Do I REALLY need an antivirus?

Forkjulle

macrumors regular
Original poster
Aug 1, 2012
I come from a Linux background, so antivirus software is pretty much nonexistent. But since I'm migrating to Apple, and since Apple's popularity has soared in recent years, is antivirus software necessary?

I know it's "safe" to install it, but I understand that OSX uses passwords for installations and access to the file system (which is difficult to edit).

OSX much the same?
 
Nov 28, 2010
located
No need.


Currently there are zero viruses affecting Mac OS X in public circulation, but other kinds of malware exist that can infect your Mac; those, however, need user interaction.
To learn more about malware in Mac OS X and what steps can be taken to protect yourself, read the following F.A.Q.:
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
California
> I come from a Linux background, so antivirus software is pretty much nonexistent. But since I'm migrating to Apple, and since Apple's popularity has soared in recent years, is antivirus software necessary?
>
> I know it's "safe" to install it, but I understand that OSX uses passwords for installations and access to the file system (which is difficult to edit).
>
> OSX much the same?

At this point probably the only real need for AV on OS X is if you want to make sure you don't unknowingly pass a Windows virus along to friends with a Windows machine.
 

netslacker

macrumors 6502
Jan 21, 2008
Short answer: Depends on how careless you are on the net and with email.

Long answer: Mac viruses definitely exist despite what others would have you believe. Just google it and start reading. However, Macs do benefit from a key distinction from Windows: far fewer users, which translates into a much smaller target for virus and malware creators. The real answer to your question lies in how safe and cautious you are when on the net and using email. If you like to receive and open random emails with dancing cats, then that's a red flag. If you surf porn or warez sites, then those are huge red flags for viruses and malware. If you're a social media junkie, another red flag. If this describes you, then get AV.

If you don't download random crap from warez or pirate sites or porn, or open stupid email attachments forwarded from your second cousin's third wife's stepchild, then you are likely OK... for now.
 
Nov 28, 2010
located
> Short answer: Depends on how careless you are on the net and with email.
>
> Long answer: Mac viruses definitely exist despite what others would have you believe. Just google it and start reading. However, Macs do benefit from a key distinction from Windows: far fewer users, which translates into a much smaller target for virus and malware creators. The real answer to your question lies in how safe and cautious you are when on the net and using email. If you like to receive and open random emails with dancing cats, then that's a red flag. If you surf porn or warez sites, then those are huge red flags for viruses and malware. If you're a social media junkie, another red flag. If this describes you, then get AV.
>
> If you don't download random crap from warez or pirate sites or porn, or open stupid email attachments forwarded from your second cousin's third wife's stepchild, then you are likely OK... for now.

Thanks for the laugh. Please, show me ONE real Mac OS X virus! The ones reported as viruses are not real viruses and are often trojans or scareware or other kinds of malware that the user installed (except the Flashback trojans from some months ago, which exploited a Java (not JavaScript) vulnerability).

So either learn the differences via the FAQ posted in post #3 or don't, but then don't make claims like you do.

PS: Warez and porn sites can be visited quite safely if one employs safe surfing steps (outlined in that FAQ) and does not install any crap one comes upon. But since most people are probably computer illiterate (I am illiterate in many areas too), stuff like this will happen again and again (installing every ***** one comes upon).
 

GGJstudios

macrumors Westmere
May 16, 2008
> If you don't download random crap from warez or pirate sites or porn, or open stupid email attachments forwarded from your second cousin's third wife's stepchild, then you are likely OK... for now.

I'll have you know that my second cousin's third wife's stepchild is a fine, upstanding citizen who never sends malware-infected attachments in their emails! :D
 

scarred

macrumors 6502a
Jul 24, 2011
People ask me this all the time. Do I need antivirus?? I always told them the truth and said no. Then they do something stupid and blame me because they didn't have an antivirus program (even though it wouldn't have helped).

So yes... if you are asking, sorry, that means you should probably get one.
 

GGJstudios

macrumors Westmere
May 16, 2008
> People ask me this all the time. Do I need antivirus?? I always told them the truth and said no. Then they do something stupid and blame me because they didn't have an antivirus program (even though it wouldn't have helped).

The right answer is "No, you don't need a 3rd party antivirus app, IF you practice safe computing." Of course, many will need an explanation of what constitutes safe computing.
 

munkery

macrumors 68020
Dec 18, 2006
> False. There has never been a Mac OS X virus in the wild. There have been a few trojans, but not a single virus. Read the link below to understand the difference.

This is now debatable, although, I agree that antivirus software is still not needed.

The variants of Flashback that utilized CVE-2012-0507 prior to being patched could install without user interaction but with only ad-click hijacking functionality to generate revenue. The CVE-2012-0507 exploit allows the untrusted Java applet to perform functions outside the Java security sandbox without user interaction. It should be noted that the Java sandbox is self-contained and part of the Java implementation; it is not an implementation of the sandboxing used with other client-side apps within OS X.

This Java exploit does not utilize memory corruption but instead leverages a logical error in the Java reference array to achieve code execution. The runtime security mitigations in OS X Lion don't prevent these types of exploits that rely on logical errors. This type of vulnerability is rare but does lead to reliable exploits when found.

Infecting Safari occurs in two ways:

1) Safari is infected when the Info.plist file contained in its app bundle is modified; this requires password authentication. Specifically, the LSEnvironment entry in the Info.plist file is modified. The payloads are loaded into Safari when launched.

2) The ~/.MacOSX/environment.plist file is modified so that a filtering payload is loaded into every app, which then loads the ad-click payload into the browser when the browser is launched. This method does not require password authentication. The modification to environment.plist includes adding DYLD launch variables.

It should be noted the environment variables added to environment.plist don't take effect until the user has logged out and then logged back in. This could be why so many machines reported themselves as infected to the C&C servers despite only 10,000 machines actively having Safari modifying ad-clicks to generate revenue. I do not believe that this limitation occurs with installation method #1, which could be why method #1 is the prioritized installation method.

Given that password authentication is not required to install the ad-click hijacking payload, the request for password authentication in method #1 may also have been intended for functions included in subsequent versions of Flashback. For example, logging keystrokes protected by NSSecureTextField (masked text entry such as passwords and banking credentials) would require password authentication given that Flashback didn't include a privilege escalation exploit within OS X.

This version of Flashback replicates by loading itself into every app launched by the user if infection method #2 is used. Method #2 requires no user interaction. Although, the user having to log out/in could be considered user interaction.

Luckily, the ability to load DYLD launch variables from environment.plist has now been removed from Mac OS X, and the Java issue has been patched.

http://support.apple.com/kb/TS4267

Subsequent patches to Java for Mac are going to be produced by Oracle and will be released alongside patches for other operating systems.
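The two persistence points described in this post (an LSEnvironment dictionary in Safari's Info.plist, and DYLD variables in ~/.MacOSX/environment.plist) are easy to check for with a few lines of Python. The script below is an added example, not code from the thread or from any vendor's Flashback removal tool. The sample plists and the library file names in them are constructed for the demo; on a real Mac of that era you would call scan_files() with no arguments and it would read the actual files (the check_bundle_info_plist function works for any app bundle, not only Safari).

```python
"""Check for the two Flashback persistence mechanisms (added example).

Method #1: LSEnvironment dict injected into an app's Info.plist.
Method #2: DYLD_* variables in ~/.MacOSX/environment.plist, which loginwindow
applied to every process in the session.
"""
import os
import plistlib

SAFARI_INFO_PLIST = "/Applications/Safari.app/Contents/Info.plist"
USER_ENVIRONMENT_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")


def _dyld_findings(where, mapping):
    """Turn an environment-variable dict into (severity, message) findings.

    Any persistently set DYLD_* variable deserves a look; DYLD_INSERT_LIBRARIES
    is the one Flashback used, so it is rated HIGH, and an inserted library
    whose file name starts with '.' (hidden) is called out as an extra red flag.
    """
    findings = []
    for key, value in mapping.items():
        if not key.startswith("DYLD_"):
            continue
        severity = "HIGH" if key == "DYLD_INSERT_LIBRARIES" else "MEDIUM"
        findings.append((severity, f"{where}: {key}={value}"))
        if key == "DYLD_INSERT_LIBRARIES":
            for lib in str(value).split(":"):
                if os.path.basename(lib).startswith("."):
                    findings.append(("HIGH", f"{where}: hidden dylib {lib}"))
    return findings


def check_bundle_info_plist(plist_bytes):
    """Method #1: report DYLD_* entries under LSEnvironment in an Info.plist."""
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment")
    if not isinstance(env, dict):
        return []
    # A legitimate app may use LSEnvironment for harmless variables, so only
    # the DYLD_* entries are reported.
    return _dyld_findings("Info.plist LSEnvironment", env)


def check_environment_plist(plist_bytes):
    """Method #2: report DYLD_* entries in ~/.MacOSX/environment.plist."""
    env = plistlib.loads(plist_bytes)
    return _dyld_findings("~/.MacOSX/environment.plist", env)


def scan_files(bundle_plist_path=SAFARI_INFO_PLIST,
               env_plist_path=USER_ENVIRONMENT_PLIST):
    """Run both checks against real files; a missing file simply counts as clean."""
    findings = []
    if os.path.exists(bundle_plist_path):
        with open(bundle_plist_path, "rb") as fh:
            findings += check_bundle_info_plist(fh.read())
    if os.path.exists(env_plist_path):
        with open(env_plist_path, "rb") as fh:
            findings += check_environment_plist(fh.read())
    return findings


# Constructed samples (not real Flashback artefacts): what each file looks
# like after the corresponding infection method, plus a clean Info.plist.
INFECTED_SAFARI_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/.payload.so</string>
  </dict>
</dict></plist>"""

INFECTED_ENVIRONMENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/victim/.filter.so</string>
</dict></plist>"""

CLEAN_SAFARI_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

if __name__ == "__main__":
    print("method #1:", check_bundle_info_plist(INFECTED_SAFARI_INFO))
    print("method #2:", check_environment_plist(INFECTED_ENVIRONMENT))
    print("clean:    ", check_bundle_info_plist(CLEAN_SAFARI_INFO))
    for severity, msg in scan_files():   # the real files on this Mac, if any
        print(severity, msg)
```

A finding only says "something is injecting a library at load time"; confirming it is Flashback rather than, say, a debugging tool means looking at the library itself. Note also that the environment.plist mechanism is gone from later OS X releases, as the post says, so on a current Mac only the Info.plist check is still meaningful.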
 

GGJstudios

macrumors Westmere
May 16, 2008
> The variants of Flashback that utilized CVE-2012-0507 prior to being patched could install without user interaction but with only ad-click hijacking functionality to generate revenue.

Those variants were still classified as a trojan, not a virus, due to the fact that, while they could install without user interaction, they could not replicate, which is the 2nd criterion for defining a virus. All Flashback variants were successfully avoided by leaving Java disabled in the browser.
 

munkery

macrumors 68020
Dec 18, 2006
> Those variants were still classified as a trojan, not a virus, due to the fact that, while they could install without user interaction, they could not replicate, which is the 2nd criterion for defining a virus. All Flashback variants were successfully avoided by leaving Java disabled in the browser.

Sorry, you missed my edit.

> This version of Flashback replicates by loading itself into every app launched by the user if infection method #2 is used. Method #2 requires no user interaction. Although, the user having to log out/in could be considered user interaction.
 

munkery

macrumors 68020
Dec 18, 2006
> It still required user interaction and was completely avoided by disabling Java in the browser.

In older versions of OS X (Lion and older) that come with Java by default and Java is enabled by default in the browser, no user interaction is required in a default installation of OS X.

I think defining user interaction as logging in/out is a pretty weak argument for making a case of user interaction because it is a fairly common task in some settings and isn't explicitly associated with authenticating malware.
 

GGJstudios

macrumors Westmere
May 16, 2008
> In older versions of OS X (Lion and older) that come with Java by default and Java is enabled by default in the browser, no user interaction is required in a default installation of OS X.
>
> I think defining user interaction as logging in/out is a pretty weak argument for making a case of user interaction because it is a fairly common task in some settings and isn't explicitly associated with authenticating malware.

Disabling Java in the browser has been a recommendation for safe computing since at least the MacDefender era. Flashback is not a virus and every reputable source properly identifies it as a trojan.

The bottom line is still the fact that practicing safe computing* will completely protect Mac OS X from any malware that has ever existed in the wild.

* Safe computing practices:
  1. Make sure your built-in Mac firewall is enabled in System Preferences > Security > Firewall

  2. Uncheck "Open "safe" files after downloading" in Safari > Preferences > General

  3. Disable Java in your browser (Safari, Chrome, Firefox). This will protect you from malware that exploits Java in your browser, including the recent Flashback trojan. Leave Java disabled until you visit a trusted site that requires it, then re-enable only for the duration of your visit to that site. (This is not to be confused with JavaScript, which you should leave enabled.)

  4. Change your DNS servers to OpenDNS servers by reading this.

  5. Be careful to only install software from trusted, reputable sites. Never install pirated software. If you're not sure about an app, ask in this forum before installing.

  6. Never let someone else have access to install anything on your Mac.

  7. Don't open files that you receive from unknown or untrusted sources.

  8. For added security, make sure all network, email, financial and other important passwords are long and complex, including upper and lower case letters, numbers and special characters.

  9. Always keep your Mac and application software updated. Use Software Update for your Mac software. For other software, it's safer to get updates from the developer's site or from the menu item "Check for updates", rather than installing from any notification window that pops up while you're surfing the web.
That's all you need to do to keep your Mac completely free of any Mac OS X malware that has ever been released into the wild. While you may elect to use it, 3rd party antivirus software is not required to keep your Mac malware-free.
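Items 1 to 4 of the list above are settings that can be audited rather than just remembered. The script below is an added example, not the poster's code or an Apple tool: it reads the preference files that back those items and reports which are still at the insecure default. The plist contents are constructed for the demo; on a Mac of the OS X versions discussed here, the real files are at the paths in ALF_PLIST and SAFARI_PLIST, and the resolver list comes from `networksetup -getdnsservers <service>`. The preference keys (globalstate, AutoOpenSafeDownloads, WebKitJavaEnabled) are the ones the `defaults` command exposed on those releases; newer Safari versions keep their preferences elsewhere.

```python
"""Audit a Mac against the first four safe-computing items (added example)."""
import os
import plistlib

ALF_PLIST = "/Library/Preferences/com.apple.alf.plist"            # item 1
SAFARI_PLIST = os.path.expanduser(
    "~/Library/Preferences/com.apple.Safari.plist")              # items 2, 3
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220"}          # item 4


def audit_firewall(alf_prefs):
    """Item 1: com.apple.alf globalstate 0 = off, 1 = on, 2 = block all incoming."""
    state = alf_prefs.get("globalstate", 0)
    return ("firewall_enabled", state in (1, 2), f"globalstate={state}")


def audit_safari(safari_prefs):
    """Items 2 and 3.  Safari shipped with both features ON, so an absent key
    means the insecure default is in force; only an explicit False passes."""
    auto_open = safari_prefs.get("AutoOpenSafeDownloads", True)
    java = safari_prefs.get("WebKitJavaEnabled", True)
    return [
        ("safari_open_safe_files_off", auto_open is False,
         f"AutoOpenSafeDownloads={auto_open}"),
        ("safari_java_disabled", java is False,
         f"WebKitJavaEnabled={java}"),
    ]


def audit_dns(servers):
    """Item 4: every configured resolver must be one of the OpenDNS pair."""
    servers = [s.strip() for s in servers if s and s.strip()]
    ok = bool(servers) and set(servers) <= OPENDNS_RESOLVERS
    return ("opendns_resolvers", ok, "dns=" + (",".join(servers) or "none"))


def run_audit(alf_bytes, safari_bytes, dns_servers):
    """Return [(check, passed, detail)]; the caller decides how to report it."""
    results = [audit_firewall(plistlib.loads(alf_bytes))]
    results += audit_safari(plistlib.loads(safari_bytes))
    results.append(audit_dns(dns_servers))
    return results


def failed_checks(results):
    """Names of the checks that did not pass, in audit order."""
    return [name for name, passed, _ in results if not passed]


# Constructed samples: a box still on factory defaults, and one hardened per
# the list.  (A default Safari plist simply has no entry for either key.)
DEFAULT_ALF = b'<plist version="1.0"><dict><key>globalstate</key><integer>0</integer></dict></plist>'
HARDENED_ALF = b'<plist version="1.0"><dict><key>globalstate</key><integer>1</integer></dict></plist>'
DEFAULT_SAFARI = b'<plist version="1.0"><dict></dict></plist>'
HARDENED_SAFARI = (b'<plist version="1.0"><dict>'
                   b'<key>AutoOpenSafeDownloads</key><false/>'
                   b'<key>WebKitJavaEnabled</key><false/>'
                   b'</dict></plist>')
DEFAULT_DNS = ["192.168.1.1"]                       # the router's resolver
HARDENED_DNS = ["208.67.222.222", "208.67.220.220"]

if __name__ == "__main__":
    samples = [("default", (DEFAULT_ALF, DEFAULT_SAFARI, DEFAULT_DNS)),
               ("hardened", (HARDENED_ALF, HARDENED_SAFARI, HARDENED_DNS))]
    for label, args in samples:
        for name, passed, detail in run_audit(*args):
            status = "PASS" if passed else "FAIL"
            print(f"{label:8s} {status} {name:28s} {detail}")
```

Items 5 to 9 are habits rather than settings and have no file to read, which is the practical limit of this kind of audit; a script can tell you Java is enabled, but not that you opened the attachment.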
 

munkery

macrumors 68020
Dec 18, 2006
> Disabling Java in the browser has been a recommendation for safe computing since at least the MacDefender era. Flashback is not a virus and every reputable source properly identifies it as a trojan.

I agree that safe computing practices can keep you safe.

But, this variant of Flashback does meet the definitional requirements to be a virus.

It requires no user interaction and it replicates.

I think the argument for it being defined as a virus is further supported by the fact that it required no user interaction on many default installations of OS X.
 

throAU

macrumors 603
Feb 13, 2012
Perth, Western Australia
Need? Do you need a computer at all?

It is an additional line of defense. When some malicious software is released that is truly evil, and exploits a 0-day (an exploit which hasn't been publicised yet) for which there is no work-around/patch available yet, a lot of the people with no AV simply won't know they are infected, and thus propagate the problem.

Unfortunately this is rife in the mac community (ditto for the Linux crowd) - and when something does eventually propagate, the user-base is going to get decimated.


There are plenty of 0-days out there. Java 7 for example - no patch available, if you have Java enabled in your browser, you're vulnerable.

Safe computing is a good thing, but if that is your only defense, eventually you'll get screwed. All it takes is for you to not keep up with one recommended best practice / patch - and potentially you are owned.

All it takes is for ONE of the sites you visit, that you usually trust (for Flash, JavaScript, Java, whatever), to get owned on the server side, and it will start serving you malware. This happened on a huge scale in the Windows world with Code Red, and there's no reason it can't happen on the Mac as well.

If you rely on "safe computing" alone, you are putting your PC's security in the hands of every website you visit, that you trust to run interactive code in the context of your browser.

AV software can use heuristics - even malware that it doesn't specifically know about can often be detected due to it doing "something dodgy".

AV is free. It is not intrusive. There's no real excuse NOT to run it.

It is not a silver bullet. However, nor is "safe computing" alone. Security needs to be handled in layers.

Run AV software. Keep it updated.
Run a firewall.
Keep on top of software updates.
Practice safe computing - follow the rule of least privilege - if some site doesn't need java/javascript/flash - don't enable it.
Be paranoid. The bad guys on the internet really ARE out to get you. It doesn't matter if you aren't storing state secrets/nuclear plans/etc. Your internet connected PC is a computing resource - and they are a commodity traded on the black market. You ARE a target.
 

GGJstudios

macrumors Westmere
May 16, 2008
> When some malicious software is released that is truly evil, and exploits a 0-day (an exploit which hasn't been publicised yet) for which there is no work-around/patch available yet, a lot of the people with no AV simply won't know they are infected, and thus propagate the problem.

The same is true for those running AV. Antivirus apps provide no assurance of protection against 0-day exploits. If you choose to run AV, that's fine. Just don't be lulled into a false sense of security, thinking it will protect you from anything that safe computing won't.
 

throAU

macrumors 603
Feb 13, 2012
Perth, Western Australia
> False. There has never been a Mac OS X virus in the wild. There have been a few trojans, but not a single virus. Read the link below to understand the difference.

For all intents and purposes, the distinction between "trojan" and "virus" is irrelevant. It's still malware, and the most common infection vector these days is via the browser. There are and will continue to be HTML rendering engine exploits.

Yes, Safari and Chrome are sandboxed, but the Mac has been owned every year at Pwn2Own so far, and I don't see that changing any time soon.

Re: AV subversion.

Read my post. It's not a silver bullet. It is an additional layer. Trusting your security to a single layer (safe computing) is negligent. Accidents happen. Are you really sure that you will NEVER click on something dodgy, at 2am after a few pints?