
Is ClamXav worth the Price?

  • Yes! It's easily the best OS X Virus Scanner out there.

    Votes: 12 10.3%
  • No! There are other apps that can do the same or better for less.

    Votes: 39 33.6%
  • No! I see no use for Virus scanners on OS X.

    Votes: 65 56.0%

  • Total voters
    116

throAU

macrumors G3
Feb 13, 2012
8,817
6,985
Perth, Western Australia
But unless I install an infected application, how exactly will I be owned? There are proof-of-concept viruses and worms, but right now there are only Trojans.

Malicious javascript via browser bug. Malicious font handling exploit in the browser. Malicious HTML rendering bug in the web content.

All of these possibilities exist to own anyone running OS X prior to 10.9 or 10.10. And no doubt unknown possibilities or unpatched holes in 10.10 and 10.11 as well.

It's only dumb luck and smaller OS X market share (why bother target OS X when you can just get 90% of people by targeting windows?) that people haven't been owned like this yet.

True, if a virus suddenly comes to life that can silently break through any browser or OS' security, I'll be vulnerable, but so will you. The current OS X virus protection packages will be ineffectual at stopping zero-day exploits because they don't know what to look for. They're better on Windows because there is a long history of viruses and an understanding of how they work.

I'm not opposed to AV programs, but they seem more trouble than they're worth at the moment.

True, a zero day may get through. However some AV programs do heuristics (i.e., they make an intelligent guess at flagging code that looks dodgy). AV definitions are often updated multiple times per day (i.e., you will be protected before Apple patch the hole and perhaps before you read about the malware or the site operator fixes their hacked site). Malware definitions are much quicker to push out than developing, testing and distributing a security update is.

And the other benefit of AV is that you aren't passing windows viruses on to windows using friends or colleagues. You can safely detect Windows malware with no risk of being owned and warn others.


An AV package can protect against a firmware hack being run in the first place if it is the type that runs on your machine via a web exploit or whatever and then infects your firmware. Being owned by a hacked thunderbolt (or USB) device - there's not a lot you can do other than have fixed EFI firmware in your mac.

But that doesn't mean you just throw your hands up and say "it's possible that some vectors can bypass my scanner! there's no point at all!". You just take physical security of your machine more seriously. If someone malicious has unfettered, unsupervised physical access to your hardware, you're boned. End of story.
 

Traverse

macrumors 604
Mar 11, 2013
7,688
4,400
Here
It's only dumb luck and smaller OS X market share (why bother target OS X when you can just get 90% of people by targeting windows?) that people haven't been owned like this yet.

I'm not going to debate the market size argument because it has been debunked numerous times, but the highlights against it:
  • There are still millions of Macs in use, that's a great target.
  • What hacker wouldn't want the credit of creating the first true OS X virus?
  • Since "most" Mac users are presumed to be ignorant and defenseless, the creation of a successful virus would spread like wildfire and make a handsome profit for the creators.
Market size has little effect on why a virus hasn't been created.


True, a zero day may get through. However some AV programs do heuristics (i.e., they make an intelligent guess at flagging code that looks dodgy). AV definitions are often updated multiple times per day (i.e., you will be protected before Apple patch the hole and perhaps before you read about the malware or the site operator fixes their hacked site). Malware definitions are much quicker to push out than developing, testing and distributing a security update is.

All true, but until there is a proven need that an AV is needed and effective, I don't want a program making "educated guesses" on my system about what is safe and what is not. And there are reports of virus packages like Avast occasionally causing Kernel Panics. I don't like that.


And the other benefit of AV is that you aren't passing windows viruses on to windows using friends or colleagues. You can safely detect Windows malware with no risk of being owned and warn others.

This part I agree with, which is why I have an on demand scanner. There are some members on this forum who say that this is not a good reason because the Windows user should have their own defenses in place, still, I think it's a good neighbor policy. I rarely send files to Windows users and when I do (or when I download anything like school files or music from artists from SoundCloud) I scan it with ClamXav's on demand scanner and sometimes I'll even boot up my Windows VM and scan it with Avast for Windows.

That's not a huge inconvenience and just is good policy. However, I don't want something constantly scanning my system, all my internet traffic, all of my mail, all of the time. I just want something I can boot up and scan with and then quit.


An AV package can protect against a firmware hack being run in the first place if it is the type that runs on your machine via a web exploit or whatever and then infects your firmware. Being owned by a hacked thunderbolt (or USB) device - there's not a lot you can do other than have fixed EFI firmware in your mac.

But that doesn't mean you just throw your hands up and say "it's possible that some vectors can bypass my scanner! there's no point at all!". You just take physical security of your machine more seriously. If someone malicious has unfettered, unsupervised physical access to your hardware, you're boned. End of story.

Absolutely. Physical access is one of the most crucial points which is why all companies (including Apple) recommend putting your computer to sleep when you're away and using a password along with FileVault.

If the firmware attack is very new and dynamic (which seems to be the case) the AV won't stop it on the software side. It's scary. Potentially, a new Sony flash drive you just purchased could have a firmware virus. These are clever hackers and scientists, but at least the recent discoveries have been to protect the users and not to attack them. I'm less than thrilled with Apple's speed towards fixing them however.

Like I said, I'm not opposed to AVs at all and tried Avast back on OS X Mountain Lion. It generated several GBs of inactive RAM and slowed my system down. I haven't tried any package recently so I can't judge them now, but I just don't see the need. When OS X viruses or other dynamic malware reach the point that they are rapidly affecting users despite safe computing habits, I'll install one. Right now, it hasn't been done.

I use Click-to-Plugin to block most plugins like flash.
I've disabled "Open safe files after opening"
I only install apps from the MAS or from the developer
I scan downloaded files using an on-demand scanner.

And other steps. I feel safe and the system has worked for the past 4 years so I am comfortable for now.
 

DKZ

macrumors member
Mar 14, 2006
87
1
The code the malicious web site could attempt to execute on the system could be intercepted. Thus, an antivirus product could be beneficial in this scenario.

Sure ya, and if you have a habit of falling for phishing emails and faked web sites, then we'll agree that you need AV.
 

SlCKB0Y

macrumors 68040
Feb 25, 2012
3,426
555
Sydney, Australia
True, if a virus suddenly comes to life that can silently break through any browser or OS' security, I'll be vulnerable, but so will you. The current OS X virus protection packages will be ineffectual at stopping zero-day exploits because they don't know what to look for. They're better on Windows because there is a long history of viruses and an understanding of how they work.

If you're talking about the builtin protection, XProtect, then you're correct - it can only protect against known threats.

If you're talking about any of the major third-party anti virus packages then you are absolutely incorrect. Most of them use the same detection engine as their Windows equivalent, just ported across to OS X (remember that a major use of OS X anti-virus is to detect Windows viruses).

These all contain Heuristics and Generic analysis features which can be used to detect previously unknown threats just like their Windows counterparts. How successful this is is another question, but your statement was not correct.
 

Traverse

macrumors 604
Mar 11, 2013
7,688
4,400
Here
If you're talking about the builtin protection, XProtect, then you're correct - it can only protect against known threats.

If you're talking about any of the major third-party anti virus packages then you are absolutely incorrect. Most of them use the same detection engine as their Windows equivalent, just ported across to OS X (remember that a major use of OS X anti-virus is to detect Windows viruses).

These all contain Heuristics and Generic analysis features which can be used to detect previously unknown threats just like their Windows counterparts. How successful this is is another question, but your statement was not correct.

I don't know the deep underpinning differences between how OS X and Windows operates, but I would assume that a virus would work in a different way on OS X than it does on Windows so educated guesses based on Windows malware wouldn't be very effective.

But you may know much more than me about the underlying programming.
 

Dirtyharry50

macrumors 68000
May 17, 2012
1,769
183
@Dirtyharry50

I don't think even an AV package will protect against a firmware attack. That is something that will need to be patched on the root level by Apple

I pointed out above an example of how it could based on an example in the linked article of one way to infect the firmware. I agree though, that's not a complete solution by any stretch. I was only arguing for the idea that having that defense is better than not having it, not that the broader issue of firmware vulnerability does not need to be addressed by hardware vendors.
 

Dirtyharry50

macrumors 68000
May 17, 2012
1,769
183
Sure ya, and if you have a habit of falling for phishing emails and faked web sites, then we'll agree that you need AV.

A well crafted email can potentially fool some people. No, I do not consider myself one of them but that doesn't mean it isn't an issue. Insinuating that some people are idiots doesn't do anything to further the conversation in my opinion.

There are plenty of people who are not necessarily aware of how to check the real origin address in their email app or web based email for example even if they do suspect phishing. Sites are easy to fake once you get someone there. It happens all the time and I do not believe all the victims are idiots when they are fooled by this.

People who frequent a site like this and engage in discussing topics like this are a minority among computer users. That should probably tell you something right there.
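
The origin check mentioned in the post above, as an added example that is not part of the original post: a Python sketch that compares the address in `From` with the display name, `Return-Path`, `Reply-To` and the receiving server's `Authentication-Results` header. Both messages, all domains and the finding labels are constructed for illustration, and domain matching is simplified (no public suffix list).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name shows one address, the real sender is another.
SUSPICIOUS = """\
Return-Path: <bounce@bulk.example.org>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bulk.example.org;
 dkim=none; dmarc=fail header.from=mailer.example.net
From: "Example Bank <support@examplebank.example>" <notice@mailer.example.net>
Reply-To: helpdesk@reply.example.org
Subject: Action required on your account

Please confirm your details.
"""

# Constructed sample: every origin header agrees with the From domain.
LEGITIMATE = """\
Return-Path: <bounces@mail.examplebank.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mail.examplebank.example;
 dkim=pass header.d=examplebank.example; dmarc=pass header.from=examplebank.example
From: "Example Bank" <support@examplebank.example>
Subject: Your monthly statement

Your statement is ready.
"""

ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def _domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def _related(a, b):
    """Same domain, or one is a subdomain of the other (simplified alignment)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def origin_report(raw):
    """Return the real From address and a list of origin inconsistencies."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    findings = []

    # A display name that itself contains an address from another domain
    # is what a mail client shows when it hides the real sender.
    shown = ADDR_IN_TEXT.search(display)
    if shown and not _related(shown.group(1).lower(), from_dom):
        findings.append("display-name-shows-other-address")

    # Bounce and reply addresses that point somewhere unrelated to From.
    for header, label in (("Return-Path", "return-path-mismatch"),
                          ("Reply-To", "reply-to-mismatch")):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and not _related(_domain(addr), from_dom):
            findings.append(label)

    # Only the topmost Authentication-Results header is read; this assumes
    # it was added by your own receiving server and not by the sender.
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RESULT.findall(msg.get("Authentication-Results", ""))}
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) in ("fail", "softfail"):
            findings.append(f"{mech}-{auth[mech]}")

    return {"display_name": display, "from_address": from_addr,
            "from_domain": from_dom, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, origin_report(raw))
```

A mismatch here is a reason to look closer, not proof of phishing: mailing lists and bulk senders legitimately use a different `Return-Path`.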
 

ardent73

macrumors regular
Jan 14, 2010
156
61
Sure ya, and if you have a habit of falling for phishing emails and faked web sites, then we'll agree that you need AV.

AV is for files (downloaded or attachments) not web or email; that requires [java]script blocking.
 

Artimus12

macrumors 6502a
Original poster
Nov 13, 2011
539
114
YooKay
A well crafted email can potentially fool some people. No, I do not consider myself one of them but that doesn't mean it isn't an issue. Insinuating that some people are idiots doesn't do anything to further the conversation in my opinion.

There are plenty of people who are not necessarily aware of how to check the real origin address in their email app or web based email for example even if they do suspect phishing. Sites are easy to fake once you get someone there. It happens all the time and I do not believe all the victims are idiots when they are fooled by this.

People who frequent a site like this and engage in discussing topics like this are a minority among computer users. That should probably tell you something right there.
The Mac "Anti anti-virus" brigade always seem to insinuate someone must be thick to need AV. I really can't find the incentive to debate it non stop with those that won't admit it's a good idea to have layered security, and there's no reason to rely on wits alone.

Back on topic: gotta say I'm loving Avira! it goes about its duty very quietly, unlike Avast.
 

throAU

macrumors G3
Feb 13, 2012
8,817
6,985
Perth, Western Australia
I don't want a program making "educated guesses" on my system about what is safe and what is not.

If you only periodically scan you are likely to be owned before you know what is going on, in the event of one of the scenarios I describe above.

The "educated guesses" flag things with warnings. A scanner that gives you kernel panics is garbage, don't run it. That doesn't mean all scanners are garbage. And no, no scanner will be 100%, but 90% is better than 0% at picking things up before you notice your machine is owned (by that point it is too late).

This part I agree with, which is why I have an on demand scanner. There are some members on this forum who say that this is not a good reason because the Windows user should have their own defenses in place, still, I think it's a good neighbor policy.

Yup.

DOS attacks, spam, and other illegal activity is generally done via bot-net. We don't want bot-nets on the internet, whether they are Windows, Mac, Linux or whatever. Preventing people from getting infected is the goal, whatever they run.

Absolutely. Physical access is one of the most crucial points which is why all companies (including Apple) recommend putting your computer to sleep when you're away and using a password along with FileVault.

That's not enough. The thunderstrike hack will own you if someone has access to your power button.

You can have all the file vault and passwords you like - if someone can access the ports on your machine and access the power button to your machine without you being present they can own your firmware with thunderstrike 2. Mac powers up, runs the option ROM in the dongle and the EFI is owned. No boot into OS X required.

Sure, that may be patched soon. But it's merely an example and do not expect it to be the last.

If the firmware attack is very new and dynamic (which seems to be the case) the AV won't stop it on the software side.

No, but it may block one of the vectors a malicious site may have tried to get it to run on your PC. The firmware can't be hacked from remote without another exploit to get code to run on your machine. Again, no protection is 100%, but that doesn't mean it is useless. Same as with condoms for protection from STDs.

And other steps. I feel safe and the system has worked for the past 4 years so I am comfortable for now.

Thing is, no one really knows if they've been owned or not if the malware is sufficiently advanced.


And yes, as mentioned above, security is best dealt with in layers. You assume that various measures will fail. You're assuming that AV will fail, so why bother.

I'm assuming that wits, patching and "not visiting dodgy sites" will eventually fail me. Because I've been doing this for a long time (as my day job) and have (in the past) actually had machines compromised without opening attachments, without visiting dodgy sites, etc. Via remote connections both over the internet and via the LAN on various operating systems.

AV is not a silver bullet. But it is another safety net if other "best practices" such as patching, running an up to date OS, not running un-trusted code, not downloading warez, etc. fail you. Which they will, eventually. Assuming that "oh, i'll be careful, i'll be safe" is exactly like "I'll pull out in time" guys ending up paying child support.
 

MacGuffin

macrumors regular
Nov 13, 2006
175
18
From the international gold standard in antivirus reviewing, AV Test, on April 28, 2015:

"Only the security package from ClamXav exhibited a total failure here: only 39.6 percent of the malware threats were detected."

Dead last -- that's the bad news. Here's the good news: it's easy to uninstall, and there are excellent free alternatives from developers who know what they're doing. See them at:

https://www.av-test.org/en/news/new...-attack-10-security-packages-put-to-the-test/
 

Maximara

macrumors 68000
Jun 16, 2008
1,707
908
I'm not going to debate the market size argument because it has been debunked numerous times, but the highlights against it:
  • There are still millions of Macs in use, that's a great target.
  • What hacker wouldn't want the credit of creating the first true OS X virus?
  • Since "most" Mac users are presumed to be ignorant and defenseless, the creation of a successful virus would spread like wildfire and make a handsome profit for the creators.
Market size has little effect on why a virus hasn't been created.

Right, as the worst the virus situation was on the Mac was with System 6 (1988-1992) as there was even an antivirus program called Disinfectant and an extension called Gatekeeper (not to be confused with Apple's current security feature of the same name) both of which were continued into the mid to late 1990s.

Not counting variants there were 15 different Mac viruses in the 1989-1992 period but the marketshare of the Mac didn't hit the double digits until 1992 and system 7 in 1991 stopped about half of the Mac viruses that did exist from working.

But that means that the Mac virus situation was worst at a time when the Mac had a far less marketshare than it does now. But remember we are also talking about a far less secure OS than what we have now.

So yes the Mac can have viruses but the greater danger these days is from trojans and with the balkanization Windows has had most of its life it was (and still is) far easier to trick a Windows user into installing something than for Mac users if for no other reason the average Mac user knew support for most things like video and pictures back in those days was poor at best.
 

Che Castro

macrumors 603
May 21, 2009
5,878
676
I was able to download ClamXav from my purchased list in the app store today, the 2.6.4 version

the definitions get updated too, don't know if it is old definitions

so you can still use this on demand
 

Dirtyharry50

macrumors 68000
May 17, 2012
1,769
183
I was able to download ClamXav from my purchased list in the app store today, the 2.6.4 version

the definitions get updated too, don't know if it is old definitions

so you can still use this on demand

Why would you want to considering this app's abysmal performance in comparative testing? Something like the free Sophos or Avira would be far better and cost zero.

I've taken a test drive of the Intego suite of security and maintenance apps and like them so I am going to buy into that annually myself but if I wasn't willing to pay for some sort of security app, I'd probably go with Sophos at this point having both read about and used it along with Avira. My leaning toward Sophos as a free app and Intego as a paid one is based on a recommendation by a friend who administers a network of Macs for a hospital and research facility along with documented measures of their performance in testing.
 

Dirtyharry50

macrumors 68000
May 17, 2012
1,769
183
For anyone interested, here is the link for Sophos free edition:

https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

If you'd like to check out something more comprehensive with a pretty user interface and nice features I would recommend downloading the free 30 day trial of Intego's suite that includes their Washing Machine system utility software. This trial will scan realtime and on demand and then quarantine anything it finds for you without restriction. It won't repair a file though in the trial version. The easy to manage firewall which also allows control of what goes out along with what comes in is fully functional in the free trial and so is the update utility. The Washing Machine app in the trial is largely useless due to restrictions in the trial but is useful as a means to see the app and run various parts of it, etc. It's a very nice and comprehensive suite of apps from a company with a long history of providing security products exclusively for Macs. I consider this worth the cost but to each their own of course. Here is the link:

http://www.intego.com/mac-washing-machine-security-x8

Please be aware you need to keep the installer for the free trial and reopen it to run the uninstaller later if you decide you don't want to keep the product. I have tested this also and it works well to fully remove the software without any problems.

The button for the free trial is at the bottom of the page of info about the product. There are other options if you prefer to skip the Washing Machine component on the site as well. I like that so I chose that link but the rest is very easy to find once there. Also, for Bootcamp/Windows users there is an inexpensive option for dual system coverage. They have a partnership with Panda Software which is a very good product in the Windows world to provide Panda too at a substantial discount.

I am not associated with these companies in any way. These are simply products I have looked into, tried out and would recommend.

Lastly, for someone preferring to stick to the free route you could use a combination of Sophos for OS X and the free version of Panda for your Windows install if you have one. That is available here:

http://www.pandasecurity.com/usa/homeusers/solutions/free-antivirus/

Last but not least, the Mac apps recommended here are already El Capitan compatible.
 

fran010180

macrumors newbie
Feb 16, 2011
20
0
Hi
actually Sophos requires me to register/provide details before sending me the dmg
?!?

I wouldn't bother to test it but I'm in a "vulnerable" position because both my macs are old (intelcoreduo/10.6.8); that's to say they do not receive any more OS update. Someone told me that the security patches are still "silently" received ... or not?!

BTW, I do use clamxav 2.6.4. However when I click "update definitions" it still downloads it. Does it mean that it is working and is up to date or what?
Thanks
 

IHelpId10t5

macrumors 6502
Nov 28, 2014
486
348
The problem with those that insist on installing AntiVirus on Macs is that they simply don't understand the downside. Let's look at the costs and benefits of installing AV software on a Mac. My only assumptions are that the end-user installs Apple updates regularly and isn't willing to click through the two or three warning dialogs that it typically takes to install a trojan to infect yourself.

The benefits of having AV installed are ... nothing! The ONLY malware that Mac users have to worry about are trojans that require making multiple horrible decisions to infect yourself. There are also no viruses (never have been), and no drive-by infections on a Mac. In addition, the Mac already has many layers of protection enabled by default that you never see (Gatekeeper, XProtect, etc. and now SIP in El Capitan).

The costs of having AV installed are ... significant! Installing unnecessary AV and security products on your Mac will:

1) Slow it down
2) ADD POTENTIAL VULNERABILITIES to your system that were not present before. That's right, don't forget that by installing AV on your Mac you are potentially making it LESS SECURE.
3) Introduce a privacy and spying threat to your Mac
4) Introduce instabilities to your Mac. It's impossible to know just how many botched Mac OS updates are caused by AV and other unnecessary "monitoring" utilities -- but we all know that it's likely the most frequent cause.

If you want additional protection on your Mac you are better off just doing the following:

1) Uninstall Java completely
2) Uninstall Flash and/or disable it in your browser
3) Use an OpenDNS account to add protection from known bad domain categories and allow easy blacklisting of specific domains like mackeeper, etc.
4) Add only a few trusted extensions to your browsers like HTTPSEverywhere, Privacy Badger, and uBlock Origin
5) Take a class in Cybersecurity so you don't fall victim to the few, obvious, self-induced threats that exist for the Mac.
6) Do not believe the never-ending FUD articles from security companies that report new Mac threats to scare uninformed users into buying unnecessary AV products.
 

MacTech68

macrumors 68020
Mar 16, 2008
2,393
209
Australia, Perth
Three points.

Sadly, MalwareBytes requires 10.8 as a minimum. So it's not a solution for 10.6.8 - but it IS a very effective tool for removing nasty browser hijacks.

Secondly, when companies like DivX suddenly decide to include some PUPs in their installers with checkboxes to install them by default, advice to be careful what you're installing is potentially useless.

Finally, using openDNS may also prevent some ISP's 'free download' quotas from working properly, if they are maintaining their own genuine farm of CDN like akamai.
 

IHelpId10t5

macrumors 6502
Nov 28, 2014
486
348
Somehow, you have completely forgotten about Adware. And about a small fact that ClamXav is an on-demand application

I should have made it clear that I don't have a problem with ClamXav as it was indeed an on-demand scan. I have it installed for just that reason (scanning attachments and shared files from Windows users). It's a shame to see them go commercial if that is actually the case.

As far as Adware, I most certainly addressed it. If you have a Mac, keep your browser updated, and aren't a fool, then you will never experience Adware more than a Game of War or MacKeeper redirect that can be corrected by closing a tab in your browser. And, if you use OpenDNS, and extensions such as HTTPSEverywhere, Privacy Badger, and uBlock Origin, then even that adware is not even a thought.
 

Ulenspiegel

macrumors 68040
Nov 8, 2014
3,212
2,486
Land of Flanders and Elsewhere
I should have made it clear that I don't have a problem with ClamXav as it was indeed an on-demand scan. I have it installed for just that reason (scanning attachments and shared files from Windows users). It's a shame to see them go commercial if that is actually the case.
I share your view. There was no need going commercial after so many years and the all-round negative reviews it has lately. I have it installed as well, though seldom click on it.

As far as Adware, I most certainly addressed it. If you have a Mac, keep your browser updated, and aren't a fool, then you will never experience Adware more than a Game of War or MacKeeper redirect that can be corrected by closing a tab in your browser. And, if you use OpenDNS, and extensions such as HTTPSEverywhere, Privacy Badger, and uBlock Origin, then even that adware is not even a thought.
We agree to disagree. Your exact words:
The benefits of having AV installed are ... nothing! The ONLY malware that Mac users have to worry about are trojans that require making multiple horrible decisions to infect yourself. There are also no viruses (never have been), and no drive-by infections on a Mac.
First of all there are cases when you can not close the tab when the browser is redirected/hijacked, even if you have uBlock or uBlock Origin for that matter installed. So, this problem is not that simple.
 