On the safe side: Security roundup

Neal Wise
8 July, 2011

The past few years have seen a renewed focus on Mac OS X security product development. In what was once the domain of a handful of persistent specialists, many traditional antivirus/anti-malicious software vendors have released products for Mac OS X. This includes several vendors who’ve never released products for Mac OS X before.

When Mac OS X was first released very few of the Mac OS ‘Classic’ security software vendors carried forward with Mac OS X products. This was likely due to a combination of factors.

Products like antivirus solutions operate at a low level in any operating system, as trusted system functions. To be able to examine data as it is read from disk or arrives over the network, antivirus products hook their own inspection functions into the operating system routines that read from and write to storage and the network.

Most Mac OS X products of this type do so using kernel extensions that extend or replace the storage and retrieval functions in the OS X kernel. This provides ‘on access’ scanning, which examines data as it is read or written and, in some cases, also inspects system and program memory and code as it executes.

So, for modern Mac OS X (as opposed to classic Mac OS), vendors had to find a new way to integrate closely with the operating system, and had to start over with signatures for viruses that would affect Mac OS X.

And attackers had to start over too.

Due to this technology restart – and a lack of demand from customers – antivirus technologies had a slow start on Mac OS X.

Do I need antivirus or anti-malware products?

The need for this type of technology for Macs has been the subject of much debate among Mac users and security geeks. It’s likely that our time has come to become as targeted for attack as our Windows-using peers.

In the time since Mac OS X was released new threat categories have emerged and other threats have morphed. Unsolicited commercial email (spam) threats have grown to become a more complex nuisance than they were in 2000 (when Mac OS X Public Beta was released), and email-based delivery of malicious software has grown as a related threat.

Also since 2000, ‘phishing’ attacks that attempt website/service impersonation have emerged and grown to be a menace and source of identity theft and fraud.

Looking good. It’s nice to be able to see the state of all the components in Intego Internet Security Barrier X6 for Mac’s Overview window tab.

A common scenario is receiving a realistic-seeming email purporting to be from a financial institution, social media or e-commerce website. Web page links in the email direct you to a website impersonating the real site in an attempt to gain access to your credentials for the legitimate site.
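The impersonation described above usually shows up in the message body as a link whose visible text names the legitimate site while the underlying href points somewhere else. The following is an added example, not code from the article or from any of the products it reviews: it parses a constructed HTML message and flags anchors whose displayed host and actual target host belong to different sites. The hostnames example-bank.test and login-verify.example are placeholders.

```python
"""Flag email links whose visible text names one site while the href points elsewhere.

Added example, not from the article. The sample message is constructed and the
hostnames 'example-bank.test' and 'login-verify.example' are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def site_name(host):
    """Crude site identity: the last two labels of a hostname (no public-suffix list used)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text):
    """If the link's visible text looks like a URL or hostname, return that host; else None."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def suspicious_links(html):
    """Return links whose displayed host and actual target host belong to different sites."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname
        shown = host_in_text(text)
        if shown and target and site_name(shown) != site_name(target):
            findings.append({
                "text": text,
                "href": href,
                "reason": "display host %s differs from target host %s" % (shown, target),
            })
    return findings


# Constructed sample phishing-style message (placeholder domains, not real sites).
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, we noticed unusual activity. Please confirm your details at
<a href="http://login-verify.example/acct">https://www.example-bank.test/secure</a>
within 24 hours.</p>
<p>Help: <a href="https://www.example-bank.test/help">www.example-bank.test/help</a></p>
<p><a href="http://login-verify.example/x">Click here</a> if the link above does not work.</p>
</body></html>"""


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding["text"], "->", finding["href"], "|", finding["reason"])
```

Only the first link is flagged: its text reads as the bank's address while the href goes to another host. The third link (“Click here”) carries no host in its text, so this check cannot judge it; a mail filter would need other signals for such links, such as reputation of the target domain. The two-label site comparison is deliberately simple and would need a public-suffix list to handle domains like co.uk correctly.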

Also over this time, as technology has changed, removable-media threats have shifted from floppy disks and optical media like CD-Rs and DVD-Rs to USB sticks and portable hard drives.

And, finally, remote attacks on Mac OS X network services, ‘botnet’ membership and Mac OS X-specific malware have revealed that we Mac users are in the same boat as others we’ve traditionally mocked. And the reality is that we have been all the time.

For most users the most effective way to deal with this is to, at some level, make these issues someone else’s problem.

Finding a solution

Content protection solutions would form only one part of your overall security arsenal. In the January 2010 issue of Australian Macworld (www.macworld.com.au/23787) I gave advice on how to ‘harden’ your Mac against attack, and on subtle features of the Mac OS X firewall. Many of those recommendations would still apply today.

Adopting technologies that help to maintain the integrity of your system, applications and data is a logical next step towards reducing the likelihood of attack.

In 2011 Mac users have a wide selection of products providing basic and advanced content protection. Some of these products only focus on antivirus technologies while other ‘security suite’ products also include intrusion-prevention technologies, simple or complex firewalls and better integration with web browsers or email clients.

Antivirus solutions usually cover a wide range of malicious software threats. Most antivirus products inspect for traditional computer viruses that propagate among the storage devices presented to an infected computer, including local disks, network volumes mapped as disks, and removable media such as floppy disks and USB sticks.
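The signature inspection of storage described here, and the ‘on access’ scanning described earlier under kernel extensions, can be illustrated in user space. The following is an added example, not code from the article or from any vendor’s product: a read wrapper stands in for the kernel hook, files are checked against constructed byte-pattern signatures and a whole-file hash denylist, and a read is refused when a signature matches. The detection names, markers and sample files are all constructed for the example.

```python
"""User-space illustration of signature-based, on-access file scanning.

Added example, not code from the article or from any vendor product. Real
products hook the kernel's storage and network I/O routines (kernel extensions
on Mac OS X at the time of the article); here a read wrapper stands in for
that hook. The signatures, sample files and detection names are constructed.
"""
import hashlib
import os
import tempfile

# Constructed byte-pattern signatures (hypothetical names and markers).
PATTERN_SIGNATURES = {
    "Example.Test.Pattern": b"SIGNATURE-TEST-FILE-DO-NOT-RUN",
    "Example.Macro.Dropper": b"AutoOpen() Shell(",
}

# Whole-file SHA-256 denylist: hex digest -> detection name. Filled at runtime.
HASH_SIGNATURES = {}


def register_hash_signature(name, content):
    """Add the SHA-256 of a known-bad file to the denylist; returns the digest."""
    digest = hashlib.sha256(content).hexdigest()
    HASH_SIGNATURES[digest] = name
    return digest


def scan_bytes(data):
    """Return the names of all signatures matching the data (hash match first)."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


class ScanBlocked(PermissionError):
    """Raised when an on-access read is denied because of a detection."""


def on_access_read(path):
    """Read a file only if it passes scanning; a user-space stand-in for the kernel hook."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = scan_bytes(data)
    if hits:
        raise ScanBlocked("%s: blocked (%s)" % (path, ", ".join(hits)))
    return data


def access_allowed(path):
    """True if the on-access check lets the read through, False if it is blocked."""
    try:
        on_access_read(path)
        return True
    except ScanBlocked:
        return False


def access_report(root):
    """Map each file directly under root to whether an on-access read would be allowed."""
    return {name: access_allowed(os.path.join(root, name)) for name in sorted(os.listdir(root))}


def scan_tree(root):
    """On-demand scan of a directory tree; returns {relative path: [signatures]} for detections only."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read())
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def build_sample_tree():
    """Write constructed clean and flagged files to a temp dir; returns its path."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    known_bad = b"constructed placeholder for a known-bad binary"
    register_hash_signature("Example.Known.Binary", known_bad)
    files = {
        "notes.txt": b"Quarterly figures attached.",
        "invoice.doc": b"Sub AutoOpen() Shell(\"something\") End Sub",
        "test.txt": b"harmless text plus SIGNATURE-TEST-FILE-DO-NOT-RUN marker",
        "tool.bin": known_bad,
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, hits in sorted(scan_tree(demo_root).items()):
        print(rel, "->", ", ".join(hits))
    for name, allowed in access_report(demo_root).items():
        print(name, "readable:", allowed)
```

The on-demand `scan_tree` pass is the equivalent of a scheduled full-disk scan, while `on_access_read` models the per-read check a kernel hook performs; the difference in placement is why the article notes that on-access products must sit inside the kernel. Hash denylists catch only exact files, and simple byte patterns are easily altered, which is why real products layer heuristics and frequent signature updates on top of both.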

Most modern antivirus products also inspect your system for other types of malware: network-roving worm programs that propagate between similar systems, and software the user chooses to install which introduces privacy-compromising functions, commonly called spyware or adware.

Many internet users choose to install spyware or accidentally do so without knowing it. Probably the least threatening form of spyware (but still not harmless) would be toolbars installed in browsers by everyone from search engines to paint manufacturers. I’m sure I’m not the only person who wonders how older relatives can view an 800 x 600 internet browser with five or six toolbars constantly competing for attention.

Today’s antivirus solutions also attempt to identify other malicious software including Trojan programs impersonating legitimate ones, software tools used for attack purposes and other perceived nuisances.

Some security software suite products also include other information-integrity functions including data leakage protection, remote intrusion prevention, firewall management, anti-spam and anti-phishing.

Importantly, several of the products were designed to be integrated into whole-environment antivirus solutions. This would permit them to share a local signature repository with Windows or other systems using antivirus technology from the same vendor, have events collected from the system when issues occur and so on.

How we compared

Many of these products inspect your Mac for malicious software that would be effective on Mac OS, Windows and other platforms. This approach also permits vendors to provide updates for multiple products using the same or related updates.

To test this approach we installed each of these products on the same slightly-out-of-date test bed OS – Mac OS X 10.6.5 – and then we gave the product some random ‘bad stuff’ to consider – some attack tools, test ‘viruses’ and other malicious data. We presented this data from disk images, local copies on the system and remotely retrieved via POP3/IMAP email and via a web browser on the system.

Admittedly, without having access to an archive of every variation of every ‘bad thing’ ever created we’d have a difficult time measuring the most effective eliminator of malicious software. So I’ll say up front that the results are entirely subjective, arbitrary, random and unlikely to survive repeat testing. But we did our best to be fair and to weigh up the usability experience in the sense of, ‘What would our non-geeky friends be able to handle?’


Comments (2)

  1. wayne says:

    Thanks for that handy review. I noted the comment about the sophos software writing to the root of the disk? Where would you suggest the updates be downloaded to?

  2. Dan Woods says:

    As with everything else related to computers, the best Security technique is education.
    Ensuring that users follow best practice is much more effective than any aftermarket Anti-Virus Solutions.
    A savvy user can still function without Anti-Virus, but an ignorant user can still FUBAR a system, no matter how much protection you have in place.
    In my experience, Automatic Software Updates, coupled with Factory provided Anti-Virus Measures (X-Protect on Mac and MSSE for Windows) and user education (don’t use Flash) is enough.
