Advice Request: macOS needs an AV?


Game Of Thrones

Level 5
Verified
Well-known
Jun 5, 2014
220
The only security software packages that have been updated to native M1 support are Kaspersky, Bitdefender and Avast. Avast was one of the first; they did it really soon after the M1 was announced. But still, I don't recommend installing one. If you insist on using Mac security software, use Kaspersky, because of these reasons that I tested:

It's the only Mac security software whose real-time cloud protection works on Mac too, so even the newest Windows threats will get detected (KSN real-time protection). This does not happen in Bitdefender or Avast and so many others; they just update the offline protection with updates, so their cloud does not work on Mac. If you want to test, just use the AMTSO CloudCar test, which is the standard file to use to see if cloud protection works or not; only Kaspersky detects it on Mac.

It has good network protection, unlike the others.

It recently got updated for M1, which will make it more friendly to M1 Macs. I haven't tested the new version; it seems most problems got rectified. The Intel version is working the same, so no difference there.

The internet protection, link checker and such work better than the others; only Bitdefender comes close.

Their behavior protection is somehow partially implemented on Mac too; I've seen many heuristics and behavior blocking in many tests online or by myself. Others have implemented mostly static detection for Mac or have less effective methods.

Regardless of your architecture, I recommend Kaspersky. If you look at their software, it shows that they are taking Mac security more seriously than the others, from UI to detection capability.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
The only security software packages that have been updated to native M1 support are Kaspersky, Bitdefender and Avast. Avast was one of the first; they did it really soon after the M1 was announced. But still, I don't recommend installing one. If you insist on using Mac security software, use Kaspersky, because of these reasons that I tested:

It's the only Mac security software whose real-time cloud protection works on Mac too, so even the newest Windows threats will get detected (KSN real-time protection). This does not happen in Bitdefender or Avast and so many others; they just update the offline protection with updates, so their cloud does not work on Mac. If you want to test, just use the AMTSO CloudCar test, which is the standard file to use to see if cloud protection works or not; only Kaspersky detects it on Mac.

It has good network protection, unlike the others.
I generally agree with this. KAV on the Mac comes close to being a security suite, protecting at the network level as well as at the real-time level, and it's smart enough to skip scanning Apple's "sealed system volume", which is cryptographically read-only and signed anyway, making it a waste of time to scan for malware.

With that said, it does have a noticeable power impact on laptops; the daemon can easily reach 100% CPU usage when installing apps or doing other things, and it's not multithreaded, so it also limits I/O performance when kavd gets to 100%.

Note that the above is generally true of antimalware on the Mac, not a Kaspersky-specific problem. I've found their engine has good detection rates on Windows/Linux/Mac malware, with not much difference in static scanning performance. I don't see any evidence of behavior blocking, though the macOS API doesn't provide much ability to implement one.


It's not without its bugs though. For example, when the network filtering component blocks a file, it simply replaces the network stream with an HTML error page (screenshot from the original post not reproduced here).


This causes some applications to behave really bizarrely if Kaspersky thinks a URL is malicious or phishing. There is no UI feedback when this happens, though if you dig through the logs you can find it.


Overall, I still feel real-time Mac protection isn't worth the trade-offs. It's gotten a little better compared to 2-3 years ago, when crashy/panicky kernel extensions were the norm. But the slight protection it offers is not worth all of the ways the suite can fall over and make your life miserable when it misbehaves, especially since Apple is so known for changing their OS underpinnings rapidly.
 

Game Of Thrones

Level 5
Verified
Well-known
Jun 5, 2014
220
I generally agree with this. KAV on the Mac comes close to being a security suite, protecting at the network level as well as at the real-time level, and it's smart enough to skip scanning Apple's "sealed system volume", which is cryptographically read-only and signed anyway, making it a waste of time to scan for malware...
Again a detailed write-up, exactly what I'm talking about. As I said, there are really strange behaviors when you install a security suite on a Mac. You went into the details (y)👌

Most don't know that there will be some problems with battery and I/O with actually any security suite.
 

SpiderWeb

Level 10
Verified
Well-known
Aug 21, 2020
468
Everything has changed with Monterey.

I have an M1. I am not happy with the current security solutions on the market. None of them are truly compatible with Monterey. You have to go into the "BIOS" equivalent of your M1 and disable critical security features in order for your AV to run. So you have to sacrifice hardware security for superficial software security. That's unacceptable. If someone knows of an AV that is M1-optimized and does NOT require system/kernel extensions, please let me know. As it stands, I will not allow non-Apple-signed code to run in the kernel and scan everything when the default security policy is superior. As it stands, macOS Monterey and the M1 just drove AVs out of business on the Mac, and none of them are willing to adapt.
 

bobrob

New Member
Dec 28, 2021
2
Everything has changed with Monterey.

I have an M1. I am not happy with the current security solutions on the market. None of them are truly compatible with Monterey. You have to go into the "BIOS" equivalent of your M1 and disable critical security features in order for your AV to run. So you have to sacrifice hardware security for superficial software security. That's unacceptable. If someone knows of an AV that is M1-optimized and does NOT require system/kernel extensions, please let me know. As it stands, I will not allow non-Apple-signed code to run in the kernel and scan everything when the default security policy is superior. As it stands, macOS Monterey and the M1 just drove AVs out of business on the Mac, and none of them are willing to adapt.

F-Secure SAFE for Mac no longer uses a system extension, so you don't have to override any kernel protections in System Preferences to use F-Secure SAFE. From their release notes, as of October 2020:

What's New in F-Secure SAFE for Mac - F-Secure Community

The SAFE for Mac 17.9 release brings support for macOS Big Sur. From now on, real-time protection does not use a kernel extension to operate. Instead, it uses the EndpointSecurity API provided by Apple, which replaces the kernel extensions. These APIs are used by SAFE on macOS Catalina 10.15.5 and higher (Big Sur included). SAFE still relies on kernel extensions for real-time protection when running on lower versions of macOS.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
F-Secure SAFE for Mac no longer uses a system extension, so you don't have to override any kernel protections in System Preferences to use F-Secure SAFE. From their release notes, as of October 2020:

What's New in F-Secure SAFE for Mac - F-Secure Community
Kaspersky and ESET have switched to this model as well. Kaspersky's system extension daemon that does the scanning appears to be M1-native, but ESET is still using Rosetta and is actually pretty heavy. I haven't checked SAFE 17.9.

It's good that for the most part you don't have to downgrade the secure boot level anymore to run an AV, but a lot of the other trade-offs still apply. macOS antivirus is the equivalent technology of '90s Windows AV, with a basic real-time scanner and on-access component (maybe some have network protection too, sure). It doesn't know how to disinfect other than by deletion, it doesn't really have behavior blocking, and even the signatures are easy to bypass due to the very basic anti-obfuscation techniques available.
 

SpiderWeb

Level 10
Verified
Well-known
Aug 21, 2020
468
Kaspersky and ESET have switched to this model as well. Kaspersky's system extension daemon that does the scanning appears to be M1-native, but ESET is still using Rosetta and is actually pretty heavy. I haven't checked SAFE 17.9.

It's good that for the most part you don't have to downgrade the secure boot level anymore to run an AV, but a lot of the other trade-offs still apply. macOS antivirus is the equivalent technology of '90s Windows AV, with a basic real-time scanner and on-access component (maybe some have network protection too, sure). It doesn't know how to disinfect other than by deletion, it doesn't really have behavior blocking, and even the signatures are easy to bypass due to the very basic anti-obfuscation techniques available.
Thank you so much for the update! I am really disappointed that ESET is still stuck on Rosetta, because it is by far my favorite. I tried Panda Dome (laughtrack.wav) and Bitdefender, and I noticed a new issue arising. The way all AVs are now bundled with VPNs seems to break Apple's built-in Private Relay VPN; it will disable itself once the AVs install their own software. I 100% agree with your observations. The current AV landscape on macOS makes me realize that I really do not need a solution. The AVs I have tried just drain the battery scanning everything when there is little risk. No program I own has Full Disk Access, for example, which eliminates that attack point for virtually all malware. The only program that did have Full Disk Access was my AV, which makes it my single point of failure. What I'm saying is that I am just not sold on the idea that an AV is essential on an M1 Mac after Monterey. AVs on Mac are just glorified adware. Vendors seem to be more preoccupied with upselling you a VPN plan than anything.
 

bobrob

New Member
Dec 28, 2021
2
Kaspersky and ESET have switched to this model as well. Kaspersky's system extension daemon that does the scanning appears to be M1-native, but ESET is still using Rosetta and is actually pretty heavy. I haven't checked SAFE 17.9.

I just want to clarify that there are two independent concerns with macOS Big Sur and up and M1 Macs:
  1. Apple Silicon binaries (vs. Intel) - Some antivirus products have Apple Silicon binaries, and some do not. Some have a few components of both. F-Secure states that some of their modules directly support Apple Silicon and some do not. In my own experience, F-Secure still relies on Rosetta on an M1 Mac, even though some of their modules do support Apple Silicon already. Kaspersky (in my experience) completely supports Apple Silicon on an M1 Mac. You can tell if a binary supports Apple Silicon by viewing Activity Monitor in macOS on an M1 Mac.
  2. Support for Apple's EndpointSecurity API (vs. kernel extension) - Starting in Big Sur, Apple started to deprecate kernel extensions and added new security around them, which requires the user to manually approve each one before it is executed. In my experience, only F-Secure SAFE supports Apple's preferred EndpointSecurity API currently. Kaspersky and Norton still require a macOS kernel extension to run. Because F-Secure doesn't use an extension, the only security popup which needs to be approved during install is the one to allow Full Disk Access.
You're correct about macOS AV being less sophisticated than Windows AV. This is driven by the much smaller market for AV on Macs. If there were more users and interest in macOS-based AV, I think vendors would provide some of the cool sandboxing, HIPS and other stuff AV enjoys on Windows. However, with its read-only system volume and other built-in protections, perhaps Macs are secure enough without them.

I will point out that Kaspersky on Mac does utilize their security cloud, and has network traffic inspection and network intrusion prevention. F-Secure on Mac includes their cloud security, and has some behavior-based blockers via their rules-based and user-configurable "DeepGuard" implementation.
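The post above says you can tell whether a vendor's daemon is Apple Silicon native by looking at Activity Monitor. The same answer is in the file itself: a universal binary is a "fat" container whose big-endian header lists one slice per CPU type, and a thin binary starts with a little-endian mach_header whose second field is the CPU type. The following is an added example, not code from any poster or vendor on this page; it parses just those headers (constants from the public Mach-O layout) and flags binaries that would have to run under Rosetta. The sample inputs it builds are synthetic headers constructed inline, not real vendor binaries.

```python
"""Added example: report which CPU architectures a Mach-O binary carries.

On a Mac the same question is answered by Activity Monitor's "Kind" column or
by `lipo -archs <binary>`; this parser checks a file without launching it and
runs on any platform.
"""
import struct

FAT_MAGIC = 0xCAFEBABE      # universal ("fat") binary; header fields are big-endian
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O; header fields are little-endian
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O

CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {7: "i386", 12: "arm", CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

FAT_HEADER = struct.Struct(">II")            # magic, nfat_arch
FAT_ARCH = struct.Struct(">IIIII")           # cputype, cpusubtype, offset, size, align
MACH_HEADER_64 = struct.Struct("<IIIIIIII")  # magic, cputype, cpusubtype, filetype,
                                             # ncmds, sizeofcmds, flags, reserved


def macho_archs(data: bytes) -> list[str]:
    """Return the architectures (slices) present in a Mach-O blob, in file order.

    Raises ValueError for non-Mach-O input or for a fat header whose slices point
    outside the file, which is how a truncated or tampered binary shows up.
    """
    if len(data) < 8:
        raise ValueError("too short to be Mach-O")
    magic_be, nfat = FAT_HEADER.unpack_from(data)
    if magic_be == FAT_MAGIC:
        archs = []
        for i in range(nfat):
            off = FAT_HEADER.size + i * FAT_ARCH.size
            if off + FAT_ARCH.size > len(data):
                raise ValueError(f"fat header truncated at slice {i}")
            cputype, _subtype, offset, size, _align = FAT_ARCH.unpack_from(data, off)
            if offset + size > len(data):
                raise ValueError(f"slice {i} extends past end of file")
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    magic_le, cputype = struct.unpack_from("<II", data)
    if magic_le in (MH_MAGIC_64, MH_MAGIC):
        return [CPU_NAMES.get(cputype, hex(cputype))]
    raise ValueError("not a Mach-O file")


def needs_rosetta(archs: list[str]) -> bool:
    """True when no slice can run natively on Apple silicon."""
    return "arm64" not in archs


def inspect_file(path: str) -> list[str]:
    """Convenience wrapper: read a binary from disk and report its slices."""
    with open(path, "rb") as fh:
        return macho_archs(fh.read())


# --- constructed sample input (synthetic headers, not real vendor binaries) ---
def build_thin(cputype: int) -> bytes:
    """A bare mach_header_64 with no load commands: enough for header inspection."""
    return MACH_HEADER_64.pack(MH_MAGIC_64, cputype, 0, 2, 0, 0, 0, 0)  # filetype 2 = MH_EXECUTE


def build_fat(cputypes: list[int]) -> bytes:
    """Wrap one thin header per cputype in a universal (fat) container."""
    slices = [build_thin(ct) for ct in cputypes]
    offset = FAT_HEADER.size + FAT_ARCH.size * len(cputypes)
    entries = b""
    for ct, blob in zip(cputypes, slices):
        entries += FAT_ARCH.pack(ct, 0, offset, len(blob), 0)
        offset += len(blob)
    return FAT_HEADER.pack(FAT_MAGIC, len(cputypes)) + entries + b"".join(slices)


if __name__ == "__main__":
    samples = {
        "universal": build_fat([CPU_TYPE_X86_64, CPU_TYPE_ARM64]),
        "intel-only": build_thin(CPU_TYPE_X86_64),
    }
    for label, blob in samples.items():
        archs = macho_archs(blob)
        print(f"{label:11s} {archs} rosetta={needs_rosetta(archs)}")
```

On a real Mac, `lipo -archs /path/to/daemon` should agree with `inspect_file`. For the second concern in the post, kernel extension versus Endpoint Security client, the system tools are `kmutil showloaded` (loaded kexts, Big Sur and later) and `systemextensionsctl list` (approved system extensions, which is where an Endpoint Security client appears); a vendor that needs a lowered boot security policy will show up in the first list, one that uses the EndpointSecurity API in the second.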
 

roger_m

Level 41
Verified
Top Poster
Content Creator
Dec 4, 2014
3,014
Yes, you do need antivirus for your Mac, and you know any antivirus can protect your device.

And Kaspersky is best for macOS.
Kaspersky is the best? So you haven't found a Mac antivirus to rebrand as TTB Total Security yet?
 

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,628
I am using Norton on my Mac just for an extra eye.
It now natively supports M1 (not under Rosetta).
I tried a few antiviruses and this is my opinion.

Panda:
Relatively light, not designed for M1 (runs under Rosetta). It doesn't include an uninstall routine; a third-party uninstaller is required to remove it. Effectiveness is under a question mark.

Bitdefender:
Overall great and natively supports M1. The whole antivirus engine, over 500 MB, is enclosed in a package. It clearly updates way faster compared to the Windows version, but produces too many read/write operations on a device where the SSD is not replaceable by itself. The benefit doesn't justify the impact.

Trend Micro:
Overall great user experience, but caching is not optimised, just like on Windows, and it produces too many idle wake-ups. CPU and memory usage constantly fluctuate.

Overall, from the above, only Norton seems to be optimised. It includes antivirus and IPS. The IPS is a very stripped-down implementation compared to the Windows one.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
I am using Norton on my Mac just for an extra eye.

Overall, from the above, only Norton seems to be optimised. It includes antivirus and IPS. The IPS is a very stripped-down implementation compared to the Windows one.
I am currently running Malwarebytes on my Mac mini, as Apple support (level 2) said if you must, use only MBAM to scan, and were neutral re MBAM real-time. The nice thing: MBAM has not slowed the Mac down, and no issues. (Once upon a time I put Webroot on a Mac -- that was :eek::sick::poop:)
I have Norton on a Win10 VM, and I like it, but I'm not convinced to switch MBAM for Norton on macOS. How strongly do you feel about needing Norton on Mac?
What about Deep Instinct on Mac? I have two thoughts about that: either good and smooth, or very, very bad...?? :unsure: :D/:eek:
 

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,628
How strongly do you feel about needing Norton on Mac?
I wouldn't classify installation of third-party antivirus on Mac as a must, especially after the latest XProtect updates. It falls into the "nice to have" group.

Deep Instinct on Mac I've not tried; this is software I use for business purposes. I am unable to confirm its effectiveness on Mac, and due to their obscure, almost non-existent documentation regarding product features and internals (not talking about the user manual), I am not even aware how it works on Mac. I am not sure that there is enough Mac malware to properly train the ML; it may be relying on YARA signatures, just like XProtect.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
I wouldn't classify installation of third-party antivirus on Mac as a must, especially after the latest XProtect updates. It falls into the "nice to have" group.

Deep Instinct on Mac I've not tried; this is software I use for business purposes. I am unable to confirm its effectiveness on Mac, and due to their obscure, almost non-existent documentation regarding product features and internals (not talking about the user manual), I am not even aware how it works on Mac. I am not sure that there is enough Mac malware to properly train the ML; it may be relying on YARA signatures, just like XProtect.
Well, I'm thinking, OK, try Norton on Mac, since if Norton creates problems, Norton techs will get it fixed, correct? Basically guaranteed to get it fixed...!! Correct??
FWIW, the Webroot techs were useless on Mac, almost worse than useless, but that was several years ago. If my Mac really gets borked, I'm a minimum 4-hour drive one-way to the Mac store. And if I sent my Mac mini to Apple, they'd probably tell me it's time to replace it with a new mini. It's not that old, and newer than this Windows hardware, although a new mini is floating around in the back of my mind.
 

Trident

Level 27
Verified
Top Poster
Well-known
Feb 7, 2023
1,628
Well, I'm thinking, OK, try Norton on Mac, since if Norton creates problems, Norton techs will get it fixed, correct? Basically guaranteed to get it fixed...!! Correct??
Since you're a paying customer, it is their duty to get certain product issues fixed. If they can't, they will escalate it to the relevant team. As always, you'll need to try for yourself; proceed with caution.
 
