
Ask HN: How to secure your Apple Mac against malware/viruses? - questionr
Are Macs just as susceptible to viruses/malware as PCs? I'm under the belief that it is, but that less malicious code is written for the platform as it's a smaller demographic of users.

Do you bother installing any "anti-" software? If so, which?

What further recommendations do you have for system configurations and tools?
======
gameofdrones
- IceFloor (since OS X includes pf)

- mDNSResponder -NoMulticastAdvertisements

- Hands Off!/LS

- Vera/TrueCrypt

- Samhain/TripWire

- GPG Tools

- Homebrew packages

- a password manager

- 5x DNSCrypt-proxy instances round-robin'ed with dnsmasq

- Chrome/FF

- TorBrowser

- i2p

- no unnecessary apps

- follow the NSA and other guides for securing OS X (FileVault 2, firmware
password, don't use iCloud Keychain, etc.)

- use DBAN on old systems and drives

Be aware that security has to be balanced and leave a usable device, and some
security measures interfere with and/or disable certain features.

And no flash/adobe, browser java plugin

References:

[https://github.com/drduh/OS-X-Security-and-Privacy-Guide](https://github.com/drduh/OS-X-Security-and-Privacy-Guide)

[http://docs.hardentheworld.org/OS/OSX_10.11_El_Capitan/](http://docs.hardentheworld.org/OS/OSX_10.11_El_Capitan/)

[http://www.tenable.com/blog/hardening-os-x-using-the-nsa-guidelines](http://www.tenable.com/blog/hardening-os-x-using-the-nsa-guidelines)

[https://ist.mit.edu/macosx/1011](https://ist.mit.edu/macosx/1011)

[https://walterkilar.wordpress.com/2016/05/08/apple-os-x-el-capitan-10-11-secure-configuration-guide/](https://walterkilar.wordpress.com/2016/05/08/apple-os-x-el-capitan-10-11-secure-configuration-guide/)

~~~
questionr
awesome thanks!

------
ams6110
Have a separate administrator account that you don't use for ordinary work.
Your normal account should not have administrator privileges.

Don't run Flash, Acrobat or anything else from Adobe.

Use a good ad-blocker.

Never click on a link in an email, or open an email attachment.

I don't run any antivirus on my Macs.

------
brianjking
Little Snitch is definitely a good tool, built-in Mac OS firewall, uBlock
Origin, uninstall Flash or disable it another way. I'm considering trying out
BitDefender for Mac, but I've never had an issue before without added
protection. _knocks on wood_...

------
yellowapple
The first step to securing any desktop computer, regardless of operating
system, is to reduce your attack surface. Notably:

* Make sure your firewall's enabled and strictly configured

* Don't install arbitrary programs from the Internet

* Related to the above, _don't pipe 'curl' into 'sh'_, and publicly scold anyone who's negligent and/or malicious enough to include that in the official installation steps of any program

* Make sure your web browser(s) is/are up-to-date

* Install an ad-blocker on said web browser(s)

* Disable anything that involves running arbitrary Turing-complete code off the Internet, including Flash, Java, and _especially_ Javascript. If some newfangled Wangular.js web-scale tangled mess of obfuscated code fails to run in your browser, then it's up to you to make that choice to enable it.

------
atmosx
Security != Flexibility and if you're going to make your daily workflow hell,
then _the hell_ with security measures! That is not valid for your working
desktop ofc.

Security is a collection of policies more than specific programs. You need an
anti-virus to scan for malicious files, possibly the moment they are locally
available.

I used to use littlesnitch, clamxav and spamsieve (since I don't do mail
filtering server-side). But never encountered any virus for mac. Everything
clamxav was catching up was either false positives or spam emails with zip
files which all ended up in the SPAM folder anyway.

------
alexmingoia
Some malware doesn't even touch the file system nowadays - software like
little snitch and tripwires are easily circumvented. All it takes is some
remote code execution and you're fucked, so the best strategy is
compartmentalization and extreme caution as to what code you execute. Only run
signed apps from the AppStore and remove flash, pdf, and Java from the
browser. The most critical thing is never running anything that didn't come
from the AppStore and trusted vendors, and keeping OSX up-to-date.

------
akulbe
I've been a Mac user since 2004. Up until December 2015, I never ran any type
of anti-{malware,spyware} software on my Macs.

Then I went freelance, and as part of the contract with my first customer,
they required I be running AV stuff on any of my machines that connect to
their network. I happily complied.

My Macs run ESET. (Linux machines as well, consequently.)

------
0942v8653
Related: is it possible to use ClamAV without the daemon, etc.? I would like
to run it manually on specific files/dirs, but I don't know if I can.

~~~
rudolfochrist
Yes you can. I do

    freshclam

to update the virus DB and then

    clamscan -iorz /

to scan the system.

(see `man clamscan` for the flags)

