Antivirus....Which One?

Cognisant as I am of Apple's inexorable slide or drift towards that day of reckoning, when some hack at Macworld informs the world that there are now as many nasty little pieces of Mac-specific malware out there as there are those aimed at MS et al; and given the sudden proliferation of Slavic-featured gentlemen purchasing property in my local, allied to the iffy performance of my beautiful little, sexy as hell, iMac, inclining me to wonder if the Russian Mafia haven't already established a bridgehead on iMac's hard drive; I was wondering what protection other members of Scrivener's crew use (and do me a favour! I'm not talking safe sex. Let's all see if we can rise above the juvenile…eh? (Not for ever, mind)), if anything.

I'm inclined towards Sophos or Intego, but I would really appreciate having the benefit of knowing what Scriv's crew think on this particular topic.

In anticipation, thanks.
Take care
Vic

Sophos is excellent, Vic.

Dave

How can you tell if an anti-virus security package is any good if there aren’t any viruses for it to detect? I’m not being facetious; I genuinely would like to know, because I have been thinking about anti-virus software for the past five years and have never taken the plunge because I couldn’t decide what to get.

That will never happen, and you can quote me on that in five years’ time if you like :wink:

If you are concerned, though, as Dave says Sophos is one of the more reputable companies out there. There’s also ClamXav, a freeware app based on the open-source ClamAV antivirus engine for Unix, though it hasn’t yet been fully updated for Leopard.

[EDIT TO ADD: Basically, just avoid Norton/Symantec like the plague…]

Thanks for your response, Dave.

Siren,
As I understand it: to date, there have been (I think) three pieces of nasty stuff written specifically with the Mac OS in mind; could be more by now. The only reason there aren't that many yet is simply that nobody has bothered to write them. But they will.

Unprotected Macs can play host to viruses aimed at other OSs. We can infect anyone we interact with.

After I posted my request last night, I had a quick glance at the Guardian before I went to bed, and lo and behold, in its IT supplement, there is an article under Newly Asked Question about Leopard being so full of security problems; it's worth reading if you are upgrading. I'll see if I can find a link on the Guardian website when I've posted this.

I'll get right back with the link,

Vic

antony, I've just seen your post, thanks. The sentiments expressed about Mac viruses belong to one of two polarised schools of thought that are as contentious as the Mac vs Wintel debate.

I'd like to think that it could never happen, but when you consider the intellectual prowess of some of the people in Scriv forums alone, I think it's odds on it's gonna happen.

There's an even greater threat, for me, than the Russian Mafia getting at my hard drive: my in-laws could get at it. That's something we all should fear :cry:

Vic

Like you, Vic, I started to feel uneasy about my unprotected Mac and took a look at the antivirus stuff out there a week or so ago. Sophos, I thought, was aimed at the business community. I downloaded a trial of Intego, found it quick and easy to set up and operate, so paid for a licence two hours later.

As far as I can tell, it just sits there and gets on with its job without interrupting my work.

It’s expensive, though, IMHO, about £45 for a year’s subscription. But with that, and my automatic remote daily backup, I worry less about losing work.

Cheers.
cw

cw,
Thanks for your response, appreciate it :wink:
Here's the Guardian article I mentioned:

[Start Article]
Newly asked questions
Is Apple’s Leopard less secure than its predecessor, Tiger?
Kate Bevan
The Guardian
Thursday November 8 2007
In some ways yes, in others no. The latest big cat flavour of OS X unleashed last month was quickly poked and prodded by security experts keen to explore any weakness they could find (since the headline “weakness in OSX!” is a surefire reader magnet). They found lots: first, the firewall is turned off by default (as it has been on previous versions), and when turned on will still allow all connections - about as useful as a chocolate fireguard. Next, notes Heise Security, it doesn’t distinguish between trusted networks and potentially dodgy ones - unlike (gasp!) Windows Vista (tinyurl.com/39bjq5). Then, you can only deny connections by application, not by service or by port - which you could in Tiger and which you really ought to be able to do. Nor can you block outbound services - and it’s those that are usually a problem with exploits. The review identifies other issues to do with Apple not using the most up-to-date versions of various protocols. The gist is clear: security wonks aren’t happy.

Next is the new Back To My Mac service, which lets .Mac subscribers access their Macs via .Mac from any other machine running Leopard. One click connects directly to it, without any other password. So someone who gets your .Mac account login gets your machine too, for free. “Do not go back to my Mac,” warn the Open Door team (tinyurl.com/yo39gk).

A closer examination by Matasano Security (at tinyurl.com/yqt3pl) also points to weaknesses in the one-time “guest” account and even in the new “address randomisation” feature, which should make some attacks (notably buffer overflows, a common remote exploit) more difficult. Overall, it’s cold comfort - especially for those whose mums have accessed their porn stash via Back To My Mac. [End Article]

I'll leave you all to make your own assessment of its content as I’m not competent to critique it :confused:

Take care
Vic

Personally I wouldn’t bother with AV. One day there may be something to get worried about but until then I’ll pass. That said, from talking to those more paranoid than me, Intego is the one that gives the least trouble. Not cheap but I think the renewal costs are rather less - some £25. Norton/Symantec should be avoided at all costs.

I thought Sophos was only available to Corporates…

The most likely Mac exploit is not a virus but a trojan. There’s one currently doing the rounds posing as a Quicktime codec. Needless to say the anti-Mac brigade are touting this as proof that Macs are ‘just as susceptible to viruses as Windows’, ignoring the fact that it’s a trojan NOT a virus. To get it you have to:

a) visit a specific porn site, although no doubt there will be others,
b) download the package when asked
c) open the package
d) supply your admin name and password when it asks, something you should never do for an unknown/untrusted package.

The installed rootkit will then phone home with your bank details and whatever else it can gather.

Apart from using common sense there is not a lot you can do to guard against this sort of exploit.

Sorry, Vic, but that Grauniad article is just repeating stuff from blogs, some of them very alarmist, and half of them debunked since they were published. No doubt that Leopard has a few bugs, but security isn’t one of them - the firewall is entirely different to older versions, and behaves accordingly. There have been several more in-depth examinations of it since those articles appeared.

As for my initial “that will never happen” line, it was directly in response to the idea that one day there’ll be as many virii for OSX as there are for Windows. Which really isn’t going to happen, owing to their very different histories and design philosophies.

Absolutely not true. The prestige, praise and reward that would be heaped upon the first hacker to successfully write a true virus for OSX is enormous. The oft-spread FUD that OSX is only secure because of its small market share is rubbish.

Now, does that mean there will never be virii on OSX? Of course not. Nothing is impossible. But the likelihood of a successful, damaging, self-propagating OSX virus remains extremely small. And there certainly aren’t any about at the moment.

(The trojan that Tacitus points out is just that, a trojan, which relies on social engineering - i.e. the naivety of the user - to succeed. Anyone who downloads a ‘special video codec’ from a porn site and then authorises it to run with their administrator password… well, they probably shouldn’t have an administrator password :wink: )

For those who like tinkering, “getting under the hood” as our American cousins have it, you can disable the new firewall and play with the Unix ipfw firewall which is still there.

Alternatively you can use Intego’s Net Barrier. Amongst the other stuff is WaterRoof (free), Flying Buttress and DoorStop (both paid for). I don’t use any of them, but I think the latter simply supply a GUI for the Unix stuff.

I’m not yet on Leopard as I generally wait until the .3 release before I move. Let others have the grief :slight_smile:

antony,
Thanks for your responses.
My iterations are the product of Everyman's Entitlement to a Working Misconception of Anything and Everything, and as a consequence may appear to be embracing a naive and somewhat alarmist approach to the subject. That's not the case.

I endorse the sentiments expressed in the adage, “Better Safe Than Sorry.”

No matter whether they’re written by some kid with too much time on his hands, the Mafia, or international terrorists, virii are just software. Sneaky, malicious software, but software nonetheless. They have to use whatever mechanisms the operating system provides to transmit, install, and run themselves.

Windows (and MS-DOS) was originally designed for standalone, non-networked, PCs. For those computers, the only way software could get onto a system was if the user put it there. Many users consider it rude if the operating system gets in the way, so Windows got out of the way and let the user do pretty much whatever he wanted. However misguided that might be. When the new networked world full of bad actors dawned, Windows was woefully unprepared and has basically been closing holes ever since.

Unix, in contrast, was designed from the very beginning for networked, multiuser environments. In those environments, you can’t assume that the user knows what he is doing, and even if he does, you still can’t just allow him to blunder through everyone else’s data. Unix computers were also among the first to be subject to cracker attacks, for the simple reason that for a long time they were the only computers that had both network connections and information worth stealing. Thus, Unix systems draw a sharp distinction between user-level privileges and admin-level privileges. Most tasks run with user privileges, which among other things keep the task from poking its little electronic nose where it doesn’t belong. I’ll spare you the detailed technical explanation, but most unpleasant virus behavior requires admin privileges, and under Unix (or OS X) it’s difficult for a task to get admin privileges unless a human user explicitly gives them to it.

That’s where social engineering comes in, and social engineering attacks will work on ANY computer. If a piece of software can deceive the human user, it can get permission to do whatever the human himself can do. That’s why on really secure systems, only a few humans have admin-level access. Joe the clueless accounting temp can’t give away data that he doesn’t have.

Anyway, the biggest difference between Unix (and OS X, which is Unix underneath) and Windows (pre-Vista) is that admin access is not automatic, for either humans or software. It requires not only confirmation (click a dialog box), but authentication (enter a password). That’s a much higher barrier for malicious code.

No, that does not mean that OS X is an impenetrable security fortress. But it does mean that the number of ways in is far more limited, and therefore the watchers, human or electronic, have much less to worry about. Even as the number of attackers increases – which it will, with growing market share – that structural advantage will remain. And of course the Mac-focused security resources will also increase as market share grows.

(Windows Vista bragged about improved security. I don’t know enough to comment on that.)

Katherine

Yes and no. It’s true that OS X is a prestige target that probably gets plenty of attention. However, the small market share would limit the spread of any OS X virus as it could only propagate itself to other OS X systems. That makes OS X a much less lucrative target for people attempting to harvest private information, build botnets, and so forth. Prestige-motivated crackers may be interested in OS X, but the hypothetical organized crime baddies are economically motivated and may not see it as a good investment.

Katherine

It’s not about the relative number of malicious folks, it’s about the underlying operating system. OS X, like any good (Unix, Linux, BSD)-based OS, actually has a sane system of users and administrators. Windows XP basically refused to run if you weren’t operating as an administrator. OS X, even in accounts WITH administrator access, times out your kerberos keys (basically the permission from the OS to do high-level things) fairly quickly, so ANY sort of deep system modification requires inputting a password.

I can’t even write a file to the main directory of my hard drive without putting in a password. I can manipulate things inside my home directory with reckless abandon, but the actual software that runs the operating system resides elsewhere and lives independent of my wacky little preference files.

THAT is why, as yet, I’m not burning up the RAM for an antivirus program. The only Mac trojan that’s been publicized recently posed as a video codec. You’d download it, install it, and it would ask for a password. As a general rule, if you never type in a password without knowing FOR SURE from whence the program came, the odds of your computer catching anything are vanishingly small.
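Katherine's and bhpascal's posts both come down to one practical check: whether the account you use every day is an administrator, since only an admin's password lets an authorisation dialog make system-wide changes. The following is an added example, not code from anyone in this thread; it parses the output of the Unix `id` command (the two sample lines are constructed) and reports whether the account is in the macOS `admin` group (gid 80), which is the assumption it relies on.

```python
import re
import subprocess

# Constructed sample `id` output for an administrator and for a standard
# account. The uids and the second account are illustrative, not real data.
SAMPLE_ID_ADMIN = "uid=501(vic) gid=20(staff) groups=20(staff),12(everyone),80(admin),61(localaccounts)"
SAMPLE_ID_STANDARD = "uid=502(siren) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts)"

# On macOS, membership of group "admin" (gid 80) is what makes an account an
# administrator; a standard account's password cannot authorise system changes.
ADMIN_GROUP_IDS = {80}
ADMIN_GROUP_NAMES = {"admin"}

_ID_RE = re.compile(r"uid=(\d+)\((.*?)\)\s+gid=(\d+)\((.*?)\)\s+groups=(\S+)")
_GROUP_RE = re.compile(r"(\d+)\((.*?)\)")


def parse_id_output(line):
    """Parse one line of `id` output into (username, {gid: group_name})."""
    m = _ID_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised id output: %r" % line)
    user = m.group(2)
    groups = {int(gid): name for gid, name in _GROUP_RE.findall(m.group(5))}
    return user, groups


def is_admin_account(line):
    """True if the account described by this `id` line is an administrator."""
    _, groups = parse_id_output(line)
    return any(gid in ADMIN_GROUP_IDS or name in ADMIN_GROUP_NAMES
               for gid, name in groups.items())


def assess(line):
    """Explain what a password prompt approved by this account could do."""
    user, _ = parse_id_output(line)
    if is_admin_account(line):
        return ("%s is an administrator: a trojan that talks this user into "
                "typing a password gets full system access" % user)
    return ("%s is a standard account: the same trick yields only what this "
            "user could already do in their home directory" % user)


if __name__ == "__main__":
    for sample in (SAMPLE_ID_ADMIN, SAMPLE_ID_STANDARD):
        print(assess(sample))
    # Live check of the account running this script (needs a Unix `id`).
    try:
        live = subprocess.check_output(["id"], text=True)
        print(assess(live))
    except (OSError, ValueError) as exc:
        print("live check skipped:", exc)
```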

Katherine, antony, Tacitus and bhpascal,
A very big, sincere thank you for the time and effort you've all put in, in order to penetrate that which lies beneath my Everyman's cap.

I must have inadvertently given you all my admin's password, because not only have you managed to install a Trojan Horse on my cranial hard drive, there is also a Spanish Galleon and a Viking longboat (all crewed, of course).

If I may ask for your views on: (a) OS X hosting non-Mac malware; (b) the impact on OS X security of Apple's big-time incursion into Wintelland with the adoption of the Intel processors, Parallels and Boot Camp. I see that as a big incentive to MS Windows users to jump ship and still retain the best of both worlds (MS must do something right).

Of course the dirty great whacking thank you extends to all who've taken the trouble to share their views on this topic. I would of course appreciate all your contributions to the Wintel question as well.

It's 12:45am and Jameson is tapping me on the shoulder, so I'll wish you all good night, and thanks a trillion.
Take care
vic

That’s true, of course, but the fact remains that if OSX were like ‘other’ systems, you’d expect the number of virii on it to at least vaguely resemble the corresponding market share. Which of course isn’t the case.

Thank you for the more in-depth explanation, by the way; most of my security and *nix knowledge is second-hand. My sources are people I trust, natch, but it’s not something I know well enough to write such an explanation myself :slight_smile:

(a) What do you mean by hosting? A malware file can quietly reside on a Mac OS X hard disk, just like any other file. However, it can’t propagate itself unless it can run, and foreign software can’t run on a Mac.

EXCEPTION: Microsoft Office for Mac files can carry and propagate Office macro viruses. These depend on the Office software, not the Mac platform. Fortunately, stopping macro viruses is pretty easy, as Office can be told not to run foreign macros without permission.

(b) A Windows installation running under Parallels or Boot Camp is exactly as vulnerable to malware as any other Windows installation. Personally, I would avoid running browsers, mail clients, and other Internet-accessing software from within the virtual machine. If you can’t avoid that, protect the virtual machine as you would any other Windows box. Though the chances of a program jumping the barrier and infecting the main OS X system are remote, a Windows virus could potentially read or damage any file that can be seen from the Windows installation. Parallels (and presumably Boot Camp) has tools to define the access given to the Windows installation.

Katherine

I installed Fusion and Windoz XP Pro simply so I could check web designs in IE 6. After reading that an unprotected Windoz box could pick up viruses in the first five minutes online, I was careful to disconnect the Mac from my router, and install Grisoft’s virus bits, along with several other programs to prevent other nasties. Now whenever I fire up the Fusion/XP, it goes through a few minutes of downloading the virus updates. Using the freebie Grisoft software, I can only get updates on a daily basis, but I understand they do the updates throughout the day.

Actually, it isn’t the viral bits that bother me as much as Windows in general. I’m always careful to wash my hands after shutting down Fusion. :slight_smile:

Katherine,

Once again a BIG THANKS and a BIG X

Vic

Lenf

A big thanks to you too, Pal… sorry, no big kiss though… standards and all that… know what I mean?

lenf

I suppose a little peck on the cheek isn't gonna do any harm, is it? :confused:

x

vic