Anti-malware on macOS 🙄

Yes, but since Apple allows running iOS apps on the Mac unmodified, that can of worms is already open. Apps that run using the "Designed for iPad" destination will run on the Mac, with MSAL, using the iOS-style keychain.
As I said, I'm not close enough to this stuff to really get into details. It's very possible that this part of the conversation has become two people debating a straw man and we'd have no real way of knowing. So at this point, I think I'll back down, as all I have is idle speculation.

But with my time at a particular, large, bureaucratic software developer, I've learned to cut the engineers at least some slack that they know what they are doing. Direction/priorities are one thing, but generally the engineers in a situation like this aren't doing this because they want to. I've also been on the receiving end of the "why can't you just support X?" stick fairly recently for things that I have tried and failed to influence, so I have sympathy for teams where the same could very well be true.

The fact that MAUI would also benefit from supporting this suggests there is definitely more than meets the eye.
 
My university requires that Trellix Endpoint Security (formerly FireEye HX) be installed on devices that access its systems. I have it on my Mac, and it doesn't seem to cause issues. But I've never had malware on any Mac I've owned (at least none I was aware of!), so I suspect it adds no value for my use case. Having said that, I do also have Malwarebytes installed, because it was recommended to me by Apple Support, and because it scans my computer just once/day and is thus pretty non-invasive.

FWIW, here's a 2021 quote from Federighi acknowledging there is an unacceptable (by Apple's standards) level of malware on Macs ( https://www.macworld.com/article/670537/do-macs-need-antivirus.html ). However, that doesn't address your question, which is whether there's ever been a documented case in which a 3rd-party anti-malware program has prevented or detected the installation of malware that MacOS did not, i.e., whether these provide any benefit to Macs.
 
But with my time at a particular, large, bureaucratic software developer, I've learned to cut the engineers at least some slack that they know what they are doing. Direction/priorities are one thing, but generally the engineers in a situation like this aren't doing this because they want to. I've also been on the receiving end of the "why can't you just support X?" stick fairly recently for things that I have tried and failed to influence, so I have sympathy for teams where the same could very well be true.

The fact that MAUI would also benefit from supporting this suggests there is definitely more than meets the eye.
Ah, absolutely. I don't think it's because of engineers not wanting to implement this either. My guess (but as you say, pure speculation) is that the macOS-style keychain API allows something the iOS keychain doesn't, and they have chosen not to ship an "inferior" (or maybe less secure?) product than their existing (macOS) solution. Which is a decision that would be taken by higher-ups.

My university requires that Trellix Endpoint Security (formerly FireEye HX) be installed on devices that access its systems. I have it on my Mac, and it doesn't seem to cause issues. But I've never had malware on any Mac I've owned (at least none I was aware of!), so I suspect it adds no value for my use case.
The problem with this topic is that if an event is uncommon enough, personal experience is mostly meaningless. Like you, I've never had malware on any Mac, but I also haven't ever needed to call the fire department either. Doesn't mean there's no need for one. But it's hard to know if it's actually effective without seeing it in action.

That said, it's relieving to see that your Endpoint Security solution doesn't cause any issues / annoyances.

FWIW, here's a 2021 quote from Federighi acknowledging there is an unacceptable (by Apple's standards) level of malware on Macs ( https://www.macworld.com/article/670537/do-macs-need-antivirus.html ). However, that doesn't address your question, which is whether there's ever been a documented case in which a 3rd-party anti-malware program has prevented or detected the installation of malware that MacOS did not, i.e., whether these provide any benefit to Macs.
Yeah, the malware situation has worsened as the Mac has gained popularity. But I think Apple is doing a good job at stopping new malware threats still.
 
My university requires that Trellix Endpoint Security (formerly FireEye HX) be installed on devices that access its systems. I have it on my Mac, and it doesn't seem to cause issues. But I've never had malware on any Mac I've owned (at least none I was aware of!), so I suspect it adds no value for my use case. Having said that, I do also have Malwarebytes installed, because it was recommended to me by Apple Support, and because it scans my computer just once/day and is thus pretty non-invasive.

FWIW, here's a 2021 quote from Federighi acknowledging there is an unacceptable (by Apple's standards) level of malware on Macs ( https://www.macworld.com/article/670537/do-macs-need-antivirus.html ). However, that doesn't address your question, which is whether there's ever been a documented case in which a 3rd-party anti-malware program has prevented or detected the installation of malware that MacOS did not, i.e., whether these provide any benefit to Macs.
Does your university only require the endpoint security solution on devices that connect directly to its network onsite, or does the requirement also apply to personally-owned computers that access its systems remotely?
 
Does your university only require the endpoint security solution on devices that connect directly to its network onsite, or does the requirement also apply to personally-owned computers that access its systems remotely?
It's the latter.
 
Does your university only require the endpoint security solution on devices that connect directly to its network onsite, or does the requirement also apply to personally-owned computers that access its systems remotely?

I'll just add that the latter is true for the organization I work for as well. But generally the push is that laptops/desktops will be provided by the company, while smartphones are generally more BYOD unless you are in sales or the like.

EDIT: The end result is that folks don’t connect to company resources except from a limited set of devices, which I think is actually one of the goals. Make the end user think if it’s worth attaching every iPhone and iPad to corporate resources or not.
 
Unfortunately it looks like there are some anti-malware solutions out there that use significant CPU power. And by significant I mean rivaling in CPU usage with the kernel (i.e. +700% CPU usage while using the computer for other tasks) 😂

This can be fine-tuned, but I still think it's hilarious that this can be deemed a reasonable out-of-the-box experience for a software vendor.
 
This thread is funnier now, in light of recent events 😂

I still appreciate the nuance discussed in this thread. But the productivity impact (high CPU usage), plus the fact that an anti-malware company just bricked PCs on a scale that seemingly dwarfs outages caused by malware makes this a tough sell.
 
This thread is funnier now, in light of recent events 😂

I still appreciate the nuance discussed in this thread. But the productivity impact (high CPU usage), plus the fact that an anti-malware company just bricked PCs on a scale that seemingly dwarfs outages caused by malware makes this a tough sell.
Does Crowdstrike run in user mode on macOS and Linux? I guess it does bring up the question of how useful malware scanning is on macOS/Linux (seems like not very).
 
I wasn't here for the initial discussion.

I will say, in partial defense of 3rd-party antimalware tools, that they can be much much better for remediation. Or rather, infinitely better than Apple's, because Apple does not offer any remediation at all. Whereas when my idiot friend brings me his laptop that he's managed to infect by browsing porn sites or whatever, I can run the freeware version of Malwarebytes on it, and it will actually fix the problem. At least, that's how it played out in the two instances where this happened.

That's not a particular endorsement of Malwarebytes, BTW - there may well be something better out there. MWB is annoying as it wants to install a long-running process and menu bar extension but it's not bad enough for me to go to the trouble of removing it from my friend's machine - next time he calls me I can just tell him to click the thing in the menu bar, etc. As the free version doesn't do live scanning, there's no perceptible drain on CPU or IO.

This is also not especially relevant to the corporate setting.

There is also one other thing that does matter in all settings. Antimalware tools live and die by the speed at which they incorporate new learning about malware - both signatures and patterns. Apple has no particular competitive pressure driving it to get out updates for XProtect one day sooner (or one week or month!). There have been multiple occasions where Apple has been slower than 3rd parties to get out new signatures. I have no solid data on whether or not that's significant but my impression is that it might well be.
 