Ask HN: Is no anti-virus software still best practice for mac?
Just checking in on the community. I haven't found anything that suggests I should change my best-practices of not running and not suggesting others run anti-virus packages on their MacOS machines.
Is this still best-practice in the wider community?
77 comments
[ 2.8 ms ] story [ 141 ms ] threadI personally haven't ever used an Antivirus on my Mac. If you believe you 'need' one, I recommend MalwareBytes.
https://objective-see.com/products/blockblock.html (free) Detects when software attempts to install itself to run at startup and lets you block the registration.
https://www.obdev.at/products/littlesnitch/index.html (paid) detects, reports, blocks applications connecting to the internet.
https://adguard.com/en/welcome.html (paid) High quality adblocker for safari.
But as an experiment I just tried removing the little snitch filter that lets adguard create all outgoing connections. it looks like adguard will request some or all requests that my web browser makes (like, it'll also request JS from slack or facebook). This might be because it detects and blocks crypto miner JS, or maybe some other heuristics. So far it hasn't tried to phone home but it's hard to look for that with little snitch when it's trying to connect to every site I browse to.
However it interacts annoyingly with RStudio despite being told repeatedly to trust it.
Also note that for Spectre and Meltdown 3rd party antivir had kernel patches delayed as they can become sort of an issue.
I use bitdefender at least it's quite unobtrusive on mac (sick of the windows version!). Sophos is free and afaik not too bad if you need one: https://home.sophos.com/free-mac-antivirus
Further I use: - https://objective-see.com/products/knockknock.html - https://objective-see.com/products/oversight.html - https://objective-see.com/products/blockblock.html
and Little Snitch - https://www.obdev.at/products/littlesnitch/index.html
and Firefox with - https://github.com/gorhill/uMatrix - https://github.com/gorhill/ublock
Hope that keeps the pest away ;)
http://www.ofb.net/~jlm/virus.html
In addition to community rules we also curate a bunch of rules in house from malware we've discovered across our fleet. We then aggregate this info into ELK and alert on it.
At Home: OSQuery as well + tiny elk stack + Elastalert. Overkill for a typical home setup but I like it.
Hope that helps!
I would also recommend joining the osquery slack: https://osquery-slack.herokuapp.com/
I'd get it for non-VPN, but for VPN connections - how does it matter? As long as peers properly authenticate each other, of course.
> If you are an employee or contractor - your risk is higher
Higher than whose risk?
In theory, that could be sensitive data or enable a sophisticated attacker to correlate you with your VPN exit (if you were using it for pseudo-anonymity).
I don't think key negotiation is compromised in any way...
At best they incur an ever present performance hit while only catching the lowest of low-hanging fruit. At worst they are constantly getting in your way with false positives (which train you to ignore any potentially legitimate alerts) and breaking everything. And the for profit ones tend toward the latter, because if you never notice it you won't believe it is actually doing anything and might not continue your subscription.
You might be thinking "that's all well and good for us computer geeks who know what's what, but what about everyone else?". Most people aren't as dumb as your ego likes to imagine them to be. They may not know the details of how their computers work but they know sketchy looking crap when they see it. And if they are that dumb then nothing will help them anyway.
No matter how you slice it, the cost/benefit pretty much never favors AV.
That’s simply not true. Like, at all. If it were, then viruses and malware wouldn’t be spreading like they are, especially phishing campaigns. I know many very smart people who have been compromised.
I also take issue with the word “dumb” — “smart” people can be caught off guard as well. Not everything looks sketchy, as good phishing does everything right to make you think it’s all ok.
It’s a really difficult type of software to create, and perhaps there’s room for new computer vision type anti-viruses to find look-a-like websites, but normal humans need all the help they can get!
Yeah, exactly my point. People aren't as dumb as you think they are because you and I are just about as dumb, we just think we're better than them because we understand some things they don't.
And more to the point, the thing about successful malware and phishing campaigns is that AV already does a shit job of stopping them. If you are inclined to believe something is legit, you're going to tell your AV or filter to shut the hell up and just do it anyway. The AV adds practically nothing and does it at a real cost.
Instead, they're stopped by almost constant security training. And, I'd argue that if your security training is good enough to get people to recognize phishing, spearphishing and the ilk, it's good enough to get them to recognize the kinds of low hanging fruit that reactive anti-virus software protects against.
The leaks did contain some really basic obfuscation techniques to defeat AVs, but that's nothing new.
https://www.wired.com/2017/03/clever-doubleagent-attack-turn...
Dumb isn't the word I'd use. If there were a less demeaning way of saying unaware, or ignorant, of black hat / scam trends, that's the wording I'd use.
Most people, including myself, are pretty bad a calculating risk when doing innocuous things like checking e-mail, logging in to websites or visiting a site with stealthy malicious content.
But I will say that I regularly help people including my parents who are tricked by those fake download-button ads. I'm not calling them dumb -- you were in your own premise. But that's one avenue for people to install malware on their computer.
"Don't worry about it, people don't get tricked!" is just false.
In this thread, no. But that’s a very common prevailing theme, that normal users are “dumb” compared to techies. Ask any help desk technician or desktop support employee or the BOFH or really anyone who deals with end users. Chances are they’re gonna say end users are dumb.
If anything, this persons attitude is refreshing, giving end users a bit more credit.
Actually, at worst, they can increase your attack surface and have, on more than one instance I can think of, introduced exploitable vulnerabilities that would not have existed without the antivirus.
My ego doesn't have to imagine anything. People inadvertently install malware all the time. I've personally done the deed of cleaning all that garbage up on hundreds of occasions.
This doesn't necessarily mean installing AV, though; a sufficiently-motivated idiot (or someone smart enough to be dangerous) will figure out a way to disable it anyway using a random website from a Google search as a reference. It does mean either locking down access or giving the user proper education (namely: "don't install random crap from the Internet, even if the Internet tells you to do so").
* Working code in github
* Photos in offline multiple HDD
* Docs in cloud servers and important ones printed out.
This way I dont really care if I get a virus, or gets stolen, or destroyed in fire or HDD crash etc. I actually locked myself out of my encrypted laptop and it didnt really matter - I just reinstalled everything.
I also think anti-virus is more trouble than its worth now, but am more assured as above.
Unless you are a professional film editor or photographer there is no need for RAW images (and even then, it's arguable), which is the main space sucker. The $10 a month to have Google manage it all for me is totally worth it.
If you get infected with a keylogger or a backdoor tool you're going to care. It doesn't matter how encrypted your hard drive is.
On the same note, Deep Freeze for those of you who have to deal with a bunch of Windows machines in a lab or library situation is amazing.
For those in "my enterprise doesnt need AV, because AV is stupid" camp: In the last week, the enterprise AV:
* Blocked 15 cryptominers * Blocked 3 email based ransomware attachments * Blocked 6 phishing emails * Blocked 3 installs for MacKeeper (PUA) * Found 4 other adware-type infections on hosts
Without it, these things would have hit the organisation. AV -- it will catch the lowest hanging fruit. You need this. It is necessary, but not sufficient.
[1]: https://robert.ocallahan.org/2017/01/disable-your-antivirus-...
(of course i am ignoring APT/nation state 0day, as it is not specifically about AV, all software is vulnerable against an adversary of this skill). If you worry is APT attacking your AV, you best to be looking at your Operating Systems first.
All of the things you mentioned can be stopped using far less intrusive methods than an always on, always scanning, antivirus.
The usual excuse given for requiring an antivirus is PCI compliance.
Yes, lowest hanging fruit, I know. So at this point you have to start managing your compromises instead of altogether preventing them.
To pick some nits, viruses are self-replicating. There are no viruses on Macs (yet). There are tons of Trojans. It's a big and important difference, but we obviously can't count on sensationalistic media to care about the difference. The more technical people here on HN, though, should know and care.
If the answer to that is 'yes', honestly, just suck it up and install it. It will be cheaper, easier and far less annoying to install some AV in your CDE than to have to explain why you didn't in the event of a breach.
(Note --- Post breach audits are my personal definition of hell.)
Otherwise, anti-virus is reactive and tends to protect against the lowest hanging fruit, all while introducing a real cost to everything else you do on that machine. Personally, I'd skip AV and just do a bit of security training.
Whether you use antivirus or not, use an adblocker. Keeping broken monetisation strategies alive is not your job, keeping your data safe is.
No, they'd have smaller budgets
I'm sure some academic out there will berate me for not insisting that we disassemble an entire department's workflow and rewrite it in SQL with some web frontend, but I work in the real world where costs need to be justified and the truth is they couldn't be. There were much simpler and cheaper ways to mitigate the threats we were worried about.
Ad blocking interferes with the Marketing Department occasionally but covers such a huge range of problems that it really is worth it.
For example, I occasionally receive Office documents or ZIP archives from clients.
If those should contain viruses these likely won’t affect my Mac but I can inform my client about this, help him fix his security issues and prevent viruses from spreading even further.
A colleague of mine got hit recently by a crypto-miner on their Mac. I don't know if they had an AV, and if so, if the AV would have caught the miner. This was detected by the IT department by monitoring suspicious traffic.
I don't use a macOS so I can't really say. I see AVs as another piece of proprietary software that you have to trust, and that takes significant resources without knowing how useful they are.
On Windows, I would probably use the one from Microsoft, since it's free and since I would already "trust" Microsoft by using their OS and I would somewhat bet that it is in their interest to keep their OS safe. I can't be sure tough: why is it not integrated by default (or is it?)? To allow competition? Then is Microsoft making their antivirus less efficient so the competition is still relevant? And maybe AV is not really Microsoft's main business so their antivirus may be lacking?
On the other side, I would bet it is in the interest of other AVs to always nag you and make you feel they are present and useful more than being actually efficient for other things than high detection rates in benchmarks.
They are irritating and advertise themselves in people's mail signatures, sometimes outright lying: "this email as no viruses" - That you can't be sure, and the mail could have got a virus in its way between the sender and the recipient.
By design, AVs can't really detect new viruses and I would not feel really more confident with an AV than without because of that. AVs didn't catch ransomwares when they first appeared after all.
I don't use any antivirus. My approach to security is:
- Using only free software, as much as possible (I know, I would need to audit everything I use for this to be perfect, but I can't possibly do that).
- that is preferably installed from the OS vendor, which I have no choice to trust anyway.
- usage of an ad blocker with more filters than the default
- be careful where clicking links
- instant backups in a self hosted cloud for important things, and automatic daily snapshots of this cloud somewhere else
- and I also happen to never be browsing sketchy websites.
- all this is true on my phone as well.
One could add usage of Google safe browsing or something related for phishing. And also blocking Javascript or third party Javascript by default when browsing, which I did at some point in my life but which is not convenient for most people.
Would I recommend AV for somebody who uses an OS that is more targeted by viruses than mine, and is likely to fell in a trap (the kind of trap an AV would catch anyway)? Probably Windows Defender on Windows, for Macs I really don't know. If there is an AV provided by Apple or by some other company you trust, I guess I would go for it rather than having nothing.
You can always get viruses from the network that will silently exploit an unfixed security breach on any system, and that may remain undetected so at least, I would tell them to be careful, to keep their system updated and to make backups regularly (ideally, backups should be automatic to some extent), since AVs can't guarantee that no virus will make it.
I would make sure that they are not too confident in the AV, too.