’t have to downgrade secure boot level anymore to run an AV, but a lot of the other trade-offs still apply. MacOS antivirus is like the equivalent technology of 90’s Windows AV, with a basic real-time scanner and on-access component. (Maybe some have network protection too, sure). It doesn’t know how to disinfect other than deletion and it doesn’t really have behavior blocking, and even the signatures are easy to bypass due to the very basic anti-obfuscation techniques available.
Thank you so much for the update! I am really disappointed that ESET is still stuck on Rosetta because it is by far my favorite. I tried Panda Dome (laughtrack.wav) and Bitdefender and I noticed a new issue arising. The way all AVs are now bundled with VPNs seems to break Apple's built-in Private Relay VPN. It will disable itself once the AVs install their own software. I 100% agree with your observations. The current AV landscape on macOS makes me realize that I really do not need a solution. The AVs I have tried just drain battery scanning everything when there is little risk. No program I own has full disk access, for example, which eliminates that attack point for virtually all malware. The only program that did have full disk access was my AV, which makes it my single point of failure. What I'm saying is that I am just not sold on the idea that an AV is essential on an M1 Mac after Monterey. AVs on Mac are just glorified adware. Vendors seem to be more preoccupied with upselling you a VPN plan than anything.
 

bobrob

New Member
Dec 28, 2021
2
Kaspersky and ESET have switched to this model as well. Kaspersky’s system extension daemon that does the scanning appears to be M1 native but ESET is still using Rosetta and actually pretty heavy. I haven’t checked SAFE 17.9.

I just want to clarify that there are two independent concerns with MacOS Big Sur and up and M1 macs:
  1. Apple Silicon binaries (vs. Intel) - Some antivirus products have Apple Silicon binaries, and some do not. Some have a few components of both. F-Secure states that some of their modules directly support Apple Silicon and some do not. In my own experience F-Secure still relies on Rosetta on an M1 Mac, even though some of their modules do support Apple Silicon already. Kaspersky (in my experience) completely supports Apple Silicon on M1 Mac. You can tell if a binary supports Apple Silicon by viewing the Activity Monitor in MacOS on an M1 Mac.
  2. Support of the Apple EndpointSecurity API (vs. Kernel Extension) - Starting in Big Sur, Apple started to deprecate Kernel Extensions and added new security around them, which requires the user to manually approve each one before they are executed. In my experience, only F-Secure SAFE supports Apple's preferred EndpointSecurity API currently. Kaspersky and Norton still require a MacOS Kernel Extension to run. Because F-Secure doesn't use an extension, the only security popup which needs to be approved during install is the one to allow Full Disk Access.
You're correct about MacOS AV being less sophisticated than Windows AVs. This is driven by the much smaller market for AV on Macs. If there were more users and interest in MacOS-based AV, I think vendors would provide some of the cool sandboxing, HIPS and other stuff AV enjoys on Windows. However, with its read-only system volume and other built-in protections, perhaps Macs are secure enough without them.

I will point out that Kaspersky on Mac does utilize their security cloud, and has Network traffic inspection, and Network Intrusion prevention. F-Secure on Mac includes their Cloud Security, and has some Behavior Based blockers via their rules-based and user-configurable "DeepGuard" implementation.
 
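An added example, not code from any poster or vendor in this thread: bobrob's first point (Apple Silicon binaries vs. Intel, checked by eye in Activity Monitor) can be verified directly from a binary's header. This Python parser reads a thin 64-bit Mach-O or a universal ("fat") binary and reports whether it carries an arm64 slice or would run under Rosetta 2 on an M1; the two sample headers are constructed inline and are not real binaries.

```python
import struct

# Constants from Apple's <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>.
FAT_MAGIC = 0xCAFEBABE      # universal binary; the fat header is always big-endian
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O, header in the file's own byte order
MH_CIGAM_64 = 0xCFFAEDFE    # MH_MAGIC_64 seen through the opposite byte order
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

def macho_archs(data: bytes) -> list:
    """Return the CPU architectures a Mach-O or universal binary contains."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic == FAT_MAGIC:
        # fat_header = magic, nfat_arch; followed by nfat_arch * fat_arch (5 x uint32).
        nfat = struct.unpack(">I", data[4:8])[0]
        archs = []
        for i in range(nfat):
            off = 8 + i * 20
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, "cpu_%#x" % cputype))
        return archs
    if magic in (MH_MAGIC_64, MH_CIGAM_64):
        # Thin 64-bit binary: cputype is the second uint32 of mach_header_64.
        order = ">" if magic == MH_MAGIC_64 else "<"
        cputype = struct.unpack(order + "I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, "cpu_%#x" % cputype)]
    raise ValueError("not a 64-bit Mach-O or universal binary (magic %#x)" % magic)

def needs_rosetta(data: bytes) -> bool:
    """True when there is no arm64 slice, i.e. the binary runs under Rosetta 2 on an M1."""
    return "arm64" not in macho_archs(data)

def _fat_sample(cputypes):
    """Build a constructed universal header with one placeholder fat_arch per cputype."""
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, ct in enumerate(cputypes):  # cputype, cpusubtype, offset, size, align
        hdr += struct.pack(">IIIII", ct, 0, 0x4000 * (i + 1), 0x1000, 14)
    return hdr

# Constructed sample headers (not real binaries): a universal build and an Intel-only build.
UNIVERSAL_SAMPLE = _fat_sample([CPU_TYPE_X86_64, CPU_TYPE_ARM64])
INTEL_ONLY_SAMPLE = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 0, 0, 0, 0)

if __name__ == "__main__":
    for name, blob in (("universal", UNIVERSAL_SAMPLE), ("intel-only", INTEL_ONLY_SAMPLE)):
        print(name, macho_archs(blob), "needs Rosetta:", needs_rosetta(blob))
```

On a real Mac, pass the first 4 KiB of the scanning daemon's executable to needs_rosetta(); both header kinds sit at offset 0, so that is enough to decide.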

roger_m

Level 38
Verified
Top Poster
Content Creator
Dec 4, 2014
2,753
Yes, you do need antivirus for your Mac, and you know any antivirus can protect your device

And Kaspersky is best for MAC OS
Kaspersky is the best? So you haven't found a Mac antivirus to rebrand as TTB Total Security yet?
 
