
Mac Security Test & Review 2021

Date: June 2021
Language: English
Last Revision: June 30th 2021

Release date: 2021-07-02
Revision date: 2021-06-30
Test Period: May - June 2021
Number of Testcases: 538 Mac Malware, 788 Mac PUA, 500 Windows
Online with cloud connectivity: yes
Update allowed: yes
False Alarm Test included: yes
Platform/OS: macOS

Introduction

It is an often-heard view that macOS computers don’t need antivirus protection. Whilst it is certainly true that the population of macOS malware is tiny compared to that for Windows and Android, there have still been many instances of macOS malware getting into the wild. Moreover, Apple Mac security needs to be considered in the wider context of other types of attacks.

In addition, it should be noted that Apple themselves ship some anti-malware capabilities within macOS. Firstly, there is “Gatekeeper”, which warns when apps without a digital signature are run. Then there is “XProtect”, which checks files against known-malware signatures. Finally, Apple provide the MRT (Malware Removal Tool). Gatekeeper and MRT are essentially invisible to users and have no direct user interface. System updates are installed automatically using the update process. The effectiveness of Apple’s built-in anti-malware features has been questioned, however, and some security experts recommend strengthening the defences by adding in a third-party antivirus package. There are many good reasons for this. Firstly, the approach taken by Apple might be adequate for well-established malware, but might not respond quickly enough to emerging threats. Secondly, you might want a broader base of malware evaluation. Thirdly, macOS is not immune to bugs.

Some vendors’ macOS security products can detect malware aimed at other operating systems too. Hence an AV program on your macOS computer could effectively handle Windows and Android malware as well. There are scenarios where you might well benefit from scanning for such threats. For example, suppose you are given a USB stick of photos by one friend, who asks you to make a copy for a second friend. They both use Windows, but you are using a macOS computer. There is Windows malware on the USB stick, and you make a copy of all the files. In this scenario, it is useful to be able to ensure that malware is not inadvertently passed on from one friend to another, even if your own machine is not at risk.

Mac security programs can offer other capabilities too. For example, browser extensions can identify web sites which are potentially phishing locations. Readers should note that Mac users are just as vulnerable to phishing attacks as users of e.g. Windows, as phishing sites function by deceiving the user rather than by altering the operating system or browser.

Other packages might offer VPN (virtual private network) capabilities which can be useful when you need to operate your computer in an untrusted environment, or a public location such as an Internet café, where you are not sure of the integrity of the connection. You might also want to replace macOS’ built-in parental control capabilities with third party tools, if you believe this is more appropriate to your family needs.

Before purchasing a Mac security solution, you also need to decide on the size and scope of the protection you wish to deploy. It might be for a single computer, or for a laptop and desktop. Or you might have a family environment. There might be a mixture of macOS laptops and desktops, but also other devices such as Windows desktops and laptops, along with iOS and Android phones and tablets. For this environment, a broader and more flexible licensing package might well be appropriate.

This could allow you to purchase e.g. 5 licenses and then distribute them amongst your collection of devices. It could also give you the flexibility to transfer licensing from one device to a new item, e.g. if you need to replace an aging Windows laptop with a new MacBook. Some packages offer cloud-based management interfaces. Usually this is to cover the licensing of the packages, but some can also be used to initiate malware scans and device updates and manage parental control capabilities.

Then there are packages which are really aimed at the business and corporate space. Here the macOS support is but one component of a much larger deployment and management infrastructure. This will cover all devices and operating systems, often running thousands of managed devices. Although it might be tempting to go for a larger and stronger solution than is appropriate for your organizational size, be aware that the larger platforms have significant up-front design, management and deployment overheads. This is required to allow these tools to scale to the sizes that they can support, and they usually bring in a level of day-to-day commitment which, although entirely proper and required in a larger enterprise, is simply beyond the capabilities and resourcing of a small company.

Experienced and responsible Mac users who are careful about which programs they install, and which sources they obtain them from, may well argue – very reasonably – that they are not at risk from Mac malware. However, we feel that non-expert users, children, and users who frequently like to experiment with new software, could definitely benefit from having security software on their Mac systems, in addition to the security features provided by the macOS itself.

Readers who are concerned that third-party security software will slow their Mac down can be reassured that we considered this in our test; we did not observe any major performance reduction during the course of the test with any of the programs reviewed.

As with Windows computers, Macs can be made safer by employing good security practices. We recommend the following:

  1. Do not use an administrator account for day-to-day computing
  2. Keep your Mac operating system and third-party software up-to-date with the latest patches
  3. Use secure passwords (the Mac includes the KeyChain password manager)
  4. Deactivate any services such as Airport, Bluetooth or IPv6 that you don’t use
  5. Be careful about which programs you install and where you download them from

Tested Products

We have reviewed and tested the following products for this report, using the newest version available at time of testing in June 2021:

Additional information about the products and additional third-party engines/signatures used inside the products: Clario, FireEye and MacKeeper use the Bitdefender engine. Intego uses the Avira engine for detection of Windows malware. The products Clario and MacKeeper are developed by Clario.

Avast, Avira and MacKeeper all use a freemium model. Avast specifically asked us to test the free version.

We congratulate these manufacturers, who elected to have their products reviewed and tested, as we feel their commitment is a valuable contribution to improving security for Mac systems.

Test Procedure

The Malware Protection Test checks how effectively the security products protect a macOS Big Sur system against malicious apps. The test took place in June 2021, and used macOS malware that had appeared in the preceding few months. We used a total of 538 recent and representative malicious Mac samples.

In the first half of 2021, thousands of unique Mac samples were collected. However, this figure included many samples which could be classified as “potentially unwanted” – that is, adware and bundled software – depending on interpretation. Very many of the samples were near-identical versions of the same thing (especially for EvilQuest), each with a tiny modification that just creates a new file hash. This enables the newly created file to avoid detection by simple signature-based protection systems. There were in fact almost no new families, and only a few dozen really new variants, of true Mac malware seen in 2021. Some of these will only run on certain macOS versions. After careful consideration, we ended up with 538 Mac malware samples to be used in the test. We feel these reflect the current threat landscape, even if the sample size seems very small compared to what is commonly used for Windows. As most Mac systems do not run any third-party security software, even these few threats could cause widespread damage. Precisely because a Mac security product only has to identify a small number of samples, we would expect it to protect the system against most (if not all) of the threats, so the protection rate required for certification is relatively high.
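The following is an added illustration, not code from AV-Comparatives or any tested product: it shows why an exact-hash blocklist sees near-identical files as unrelated, and how a content-similarity measure groups them into families when curating a sample set. The sample bytes are constructed, harmless stand-ins, and the byte-shingle Jaccard similarity and the 0.9 threshold are assumptions chosen for the example.

```python
import hashlib


def constructed_blob(seed: bytes, size: int = 2048) -> bytes:
    """Deterministic pseudo-random bytes standing in for a file (constructed, harmless)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shingles(data: bytes, k: int = 8) -> set:
    """All overlapping k-byte windows of the content."""
    return {data[i:i + k] for i in range(len(data) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; 1.0 means identical shingle sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def exact_hash_hits(samples: dict, blocklist: set) -> list:
    """Names of samples whose SHA-256 is on the blocklist (simple signature matching)."""
    return [name for name, data in samples.items() if sha256_hex(data) in blocklist]


def cluster_near_duplicates(samples: dict, threshold: float = 0.9) -> list:
    """Greedy clustering: a sample joins the first cluster whose representative
    is at least `threshold` similar, otherwise it starts a new cluster."""
    clusters = []  # list of (representative shingle set, [member names])
    for name, data in samples.items():
        sh = shingles(data)
        for rep, members in clusters:
            if jaccard(rep, sh) >= threshold:
                members.append(name)
                break
        else:
            clusters.append((sh, [name]))
    return [members for _, members in clusters]


# Constructed sample set: two "families", each with trivially modified copies.
_A = constructed_blob(b"family-A")
_B = constructed_blob(b"family-B")
SAMPLES = {
    "a_original": _A,
    "a_variant_1": _A[:100] + bytes([_A[100] ^ 0xFF]) + _A[101:],  # one byte changed
    "a_variant_2": _A + b"\x00\x00\x00\x01",                       # four bytes appended
    "b_original": _B,
    "b_variant_1": _B[:-1] + bytes([_B[-1] ^ 0x01]),               # last byte changed
}

# Blocklist that only knows the first file seen from family A.
BLOCKLIST = {sha256_hex(SAMPLES["a_original"])}

if __name__ == "__main__":
    unique_hashes = {sha256_hex(d) for d in SAMPLES.values()}
    print("unique SHA-256 values:", len(unique_hashes))
    print("exact-hash hits:", exact_hash_hits(SAMPLES, BLOCKLIST))
    print("similarity clusters:", cluster_near_duplicates(SAMPLES))
```

Five files yield five distinct hashes but only two clusters, which is the gap between a raw count of unique samples and the number of genuinely distinct threats.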

Before the test, the macOS systems were updated and an image created; no further OS updates were then applied. Each program was installed on the freshly imaged machine and the definitions updated to the 10th June 2021. The Mac remained connected to the Internet during the tests, so that cloud services could be used. A USB flash drive containing the malware samples was then plugged in to the test computer. At this stage, some antivirus programs recognized some of the samples. We then ran a scan of the flash drive, either from the context menu or from the main program window. Any detected samples were removed. After this, any remaining samples which had not been detected by the real-time protection or scan were copied to the Mac’s hard disk. These remaining samples were (where possible) then executed, providing the security product with a final chance to detect the samples. In addition to the Mac malware samples, we also performed a false alarm test on a set of clean Mac programs to check for false positives. None of the programs we tested produced any false alarms.

To take account of the increasing number of potentially unwanted applications on Mac, we also tested detection of 788 prevalent Mac PUAs. The testing methodology was the same as that for the malware testing described above.

Most Mac security products claim to detect Windows malware as well as Mac malware, thus ensuring that the user’s computer does not inadvertently act as a conduit for programs that could attack Windows PCs. For this reason, we also checked if the Mac antivirus products detect Windows malware. We used 500 prevalent and current Windows malware samples; the procedure was identical to that for Mac malware, except that we did not make any attempt to run any of the samples that were not detected in the scan, as Windows programs cannot be executed under macOS.

Test Results

The table below shows protection results for the products in the review. The figures for Mac malware protection indicate the number of samples blocked at any stage of the testing procedure, i.e. regardless of whether the malware was detected/blocked in one of the on-demand scans, by real-time protection, or on execution.

| Product | Mac Malware Protection (538 recent Mac samples) | Mac PUA Protection (788 prevalent Mac PUA samples) | Windows Malware Detection* (500 prevalent Windows malware samples) |
|---|---|---|---|
| Avast Security for Mac | 100% | 99% | 100% |
| Avira Antivirus Pro for Mac | 99.8% | 96% | 100% |
| Bitdefender Antivirus for Mac | 100% | 99% | 100% |
| Clario Clario | 100% | 98% | 100% |
| Clario MacKeeper | 100% | 98% | 100% |
| CrowdStrike Falcon Pro for Mac | 99.8% | 96% | 94% |
| FireEye Endpoint Security for Mac | 99.1% | 96% | 100% |
| Intego Mac Internet Security X9 | 100% | 97% | 100% |
| Kaspersky Internet Security for Mac | 100% | 96%** | 100% |
| Trend Micro Antivirus for Mac | 99.6% | 98% | 100% |

* Detection of Windows threats on Macs can be seen as discretionary. Some products do not include detection for non-Mac threats or have limited detection capabilities due to technical constraints.
** If PUA detection is manually enabled. All other consumer products had PUA detection on by default.

A list of antivirus programs for Mac can be seen here: https://www.av-comparatives.org/list-of-av-vendors-mac/

Product Reviews

Review format

Here we have outlined the features and functionality that we have looked at for each of the consumer programs in this review. With the enterprise products, which are managed using a cloud-based console, we have used a similar review format to that used in the Enterprise Main Test Series reports.

Summary

Here we describe the nature of the product and its features, including whether it is free or requires a subscription, and give an overview of our experience with it. Please note that all products protect against ransomware in the same way as for other types of malware. Where we have specifically mentioned “ransomware protection”, this means that specific user folders are monitored to prevent unauthorised changes.

Installation

This describes how to get the product up and running on your Mac(s), starting with downloading the installer, and finishing with any post-setup tasks needed. These might include installing and allowing browser extensions, for example. We note any options available, and whether you have to make any decisions during installation. There is also a note on how to uninstall the product, should you need to. Please note that when installing any antivirus product on macOS Big Sur (which was used for the tests and reviews), it is necessary to go into the System Preferences and give the program specific permissions, such as Full Disk Access. As this process is essentially identical for all products, we have not mentioned it in the individual reviews. However, non-expert users might consider asking for help with the installation of their chosen product, if they do not feel confident about doing it themselves.

Finding essential features

Here we consider how easy it is to find the most important functionality in each program: status, update, different types of scan including scheduled scans, subscription information (not applicable to free programs), quarantine, logs, settings and help.

Alerts: We look at how each program’s current protection status is displayed, what sort of warning is shown if real-time protection is disabled, and how to correct this. We also note what sort of alert is shown when malware is discovered, and whether the user needs to take any action in this case.

Malware detection scenarios: We run a functionality check to determine whether each program detects malware on access (e.g. when it is downloaded or copied to the system), or only on execution (i.e. when it is run). This is entirely separate from the malware protection test, and is run on different systems. We connect a USB flash drive containing a few samples of common Mac malware, which all the tested programs are known to detect. Some security programs will automatically detect the malware without the user needing to do anything; if not, we attempt to copy the malware samples onto the Desktop of the currently logged-on user. If this is possible, we then check on-execution detection by running the copied malicious files.

Quarantine and logs: We check the functionality that shows you which malicious items have been found, what information is provided about them, and what the options are for dealing with them (e.g. delete or restore).

Help: There is a brief description of each program’s main help feature (accessible from the program interface).

Advanced Options: We check whether users with macOS Standard user accounts can disable the antivirus protection features, make scan exclusions, restore items from quarantine, or uninstall the program. We regard it as ideal if only Administrator Accounts (not Standard User Accounts) can perform these tasks. This means that if you let someone else use your computer, you can create a Standard User Account for them, and they will not be able to compromise your Mac’s security. Of course, if you don’t share your computer, this point is not relevant to you.

Avast Security for Mac

Summary

Avast Security for Mac is a free antivirus program. The program is very simple to install, and most common features are easy to find in the clean, well-laid out GUI. Avast Security has highly effective on-access protection, which instantly detects and deletes malicious files when they are copied or downloaded. Alerts are clear and persistent, giving you time to read them. Standard user accounts cannot take any risky actions. The program is well suited to non-expert users due to its ease of use.

Installation

To set up Avast Security on your Mac, you just download and run the installer file, then double-click Install Avast Security. You can uninstall the program by clicking Avast Security in the menu bar, then Uninstall Avast Security.

Finding essential features

Status, default scan, scan options, and quarantine (Virus Chest), are all found on the home page of the main program window. Settings (Preferences) can be opened from the menu in the top right-hand corner, or the Mac menu bar. Subscription information is not applicable, as the program is free. Updates can be run by clicking Preferences, General (as is standard for modern security programs, Avast Security for Mac runs automatic updates as well). You can scan a drive, folder or file from the Finder context menu, by clicking Scan with Avast. The help file is accessible from the Help menu in the Mac menu bar.

Status alerts

When we disabled Avast’s real-time protection, the alert below was shown in the main program window. We were able to reactivate the protection by clicking Turn ON, and then setting all the slider buttons on the Core Shields page to ON.

[Screenshot: Avast Security for Mac status alert]

Behaviour on malware detection

When malware was detected in our functionality check, Avast displayed the alert shown below. No user action was required. The alert persisted until we closed it. We noted that it’s possible to browse through the alerts using the arrows in the top right-hand corner. They can be closed individually by clicking Got it, or all at once using the macOS close button top right.

[Screenshot: Avast Security for Mac malware detection alert]

Malware detection scenarios

During our functionality check, we discovered a bug in Avast Mac Security running on macOS Big Sur. This caused on-access protection to be very unreliable (although on-execution detection was not affected). We informed Avast of this bug, and they released an updated version, which resolves the issue completely (as explained in the following paragraph). We recommend that users running Avast on Big Sur update the program to the latest release.

We found the bug-fixed release of Avast Security for Mac to have highly sensitive and reliable on-access detection of malware. Malicious files that we downloaded or copied to the system were instantly detected and quarantined in all cases. When we tried to copy malware from a network share or external drive to the system, Avast not only prevented the files from being copied, but deleted the source malware on the network share or external drive as well.

By default, Avast does not automatically scan USB drives when they are connected, but this can be enabled in the program options. When we scanned a flash drive containing malware samples, Avast presented a list of the threats found; we just had to click Resolve Selected to quarantine them.

Quarantine and Logs

Virus Chest displays files that have been quarantined, and allows you to delete or (with an administrator account) restore any/all items.

System Tray menu

[Screenshot: Avast Security for Mac System Tray menu]

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (under Preferences\Shields)
  • Uninstall the program (using the Uninstall button in the installer file)
  • Restore items from quarantine

Standard macOS users (i.e. accounts without administrator rights) cannot perform any of these tasks, which we regard as optimal.

Help

A help file with basic FAQs and clear, simple text answers is provided. You can open it from the Help menu in the Mac menu bar.

Advertising

The Smart Scan feature promotes Avast’s paid security suite, Premium Security. At the end of the scan, it will display 3 “advanced issues”, namely vulnerability to ransomware, network threats and fake websites. If you click on Resolve All here, a purchase prompt for Avast Premium Security will be displayed. We also saw a pop-up alert with the same function:

[Screenshot: Avast Security for Mac pop-up alert]

Avira Antivirus for Mac

Summary

Avira Antivirus Pro for Mac is a straightforward, paid-for antivirus program. It is very simple to install, and all the available features are easy to find in the neat interface. In our functionality check, we found it to have very sensitive and reliable on-access protection against malware. Detection alerts do not require any user action, and standard user accounts cannot take any risky actions. The simplicity of the program makes it an excellent choice for non-expert users.

Installation

To set up Avira Antivirus Pro for Mac, you need to log in to your Avira account. You then download and run the installer, double-click the Avira icon, then click Accept and install. There are no options or decisions to make. The program can be uninstalled by deleting it from the macOS Applications folder.

Finding essential features

Status, default scan, scheduled scan, scan options, preferences, quarantine and subscription information can all be accessed from the Status page of the program window (screenshot above). You can also scan a drive, folder or file from the Finder context menu. The help feature is found in the Help menu in the Mac menu bar. We could not find a manual update feature in the program (as is standard for modern security programs, Avira runs automatic updates). The preferences (Protection Options) are limited to switching real-time protection on or off.

Status alerts

When we disabled Avira’s real-time protection, the alert below was shown in the main program window. We were able to easily reactivate the protection by clicking Turn on.

[Screenshot: Avira Antivirus for Mac status alert]

When malware was detected in our functionality check, Avira displayed an alert in the main window (shown below). No user action was required. The alert closed automatically after 5 seconds.

[Screenshot: Avira Antivirus for Mac malware detection alert]

Behaviour on malware detection

In our functionality check, we found Avira Antivirus Pro to have very sensitive and reliable on-access detection of malware. Malicious files that we downloaded or copied to the system were instantly detected and quarantined in all cases. When we tried to copy malware from a network share to the system, Avira not only prevented the copy process, but also deleted the source malware on the network share.

When we connected a USB flash drive to our Mac, Avira prompted us to scan it. We did this, and Avira automatically quarantined the malicious files without the need for any user action. We note that the scan prompt closed after 5 seconds, so you have to be quick to make use of it.

Quarantine and Logs

The Quarantine page of the program (screenshot below) shows you all the items that have been quarantined, along with the date when this happened. There are options to delete and restore any of the detected files (you have to enter administrator credentials to take either action).

[Screenshot: Avira Antivirus for Mac Quarantine page]

System Tray menu

[Screenshot: Avira Antivirus for Mac System Tray menu]

We found a bug in version 1.6.0 of Avira Antivirus Pro for Mac on macOS Big Sur 11.4. Although the program installs and runs normally, the System Tray icon displays the “closed umbrella” symbol, which normally means that protection is inactive. The menu that opens when you click it states “Your antivirus protection is off”, but this is not correct. We verified that real-time protection works perfectly, despite the pessimistic System Tray icon/menu. Avira is aware of this issue, as it informs users of it on the support page of its website.

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (Protection Options page or System Tray menu)
  • Restore items from quarantine
  • Uninstall the program

Standard macOS users (i.e. accounts without administrator rights) cannot do any of these, which we regard as ideal.

Help

Avira Help (in the Help menu in the Mac menu bar) opens the product’s support page in a browser. This consists of simple text instructions for everyday tasks, some illustrated with screenshots. There is also a video to explain installation of the product.

Advertising

Antivirus Pro advertises Avira’s Prime service. There is a Get Prime button in the menu panel. Additionally, running the default Smart Scan finds “issues” such as tracking cookies that can only be fixed by subscribing to Prime. If you connect a USB drive to your Mac, Avira will prompt you to scan it. If you click on the prompt, a purchase prompt for Prime will appear, as automatic USB scanning is not included in Avira Antivirus Pro.

Bitdefender Antivirus for Mac

Summary

Bitdefender Antivirus for Mac is a paid antivirus program with ransomware protection, a data-limited VPN feature, and a browsing-protection add-in for Safari/Chrome/Firefox. We found it very straightforward to install and use. The user manual is easy to find, comprehensive, and very well produced. Effective real-time protection immediately detects and cleans malware on first contact. Overall, the product gets every important detail right, providing solid protection features in a very well-designed interface. Both expert and non-expert users should find it suitable for their needs.

Installation

After downloading and starting the installer file, you just need to double-click the setup package icon to start the setup wizard. You do not need to make any decisions, though you can change the interface language. When setup is complete, you need to create a Bitdefender account and sign in. An optional introductory tutorial then starts, after which the program window displays a recommendation to install the Traffic Light extension for Safari. After that, the Bitdefender window recommends configuring Safe Files, the product’s ransomware protection feature. Next, Bitdefender suggests setting up Apple’s Time Machine backup feature, and finally running a system scan. You can uninstall the program using its own uninstaller. This is found in the Bitdefender folder in the Finder Applications window.

Finding essential features

Status, quick and full scans, subscription information, settings and help are all directly accessible from the program’s Dashboard (home page). You can find custom scan, quarantine and scan exceptions under Protection. Update is in the Actions menu in the Mac menu bar. There is no scheduled scan function, but you can scan a drive, folder or file using the Finder context menu. Logs are shown under Notifications.

Status alerts

When we disabled Bitdefender’s real-time protection, the alert below was shown in the main program window. We were able to reactivate the protection easily by clicking Enable.

When malware was detected in our functionality check, Bitdefender displayed the alert below. No user action was required, and the alert closed after 5 seconds.

Malware detection scenarios

In our functionality check, we found Bitdefender to have very sensitive and reliable on-access detection of malware. Malicious files that we downloaded or copied to the system were instantly detected and quarantined in all cases. When we connected a USB flash drive containing malware samples to our Mac, Bitdefender automatically scanned the drive and deleted the malware without any user action being required.

The right-hand pane of the quarantine window shows you the threat name. Notifications is the log feature. It displays events such as updates, component activation, and malware detections.

System Tray menu

[Screenshot: Bitdefender Antivirus for Mac System Tray menu]

Help

Antivirus for Mac Help in the Mac menu bar opens a very comprehensive manual in .PDF format. This covers all aspects of using the program, and includes a glossary of malware types. It is fully indexed, and very well illustrated with screenshots.

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (under Preferences)
  • Make scan exclusions
  • Restore items from quarantine
  • Uninstall the program

Standard macOS users (i.e. accounts without administrator rights) cannot perform any of these tasks, which we regard as ideal.

Other points of interest

If you install the Traffic Light extension for Safari add-in, safety ratings are added to Google searches. For example, green tick (checkmark) symbols are used to indicate safe sites. There are similar add-ins for Firefox and Chrome.

Clario Clario

Summary

Clario is a paid-for security suite. As well as malware protection, it includes a VPN, added protection for online shopping and banking, an ad blocker, and a live chat service you can use to ask the vendor about security-related issues. Setting the program up is not difficult, but requires the user to be proactive to enable all the features. We found Clario to have very sensitive and reliable on-access protection against malware. You have to proactively enable this after installation, however. The user interface is a little out of the ordinary, but very simple to use with a little practice.

Installation

To set up Clario, you need to log in to your Clario online account, then download and run the installer file. There are no options or decisions to make in the setup wizard. After installation, the main program window opens. This greets you with the message “let’s set up your protection”. Clicking on the associated arrow opens invitations to enter your email address to check for breaches, and get an online vulnerability check from a Clario expert.

At this stage, real-time protection is shown as “not active”. If you set this to active, Clario shows instructions for authorising its system extensions in the macOS security preferences. Once you have completed these steps, real-time protection is activated. Similarly, when you first run a scan, Clario will prompt you to give it Full Disk Access in the Mac settings applet. Finally, there is a prompt on the program’s home page to install the Clario Secure Browsing extension for the Safari and Chrome browsers.

We noticed that when signing into the Mac with a new user account, Clario does not start automatically. However, if manually started, it will then auto-start for that user in future.

Clario can be uninstalled from the program’s Help menu in the Mac menu bar.

Finding essential features

Clario does not have a status display as such. The default scan is accessible from the program’s home page. If you click on any part of the Anti-malware tile on the home page (other than the Quick Scan button), you can access scan options, quarantine, and scan exceptions. There is no means of scheduling a scan. Preferences can be found by clicking the “head and shoulders” icon in the top right-hand corner of the window, or in the Mac menu bar. However, these only relate to the Clario account, and do not allow configuration of the program. The program does not have a manual update feature (as is standard for modern security programs, Clario runs automatic updates).

Status alerts

Real-time protection can be activated or deactivated using the slider switch on the program’s home page. The text next to the switch states “Active” or “Not active” as appropriate, but there is no actual warning when the protection is turned off.

When malware was detected in our functionality check, Clario displayed the alert shown below. No user action was required, and the alert closed after 5 seconds.

Malware detection scenarios

In our functionality check, we found Clario to have highly sensitive and reliable on-access detection of malware. Malicious files that we downloaded or copied to the system were instantly detected and quarantined in all cases. When we tried to copy malware from a USB drive or network share to the system, Clario not only prevented the copy process, but also deleted the source malware on the external drive or share.

When we ran an on-demand scan of a USB flash drive containing malware samples, Clario automatically quarantined the malicious files, showed an alert, and displayed the results in the quarantine window.

Quarantine and Logs

The Quarantine page shows quarantined items, with detection name, file name and path. You can delete or whitelist and restore items, or use the program’s chat feature to ask a Clario expert what to do with a quarantined file. We note that neither date nor time of detection is shown, and that long file names or paths will be truncated. The window cannot be resized or maximised, so there is no way round this.

System Tray menu

Help

The help feature is accessed from the bubble symbol in the top right-hand corner of the window. It consists of a chat window, with which you can ask Clario for help. We tried this out, and immediately got a clear and helpful answer to our question. Obviously, a much more comprehensive test would be needed to accurately assess this service.

Advanced options

A macOS administrator account is required to uninstall the Clario program. However, both administrator and standard user accounts can disable protection features and restore items from quarantine. If you share your computer with anyone else, you can’t guarantee that it will remain protected.

Other points of interest

It is necessary to create a Clario account before buying the product. The status of individual protection components can be seen by clicking Areas on the left-hand side of the main window.

Advertising

The program’s homepage invites users to install the Clario mobile app, although – as it states – this is already included in the subscription and does not require an additional purchase.

Summary

MacKeeper is a paid-for security suite. In addition to malware protection, it provides performance-tuning, software-updater, ad-blocking, VPN and identity-theft-protection features. All of these features can be conveniently accessed from a single menu panel. There is also a live chat service that allows you to ask MacKeeper support for assistance. In our functionality check, we found MacKeeper to have sensitive and reliable on-access protection against malware. You do have to proactively enable this after installation, however.

Installation

To set up MacKeeper, you just need to download and run the installer from the vendor’s website. The setup wizard is very simple, with no decisions to make. After setup completes and the program window opens, you will need to go to the Antivirus window and follow the instructions for allowing the macOS system extension and full disk access, which will enable real-time protection. Clario tell us that in the future, a new version will be released, in which real-time protection will be enabled by default.

You will also have to enter a licence key to activate the program. We note that MacKeeper asks for permission to access your reminders. The program can be uninstalled by dragging its icon from the Finder Applications folder to the bin.

Finding essential features

Status, default scan, scan options and help can all be accessed from the Antivirus page of MacKeeper. Quarantine is also shown here, if there is anything in it. Preferences and logs are located in the Mac menu bar. To find subscription information, you need to log in to your MacKeeper online account. There is no means of scheduling a scan.

Alerts

When we disabled MacKeeper’s real-time protection, the alert below was shown in the main program window. We were able to reactivate the protection easily by clicking Enable.

When malware was detected in our functionality check, MacKeeper displayed the alert shown below. No user action was required, and the alert closed after 5 seconds.

Malware detection scenarios

In our functionality check, we found MacKeeper to have sensitive and reliable on-access detection of malware. Malicious files that we copied or downloaded to the system were immediately detected and quarantined. When we ran an on-demand scan of a USB flash drive containing malware samples, MacKeeper displayed a list of the detected items in its main window. We were able to quarantine them all with a single click.

Quarantine and Logs

Quarantined items are shown in Antivirus Quarantine. Here, you can delete or restore individual or multiple items.

System Tray menu

Help

The Open Help Center item in MacKeeper’s Help menu opens the program’s help page on the vendor’s website. This provides clear, precise instructions for common tasks, very well illustrated with screenshots. The live chat service on the right-hand side of the window allows you to ask MacKeeper support for assistance. We tried this out, by asking a question about activating the product, and received an instant and helpful answer. Obviously, a much more comprehensive test would be needed to accurately assess this service.

Advanced options

A macOS administrator account is required to uninstall the MacKeeper program. However, both administrator and standard user accounts can disable protection features and restore items from quarantine. If you share your computer with anyone else, you can’t guarantee that it will remain protected.

Other points of interest

Although the product does not offer a free trial as such, the antivirus component is fully functional even before activation, so you can try it out before making a purchase.

When a new user logs on to the Mac, MacKeeper does not start automatically. The program has to be started manually, and real-time protection enabled from the Antivirus page. The new user will also need to log in with a MacKeeper account to enable the full functionality of the program. This does not require an additional licence, however.

About the product

CrowdStrike Falcon Pro is a security package for business networks. Details of the management console described here are applicable to all supported operating systems (macOS, Windows and Linux).

CrowdStrike Falcon Pro provides endpoint protection software for macOS and Windows workstations, plus Windows servers. This is managed using a cloud-based console. As well as malware protection, the product includes investigative functions for analysing and remediating attacks. It can manage networks with thousands of devices. We note that CrowdStrike Falcon Pro is available as a fully managed service for organisations that desire a more hands-off solution to endpoint protection. CrowdStrike tell us that they have datacentres in the USA and EU, in order to comply with the respective data protection regulations.

Advantages

  • Investigative functions
  • Comprehensive search facilities
  • Clickable interface provides easy access to details pages
  • Encyclopaedia of known cybercriminal groups

Suitable for medium- to large-sized enterprises

Management Console

The console is navigated from the Falcon menu in the top left-hand corner of the console. This lists individual pages under headings such as Activity, Investigate, Hosts, Configuration, Dashboards and Users. You can easily bookmark any page of the console, and then go directly to that page using the Bookmarks section of the menu.

Activity\Dashboard page

This is the page you see when you first log on to the console. It shows various status items in large panels. There is a list of most recent detections, with a graphical severity rating. You can also see a graph of detections by tactic (e.g. Machine learning, Defense Evasion) over the past month. Terms from the MITRE ATT&CK Framework are used to show attack stages here. Some of the panels are linked to details pages. Thus, you can click on the New detections panel to open up the Detections details page.

Activity\Detections page

Here you can search a list of threat detections using a wide range of criteria. These include severity, tactics, detection technique, time, status and triggering file. For each detection, you can see full details, including a process tree view. You can assign a console user for remediation.

Activity\Quarantined Files page

As you would expect, this page lets you see files that have been quarantined by the system. You can see the filename, device name, number of detections counted on the network, user involved, and of course date and time of detection. Quarantined files can be released or deleted. Clicking on a quarantined file opens a details panel with additional information. This includes file path for the location where it was detected, file hashes, file size, file version, detection method and severity. There is a search function and a variety of filters you can use to find specific files within the quarantine repository.

Configuration\Prevention Policies page

Here you can create and edit the protection policies for endpoints. You can define behaviour for a number of different types of attack-related behaviour, such as ransomware, exploitation, and lateral movement. Some sensor components, such as Cloud Machine Learning and Sensor Machine Learning have separate configurable levels for detection and prevention. 5 different levels of sensitivity can be set, ranging from Disabled to Extra Aggressive. Custom Indicators of Attack (IOA) can also be created and assigned here.

Policies can be assigned to devices automatically by means of a naming system. For example, any device with “Mac” in its name can be automatically put into a specific group of macOS computers, to which a particular policy is assigned. Devices/groups can be assigned more than one policy, whereby a policy hierarchy determines which one takes precedence.

Hosts\Host Management page

The Hosts\Host Management page lists all the installed devices. You can immediately see which ones are online. Additional information includes operating system, policy, security status and sensor version. Clicking on a device’s entry opens up a details panel for that device. Here you can find additional information, such as device manufacturer, MAC address, IP addresses and serial number.

Intelligence\Actors page

This page provides details of known cybercriminal groups. You can see the nations and industries that each one has targeted, along with technical details of the attack methods used. CrowdStrike tell us that this information is also available in Detection details when a detection is associated with a specific actor.

Investigate\Host Search page

The Investigate menu provides an extremely comprehensive search facility. It lets you search for devices, hashes, users, IP addresses, domains and events. On the Host Search page, you can look for specific devices. A separate menu bar allows you to look for specific aspects, such as Activity (including detections), Vulnerabilities and Installed Applications.

Mac Endpoint Protection Client

Deployment

Installer files for the sensor (endpoint protection client) can be downloaded in .pkg format from the Hosts\Sensor Downloads page. Older versions of the sensor are also available, should you need them. The installer file can be run manually, via a systems management product, or using an AD script. Manual installation requires use of the Terminal. Instructions for this can be found under Documentation\Falcon Sensor for Mac in the main menu.

User interface on macOS client

With the settings used for this test, the user interface is completely hidden, and users cannot interact with the program at all. Detected files were not deleted, but quarantined in situ.

Malware detection scenarios

In our functionality check, we found CrowdStrike Falcon Pro for macOS to have sensitive and reliable on-access detection of malware. Malware that we downloaded or copied to the system was instantly detected and quarantined in all cases.

About the Product

FireEye Endpoint Security is a security package for business networks. Details of the management console described here are applicable to all supported operating systems (macOS, Windows and Linux).

FireEye Endpoint Security provides endpoint protection software for Windows and macOS workstations, plus Windows servers. A variety of console types is available. These include cloud-based, hardware appliance, virtual appliance, and Amazon-hosted. We describe the cloud-based console in this review. As well as malware protection, the product includes investigative functions for analysing and remediating attacks. The product is designed to handle very large organizations, with support for up to 100,000 endpoints per appliance.

Advantages

  • Attack investigation features
  • Variety of console types available
  • Suitable for medium- to large-sized enterprises
  • Comprehensive search feature
  • Containment feature lets you isolate infected devices

Management console

Dashboard

When you open the console, you will see an overview of key status items (screenshot above). These include the total number of hosts with alerts, with a breakdown by exploits and malware. Clicking on the Total hosts with alerts button opens the Hosts with Alerts page, shown below.

Hosts with alerts

As the name suggests, this page displays details of protected devices with alerts that have not yet been dealt with. If you click on the plus sign for a device, you can see a list of alerts for that device, in chronological order. With malware alerts, a wealth of detail is provided for each one. This includes status (e.g. quarantined), detection method (e.g. signature), file path, MD5 and SHA1 hashes (but not SHA256), file size, last modified and last accessed times, process path, username of logged-on user, detection name, threat type, and times of first and last alerts for the item. Each threat can be acknowledged (marked as “read”), or marked as a false positive. You can also add comments to the threat details, for future investigation.

Alerts

For a threat-centric rather than a device-centric view, you can go to the Alerts page. Here you can sort threats by name, file path, first or last detections, and hostname or IP address of the respective device. The options Acknowledge, Mark False Positive and Add Comment are provided here too.

Acquisitions

From the Hosts page, you can acquire a file or various items of diagnostic data from an individual device. The Acquisitions menu lets you download files that have been acquired from hosts, in order to analyse them.

Enterprise Search

This feature allows you to search the network for a very wide variety of items. These include application name, browser version, hostname, various executables, file names/hashes/paths, IP address, port, process name, registry key, service name/status/type/mode, timestamp, URL, username and Windows Event Message.

Policies

This feature is found in the Admin menu. Here you can configure numerous different aspects of the client protection policy. Examples are scans, whether to show the endpoint GUI on the client, logging, malware scan settings, polling frequency, tamper protection, scan exclusions, management server address and malware detection settings. Scans can be set to run on a schedule, or after a signature update or device boot.

Host Sets

These are simply groups of computers. They can be defined according to a wide variety of criteria, or simply by dragging and dropping from the list of all devices. These groups are used to apply different protection policies. The feature is found in the Admin menu.

Agent Versions

This is found in the Admin menu, and lets you download current and older versions of the endpoint agent for Windows and Mac systems. This allows the admin, for example, to avoid compatibility problems with a particular agent version on specific systems.

Appliance Settings

This page allows you to change settings for the management console itself, and is found in the Admin menu. There are controls for date and time, user accounts, notifications, network settings and licences, and more.

Mac Endpoint Protection Client

Deployment

Installer files in .dmg format can be downloaded from the Admin menu, Agent Versions. As the name suggests, the current and earlier versions of the client are provided. The installer file can be run manually, or via a systems management product such as Jamf. If you install the product manually, you will need to remember to give the agent full disk access in the macOS settings. This is a necessary action to enable the product to work properly.

After installation, the FireEye agent takes some minutes to download the protection engine. Protection will not be enabled until this is complete.

User interface on macOS client

The user interface is completely hidden, and users cannot interact with the program at all. No detection alerts are shown.

Malware detection scenarios

In our functionality check, we found FireEye Endpoint Security for macOS to have very sensitive and reliable on-access detection of malware. Malware that we downloaded or copied to the system was instantly detected and quarantined in all cases. When we tried to copy malware from a USB drive to the system, FireEye not only prevented the malware copy process, but also deleted the source malware on the USB drive.

Summary

Intego Mac Internet Security X9 is a paid-for security suite. In addition to anti-malware features, it also includes a firewall. This is a separate application within the bundle, called NetBarrier. In this review, we have focused on the antivirus application, VirusBarrier.

The program’s interface makes the most important functions easy to find and use. We found Mac Internet Security X9 to have sensitive and reliable on-access protection against malware. Standard user accounts cannot take any risky actions. Overall, the program is straightforward and reliable in use.

Installation

To set up Mac Internet Security X9, you just need to download and run the installer. The setup wizard is very straightforward, though you have to restart your Mac at the end of it. In our test, we found a bug in the program, which meant that real-time protection was not enabled by default. We reported this to Intego, who have now fixed the problem in the latest version. The program can be uninstalled by re-running the installer file and clicking Uninstall.

Finding essential features

Status, quick/full/custom/scheduled scans, settings, logs and quarantine are all found on the program’s home page. You can scan a file, folder or drive using Finder’s right-click menu. The update and help features are found in the Mac menu bar. The About box (VirusBarrier menu) shows the licence key and registered email address, but does not state when the licence expires.

Alerts

When we disabled Intego’s real-time protection, the alert below was shown in the main program window. We were able to reactivate the protection easily by clicking Turn On.

When malware was detected in our functionality check, Intego displayed the alert shown below. No user action was required. The alert persisted until we closed it.

Malware detection scenarios

In our functionality check, we found Intego to have sensitive and reliable on-access detection of malware. Malicious files that we downloaded or copied to the system were immediately detected and quarantined in situ. When we connected a USB flash drive to our Mac, Intego prompted us to scan it. We did this, and Intego displayed detected malware items in the detection dialog shown above.

Quarantine and Logs

The quarantine feature is shown above. There are options to delete, repair or restore the quarantined files. Logs displays a list of all system events, including updates, scans and real-time detections, enabling/disabling real-time protection, and items added to or deleted from quarantine. The applicable date and time are shown, along with a traffic-light colour-coding system for each item. Malware finds are thus shown as red, while enabling real-time protection is shown as green.

System Tray menu

Help

There are 2 help items in the Mac menu bar. Show Basic Help displays an overlay that explains the principal features in the main program window. VirusBarrier Help opens a comprehensive online manual that covers installation, configuration and use of the program. It is generously illustrated with screenshots.

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features
  • Restore items from quarantine
  • Uninstall the program

Standard macOS users (i.e. accounts without administrator rights) cannot perform any of the above tasks, which we regard as ideal.

Other points of interest

VirusBarrier uses Intego’s own detection engine to detect macOS malware, but makes use of the Avira engine to detect Windows malware.

Summary

Kaspersky Internet Security for Mac is a paid-for security suite with browser add-ons and parental controls. We found it very straightforward to use, with all the features easily accessible from the main program window or macOS menu bar. In our functionality test, all the features worked exactly as expected. Effective on-access detection quarantines any malware downloaded or copied to the system. Users without administrator rights cannot disable the protection or uninstall the program. Overall, the product is well designed and reliable in operation.

Installation

Having downloaded and run the installer, you need to double-click Install Kaspersky Internet Security\Download and Install. The only technical options are whether to install network protection and the browser extension(s). The latter are provided for Safari, Google Chrome and Mozilla Firefox, and can be selected independently of each other. The program can be uninstalled by clicking Support\Uninstall in the Help menu of the macOS menu bar.

Finding essential features

Update, status, scan options (including scheduled scan) and subscription information can all be accessed directly from the program’s home page. Settings (Preferences), logs (Reports), quarantine (Detected Objects) and help are all in the Mac menu bar. Additionally, a link to quarantine is shown on the home page when quarantined items are present.

Alerts

When we disabled Kaspersky’s real-time protection, the alert below was shown in the main program window. We were able to reactivate the protection easily by clicking Enable.

When malware was detected in our functionality check, Kaspersky displayed the alert shown below. There was also an audio alert, in the form of a lion’s roar. No user action was required, and the alert closed after 5 seconds.

Malware detection scenarios

In our functionality check, we found Kaspersky Internet Security for Mac to have reliable on-access detection of malware. Malicious files that we downloaded or copied to the system were detected and quarantined in all scenarios. When we tried to copy malware from a USB drive or network share, Kaspersky deleted not only the copied files on the Mac Desktop, but also the source malware on the USB drive or share. We noted a short delay, typically between 10 and 20 seconds, between the copy/download process completing and the files being detected by Kaspersky.

When we connected a USB flash drive to our Mac, Kaspersky prompted us to scan it. We did this, and Kaspersky automatically deleted the malicious files on it and showed an alert. No user action was required. We note that the scan prompt closed after 5 seconds, so a user would have to be quick to make use of it.

Quarantine and Logs

The Detected Objects page shows quarantined items. By clicking on the “…” symbol at the end of each line, you can delete or restore individual items (the latter only if you have an administrator account). You can delete all quarantined items using the Delete All button. The Reports page shows the location of detected objects, action taken, threat type, threat name, and date/time of detection.

System Tray menu

Help

Kaspersky Internet Security Help is found in the Help menu in the macOS menu bar. It opens the product’s support page on the Kaspersky website, which contains simple, clear feature descriptions and text instructions for using the program.

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features
  • Restore items from quarantine
  • Uninstall the program

Standard macOS users (i.e. accounts without administrator rights) cannot perform any of the above tasks, which we regard as ideal.

Advertising

Kaspersky Internet Security for Mac promotes Kaspersky’s parental control product, Safe Kids. The Safe Kids button on the home page of Internet Security simply opens a download link to the Safe Kids product.

Other points of interest

In our functionality check, we found that malware detection alerts were initially not displayed, and there was no option to enable these. However, when we connected a USB flash drive to the system, a prompt to enable notifications appeared, which we accepted. After this, visible and audible notifications were activated, along with the option to enable or disable these in the macOS Preferences dialog.

Kaspersky Internet Security for Mac uses graphics in the program window that could be described as “intelligent”. The program detects whether it is installed on a Mac laptop or desktop system, and accordingly shows either a desktop or a laptop graphic. The Update and Scan icons animate when in use.

Summary

Trend Micro Antivirus for Mac is a paid-for antivirus program with camera and microphone protection, an anti-ransomware feature, and a web-protection add-in for Safari. We were particularly impressed with the very effective on-access malware detection. The help features are clear, and convenient to access. Installing and uninstalling are both straightforward, and the clean UI design makes the most important features very easy to access and use. Consequently, Trend Micro Antivirus for Mac would be particularly well suited to non-experts. For advanced users, a resizable quarantine window would be appreciated. However, overall the program has been very well thought out, and gets all the important things right.

Installation

After downloading and running the installer file, you start the setup wizard by clicking Install Trend Micro Antivirus. The User Support folder on the same page includes a list of system requirements, and a succinct, well-illustrated Quick Start Guide. There is also an uninstaller, with which you can later quickly and easily remove the program, should you need to. The setup wizard is very straightforward. Aside from choosing whether to enter a licence key or use the trial version, there are no decisions to make. When it comes to the process of authorising Trend Micro extensions and permissions, the setup wizard provides a convenient “Verify” button, which checks whether you have successfully granted the necessary permissions. A Trend Micro Safari Extension is installed, and will be activated if you authorise this. When you first open the program, it prompts you to set up Camera and Microphone Protection and Ransomware Protection. For the latter, you can easily customise the default list of folders and drives to be protected.

Finding essential features

Status, update, default scan, scan options, subscription, logs/quarantine and help can be accessed directly from the Overview page (please see screenshot above). We note that the logging and quarantine functions are combined under Logs. Settings are found under Trend Micro Antivirus\Preferences in the Mac menu bar, as is to be expected for a macOS program. Scheduled scans can be configured in the Preferences dialog box. There is a context-menu scan entry, which lets you scan a drive, folder or file in Finder by right-clicking it.

Status alerts

When we disabled real-time protection, the alert below was shown in the main window. We were able to reactivate the protection easily by clicking Fix Now.

When malware was detected in our functionality check, Trend Micro displayed an alert in the main window (shown below). No user action was required. The alert persisted until we closed it.

The alert box remains on display until you close it. If you click on View Results in the alert box, it opens the logs/quarantine page and shows you what’s been detected.

Malware detection scenarios

In our functionality check, we found Trend Micro Antivirus for Mac to have exceptionally sensitive on-access detection of malware. Malware that we downloaded or copied to the system was instantly detected and quarantined in all cases. When we tried to copy malware from a network share or USB drive to the system, Trend Micro not only prevented the malware copy process, but also deleted the source malware on the USB drive or network share.

When we scanned a flash drive containing malware samples, Trend Micro automatically quarantined the malicious files without the need for any user action.

Quarantine and Logs

The quarantine and log functions are both accessed via the Logs page. Quarantine functionality, including options to restore or clean quarantined items, is reached by clicking List Quarantined Files on the Logs page. From here, you can view and delete any or all of the quarantined items.

As noted in previous years, the quarantine and log data is displayed in panels within small windows that cannot be resized or maximised. It is necessary to resize the columns to see all the content, and then scroll to the left to see all the data for one entry. We found this very inconvenient.

System Tray menu

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (using the slider buttons on the Overview page)
  • Make scan exclusions (using the diagnostic toolkit)
  • Restore items from quarantine (by clicking List Quarantined Files)
  • Uninstall the program

Standard macOS users (i.e. accounts without administrator rights) cannot perform any of the above tasks. We regard this as ideal.

Help

Clicking the ? icon in the main window opens a context-sensitive online manual. This provides a simple, clear guide to the program’s features and how to use them, well illustrated with screenshots.

Advertising

Trend Micro Antivirus for Mac advertises its vendor’s freemium Cleaner One Pro program. There is a link to this in the More Tools page of the program window. Also, running a Smart Scan will find “junk files”, and prompt the user to get Cleaner One Pro to remove these.

Other points of interest

The Safari add-in shows safety ratings for sites in Google web searches. These use e.g. a green tick icon for safe sites.

In the Trend Micro folder in the macOS Applications window is a diagnostic toolkit. With a macOS Administrator account, you can stop/start components; delete temporary files; uninstall if the standard uninstaller has problems; troubleshoot; collect debugging info; upload quarantined files to the vendor; collect network logs; create scanning exclusions.

We noticed a couple of glitches in Trend Micro’s website when trying to purchase the product. The German website offers to send an installation CD in the post, but does not allow you to enter your street address. The USA website states “Autorenewal details in cart”, but these are in fact not provided in the shopping basket.

Award levels reached in this Mac Security Review

This year, the following Mac security vendors receive our Approved Security Product award: Avast, Avira, Bitdefender, Clario (for the Clario app), CrowdStrike, FireEye, Intego, Kaspersky and Trend Micro.

Unfortunately, Clario’s MacKeeper app did not meet all of the listed certification criteria.

A summary of the reviewed products is shown below. If you are thinking of getting a security product for your Mac, we recommend that you also consider other factors, such as price, additional features and support, before choosing a product. We also recommend installing a trial version of any paid-for product before making a purchase.

Avast Security for Mac is a fully-featured but easy-to-use free antivirus program. It displays clear and persistent malware detection alerts.

Avira Antivirus Pro for Mac is a paid-for antivirus product with a password manager and (limited) system clean-up features. It has a very simple, easy-to-navigate interface.

Bitdefender Antivirus for Mac is a paid-for antivirus product that includes ransomware protection in addition to anti-malware features. It has an excellent user manual.

Clario Clario is a paid-for security suite that includes a VPN, added protection for online shopping and banking, and an ad blocker. It provides support via an integrated live chat service.

Clario MacKeeper is a paid-for security suite with additional security, privacy and performance-tuning features. It includes an integrated “Personal Tech Expert” (online chat service for technical queries).

CrowdStrike Falcon Pro for Mac is part of an endpoint protection package for enterprise networks. It has no user interface on client machines, and is managed using a web-based console.

FireEye Enterprise Security for Mac is part of an endpoint protection package for enterprise networks. The management is done by cloud console, and there is no GUI on client PCs.

Intego Mac Internet Security X9 is a paid-for security suite that includes a firewall in addition to malware protection. A simple but useful help feature explains the main functions using an overlay.

Kaspersky Internet Security for Mac is a paid-for security suite with additional protection for online financial transactions. It features intelligent icons in the program window.

Trend Micro Antivirus for Mac is a paid-for security suite with camera and microphone protection and an anti-ransomware feature. It features particularly sensitive real-time protection.

AV-Comparatives’ Mac Certification requirements

AV-Comparatives have strict criteria for certifying security programs. These are updated every year to take new technological developments into account. Certification by AV-Comparatives indicates that a product has proven itself to be effective, honest, transparent and reliable.

Possible reasons why a product may fail certification are listed below, though this is not necessarily an exhaustive list.

  • Poor Mac-malware detection rates (under 99% for Mac malware), poor Mac-PUA detection rates (under 75% for Mac PUA[1]) or false positives on common macOS software.
  • Significant performance issues (i.e. slowing down the system) that have a marked impact on daily use of the system.
  • Failure to carry out essential functions, such as updating, scanning, and detecting malware, reliably and in a timely fashion.
  • Untrue claims, such as stating that a macOS app also detects Windows malware, despite independent tests showing that detection of even prevalent Windows malware is (close to) non-existent.
  • Lack of real-time/on-access or on-execution scanning/protection. Providing only an on-demand scanner does not qualify for certification. Starting from 2021, for consumer products, real-time protection will have to be enabled by default after installation.
  • Being detected as PUA (or malware) by several different engines on multi-engine malware scanning sites (e.g. VirusTotal), either at the time of the test, or in the six months prior to it.
  • Scareware tactics in trial programs: exaggerating the importance of minor system issues, such as a few megabytes of space taken up by harmless but unnecessary files; fabricating security issues that do not exist.
  • Confusing or misleading functions, alerts or dialog boxes that could allow a non-expert user to take an unsafe action, or make them worry that there is a serious problem when in fact none exists.
  • For consumer products, very short trial periods (a few days only) combined with automatically charging for the product unless the user deliberately cancels the subscription. We regard 10 days as the minimum amount of time needed to assess a program.
  • “Trial” versions that do not make available all essential protection features such as real-time protection or ability to safely disable detected malware.
  • Bundling of other programs or changing existing system/app preferences (e.g. default search engine), without making clear to the user that this is happening and allowing them to opt out easily.

[1] What is “potentially unwanted” might be debatable, and a few apps that we would regard as PUA might be considered to be clean by some vendors. Consequently, this threshold is relatively low.

  • Avast: APPROVED
  • Avira: APPROVED
  • Bitdefender: APPROVED
  • Clario: APPROVED
  • MacKeeper: NOT APPROVED
  • CrowdStrike: APPROVED
  • FireEye: APPROVED
  • Intego: APPROVED
  • Kaspersky: APPROVED
  • Trend Micro: APPROVED

Copyright and Disclaimer

This publication is Copyright © 2021 by AV-Comparatives ®. Any use of the results, etc. in whole or in part, is ONLY permitted after the explicit written agreement of the management board of AV-Comparatives prior to any publication. AV-Comparatives and its testers cannot be held liable for any damage or loss, which might occur as a result of, or in connection with, the use of the information provided in this paper. We take every possible care to ensure the correctness of the basic data, but a liability for the correctness of the test results cannot be taken by any representative of AV-Comparatives. We do not give any guarantee of the correctness, completeness, or suitability for a specific purpose of any of the information/content provided at any given time. No one else involved in creating, producing or delivering test results shall be liable for any indirect, special or consequential damage, or loss of profits, arising out of, or related to, the use or inability to use, the services provided by the website, test documents or any related data.

For more information about AV-Comparatives and the testing methodologies, please visit our website.

AV-Comparatives
(July 2021)