
Microsoft Defender Comes to the Mac - kaboro
https://techcrunch.com/2019/03/21/microsoft-defender-comes-to-the-mac/
======
saagarjha
Mac users cringe worldwide as they anticipate overzealous IT departments
mandating that they install this on their computers. Seriously, though: why does
this exist? What does it protect Macs from? There are only a handful of things
that actually target macOS, and XProtect flags most of them pretty quickly…

~~~
kiwijamo
My ${dayjob}’s IT department installs security software from Symantec onto the
Macs in our organisation. If they swap that out for the new Microsoft tool in
the article that might be a net benefit.

~~~
qlm
Same, and Symantec is hot garbage that eats CPU and battery for no real
benefit.

~~~
misnome
Oh yes, our IT has mandated it installed on our (oldish) build server. That
went about as well as you can imagine, with all the file access.

~~~
swarnie_
Having enacted similar policies before I can say with some certainty your IT
department don't actually care. They're most likely trying to fill out a
checkbox on some compliance/tender document from a decade ago.

------
jeroenhd
If Microsoft can make the Mac version perform as well as the Windows version,
this is good news for Apple users. Apple's current attempt at antiviral
software seems to be "prevent infection by making it tough to run malware"
combined with a very simple signature based system.

This approach works for people who know not to click strange links, but as
long as people give their life savings away to scammers pretending to be the
IRS or Microsoft, people will just open random software from the Internet as
long as someone is telling them how to open the relevant executables. Linux is
much the same way (are there even antivirus products for Linux other than
ClamAV?) despite half the Internet running on mostly-unprotected Linux
servers.

However, due to the lack of signatures available on macOS viruses, I do wonder
how effective MS Defender will be. There's various interpreters and shells
available by default which make it easy to write an obfuscated virus script
for OSX (python, Ruby, bash, and so on) which is not as relevant in the
Windows world.

To the people who complain about "bloatware" being forced onto their machine:
you're just as likely to get infected by a virus as the other techie people in
your company running Windows or Linux. How can you blame your boss for wanting
to prevent getting hacked? Apple's own AV is just not up to the task.

~~~
soraminazuki
You seem to assume that AV is an effective cure for people installing random
software on the internet, but I have never seen proof that this is the case.
Worse, there are many instances of poorly written AVs negatively impacting the
security and performance of the system it’s supposed to protect.

~~~
jeroenhd
It's true AV software won't fix behaviour. However, plenty of software gets
exploited. There was a news item a few years back when pirated versions of
Xcode inserted malware into some iOS apps; several big software projects have
had their servers hacked, serving malware through official download links.

AV won't fix users wanting to launch pirated games or software from sketchy
sources for example. However, it can fix malware placed on a system after an
exploit.

I have more faith in Microsoft and their Defender suite than any commercial
AV vendor or Apple itself. Right now, people are using Sophos or McAfee or
Bitdefender on corporate Apple devices; none of those have a good reputation
with me. I'd strongly prefer Microsoft's AV solution over any existing macOS
security suite.

As for performance, any AV will cause some performance drops if you enable
live scanning or during periodic scans. Having a macbook scan overnight does
not cause an issue, having live scanning running during compilation will
slaughter performance. The performance impact is up to how the AV is
configured.

------
Dinux
We've used Windows Defender for Linux systems for quite some time (simply by
allowing access to the remote filesystems) and we have been positively
surprised that threats for Unix/Linux-only systems are caught just as fast,
even though there is no official support outside of Windows thus far.

However at the time almost all of the malware definitions are from other anti-
virus companies and Microsoft happens to ship them via Windows Update. But
this could have been changed by now.

If Microsoft is serious about the 'user-centric' approach, which it seems more
and more the case as opposed to just a cheap PR stunt, it might be a good move
to open-source the whole Defender base and include some Linux users while
they're at it.

------
SCdF
Any super smart threat people reading this?

Does anti-virus matter anymore?

I haven't installed one for years, on Windows, Mac or Linux (decades?), it's
unclear if that is a mistake or not.

~~~
h2onock
No Anti-Virus on a Windows machine!? Are you a maniac!?

~~~
zingmars
It's not the 90's anymore, getting a virus is pretty hard. Hell, it wasn't
really all that easy in the first place, unless you pirated or installed shady
software from shady ads on shady websites.

~~~
bluedino
Not really. Still happening every day with home users and corporate america.
Botnets still have tens of millions of PCs and CryptoLocker is as common as
ever.

------
ggm
My ICT people made me install sophos on OSX. Even when disabled, the hooks it
had into the VM and VFS layers intruded into my life and made other
applications I depend on hang. Once I de-installed it, this behaviour stopped.

The moral of the story is that an after-market security solution not designed
by the core architects is very likely to be buggy. They don't understand
things. They make bad assumptions.

Windows Defender was designed by people who know windows. It works well on
Windows because it respects the core architecture. If this defender is written
in native OSX code, and obeys all the documented and un-documented OSX things,
and if Apple staff commit to forwarding bug reports to Microsoft, it might
work, one day, five or more years in the future.

Until then, I suspect like Sophos, it's going to crash my Mac.

I feel like one of those curmudgeon memes with a "prove me wrong" sign on my
desk at school.

~~~
jeroenhd
Based on what I've read about the native "protection" macOS provides, there's
no real alternative way to scan files on-access other than to place hooks.

However, if you look at the performance on Windows, Windows Defender is one of
the best scanners out there. While some sort of added bottleneck is inevitable
(especially during workloads like compiling software or downloading thousands
of small files (NPM/Composer/etc)), I wouldn't be surprised if regular users
wouldn't notice such an extensive slowdown in their daily work.

Perhaps to some extent the Windows and Mac version share a portion of their
code, but at kernel level the Windows Defender system is simply incompatible
with macOS. A redesign of the performance-limiting features is a necessity in
this case, so I strongly doubt the "people who know Windows" were the ones
that designed the kernel interface layer.

Basically, expect small freezes during compilation, but not crashes.

~~~
ggm
I think you kind-of made my point: Windows Defender demanded Windows experts.
OSX Defender demands OSX experts. Now, remind me again, are they employed at
Redmond, or Cupertino?

I expect small freezes. I expect pretty big ones too. Your optimism is exactly
what my ICT guy said about Sophos.

------
stakhanov
Glad someone is finally doing something about there not being enough bloatware
on the average Mac!

------
butz
How about just hardening macOS installation?
[https://blog.bejarano.io/hardening-
macos.html](https://blog.bejarano.io/hardening-macos.html)

------
jeffbax
My gut tells me that XProtect, SIP, and only allowing software signed by Apple,
as is the default, should be enough for most users to not worry.

"Don't just type in your password" is something everyone using windows or Mac
or Linux should be taught.

Don't think I'd bother with this, but interested to see it play out. Maybe
it'll have positive detection effects that feed back into XProtect
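
The three baseline protections named in the comment above can be audited from a shell. The script below is an added example, not code from the thread, from Apple or from Microsoft; it assumes the output formats that `csrutil status`, `spctl --status` and `spctl --assess --type execute --verbose` print on a default macOS install (the sample strings embedded in it are constructed for that purpose). On a Mac it queries the real commands; anywhere else it falls back to the samples so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple/Microsoft): audit the
# baseline macOS protections jeffbax lists. Real commands are used when they
# exist; otherwise the parsers run on constructed sample output.

# `csrutil status` prints "System Integrity Protection status: enabled." (or
# "disabled."). Return 0 when SIP is reported enabled.
sip_enabled() {
  printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: enabled'
}

# `spctl --status` prints "assessments enabled" or "assessments disabled".
# Return 0 when Gatekeeper assessments are on.
gatekeeper_enabled() {
  printf '%s\n' "$1" | grep -qi '^assessments enabled'
}

# `spctl --assess --type execute --verbose <path>` prints "<path>: accepted"
# or "<path>: rejected", followed by a "source=..." line explaining why.
# Return 0 when the verdict for the given path is "accepted".
gatekeeper_accepts() {
  path="$1"; output="$2"
  printf '%s\n' "$output" | grep -q "^$path: accepted"
}

# Reduce the two status outputs to one line: "SIP=on|off GATEKEEPER=on|off".
summarise() {
  sip="off"; gk="off"
  sip_enabled "$1" && sip="on"
  gatekeeper_enabled "$2" && gk="on"
  printf 'SIP=%s GATEKEEPER=%s\n' "$sip" "$gk"
}

# Constructed sample output (assumed default-install format, not captured
# from a real machine) used when the macOS tools are not present.
SAMPLE_CSRUTIL='System Integrity Protection status: enabled.'
SAMPLE_SPCTL='assessments enabled'
SAMPLE_ASSESS='/Applications/Safari.app: accepted
source=Apple System'

# Query the live system if possible, else use the samples. Always returns 0
# so the script can be sourced under `set -e` without aborting on a finding.
audit() {
  if command -v csrutil >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1; then
    csr=$(csrutil status 2>&1)
    gk=$(spctl --status 2>&1)
  else
    csr=$SAMPLE_CSRUTIL
    gk=$SAMPLE_SPCTL
  fi
  summarise "$csr" "$gk"
}

audit
```

A machine where this prints anything other than `SIP=on GATEKEEPER=on` has lost one of the default protections the comment relies on; `gatekeeper_accepts` is there for checking a specific binary before double-clicking it, which is the step that the "don't just type in your password" advice is about.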

------
chronogram
This makes a lot of sense after putting 365 on the Mac App Store and perhaps
builds on this: [https://techcommunity.microsoft.com/t5/Security-Privacy-
and-...](https://techcommunity.microsoft.com/t5/Security-Privacy-and-
Compliance/New-labeling-capabilities-in-Office-apps-helps-you-
protect/ba-p/325771)

------
out_of_protocol
* Will silently install Windows 10 in meantime

------
setquk
Bet it contains telemetry!

~~~
nindalf
How does a forum mostly made of software engineers hate opt-out telemetry so
much? How do you know how well your software is doing in the wild without
knowing about 1) Crashes with stack traces 2) which features actually get
clicked on. How do you make decisions without this information?

Example - Mozilla is going to remove support for TLS 1.0 and 1.1 [1]. A good
change, we can all agree. But what if half their user base was relying on this
feature? Can they still remove it? Should they commission a user survey asking
everyday users about TLS? Fortunately, they have telemetry that tells them
that only 1.2% of all connections are made with these versions of TLS. Cool,
this change can go ahead.

If you were in charge at Mozilla and you don't want to collect opt-out
telemetry, please tell me how you would have made the TLS decision.

Literally what are you scared of that telemetry will send? If you're so
concerned about it, why don't you just opt out?

[1] - [https://blog.mozilla.org/security/2018/10/15/removing-old-
ve...](https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-
tls/)

~~~
saagarjha
> Literally what are you scared of that telemetry will send?

This is dangerously close to a “nothing to hide” argument. The issue with
telemetry is that it’s difficult to do it right, and often it ends up just
siphoning data that ends up being abused or mishandled. Having this be opt-in
raises questions of consent.

~~~
nindalf
I'll be explicit then. Let's take the example of Microsoft VS Code. You have
"nothing to hide" from a text editor, as long as it's not uploading the
content of any of your files. VS Code is open source, it's trivial to check if
it does.

If you think there is something that it might upload that you might not like,
please let us know. Here's the extension -
[https://github.com/Microsoft/vscode-extension-
telemetry](https://github.com/Microsoft/vscode-extension-telemetry). You can
check for usages here -
[https://github.com/Microsoft/vscode](https://github.com/Microsoft/vscode)

There is plenty of personal information that I never want shared with anyone,
like my location history, who I speak to and so on. But what shortcuts I use,
what features I use in an application, _after_ it's been anonymized? I have
"nothing to hide" there.

~~~
admax88q
Why are you choosing an open source example when the parent thread is about a
closed source program?

~~~
nindalf
Because _every_ HN thread [1][2] about VS Code brings up the telemetry.
Despite the fact that it's opt-out and it's open source. At this point, it's
just irrational.

[1] -
[https://news.ycombinator.com/item?id=19427773](https://news.ycombinator.com/item?id=19427773)

[2] -
[https://news.ycombinator.com/item?id=19109815](https://news.ycombinator.com/item?id=19109815)
(this one is great, because it's a task raised on dotnet cli, but posted on
the thread about VS Code release notes)

------
simongr3dal
Maybe it will at least stop normal people from installing mackeeper or
similarly FUD-spreading bogus anti-virus software. It's a real pain to try
and uninstall completely.

------
mark_l_watson
I am going to try it. I like Office 365 on the macOS (and the web versions of
Office apps for Linux) and unless I hear any negative reports I will try it
out on my MacBook.

------
bni
This will be a great attack vector to get into corporate networks. Thanks!
/Bob the evil hacker

