| Release date | 2020-06-29 |
| Revision date | 2020-06-22 |
| Test Period | June 2020 |
| Number of Testcases | 207 Mac Malware 400 Mac PUA 500 Windows |
| Online with cloud connectivity |  |
| Update allowed | |
| False Alarm Test included | |
| Platform/OS | MacOS |
It is an often-heard view that macOS computers don’t need antivirus protection. Whilst it is certainly true that the population of macOS malware is very tiny compared to that for Windows and Android, there have been instances of macOS malware getting into the wild. Moreover, Apple Mac security needs to be considered in the wider context of other types of attacks.
In addition, it should be noted that Apple themselves ship some anti-malware capabilities within macOS. Firstly, there is “Gatekeeper”, which warns when apps without a digital signature are run. Then there is “XProtect”, which checks files against known-malware signatures. Finally, Apple provide the MRT (Malware Removal Tool). Gatekeeper and MRT are essentially invisible to users and have no direct user interface for the user. System updates are installed automatically using the update process. The effectiveness of Apple’s built-in anti-malware features have been questioned, however, and some security experts recommend strengthening the defences by adding in a third-party antivirus package. There are many good reasons for this. Firstly, the approach taken by Apple might be adequate for well-established malware, but might not respond quickly enough to emerging threats. Secondly, you might want a broader base of malware evaluation. Thirdly, macOS is not immune to bugs.
Some vendors’ macOS security products can detect malware aimed at other operating systems too. Hence an AV program on your macOS computer could effectively handle Windows and Android malware as well. There are scenarios where you might well benefit from scanning for such threats. For example, if you are given a USB stick of photos by one friend, who asks you to make a copy for a second friend. They both use Windows, but you are using a macOS computer. There is Windows malware on the USB stick, and you make a copy of all the files. In this scenario, it is useful to be able to ensure that malware is not inadvertently passed on from one friend to another, even if your own machine is not at risk.
Mac security programs can offer other capabilities too. For example, browser extensions can identify web sites which are potentially phishing locations. Readers should note that Mac users are just as vulnerable to phishing attacks as users of e.g. Windows, as phishing sites function by deceiving the user rather than by altering the operating system or browser.
Other packages might offer VPN (virtual private network) capabilities which can be useful when you need to operate your computer in an untrusted environment, or a public location such as an Internet café, where you are not sure of the integrity of the connection. You might also want to replace macOS’ built-in parental control capabilities with third party tools, if you believe this is more appropriate to your family needs.
Before purchasing a Mac security solution, you also need to decide on the size and scope of the protection you wish to deploy. It might be for a single computer, or for a laptop and desktop. Or you might have a family environment. There might be a mixture of macOS laptops and desktops, but also other devices too like Windows desktops and laptops, along with iOS and Android phones and tablets. For this environment, a broader and more flexible licensing package might well be appropriate.
This could allow you to purchase e.g. 5 licenses and then distribute them amongst your collection of devices. It could also give you the flexibility to transfer licensing from one device to a new item, e.g. if you need to replace an aging Windows laptop with a new MacBook. Some packages offer cloud-based management interfaces. Usually this is to cover the licensing of the packages, but some can also be used to initiate malware scans and device updates and manage parental control capabilities.
Then there are packages which are really aimed at the business and corporate space. Here the macOS support is but one component of a much larger deployment and management infrastructure. This will cover all devices and operating systems, often running thousands of managed devices. Although it might be tempting to go for a larger and stronger solution than is appropriate for your organizational size, be aware that the larger platforms have significant up-front design, management and deployment overheads. This is required to allow these tools to scale to the sizes that they can support, and they usually bring in a level of day-to-day commitment which, although entirely proper and required in a larger enterprise, is simply beyond the capabilities and resourcing of a small company.
Experienced and responsible Mac users who are careful about which programs they install, and which sources they obtain them from, may well argue – very reasonably – that they are not at risk from Mac malware. However, we feel that non-expert users, children, and users who frequently like to experiment with new software, could definitely benefit from having security software on their Mac systems, in addition to the security features provided by the macOS itself.
Readers who are concerned that third-party security software will slow their Mac down can be reassured that we considered this in our test; we did not observe any significant performance reduction during daily operations with any of the programs reviewed.
As with Windows computers, Macs can be made safer by employing good security practices. We recommend the following:
We have reviewed and tested the following products for this report, using the newest version available in June 2020:
We congratulate these manufacturers, who elected to have their products reviewed and tested, as we feel their commitment is a valuable contribution to improving security for Mac systems.
The Malware Protection Test checks how effectively the security products protect a macOS system against malicious apps. The test took place in June 2020, and used macOS malware that had appeared in the preceding few months. We used a total of 207 recent and representative malicious Mac samples.
In the first half of 2020, thousands of unique mac samples were collected. However, this figure includes many samples which could be classified as “potentially unwanted” – that is, adware and bundled software – depending on interpretation. Very many of the samples are often near-identical versions of the same thing, each with a tiny modification that just creates a new file hash. This enables the newly created file to avoid detection by narrow blacklist-based protection systems such as XProtect. There were in fact almost no new families, and only some dozens of really new variants, of true Mac malware seen in 2020 – the number of real macOS malware decreased. Some of these will only run on older versions of the macOS operating system. The 207 samples used for the test represent an accurate guide to the current threat landscape, even if the sample size seems very small compared to what is commonly used for Windows. As most Mac systems do not run any third-party security software, even these few threats could cause widespread damage. Precisely because a Mac security product only has to identify a small number of samples, we would expect it to protect the system against most (if not all) of the threats, so the protection rate required for certification is relatively high.
Before the test, the macOS systems were updated and an image created; no further OS updates were then applied. Each program was installed on the freshly imaged machine and the definitions updated to the 8th June 2020. The Mac remained connected to the Internet during the tests, so that cloud services could be used. A USB flash drive containing the malware samples was then plugged in to the test computer. At this stage, some antivirus programs recognized some of the samples. We then ran a scan of the flash drive, either from the context menu or from the main program window. Any detected samples were removed. After this, any remaining samples which had not been detected by the real-time protection or scan were copied to the Mac’s hard disk. These remaining samples were (where possible) then executed, providing the security product with a final chance to detect the samples. In addition to the Mac malware samples, we also performed a false alarm test on a set of clean Mac programs to check for false positives. None of the programs we tested produced any false alarms.
As noted above, there has been a big increase in the number of potentially unwanted applications recently. To take account of this, we tested detection of 400 prevalent Mac PUAs. The testing methodology was the same as that for the malware testing described above.
Most Mac security products claim to detect Windows malware as well as Mac malware, thus ensuring that the user’s computer does not inadvertently act as a conduit for programs that could attack Windows PCs. For this reason, we also checked if the Mac antivirus products detect Windows malware. We used 500 prevalent and current Windows malware samples; the procedure was identical to that for Mac malware, except that we did not make any attempt to run any of the samples that were not detected in the scan, as Windows programs cannot be executed under macOS.
The table below shows protection results for the products in the review. The figures for Mac malware protection indicate the number of samples blocked at any stage of the testing procedure, i.e. regardless of whether the malware was detected/blocked in one of the on-demand scans, by real-time protection, or on execution.
| Product | Mac Malware Protection 207 recent Mac samples |
Mac PUA Protection 400 prevalent Mac samples |
Windows Malware Detection* 500 prevalent Windows samples |
|---|---|---|---|
| Avast Security for Mac | 100% | 100% | 100% |
| AVG Internet Security for Mac | 100% | 100% | 100% |
| Avira Antivirus Pro for Mac | 100% | 100% | 99% |
| Bitdefender Antivirus for Mac | 100% | 100% | 100% |
| CrowdStrike Falcon Prevent for Mac | 99.5% | 98% | 86% |
| FireEye Endpoint Security for Mac | 100% | 100% | 99% |
| Kaspersky Internet Security for Mac | 100% | 99%** | 100% |
| Pocket Bits BitMedic Pro Antivirus |
88.9% | 49% | 19% |
| Trend Micro Antivirus for Mac | 99.5% | 99% | 99% |
| * Detection of Windows threats on Macs can be seen as discretionary. Some products do not include detection for non-Mac threats or have limited detection capabilities due to technical constraints ** If PUA detection is manually enabled. All other consumer products had PUA detection on by default. |
|||
A list of antivirus programs for Mac can be seen here:
https://www.av-comparatives.org/list-of-av-vendors-mac/
Here we have outlined the features and functionality that we have looked at for each program in this review.
Here we describe the nature of the product and its features, including whether it is free or requires a subscription, and give an overview of our experience with it.
This describes how to get the product up and running on your Mac(s), starting with downloading the installer, and finishing with any post-setup tasks needed. These might include installing and allowing browser extensions, for example. We note any options available, and whether you have to make any decisions during installation. There is also a note on how to uninstall the product, should you need to. Please note that when installing any antivirus product on macOS Catalina (which was used for the tests and reviews), it is necessary to go into the System Preferences and give the program specific permissions, such as Full Disk Access. As this process is essentially identical for all products, we have not mentioned it in the individual reviews. However, non-expert users might consider asking for help with the installation of their chosen product, if they do not feel confident about doing it themselves.
Here we consider how easy it is to find the most important functionality in each program: status, update, different types of scan including scheduled scans, subscription information (not applicable to free programs), quarantine, logs, settings and help.
Status alerts: It’s important to know whether your security program is working properly. We look at how the current status is displayed, what sort of warning is shown if real-time protection is disabled, and how to correct this.
Behaviour on malware detection: We run a functionality test to determine how each program behaves when it encounters malware. This is entirely separate from the malware protection test, and is run on different systems. We connect a USB flash drive containing a few samples of common Mac malware, which all the tested programs are known to detect. Some security programs will automatically detect the malware without the user needing to do anything; if not, we attempt to copy the malware samples onto the Desktop of the currently logged-on user. We note at which stage the malware is detected, and what sort of alert is shown. For programs that do not automatically detect and delete/quarantine the malware when the external drive is connected, we attempt to run the malware directly from the external drive.
Quarantine and logs: We check the functionality that shows you which malicious items have been found, what information is provided about them, and what the options are for dealing with them (e.g. delete or restore).
Help: There is a brief description of each program’s main help feature (accessible from the program interface)
Advanced Options: We check to see if both administrators and standard users can disable protection features, make scan exclusions, restore items from quarantine, or uninstall the program.
Avast Security for Mac is a free antivirus program. The program is very simple to install, and most common features are easy to find in the clean, well-laid out GUI. Avast Security has highly effective on-access protection, which instantly detects any malware and prevents it being copied to the system. Alerts are clear and persistent, giving you time to read them. A “Fix-All” button lets you easily reactivate any disabled protection components.
To set up Avast Security on your Mac, you just download and run the installer file, then double-click Install Avast Security. You can change the installation folder, if you so choose. The default installation includes the Google Chrome browser, but you can opt out of this in the setup wizard. There is also the opportunity to upgrade to the Premium version. You can uninstall the program by clicking Avast Security in the menu bar, then Uninstall Avast Security.
Status, default scan, scan options, and quarantine (Virus Chest), are all found on the home page of the main program window. Settings (Preferences) can be opened from the menu in the top right-hand corner, or the Mac menu bar. Subscription information is not applicable, as the program is free. Updates can be run by clicking Preferences, General (as is standard for modern security programs, Avast Security for Mac runs automatic updates as well). You can scan a drive, folder or file from the Finder context menu, by clicking Scan with Avast. The help file is accessible from the Help menu in the Mac menu bar.
If real-time protection is disabled, warnings are displayed on the Status page. To reactivate the protection, click Turn ON, and then set the all the slider buttons on the Core Shields page to ON.
When you connect an external drive, Avast Security takes no action. However, as soon as you start browsing through folders containing malware, the on-access detection springs into action and starts detecting the malicious files. An example alert is shown below. It persists until you close it.
Virus Chest displays files that have been quarantined, and allows you to delete or (with an administrator account) restore any/all items.
A help file with basic FAQs and clear, simple text answers is provided. You can open it from the Help menu in the Mac menu bar.
Power users with a macOS Administrator account can perform the following tasks (caution is advised):
Standard macOS users (i.e. accounts without administrator rights) cannot perform either of these tasks, which we regard as optimal.
An advertising strip along the bottom of the main program window promotes Avast’s paid-for security packages. We also noticed a pop-up for the anti-ransomware feature of these products while we were testing the program.
AVG Internet Security for Mac is a paid-for security suite with email, web, phishing and ransomware protection. The program is simple to install, and we were able to find almost all the essential functions easily. Overall, the program is very suitable for non-expert users. It has all the essential security functions, and largely executes them well. AVG’s on-access detection dealt with malware samples on an external drive very effectively, and displayed a well-designed alert dialog box. We liked the fact that the help search box can find menu items as well as help-file content. However, we were surprised to see that AVG have removed the Fix All button that used to be displayed when protection was disabled. Such a feature is a very useful and more-or-less standard feature for antivirus programs. We also felt that the advertising for AVG’s paid VPN product somewhat exaggerates the risks of using a standard unencrypted Internet connection.
To set up AVG AntiVirus for Mac, just download and run the installer, and double-click Install AVG AntiVirus. The installation wizard is very simple. There are no decisions to make, but you can change the location of the installation folder if you want. You can uninstall the program by clicking AVG Internet Security in the Mac menu bar, then Uninstall AVG Internet Security.
On the program’s home page you can find status, update, default scan and scan options (including scheduled scans). You can scan a drive, folder or file by right-clicking it and clicking Scan with AVG in the Finder context menu. You can open quarantine by double-clicking the Computer tile on the homepage. There is no separate log feature. General Settings can be found under Preferences in the AVG Antivirus menu in the Mac menu bar, as is normal for macOS programs. Protection settings for the Computer and Web & Email components can be found by clicking their respective tiles on the home page. The help feature is found in the menu of the same name. You can see subscription information by clicking AVG Internet Security/Subscriptions in the menu bar.
If real-time protection is disabled, very obvious red warning messages are shown on the home page. Unlike previous versions of the product, the current AVG Internet Security does not have a Fix All button. We do not understand why AVG have removed this very useful functionality. To reactivate the protection, you have to click the Computer tile and set the slider switch to the “on” position.
When you connect an external drive to your Mac, AVG does not take any immediate action. However, as soon as you open a folder on the drive that contains malware, AVG’s on-access protection immediately detects and quarantines the malicious files. A sample alert is shown below:
The alert persists until you close it. You can browse through the detected threats using the arrow buttons in the top right-hand corner. You can also get more information about each threat by clicking See details in the bottom right-hand corner. This area includes a convenient link to quarantine.
The quarantine and logs features are combined in the Quarantine window. Here, you can see a list of quarantined threats, along with the path to their original location, plus the date and time of detection. You can delete or restore any or all items here. The “breadcrumb trail”, used to show the location where the malware was detected, uses a clever trick. Many of the steps in the trail are compressed, so as to fit the entire trail into the window. However, if you mouse over any compressed step, the text is expanded so that you can read it in full. No additional information about the detected malware is available, however.
Clicking Help in the Mac menu bar, then AVG Internet Security help, opens a simple help file with basic FAQs, such as “How do I keep my Mac secure?” and “What is File Shield?”. Simple but clear text answers are provided. The menu also includes a search box, with which you can look for items in the help file. It will also find menu commands. For example, if you type “preferences”, it will show you a link to the Preferences dialog box. This is a neat and convenient way of accessing program commands.
Power users with a macOS Administrator account can perform the following tasks (caution is advised):
Standard macOS users (i.e. accounts without administrator rights) cannot perform any of the above tasks. We regard this as ideal.
An advertising strip frequently appears along the bottom of the program, as shown below. This states that “privacy issues” have been found. Clicking on Resolve opens a separate window, which displays a number of warnings such as “Anyone can see what you do online”. If you click on Resolve All, a purchase page for AVG Secure VPN opens.
Avira Antivirus Pro for Mac is a straightforward, paid-for antivirus program. It is very simple to install, and all the important features are easy to find in the interface. Real-time protection is very sensitive, and automatically detects malware on external drives when you connect them. The program’s built-in help feature is very limited in its scope. However, overall the program is well designed and intuitive to use.
Avira Antivirus Pro for Mac is a straightforward, paid-for antivirus program. It is very simple to install, and all the important features are easy to find in the interface. Real-time protection is very sensitive, and automatically detects malware on external drives when you connect them. The program’s built-in help feature is very limited in its scope. However, overall the program is well designed and intuitive to use.
Status, default scan, scheduled scan, scan options, quarantine, and settings can all be accessed from the Scanner (home) page of the program window. You can update signatures from the System Tray icon menu. Subscription information can be found by clicking Account\My Account and logging in. The help feature is found in the Help menu in the Mac menu bar. You can scan a drive, folder or file from the Finder context menu. You can also drag and drop items to be scanned onto the appropriate area of the Scanner page.
If real-time protection is disabled, an alert is shown in the main program window. You can reactivate protection by clicking Enable all services.
When you connect an external drive, Avira automatically detects and quarantines the malware found, and displays an alert. This closes automatically after a few seconds.
The Quarantine page of the program shows you all the items that have been quarantined, along with the date and time this happened. There are options to delete, rescan and restore any of the detected files. If you move your mouse pointer over an individual quarantined item, a More info link will be displayed. This lets you find out more about the threat and where it was detected.
Activity shows a log of all system events, including detections, scans, updates, warnings and component activation/deactivation.
Avira Help (in the Help menu in the Mac menu bar) displays overlay balloons explaining the menu items in the program interface. This provides a clear and simple introduction to the program’s features, but is obviously limited in its scope.
Power users with a macOS Administrator account can perform the following tasks (caution is advised):
Standard macOS users (i.e. accounts without administrator rights) cannot do any of these, which we regard as ideal.
Avira Antivirus Pro for Mac makes unusually clear use of the Mac menu bar. Only two menus are displayed – Avira and Help – which makes it easy to find what you want.
Bitdefender Antivirus for Mac is a paid antivirus program with ransomware protection, a data-limited VPN feature, and a browsing-protection add-in for Safari/Chrome/Firefox. We found it very straightforward to install and use. The user manual is easy to find, comprehensive, and very well produced. Effective real-time protection immediately detects and cleans malware on first contact. Overall, the product gets every important detail right, providing solid protection features in a very well-designed interface. Both expert and non-expert users should find it suitable for their needs.
After downloading and starting the installer file, you just need to double-click the setup package icon to start the setup wizard. You do not need to make any decisions, though you can change the interface language and the location of the installation folder. When setup is complete, you need to create a Bitdefender account and sign in. An optional introductory tutorial then starts, after which the program window displays a recommendation to install the Traffic Light extension for Safari. After that, the Bitdefender window recommends configuring Safe Files, the product’s ransomware protection feature. Next, Bitdefender suggests setting up Apple’s Time Machine backup feature, and finally running a system scan. Whilst the setup process is certainly longer than for most other antivirus programs, everything is clearly explained as you go along. You can uninstall the program from the Bitdefender icon in the Finder Applications window.
Status, quick and full scans, subscription information, settings and help are all directly accessible from the program’s Dashboard (home page). You can find custom scan, quarantine and scan exceptions under Protection. Update is in the Actions menu in the Mac menu bar. There is no scheduled scan function, but you can scan a drive, folder or file using the Finder context menu. Logs are shown under Notifications.
If real-time protection is disabled, an alert is shown in the status area of the main window.
You can reactivate the protection by clicking Enable.
If you connect an external drive containing malware, Bitdefender’s real-time protection immediately detects and cleans the infected files. The alert below is shown:
The message box closes itself once all detected items have been shown:
The message box closes itself once all detected items have been shown
The Quarantine window lets you view and delete quarantined files. If you are using a macOS admin account, you can also restore files from here.
The right-hand pane of the quarantine window shows you the threat name. However, there is no means of accessing any more information about this.
Notifications is the log feature. It displays events such as updates, component activation, and malware detections.
Antivirus for Mac Help in the Mac menu bar opens a very comprehensive manual in .PDF format. This covers all aspects of using the program, and includes a glossary of malware types. It is fully indexed, and very well illustrated with screenshots.
Power users with a macOS Administrator account can perform the following tasks (caution is advised):
Standard macOS users (i.e. accounts without administrator rights) cannot perform any of these tasks, which we regard as ideal.
If you install the Traffic Light extension for Safari add-in, safety ratings are added to Google searches. For example, green tick (checkmark) symbols are used to indicate safe sites. There are similar add-ins for Firefox and Chrome.
CrowdStrike Falcon Prevent is a security package for business networks. Details of the management console described here are applicable to all supported operating systems (macOS, Windows and Linux). Falcon allows you to look for malicious activities and adversaries (nation state, eCrime, or hacktivist actors). The cloud-based management console can be run from the cloud on any modern browser.
CrowdStrike Falcon is a very comprehensive platform. It provides not only AV services within an organization, but also a comprehensive set of detection and analysis services. We note that CrowdStrike Falcon is available as a fully managed service for organizations that desire a more hands-off solution to endpoint protection. Otherwise, it is aimed at the larger organization, and is not really a “fit and forget” product. Basic everyday monitoring and management tasks are simple enough, even with minimal understanding of its operations. However, the product’s capabilities are sufficiently deep that making some investment of time for learning is worthwhile to realize maximum value. CrowdStrike tell us that learning modules are available on-line or via external consultancy.
The management infrastructure comes pre-packaged for you in a cloud console and requires no on-premises equipment – only a modern browser. Deployment of the client “sensor” (agent) is quite simple here. It relies on the download of the installation package appropriate to the target platform. For macOS clients, activation requires the use of a simple Terminal command, which is described in the product’s support pages.
Once installed, the Falcon Sensor is almost invisible to the end user. Docker support allows the installation of the Falcon agent on hosts running Docker.
Deployment across an organisation will take planning and appropriate tools. This includes preparation for the appropriate layers of policy to be applied to users. Once this work has been done, deployment should be quite straightforward.
The management console is based in a web browser, as you would expect from a cloud-based solution. Two-factor authentication is required to log in, and support for single sign-on solutions is available. There is a menu of buttons down the left-hand side, and this menu can be expanded by clicking on the Falcon icon at the top left. The major items are Activity, Investigate, Hosts, Configuration, Dashboards, Discover, Intelligence, Users, and Support.
Activity is the first place to start work once the platform is up and running. There is a strong dashboard here, with the most important items brought into view. Good graphics show detections by scenario over the last 30 days, and you can click through here into the Detections submenu to view more detail. You get a strong reporting infrastructure, with a good choice of filter options presented front and centre here. You can also examine quarantined files and real-time response sessions here too.
The Investigate menu takes you into a comprehensive search facility. This covers hosts, hashes, users, IP addresses, domain and event searching. This is aimed at locating specific issues across the network estate in the recent history. The default is 24 hours, pre-set filters are provided up to 60 days, and customization options are available.
The Hosts/Host Management page, shown above, lists all the device installations, by version and platform. It provides immediate understanding of which devices are offline or disconnected. From here, you can go to the Sensor Download menu and download sensor installations for all the platforms.
The Configuration menu is the heart of the policy driven process within CrowdStrike Falcon. From here, you create policy definitions which cover all aspects of the AV and prevention processes of the platform. And then you apply that process to groups of installations. You can have different policies for Windows, Mac and Linux clients here too.
The Dashboards menu gives access to the executive summary view of the estate. There are detailed graphics for detections by scenario and severity, and identifications of the top 10 users, hosts and files with most detections. This is just the tip of a very deep iceberg, allowing for comprehensive analysis of what is happening. You can search by almost anything, and use this to discover what has happened on the network during an outbreak. This includes where something entered, how it attempted to execute, what processes it used, and how it was contained. Getting through this is not for the fainthearted, but it cannot be denied that you have very powerful set of audit and analysis tools here.
The Discover menu allows you to discover devices, users and applications on the network. You can search by application inventory, asset, MAC address, accounts and other app/process-based inventory. You can also review user account information including domain accounts, local accounts and their password reset status.
The Intelligence menu takes you into an overview of the current landscape threat as perceived by CrowdStrike. This can be categorised by different factors. Examples include geographical origin of threat, target industry, target country, and motivation (espionage/criminal/Hactivist and destruction). Each threat is detailed by these parameters. Clicking View Profile on the threat takes you to a comprehensive analysis and explanation of that specific threat. This is a comprehensive resource, which is unusual and most welcome.
The User menu allows you to create the usual user profiles for administrators and other activities within the platform. There are pre-built roles already created for Endpoint Manager, Event Viewer, Administrator, Analyst, Investigator, Real Time Responder, and others. You can map these roles onto existing internal working structures, or to custom-build new roles as required.
The CrowdStrike Store allows you to extend the capabilities of the Falcon platform with a host of ready-to-go partner apps and add-ons.
On the end-user client, the default setting is to have the client completely invisible to the user. No alerts or user interface are shown. In our test, we found that malware copied to the test system was immediately detected and deleted on access.
FireEye Endpoint Security is a security package for business networks. Details of the management console described here are applicable to all supported operating systems (macOS, Windows and Linux).
FireEye Endpoint Security customers have the option of purchasing a physical appliance, a virtual appliance or a cloud-based management console. We have reviewed the cloud-based console here. The product is designed to handle the largest of organizations, with support for up to 100,000 endpoints per appliance. There are agents available for Windows clients and servers, macOS, and various Linux distributions.
FireEye Endpoint Security is a highly powerful platform. It includes signature-based, behavioural and machine-learning engines. A core strength is in the acquisition of data from the agent for analysis and subsequent decision-making process. This allows the admin to hunt down and investigate any threats that might bypass initial detection. This deep insight enables analysis and response across the largest of enterprises. There is however a significant entry cost in terms of training. This is required for both the initial configuration and ongoing operations. To get the most out of FireEye Endpoint Security, security operations teams should have some knowledge of investigations. Alternatively, FireEye can assist with their Managed Defence practice. However, it should deliver a level of insight and operational management which is at the bleeding edge.
The cloud console requires no significant installation. Client installers can be downloaded from the Admin menu/Agent Versions page, and deployed onto the client machines. Setup is very simple, with no decisions to make.
The management console is quite different from a conventional centralised AV product. The emphasis is on detection and response. This involves acquisition of data from clients, analysis of it, and then responding appropriately. The platform has an extremely powerful and extensive set of information gathering tools. These allow you to build comprehensive queries of almost any type. These are then dispatched to the clients. Analysing this information is the core of the server product. You could treat FireEye as a straightforward AV package, allowing the engines to process malware as it is found. However, the real strength comes in the analysis and containment capabilities. There is little work required to configure the platform once the agents are deployed. Of course, you can build custom policies if you wish. But it is likely that global default settings will be the bedrock of the deployment. There isn’t much in the way of handholding in the initial setup process for the smaller organisation. Clearly the product is aimed at the more professional, larger organisation. It also assumes there will be training and consultancy for deployment.
The management console is not a tool to be dipped into occasionally. Unlocking its huge power needs considerable understanding of what the platform offers and how to achieve it. There is little handholding here. The product is aimed squarely at the large corporate space, where training and consultancy will be provided. From that point of view, this is not a product for the SME space. Firstly, you need to understand what FireEye is trying to achieve. It relies on threat detection, plus data gathering and analysis. The emphasis here is solidly on information acquisition, analysis and reporting. This allows the administrator to gather information from a wide array of client machines. The information can then be processed, allowing you to take actions based upon it.
There is a basic front-page overview of the status of the deployed agents. This allows you to drill down into more detail. As an ongoing view, this is probably sufficient. The power comes once you drill into the Hosts, Enterprise Search, Acquisitions and Rules sections. The essential component here is building search routines to find what you are looking for. You can request containment of the device. This locks out the user whilst informing them of the centralised management control. You can then to dig through what is happening. This ability to lock out a device is a key component of the handling of a widespread malware event. It should not be underestimated how much technical and systems knowledge is required to get the best from this. This is not a criticism. Indeed, for a hard-core IT administrator, it is a great strength to have access to this level of query and analysis of the network.
The macOS desktop protection software is entirely invisible to the user. There is no GUI, and no alerts are shown when detections are made. If the user should inadvertently copy a malicious file to their system, FireEye will detect and quarantine it on access.
Kaspersky Internet Security for Mac is a paid-for security suite with browser add-ons and parental controls. We found it very straightforward to use, with all the features easily accessible from the main program window or macOS menu bar. In our functionality test, all the features worked exactly as expected. Sensitive on-access detection immediately quarantines any malware copied to the system. Users without administrator rights cannot disable the protection or uninstall the program. Overall, the product provides solid protection for your Mac.
Having downloaded and run the installer, you need to double-click Install Kaspersky Internet Security\Download and Install. The only option is whether to install the browser extension(s). These are provided for Safari, Google Chrome and Mozilla Firefox, and can be selected independently of each other. The program can be uninstalled by clicking Kaspersky Internet Security Support\Uninstall in the Help menu of the macOS menu bar.
Update, status, scan options, scheduled scan and subscription information can all be accessed directly from the program’s home page. Settings (Preferences), logs (Reports), quarantine (Detected Objects) and help are all in the Mac menu bar. Additionally, a link to quarantine is shown on the home page when quarantined items are present.
If real-time protection is disabled, a warning is shown in the main program window. You can reactivate the protection by clicking Enable.
When you connect an external drive, KIS prompts you to scan the drive. If you choose not to do this, and then try to copy malware from the external drive to the macOS system, KIS immediately detects and quarantines the malware. In our functionality test, the malware was detected silently, i.e. without an alert being shown.
The Quarantine page shows detected items. By clicking on the”…” at the end of each line, you can delete or restore individual items (the latter only if you have an administrator account). You can delete all quarantined items using the Delete All button. No additional information about detected malware is provided. The Reports page shows the location of detected objects, action taken, threat type, threat name, and date/time of detection.
Kaspersky Internet Security Help is found in the Help menu in the macOS menu bar. It contains simple, clear feature descriptions and text instructions for using the program.
The Update and Scan icons on the home page animate when in use.
Power users with a macOS Administrator account can perform the following tasks (caution is advised):
Standard macOS users (i.e. accounts without administrator rights) cannot perform any of the above tasks, which we regard as ideal.
BitMedic Pro is a paid-for antivirus program for Mac, which can be bought from the Apple Store. It is a one-off purchase, i.e. there is no further subscription to pay, and you can use the product without time limits. In some ways, BitMedic Pro is a well-designed antivirus program, with a clear, easy-to-use interface. We particularly liked the pop-up warning in the event that real-time protection is disabled. Unfortunately, it is let down by some unusual behaviour in some situations. Firstly, unless you deliberately enable the option in the settings, the program will not start at all when you log on to your Mac. Thus, there will be no real-time protection at all. We also found some very unusual and confusing behaviour with relation to scanning and malware detection. Additionally, we did not see any evidence that BitMedic has effective real-time protection that would detect malware on file copy or on execution. We informed PocketBits of these issues, and they have told us that they intend to rectify them in a later build.
The program is installed via the Apple Store. When BitMedic Pro first starts, you have to confirm your Home Directory and give it permission to scan this. Later, it asks for permission to access the Desktop and Downloads folders. There’s also a startup wizard, which explains scan types, browser privacy and adware, scheduled scans and real-time protection. We note that very unusually, BitMedic Pro doesn’t start automatically when you log in to macOS, unless you enable this in the settings. PocketBits tell us that they are considering changing this, so that the program auto-starts by default. You can uninstall the program by shutting it down from the System Tray icon, then dragging its icon from the Finder Applications window to the Bin.
There is a status display at the top of the window. However, this only indicates whether malware has been found recently, not whether real-time protection is on. The status of real-time protection can be seen in the System Tray icon. PocketBits inform us that they are considering adding this item to the main window as well. Quick and full scans can both be run from the Antivirus Scan panel on the home page. Custom scans can be run by dragging a drive, folder or file to the panel of the same name in the program window. Scheduled scans can be set under System Settings\Scheduled Scans. There is no Finder context menu. Scan exceptions can be set under System Settings\Whitelist. We could not find a manual update feature. Settings are easily found in the System Settings panel on the home page. Unusually for a Mac program, there is no Preferences entry in the program’s menu in the Mac Menu Bar, although the manufacturers say they may add this in a later build. There is no quarantine feature. Logs can be accessed from the Result Log panel in the main window. Subscription information is not applicable, because the program is sold as a one-off purchase that doesn’t need renewing. Help can be found by clicking Visit our website in the bar at the bottom of the window.
If real-time protection is disabled, a pop-up alert is shown in the top right-hand corner of the screen (screenshot below). This displays even if the program window is closed, and persists until you dismiss it. If protection is switched off when you shut down the Mac, the warning prompt will be displayed as soon as you log on after the next start. We regard this as a very good idea, as it ensures users are alerted if protection is disabled.
You can reactivate the protection by clicking Turn On in the System Tray menu. We suggest that adding a “Turn On” button to the alert box would be a good idea, as not all users will be aware of the System Tray icon functions.
In our functionality test, we connected an external drive containing Mac malware to our test system, and BitMedic Pro prompted us to scan the drive. We selected the option to scan. After displaying a message that signatures were being updated, BitMedic stopped its activities and showed the messages seen below:
We examined the contents of our USB flash drive and found that the malware was still intact. We then ran a manual scan of the drive, and this time, the malware was detected, and deleted once we clicked on Clean. In an attempt to reproduce this effect, we cleaned the flash drive, recopied our malware samples to it, and reconnected it to our test system. BitMedic again offered to scan the drive, and again we accepted. BitMedic then immediately displayed the messages shown below:
When we copied a folder of malware from the USB stick to the Mac Desktop and scanned it, BitMedic behaved as expected of an antivirus program. That is to say, the scan found the malware first time around, and deleted it when we clicked on Clean. If the same folder was copied again, a second scan also found and deleted the malware first time.
In a separate part of our functionality test, we connected a flash drive containing unaltered malware but did not accept the offer to scan the drive. We were able to copy all our malware samples to the Desktop of the test system without any interference or alerts by BitMedic. When we attempted to execute some samples, a macOS warning was displayed, indicating that the files were harmful and should be deleted. Thus we have not found any evidence that BitMedic has real-time protection that will detect malware on file copy or on execution.
We also encountered a further case of unexpected behaviour by BitMedic when scanning malware. We copied a malicious file from a USB drive to the Mac Desktop, and then scanned it by dragging it to the Custom Scan panel in the BitMedic window. The program immediately detected two items and displayed them in the program window, along with a button marked Clean. After we clicked on this, the following messages were displayed in the program window:
We consider the combination of “Found threats removed”, “0 threats removed” and “Your system is clean” to be extremely confusing. In fact, the threats had not been cleaned, and the file could still be executed without any intervention or warning from BitMedic.
We note that BitMedic states on its website “Health Monitor watches selected locations 24/7 for any changes. It will automatically detect any harmful changes and any viruses. Remember, this applies to changes only. We recommend scanning the folder first to ensure that it is 100% virus-free and then monitoring it after.” As there is no guarantee that BitMedic (or any other AV program) would detect new malware in its first scan, we consider it to be risky only to rescan files if they change. This is because new signature updates might detect malware in files already on the disk, which had been missed with older definitions.
BitMedic Pro does not have a quarantine function. Suspected malware is deleted for good, and thus cannot be restored in case of e.g. false alarms. The logs feature displays the detection name, location, plus date and time of detected items. It distinguishes between “Viruses” (malware) and “Adware”.
The online help service relating to the antimalware features is limited to 4 topics: User Guide; What is an EICAR virus test file?; How to prevent adware; Resetting browser preferences to default. The User Guide provides simple text instructions, very well illustrated with screenshots, for the essential features of the app.
Power users with a macOS Administrator account can perform the following tasks (caution is advised):
Standard macOS users (i.e. accounts without administrator rights) can disable protection, and set scan exclusions, but not uninstall the program. We could not find a means of password protecting the settings. Users who share their Mac with someone else should be aware that it’s thus not possible to prevent other users disabling protection.
Trend Micro Antivirus for Mac is a paid-for antivirus program with camera and microphone protection, an anti-ransomware feature, and a web-protection add-in for Safari. We were particularly impressed with the very sensitive on-access malware detection. The help features are clear, and convenient to access. Installing and uninstalling are both straightforward, and the clean UI design makes the most important features very easy to access and use. Consequently, Trend Micro Antivirus for Mac would be particularly well suited to non-experts. A couple of minor improvements could be made to the quarantine function. However, overall the program has been very well thought-out, and gets all the important things right.
After downloading and running the installer file, you start the setup wizard by clicking Install Trend Micro Antivirus. The User Support folder on the same page includes a list of system requirements, and a succinct, well-illustrated Quick Start Guide. There is also an uninstaller, with which you can quickly and easily remove the program, should you need to.
The setup wizard is very straightforward. Aside from choosing whether to enter a licence key or use the trial version, there are no decisions to make. You can change the location of the installation folder. The final page of the wizard has a screenshot of the macOS System Tray, showing you how to access the program from the Trend Micro icon. When you first open the program, it prompts you to set up Camera and Microphone Protection and Ransomware Protection. For the latter, you can easily customise the default list of folders and drives to be protected.
Status, update, default scan, scan options, subscription, logs/quarantine and help can be accessed directly from the Overview page (please see screenshot above). We note that the logging and quarantine functions are combined under Logs. Settings are found under Trend Micro Antivirus\Preferences in the Mac menu bar, as is to be expected for a macOS program. Scheduled scans can be configured in the Preferences dialog box. There is a context-menu scan entry, which lets you scan a drive, folder or file in Finder by right-clicking it.
If real-time protection is disabled, the alert below is shown in the main window. You can reactivate the protection by clicking Fix Now.
When you connect an external drive, Trend Micro’s on-access protection immediately starts scanning the drive. In our test, malware samples were detected and quarantined immediately in this scenario. We regard this as exemplary behaviour. The alert below is shown when malware is detected:
The alert box remains on display until you close it. If you click on View Results in the alert box, it opens the logs/quarantine page and shows you what’s been detected.
The quarantine and log functions are combined in the Logs page. From here, you can view and delete any or all of the quarantined items.
Whilst viewing and deleting detected items is simple, power users may feel there is some room for improvement in the quarantine functionality. Firstly, as noted in previous years, the window is small and cannot be resized. This means some scrolling and dragging of columns is required to see all the content (although the list can be exported to a .CSV file). Secondly, threat names are shown by default in the main Logs window, whilst file names are shown in the List of Quarantined Files. You can see the file names as well in the Logs window (to correlate them with threat names), but you have to expand the Where Found column and then scroll to the end of it. Finally, no direct way to find more details of the malware items is provided, although they can be manually looked up in Trend Micro’s online threat encyclopaedia.
Clicking the ? icon in the main window opens a context-sensitive online manual. This provides a simple, clear guide to the program’s features and how to use them, well illustrated with screenshots.
Power users with a macOS Administrator account can perform the following tasks (caution is advised):
Standard macOS users (i.e. accounts without administrator rights) cannot perform any of the above tasks. We regard this as ideal.
The Safari add-in shows safety ratings for sites in Google web searches. These use e.g. a green tick icon for safe sites.
In the Trend Micro folder in the macOS Applications window is a diagnostic toolkit. With a macOS Administrator account, you can stop/start components; delete temporary files; uninstall if the standard uninstaller has problems; troubleshoot; collect debugging info; upload quarantined files to the vendor; collect network logs; create scanning exclusions.
This year, the following Mac security programs receive our Approved Security Product award: Avast, AVG, Avira, Bitdefender, CrowdStrike, FireEye, Kaspersky and Trend Micro.
Unfortunately, the product made by Pocket Bits did not reach certification standard this year. This was due to the low protection rate against Mac malware, and because we found several problems with the product.
A summary of the reviewed products is shown below. If you are thinking of getting a security product for your Mac, we recommend that you also consider other factors, such as price, additional features and support, before choosing a product. We also recommend installing a trial version of any paid-for product before making a purchase.
Avast Security for Mac is a simple, easy-to-use antivirus program for home users. It uses the “freemium” model, i.e. some features are only available in the paid-for premium versions.
AVG Internet Security for Mac is a paid-for consumer security suite with ransomware protection. It is easy to set up and use.
Avira Antivirus Pro for Mac is a straightforward antivirus product suitable for home users and small businesses. It is simple to install and use.
Bitdefender Antivirus for Mac is a paid-for antivirus product that includes ransomware protection. It has a very well-designed interface and excellent user manual, and is suited to home users and small offices.
CrowdStrike Falcon Prevent for Mac is part of an endpoint protection package for enterprise networks. It has no user interface on client machines, and is managed using a web-based console.
FireEye Enterprise Security for Mac is part of an endpoint protection package for enterprise networks. The management is done by cloud console, and there is no GUI on client PCs.
Kaspersky Internet Security for Mac is a security suite with parental controls. It is suitable for home users and small offices. Its interface is well designed and easy to use.
Pocket Bits BitMedic Pro Antivirus is a straightforward consumer antivirus program with a clean graphic design. Unfortunately, it displays some unexpected and confusing behaviour when it comes to detection and removal.
Trend Micro Antivirus for Mac includes camera and microphone protection and an anti-ransomware feature, in addition to malware protection. It is suitable for home users and small offices, and ideal for non-expert users due to its very straightforward design and operation.
AV-Comparatives have strict criteria for certifying security programs. These are updated every year to take new technological developments into account. Certification by AV-Comparatives indicates that a product has proven itself to be effective, honest, transparent and reliable.
PUA detection was not a certification factor this year[1]. However, we would expect a good Mac antivirus program to detect at least 75% of prevalent Mac PUAs[2].
Possible reasons why a product may fail certification are listed below, though this is not necessarily an exhaustive list.
[1] Next year, PUA detection will be a requirement for certification.
[2] What is “potentially unwanted” might be debatable, and a few apps that we would regard as PUA might be considered to be clean by some vendors. Consequently, this threshold is relatively low.
| Avast | APPROVED |
| AVG | APPROVED |
| Avira | APPROVED |
| Bitdefender | APPROVED |
| CrowdStrike | APPROVED |
| FireEye | APPROVED |
| Kaspersky | APPROVED |
| PocketBits | NOT APPROVED |
| Trend Micro | APPROVED |
This publication is Copyright © 2020 by AV-Comparatives ®. Any use of the results, etc. in whole or in part, is ONLY permitted after the explicit written agreement of the management board of AV-Comparatives prior to any publication. AV-Comparatives and its testers cannot be held liable for any damage or loss, which might occur as result of, or in connection with, the use of the information provided in this paper. We take every possible care to ensure the correctness of the basic data, but a liability for the correctness of the test results cannot be taken by any representative of AV-Comparatives. We do not give any guarantee of the correctness, completeness, or suitability for a specific purpose of any of the information/content provided at any given time. No one else involved in creating, producing or delivering test results shall be liable for any indirect, special or consequential damage, or loss of profits, arising out of, or related to, the use or inability to use, the services provided by the website, test documents or any related data.
For more information about AV-Comparatives and the testing methodologies, please visit our website.
AV-Comparatives
(June 2020)
