Ask HN: Is no anti-virus software still best practice for mac?

65 points by _justinfunk ↗ HN
Just checking in on the community. I haven't found anything that suggests I should change my best-practices of not running and not suggesting others run anti-virus packages on their MacOS machines.

Is this still best-practice in the wider community?

77 comments

[ 2.8 ms ] story [ 141 ms ] thread
Nowadays I just figure it's common sense on what to install/what not to install.

I personally haven't ever used an Antivirus on my Mac. If you believe you 'need' one, I recommend MalwareBytes.

I don't run traditional antivirus but I do run:

https://objective-see.com/products/blockblock.html (free) Detects when software attempts to install itself to run at startup and lets you block the registration.

https://www.obdev.at/products/littlesnitch/index.html (paid) detects, reports, blocks applications connecting to the internet.

https://adguard.com/en/welcome.html (paid) High quality adblocker for safari.

I am super skeptical about ad guard and I'm looking for someone to allay that skepticism. It's just... too clean. I don't trust software this perfect, especially since it's made in Russia and sees all the internet traffic on my computer.
I didn't know it was made in Russia! Up until now I've had a good experience, and trusted reviews.

But as an experiment I just tried removing the little snitch filter that lets adguard create all outgoing connections. it looks like adguard will request some or all requests that my web browser makes (like, it'll also request JS from slack or facebook). This might be because it detects and blocks crypto miner JS, or maybe some other heuristics. So far it hasn't tried to phone home but it's hard to look for that with little snitch when it's trying to connect to every site I browse to.

Yeah, I ran their free trial and had a good experience. I did the same kind of tests you did, but I still don't feel comfortable with it. It's just too slick. That mixed with the fact that their entire team is Russian nationals... I dunno. Too sketchy.
In my opinion it's also the best practice for windows. But never without ad-blocker like ublock.
(comment deleted)
I use BitDefender, which also has various web privacy features and a VPN.

However it interacts annoyingly with RStudio despite being told repeatedly to trust it.

BitDefender is quite a pain if it ever gets in your way. They really did a bad job there wouldn't buy it again.
Well MacOS (an Windows) have built-in ones. MacOS has XProtect between other things like app signing.

Also note that for Spectre and Meltdown 3rd party antivir had kernel patches delayed as they can become sort of an issue.

Even if people aren’t targeting Macs, if you comms with people using other OSes, it’s good citizenship to ensure your machine is not a host vector.
Have one but never needed it so far - or it didn't catch the virii ;)

I use bitdefender at least it's quite unobtrusive on mac (sick of the windows version!). Sophos is free and afaik not too bad if you need one: https://home.sophos.com/free-mac-antivirus

Further I use: - https://objective-see.com/products/knockknock.html - https://objective-see.com/products/oversight.html - https://objective-see.com/products/blockblock.html

and Little Snitch - https://www.obdev.at/products/littlesnitch/index.html

and Firefox with - https://github.com/gorhill/uMatrix - https://github.com/gorhill/ublock

Hope that keeps the pest away ;)

I use bitdefender as well, but lately I started deactivating "autopilot" (auto scanning folders in the background) because it pushes my cpu usage to > 100% regularly while I am using my Mac.
I fortunately do not have that problem, yet. But the autopilot stuff and other weird stuff bitdefender is doing autonomously is exactly why i may ditch it soon. Will probably switch to sophos once it happens.
In a corporate setting: At Etsy we use OSQuery on all of our corp machines(macOS) to help with malware/virus detection. We use community rules: https://github.com/facebook/osquery/blob/master/packs/osx-at...

In addition to community rules we also curate a bunch of rules in house from malware we've discovered across our fleet. We then aggregate this info into ELK and alert on it.

At Home: OSQuery as well + tiny elk stack + Elastalert. Overkill for a typical home setup but I like it.

Can you elaborate more on your home setup?
If you are an employee or contractor - your risk is higher than you might think. As an employee, if you do 'non-work' activity on your laptop that compromises it's integrity - you could be at actual monetary/legal risk. I would highly recommend you have one. Also, as a contractor you run a higher risk. With Mac, configure your built in firewall. Run a "paid for" version of Bitdefender or other. Use VPN ad blocking. Use LTE connections, not wi-fi, for VPN connections.
> Use LTE connections, not wi-fi, for VPN connections

I'd get it for non-VPN, but for VPN connections - how does it matter? As long as peers properly authenticate each other, of course.

> If you are an employee or contractor - your risk is higher

Higher than whose risk?

No idea if this is was the commenter was implying, but I think the advice is because plenty of apps can send requests in the 1 second initial window as you authenticate your VPN.

In theory, that could be sensitive data or enable a sophisticated attacker to correlate you with your VPN exit (if you were using it for pseudo-anonymity).

I don't think key negotiation is compromised in any way...

Great question. For 'in flight' connections like a VPN, it is harder. I would most likely try to be "same network"... so I'd find them at a coffee shop and try to compromise the dev machine on the network, social engineer/phish, or if the dev was at home and I needed in, I'd try to impersonate their home WAP, or I'd try compromise their machine to cross a tunnel or look for codebases, etc. Edit: Totally derailed the topic, my bad.
(comment deleted)
No anti virus software is even best-practice for Windows. At least third party anti virus software.
It is my considered opinion that "no anti-virus" is still the best practice for nearly everything. About the only place it makes any sense is in your email filters or anywhere else the public can send random bullshit.

At best they incur an ever present performance hit while only catching the lowest of low-hanging fruit. At worst they are constantly getting in your way with false positives (which train you to ignore any potentially legitimate alerts) and breaking everything. And the for profit ones tend toward the latter, because if you never notice it you won't believe it is actually doing anything and might not continue your subscription.

You might be thinking "that's all well and good for us computer geeks who know what's what, but what about everyone else?". Most people aren't as dumb as your ego likes to imagine them to be. They may not know the details of how their computers work but they know sketchy looking crap when they see it. And if they are that dumb then nothing will help them anyway.

No matter how you slice it, the cost/benefit pretty much never favors AV.

“Most people aren't as dumb as your ego likes to imagine them to be. They may not know the details of how their computers work but they know sketchy looking crap when they see it.”

That’s simply not true. Like, at all. If it were, then viruses and malware wouldn’t be spreading like they are, especially phishing campaigns. I know many very smart people who have been compromised.

I also take issue with the word “dumb” — “smart” people can be caught off guard as well. Not everything looks sketchy, as good phishing does everything right to make you think it’s all ok.

It’s a really difficult type of software to create, and perhaps there’s room for new computer vision type anti-viruses to find look-a-like websites, but normal humans need all the help they can get!

(comment deleted)
> I also take issue with the word “dumb” — “smart” people can be caught off guard as well.

Yeah, exactly my point. People aren't as dumb as you think they are because you and I are just about as dumb, we just think we're better than them because we understand some things they don't.

And more to the point, the thing about successful malware and phishing campaigns is that AV already does a shit job of stopping them. If you are inclined to believe something is legit, you're going to tell your AV or filter to shut the hell up and just do it anyway. The AV adds practically nothing and does it at a real cost.

I agree with what you're saying, but it's worth noting that the kinds of attacks you're talking about cannot be reliably stopped by anti-virus.

Instead, they're stopped by almost constant security training. And, I'd argue that if your security training is good enough to get people to recognize phishing, spearphishing and the ilk, it's good enough to get them to recognize the kinds of low hanging fruit that reactive anti-virus software protects against.

I think "dumb" is the incorrect word for this context. They simply lack the awareness. Us IT folks hang around in places like HN where we constantly bombarded with advisories against viruses and online scams, and hence well-aware of them.
This attitude is so completely negligent I dont even know where to start. Its dangerously misinformed. ('i never caught a virus, why bother'). AV catches the low hanging fruit. If you do not have it, you will forever be poisoned by that low hanging fruit.
At worst, AV is an increase in attack surface, as detailed in the CIA wikileaks.
Not everyone's threat model includes actors out there bypassing AV. Most people need AV to be able to protect themselves against accidentally opening a spammy, script-kiddie level spam mail.
Most viruses out there are bypassing AV.
> Most people aren't as dumb as your ego likes to imagine them to be. They may not know the details of how their computers work but they know sketchy looking crap when they see it.

Dumb isn't the word I'd use. If there were a less demeaning way of saying unaware, or ignorant, of black hat / scam trends, that's the wording I'd use.

Most people, including myself, are pretty bad a calculating risk when doing innocuous things like checking e-mail, logging in to websites or visiting a site with stealthy malicious content.

Eh, your "not as dumb as you think" is unnecessarily hostile. Also, nobody except you was calling people dumb, it's some weird rhetoric.

But I will say that I regularly help people including my parents who are tricked by those fake download-button ads. I'm not calling them dumb -- you were in your own premise. But that's one avenue for people to install malware on their computer.

"Don't worry about it, people don't get tricked!" is just false.

>Also, nobody except you was calling people dumb

In this thread, no. But that’s a very common prevailing theme, that normal users are “dumb” compared to techies. Ask any help desk technician or desktop support employee or the BOFH or really anyone who deals with end users. Chances are they’re gonna say end users are dumb.

If anything, this persons attitude is refreshing, giving end users a bit more credit.

>At worst they are constantly getting in your way with false positives

Actually, at worst, they can increase your attack surface and have, on more than one instance I can think of, introduced exploitable vulnerabilities that would not have existed without the antivirus.

"Most people aren't as dumb as your ego likes to imagine them to be."

My ego doesn't have to imagine anything. People inadvertently install malware all the time. I've personally done the deed of cleaning all that garbage up on hundreds of occasions.

This doesn't necessarily mean installing AV, though; a sufficiently-motivated idiot (or someone smart enough to be dangerous) will figure out a way to disable it anyway using a random website from a Google search as a reference. It does mean either locking down access or giving the user proper education (namely: "don't install random crap from the Internet, even if the Internet tells you to do so").

I just got in trouble at work today for booting my computer from an external drive to bypass the antivirus laden computer I have to use normally.
My approach is to make my PC disposable. With all cloud services its a lot easier than it used to be. IE

* Working code in github

* Photos in offline multiple HDD

* Docs in cloud servers and important ones printed out.

This way I dont really care if I get a virus, or gets stolen, or destroyed in fire or HDD crash etc. I actually locked myself out of my encrypted laptop and it didnt really matter - I just reinstalled everything.

I also think anti-virus is more trouble than its worth now, but am more assured as above.

Why would you have bothered encrypting the laptop if everything is in the cloud/elsewhere anyway?
You would still want to encrypt since sensitive data might be cached on the hard drive in plain text or credentials stored in an insecure way.
In case it gets stolen. But you're right if I'm worried about that I should be worried about getting a virus that steals my files.
This is what I have been trending towards as a matter of practicality. I want all of my devices to be thin clients.
Not a bad approach, but if you have a virus that hasn't "shown itself" yet, then it could infect or otherwise corrupt the back up HDD's, right?
My approach as well, except I don't deal with offline HDD, I keep all my photos in Google Photos, offline docs in Google Drive.

Unless you are a professional film editor or photographer there is no need for RAW images (and even then, it's arguable), which is the main space sucker. The $10 a month to have Google manage it all for me is totally worth it.

reminds me I often enjoy virustotal as a serious check for some files.
> This way I dont really care if I get a virus, or gets stolen...

If you get infected with a keylogger or a backdoor tool you're going to care. It doesn't matter how encrypted your hard drive is.

Practically speaking, how many key loggers and backdoor tools are detected by AV?
Normally, I would say no, but recently, I've been thinking a bit differently on the matter. At minimum a good ad blocker is needed, and even with that some things are getting through. If the general technical experience level of the user is low to medium, I would seriously consider a virus protector.

On the same note, Deep Freeze for those of you who have to deal with a bunch of Windows machines in a lab or library situation is amazing.

I use objective-see suite of products like little snitch (well their new open source version named something different), knock-knock, block-block and kext-viewer. They are all free and let you know what is going on without tryinb to manage everything. They also have a simple menu item that lets you know if youre camera is hijacked. I like their sodtware
you need AV on your corporate macs. No excuses.

For those in "my enterprise doesnt need AV, because AV is stupid" camp: In the last week, the enterprise AV:

* Blocked 15 cryptominers * Blocked 3 email based ransomware attachments * Blocked 6 phishing emails * Blocked 3 installs for MacKeeper (PUA) * Found 4 other adware-type infections on hosts

Without it, these things would have hit the organisation. AV -- it will catch the lowest hanging fruit. You need this. It is necessary, but not sufficient.

This [1] post last year pointed to Google Project Zero, which found dozens of exploits in popular AV software. What if your third-party AV is your lowest hanging fruit? How many issues did your AV itself cause? How would you know?

[1]: https://robert.ocallahan.org/2017/01/disable-your-antivirus-...

Im aware of the research p0 did on AV -- its very important, and their findings were fed back to the vendors, to improve their products. AV is not the low hanging fruit, there has never been a discovered malware that exploits an AV bug. It might happen, but you are a million times more likely to find a garden variety malware that all AV detects.

(of course i am ignoring APT/nation state 0day, as it is not specifically about AV, all software is vulnerable against an adversary of this skill). If you worry is APT attacking your AV, you best to be looking at your Operating Systems first.

So far my corporate Mac antivirus has only blocked iOS apps that I personally built and it completely breaks the iOS simulator. It has caused me hours of headache and it regularly locks up my machine to the point that I have to restart it almost daily.

All of the things you mentioned can be stopped using far less intrusive methods than an always on, always scanning, antivirus.

The usual excuse given for requiring an antivirus is PCI compliance.

AV detection rate is not very good. And of course targeted stuff can just test against your av.

Yes, lowest hanging fruit, I know. So at this point you have to start managing your compromises instead of altogether preventing them.

Macs are excellent about making it difficult to run and install things, accidentally or otherwise. If someone can't listen to simple instructions about not "updating Flash" or not installing a "PDF plugin", anti-virus isn't going to stop them. In cases like that, it's better to focus on the problem, not the symptom.

To pick some nits, viruses are self-replicating. There are no viruses on Macs (yet). There are tons of Trojans. It's a big and important difference, but we obviously can't count on sensationalistic media to care about the difference. The more technical people here on HN, though, should know and care.

Little Snitch is all you need.
I never used any third-party antivirus software. AFAIK both Windows and macOS have built-in antivirus software, although I think that it's not required either. Properly patched software to minimize risk of RCE vulnerability and brain to avoid running untrusted programs should be enough.
macOS does not have built-in antivirus software, hence the question.
It has gatekeeper for spotting malicuous downloads.
I believe it's called XProtect. It checks files with known virus signatures.
Are these machines part of a cardholder data environment (as defined by PCI-DSS)?

If the answer to that is 'yes', honestly, just suck it up and install it. It will be cheaper, easier and far less annoying to install some AV in your CDE than to have to explain why you didn't in the event of a breach.

(Note --- Post breach audits are my personal definition of hell.)

Otherwise, anti-virus is reactive and tends to protect against the lowest hanging fruit, all while introducing a real cost to everything else you do on that machine. Personally, I'd skip AV and just do a bit of security training.

One of the best anti-virus tools on any platform is a good adblocker (I prefer ublock origin). It completely removes large classes of infection sources (malvertising, fake download buttons, etc). Then disable macros in office products. If every IT department did that, they’d have much more time for useful work.

Whether you use antivirus or not, use an adblocker. Keeping broken monetisation strategies alive is not your job, keeping your data safe is.

> If every IT department did that, they’d have much more time for useful work

No, they'd have smaller budgets

I really wish we could disable macros, but it turns out the hoops we'd have to jump through just so accounting could continue to do their jobs wasn't worth the effort.

I'm sure some academic out there will berate me for not insisting that we disassemble an entire department's workflow and rewrite it in SQL with some web frontend, but I work in the real world where costs need to be justified and the truth is they couldn't be. There were much simpler and cheaper ways to mitigate the threats we were worried about.

Ad blocking interferes with the Marketing Department occasionally but covers such a huge range of problems that it really is worth it.

I don’t think it’s particularly widely used but in my opinion using antivirus software is a matter of good hygiene, even if the system you run isn’t prone to being infected by viruses.

For example, I occasionally receive Office documents or ZIP archives from clients.

If those should contain viruses these likely won’t affect my Mac but I can inform my client about this, help him fix his security issues and prevent viruses from spreading even further.

As far as I'm concerned, anything not open source is a virus.
At INRIA (a French computer science research institute), AV became mandatory on Macs last year.

A colleague of mine got hit recently by a crypto-miner on their Mac. I don't know if they had an AV, and if so, if the AV would have caught the miner. This was detected by the IT department by monitoring suspicious traffic.

I don't use a macOS so I can't really say. I see AVs as another piece of proprietary software that you have to trust, and that takes significant resources without knowing how useful they are.

On Windows, I would probably use the one from Microsoft, since it's free and since I would already "trust" Microsoft by using their OS and I would somewhat bet that it is in their interest to keep their OS safe. I can't be sure tough: why is it not integrated by default (or is it?)? To allow competition? Then is Microsoft making their antivirus less efficient so the competition is still relevant? And maybe AV is not really Microsoft's main business so their antivirus may be lacking?

On the other side, I would bet it is in the interest of other AVs to always nag you and make you feel they are present and useful more than being actually efficient for other things than high detection rates in benchmarks.

They are irritating and advertise themselves in people's mail signatures, sometimes outright lying: "this email as no viruses" - That you can't be sure, and the mail could have got a virus in its way between the sender and the recipient.

By design, AVs can't really detect new viruses and I would not feel really more confident with an AV than without because of that. AVs didn't catch ransomwares when they first appeared after all.

I don't use any antivirus. My approach to security is:

- Using only free software, as much as possible (I know, I would need to audit everything I use for this to be perfect, but I can't possibly do that).

- that is preferably installed from the OS vendor, which I have no choice to trust anyway.

- usage of an ad blocker with more filters than the default

- be careful where clicking links

- instant backups in a self hosted cloud for important things, and automatic daily snapshots of this cloud somewhere else

- and I also happen to never be browsing sketchy websites.

- all this is true on my phone as well.

One could add usage of Google safe browsing or something related for phishing. And also blocking Javascript or third party Javascript by default when browsing, which I did at some point in my life but which is not convenient for most people.

Would I recommend AV for somebody who uses an OS that is more targeted by viruses than mine, and is likely to fell in a trap (the kind of trap an AV would catch anyway)? Probably Windows Defender on Windows, for Macs I really don't know. If there is an AV provided by Apple or by some other company you trust, I guess I would go for it rather than having nothing.

You can always get viruses from the network that will silently exploit an unfixed security breach on any system, and that may remain undetected so at least, I would tell them to be careful, to keep their system updated and to make backups regularly (ideally, backups should be automatic to some extent), since AVs can't guarantee that no virus will make it.

I would make sure that they are not too confident in the AV, too.