> That’s not true, but it is quite rare because of the immense number and quality of security measures that are baked into modern Mac devices.
Mac has built-in antivirus software similar to "Windows Defender", but it's hidden to spread the myth that the Mac has something fundamentally different about its design that makes it impossible to create viruses and malware. It's called XProtect:
https://arstechnica.com/gadgets/2022/08/apple-quietly-revamp...
And there are a bunch of other services running. From the Ars Technica piece:
> ... Apple has added multiple anti-malware features to macOS, though they're not always branded that way. Gatekeeper, app notarization, System Integrity Protection, the Signed System Volume, and access controls for hardware and software are all, one way or another, about proactively protecting system files from being tampered with and making sure that installed apps do what they say they're doing. Another under-the-hood tool, the Malware Removal Tool (MRT), behaved more like a traditional anti-malware scanner, periodically receiving definitions updates from Apple so that it could scan for and remove malware already present on your system.
This is no different from Windows Defender.
> The built-in Windows defense tool – appropriately called Windows Defender – has gone from being virtually useless to pretty robust and experts agree that it’s adequate for most users.
Agreed. The last time I saw a third-party antivirus on a Windows machine was 10 years ago, and it was due to company policy.
I see third-party antivirus all the time. Specifically, I've seen SentinelOne and Sophos in enterprise settings like hospitals. I'm pretty sure the enterprise version of Defender costs money, so you might as well use an alternative that better fits your admins' needs, etc.
Sometimes I suspect they know it's a placebo, but don't care. Hospital admin fears ransomware, so all machines naturally need anti-virus. They go home feeling better.
Trying to convince my boss to let me run Linux because Defender sucks up 90% of my CPU monitoring my compiler. My builds go from ~5 minutes to ~30 seconds by running the build inside a basic Linux VM on the same hardware.
I've exempted every compiler process, all the files, the directories, everything. And yet I still see 90% "system" CPU usage while GCC gets whatever idle time is left.
Defender seems more aggressive than usual lately. I keep it mostly disabled for the time being. JetBrains has for a while now had a pop-up in their IDEs on a new project asking if you want to exempt that folder from scanning, but obviously that only helps if you have those permissions =\
I'm currently on a client-issued laptop: i7 11800H, 32GB RAM, RTX 3060. Not bad, but not a speed demon either.
The CPU barely has to work, and I have tons of tabs, YouTube, Twitch, Docker containers, 3 IDEs open including IntelliJ IDEA Ultimate, 3 different database servers running (SQL Server, PostgreSQL, MariaDB), and Google Drive is uploading some pictures.
> Antivirus software has to have full access to every part of your system so it can scan and remove things. Should the software become compromised, it can become the entry point...
That's precisely why it was never necessary.
> The internet is full of outdated cybersecurity advice that just won’t die but should, like “public WiFi is unsafe” and “you should change your passwords regularly.” For the more pedantic in the crowd...
> Antivirus software has to have full access to every part of your system so it can scan and remove things. Should the software become compromised, it can become the entry point...
To be sure, 3 Critical vulnerabilities patched in April 2024 are Windows Defender RCEs[1]. Insane.
> Antivirus software has to have full access to every part of your system so it can scan and remove things.
Removal/quarantining of bad files does require elevated privileges, but just scanning and warning, no. Let's take ClamAV as an example. It has three processes:
* clamonacc: runs as root, watches for file open/change/close events, does not do any parsing (so it is mostly safe, the only real problems that I encountered are file descriptor exhaustion attacks and slow/hanging filesystems like FUSE or NFS), just forwards the file descriptor to clamd via a socket
* clamd: runs unprivileged, gets pre-opened files to scan from clamonacc, runs virus-event scripts also unprivileged
* freshclam: runs unprivileged, does nothing except updating the virus databases and telling clamd about that, so no attack surface here
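The clamonacc/clamd split described above, as an added example (this is not ClamAV's code; the signatures, sample files and process names are constructed for the demo): a privileged broker opens files and forwards only file descriptors over a Unix socket, and an unprivileged scanner does all the parsing without ever calling `open()` on a path. The broker also refuses non-regular files and opens with `O_NONBLOCK`, so a FIFO cannot hang it; a stalled NFS or FUSE mount still can, which is the failure mode the comment notes.

```python
"""Privilege-separated on-access scanning in the style of clamonacc/clamd.

Added example for this thread, not ClamAV's code. The privileged broker opens
files and forwards only descriptors over a Unix socket; the unprivileged
scanner does the parsing and never opens a path itself. Signatures and the
sample files in demo() are constructed.
"""
import json
import os
import socket
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed toy signatures; a real engine loads a signed database instead.
SIGNATURES = {
    "Toy.TestMarker": b"CONSTRUCTED-TEST-SIGNATURE-1",
    "Toy.Dropper": b"CONSTRUCTED-DROPPER-MARKER",
}
MAX_SCAN_BYTES = 1 << 20   # bound what an untrusted file can make us read


def scan_fd(fd: int) -> Optional[str]:
    """Scanner side: read a bounded amount from an already-open descriptor and
    match signatures. Runs unprivileged; a parser bug here cannot be steered at
    a path of the attacker's choosing because this process never calls open()."""
    with os.fdopen(fd, "rb", closefd=False) as f:
        data = f.read(MAX_SCAN_BYTES)
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scanner_loop(sock: socket.socket) -> None:
    """Unprivileged 'clamd': one request per message, one JSON reply each."""
    while True:
        msg, fds, _flags, _addr = socket.recv_fds(sock, 4096, 1)
        if not msg:                      # broker closed the socket: shut down
            break
        reply = {"path": msg.decode(), "verdict": None, "error": None}
        if not fds:
            reply["error"] = "no descriptor attached"
        else:
            try:
                reply["verdict"] = scan_fd(fds[0])
            finally:
                os.close(fds[0])
        sock.sendall(json.dumps(reply).encode())


def privileged_broker(paths: List[str], sock: socket.socket) -> List[dict]:
    """Privileged 'clamonacc': on a real system only open() needs root. This
    side never reads file contents and never parses anything."""
    results = []
    for path in paths:
        # O_NOFOLLOW: a symlink cannot redirect the scan. O_NONBLOCK: a FIFO
        # cannot hang the privileged side (a stalled NFS/FUSE mount still can).
        try:
            fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
        except OSError as e:
            results.append({"path": path, "verdict": None, "error": str(e)})
            continue
        try:
            if not stat.S_ISREG(os.fstat(fd).st_mode):
                results.append({"path": path, "verdict": None,
                                "error": "not a regular file"})
                continue
            socket.send_fds(sock, [path.encode()], [fd])
        finally:
            os.close(fd)                 # the scanner now holds its own copy
        results.append(json.loads(sock.recv(4096)))
    return results


def scan_paths(paths: List[str]) -> Dict[str, dict]:
    """Run the two halves in separate processes joined by a socketpair."""
    broker_sock, scanner_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:                         # child: the unprivileged scanner
        broker_sock.close()
        # On a real system: setgroups/setgid/setuid to a scanner user here.
        try:
            scanner_loop(scanner_sock)
        finally:
            os._exit(0)
    scanner_sock.close()
    try:
        results = privileged_broker(paths, broker_sock)
    finally:
        broker_sock.close()
        os.waitpid(pid, 0)
    return {r["path"]: r for r in results}


def demo() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Constructed samples: a clean file, a file carrying a marker, and a FIFO.
    Returns {basename: (verdict, error)}."""
    d = tempfile.mkdtemp()
    clean, marked, fifo = (os.path.join(d, n) for n in ("clean.txt", "marked.bin", "pipe"))
    with open(clean, "wb") as f:
        f.write(b"nothing to see here")
    with open(marked, "wb") as f:
        f.write(b"header " + SIGNATURES["Toy.Dropper"] + b" trailer")
    os.mkfifo(fifo)
    results = scan_paths([clean, marked, fifo])
    return {os.path.basename(p): (r["verdict"], r["error"]) for p, r in results.items()}


if __name__ == "__main__":
    print(demo())
```

The design point is the direction of trust: the only privileged code path is `os.open` plus a descriptor hand-off, so the file parser, which is where scanner vulnerabilities historically live, runs with no authority to open anything it was not handed.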
Not sure why you're being downvoted as I think it's a reasonable question to ask when someone's saying antivirus was never necessary.
Having seen a few friends' family computers degrade and behave unexpectedly when I was younger, there were definitely people out there who would have benefited.
However I think GP is drawing attention to the irony that, as an attack vector, antivirus software as it was conceived actually increased your surface area of risk in some ways.
Yup. I saw it happen to a machine once less than 15 minutes after installing Windows and putting it on the net. I think a lot of people nowadays forget how wild it was back then.
To clarify: is the referenced advice (public wifi bad, change passwords) pedantic and/or wrong, or is the statement (this advice is outdated) pedantic and/or wrong?
> built-in Windows defense tool – appropriately called Windows Defender – has gone from being virtually useless to pretty robust and experts agree that it’s adequate for most users.
Windows Defender is not only useless. It actually deletes files without asking.
> Additionally, Windows 11 has made huge improvements in the security department and has learned from many of the mistakes that made past
Cough, some days ago hackers compromised Microsoft; ransomware is a good business...
I haven't run any in probably 15 years. Slightly possible I'm in a botnet or my nudes leaked but no money missing from my bank account and no drives wiped
Perfect threat detection was mathematically proven to be impossible.
So why install antivirus software?
It is just one more app layer that has to run with elevated privileges, increasing the attack surface while trying to increase defense depth.
So why increase complexity, for unknown gains?
But it's nice of the article to link tools that help you think about threats for iOS/macOS.
Meh, they will pry my crowdstrike from my cold, dead hands. That thing has saved me so much pain and suffering from the boomers/genx (and oddly zoomers) clicking patently stupid things....
There's enough questionable information in this that it's not worth engaging point by point, but here are a few things worth noting:
> changing your passwords regularly can have some potential benefits (mostly for companies)
No. This goes back to the way-too-broad Appendix A ("Estimating Password Entropy and Strength") of NIST SP 800-63 in 2004. Which explicitly says "Readers are cautioned against interpreting the following rules as anything more than a very rough rule of thumb method to be used for the purposes of E-authentication", but, you know, it's NIST and became a whole thing anyway.
NIST finally came out explicitly against rotation in 2017. The specific guidance since then: "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
> Macs, for example, are notoriously secure
That's like saying Windows Phone is notoriously secure. I mean, maybe? But mostly nobody cares enough to attack them. Macs aren't directly targeted much because a) the business world doesn't run on them, and b) most attacks are credential phishing, i.e. platform-agnostic, for the handful of mac-using targets you might care about. There are still plenty of attacks on macs, pentesting tools for them, LOOBins, so on. Just most users aren't on macs, workloads aren't on macs, infrastructure (Exchange servers, domain controllers) isn't on macs. Probably it would be worthwhile to attack them more, honestly. Maybe the bad guys just haven't seen Moneyball yet.
> the vast majority of compromises [...] convince the targeted user to hand over their own credentials or download malicious software or otherwise convince the target to somehow give the attacker access
Well, yeah. Chrome replaced Internet Explorer, PDF.js replaced Acrobat Reader, the Microsoft Office Equation Editor replaced itself, Flash is gone. The exploitable computing surface today is way smaller than it was 10 years ago. At the same time, everyone's identities and accounts have moved to the cloud, so the juice-to-squeeze ratio of targeting a device is way down. Still happens every day, but rarely with exploits.
I'm not sure "you chose to run the malware, idiot" supports the claim that "you don't need antivirus", though. Like, people do dumb things sometimes. That's exactly why they might need antivirus. The built-in stuff is as good as anything else for consumers, so sure, stick with Defender or whatever. That's still antivirus. The ~98th percentile of people by tech-savviness should probably turn it on.
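The NIST SP 800-63B guidance quoted earlier in this comment (no composition rules, no arbitrary periodic rotation, forced change only on evidence of compromise), as an added example of what a verifier's policy looks like in code. This is not NIST's or any vendor's code; the breached-password set, the `Account` record and the 90-day legacy rule are constructed for contrast.

```python
"""Memorized-secret policy following the NIST SP 800-63B guidance quoted above.

Added example, not NIST's or any vendor's code. The breached-password set and
the account records are constructed; a real deployment checks candidates
against a large compromised-credential corpus instead of this small set.
"""
import unicodedata
from dataclasses import dataclass
from typing import List, Optional, Sequence

MIN_LENGTH = 8      # 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 128    # 800-63B says at least 64 must be accepted; allow more

# Constructed stand-in for a compromised-credential corpus.
BREACHED = {"password", "123456789", "qwertyuiop", "letmein123"}


def check_new_secret(candidate: str, context_words: Sequence[str] = ()) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    Deliberately no composition rules ('must contain a digit') per the SHOULD NOT."""
    secret = unicodedata.normalize("NFKC", candidate)   # normalize before any check
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if secret.lower() in BREACHED:
        reasons.append("appears in a compromised-password list")
    for word in context_words:           # e.g. username, service name
        if word and word.lower() in secret.lower():
            reasons.append(f"contains context-specific word '{word}'")
    return reasons


@dataclass
class Account:
    username: str
    secret_age_days: int
    compromise_evidence: Optional[str] = None   # e.g. "credential seen in breach dump"


def change_required(account: Account) -> Optional[str]:
    """800-63B: arbitrary periodic rotation is never demanded (SHOULD NOT);
    a change is forced only on evidence of compromise (SHALL)."""
    if account.compromise_evidence:
        return f"change required: {account.compromise_evidence}"
    return None                          # regardless of how old the secret is


def legacy_change_required(account: Account, max_age_days: int = 90) -> Optional[str]:
    """The pre-2017 rotation rule this comment argues against, kept for contrast."""
    if account.compromise_evidence:
        return f"change required: {account.compromise_evidence}"
    if account.secret_age_days > max_age_days:
        return f"change required: older than {max_age_days} days"
    return None


if __name__ == "__main__":
    print(check_new_secret("correct horse battery staple"))
    print(check_new_secret("Password"))
    print(change_required(Account("alice", secret_age_days=400)))
    print(legacy_change_required(Account("alice", secret_age_days=400)))
```

The two `change_required` variants differ in exactly one branch: the legacy rule treats age alone as a reason to rotate, while the 800-63B rule rotates only on evidence of compromise, which is the operational change the 2017 revision made.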