
Mac OS X anti-virus software: More trouble than it's worth?

CNET staff

With dubious reports of a nascent malware menace threatening Mac OS X's current status as (for all intents and purposes) a virus-free platform, many readers have inquired about the need to install Mac OS X anti-virus software.

Ask McAfee or Symantec and you'll be met with pleas that users purchase, install and regularly run their Mac OS X virus scanning software. With scare-tactic statistics like "a 228 percent increase in malware attacks over the past three years" -- even though no single piece of Mac OS X malware has yet managed to cause significant system damage or to spread reliably -- it's easy to see why some users are taking the bait.

However, what the virus software companies aren't telling users -- in their barrage of press releases and dire statements to publications that dutifully pass claims of a rising threat on to readers as fact -- is that, to date, anti-virus software on Mac OS X systems has caused more problems than it has thwarted actual vulnerabilities. This doesn't negate the potential utility of having anti-virus software installed, and it won't let the cautious rest easier should the currently mythical Mac OS X attack horde materialize, but it should give pause to users who feel coerced into purchasing anti-virus software.

First, let's look at some of the problems that have been caused, on a widespread basis, by Symantec's Norton AntiVirus:

  • Ironically, a "highly critical" flaw was found in Norton AntiVirus itself. The vulnerability was as follows: during decompression of RAR files, Symantec's software is vulnerable to multiple heap overflows allowing attackers complete control of the system(s) being protected. These vulnerabilities can be exploited remotely without user interaction in default configurations through common protocols such as SMTP. Symantec posted an antivirus-based protection signature to LiveUpdate on December 20, 2005, providing heuristic detection for potential exploits of the Symantec decomposer RAR archive vulnerability. The company also recommended that users set 'Scan Compressed Files' to 'Off' in the Norton Auto-Protect pane of System Preferences to mitigate this vulnerability.
  • Version 9.0 of Norton AntiVirus spawned a file appropriately named "spacesuckingfile.xxxxxx" after it completed a virus scan. This was a temporary file that Norton AntiVirus created when scanning archives on your computer, to help determine the amount of free space available on the disk before it begins unstuffing and scanning archives. The file contains no actual data and may be deleted. Normally Norton AntiVirus deletes this file once archive scanning is complete, but in some cases it was not deleted automatically. Version 9.0.1 of Norton AntiVirus resolved this issue.
  • The AutoProtect component of Norton AntiVirus produced an issue with apparent corruption of Mac OS X temp files that could result in spiking processor usage and complete system unresponsiveness.

Sophos Anti-Virus is another popular tool that has succumbed to its own flaws in an attempt to "protect" users against a malware threat.

A previous version of Sophos' anti-virus software generated false positives for the "OSX/Inqtana.B worm", prompting users to delete critical application and system files and causing serious issues. Inqtana.B was a variant of OSX/Inqtana.A -- a Java-based proof-of-concept Bluetooth worm that affects older versions of Mac OS X 10.4.x (Tiger). The vulnerability did not affect Mac OS X 10.4.5 or Mac OS X 10.4.6, and the worm had not been found in the wild. Despite that, Sophos' software was identifying "infected" files -- sometimes numbering in the thousands -- on Mac OS X 10.4.5 systems.

Sophos quickly resolved the issue, but results of the false positives were, in some cases, disastrous. Users who thought their systems were infected deleted dozens (in some cases hundreds) of critical files rendering some applications useless and eliminating important data.

Virex from McAfee (the company that released the aforementioned warning that Mac malware threats were up more than 200 percent in the past year) was a component of the .Mac subscribers package up until mid-2005, when Apple decided to pull the offering due to a number of issues documented here on MacFixIt, including slow overall system performance, constant fan activity, degraded performance in some applications and more. We also posted instructions for removing Virex from a Mac OS X system.

Intego's VirusBarrier X, which was the first anti-virus package to become a Universal binary and has been among the least problematic of commercial offerings, has also exhibited various issues through its lifetime.

In 2003, VirusBarrier X caused an issue where the system became totally unresponsive and refused to start up properly from that point on.

Intego later fixed the issue in a March 2003 virus definition release.

Another, more minor issue was caused by VirusBarrier in late 2005, where hard drive space was rapidly consumed by the creation of several thousand tiny (4 KB) files spawned by VirusBarrier.

Fortunately, your best bet for Mac OS X virus protection at this point is completely free. ClamXav is a free graphical interface (GUI) for the open-source ClamAV virus checker. The ClamAV scanning routine is also built into some Mac OS X utilities like Tiger Cache Cleaner.

Even this tool, however, has been known to cause some issues -- particularly when installing software. In one case, application of the Adobe Illustrator CS2 12.0.1 updater was prevented by ClamXav's scanning operation.

The bottom line is that Mac OS X virus software has, collectively, precipitated more security flaws, slow-downs, accidental file deletions and overall system issues than perhaps any other grouping of software.

It's also important to remember that just because you have an AntiVirus software package installed and regularly scanning your hard drive does not -- by any means -- ensure you will not contract a Mac OS X virus should one materialize. Virus scanning software works by checking files on your hard drive against a pre-defined set of file types that could potentially be malware. Should the dreaded effective Mac OS X virus surface, current AntiVirus software will be rendered impotent against its spread until virus definitions are updated to account for the new type.

Some virus scanning software packages use routines to check for "suspicious" actions that could indicate the presence of malware, but the chances of such a routine actually stopping a cleverly crafted piece of malware are slim -- especially since there has yet to be a compelling piece of malware for Mac OS X to compare against.
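The two limitations described above (a definition-based scanner catches only what its definitions already describe, and an over-broad definition produces the kind of false positive Sophos' scanner exhibited) are easy to see in a toy scanner. The code below is an added illustration written for this article's discussion, not code from any product mentioned here; every file, hash and definition in it is constructed, and none of the "samples" is real malware.

```python
"""Toy definition-based scanner: exact-hash definitions plus byte-pattern
"heuristic" definitions, run against a few constructed files."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Definition:
    """One virus definition: either the exact SHA-256 of a known sample, or a
    byte pattern (regex) intended to describe a whole family of samples."""
    name: str
    kind: str      # "hash" or "pattern"
    value: bytes   # hex digest (as bytes) for "hash", regex for "pattern"


def sha256_hex(data: bytes) -> bytes:
    return hashlib.sha256(data).hexdigest().encode("ascii")


def scan(data: bytes, definitions: list[Definition]) -> list[str]:
    """Return the names of every definition matching this file's content.
    Nothing is deleted or modified: a scanner should quarantine and let the
    user review, precisely because of the false-positive case shown below."""
    digest = sha256_hex(data)
    hits = []
    for d in definitions:
        if d.kind == "hash" and d.value == digest:
            hits.append(d.name)
        elif d.kind == "pattern" and re.search(d.value, data):
            hits.append(d.name)
    return hits


def scan_all(files: dict[str, bytes], definitions: list[Definition]) -> dict[str, list[str]]:
    return {name: scan(content, definitions) for name, content in files.items()}


# Constructed file contents (hypothetical); none of these is real malware.
SAMPLE_V1 = b"\xca\xfe\xba\xbe constructed-sample-v1: proof-of-concept body\n"
SAMPLE_V2 = SAMPLE_V1.replace(b"v1", b"v2")   # a trivially altered variant
BENIGN_APP = b"\xca\xfe\xba\xbe BluetoothHelper.class (legitimate utility)\n"
FILES = {"sample_v1": SAMPLE_V1, "sample_v2": SAMPLE_V2, "benign_app": BENIGN_APP}

# Definition set 1: the exact hash of the one known sample, plus a "heuristic"
# pattern that is far too broad: it flags any Java class file mentioning Bluetooth.
DEFINITIONS_V1 = [
    Definition("Constructed.A", "hash", sha256_hex(SAMPLE_V1)),
    Definition("Constructed.Broad", "pattern", rb"\xca\xfe\xba\xbe.*Bluetooth"),
]

# Definition set 2: the "update" that arrives only after the variant has been
# analysed. It adds the variant's hash and replaces the broad pattern with one
# tied to the family's actual marker string.
DEFINITIONS_V2 = [
    Definition("Constructed.A", "hash", sha256_hex(SAMPLE_V1)),
    Definition("Constructed.B", "hash", sha256_hex(SAMPLE_V2)),
    Definition("Constructed.Family", "pattern", rb"constructed-sample-v\d"),
]


if __name__ == "__main__":
    for label, defs in (("before update", DEFINITIONS_V1), ("after update", DEFINITIONS_V2)):
        print(f"--- {label} ---")
        for name, hits in scan_all(FILES, defs).items():
            print(f"{name}: {hits or 'clean'}")
```

Before the update, the one-byte variant passes as clean while the legitimate Bluetooth utility is flagged; after the update the variant is caught and the benign file is not. This is why a quarantine-and-review workflow, rather than automatic deletion, is the safer default: a definition error costs you a quarantined file instead of the hundreds of deleted system files described above.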

In fact, the single best reason for installing anti-virus software on your Mac OS X system remains one of a Good Samaritan nature -- preventing you from passing malware along to users of Windows systems.

For some practical tips on reducing the threat of contracting malware on your Mac, see our tutorial "10 simple steps for securing your Mac".
