Do I REALLY need an antivirus?

Discussion in 'Mac Apps and Mac App Store' started by Forkjulle, Aug 30, 2012.

  1. Forkjulle macrumors regular

    Joined:
    Aug 1, 2012
    #1
    I come from a Linux background, so antivirus software is pretty much nonexistent. But since I'm migrating to Apple, and since Apple's popularity has soared in recent years, is antivirus software necessary?

    I know it's "safe" to install it, but I understand that OSX uses passwords for installations and access to the file system (which is difficult to edit).

    OSX much the same?
     
  2. polotska macrumors 6502

    Joined:
    Sep 23, 2007
  3. simsaladimbamba

    Joined:
    Nov 28, 2010
    Location:
    located
    #3
    No need.
    Currently there are zero viruses affecting Mac OS X in public circulation, but other kinds of malware exist that can infect your Mac, though those need user interaction.
    To learn more about malware in Mac OS X and what steps can be taken to protect yourself, read the following F.A.Q.:
     
  4. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #4
    At this point probably the only real need for AV on OS X is if you want to make sure you don't unknowingly pass along a Windows virus to friends with a Windows machine.
     
  5. netslacker macrumors 6502

    Joined:
    Jan 21, 2008
    #5
    Short answer: Depends on how careless you are on the net and with email.

    Long answer: Mac viruses definitely exist despite what others would have you believe. Just google it and start reading. However, Macs do benefit from a key distinction to windows: far fewer users which translates into a much smaller target for virus and malware creators. The real answer to your question lies in how safe and cautious you are when on the net and using email. If you like to receive and open random emails with dancing cats then that's a red flag. If you surf porn or warez sites then those are huge red flags for virus and malware. If you're a social media junkie - another red flag. If this describes you then get AV.

    If you don't download random crap from warez or pirate sites or porn, or open stupid email attachments forwarded from your second cousin's third wife's step child, then you are likely OK... for now.
     
  6. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #6
    False. There has never been a Mac OS X virus in the wild. There have been a few trojans, but not a single virus. Read the link below to understand the difference.
     
  7. simsaladimbamba

    Joined:
    Nov 28, 2010
    Location:
    located
    #7
    Thanks for the laugh. Please, show me ONE real Mac OS X virus! The ones reported as viruses are not real viruses and are often trojans or scareware or other kinds of malware, that the user installed (except the Flashback trojans from some months ago, which exploited a Java (not JavaScript) vulnerability).

    So either learn the differences via the FAQ posted in post #3 or don't, but then don't make claims like you do.

    PS: Warez and porn sites can be visited quite safely if one employs safe surfing steps (outlined in that FAQ) and does not install any crap one comes upon. But since most people are probably computer illiterate (I am illiterate in many areas too), stuff like this will happen again and again (installing every ***** one comes upon).
     
  8. Risco macrumors 68000

    Risco

    Joined:
    Jul 22, 2010
    Location:
    United Kingdom
  9. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #9
    I'll have you know that my second cousin's third wife's step child is a fine, upstanding citizen who never sends malware-infected attachments in their emails! :D
     
  10. simsaladimbamba

    Joined:
    Nov 28, 2010
    Location:
    located
    #10
    So says the Nigerian Mister of Malware Basics.
     
  11. scarred macrumors 6502a

    Joined:
    Jul 24, 2011
    #11
    People ask me this all the time. Do I need antivirus?? I always told them the truth and said no. Then they do something stupid and blame me because they didn't have an antivirus program (even though it wouldn't have helped).

    So yes... if you are asking, sorry, that means you should probably get one.
     
  12. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #12
    The right answer is "No, you don't need a 3rd party antivirus app, IF you practice safe computing." Of course, many will need an explanation of what constitutes safe computing.
     
  13. scarred macrumors 6502a

    Joined:
    Jul 24, 2011
    #13
    "It was just a screensaver"....
     
  14. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #14
    LOL! I've heard that one many times!
     
  15. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #15
    This is now debatable, although, I agree that antivirus software is still not needed.

    The variants of Flashback that utilized CVE-2012-0507 prior to being patched could install without user interaction, but with only ad-click hijacking functionality to generate revenue. The CVE-2012-0507 exploit allows the untrusted Java applet to perform functions outside the Java security sandbox without user interaction. It should be noted that the Java sandbox is self-contained and part of the Java implementation; it is not an implementation of the sandboxing used with other client-side apps within OS X.

    This Java exploit does not utilize memory corruption but instead leverages a logical error in the Java reference array to achieve code execution. The runtime security mitigations in OS X Lion don't prevent these types of exploits that rely on logical errors. This type of vulnerability is rare but does lead to reliable exploits when found.

    Infecting Safari occurs in two ways:

    1) Safari is infected when the info.plist file contained in its app bundle is modified; this requires password authentication. Specifically, the LSEnvironment entry in the info.plist file is modified. The payloads are loaded into Safari when launched.

    2) The ~/.MacOSX/environment.plist file is modified so that a filtering payload is loaded into every app, which then loads the ad-click payload into the browser when the browser is launched. This method does not require password authentication. The modification to environment.plist includes adding DYLD launch variables.

    It should be noted the environment variables added to environment.plist don't take effect until the user has logged out and then logged back in. This could be why so many machines reported themselves as infected to the C&C servers despite only 10,000 machines actively having Safari modifying ad-clicks to generate revenue. I do not believe that this limitation occurs with installation method #1, which could be why method #1 is the prioritized installation method.

    Given that password authentication is not required to install the ad-click hijacking payload, the request for password authentication in method #1 may also have been intended for functions included in subsequent versions of Flashback. For example, logging keystrokes protected by NSSecureTextField (masked text entry such as passwords and banking credentials) would require password authentication given that Flashback didn't include a privilege escalation exploit within OS X.

    This version of Flashback replicates by loading itself into every app launched by the user if infection method #2 is used. Method #2 requires no user interaction, although the user having to log out/in could be considered user interaction.

    Luckily, the ability to load DYLD launch variables from environment.plist has now been removed from Mac OS X as well as the issue with Java being patched.

    http://support.apple.com/kb/TS4267

    Subsequent patches to Java for Mac are going to be produced by Oracle and will be released alongside patches for other operating systems.
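A defender-side check for the two persistence locations described in this post, as an added example that is not code from the thread or from any of its participants. It parses a plist and reports DYLD injection variables, whether they sit at the top level (the ~/.MacOSX/environment.plist case) or under LSEnvironment (the Safari Info.plist case); the plist contents and the dylib path below are constructed for the demonstration.

```python
"""Added example: flag DYLD injection variables in the two plist locations
named in the post (Safari's Info.plist LSEnvironment dict and the user's
~/.MacOSX/environment.plist). Sample plist data here is constructed."""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# dyld variables that cause a foreign library to be loaded into a process.
SUSPICIOUS_DYLD_KEYS = ("DYLD_INSERT_LIBRARIES", "DYLD_FORCE_FLAT_NAMESPACE")


def find_dyld_injection(plist_bytes: bytes) -> dict:
    """Return {key: value} for DYLD injection variables found in plist_bytes.

    Looks at top-level keys (environment.plist layout) and at the
    LSEnvironment dictionary (app bundle Info.plist layout).
    """
    try:
        data = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        return {}  # not a readable plist; nothing to report
    if not isinstance(data, dict):
        return {}
    hits = {}
    for scope in (data, data.get("LSEnvironment", {})):
        if isinstance(scope, dict):
            for key in SUSPICIOUS_DYLD_KEYS:
                if key in scope:
                    hits[key] = scope[key]
    return hits


def scan_paths(paths) -> dict:
    """Scan each existing file; return {path: hits} only for files with hits."""
    findings = {}
    for p in paths:
        path = Path(p).expanduser()
        if path.is_file():
            hits = find_dyld_injection(path.read_bytes())
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample of a modified Info.plist (method 1); dylib path is a placeholder.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.apple.Safari",
    "LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/tmp/example-injected.dylib"},
})
# Constructed sample of a clean environment.plist (method 2 location).
SAMPLE_ENV_PLIST = plistlib.dumps({"PATH": "/usr/bin:/bin"})

if __name__ == "__main__":
    print(find_dyld_injection(SAMPLE_INFO_PLIST))
    print(scan_paths(["~/.MacOSX/environment.plist",
                      "/Applications/Safari.app/Contents/Info.plist"]))
```

On a live system the second call reads the two real paths from the post; on a machine without them, or after Apple's fix removed environment.plist loading, it returns an empty dict.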
     
  16. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #16
    Those variants were still classified as a trojan, not a virus, due to the fact that, while they could install without user interaction, they could not replicate, which is the 2nd criterion for defining a virus. All Flashback variants were successfully avoided by leaving Java disabled in the browser.
     
  17. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #17
    Sorry, you missed my edit.

     
  18. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #18
    It still required user interaction and was completely avoided by disabling Java in the browser.
     
  19. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #19
    In older versions of OS X (Lion and older) that come with Java by default and have Java enabled by default in the browser, no user interaction is required in a default installation of OS X.

    I think defining user interaction as logging in/out is a pretty weak argument for making a case of user interaction because it is a fairly common task in some settings and isn't explicitly associated with authenticating malware.
     
  20. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #20
    Disabling Java in the browser has been a recommendation for safe computing since at least the MacDefender era. Flashback is not a virus and every reputable source properly identifies it as a trojan.

    The bottom line is still the fact that practicing safe computing* will completely protect Mac OS X from any malware that has ever existed in the wild.

    * Safe computing practices:
    1. Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall

    2. Uncheck "Open "safe" files after downloading" in Safari > Preferences > General

    3. Disable Java in your browser (Safari, Chrome, Firefox). This will protect you from malware that exploits Java in your browser, including the recent Flashback trojan. Leave Java disabled until you visit a trusted site that requires it, then re-enable only for the duration of your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)

    4. Change your DNS servers to OpenDNS servers by reading this.

    5. Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.

    6. Never let someone else have access to install anything on your Mac.

    7. Don't open files that you receive from unknown or untrusted sources.

    8. For added security, make sure all network, email, financial and other important passwords are long and complex, including upper and lower case letters, numbers and special characters.

    9. Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.

    That's all you need to do to keep your Mac completely free of any Mac OS X malware that has ever been released into the wild. While you may elect to use it, 3rd party antivirus software is not required to keep your Mac malware-free.
     
  21. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #21
    I agree that safe computing practices can keep you safe.

    But, this variant of Flashback does meet the definitional requirements to be a virus.

    It requires no user interaction and it replicates.

    I think the argument for it being defined as a virus is further supported by the fact that it required no user interaction on many default installations of OS X.
     
  22. throAU, Aug 30, 2012
    Last edited: Aug 30, 2012

    throAU macrumors 601

    throAU

    Joined:
    Feb 13, 2012
    Location:
    Perth, Western Australia
    #22
    Need? Do you need a computer at all?
    It is an additional line of defense. When some malicious software is released that is truly evil, and exploits a 0-day (an exploit which hasn't been publicised yet) for which there is no work-around/patch available yet, a lot of the people with no AV simply won't know they are infected, and thus propagate the problem.

    Unfortunately this is rife in the mac community (ditto for the Linux crowd) - and when something does eventually propagate, the user-base is going to get decimated.


    There are plenty of 0-days out there. Java 7 for example - no patch available, if you have Java enabled in your browser, you're vulnerable.

    Safe computing is a good thing, but if that is your only defense, eventually you'll get screwed. All it takes is for you to not keep up with one recommended best practice / patch - and potentially you are owned.

    All it takes is for ONE of the sites you visit, that you usually trust (for flash, javascript, java, whatever), to get owned on the server side, and it will start serving you malware. This happened on a huge scale in the windows world with code-red, and there's no reason it can't happen on the mac as well.

    If you rely on "safe computing" alone, you are putting your PC's security in the hands of every website you visit, that you trust to run interactive code in the context of your browser.

    AV software can use heuristics - even malware that it doesn't specifically know about can often be detected due to it doing "something dodgy".

    AV is free. It is not intrusive. There's no real excuse NOT to run it.

    It is not a silver bullet. However, nor is "safe computing" alone. Security needs to be handled in layers.

    Run AV software. Keep it updated.
    Run a firewall.
    Keep on top of software updates.
    Practice safe computing - follow the rule of least privilege - if some site doesn't need java/javascript/flash - don't enable it.
    Be paranoid. The bad guys on the internet really ARE out to get you. It doesn't matter if you aren't storing state secrets/nuclear plans/etc. Your internet connected PC is a computing resource - and they are a commodity traded on the black market. You ARE a target.
     
  23. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #23
    The same is true for those running AV. Antivirus apps provide no assurance of protection against 0-day exploits. If you choose to run AV, that's fine. Just don't be lulled into a false sense of security, thinking it will protect you from anything that safe computing won't.
     
  24. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #24
    And, OS X includes AV software by default.

    Heuristics in AV software are easily subverted.
     
  25. throAU macrumors 601

    throAU

    Joined:
    Feb 13, 2012
    Location:
    Perth, Western Australia
    #25
    For all intents and purposes, the distinction between "trojan" and "virus" is irrelevant. It's still malware, and the most common infection vector these days is via the browser. There are and will continue to be HTML rendering engine exploits.

    Yes, safari and chrome are sandboxed, but the mac has been owned every year at pwn2own so far, and I don't see that changing any time soon.
    Re: AV subversion.

    Read my post. It's not a silver bullet. It is an additional layer. Trusting your security to a single layer (safe computing) is negligent. Accidents happen. Are you really sure that you will NEVER click on something dodgy, at 2am after a few pints?
     