

#298226 - 08/19/05 11:08 PM Macs, viruses, and anti-virus software
cyn (MFIF Admin)
Questions about anti-virus software for the Mac have been asked and answered many times in this forum and others at MFIF. The following in-depth response was tacit's reply to one such query entitled Anti virus software:


Right now, there are no viruses that can affect or infect Mac OS X. None. Zip. Zero. Nada. Not a single one.

That means, right now, if you buy an antivirus program, you are paying real money to protect against an imaginary threat that does not even exist.

Now, there are three reasons people give for spending money to protect against non-existent threats. I'll address each of those three reasons in turn.

REASON #1: It's better to be safe than sorry.

This reason assumes that having an antivirus program makes you safer, and there is no down side to having an antivirus program. This is not true. It does not make you safer (I'll explain why when I talk about Reason #2). What's worse, it actually makes your computer experience worse.

How? Well, even good, reliable, trouble-free anti-virus software such as ClamAV still slows down your computer. Bad antivirus software such as Norton Antivirus is a disaster. Norton Antivirus has been implicated in many, many serious problems on Mac OS X systems, some of which can destroy data or make the computer completely unusable, including:

- Random freezes and kernel panics
- A bug which can consume all of the space on your hard drive.
- An extremely serious bug which can destroy your ability to authenticate with a password. This means you cannot install software, you cannot run Apple Software Update, and you cannot modify the system. I have yet to find any solution other than a complete reinstall of OS X for this problem.

Even the newest version of Norton, Norton AV 10, has many serious documented bugs, including:

- A data-corruption bug which causes it to destroy files when you use the Save command from Adobe products such as Photoshop and InDesign. The file seems to save OK, but it is corrupted by Norton as it is saved. You will not know the file is corrupted until you go to try to use it later.

- A system-level bug which can destroy your ability to use Classic. If you install Classic after you install Norton, or you reinstall Classic, the next time Classic goes to start up, it will hang or crash on the "Updating system resources" dialog. You will need to remove Norton AV, reinstall Classic, launch Classic, allow it to update any system resources, and then reinstall Norton.

There are other problems with Norton (including Norton 10) as well; this is not an exhaustive list. The point is, "it's better to be safe than sorry" only works if the things you do to be "safe" don't hurt you. Since the purpose of AV software is to protect you from things that might disrupt your computer, if the AV software disrupts your computer, the AV software is in a very literal sense worse than the virus threat. Especially since there are...err, no viruses.

REASON #2: Sooner or later, somebody will come out with a virus. When this happens, people who already have AV software will be better off.

FACT: virus software does not work by magic. It works by comparing every file on your hard drive to a list of known viruses. When a new virus comes out, it is not in the AV list of known viruses. The AV software is utterly powerless to stop it.

Now, some AV software uses "heuristics"--it tries to find unknown new viruses by comparing the behavior of running computer programs to the behavior of known viruses or to known security exploits. Because there are no known computer viruses and no known "in the wild" security exploits for OS X, OS X antivirus software can not use heuristics to look for unknown viruses.

People rarely understand how rapidly viruses spread. A typical PC worm or virus spreads worldwide, on average, about 7 hours after it is released. Fast viruses can infect every single vulnerable computer everywhere on the Internet, worldwide, in 45 minutes or less. What that means is that when a new virus comes out, if it ever does, the people with antivirus software will have exactly, precisely the same level of protection as those with no antivirus software: none. Not even the tiniest bit. None at all; zip. Viruses spread far, far faster than AV companies can release updates.

REASON #3: Having antivirus software installed on your Mac stops you from spreading PC viruses to other Windows users.

A Mac can spread a PC virus to a Windows user. There are two ways this can happen. The first way is via an email attachment; if a Mac user receives an infected file in an email, and then clicks the Forward button and forwards it on to a friend, then that friend might become infected.

The second way a Mac can spread a Windows virus is in a client/server or LAN environment. If a Mac is acting as a file server on a LAN that has Windows users, a Windows user can copy an infected file onto the Mac file server, and then another Windows user can copy the infected file off. I'll talk about each of those two scenarios in depth:

First, the email vector. Spreading a virus by email can not happen automatically. The only way for it to happen is if the Mac user receives the infected email attachment and then clicks the Forward button and intentionally forwards it to a Windows user. (There may be times when it appears a Mac user has spread a virus without hitting "forward"--let's say a Windows user receives an infected email from a Mac user's address, like "somebody@mac.com." In this case, the From address is fake. The virus came from an infected Windows computer, and sent itself out with the fake "From:" address of "somebody@mac.com"; if the person who receives it does not know how email viruses work and does not know that the From address is faked by viruses, then the person who receives it may go to the poor Mac user with fists shaking and say "You sent me a virus!"--when in fact that is not what happened, and the Mac user had nothing to do with it at all.)

The easiest and most low-impact way to stop a Mac from spreading Windows email viruses does not rely on software; it relies on common sense. Do not forward messages with attachments to other people. No matter who you think they are from and what you think is in them. If you do not know, personally, what the file is, or you did not create it, don't forward it. Even if it has the Microsoft logo and official looking text saying "This is a Windows security update." Even if it just looks like a harmless joke. Even if it promises hot pictures of Britney Spears naked in unbelievable oral XXX action. Do not forward emails with attachments to other people. If you are on a Mac, on a Windows machine, on a Sun, it doesn't matter...Do not forward emails with attachments to other people.

It should be noted, also, that AV software can not scan an attachment while the file is still on your ISP's mail server. The attachment can only be scanned if it is downloaded to your computer--either by you or by the AV software. So having AV software does not prevent you from forwarding viruses to Windows users; it only prevents you from forwarding viruses if you have downloaded the attachment yourself first.

Now, in a client-server situation, the problem is a bit different. If a Windows machine in a LAN environment has placed a Windows virus onto a Mac server, antivirus software on the Mac will not solve the problem. Yes, it might find the virus--but at this point, the LAN is already infected. There is already at least one Windows computer on the LAN which is infected with a virus, and removing the virus from the Mac will not change that. The problem cannot be solved until the source of the infection is removed.

But will the AV software on the Mac server help slow down the infection? No. By the time a computer on a LAN has been compromised, you can expect with any worm and almost any virus that all vulnerable PCs on that LAN will be compromised as well within minutes. Viruses do not wait for human beings to copy files to a server in order to spread; if they did, they would spread slowly and be easy to stop. A virus on a PC is going to spread by many vectors--TCP/IP or UDP (and the presence of a firewall will not stop the virus once it is already in the LAN), or automatically via peer-to-peer Windows SMB shares, or via Windows PnP, RCOM, or RPC vulnerabilities, or...well, you get the idea. The important thing to remember is this: The server will not be a significant infection vector; by the time the virus has infected a computer on the LAN, you have bigger problems to worry about--like, for example, your entire LAN has probably already been compromised. The only way--the ONLY way--to deal with this is to identify, isolate, and repair every single infected PC, then patch the vulnerability, update the PC AV software, or both. Once this is done, any remaining copies on the Mac server can be dealt with manually (PC AV software can scan and disinfect a shared Mac volume), but at that point it's irrelevant anyway--any virus still on the Mac software cannot infect a PC once the PC vulnerabilities are fixed, and before the vulnerabilities are fixed the Mac server isn't likely to be a relevant infection vector.

Of course, all of this would not matter if the Mac AV software were zero-opportunity-cost; that is, if the Mac AV software did not cost you anything in terms of time, reliability, system performance, or money. But this is not the case. For questionable (read: no) protection, you are exchanging, at best, a loss of system performance, and, at worst, disruptions in the system, system stability, and data loss.

Not a good deal.

The equation will change if a Mac OS X virus ever does appear. Once such a virus exists, and AV signatures which identify the virus exist, then you will probably be well-advised to use an antivirus program that isn't unstable and destructive. ClamAV and similar programs are a good bet; Norton, not so good.

But until that day comes, the AV software you install on your Mac is a whole lot of steaming nothing. What's worse, it can do more harm than good, not only because of bugs and system instability but also because it may give you a false and undeserved illusion of security. A person with a false sense of security, who erroneously believes himself to be protected, is less likely to pay attention to security than a person without this false sense of security.


Edited by cyn (05/19/08 07:31 AM)
Edit Reason: updated links
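The post above describes signature scanning as "comparing every file on your hard drive to a list of known viruses." The following is an added example (not code from the original post or from any AV product) that implements that mechanism in miniature: a scanner that matches files against a list of known byte patterns and whole-file hashes, run over a constructed set of sample files. The signature names, patterns and sample files are all made up for the demo. Running it shows the point Reason #2 makes: a sample in the list is caught, while a variant that differs by a single byte, which is exactly what a "new" virus is to the scanner, passes as clean.

```python
"""Minimal signature-based file scanner (added example; signatures and
sample files are constructed, not real malware)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed signature database.  Real AV products ship thousands of
# these and update them continuously; the mechanism is the same.
KNOWN_PATTERNS = {
    # name -> byte sequence that must appear somewhere in the file
    "Demo.Sample.A": b"THIS-IS-A-CONSTRUCTED-DEMO-SIGNATURE-A",
}
KNOWN_HASHES = {
    # name -> SHA-256 of the entire file
    "Demo.Sample.B": hashlib.sha256(b"constructed sample B payload").hexdigest(),
}


def scan_bytes(data: bytes) -> Optional[str]:
    """Return the name of the first matching signature, or None if clean."""
    digest = hashlib.sha256(data).hexdigest()
    for name, known in KNOWN_HASHES.items():
        if digest == known:
            return name
    for name, pattern in KNOWN_PATTERNS.items():
        if pattern in data:
            return name
    return None  # nothing in the list matched: "clean" as far as we know


def scan_tree(root: Path) -> Dict[str, Optional[str]]:
    """Scan every regular file under root; map file name -> verdict."""
    results: Dict[str, Optional[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            results[path.name] = scan_bytes(path.read_bytes())
    return results


def demo() -> Dict[str, Optional[str]]:
    """Build a constructed directory of samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Exactly the known samples: both are detected.
        (root / "known_a.bin").write_bytes(b"junk" + KNOWN_PATTERNS["Demo.Sample.A"] + b"junk")
        (root / "known_b.bin").write_bytes(b"constructed sample B payload")
        # "New" variants: one byte changed, so neither signature matches.
        (root / "variant_a.bin").write_bytes(b"THIS-IS-A-CONSTRUCTED-DEMO-SIGNATURE-a")
        (root / "variant_b.bin").write_bytes(b"constructed sample B payload!")
        # An ordinary file.
        (root / "clean.txt").write_bytes(b"hello world")
        return scan_tree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict or 'clean'}")
```

Note that the variants are "clean" only because the scanner has never seen them; that is the window between a new sample appearing and the vendor shipping a signature for it, and it is the window the post is talking about.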
#298227 - 01/29/08 10:56 PM Macs and malware [Re: cyn]
cyn (MFIF Admin)
Viruses aren't the only kind of malware. In the recent Any Mac Viruses? thread, tacit explained the different types of malicious software and which ones can infect your Mac:


To date, there are no "in the wild" viruses that can affect or infect Mac OS X. However, having said that, it's important to understand that when people use the word "virus" they're actually talking about, and often confusing, three separate and unrelated things.

Before I go into that, though: Yes, you will meet people who say their Macs have been infected by a virus. Some folks believe that any time anything happens on their computer they did not expect or do not understand, it must be a virus. We get a few of those from time to time here at MacFixIt. I've seen people say "It's a virus!" when confronted by anything from a defective keyboard to problems with their Internet service provider to their own ignorance about how Unix operates.

Technically speaking, there are four completely different, totally unrelated types of malicious software that people call "viruses." There are computer viruses, which are small programs that attach themselves to other applications and spread from application to application and from computer to computer. There are "worms," which are programs that do not attach themselves to applications, and copy themselves from one computer to another by exploiting flaws in networking software or server programs. There are "Trojan horse" programs, which are programs spread by deceit and lies. There are "rootkits," which are programs that bury themselves in a system and then hide themselves by modifying the operating system so that standard file APIs will not show them.

People also talk about "adware" and "key loggers." The classifications above refer to how a program operates; the names "adware" and "keylogger" refer to what a program does. Adware displays ads on an infected computer. Key loggers record each time a button on the keyboard is pressed, with the idea that if a person does something like visit his online bank account or his eBay account after he is infected, the key logger will record his password.

Let's talk about each of these one by one.

"Viruses" are little bits of self-replicating computer code that are not complete programs; they work by attaching themselves to other programs. When a computer is infected with a virus, which usually happens by copying a program off of an infected computer onto an uninfected computer, the virus copies itself onto programs, usually as they are run. For example, if you have a virus on your computer, and you run Adobe Photoshop, the virus embeds itself inside of Adobe Photoshop. Then you run Internet Explorer, and the virus embeds itself inside Internet Explorer. Then you run Second Life, and the virus embeds itself inside Second Life. Then you give your copy of Adobe Photoshop to your brother, and now his computer is infected. Some viruses can attach to types of files that are not computer programs, such as Microsoft Word files (these are called "macro viruses").

There are no viruses which can infect or affect Mac OS X, though Microsoft Word files which are infected with macro viruses can sometimes be found on Macs.

Worms are programs that scan computer networks searching for computers that are running programs that listen for network connections, then trying to exploit flaws in those programs to copy themselves. Worms work automatically. They do not need people to trade files in order to spread. They are a huge problem on Microsoft Windows systems, because when you install Microsoft Windows, it installs many programs that listen for connections from across the Internet and will accept incoming commands from other computers on the Internet. Worms do not always try to exploit built-in operating system programs; sometimes, they try to exploit flaws in server software that you install later. W32/Witty is a worm that propagated by copying itself onto Windows computers that were running a security program called Black Ice.

There are no worms that can affect or infect Mac OS X. When you buy a Mac or install OS X, there are no server processes running; your computer is not listening for connections across the Internet. Therefore, an infected computer from somewhere on the Internet can not connect to you and copy the worm onto your computer.

Firewalls are useful to prevent worms. A firewall blocks connections from across the Internet; firewalls are highly effective at stopping network worms.

A Trojan horse is any program that says it does something, but actually does something else. There are many examples. The common W32/Storm Trojan that infects Windows computers pretends to be a video game, or pretends to be an electronic greeting card. People deliberately download it onto their computers because they think that they are downloading a video game or a greeting card, but they are really downloading malicious software. Another common Trojan pretends to be a Microsoft security update. Still another common Trojan pretends to be pictures of Britney Spears naked.

The common theme of Trojans is that they never get onto your computer by themselves. You have to deliberately, intentionally download them and deliberately, intentionally run them in order to be infected. They will never infect you unless you specifically choose to put them on your computer and run them. So the people who create them use lies and deceit to trick you into putting them on your computer. It turns out that this is very effective; people are easy to trick and gullible enough to believe everything they read. If you have ever received an email that has a From: address of "security@microsoft.com" that says "Attached is a critical Windows security update, please download it and install it at once," then you have seen a Trojan. If you've received an email that says "Please click on this link to see a love letter from a secret admirer," and then when you go to the Web site you see a message saying "Please click here to download your love letter," then you have seen a Trojan.

There are Trojans in circulation for Mac OS X. One, which came out a while ago, pretends to be a pirated copy of Microsoft Office that you can download for free. When you download it, it deletes everything in your home folder. The other pretends to be a special piece of software that you need in order to view Internet movies or Internet porn. You will go to a Web site, you will see a picture on your screen that looks like a movie player, and you will see a message telling you that your computer can not show movies unless you download a video player CODEC and install it on your computer. If you believe the message and download the software, you infect yourself.

The last category is "rootkits." These are programs that will embed themselves in an operating system and then hide themselves by modifying the system in such a way that it won't display them. For example, they might change the way the Finder looks so that when you double-click on a folder, it will look empty, even though it has files in it.

Rootkits may be installed on a computer deliberately; for example, some rootkit writers will go to Internet cafes, install their rootkits on all the computers at the Internet cafe, and then whenever anyone goes to eBay or an online banking site the rootkit records what they do. Sony released a rootkit on certain music CDs some time ago; when a person put the CD in their computer, the rootkit copied itself onto the computer, concealed itself, then prevented that computer from being able to rip those CDs.

There is a rootkit that can infect Mac OS X. Like with a Trojan, it can not get on your computer by itself. It must be installed manually, and the person who installs it must know the password of the computer it is being installed on. Because of this, it is not a significant threat; since it has to be installed manually, it can not get onto a computer on its own, and since you have to know the password for the computer you're installing it on, a stranger can't put it on a computer by walking into an office or something like that.

The structure and architecture of Mac OS X makes writing viruses and worms extremely difficult. People have been trying for years to create viruses and worms for OS X, without success so far.

Trojans and rootkits (some of which are distributed as Trojans) are potentially a problem on any computer. They do not rely on hacking the computer or on infecting programs on the computer; they rely on tricking human beings into infecting themselves. As long as human beings can be tricked, it will be possible to spread Trojans.


Edited by cyn (05/19/08 07:38 AM)
Edit Reason: updated links
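The post above rests on one checkable claim about worms: they can only reach a machine that is "listening for connections across the Internet." Whether that is true of a given Mac (or any Unix box) is something you can verify rather than assume. The following is an added example, not from the original post, that audits the machine's listening TCP sockets and separates those bound to the loopback address (reachable only from the machine itself) from those bound to a network interface or to all interfaces (reachable from the LAN or the Internet, firewall permitting). It assumes lsof(8) is installed and accepts the flags in LSOF_CMD, which is the case on Mac OS X and most Linux systems; when lsof is absent it falls back to the constructed sample output embedded below, which is in the format lsof prints with those flags.

```python
"""Audit listening TCP sockets: which are reachable from the network?
Added example; SAMPLE_OUTPUT is constructed, not captured from a real host."""
import shutil
import subprocess
from typing import List, Optional, Tuple

# -n/-P: no DNS or service-name lookups; -iTCP -sTCP:LISTEN: TCP listeners only.
LSOF_CMD = ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"]

# Constructed sample in lsof's output format (assumption: same column layout
# as lsof prints with LSOF_CMD).
SAMPLE_OUTPUT = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812  root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
cupsd     900  root    7u  IPv6  23456      0t0  TCP [::1]:631 (LISTEN)
python3  1234  alice   5u  IPv4  34567      0t0  TCP 127.0.0.1:8000 (LISTEN)
nc       2222  bob     3u  IPv4  45678      0t0  TCP 192.168.1.5:4444 (LISTEN)
"""

# (command, pid, bound host, port, reachable_from_network)
Listener = Tuple[str, int, str, int, bool]


def is_loopback(host: str) -> bool:
    """True for addresses only the local machine can connect to."""
    host = host.strip("[]")
    return host == "::1" or host.startswith("127.") or host == "localhost"


def parse_lsof(text: str) -> List[Listener]:
    """Parse lsof LISTEN lines; '*' means bound to every interface."""
    listeners: List[Listener] = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 9 or fields[-1] != "(LISTEN)":
            continue
        host, _, port = fields[-2].rpartition(":")  # handles [::1]:631 too
        listeners.append((fields[0], int(fields[1]), host, int(port), not is_loopback(host)))
    return listeners


def network_reachable_ports(listeners: List[Listener]) -> List[int]:
    """Ports a remote host could connect to (the worm's attack surface)."""
    return sorted({port for _, _, _, port, reachable in listeners if reachable})


def live_listeners() -> Optional[List[Listener]]:
    """Run lsof on this host; None if lsof is not installed."""
    if shutil.which("lsof") is None:
        return None
    proc = subprocess.run(LSOF_CMD, capture_output=True, text=True)
    return parse_lsof(proc.stdout)  # lsof exits 1 with empty output when nothing listens


if __name__ == "__main__":
    found = live_listeners()
    source = "this host" if found is not None else "constructed sample"
    if found is None:
        found = parse_lsof(SAMPLE_OUTPUT)
    print(f"Listening sockets on {source}:")
    for command, pid, host, port, reachable in found:
        where = "NETWORK" if reachable else "local only"
        print(f"  {command:10s} pid {pid:<6d} {host}:{port:<6d} {where}")
    print("Ports reachable from the network:", network_reachable_ports(found) or "none")
```

On a fresh OS X install the live run should list nothing reachable from the network, which is the situation the post describes; each port that does appear is one a worm could probe, and each is a reason to either turn the service off or confirm the firewall is blocking it.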