#297862 - 08/18/05 04:00 AM Anti virus software
simonn Offline
New User

Registered: 09/05/04
Posts: 2
Dear All,

I have so far in my MacUser life avoided getting any anti virus software for my powerbook, believing, perhaps naively, that it was somewhat irrelevant. But I don't actually have any hard evidence that this is so, hence the question. What do people 'in the know' think about the current anti virus software for OS X (I have 10.4.2)? Is it worth getting and if so, which manufacturer do you trust?

Much appreciated,

simon.

#297863 - 08/18/05 05:53 AM Re: Anti virus software [Re: simonn]
jchuzi Offline
Postaholic

Registered: 12/19/03
Posts: 22309
Loc: New York
There are different points of view about this issue. Some people (Tacit, in particular) feel that antivirus software is not only unnecessary but harmful. Certainly, Norton has caused problems. Others, myself included, feel that it's worthwhile to have some protection if only to prevent infecting Windows users. Personally, I use Intego VirusBarrier X. I bought it after reading this article. Maybe I wasted my money, but that was my decision.

As an aside, nnager has posted, many times, that he was a beta tester for Norton Antivirus 10 and that it caused no problems for him and that it works better than previous versions. Bottom line: look at different opinions and then draw your own conclusions.
_________________________
Jon

Mac Pro Quad 2.66 GHz, one 500 GB Hitachi HD, three 320 GB Hitachi HDs, 5 GB RAM, OS 10.5.7
Epson SP 1280, LaCie 80 GB FW drive, second internal DVD drive (Pioneer), Photoshop CS3, Office 2008,
Nikon LS 8000 scanner
Apple 23" Cinema Display

#297864 - 08/18/05 08:44 AM Re: Anti virus software [Re: simonn]
cyn Offline
MFIF Admin

Registered: 03/20/01
Posts: 5226
The question of the need for anti-virus software has been discussed many times in these forums, as you'll discover if you do some searches.

I think you'll find the posts on the topic in these threads useful:

Norton AntiVirus 10 works flawlessly with Tiger (original title: I can't delete this damn folder!)

Norton and Scan Notification
_________________________
MacFixIt Forums Admin

#297865 - 08/18/05 09:13 AM Re: Anti virus software [Re: simonn]
AppleOfMyFingertips Offline
Banned

Registered: 06/21/05
Posts: 533
You have a Mac, and since there are no viruses that affect Macs, anti-virus software is unnecessary. Leave the constant worrying about viruses to Windows users.
_________________________
iBook G4 1.2 GHz / OS 10.3.9 / Airport

#297866 - 08/19/05 11:49 AM Re: Anti virus software [Re: simonn]
tacit Offline
MacGuru

Registered: 10/14/99
Posts: 12002
Loc: Portland, Oregon, USA
Right now, there are no viruses that can affect or infect Mac OS X. None. Zip. Zero. Nada. Not a single one.

That means, right now, if you buy an antivirus program, you are paying real money to protect against an imaginary threat that does not even exist.

Now, there are three reasons people give for spending money to protect against non-existent threats. I'll address each of those three reasons in turn.

REASON #1: It's better to be safe than sorry.

This reason assumes that having an antivirus program makes you safer, and there is no down side to having an antivirus program. This is not true. It does not make you safer (I'll explain why when I talk about Reason #2). What's worse, it actually makes your computer experience worse.

How? Well, even good, reliable, trouble-free anti-virus software such as ClamAV still slows down your computer. Bad antivirus software such as Norton Antivirus is a disaster. Norton Antivirus has been implicated in many, many serious problems on Mac OS X systems, some of which can destroy data or make the computer completely unusable, including:

- Random freezes and kernel panics
- A bug which can consume all of the space on your hard drive.
- An extremely serious bug which can destroy your ability to authenticate with a password. This means you cannot install software, you cannot run Apple Software Update, and you cannot modify the system. I have yet to find any solution other than a complete reinstall of OS X for this problem.

Even the newest version of Norton, Norton AV 10, has many serious documented bugs, including:

- A data-corruption bug which causes it to destroy files when you use the Save command from Adobe products such as Photoshop and InDesign. The file seems to save OK, but it is corrupted by Norton as it is saved. You will not know the file is corrupted until you go to try to use it later.

- A system-level bug which can destroy your ability to use Classic. If you install Classic after you install Norton, or you reinstall Classic, the next time Classic goes to start up, it will hang or crash on the "Updating system resources" dialog. You will need to remove Norton AV, reinstall Classic, launch Classic, allow it to update any system resources, and then reinstall Norton.

There are other problems with Norton (including Norton 10) as well; this is not an exhaustive list. The point is, "it's better to be safe than sorry" only works if the things you do to be "safe" don't hurt you. Since the purpose of AV software is to protect you from things that might disrupt your computer, if the AV software disrupts your computer, the AV software is in a very literal sense worse than the virus threat. Especially since there are...err, no viruses.

REASON #2: Sooner or later, somebody will come out with a virus. When this happens, people who already have AV software will be better off.

FACT: virus software does not work by magic. It works by comparing every file on your hard drive to a list of known viruses. When a new virus comes out, it is not in the AV list of known viruses. The AV software is utterly powerless to stop it.

Now, some AV software uses "heuristics"--it tries to find unknown new viruses by comparing the behavior of running computer programs to the behavior of known viruses or to known security exploits. Because there are no known computer viruses and no known "in the wild" security exploits for OS X, OS X antivirus software can not use heuristics to look for unknown viruses.

People rarely understand how rapidly viruses spread. A typical PC worm or virus spreads worldwide, on average, about 7 hours after it is released. Fast viruses can infect every single vulnerable computer everywhere on the Internet, worldwide, in 45 minutes or less. What that means is that when a new virus comes out, if it ever does, the people with antivirus software will have exactly, precisely the same level of protection as those with no antivirus software: none. Not even the tiniest bit. None at all; zip. Viruses spread far, far faster than AV companies can release updates.

REASON #3: Having antivirus software installed on your Mac stops you from spreading PC viruses to other Windows users.

A Mac can spread a PC virus to a Windows user. There are two ways this can happen. The first way is via an email attachment; if a Mac user receives an infected file in an email, and then clicks the Forward button and forwards it on to a friend, then that friend might become infected.

The second way a Mac can spread a Windows virus is in a client/server or LAN environment. If a Mac is acting as a file server on a LAN that has Windows users, a Windows user can copy an infected file onto the Mac file server, and then another Windows user can copy the infected file off. I'll talk about each of those two scenarios in depth:

First, the email vector. Spreading a virus by email can not happen automatically. The only way for it to happen is if the Mac user receives the infected email attachment and then clicks the Forward button and intentionally forwards it to a Windows user. (There may be times when it appears a Mac user has spread a virus without hitting "forward"--let's say a Windows user receives an infected email from a Mac user's address, like "somebody@mac.com." In this case, the From address is fake. The virus came from an infected Windows computer, and sent itself out with the fake "From:" address of "somebody@mac.com;" if the person who receives it does not know how email viruses work and does not know that the From address is faked by viruses, then the person who receives it may go to the poor Mac user with fists shaking and say "You sent me a virus!"--when in fact that is not what happened, and the Mac user had nothing to do with it at all.)

The easiest and most low-impact way to stop a Mac from spreading Windows email viruses does not rely on software; it relies on common sense. Do not forward messages with attachments to other people. No matter who you think they are from and what you think is in them. If you do not know, personally, what the file is, or you did not create it, don't forward it. Even if it has the Microsoft logo and official looking text saying "This is a Windows security update." Even if it just looks like a harmless joke. Even if it promises hot pictures of Britney Spears naked in unbelievable oral XXX action. Do not forward emails with attachments to other people. If you are on a Mac, on a Windows machine, on a Sun, it doesn't matter...Do not forward emails with attachments to other people.

It should be noted, also, that AV software can not scan an attachment while the file is still on your ISP's mail server. The attachment can only be scanned if it is downloaded to your computer--either by you or by the AV software. So having AV software does not prevent you from forwarding viruses to Windows users; it only prevents you from forwarding viruses if you have downloaded the attachment yourself first.

Now, in a client-server situation, the problem is a bit different. If a Windows machine in a LAN environment has placed a Windows virus onto a Mac server, antivirus software on the Mac will not solve the problem. Yes, it might find the virus--but at this point, the LAN is already infected. There is already at least one Windows computer on the LAN which is infected with a virus, and removing the virus from the Mac will not change that. The problem cannot be solved until the source of the infection is removed.

But will the AV software on the Mac server help slow down the infection? No. By the time a computer on a LAN has been compromised, you can expect with any worm and almost any virus that all vulnerable PCs on that LAN will be compromised as well within minutes. Viruses do not wait for human beings to copy files to a server in order to spread; if they did, they would spread slowly and be easy to stop. A virus on a PC is going to spread by many vectors--TCP/IP or UDP (and the presence of a firewall will not stop the virus once it is already in the LAN), or automatically via peer-to-peer Windows SMB shares, or via Windows PnP, RCOM, or RPC vulnerabilities, or...well, you get the idea. The important thing to remember is this: The server will not be a significant infection vector; by the time the virus has infected a computer on the LAN, you have bigger problems to worry about--like, for example, your entire LAN has probably already been compromised. The only way--the ONLY way--to deal with this is to identify, isolate, and repair every single infected PC, then patch the vulnerability, update the PC AV software, or both. Once this is done, any remaining copies on the Mac server can be dealt with manually (PC AV software can scan and disinfect a shared Mac volume), but at that point it's irrelevant anyway--any virus still on the Mac software cannot infect a PC once the PC vulnerabilities are fixed, and before the vulnerabilities are fixed the Mac server isn't likely to be a relevant infection vector.

Of course, all of this would not matter if the Mac AV software were zero-opportunity-cost; that is, if the Mac AV software did not cost you anything in terms of time, reliability, system performance, or money. But this is not the case. For questionable (read: no) protection, you are exchanging, at best, a loss of system performance, and, at worst, disruptions in the system, system stability, and data loss.

Not a good deal.

The equation will change if a Mac OS X virus ever does appear. Once such a virus exists, and AV signatures which identify the virus exist, then you will probably be well-advised to use an antivirus program that isn't unstable and destructive. ClamAV and similar programs are a good bet; Norton, not so good.

But until that day comes, the AV software you install on your Mac is a whole lot of steaming nothing. What's worse, it can do more harm than good, not only because of bugs and system instability but also because it may give you a false and undeserved illusion of security. A person with a false sense of security, who erroneously believes himself to be protected, is less likely to pay attention to security than a person without this false sense of security.
_________________________
---
Photo gallery, all about me, and more: www.xeromag.com/franklin.html
RIP MacFixIt! New Mac forum: finetunedmac
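
Added example (not part of tacit's post and not any AV product's code): a toy signature matcher illustrating the list-comparison model described under Reason #2, extended slightly to show both exact-hash and byte-pattern signatures. The class, the signature names, and the sample byte strings are all constructed for illustration.

```python
import hashlib

class SignatureDB:
    """Toy signature list: exact-file hashes plus byte patterns (hypothetical)."""

    def __init__(self):
        self.hashes = {}    # sha256 hex digest -> signature name
        self.patterns = {}  # byte substring -> signature name

    def add_hash(self, name, sample):
        self.hashes[hashlib.sha256(sample).hexdigest()] = name

    def add_pattern(self, name, pattern):
        self.patterns[pattern] = name

    def scan(self, data):
        """Return the matching signature name, or None if nothing matches."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.hashes:
            return self.hashes[digest]
        for pattern, name in self.patterns.items():
            if pattern in data:
                return name
        return None

# Constructed, harmless byte strings standing in for files on disk.
KNOWN = b"demo-header|FAMILY-A-MARKER|body-v1"      # sample the vendor has seen
REPACKED = b"demo-header|FAMILY-A-MARKER|body-v2"   # same family, different bytes
BRAND_NEW = b"demo-header|FAMILY-B-MARKER|body-v1"  # not in any list yet
CLEAN = b"demo-header|quarterly-report|body"
FILES = (KNOWN, REPACKED, BRAND_NEW, CLEAN)

def run_demo():
    """Scan the same four files at three stages of the signature list."""
    db = SignatureDB()
    db.add_hash("FamilyA.exact", KNOWN)
    hash_only = [db.scan(f) for f in FILES]
    db.add_pattern("FamilyA.generic", b"FAMILY-A-MARKER")
    with_pattern = [db.scan(f) for f in FILES]
    db.add_pattern("FamilyB.generic", b"FAMILY-B-MARKER")  # the vendor update
    after_update = [db.scan(f) for f in FILES]
    return hash_only, with_pattern, after_update

if __name__ == "__main__":
    for stage, verdicts in zip(("hash only", "with pattern", "after update"), run_demo()):
        print(f"{stage:>13}: {verdicts}")
```

The `BRAND_NEW` file is reported clean at the first two stages and is flagged only once its signature has been added, which is the window the post is describing.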

#297867 - 08/19/05 05:13 PM To any FORUM MODERATOR [Re: tacit]
Andreas.. Offline
MacAuthor

Registered: 12/29/00
Posts: 1756
Loc: UnKnown!
 
The question that Tacit has just answered gets asked again and again. IMO Tacit's answer is one of the best that these forums have seen and I suggest that it merits being converted into a permanent ‘Sticky’, perhaps best here in the Newbie's forum.
 
_________________________
Andreas

G5 2.1GHz  •  Poking around in OS 10.5.4  •  Working in OS 10.4.10

#297868 - 08/19/05 06:48 PM Re: To any FORUM MODERATOR [Re: Andreas..]
AppleOfMyFingertips Offline
Banned

Registered: 06/21/05
Posts: 533
I second that notion.

I do have a question, though: Why do hackers do it? Are they so pathetic that they don't have a life, so they spend all their time developing viruses? What do they gain from it? A typical virus enters the average person's computer and ruins their files, system, etc. So what? What does the hacker get out of it? I don't understand it...
_________________________
iBook G4 1.2 GHz / OS 10.3.9 / Airport

#297869 - 08/19/05 11:20 PM Re: To any FORUM MODERATOR [Re: Andreas..]
cyn Offline
MFIF Admin

Registered: 03/20/01
Posts: 5226
I agree, Andreas. Thing is, to make tacit's reply sticky we'd have to sticky the whole thread...and with our software the Last post info doesn't update on stickies so subsequent replies can easily get missed. (Yes, I'm still taking the pills.)

As a (perhaps temporary) alternative, I've copied tacit's reply into a new locked and stickied post, and included a link to this thread for any replies. ('Course, maybe posting it myself was what you meant by convert...if so, done!)

Tacit, if you'd like to write up a separate post yourself I'll lock it and sticky it in place of the one I just put up.
_________________________
MacFixIt Forums Admin

#297870 - 08/20/05 08:25 AM Re: To any FORUM MODERATOR [Re: cyn]
Andreas.. Offline
MacAuthor

Registered: 12/29/00
Posts: 1756
Loc: UnKnown!
cyn: "Tacit, if you'd like to write up a separate post yourself I'll lock it and sticky it in place of the one I just put up."

Yes, please, Tacit. What cyn has done is fine, but that would be a tiny bit better.
_________________________
Andreas

G5 2.1GHz  •  Poking around in OS 10.5.4  •  Working in OS 10.4.10

#297871 - 08/20/05 01:08 PM Re: To any FORUM MODERATOR [Re: AppleOfMyFingertips]
MyMac8MyPC Offline
MacJournalist

Registered: 03/04/05
Posts: 551
The short answer is that they do it to feed their ego. It has nothing to do with them hating Windows or because there are more Windows machines in the world or because some countries are trying to disturb the economy or any of those “worn out” reasons that we've seen people repeatedly spread across the internet. They do it because it gives them a rush in hopes of becoming renowned and it feeds their ego, pure and simple.
_________________________


Computers are like air conditioners. They work until you open windows.
