Mac Security Test & Review 2013
Test period: July 2013
Number of test cases: 20 Mac, 500 Windows
Online with cloud connectivity
False alarm test included
In February 2013, Reuters and many other news agencies reported that Mac computers used by Apple’s own staff had been infected by malware. Apple admitted that some of its systems had indeed been compromised: the machines were infected through a compromised software-developer website that exploited a vulnerability in the Java browser plug-in, the same watering-hole attack that had shortly before compromised Facebook. Whilst this is in itself only a single small incident, it nonetheless demonstrates that OS X cannot be regarded as immune to malware attacks. The growing number of Mac users means that cybercriminals are increasingly targeting the platform, and there have been a number of other reliable reports of Mac malware attacks. Even if the number of malicious programs and successful infections is very small compared to those affecting Windows PCs, it is clear that the issue of Mac security needs to be taken seriously. As with Windows computers, Macs can be made safer by employing good security practices. We recommend the following:
- Never use an administrator account for day-to-day computing
- Use a sandboxed browser such as Google Chrome
- Uninstall/disable the standalone Flash Player
- Uninstall/disable Java
- Keep your Mac operating system and third-party software up-to-date with the latest patches
- Use secure passwords (the Mac includes the Keychain password manager)
- Deactivate any services such as AirPort, Bluetooth or IPv6 that you don’t use
- Consider employing security software on your Mac
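As an added illustration (not part of the AV-Comparatives report), the following script audits the account and service recommendations above on an OS X 10.8-era Mac. It is read-only: it reports, and the comments give the command that would change each setting. The network service name "Wi-Fi" and the Flash plug-in path are assumptions for a typical installation; the two text helpers at the top run on any POSIX shell, while the live checks only run on a Mac.

```shell
#!/bin/sh
# Added example, not from the AV-Comparatives report: a read-only audit of
# the Mac hardening recommendations above. Assumptions: the primary network
# service is called "Wi-Fi" (list yours with
# `networksetup -listallnetworkservices`) and the standalone Flash Player
# lives in /Library/Internet Plug-Ins.

# Return 0 if group $1 appears in the space-separated group list $2
# (the output of `id -Gn`). Pure text, so it can be tested anywhere.
is_in_group() {
    grp="$1"
    for g in $2; do
        [ "$g" = "$grp" ] && return 0
    done
    return 1
}

# Print the IPv6 mode ("Automatic", "Off", ...) from the output of
# `networksetup -getinfo <service>` passed in $1; empty if no IPv6 line.
ipv6_mode() {
    printf '%s\n' "$1" | sed -n 's/^IPv6: *//p' | head -n 1
}

# Print one finding: $1 = check, $2 = OK/WARN/INFO, $3 = detail.
report() {
    printf '%-18s %-4s %s\n' "$1" "$2" "$3"
}

audit_mac() {
    # 1. The day-to-day account should not be an administrator.
    if is_in_group admin "$(id -Gn)"; then
        report "admin account" WARN "$(id -un) is in the admin group"
    else
        report "admin account" OK "$(id -un) is a standard user"
    fi

    # 2. Standalone Flash Player plug-in present?
    if [ -d "/Library/Internet Plug-Ins/Flash Player.plugin" ]; then
        report "Flash Player" WARN "plug-in installed"
    else
        report "Flash Player" OK "not installed"
    fi

    # 3. Java runtime present? java_home exits non-zero when no JVM exists.
    if /usr/libexec/java_home >/dev/null 2>&1; then
        report "Java" WARN "JVM found at $(/usr/libexec/java_home)"
    else
        report "Java" OK "no JVM installed"
    fi

    # 4. Pending OS X updates: softwareupdate -l lists them, if any.
    report "OS X updates" INFO "$(softwareupdate -l 2>&1 | tail -n 1)"

    # 5. Bluetooth controller power state (1 = on).
    bt=$(defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState 2>/dev/null)
    if [ "$bt" = "1" ]; then
        report "Bluetooth" WARN "controller powered on"
    else
        report "Bluetooth" OK "controller off or unknown (${bt:-n/a})"
    fi

    # 6. IPv6 on the primary service; turn it off with:
    #    sudo networksetup -setv6off "Wi-Fi"
    svc="Wi-Fi"   # assumption: adjust to your service name
    mode=$(ipv6_mode "$(networksetup -getinfo "$svc" 2>/dev/null)")
    if [ "$mode" = "Off" ]; then
        report "IPv6 ($svc)" OK "off"
    else
        report "IPv6 ($svc)" INFO "mode is '${mode:-unknown}'"
    fi
}

# Only run the live checks on a Mac; the helpers above work on any POSIX sh.
if [ "$(uname)" = "Darwin" ]; then
    audit_mac
fi
```

Run it from the standard (non-administrator) account you use day to day; a WARN on the first line means the account itself is the problem, whatever the other checks say.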
We have reviewed and tested the following products for this report, using the newest version available in July 2013:
In this year’s review of antivirus programs for the Mac, we have taken a detailed look at the most important features and functionality of each program, using a similar format to our Summary Review for Windows programs. Even if there are fewer malicious programs aimed at Macs than at Windows PCs, the nature of those that do exist is essentially similar to their Windows counterparts, and so we feel that Mac antivirus software should function in a similar way, too.
First, we look at the installation routine of the software. At the very least, this should have a simple option for non-expert users, though a custom option that allows expert users a variety of configuration options is a welcome bonus. We also check what means are available to uninstall the program. After installation, we start the program and check whether the main window offers essential status information and protection functions. We would expect to see a status display that indicates whether the virus definitions are up to date and real-time protection is enabled, as these are the most important factors in ensuring the computer is protected. We also check (if possible) to see what sort of warning is shown when real-time protection is turned off; we feel that a clear warning should be shown, along with an easy means of rectifying the problem, such as a button or link that either reactivates the protection or opens a dialog box where this can be done manually. Another item we consider important is an update button, so that the user can ensure malware definitions are completely up to date. Of course, this does not apply to programs that are entirely cloud-based. The program interface should in our opinion also provide an easy means of running a scan, whereby we would hope to find options for a full system scan and a custom scan of a particular folder or drive. We check the OS X Finder context menu to see if the program has added a scan entry; this is not essential, but nonetheless a very convenient method of running a scan on a particular drive or folder. In the case of paid programs, we look to see if the subscription information (or a link to it) is displayed in the main program window; the user should know when it would be necessary to renew the subscription, in order to keep the Mac protected at all times. Finally, we check whether the help feature is easily accessible.
Particularly for a family computer, it is important that users with non-administrator accounts should not be able to deactivate important functions of the antivirus program such as real-time protection. We therefore log on to our test Mac using a non-administrator account (specified as such in the settings of the antivirus program, if necessary) and attempt to disable real-time protection, and then to uninstall the program completely.
A useful function in an antivirus program is the ability to schedule a scan, so that the computer will be checked regularly for malware without the user having to remember to do it. We look to see if each program in our test configures a scheduled scan by default, and how to set one up if not. We also note any options as to what should happen if a scheduled scan is missed.
We try to find out what sort of notification each program provides in the event that a threat is discovered. To do this, we use AMTSO’s Feature Settings Check pages (https://www.amtso.org/security-features-check/). These are intended to test the functionality of antivirus features using the EICAR test file (manual and drive-by download), a similar PUA (potentially unwanted application) test file, a test phishing site, and a test of cloud protection. The latter works by using a test file similar to EICAR, the definition for which participating vendors keep only in the cloud, never locally, so that a detection shows the cloud lookup is working. We must stress that the Feature Settings Check is NOT a detection test, and a program should not be considered inferior if it fails to respond to one of these tests. We have used it in this review purely as a means of demonstrating the alerts produced by a Mac antivirus program when a threat is discovered. We feel that when a threat is discovered, a good antivirus program should inform the user that this has happened; if a web page or download is blocked without any explanation, the user will very probably just be confused as to why. A warning message should either make clear that the threat has already been blocked/quarantined and that no further action is necessary, or offer a clear default option such as Block/Delete/Quarantine that does not require the user to decide whether a page or file is safe. Any option to view the page or download the file anyway, intended for advanced users, should be significantly less obvious and less accessible than the default “safe” option.
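The manual-download part of the check above can be reproduced locally without visiting the AMTSO pages. The following script, added here as an example and not part of the report or of AMTSO’s own pages, writes the 68-byte EICAR test string to a file and verifies its SHA-256 digest, so that a missing alert can be attributed to the product rather than to a mistyped string. The PUA, phishing and cloud tests have no offline equivalent; the name `eicar.com` and the temp directory used for the stand-alone run are assumptions.

```shell
#!/bin/sh
# Added example (not from the AV-Comparatives report or from AMTSO): create the
# EICAR test file locally and verify it, to provoke a Mac antivirus alert
# without using real malware. Assumed file name: eicar.com in $TMPDIR or /tmp.

# The 68-byte EICAR string. It must be written exactly, at the start of the
# file and without a trailing newline; single quotes keep $ and \ literal.
eicar_string() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# Published SHA-256 of the EICAR test file.
EICAR_SHA256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

# SHA-256 of stdin, using whichever tool is present (Linux: sha256sum,
# OS X: shasum, openssl as a fallback). Prints only the hex digest.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 | cut -d' ' -f1
    else
        openssl dgst -sha256 | sed 's/^.*= *//'
    fi
}

# Length of the test string in bytes (must be 68).
eicar_length() {
    eicar_string | wc -c | tr -d ' '
}

# Digest of the test string as generated in memory.
eicar_sha256() {
    eicar_string | sha256_stdin
}

# Write the test file to $1 and verify its digest. A Mac AV with real-time
# protection should react as soon as the file lands; if it does not, scan the
# containing folder on demand and note the alert (or silence) that results.
write_eicar() {
    out="$1"
    eicar_string > "$out"
    if [ "$(sha256_stdin < "$out")" = "$EICAR_SHA256" ]; then
        echo "wrote $out ($(wc -c < "$out" | tr -d ' ') bytes, digest verified)"
    else
        echo "digest mismatch: $out was altered, or already removed by the AV" >&2
        return 1
    fi
}

# Stand-alone run: drop the file in the temp directory and report.
write_eicar "${TMPDIR:-/tmp}/eicar.com"
```

A product that quarantines the file the moment it is written will make the digest check fail with the "already removed" message, which is itself the result you are looking for; the interesting case is a product that lets the file sit until an on-demand scan, and the wording of the alert it then shows.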
The last area of each program that we look at is the documentation and help features offered by each vendor. These may include user manuals, a local help feature, online help and knowledge base articles. We feel that at a minimum, a program should provide some guide to everyday tasks such as updating and scanning, ideally illustrated with screenshots. A search function, whereby the user can type in a term such as “scan exclusions” without having to browse through all available articles, is also highly desirable.
To conclude our review of each Mac antivirus program, we summarise our overall impressions and note any areas where we feel the software is very good, as well as suggesting possible improvements.
Malware Protection/Detection Test
In addition to the interface review described above, we have also conducted actual malware protection tests to see how effectively the Mac security products protect the system against malware. For this test, we used 20 recent and prevalent samples of Mac malware that are not blocked by Mac OS X Mountain Lion’s own built-in protection (XProtect and Gatekeeper). All are distinctly malicious, functioning programs that were seen in the field in 2013. As usual, we did not include any potentially unwanted or grey samples (adware, hacking tools, etc.) in the set. We also excluded component files (of which there could be thousands), as these cannot run and pose no risk by themselves; certain magazine tests tend to use such files just because various products detect them, but we consider components irrelevant. We ended up with a test set of 20 malicious Mac apps found in the field that pose a risk to users and should be covered by Mac security products. In our opinion, these 20 malicious Mac apps represent a substantial part of all recent Mac malware from the first half of 2013.
The number of malicious programs that can currently attack Mac OS X Mountain Lion is thus very limited. However, as most Mac systems do not run any third-party security software, even these few threats could cause widespread damage. Precisely because a Mac security product only has to identify a small number of samples, we would expect it to protect the system against all threats that have not yet been blocked by OS X itself.
Before the test, OS X was updated and a disk image created; no further OS X updates were then applied. Each program was installed on the freshly imaged machine and its definitions updated as of 19th July 2013. A USB flash drive containing the malware samples was then plugged into the test computer; at this stage, some antivirus programs already recognised some of the samples through their real-time protection. We then ran an on-demand scan of the flash drive, from the Finder context menu if available, otherwise from the main program window. Finally, we attempted to run any of the malware samples that had not yet been detected.
Of the Mac security products tested, all except Quick Heal protected against every one of the 20 Mac malware samples. No false alarms were encountered with any of the products (over a small set of very commonly installed Mac apps).
Some (but not all) of the Mac security products in our review claim to detect Windows malware as well as Mac malware, thus ensuring that the user’s computer does not inadvertently act as a conduit for programs that could attack Windows PCs. For this reason, we have also checked whether the Mac antivirus products in our review detect Windows malware. We used around 500 very prevalent Windows malware samples; the procedure was identical to that for Mac malware, except that we made no attempt to run any samples that were not detected in the scan, as Windows programs cannot be executed under OS X. AVIRA, ESET, Kaspersky, Quick Heal, Sophos and KromTech detected all the Windows malware samples. F-Secure and Intego detected the majority, but not all, of the prevalent Windows samples; F-Secure state that their Mac products provide only limited coverage of Windows malware.
The chart and table below show the protection results for the products in the review. The figures for Mac malware protection indicate the number of samples blocked at any stage of the testing procedure, i.e. regardless of whether the malware was detected/blocked in one of the on-demand scans, by real-time protection, or on-execution.
Product                                      Mac Malware Protection (20 recent samples)
AVIRA Free Mac Security                      100%
ESET Cyber Security Pro                      100%
F-Secure Anti-Virus for Mac                  100%
Intego Mac Premium Bundle                    100%
Kaspersky Internet Security for Mac          100%
Quick Heal Total Security for Mac            50%
Sophos Anti-Virus for Mac Home Edition       100%
Award levels reached in this Mac Security Review
Copyright and Disclaimer
This publication is Copyright © 2013 by AV-Comparatives ®. Any use of the results, etc. in whole or in part, is ONLY permitted after the explicit written agreement of the management board of AV-Comparatives prior to any publication. AV-Comparatives and its testers cannot be held liable for any damage or loss, which might occur as result of, or in connection with, the use of the information provided in this paper. We take every possible care to ensure the correctness of the basic data, but a liability for the correctness of the test results cannot be taken by any representative of AV-Comparatives. We do not give any guarantee of the correctness, completeness, or suitability for a specific purpose of any of the information/content provided at any given time. No one else involved in creating, producing or delivering test results shall be liable for any indirect, special or consequential damage, or loss of profits, arising out of, or related to, the use or inability to use, the services provided by the website, test documents or any related data.
For more information about AV-Comparatives and the testing methodologies, please visit our website.