Mac anti-virus: Why I’m trying out Sophos Antivirus for Mac Home Edition

“As Mac popularity grows so does the interest in developing threats for the platform, and while it is far more secure than Windows, it’s not 100% safe,” Simon Royal writes for Low End Mac. “Do we need to think about Mac anti-virus?”

“I’ve been a Mac user for 15 years and have enjoyed using a computer without the hassle of finding an anti-virus suite, maintaining and keeping my computer clean,” Royal writes. “With the introduction of Mac OS X and the rise in popularity of Apple’s portable devices, the Mac is no longer for the nerdy; it is now perceived as ‘cool’ – and with this comes a larger user base. More users mean those intent on infecting computers of the world could now see the Mac platform as a viable place to attack. In this article, I take a look at Sophos Antivirus for Mac Home Edition… I have been running Sophos on my 2009 MacBook running Mavericks for just over a week, and I haven’t noticed any performance drop since it has been installed.”

“Whether or not you think Mac anti-virus is necessary, is there any harm to having it installed? After all it, doesn’t suck resources, require time to maintain and update it, and its free,” Royal writes. “I intend on keeping it installed.”

Read more in the full article here.


    1. I pointed out in a reply below to Johnny Appleseed what’s going on with Mac malware at the moment. It’s up to individuals to decide what to do. But I can point out that there have been two Mac specific botnets since 2009. The first botnet used infected WAREZ installers, including a hacked installer for iWork. That botnet had over 100,000 Macs. A more recent botnet, in the sprint of 2012, had over 600,000 Macs. The infections were caused by the installation of the Flashback series of Trojans. They were called Flashback because they posed as installers for Adobe Flash Player.

      1. Derek, I’m not sure of the point of your post. Are you advocating the installation of anti-virus software on the Mac or are you saying that it’s fine running a Mac without anti-virus software. Sorry, your posts are informative but a bit too verbose for me to pick out the essence.

        I’m in the no anti-virus camp simply because I don’t see the need to eat up CPU cycles and memory just to run anti-virus on my Mac so long as I am careful as to what I download and give authorisation to. It seems to me to be an unnecessary expense in terms of resources on a Mac.

        1. I’ve been focusing on targeted subjects, not the whole. The best general statement I can make is that it’s up to the individual whether they want anti-malware.

          As someone who writes about Mac security, here’s what I do:

          1) I have ClamXav installed and up-to-date. It’s not the best. But there is a gang of us who continue to press the issue of keeping the ClamAV project current with Mac malware signatures. We try. They resist. We persist. It’s annoying. Meanwhile, Mark Allan’s ClamXav GUI for ClamAV is EXCELLENT. It’s free.

          2) For the paid anti-malware, the one I like best and continue to pay for is Intego’s VirusBarrier. It too is EXCELLENT. It scores excellent as well for finding current malware of all kinds, Mac, Windows and Linux. I highly recommend it. –You have to run it once for your entire computer for it to tag safe files. This is a relatively slow process. From then on, it skips over those tagged files and only analyzes new or changed files, which is FAST!

          3) For enterprise Macs, I recommend Sophos. They’ve got a great reputation and are also terrific contributors to security within the Mac community. Plus, they offer a free version for individual users that also has a great reputation.

          What I’d avoid: Obviously anything Symantec. I not only despise the evil of that company but their Norton anti-malware frequently scores low on detection. It’s also infamous for screwing up the Macs where it’s installed.

          Also well hated is MacKeeper. It’s the worst of the worst from all reports. Plus they’re incredible scammers as proven by their consistent click-jacking on the web to fool people into thinking their computers are infected. I don’t just suggest you avoid MacKeeper. I encourage people to actively work to get this garbage OUT of the Mac community permanently, it’s that evil.

          That’s my wordy summary. Make of it what you will.

          1. Keep in mind that for people who participate on this forum, typically are more Mac-or-computer savvy than the average computer user, so antivirus software may seem like a minimal benefit. For the average computer user, who still sees computers as a Black Box, then your advice should be considered Mandatory, for Peace of Mind, if nothing else.

        2. BLN,

          FWIW, I’ve used Little Snitch for years now and love it. After teaching it about what is acceptable activity, it stays out of the way for the most part. But it is ever vigilant and lets you know when there is something trying to ‘phone home.’

            1. You’ll like it. There was some Mac trojan that looked for the presence of Little Snitch. If the trojan detected that Little Snitch was active, it didn’t install its backdoor functions and gave up.


              The author of the trojan wanted to keep the true nature of the program secret for as long as possible. That last thing he needed was sophisticated users—no doubt active in the Mac blogosphere—being tipped off about the trojan early on.

      2. I keep challenging this myth of the 600,000 Mac botnet where ever it pops up. First of all, to get infected with this botnet one had to download infected character definitions from obscure websites in Eastern Russia. . . yet somehow, according to the intercept honeypot records, the vast majority of the infections were all in the United States (!) yet records did not show sufficient usage traffic to account for it. Secondly, no one ever found any infected Macs in the wild. . . only reports of the kind “I had a friend who had a second cousin who had a friend whose Mac was infected.” People who manage large numbers of Macs only reported that they found they had Macs that were listed as members of the botnet because the Mac’s UUID was on the honeypot’s list. However, many Macs were on that list that were found and TESTED and found to be Trojan free, in-infected, and in fact, had NEVER had Java ever installed on them! Some had never even been opened out of their factory sealed boxes and were still unsold. . . without Java, a requirement for the botnet to operate. Users on forums reported the test scripts found their UUIDs on the honeypot, but they were not infected. . . no one reported being infected except those who’s writing gave themselves away as anti-Apple trolls, saying things like “I spent $2500 on this IMAC to get away from viruses like the fanboyz told me and now it’s got a virus!” Within a month, the 600,000 number was dropped to 179,000. . . and then the topic faded from the radar. Those of us who administer Mac networks, NEVER saw an infected Mac. None of my clients ever called with a Flashback infected Mac. Not one.
        I believe that the so called discoverer of this botnet and honeypot, merely had a list of UUIDs assigned to Apple and used these to spread FUD about a mythical Mac botnet (remember, this was supposed to be cross platform, yet no one was finding Windows’ UUIDs in the honeypot, and 50% of Macs being sold were being sold over seas, yet better than 90% of the UUIDs in the honeypot were US UUIDs with the majority of the rest being in the UK, which makes no sense for a foreign language game website!) Where were the Windows members? This was just at the time when the DISCOVERER of the botnet was rolling out their new Mac anti-virus product. Yeah, right. And then they find a way to intercept the phone home of the botnet, so that infected can learn if they’re infected, using their software???? If you believe these coincidences, I’ve got a bridge in Brooklyn I’ll sell you cheap.

          1. Find an infected Mac. Show us one. There were Mac in the honey pot that had NEVER had Java installed. The number of “infected” Macs WAS dropped from the reported 600,000 to 179,000 then the reports of infection disappeared completely. It was as though the event never happened. All of the statements I made are true. I administer lots of Macs. Not one infection. No one I know can document a true infection. It is always somebody knows of somebody who was infected. Even on MDN, no one on here reported being infected that was not of the troll type posting I described. Don’t you find that strange? Where were the foreign Macs in the infected listings??? Something did not add up. . . and if one part of it is a lie, all of it is. You continually report the 600,000 number but that was debunked long ago. Kaspersky came up with the 179,000 after adjusting for the phony, non-distributed UUIDs, but even they didn’t adjust for the people who were reporting that their Macs were listed as being members of the botnet did NOT have the malware present, and/or never had Java installed, which would have reduced the number to an even smaller number. Not once in any forum I visited did I find what I considered a legitimate instance of a Mac infected with the Botnet. . . the description and language used by the few I found claiming infection simply did not jive with an actual Mac user’s experience, rather they came across as smug, contrived trolls. . . and Derek, I spent several weeks looking for them.

  1. My brother has NOD32 on both his PCs and Macs. I asked him if he ever got a hit on the Macs and he said it’s never found anything, unlike what it would block on his Win7 machines.

    1. Trojans are definitely the vast majority of Mac malware. But thanks to the terrible security in both Adobe freeware and Oracles’ bastardization of Java, there has been a series of drive-by infections as well as infection of seemingly innocuous files that, when opened, run JavaScript of Java code that infects Macs.

      At this time, Adobe’s crap Flash Player plug-in has thankfully been sandboxed on OS X 10.9 Mavericks, but NOT on any other version of OS X. Latetly, Adobe has been pumping out Flash security fixes once a month.

      As for Oracle’s Java, just don’t use it, if possible. Java used to be sandboxed by default. That has been blown to hell by Oracle and is never going to be fixed. There are zero-day Java security holes being exploited in the wild at this moment, it’s that bad and Oracle is that careless. Thankfully, in recent versions of Safari, Apple has forced the crap Java plug-in to be turned off unless the users specifically requests it to be turn on site by site.

      1. Malware and vulnerabilities are two different things. Not every vulnerability discovered Mac’s Java and Flash run times has had malware exploit them – malware like that that is very rare, and every one I know of required the user to install a Trojan.

        Macs have many layers of security, so a single unpatched vulnerability isn’t usually enough for malware to run havoc.

        1. Correct. But I don’t understand why you had to point that out. I also disagree with the statement:

          Macs have many layers of security, so a single unlatched vulnerability isn’t usually enough for malware to run havoc.

          Bullshit. I never FUD, but again I have to point to 600,000 botted Macs due to the FlashBack Trojan horse series. Fool the luser that it’s a Flash Player installer, PWN their entire computer.

          So I should add that part of getting Trojans installed is to use ‘Social Engineering’, which is all about conning the mark. Social Engineering RULZ Wall-Nut Street right now. It could not be more obvious. It’s part of ‘The Spirit of the Age’: Screw They Customer.

          1. I will dispute the 600,000 botnet. We had two IMacs in my office, all with Java Installed, whose UUIDs indicated they were members of the so called botnet. They were not infected. Nothing. Thoroughly checked. That’s what got me suspicious to do the research

            1. How is the FACT that I own two macs, among many others on our office network, whose UUIDs that were in the honeypot that said they were members of this mythical botnet, yet were NEVER infected, never had the malware on them, a lie??? The is a fact. The fact is I have worked in IT for over thirty years, personally checked these machines and confirmed both their UUIDs and the lack of infection, which is what started my research on this claimed botnet in the first place, that shows me that it IS NOT what was claimed. You claim I am a liar. Yet the facts I have laid out are as I have found them. EVERYTHING is based on news reports from single source and what was found in that damn honeypot. Yes, Flashback existed. . . But it was based on a security hole that had been closed more than six months earlier. It was old news. The honeypot was reporting infections for UUIDs Macs that did not even come with Java preinstalled, that required users to actively download it, ignore warnings, and activate it, in percentages higher than Apple said were normal. Again, when you add that to the fact that the honeypot was reporting UUIDs for brand new Macs that had not even been sold, Macs that did not have Java even installed because they had yet to be started up, then something is VERY wrong with the botnet member list! It has to be a construct made up of known UUIDs that someone got a hold of that was known to have been and WILL BE assigned to Apple Macs. That is the only way new, uninfected or non-java Macs could be on a list of computers that have supposedly “phoned home” to the botnet control server (or the intercept honeypot) to be listed as members of this “huge 600,000 Mac botnet.” Can you explain another way??? I can’t.

        2. I really get tired of Mac users being described as ‘smug’ just because we made the smart choice and chose the inherently more secure computing platform. We are smart enough to realize that no operating system is perfectly safe. But we also realize that an OS that is much more inherently secure than Windows is a great start. Combine that more secure OS with safe internet practices and avoidance of Adobe products and we Mac users have less stress and greater computing enjoyment.

  2. “…is there any harm to having it installed?”

    a decade ago I installed Norton anti-virus. it was going through a “repair” during a scan, caused my Mac to crash. when I rebooted, it had damaged many of my files.

    i tried to un-install Norton, only to find they install all this crap all over the drive. murder to get rid of it.

    and yes, I felt it working in the background, slowing down my system when it was scanning.

    glad to use a Mac and glad to never have to use anti-virus ever again.

    1. I’m chattering too much in this thread. But I have to point out that Symantec has actively HATED on Mac for decades. They were the ones who invented the deceitful ‘Security Through Obscurity’ myth in 2005. Their Norton anti-malware scores poorly for detection AND is infamous for doing EXACTLY what you experienced on your Mac. I hate Symantec.

      Please do NOT let stupid Symantec screw your head over as well. I’ve pointed out some excellent anti-malware in the tread, all worth using, none of which screw up your Mac, all of which are provided by companies that LOVE the Mac and make wonderful contributions to the security in the Mac community.

      One more time! They are: ClamXav (free), Sophos (free or paid versions), and Intego VirusBarrier (free or paid versions) which is my favorite for individual users.

      1. The Symantec attitude is a little bit more complicated than that. When I worked at JPL in the late 90s, I had a conversation with the lead Mac Support tech there, who told me that Symantec’s main Mac programmer had quit and gone on to work elsewhere. At the time, his concern – rightly – was about the quality of continuing Mac Support, and the response he got from them was that Management was planning to minimize or shut down the Mac product because it was felt Windows sales were more lucrative. So I suspect from your telling of events that Symantec’s attitude hasn’t changed: one of laziness and indifference. But if that’s considered Evil, then so be it.

        1. No, Symantec has NOT been ‘indifferent’ to the Mac platform. The entire period of time I’ve been involved in Macs, 1991-now, Symantec have been nothing less than aggressive in their public verbal hatred of Macs. Then add in the laziness.

          Again: It was Symantec who published the ‘Security Through Obscurity’ bullshit in 2005. That’s where it began. That’s not ‘indifference’. That’s aggression.

  3. I had viruses on my Macs back decades ago – “High Scores” rings a bell as the most frequent offender. But that was decades ago, literally probably Macintosh System 1.xx. Since the virus age (the last 15-20 years?), I haven’t seen one. I think System 6 might have still been slightly vulnerable if you were still swapping floppies with the local UG, but nothing since System 7 came out, for sure.

    1. By the end of the original Mac OS era, there had been a total of ~55 Mac specific malware. Since the dawn of OS X, I’ve kept track of 106 OS X specific malware. My net friend Thomas Reed has a cache of 188, although some of them are minor variations of the same malware.

      Apple has done a terrific job building security into OS X in recent years. If you’re running OS X 10.6.8 upwards, you literally have anti-malware protection already, built into the OS and Safari. It’s by no means perfect and does nothing to detect malware for other platforms. But it’s good.

      1. That’s a bit misleading if someone only reads that as MacOS had ~55 and OS X had 106-188.

        MacOS had a bunch of very active viruses, all during a time when Macs weren’t nearly as connected or involved with sending and receiving of files as we are today.

        The overall number of infections during System 6 and System 7 were huge and widespread. It was enough of an issue that the Authorized Apple Service Center that I managed (one of the largest) routinely did a virus scan with each Mac that was brought in for service.

        While there have been some trojans in the wild, most OS X malware has been contained and never widespread.

        Don’t pirate software.
        Don’t install Java.
        Keep Flash up-to-date and only install from
        Use Gatekeeper (built in to OS X).
        Keep OS X up-to-date.
        Keep your apps up-to-date.
        Use https.

        Use best practices when it comes to usage, and you’ll find yourself better off than running anti-virus software. As in more data loss has occurred from people running anti-virus software in OS X than without running anti-virus software. In addition, there is the cost, the time and hassle, and the consumption of computer resources involved.

        This differs from MacOS where best usage practices would still put you highly at risk if you had not been running anti-virus software.

        1. One disagreement: The two Mac specific massive botnets that I describe earlier up the thread. A botnet of 600,000 Flashback infected Mac is NOT to be ignored. That was a Trojan, and 600,000 users (or LUSERS) installed it.

          Meanwhile, I have the number right for Mac OS. And I remember visiting many publishing companies on seek and destroy missions to rid them of a Mac malware infection that traveled on font installation disks. It was a nightmare. I’ve never dismissed the chaos created by those 55 Mac OS malware, many of which were actual vicious viruses.

          1. “A botnet of 600,000 Flashback infected Mac is NOT to be ignored”

            Sure it is, if you don’t have Java installed.

            “Meanwhile, I have the number right for Mac OS.”

            It’s not the number that I was taking issue with it’s comparing the number of MacOS malware (mostly viruses) to the number of OS X malware (mostly trojans) instead of comparing the number of MacOS infections to the number of OS X infections.

            I think that’s highly misleading (188 > 55) in that the reality was that those 55 were widespread and unavoidable (in shared environments) with best practices that excluded the use of antivirus software wherein those 188 are easily avoidable in even highly shared and networked environments as long as best usage practices are used (outside of anti-virus protection).

            1. I cannot agree with you at all. You’re spreading ignorance and feeding the rumor that Mac users are security illiterate.

              Read what I wrote. Quote what I wrote. Never inflict bullshit into an intelligent conversation. Now get lost.

            2. Did you just reply to the wrong comment? I literally copied and pasted your quotes.

              If you meant to reply to me:

              You’ve got serious (anger?) issues beyond malware that you might want to get checked out. What part of what I wrote is bullshit?
              The Flashback trojan required Java to be installed, and could/can be ignored if you don’t have java installed.

              You’re comparing numbers of variants with disregard to numbers of infections which is the real issue to be concerned about. How is this not the case?

            3. Derek,

              Seriously, calm down and take a deep breath and read what you wrote again and consider the perspective of someone who doesn’t know anything about the subject.

              You were around during the MacOS years as you yourself later comment on how bad it was dealing with those 55. We’re all here now and nobody from back in the day would compare the chaos of then to the relative security of today, right?

              So when you write a paragraph that compares ~55 to 106-188, instead of the impact of those ~55 to the impact of the 106-188 it’s misleading. That’s all I’m saying.

              Instead of just accepting that, you feel the need to point out that 600,000 Macs were infected by Flashback. And I haven’t disputed that number either. All I’ve said is that there are best usage practices that exclude the use of anti-virus software that prevent things like Flashback. Not running Java is one of those things, and in fact prevents/prevented Flashback.

              What I’m calling you out on is not on your facts. They’re all 100% correct. It’s a question of using the right numbers wrongly. Comparing 106-188 to ~55.

              Really, the only basis for disagreeing with me would be to say that malware during OS X has been worse than MacOS in terms of the percentage of Macs infected and that it’s harder to prevent infection in OS X without anti-virus software than it was in Mac OS. If you disagree with either of those two, then provide some basis of an argument.

          2. This was the Auto-Start virus that used a hole in Quicktime auto-start to reboot the computer and install an extension which searched for every mounted drive or disk image and infect it with a time bomb, which after a period of time began to over-write every graphics file it could find.

            I know this because my wife worked for Symantec from about 1994 to about 2000. Previously she had been a repair tech for a huge Mac reseller. She went form Symantec to Dantz development where she supported cross platform backup software.

            Symantec did not consistently have a hatred for Mac. After the head Mac programmer quit (the guy who invented the disk edit program) they could not replace him at a reasonable cost, so they considered doing away with Mac software and support altogether. But after a period of time they realized that though they sold less Mac software, it was more profitable per transaction because those customers seldom called for support. My wife was one of those Mac technical support people, and she probably worked for the support supervisor mentioned above.

            Then, with the advent of a new CEO about 2000 they had a stock price spike due the austerity campaign instituted by that new CEO which saw a reduction in Mac and other products, reduced marketing, they asked for volunteers to take severance so they could reduce the head count. My wife and I were about to get married, and she wanted to come live with me in the SF area in CA, so she accepted. Shortly after she sold off her employee stock option investments the cuts hit home and the stock tanked.

            So it’s not so much that Symantec hated Apple. It was more that they couldn’t make up their mind whether to invest in support for Apple products.

    2. Hmmmm… fun researching that ancient history and remembering what really might have happened. “Scores” was apparently only there on System 6 and 7 – I thought it was earlier. I don’t think I used any of Systems 2-5, but I remember 6 and the big upgrade to 7 quite well. I did upgrade to 6 about the time I had the issues, so that could be right. I didn’t have problems with System 7, which didn’t come out until 1991. I know I didn’t still have problems then, so suspect the Wiki article about it might even be wrong on that point, but I can’t say others didn’t still have it.


  4. I’ve had Sophos Anti-Virus and ClamXav installed and running on my 5-year-old MacBook Pro for three years now, after discovering half a dozen Word macro viruses (and realizing that I was sending virus-laden Word documents to people because the Normal template was infected). A Sophos Anti-Virus scan found and removed the viruses. I’ve had several downloaded files flagged by the scanners since then, with no discernible impact on the computer’s performance in the meantime. (But I’d never install anything from Norton, having had horrible luck with it years ago.)

  5. I’m so tired of the “security thru obscurity” myth. what a load of bs! cracking the Mac OS would be a crown jewel in any hacker’s world. especially since it’s proven that mac (and iOS) users are more affluent than users of other operating systems.

    security is baked into Unix, and therefore Mac OS X. install questionable software from questionable sources and you are entitled to reap what you’ve sewn.

    this argument is old, tired, and unnecessary.

    1. I’ve written out the math many times pointing out that Mac ‘Security Through Obscurity’ was never anything but bullshit from haters. The original myth was foisted in the spring of 2005 by none other than SYMANTEC.

      Here we are 8 years later and… either that ‘obscurity’ is intact, or the Mac always was safer than Microsoft alternatives. You decide. But I’m happy to show the math yet again for those interested.

  6. I run click to flash, like wise the same for Java. In addition, I run Sophos on my Mac, not for the Mac, but for Windows. I get spam and viruses sent to my Gmail and Yahoo accounts all the time. It’s not that I have done something, it’s that our email providers aren’t doing enough. Anyway, I am protecting more than myself with AV installed.

  7. I would bet that this guy is cashing a check from Sophos. Why else would any long time Mac user be a shill for anti-virus programs. Been on iBook and Mac Book Pros since ’01, no problems. Just take care when you type that Admin. password.

    1. Yeah but, Sophos doesn’t make a paid version of anti-malware for individual users. They ONLY charge for their enterprise level anti-malware. That’s not the target audience of this admittedly messy article, from what I can tell.

  8. I wonder what certification is it that puts anti-virus software companies above the spy-on-your-computer fray? Who gives them the passing grade? If there ever was an easier way to…

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.