
Two Free Mac Antivirus Apps! p. 1 of 22! Peter DeGroot 6/12/2012

There has been a lot of publicity about the recent Flashback Trojan threat to the Mac. Headlines like "600,000 Macs infected" have some Mac users worried that the Mac is going to become as prone to virus and other Malware attacks as the Windows system.

I think the threat is highly overblown, and much of the hype is from software developers, including Sophos, who want to build a business selling Mac antivirus software. Within the last year there have been several new free antivirus apps for the Mac from big players in the Windows antivirus world. My personal suspicion is that this is a way of getting their foot in the door for future paid versions.

In my opinion the threat to the Mac is minimal, but there are two reasons that you might want to run Antivirus software on your Mac. 1) A feeling of reassurance (particularly if you are an ex-PC user and used to the extreme level of threats in the Windows world), and 2) To prevent the spread of Windows viruses and other malware that won't harm your Mac even if they get into it, but could be spread via email or other means to friends on PCs.

Should you choose to run antivirus software, it should have a nearly imperceptible impact on computer performance while protecting against realistic threats. Both of the apps above can be configured to do this.

About this document:

This is derived from a Keynote presentation given at the AshMUG meeting on June 12, 2012. I have reproduced the Keynote slides, and added written commentary that follows more or less the verbal commentary accompanying the Keynote presentation, expanding on it where appropriate from the discussion at the meeting.


Contents

Topic: page

Viruses and other Malware: p. 3
Protection Measures: p. 7
Capabilities of ClamXav and Sophos Apps Compared: p. 8
Updating Virus Definitions: p. 10
Initial Scan: p. 11
Scan Incoming: p. 14
Scheduled Scans: p. 15
Right-Click to Scan: p. 17
Scanning Performance: p. 17
Anti-malware Effectiveness: p. 18
Detected Threat Disposition: p. 19
User Impressions: p. 20
Recommendations: p. 21
Special Thanks: p. 22

Viruses and other Malware (p. 3)

There seems to be a lot of confusion about computer viruses. To most people, anything bad that gets into your machine is a virus, but in fact viruses are just one form of Malware. There are also worms, Trojans, Phishing attacks, Spyware, Keystroke Loggers, Adware and other forms of Malware.

I'm not going to describe all of these threats, but will focus on the most common ones.


Malware can be divided into two broad categories. That which relies on Stealth, i.e. you don't even realize it is there until it is too late, and that which relies on Deception, i.e. it gets in because you let it in, thinking it is something other than what it really is.

Viruses and worms are the two principal forms of Stealth malware.

They are not a threat to the Mac. There are no Mac viruses circulating, and while there are hundreds of thousands of Windows viruses, they will not affect your Mac even if they do get in.

Viruses and worms share many characteristics as shown. The key difference is that viruses attach their code to that of another application, and run whenever that now infected application runs. Worms are stand-alone executable bits of code. However, the distinction isn't of much importance for our purposes.


Trojans are examples of malware in the Deception class.

They are named after the Trojan Horse of Greek mythology/history. The Greeks were besieging Troy, and at one point created a statue of a huge wooden horse. They rolled it up to the gates of Troy, then retreated. The Trojans, thinking the Greeks had given up, rolled the wooden horse into the city as a prize of war. Inside the horse were Greek soldiers, who came out at night, opened the city gates and let the rest of the Greek army in to sack Troy.

In the Classical Trojan Horse, what was hidden inside were hostile Greek forces. In the computer version, what is inside are hostile Geek forces.

While there are many more Windows Trojans, there are also some that are or were a threat to the Mac.


Phishing attacks, usually carried out by email, but sometimes via pop-up windows on websites, are another example of Deception malware. They often take the form of a fake request for information from your bank, an online account or credit card account.

Here is an example of a phony ebay request. Note the clever touch of including the warning in red, hoping you will think "this must be legitimate, they would hardly put this warning on a fake message."

If you get one of these, never ever click on any link in the email. If you have doubts, contact the company by going to the appropriate website using Safari or another web browser.

Another form of Phishing is an email that looks like it comes from a friend or relative (email addresses are easy to fake) asking you to wire money because they have been robbed and are stranded somewhere.

Protection Measures (p. 7)

Here are some of the protection measures against malware.

Some of them are automatic; built-in to apps or put in place by your internet service providers.

In particular, most email service providers have good anti-malware built into their spam filters. You can also add local spam/malware filters, such as SpamSieve, to your Mac. However, the email service filters have gotten so good that it's really no longer necessary.

Because Trojans and Phishing rely on deception, you can always be fooled. The best protection is keeping a wary eye on requests to install or download things that you did not initiate. If, for example, a window pops up and says you need to update Adobe Flash Player, you might want to go directly to the Adobe site via your web browser to get the update.

Updates from Apple via Software Update or iOS app updates from iTunes are safe, as are most in-app updates. (The notification that there is an update when you open an app.)

Capabilities of ClamXav and Sophos Apps Compared (p. 8)

Here are two free Mac antivirus apps. One is an old hand, been around the block a few times, and one is the new kid on the block, at least on the Mac block.

I've been using ClamXav for about 5 years and find it does the job in an unobtrusive way. Of course it is not a big job: I've found only two viruses, both Windows viruses, in that time.

By the way, The Gray Fox is a superb movie. A 1982 Canadian film that won 7 Academy Awards, including Best Actor for Richard Farnsworth. He was the oldest actor to win a Best Actor Oscar, and the record still stands.

The two features that I consider critical are highlighted in green.

Sophos and ClamXav have pretty similar overall capabilities, except that Sophos has two features that are absent from ClamXav.

Scan on Access scans anything you try to open, and will be discussed later.

Whenever Undefined Threat detects something "suspicious" that is not known malware, it supposedly relays the information back to Sophos, where their experts review it and take appropriate action. Since it's not completely clear what that is, and since I have no idea how to evaluate this feature, I'm giving it a pale gray checkmark.


Both apps scan the same kinds of files. I don't know of any anti-virus app that can scan encrypted files; however, the Sophos Scan on Access feature would supposedly scan such a file immediately after it is decrypted and opened.

Neither of the apps can scan continuously in background, which is fine. Continuous background scanning is complete overkill for the level of threat to the Mac, and can really bog down computer performance.

ClamXav and Sophos can be downloaded and installed from the links given.

Installation is straightforward. Double-click the downloaded file and follow the instructions.

ClamXav Antivirus for Mac

Sophos Free Mac Home Edition

Updating Virus Definitions (p. 10)

Now I'm going to walk you through some common procedures in each app so you can get a feel for the comparative ease of use.

First we need to make sure that the virus definitions (what the software uses to identify something as a threat) are updated on a regular basis.

In ClamXav, most things are done through Preferences, which is in the upper right of the main window that appears when you launch the app.

Setting the periodic virus definition updates is as easy as 1, 2, 3.


It is also done through Preferences in Sophos, and is just as easy. Note that in Sophos, Preferences are where you expect them to be for a Mac app.

It is a good idea to do an initial scan of your whole system, just to make sure that there isn't some malware already there.

You certainly want to scan your internal hard drive, and perhaps some external hard drives if you have any attached. Especially backup drives. You don't want to restore somewhere down the line from a backup that has malware on it.

Depending on the amount of data you have, this will take a long time, and is best run overnight when you aren't using your computer.


(Slide: Initial “Scan Everything” ClamXav; screenshots with callouts 1 to 4.)

To select the drives to be scanned, click the +, then select the drives one by one, in the left sidebar and click Open. Repeat the process to select additional drives.


When you have all the desired drives listed, shift click to select them all, then click Start Scan.


It is even easier in Sophos. There is a Menu item which pops up when you click the Sophos logo in the Finder top menu bar, or you can launch the application and use the Scan Now button.

Be careful though, this will scan literally everything, connected drives, mounted drive images, CDs, DVDs, and Flash drives, and it can take a very long time.

Scan Incoming (p. 14)

Scanning incoming email and downloads is what I consider the only necessary function of antivirus software on the Mac.

In ClamXav this is called Sentry. You have to tell it what to watch, but it is pretty easy to set up. Make sure the Subfolders checkboxes are checked.

In step 5 you can also choose to quarantine the threat (you'll be asked to set up a Quarantine folder) or just delete it. I've chosen quarantine simply because I'm curious to know what the threat is.

Note that the tilde, ~, stands for your Home Folder. This is pretty standard computer notation.

In Sophos, scanning incoming items is part of On-Access Scanning, so you can't just scan incoming without scanning everything you open, move, copy or install. This is overkill for the Mac, but the good news is that I haven't noticed any big impact on computer response, even when opening very large files. If you do find there is a problem with certain files, you can easily exclude them.

Scheduled Scans (p. 15)

As I said on the previous page, scanning incoming is the only thing that I think is necessary for the Mac. (and that's primarily to catch Windows viruses that you might pass on to your friends on the Dark Side).

However, if you want additional belt and suspenders reassurance, you can set up scheduled scans of selected drives or specific files and folders.

Here is the setup in ClamXav to scan the Home folder (~), System folder and Library on the Hard drive.

The setup in Sophos has more steps, but is pretty straightforward.

You may first have to click the little triangle to reveal the part of the window for setting up Custom Scans.

(Slide: Scheduled Scans, Sophos; screenshot with callout 1.)


(Slide: Scheduled Scans (continued), Sophos; screenshots with callouts 2 to 6.)

The next step is to click the + at the bottom right, which brings up a window where we can name our custom scan.

Step 4 is to click the + sign in this window to choose which items to include in the scan, repeating steps 4, 5, and 6 until all items have been selected. (I've just chosen to scan the whole internal drive.)

Finally in step 7 you can choose Schedule, and set the day(s) and time(s) in the remaining steps.

Right-Click to Scan and Scanning Performance (p. 17)

Right-Click to Scan is a useful feature if you import stuff from CDs, DVDs or Flash drives, especially from Windows users, which might possibly contain malware.

Right- (or control- or 2 finger-) clicking on an item will bring up a Contextual Menu, with all sorts of useful stuff in it, including the Services menu, which many Mac users are totally unaware of. The Services menu contains several more useful items, in this case, scan with Sophos or scan with ClamXav, whichever you have installed.

Even though I have done it here temporarily, it is NOT a good idea to have both installed at once. I'll come back to this later.

Sophos scans faster than ClamXav, which takes about 50% longer. They both take a pretty good chunk of the available CPU. It's not as bad as it looks, as the % CPU scale is per processor. Since this is an Intel Core Duo, it has 2 processors and 200% available. However, the level shown here would make a noticeable difference in computer responsiveness, which is why, if you choose to do periodic scans, they should be scheduled for times when you aren't using the computer.

Anti-malware Effectiveness (p. 18)

This is the key question, and the answer is "I don't know".

I have not been able to find any hard data online about the effectiveness of these two antivirus apps, although they both get generally good reviews.

And I certainly can't evaluate their effectiveness from my experience. In the 5 years I've been using ClamXav, I have found exactly 2 viruses (both Windows viruses) and in the 2 months with Sophos, none.

I haven't had any Mac malware incidents at all during this time, but that doesn't tell me much.

To put it another way, it is hard to tell if your shark repellent is working or not when you do your swimming in the pool at the Y.

Detected Threat Disposition (p. 19)

OK, suppose a threat is detected. (The threat in this case is a harmless "test virus" downloadable from eicar.com.)

In Sophos, as in ClamXav, you can choose to delete or quarantine the threat. I've chosen to quarantine it, so I can inspect it and deal with it via Sophos Quarantine Manager.

The threat is listed, along with available actions. For viruses, which as you recall embed their code in the code of other apps, one option is Clean Up. Sophos will attempt to remove the virus' code and restore the application code to its uninfected state. If it can't do this, it will delete the infected app.

(Slide: Detected Threats - What Then?; Quarantine Manager screenshots with callouts 1 to 4.)

User Impressions (p. 20)

ClamXav also gives you the option of quarantining or deleting the threat. You can look in the quarantine folder and see what kind of threat it is, but there is no option to try to clean up an infected file. Your only choice is to delete it.
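As an added example that is not part of the presentation and is not code from either product: a command-line version of the quarantine-or-delete choice described here and in the Sentry setup on page 14, built on the clamscan command of ClamAV (the scanning engine behind ClamXav). The folder names, the log format and the sample signature name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the presentation or from either product.
# clamscan (ClamAV, the engine behind ClamXav) reports one line per file:
#   /Users/me/Downloads/a.zip: OK
#   /Users/me/Downloads/b.exe: Eicar-Test-Signature FOUND
# Everything after ": " and before " FOUND" is the detection name.
# Folder names, the log format and the signature name here are assumptions.
set -u

# dispose_from_report REPORT_FILE QUARANTINE_DIR MODE
#   MODE is "quarantine" (move the file aside and log what it was, so you can
#   inspect it later) or "delete". Files reported as OK are never touched.
#   Prints the number of files handled.
dispose_from_report() {
    report=$1; qdir=$2; mode=$3
    mkdir -p "$qdir" || return 1
    hits=$(mktemp) || return 1
    grep ' FOUND$' "$report" > "$hits" || :   # no detections: empty list
    n=0
    while IFS= read -r line; do
        path=${line%": "*" FOUND"}            # strip ": <signature> FOUND"
        sig=${line##*": "}; sig=${sig%" FOUND"}
        [ -f "$path" ] || continue            # stale report line; skip it
        stamp=$(date +%Y%m%d-%H%M%S)
        if [ "$mode" = delete ]; then
            rm -f -- "$path"
        else
            dest="$qdir/$(basename "$path")"
            # never overwrite an earlier quarantined file of the same name
            [ -e "$dest" ] && dest="$dest.$stamp.$$"
            mv -- "$path" "$dest"
        fi
        printf '%s\t%s\t%s\t%s\n' "$stamp" "$mode" "$sig" "$path" \
            >> "$qdir/quarantine.log"
        n=$((n + 1))
    done < "$hits"
    rm -f "$hits"
    echo "$n"
}

# scan_and_dispose DIR QUARANTINE_DIR MODE: scan a folder such as ~/Downloads
# (what Sentry watches) and apply the chosen disposition to any detections.
scan_and_dispose() {
    report=$(mktemp) || return 1
    # clamscan exits 1 when something was FOUND, so that is not an error here
    clamscan -r --no-summary "$1" > "$report" || :
    dispose_from_report "$report" "$2" "$3"
    rm -f "$report"
}
```

Running it against a folder holding the EICAR test file (the same harmless test described above) is a quick way to confirm the detection and the quarantine log end to end.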

If you are using ClamXav and are happy with it, I don't see a compelling reason to change. If you are starting from scratch, Sophos is a bit more user-friendly and Mac-like.


Recommendations (p. 21)

The virus threat to the Mac is nonexistent and the threat from other malware like Trojans and Phishing is minimal. The best defense against Trojans and Phishing is user awareness, caution and a healthy skepticism.

Nevertheless, I choose to run antivirus software in a minimally intrusive manner: monitoring of incoming downloads and emails. This is primarily to prevent the spread of Windows viruses and other malware to friends on PCs. I personally don't schedule regular scans, but if you want additional reassurance, you could set up scheduled scans of the user Home Folder(s) and the System folder and Library on the internal Hard Drive.

This goes for any anti-virus software. You only want to have one AV app installed.

Sophos includes an Uninstaller on the installation disk image. Recent versions of ClamXav also include an uninstaller for the antivirus 'engine' and instructions for removing the application itself. If you didn't keep the installation disk image, simply download a new one to get the uninstaller.

I also recommend you go to System Preferences/Users & Groups/Login Items and make sure that there are no items with ClamX or Sophos here. If there are, remove them. Click the lock in the lower left, authenticate with an administrator user name and password, then select the item and click the - sign in the lower left.

Special Thanks (p. 22)