Antivirus For Mac: The Scary Results

Why An Antivirus For Mac?
What Is The Best Value Antivirus For Mac?

-Macs don't get viruses!
-Well, they can. They can also get Trojans, rootkits and other malware. Keyloggers too.
Fewer than Windoze, yes, but basically only because of market-share economics. Nothing else, really.

As of 2010, Apple is selling about 1 in 5 computers in the US market, and that share is climbing, so rest assured, dear Mac fan, that your average malware maker has duly noted the fact.
The malware/crapware manufacturer has shifted from the bored geek of the '90s to well-organized criminal groups.
Put plainly: it's about the money. Writing a virus for 1% of the market is not economically viable; writing a piece of code for 50 or 100 million potential targets is a different matter.
Let's see... assume 75M Mac users. If you can catch 1% of them and steal $10 from each, that makes $7,500,000. What do you think, is it worth it for them? Coding a cryptoworm for 30 days and raking in $200,000 in a few days? And for you: how much would you pay to get all your data back? $10, $50 or more?

Do you think I am exaggerating?
Here is an excerpt from the very serious report on the Koobface worm, "Koobface: Inside a Crimeware Network":
  • "The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs and forcing compromised computers to install malicious software and engage in click fraud, the Koobface operators earned over US$2 million between June 2009 and June 2010."
  • Average earnings per day: ~$5,860, and this figure includes weekends. That is $178,000 per month.
Source: The Information Warfare Monitor. The full report is available on the page; please take a minute to read "Part 2: The Money".

My point is: as of now, if you do not have some sort of protection, you are a sitting duck. Sooner or later, you will be shot.

The Ranking

ClamXav         Grade: 29%
iAntivirus      Grade: 52%
MacKeeper AV    Grade: 42%   (antivirus alone)
Norton AV       Grade: 81%
Sophos AV       Grade: 90%
Intego VB6      Still being tested


The Tests: Macintosh Best Virus Protection

I selected 6 antivirus products to compare. 3 of them are free: ClamXav, iAntivirus and Sophos Home Edition.
Norton AntiVirus and Intego VB6 have a yearly fee; MacKeeper AV comes in a bundle of about 15 apps together.
Sophos Pro, for business, has a yearly fee too. The free Home Edition of Sophos has no support, just a user forum.

I used the standard EICAR test string and placed it in different files and situations to test the response of each antivirus. (EICAR = European Institute for Computer Antivirus Research.)

The goal was not to find the "fastest" but solely to see whether each one could find the test string(s) wherever my twisted mind tried to hide it. Scanning a file in plain view is not that hard, but what if you put an infected file in a disk image? Or in a deeply nested zip? What if you change the extension, or download it via HTTPS? Does the antivirus let you download the infected file, or does it block it before it reaches your hard drive? How deep does it scan: too deep (zip bomb) or too shallow?

Speed vs. Reliability
There is no surprise here: the very fast ones are just skimming the surface, while the slower ones are digging deeper.
If you scan at night, speed is not an issue for you; if your computer is already slow and you scan while you work, it could be. Furthermore, some AV pretend to perform a "full scan" when in fact they only scan the home folders.

Options, Options, Options
The need for speed is the culprit. AV makers duly noted that complaint #1 was the time needed to (fully) scan a whole disk, so they use "options" to make scans lighter. So watch out: Trojans left out, keyloggers not checked, "only" home folders or "only" logged-in users scanned, archives not scanned, etc.
As a piece of advice, scan only once, but scan as deep as you can: the very well coded malware has a tendency to go deep into your system. Options should be set to the max by default.

White List
When performing two scans in a row, the second scan was blazing fast with Norton AV. Good? I don't know... it did not scan the second time: it just compared the files. This type of option, AKA "Turbo Mode", being on by default should be clearly disclosed so the user knows.
Intego had, by default (average user settings), the Trojan protection off.

Delete, Quarantine or Repair?
Most free antivirus have only 2 options: Delete or Quarantine. More complete products have a "Repair" option, where you have the possibility of trying to repair the damage caused by a piece of malware. The "Delete" of ClamXav made my jaw drop to the floor: what in the hell is wrong with them? Read along....


Here comes the surprise....

ClamXav was unable to detect a downloaded infected file, either .com or .zip, or to find a threat in a disk image.
iAntiVirus, Intego and Norton were choked by a 49 KB (kilobytes, not MB or GB) zip bomb. iAntivirus did not detect a single threat hidden in it.
Some took so many resources that they brought my MBP to its knees, making it so sluggish that the only solution was to turn off the "Real Time Protection", hence leaving me half naked.
Some with "Real Time Protection" did not react when a USB key loaded with a smorgasbord of infected files was plugged in, and were still sleeping while I unzipped the contaminated files.
Most of the light contenders (the free ones) have only limited options: Quarantine or Delete, when found! If the Trojan or worm has opened a backdoor, well, too bad: we fix the virus, not the babies.

The biggest surprise for me was to discover that ClamXav, when asked to delete an infected file in the iPhoto library, moved the entire iPhoto library (19,037 files) to the trash. As a user, if you see your entire iPhoto library going to the trash, you are going to swear a little. If you don't see it and empty the trash, you are going to swear a lot.


In the end, your choice of an antivirus will depend on two factors: your profile and your usage.

Do you want an antivirus that scans fast but leaves possible time bombs behind, or do you want something that cleans under the rug and behind the couch but takes its time? Your call. I personally prefer the latter: one lengthy scan is better than 10 crappy ones. As my dad would say: aim twice, shoot once! It's a kill.


Results

The "Just Don't Use It"

ClamXav is free, but that's pretty much it. As of Nov '10, ClamXav does not have Real Time Protection, so it lets you download or execute infected files: ClamXav is basically just a scanner. It also deleted an entire iPhoto library for a single infected file: 1 file infected, 19,000 files deleted. Best to avoid; stay away from it.

ClamXav Grade: 29%

The "Real Antivirus" List

iAntiVirus or MacKeeper

iAntivirus performed fairly well for a free antivirus. It offers real time protection and a Quick Scan feature. It does not protect against phishing threats or fraudulent websites, solely against "viruses"; MacKeeper does.
iAntivirus Grade 52%

MacKeeper
MacKeeper is a newcomer in the AV business; it is also a multi-application package (Undelete, Anti-Theft, Duplicate Finder, etc.). MacKeeper comes loaded with other very nice features: it's not just an antivirus but a multi-app to take care of your Mac. Think of it as a gym / beauty salon / doctor's office for your Mac.
Update Sept 2012:
MacKeeper has entered a "grayish" zone: they started nice but have since moved far out. The marketing techniques used, overrated statements and false advertising are making them closer to a legal scam than a true Mac application. After digging a bit more into the guts of MacKeeper, I can only state my personal and private opinion about MacKeeper: stay away from it! Plus, you're paying a fee for almost nothing. Almost ALL the tools provided with MacKeeper are either already included in your Mac or, most likely, free of charge elsewhere: you're paying for a nice logo.
MacKeeper AV Grade 42%   (antivirus alone, phishing threats not tested)

Norton AV For Mac
Norton has a suite for Internet threats (NIS) and reacted very well to immediate threats. It has heuristics and handles Windows as well as OS X threats. Norton comes almost equal with Sophos in terms of protection; I just wish it had more options.

Norton AV Grade 81%

Intego VB6
Intego VB6 has all the bells and whistles, a very nice interface and is very detailed. It has nice windows with a dashboard that shows the traffic, usage, etc.
It monitors your network and firewall and gives you the ability to block websites once a threat has been detected. It was also performing very well at detecting threats online and warned you even before downloading.
The issue was that I was never able to complete a full scan; it also got trapped by the zip bomb and crashed my Mac with a kernel panic 3 times.....*
Update: Intego Support was kind enough to reply to my emails and follow up. The issue was caused by multiple AVs being installed. The kernel panics stopped as soon as I removed the other AVs.
Intego VB Support showed that they do care about customers, and will follow up!

I want the best

Sophos AV
Sophos AV performed the best. It was the only one, together with Intego, able to detect a multi-level zip inside an unmounted disk image. To push a little, I created a disk image inside a disk image and then stuffed it with a multi-level infected zip. It caught all threats with no fuss. Sophos AV was also the only one not falling for the zip bomb while still reporting it (logged as an error during the scan and reported as "possible Zip Bomb"). The con is the time needed, but if you are serious about it or want to sleep at night, Sophos is for you.

Sophos AV Grade 90%

Sophos AntiVirus for Mac Home Edition is free.

Intego Virus Barrier VB6 Review

Intego VB Grade 93%

I had a few issues with Intego:
Kernel panic caused by kernel extensions, in the backtrace: com.intego.iokit.VBX6NKE(1)
Issues fixed with the help of Intego Support.
The issue was (ahem!) due to my laziness. Even if I know for a fact that you should not have multiple AVs running at once, I tried anyway.

Even though it has all the bells and whistles (almost too many) and was the only one scanning encrypted DMGs (given the password, provided by YOU, and the option selected),
Intego is highly configurable, which is a blessing and a curse:
For instance, the great options menu of Intego Virus Barrier X6 has "Keyloggers" not considered a threat by default. If a keylogger is not one, what is? Ditto for Trojans, left "Off".

Other than that, if you check the boxes, you'll have top-notch protection: Intego scans BEFORE finishing a download, and was the only one scanning inside encrypted DMGs.
One last word: when they say support, they mean support. They'll answer your emails or requests. Sophos Free AV is good, but there is no support whatsoever.
If you are serious about security, Intego also has a very serious firewall, and will fit your needs, even for middle-sized businesses.

Best Value Antivirus For Mac

iAntiVirus is free, so you can't beat that, but it was not providing a high level of protection.

Sophos AV for Mac Home Edition is free and it's really something to be considered. The catch is that there is no support for the free version, only a user-supported forum. I would choose Sophos over iAntivirus in a heartbeat.

MacKeeper is apart: for $40 they (used to) provide much more than just an antivirus.
Nov '11 update: MacKeeper has now entered a "grayish" zone: they started nice but have since moved far out. The marketing techniques used, overrated statements and false advertising are making them closer to a legal scam than a true Mac application.


Reviews of Antivirus For Mac
MacKeeper Antivirus, iAntiVirus, ClamXav, Sophos AV, Norton AV Mac, Intego VB6

[Results chart; the numbered notes that follow are its footnotes]

(1) Found when scanned directly with path ~/Volumes/Disk Image.dmg
(2) Found when scanned directly with path ~/Volumes/Disk Image.dmg
(3) ClamXav does not have a "Real Time Protection"
(4) Intego: Option must be selected
(5) Does NOT perform a Full Scan when selected, only Home Folders
(6) Does not scan all files.
(7) Does scan all files.
(8) Did not detect infected files in an unmounted disk image
(9) Could not complete a full scan; attempts 1, 2 and 3 failed. #4 was successful.
(10) When removing ONE infected file, ClamXav removed the ENTIRE directory (19,037 files)

Definitions & Notes

EICAR string: a standard string of characters made to test an antivirus.
Multi-level zip: a file zipped, in a zipped file, in a zipped file... etc. See Zip Bomb for ultra-deep levels.
Modified extension: an executable file whose extension was changed to look like a non-executable, e.g. from .bas to .JPG. Some antivirus do not scan JPGs, or have a list of excluded files by default (to save scanning time, e.g. a whitelist).
Zip Bomb or Zip of Death: see below.


Zip Bomb

A zip bomb is a very simple thing: write a single character millions of times into a file, compress it, copy it, compress the copies, and do it over and over again. You'll have a very small file containing an enormous amount of data. So huge that it can choke your antivirus if it tries to scan it, or bring a mail server to its knees, or make you simply skip or cancel the scan: goal achieved.
I made a 197KB file that contained millions of times more data than my hard drive can hold and tested it.
If your antivirus is "dumb", you can spend hours or days scanning a 200KB file and lose 50% of your resources for hours or days in a row; if your antivirus is skipping those files, an unwanted tenant could remain undetected.
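As an added example (my own illustration, not the blog author's test tooling and not code from any of the reviewed products), the Python script below builds, in memory, the same kinds of hiding places used in the EICAR tests above (plain file, file with a modified extension, multi-level zip) plus a small constructed zip bomb, and runs a scanner over them. The scanner looks for the signature by content at every depth, recognises archives by content rather than by extension, and, instead of inflating an entry whose declared size or compression ratio is implausible, logs a "possibly because of a zip bomb" error for that entry and moves on. The depth, byte-budget and ratio limits are my assumptions, not any vendor's defaults; the 68-byte EICAR string is the public standard test signature and is not malware.

```python
"""Added example: in-memory harness for nested-archive scanning and zip-bomb
handling. Not the blog's tooling and not code from any reviewed product."""
import io
import zipfile

# The 68-byte EICAR test string (public standard). Split in two so that this
# source file itself does not carry the contiguous signature.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         b"ANTIVIRUS-TEST-FILE!$H+H*")

# Assumed scanner limits (my choices, not any vendor's defaults).
MAX_DEPTH = 8                          # nested archive levels we are willing to open
MAX_INFLATED_BYTES = 50 * 1024 * 1024  # total bytes we will inflate per root object
MAX_RATIO = 100                        # declared/compressed above this is "bomb-like"


def make_zip(entries):
    """Return zip bytes holding {name: data} (constructed fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def nest(data, name, levels):
    """Wrap data in `levels` zip layers: the article's "multi-level zip"."""
    for _ in range(levels):
        data = make_zip({name: data})
        name = "inner.zip"
    return data


def build_fixtures():
    """Constructed corpus mirroring the hiding places used in the review."""
    deep = nest(EICAR, "eicar.com", 4)  # four zip levels deep
    # Constructed mini zip bomb: 1 MiB of "z" (deflates to about 1 KB), eight
    # copies per layer, two more layers: a few KB of zip declaring about 64 MiB.
    layer = make_zip({"z.txt": b"z" * (1024 * 1024)})
    for _ in range(2):
        layer = make_zip({f"copy{i}.zip": layer for i in range(8)})
    return {
        "eicar.com": EICAR,  # plain view
        "eicar.jpg": EICAR,  # same bytes behind a "modified extension"
        "deep.zip": deep,    # multi-level zip
        "bomb.zip": layer,   # zip bomb, no test string inside
    }


def scan(blob, name="<root>", depth=0, budget=None):
    """Recursive content scanner. Returns (findings, errors) as lists of strings.

    The signature check ignores the file name, so a renamed .jpg is caught;
    archives are recognised by content, not extension; and every entry is
    judged from its central-directory metadata before a byte is inflated.
    """
    if budget is None:
        budget = [MAX_INFLATED_BYTES]  # one mutable budget shared by the whole recursion
    findings, errors = [], []
    if EICAR in blob:
        findings.append(f"EICAR found in {name}")
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return findings, errors
    if depth >= MAX_DEPTH:
        errors.append(f"{name}: nested deeper than {MAX_DEPTH} levels, not opened")
        return findings, errors
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            child_name = f"{name}/{info.filename}"
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size > budget[0] or ratio > MAX_RATIO:
                # Log and skip this entry (the behaviour the review credits to
                # Sophos) instead of inflating for hours or saying "No Virus Found".
                errors.append("Error: scan was aborted (possibly because of a zip bomb) "
                              f"while scanning {child_name}: declares {info.file_size} "
                              f"bytes, ratio {ratio:.0f}:1")
                continue
            budget[0] -= info.file_size
            child = zf.read(info)
            if len(child) != info.file_size:
                # Headers can lie; re-check the declared size after inflating.
                errors.append(f"{child_name}: declared size does not match inflated size")
                continue
            sub_findings, sub_errors = scan(child, child_name, depth + 1, budget)
            findings += sub_findings
            errors += sub_errors
    return findings, errors


if __name__ == "__main__":
    for fname, blob in build_fixtures().items():
        found, errs = scan(blob, fname)
        print(f"{fname}: {len(found)} finding(s), {len(errs)} error(s)")
        for line in found + errs:
            print("   ", line)
```

Running it shows the signature being found in eicar.com, in eicar.jpg and four levels down inside deep.zip, while every 1 MiB "z.txt" inside bomb.zip is refused on its compression ratio before inflation, so the whole bomb is dealt with in a fraction of a second rather than the hours reported below.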

iAntiVirus scanned this file for hours, and found zero viruses!
ClamXav scanned for only 11 seconds before saying "No Virus Found" (hey, psst... 3,000,000 is the real count!)
Norton AV: found the threats after 7.5 hours... Rflllll


Only Sophos returned the proper answer: a warning logged as "Error: scan was aborted (possibly because of a zip bomb) while scanning file...." (The scan of THIS file was aborted, not the complete scan.)

If you want to try a zip bomb yourself, you can download it here: zipbomb.zip
Size 46KB; it does not contain anything other than the letter "z", no test string included. Made of text files, 10MB each.
iAntiVirus spent 7 hours 48 minutes scanning what is apparently 45KB containing 32,575,834 files. 1MB of those files placed high enough in the hierarchy would create a 7-day scan.

Zip bombs are not viruses; they are just an annoyance that may lead you to deactivate your antivirus.
If I had renamed the files and archives to something like ~/Pictures/iPhoto Library/foobar.dp or iTunes/foobar.m4a, I doubt the common user would try to delete the file.
Just deactivating the AV is simpler.....
Also, don't make it self-extracting......



6 comments:

  1. Just out of curiosity, I tried scanning the ZipBomb with VirusBarrier. It took about 4 seconds for it to tell me "no virus detected."

  2. Anonymous:
    The file zipbomb.zip does not contain any test strings; if I were to include a test string inside, it could be picked up by crawlers and would probably get this blog blacklisted.

    "4 seconds":
    You should check your settings under "Scan Settings" to verify that:
    1) you are scanning archives
    2) the time off is not set to "zero" under "Default Archive Time Off"

  3. Hello, thanks for posting this information, I was trying to find information on this topic; this was very helpful.

  4. A couple of comments concerning ClamXav.

    In addition to Delete and Quarantine you can also "Reveal in Finder" and "Show Path". This is most necessary when scanning email, backup files and, as you found, iPhoto libraries.

    There has been a real time scan capability known as Sentry for as long as I have known about the application, several years now.

    For details on all this please visit the web site and for help visit the forum.

    Full disclosure: I provide uncompensated tech support in the Forum.

  5. I tested 4 out of 5: a horrible experience. It is a shame really. This article seems to be written without any such tests done....

  6. No, we just pretend...
    but, on your side, you tested them thoroughly, and have posted the results... correct? And that's why you use "Anonymous"...