A Conceptual Question about the Mac Firewall and Security

Discussion in 'macOS' started by Reg88, Jun 23, 2012.

  1. Reg88 macrumors regular

    Jun 8, 2010
    I'm a PC person and I'm looking to be transitioning to Mac and I'm trying to understand a few things about the Mac firewall. I've done reading but I could still use some pointers.

    I do not install software I don't know and one of my known programs asked me to "allow incoming connections" which I did allow.

    1) I looked in the advanced settings for my firewall on my Mac and I did not see that program listed anywhere in the firewall applications. Does this mean that this was a one-time thing for that program and that because it's not on the list that there is no rule set for that program and that it won't accept incoming connections now in the future without my permission once again?

    2) Along those lines, does a program on OS X ever ask about "allowing outgoing connections"? I don't recall that the above program asked that and I don't think I've ever seen that question asked by any software on the Mac.

    3) I know that one of the best things about the Mac is the lack of malware/spyware, etc. for the Mac and not having to deal with these issues (generally) is a very tempting prospect. But how can the Mac be as secure as everyone says without having any kind of outgoing firewall protection built-in? And if it is built-in, is it possible to see a list somewhere of what programs the OS is allowing to go out of the machine?

    I know there are programs like Little Snitch, but I would guess that the majority of your average Mac users don't use programs like ClamXAV and Little Snitch, and nor are they as careful as those of us on this forum.

    Yet the Mac platform is wildly successful and thus I'm confused as to how so many people really have so few problems without knowing what's going out of their machines per se. I feel like if I have to start with software like Little Snitch, then I may as well be back on a PC platform watching everything as I do now.

    Thanks for your patience and your advice!
  2. GGJstudios macrumors Westmere


    May 16, 2008
    Typically, when an app asks for permission for incoming connections and you allow it, it remembers that setting. You can later reverse your decision in the firewall settings. If it didn't remember your decision, you can also add an allowed app in those settings.
    No, they don't ask about outgoing, only incoming.
    Outgoing connections don't present the same threat level as incoming. You can certainly use apps like Little Snitch, but if you simply practice safe computing, you'll be fine.

    Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 10 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided by practicing safe computing (see below). Also, Mac OS X Snow Leopard and Lion have anti-malware protection built in, further reducing the need for 3rd party antivirus apps.
    1. Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall

    2. Uncheck "Open "safe" files after downloading" in Safari > Preferences > General

    3. Disable Java in your browser (Safari, Chrome, Firefox). This will protect you from malware that exploits Java in your browser, including the recent Flashback trojan. Leave Java disabled until you visit a trusted site that requires it, then re-enable only for the duration of your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)

    4. Change your DNS servers to OpenDNS servers by reading this.

    5. Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.

    6. Never let someone else have access to install anything on your Mac.

    7. Don't open files that you receive from unknown or untrusted sources.

    8. For added security, make sure all network, email, financial and other important passwords are long and complex, including upper and lower case letters, numbers and special characters.

    9. Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.
    That's all you need to do to keep your Mac completely free of any Mac OS X malware that has ever been released into the wild. You don't need any 3rd party software to keep your Mac secure.
  3. Reg88 thread starter macrumors regular

    Jun 8, 2010
    Thanks so much for your detailed reply.

    And just to clarify... other than installing the software in the first place, there's basically no way then that one could accidentally later on give blanket permission for an application to then have outgoing access?

    Also note that for whatever it's worth, I run day-to-day Mac work in user accounts only, and not in admin accounts.

    Lastly, why is there less concern about outgoing connections? Coming from a PC background when I think outgoing connections, I think keyloggers, etc, so that's why I'm trying to figure all this out ahead of time.

    Thanks again for your continued help!
  4. GGJstudios macrumors Westmere


    May 16, 2008
    The firewall doesn't restrict outgoing access, only incoming.
    There is no disadvantage to running daily as an admin user. That's the default.
    The only way you can get a keylogger on your Mac is to install it yourself, or give someone else access to install it.
  5. Reg88 thread starter macrumors regular

    Jun 8, 2010
    Ok but then if you WERE to get a keylogger, is this the kind of thing that ClamXAV or OS X's internal malware protection can handle or would pick up?

  6. GGJstudios macrumors Westmere


    May 16, 2008
    A keylogger isn't, by definition, malware. There are legitimate uses for keyloggers and some users install them intentionally. ClamXav may give a warning if one is detected, but I wouldn't worry about it. Keyloggers on Macs are rather rare.
  7. munkery macrumors 68020


    Dec 18, 2006
    Outbound firewalls are kind of a joke given that any malware that is able to log protected keystrokes has the privileges required to make an exception for itself in the outbound firewall rules.

    Several examples of malware exist that do this for popular outbound firewalls.

    Mac OS X Mountain Lion includes code signing that prevents unsigned code from executing in the first place. This is much more effective than an outbound firewall.
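
The thread's third question asks whether there is a list of programs that are connecting out of the machine. The following is an added example, not written by any poster in the thread: it summarises the output of `lsof -i -nP` into listening sockets (what the built-in firewall governs) and established connections (which it does not filter). The function name `socket_summary`, the sample lines, and the inbound/outbound heuristic (local port matches a port the same PID listens on) are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample in the column layout of `lsof -i -nP`
# (addresses are from documentation ranges, not real hosts).
SAMPLE='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari      412 reg    23u  IPv4 0xa1      0t0  TCP 192.168.1.20:52311->203.0.113.10:443 (ESTABLISHED)
Mail        430 reg    41u  IPv4 0xa2      0t0  TCP 192.168.1.20:52340->198.51.100.25:993 (ESTABLISHED)
GameSrv     515 reg     7u  IPv4 0xa3      0t0  TCP *:27015 (LISTEN)
GameSrv     515 reg     9u  IPv4 0xa4      0t0  TCP 192.168.1.20:27015->192.0.2.77:50112 (ESTABLISHED)
mDNSRespo    88 _mdns   5u  IPv4 0xa5      0t0  UDP *:5353'

# Reads lsof output on stdin and prints one line per socket:
#   listen   CMD PID PORT   - accepting incoming connections
#   inbound  CMD PID PEER   - established on a port this PID listens on
#   outbound CMD PID PEER   - established, not on one of its listening ports
# Direction is a heuristic; lsof does not record which side connected.
socket_summary() {
  awk '
    $NF == "(LISTEN)" {
      n = split($(NF-1), a, ":")            # last field after ":" is the port
      listening[$2 ":" a[n]] = 1
      print "listen " $1 " " $2 " " a[n]
      next
    }
    $NF == "(ESTABLISHED)" && index($(NF-1), "->") {
      est[++count] = $1 " " $2 " " $(NF-1)  # defer until all LISTEN rows are seen
    }
    END {
      for (i = 1; i <= count; i++) {
        split(est[i], f, " ")
        split(f[3], ends, "->")             # ends[1] = local, ends[2] = peer
        n = split(ends[1], l, ":")
        key = f[2] ":" l[n]
        dir = (key in listening) ? "inbound" : "outbound"
        print dir " " f[1] " " f[2] " " ends[2]
      }
    }
  ' | sort -u
}

# Demonstration on the constructed sample. On a Mac, replace the printf with:
#   lsof -i -nP | socket_summary      (sudo lsof to include other users' processes)
printf '%s\n' "$SAMPLE" | socket_summary
```
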
