Antivirus for macOS: the good, the bad and the ugly
In my first ever dataJAR blog post, I thought I would address the elephant in the room by exploring – yes, that is right – antivirus for Mac (no pressure here James).
What qualifies me to be able to talk on this subject? In a career that has spanned many years, I am grateful to have seen and set up the majority of antivirus software on macOS. Some good, some bad and some downright ugly. The following post will cover what to look out for when choosing the right software for you and your fleet.
Expecting ‘that’ conversation
Picture this – you see an email/calendar invite in your inbox from your manager titled ‘We need to discuss antivirus on the Macs’.
Your heart sinks. You know you have got a rough ride ahead.
The first thought that comes to mind every time is ‘but it is a Mac, it does not need any antivirus protection’.
While this is a common view shared by many, let us put some history behind this. In 2006, Apple ran a set of media campaigns stating ‘hey, I am a Mac, I do not get viruses’, opening up the issue of antivirus on the Mac which, for most IT professionals, is a moot subject. I mean, if Apple says it is OK, then we will get back to polishing our Xserves. The truth behind this perception, however, was at that time the Mac was not being targeted by virus makers as frequently as Windows was.
Heading back to the meeting, you realise this is not 2006 anymore; attackers do target macOS and you do need to address the situation. You nod and agree with your manager.
You ask: “Do you have anything in mind?”
You are already dreading the response of: “Yes we have been speaking to…”
In some scenarios this is not a bad thing. However, some organisations are not fully macOS based – there are a variety of platforms within any organisation. And yes, you guessed it, the end of that sentence was “…InfoSec”.
Evaluating equivalence, cross-compatibility and other myths
In this scenario, InfoSec has been in touch; on the ‘other’ platform they have been using ‘x software’. Your manager asks: “Can you try and make it work on the Mac fleet?”
This is the first mistake many businesses/institutions make. Just because a piece of software works well on the other platform, it does not mean it will be as effective or work at all on macOS. While there is no harm in taking a look, there are a couple of considerations and pitfalls to be aware of.
Firstly, hop onto the company’s website and look for the vendor’s documentation page. See if there is any documentation for macOS. This will, of course, make it easier to support/install/manage, as well as reveal how rough a ride you might be in for. If a vendor has poor macOS documentation, you could be about to test a product that may not be the best software for the fleet.
Secondly, do not be afraid to drop the vendor’s support team a message before you start any project of this undertaking. You can even make a simple enquiry such as: “Hey I am looking to install this on some devices, is there anything I should look out for?”, as this will help you ascertain how long it takes for them to respond (which will, regardless of the software you choose, will always be needed). In addition, some vendors can have the best documentation around, yet lack the level of macOS support required. No engineer wants the response: “macOS? Oh, on the other platform you do this”. Cue the dash for more coffee and a lot of sighing.
Finally, have a look for any pre-populated mobile configuration profiles that might be available to download directly from the vendor’s website. While most good vendors will document the settings and payloads required to manage/install their software, the really good ones will provide this for you.
It is worth mentioning at this point the software recommended by the InfoSec team might be great and works exactly as you hoped. However, this is not always the case and my recommendation at this point is to always push back.
A common theme within organisations is the Mac must have the same antivirus software as the other platforms; this is simply not the case. The Mac should have the best software for the Mac, not the other way around.
The selection process
In this scenario, the software recommended by the infoSec team just is not working as you require. Your manager agrees (hopefully) and now you go out to tender to find the right piece of software for your fleet.
We already know to check a vendor’s websites for documentation and such but what else should you look out for? Where do you start?
Ultimately it will come down to budget. There was a reason your manager wanted you to try the other piece of software first – it always comes as a package deal. This is where the ‘ugly’ happens. There definitely is such a thing as too cheap.
If a piece of software seems too good to be true, there is always a reason, even if it might work straight out of the box. Always try it on a few different models, such as both Intel and Apple Silicon Macs, as well as on a wide variety of macOS versions. Just because it works well in one scenario, does not mean it will work well on others. The best advice I can give is test, test, test. There is nothing worse than handing over cold hard cash, only to find it will not work on the CEO’s laptop because they are running ‘x version of the OS and have this piece of software that might affect the antivirus in a certain way.
I once deployed a piece of software that actually slowed down the scrolling speed of the macOS fleet, which was only noticed years later (safe to say, I was glad once it was replaced). Some software might require user interaction to enable parts; while this might be OK for smaller businesses, this will not scale for larger organisations.
Having worked with a wide variety of vendors, I have found they do not always play well with the Mac’s own inbuilt protection. You might get a scenario where the newly installed antivirus software creates a CPU spike on all of your fleet. This, at first, can be a problem. However there might always be a cause – maybe you turned on full system scans from a web or on-prem console to run too frequently. Maybe there is a bug in the software that needs to be raised with the support team. This is where you get the value added from your initial search bases. If you picked a good vendor, then the bug may already have a documented solution.
Another trait to be aware of is how the software is kept updated. You might have found a great piece of software that works well during your testing and initial deployment but you did not consider how to update it. Some software is pushed out via the vendor’s web or on-prem console. I would generally avoid on-premise software and always push for a cloud based provider, as on-premise can lead to devices being out of date quickly. With a cloud based deployment/provider it will update the devices more effectively as it will not require them being connected at all times to your internal network.
If a provider gives you the packages to deploy each time, I would also avoid this. You do not want to be packaging up each version and remembering to check in on the console for any releases. You might find your fleet is actually unprotected because it is not on ‘x version’, which includes ‘x patch’, which addresses ‘x issue’.
With cloud based deployment/updates, you can push the ownership back to the vendor. If they push out an update, it is their responsibility to make sure this works on the latest OS and hardware. Again, this is why you should choose a product with a great support team.
By doing your research and taking your time, it will help you a millions times over in the future. You should pick a piece of software that works out of the box, has impressive vendor support and does not negatively impact your macOS fleet in any way.
What do I look for when selecting a product?
To help you choose your next antivirus protection, I have summarised some key points to consider when purchasing for the Mac:
- rapid, effective technical support
- fits your needs and the needs of the business
- day-one support with OS releases
- good technical documentation
- provided with configuration profiles to deploy via your MDM
- no sudden CPU spikes/machine slowness
- seamless updating platform
- reporting
- automated quarantine/remediation
You will notice one thing missing from this list – the price. You must not be swayed by a piece of software based solely on its price; if it works, it works. Squeeze the budget, negotiate, or even beg to get the software you feel is right. Your organisation will thank you later. A decent choice will result in far less worry in the long run. It is just there, working and doing its thing.
So which is my preferred vendor/software choice on the Mac?
For some time now, my go-to solution has been Malwarebytes, which is also integrated within the dataJAR Defend solution. People often get confused and overlook this incredible product for its name (it does not only find malware). It truly does a fantastic job of protecting your fleet and, for me, ticked all the boxes. Personally, my main requirement is to set something up once and then not worry about it again. Malwarebytes does just that. I found it had amazing support along with great documentation. The product feels like it is aimed at macOS, rather than being a bolt-on or a ‘plus one tick in the box’ for the marketing/software team.
However, I understand this might not be the case for everyone. Remember to do your research and test, test, test.