There is a common belief that macOS computers do not need antivirus protection. While it is true that macOS malware is much rarer compared to Windows and Android, there have still been many instances of macOS malware in the wild. Furthermore, Mac security must be considered in the broader context of various types of attacks.
macOS comes equipped with some built-in anti-malware capabilities: Gatekeeper, which warns when non-certified apps are run, and XProtect Remediator, which checks files against known malware signatures and remediates malware infections. These features operate mostly in the background, with occasional configuration options and alerts. System and security updates are automatically installed via the macOS update process. Other security features are included which harden the system: Sandboxing isolates apps from critical system components, user data, and other apps, limiting the damage they can do. FileVault encrypts the hard drive to protect the data from unauthorised access. Since macOS 10.15 (Catalina), apps need explicit permission to access user files and other sensitive information, such as the camera and microphone. Additionally, macOS separates system files and user data on different disk volumes, making it harder for malware to cause system issues.
The effectiveness of Apple’s built-in anti-malware features is sometimes questioned. Some security experts recommend adding a third-party antivirus solution for several reasons: Apple’s approach might be adequate for well-established malware but might not respond quickly enough to emerging threats; third-party solutions offer deeper malware analysis and cover a wider range of threats; and macOS is not immune to bugs. Although the likelihood of harmful apps entering the App Store is low, any app that bypasses Apple’s review process could have serious implications for Mac users, as the built-in macOS protections would recognise it as safe by design. Some antivirus programs for macOS can also detect malware targeting other operating systems, such as Windows and Android. This is beneficial in scenarios where malware might be transferred between systems via a USB stick, even if the Mac itself is not at risk. Additional features, such as web protection and network monitoring, can help identify phishing websites. Mac users are just as susceptible to phishing as Windows users, since phishing deceives users rather than operating systems. VPN capabilities can be useful when using the Mac in untrusted environments, such as public Wi-Fi networks at Internet cafés or airports.
Experienced and responsible Mac users who are cautious about which programs they download/install and from where, might reasonably argue that they are not at high risk for Mac malware. However, non-expert users, children, and those who frequently try new software could benefit from additional security software on their Macs.
The market for macOS anti-malware products is limited due to the smaller threat landscape compared to Windows. However, our annual Mac testing shows that evaluated vendors are committed to threat research and continuous product improvement, providing effective security solutions against evolving threats. We strongly encourage other security vendors to actively participate in third-party tests to ensure their products meet current standards and expectations. For those worried that third-party security software might slow down their Mac, our tests found no significant performance reduction with any reviewed programs.
Best Practices for Enhancing Mac Security
As with Windows computers, Macs can be made safer by employing good security practices. We recommend the following:
Do not use an administrator account for day-to-day computing.
Use secure passwords (iCloud Keychain) or passkeys (biometric identification such as Touch/Face ID) and enforce multi-factor authentication wherever possible.
Deactivate any services such as AirPort, Bluetooth, or IPv6 that you do not use.
Be careful about which programs you install and where you download them from.
Pay attention when granting programs permissions to sensitive system areas or information.
Be wary of opening any links that you receive, e.g., via email.
Keep your macOS and third-party software up to date with the latest patches.
Regularly back up your data using Time Machine or another backup solution.
Use a VPN to secure your Internet connection, especially on public Wi-Fi networks.
Use a certified antivirus program for Mac to provide an additional layer of protection.
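As an added example (not part of the AV-Comparatives report), the following POSIX shell script audits several of the settings named in the list above and in the description of macOS built-in protections: Gatekeeper, FileVault, System Integrity Protection, automatic update checks, whether the current account is an administrator, and whether Bluetooth and IPv6 are active. The classifier functions take the text a macOS command prints and return "ok" or "warn", so they can be checked offline with constructed output; the network service name "Wi-Fi" is an assumption, and every check is read-only.

```shell
#!/bin/sh
# Added example: read-only audit of macOS hardening points discussed above.
# Classifier functions take command output text and echo "ok" or "warn";
# run_audit invokes the real macOS commands only where they exist, so the
# script degrades to [SKIP] lines on other systems.

# Gatekeeper: `spctl --status` prints "assessments enabled" when active.
check_gatekeeper() {
  case "$1" in
    *"assessments enabled"*) echo ok ;;
    *) echo warn ;;
  esac
}

# FileVault: `fdesetup status` prints "FileVault is On." when the disk is encrypted.
check_filevault() {
  case "$1" in
    *"FileVault is On"*) echo ok ;;
    *) echo warn ;;
  esac
}

# System Integrity Protection: `csrutil status` prints "... status: enabled."
check_sip() {
  case "$1" in
    *"status: enabled"*) echo ok ;;
    *) echo warn ;;
  esac
}

# Automatic update checks: value of AutomaticCheckEnabled in the
# com.apple.SoftwareUpdate preference domain ("1" = on).
check_auto_updates() {
  [ "$1" = "1" ] && echo ok || echo warn
}

# Daily-use account: `id -Gn` lists the group "admin" for administrator users;
# the recommendation above is not to work in such an account day to day.
check_admin() {
  for g in $1; do
    [ "$g" = "admin" ] && { echo warn; return 0; }
  done
  echo ok
}

# Bluetooth: ControllerPowerState in com.apple.Bluetooth ("0" = radio off).
# A warn only means "enabled"; leave it on if you actually use it.
check_bluetooth() {
  [ "$1" = "0" ] && echo ok || echo warn
}

# IPv6 on a network service: `networksetup -getinfo "<service>"` includes an
# "IPv6: Off" line when disabled; "Automatic"/"Manual" mean it is active.
check_ipv6() {
  case "$1" in
    *"IPv6: Off"*) echo ok ;;
    *) echo warn ;;
  esac
}

# Print one report line and count warnings in $warnings.
record() {
  case "$2" in
    ok)   printf '[OK]   %s: %s\n' "$1" "$3" ;;
    warn) printf '[WARN] %s: %s\n' "$1" "$3"; warnings=$((warnings + 1)) ;;
    *)    printf '[SKIP] %s: %s\n' "$1" "$3" ;;
  esac
}

# Run a check only when its command exists. Usage: audit_item NAME CHECK_FN CMD [ARGS...]
audit_item() {
  name=$1; fn=$2; shift 2
  if command -v "$1" >/dev/null 2>&1; then
    out=$("$@" 2>&1 || true)
    record "$name" "$("$fn" "$out")" "$(printf '%s' "$out" | head -n 1)"
  else
    record "$name" skip "$1 not found (not macOS?)"
  fi
}

# Returns the number of warnings (0 = every audited item looks hardened).
# $1 = network service to inspect for IPv6 (assumed name; default "Wi-Fi").
run_audit() {
  warnings=0
  audit_item "Gatekeeper"        check_gatekeeper   spctl --status
  audit_item "FileVault"         check_filevault    fdesetup status
  audit_item "SIP"               check_sip          csrutil status
  audit_item "Automatic updates" check_auto_updates defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled
  audit_item "Admin account"     check_admin        id -Gn
  audit_item "Bluetooth"         check_bluetooth    defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState
  audit_item "IPv6 (${1:-Wi-Fi})" check_ipv6        networksetup -getinfo "${1:-Wi-Fi}"
  return "$warnings"
}

# Stand-alone use: print the report and the number of items needing attention.
run_audit "$@" || printf 'Items needing attention: %s\n' "$?"
```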
For this test, we used macOS Sonoma, including the latest security patches, which was the most recent macOS version at time of testing. We have reviewed and tested the following products for this report, using the newest version available at time of testing (May 2024):
Additional information about the products and additional third-party engines/signatures used inside the products: Trellix uses the Bitdefender engine. Intego uses the Avira engine for detection of Windows malware. AVG is a rebranded version of Avast. Avast/AVG specifically asked us to test their free version.
We congratulate these manufacturers, who elected to have their products reviewed and tested, as we feel their commitment is a valuable contribution to improving security for Mac systems.
Test Procedure
This test checks how effectively the security products protect a macOS system against malicious apps. The test took place in May 2024, and used macOS malware that had appeared in the preceding months. We used a total of 643 recent and representative malicious Mac samples.
In the first half of 2024, thousands of unique Mac samples were collected. However, many of these could be classified as “potentially unwanted” – that is, adware and bundled software – depending on interpretation. Often, these samples were near-identical, with only minor modifications creating new file hashes to evade simple signature-based detection systems. There were almost no new malware families and only a few genuinely new variants of true Mac malware in 2024 (even fewer than in 2023), some of which only run on specific macOS versions. After careful consideration, we selected 643 recent and prevalent Mac malware samples for testing, which we believe accurately represent the current threat landscape, although this sample size is very small compared to Windows. It is nevertheless significant, given that most Mac systems do not use third-party security software and even a few threats can cause widespread damage. Because Mac security products only need to identify a small number of samples, we expect them to protect the system against most (if not all) of the threats, so the detection rate required for certification is relatively high.

For the test, the macOS system was updated to its latest version and imaged. Each security product was installed on a fresh machine image, and its definitions were updated to May 2, 2024. The Mac systems remained connected to the Internet throughout the test to utilize cloud services. A USB flash drive containing the malware samples was inserted into the test machines, and some antivirus programs detected samples at this stage. We then scanned the flash drive, removing any detected samples. Undetected samples were copied to the Mac’s system disk and executed, giving the security products a final chance to detect them. Additionally, we tested for false positives using a set of clean Mac programs. None of the security products produced any false alarms.
Testcases
To address the rising number of potentially unwanted applications (PUAs) on Mac systems, we conducted an additional test to evaluate the detection capabilities of the products. Specifically, we assessed the detection of 750 prevalent Mac PUAs using the same methodology as for malware detection. Many Mac security products assert that they can identify both Mac and Windows malware to prevent the user’s computer from transmitting harmful programs to Windows PCs. To test this claim, we evaluated whether the Mac antivirus products can detect prevalent and current Windows malware. We used 500 samples and followed the same procedure used for Mac malware detection, excluding the execution of any undetected samples since Windows programs cannot be executed under macOS.
Test Results
The table below shows the protection results of the tested products. We would like to point out that while some products may sometimes be able to reach 100% protection rates in a test, it does not mean that these products will always protect against all threats. It just means that they were able to detect 100% of the widespread samples used in this particular test. We do not round up scores to 100% if there are misses. Programs with a score of 100% thus had zero misses. For PUA, the highest score possible is capped at 99% due to the nature of the files.
| Product | Mac Malware Protection (643 samples) | Mac PUA Protection (750 samples) | Windows Malware Detection* (500 samples) |
|---|---|---|---|
| Avast Security Free for Mac | 100% | 98% | 100% |
| AVG AntiVirus Free for Mac | 100% | 98% | 100% |
| Bitdefender Antivirus for Mac | 100% | 99% | 100% |
| Bitdefender GravityZone Business** | 100% | 99% | 100% |
| CrowdStrike Falcon Pro for Mac | 99.8% | 98% | 0% |
| Intego Mac Internet Security X9 | 99.1% | 93% | 100% |
| Kaspersky Premium for Mac | 100% | 99% | 100% |
| Trellix Endpoint Security (HX) for Mac | 100% | 99% | 100% |

* Detection of Windows threats on Macs can be seen as discretionary. Some products do not include detection for non-Mac threats or have limited detection capabilities due to technical constraints.
** Full product name: Bitdefender GravityZone Business Security Premium for Mac.
Product Reviews
Review Format
Here we have outlined the structure of the following product reviews for each of the consumer programs in this test. For the enterprise products we have used a slightly different review format which includes a brief product summary and sections about the cloud-based management console (e.g., dashboard, host management, detections, policies, investigation) as well as the endpoint protection client (e.g., deployment, general handling, alerts).
Summary: We briefly describe the nature of the product and highlight selected key aspects, such as whether it is free or paid, important security features, and our overall experience with it. Please note that all products protect against ransomware in the same way as for other types of malware. Where we have specifically mentioned “ransomware protection”, it means that specific user folders are monitored to prevent unauthorised changes.
Installation, Setup & Uninstallation: We describe how to get the product up and running on your Mac, starting with downloading the installer and finishing with any post-setup tasks needed, such as installing and enabling browser extensions. We record any options available, and whether you have to make any decisions during installation. There is also a note on how to uninstall the product, should you need to. Please be aware that when installing any antivirus product on macOS Sonoma (which was used for the tests and reviews), it is necessary to go into the macOS system settings and enable the program’s system extensions as well as grant the program specific permissions, such as Notifications or Full Disk Access. Since this process is essentially identical for all products, we have not mentioned it in the individual reviews.
General Handling & Essential Features: We consider how easy it is to find the most important functionality: protection status, different scan options, protection features, quarantine, subscription information (not applicable to free programs), update, settings, and help.
Protection: We describe the available scan options, including smart/full/custom scan, external storage scan, and scheduled scans, how and where to trigger them, and briefly mention any special detection settings that are enabled by default, e.g., detection of PUA or stalkerware. We might also give additional information about third-party detection engines and other relevant malware protection features, such as browser/email/ransomware protection.
Alerts: We look at how the current protection status is displayed, what sort of warning is shown if real-time protection or any other protection feature is disabled, and how to correct this. We also note what type of alert is shown when malware is discovered, and whether the user needs to take any action in this case.
Quarantine & Logs: We check the functionality that shows you which malicious items have been found, what information is provided about them, and what the actions are for dealing with them. If available from the program window, we will also note the types of data and events being logged by the program.
Advanced Options: We check whether only users with a macOS Administrator account can disable the protection features, uninstall the program, or restore/delete items from quarantine. We regard it as ideal if only administrators (not standard macOS users) can perform at least the first two tasks.
Avast Security Free for Mac is a free antivirus program for non-expert users. Some of its key aspects are:
Simple and hassle-free installation and setup of core features.
Clean and well-organised presentation of all features through tiles.
Various scan options and comprehensive settings, including scheduled scans.
Clear and persistent alerts that keep users informed of any issues.
Prevention of risky actions by normal user accounts (e.g., disable protection, uninstall program).
Installation, Setup & Uninstallation
To set up the program, simply download and run the installer file available on the vendor’s website. The setup process is intuitive, with the program guiding you through each step and providing brief explanations along the way. You can uninstall the program by navigating to Avast Security > Uninstall Avast Security in the macOS menu bar or running the Avast Security Uninstaller directly from the macOS Applications folder.
General Handling & Essential Features
The main program window shows the protection status along with an action to run a smart scan, further scan types (Virus Scans), core protection features (Core Shields), additional security features (e.g., Traffic Monitor, Network Inspector, Email Guardian), and quarantine. Settings (Preferences) can be opened from the program menu in the top right-hand corner or the macOS menu bar. Subscription information is not applicable since the program is free. A manual update can be triggered by clicking Check for Updates under the system tray icon or Avast Security in the macOS menu bar. From the Help menu, you can access the online help on the vendor’s support web page.
Protection
From Virus Scans on the home page, you can initiate a smart scan, deep scan encompassing all drives and system memory, external storage scan for connected devices, or targeted scan of specific files and folders. The latter can also be run from the Finder context menu. Configure scheduled scans and adjust the detection behaviour for the different scan types under Preferences. The detection of PUA is enabled by default. The Email Guardian scans emails of specified mail accounts and flags any suspicious ones. Note that in the free version, only mail apps installed on the Mac (e.g., Apple Mail, Outlook) are supported. The Traffic Monitor (deactivated by default) allows you to track where apps send data and the amount of data transmitted on an interactive world map.
Alerts
If Avast’s real-time protection (File Shield) or web protection (Web Shield) within Core Shields is disabled, an alert will be shown in the main program window. To re-activate either protection feature, you must manually navigate to Core Shields and turn it back on.
When malware was detected during our protection test, the program displayed an alert as depicted below. No user action was required, and the alert persisted until we closed it using the macOS close button in the top left-hand corner. Multiple detections are consolidated into a single alert which can be navigated through using the arrows in the top right-hand corner. Further details about the threat, including the threat name, severity, file name/path, and process, can be viewed by expanding the details section at the bottom of the alert.
Quarantine & Logs
The quarantine is directly accessible from the home page and displays a list of quarantined files along with their threat name, file name/path, and date of detection. From here, you can delete or, with an administrator account, restore any/all items.
Advanced Options
Only users with a macOS Administrator account can perform the following tasks:
Disable protection features (under Core Shields).
Uninstall the program.
Restore items from the quarantine.
Advertising
Upon completing a Smart Scan, the program encourages the user to upgrade to paid security suites, Premium and Ultimate, to fix advanced issues like ransomware vulnerability, network threats, and fake websites. Clicking on Resolve All prompts a purchase for Avast Premium Security, followed by a 60-day trial offer for Avast Ultimate in a second prompt if the first prompt was dismissed. These upgrade prompts also occur when clicking Go Premium on other program feature pages or the Upgrade your protection button in a detection alert.
AVG AntiVirus Free for Mac is a free antivirus program for non-expert users. Some of its key aspects are:
Simple and hassle-free installation and setup of core features.
Clean and well-organised presentation of all features through tiles.
Various scan options and comprehensive settings, including scheduled scans.
Clear and persistent alerts that keep users informed of any issues.
Prevention of risky actions by normal user accounts (e.g., disable protection, uninstall program).
Installation, Setup & Uninstallation
To set up the program, simply download and run the installer file available on the vendor’s website. The setup process is intuitive, with the program guiding you through each step and providing brief explanations along the way. You can uninstall the program by navigating to AVG AntiVirus > Uninstall AVG AntiVirus in the macOS menu bar or running the AVG AntiVirus Uninstaller directly from the macOS Applications folder.
General Handling & Essential Features
The main program window shows the protection status along with an action to run a smart scan, further scan types (Run Other Scans), and core protection features (Computer, Web & Email). The quarantine is located under the Computer tile, and settings (Preferences) can be accessed from the program menu in the top right-hand corner or the macOS menu bar. Subscription information is not applicable since the program is free. A manual update can be triggered by clicking Virus Definitions on the home page, or by navigating to Check for Updates under the system tray icon or AVG AntiVirus in the macOS menu bar. From the Help menu, you can access the online help on the vendor’s support web page.
Protection
From Run Other Scans on the home page, you can initiate a smart scan, deep scan encompassing all drives and system memory, external storage scan for connected devices, or targeted scan of specific files and folders. The latter can also be run from the Finder context menu. Configure scheduled scans and adjust the detection behaviour for the different scan types under Preferences. The detection of PUA is enabled by default.
Alerts
If AVG’s real-time protection (File Shield) within Computer, web protection (Web Shield) or email protection within Web & Email is disabled, an alert will be shown in the main program window. To re-activate either protection feature, you must manually navigate to the respective menu tile and turn it back on.
When malware was detected during our protection test, the program displayed an alert as depicted below. No user action was required, and the alert persisted until we closed it using the macOS close button in the top left-hand corner. Multiple detections are consolidated into a single alert which can be navigated through using the arrows in the top right-hand corner. Further details about the threat, including the threat name, severity, file name/path, and process, can be viewed by expanding the details section at the bottom of the alert.
Quarantine & Logs
The quarantine is quickly accessible from Computer on the home page and displays a list of quarantined files along with their threat name, file name/path, and date of detection. From here, you can delete or, with an administrator account, restore any/all items.
Advanced Options
Only users with a macOS Administrator account can perform the following tasks:
Disable protection features (under Computer and Web & Email).
Uninstall the program.
Restore items from the quarantine.
Advertising
Upon completing a Smart Scan, the program encourages the user to upgrade to the paid security suite, Internet Security, to fix advanced issues like ransomware vulnerability, network threats, and fake websites. Clicking on Resolve All prompts a purchase for AVG Internet Security, followed by a 60-day trial offer for it in a second prompt if the first prompt was dismissed. These upgrade prompts also occur when clicking Go Premium on other program feature pages or the Upgrade your protection button in a detection alert.
Bitdefender Antivirus for Mac is a paid-for antivirus program for expert and non-expert users. Some of its key aspects are:
Simple and hassle-free installation and setup of core features.
Clean and well-designed interface showcasing all features.
Various scan options, ransomware protection, data-limited VPN, and browsing-protection add-ins.
Clear alerts that keep users informed of any issues.
Prevention of risky actions by normal user accounts (e.g., disable protection, uninstall program).
Installation, Setup & Uninstallation
Once you have downloaded and launched the installer from the vendor’s website, the setup wizard will walk you through each step of installation and configuration. After setup is complete, you will be prompted to create a Bitdefender account and sign in. An optional introductory tour of the program interface then starts, followed by the program window displaying several recommendations, such as installing the browser extension (Traffic Light), configuring ransomware protection (Safe Files), setting up Time Machine Protection, and initiating a system scan. The program’s window supports both dark and light modes, which correspond with the dark- and light-mode settings of macOS. The program can be uninstalled by opening the Bitdefender Uninstaller located in the Bitdefender folder of the macOS Applications folder.
General Handling & Essential Features
The program’s Dashboard provides direct access to the protection status, scan types (quick and system scan), protection features, settings, subscription information (My Account), and help resources. The quarantine and list of scan exceptions are located under Protection. A manual update can be triggered from the Actions menu in the macOS menu bar. Privacy includes a data-limited Bitdefender VPN and additional Anti-tracker browser extension. Help gives you access to a very comprehensive PDF manual and the support web page.
Protection
From the Protection menu, you can start a quick scan of critical areas, system scan covering all files and folders, or custom scan targeting specific files or folders. The latter can also be run from the Finder context menu. Web protection is supported for the Safari, Chrome, and Firefox browsers via the Traffic Light browser extension, which also adds safety ratings (indicated by coloured symbols) to Google search results. Options for the ransomware protection are available as well. The protection and detection behaviours can be adjusted from the Settings menu.
Alerts
If Bitdefender’s real-time protection is disabled via Settings or the system tray icon in the macOS menu bar, an alert will be shown in the main program window. The protection can be re-activated by clicking Enable.
When malware was detected during our protection test, the program displayed an alert as depicted below, containing details such as the threat name, file name, and action taken. No user action was required, and the alert closed automatically after a few seconds.
Quarantine & Logs
The Quarantine allows you to review all the quarantined items, along with the threat name, file name, and date of detection. You can choose to delete and restore any detected files, requiring administrator credentials for either action. Notifications serves as a log, showing events such as updates, component activation, and malware detections. These can be viewed collectively or filtered by importance (Critical, Warning, Information).
Advanced Options
Only users with a macOS Administrator account can perform the following tasks:
Bitdefender GravityZone Business Security Premium is a security package designed for enterprises, providing endpoint protection for file servers, desktops, laptops, and physical/virtual machines and a cloud-based console for centralized management. Some of its key aspects are:
Investigative functions for attack analysis and remediation.
Comprehensive search capabilities.
Well-organized cloud-based console with intuitive navigation to detailed information.
Containment feature to isolate infected endpoints.
Prioritized alerts for admins and clear alerts at endpoint for users.
Management Console
The console is navigated via the menu on its left side, which lists different sections, such as Monitoring, Incidents, Threats Xplorer, Quarantine, Policies, and Network, grouping the individual pages. We will describe the most relevant sections and pages below.
Monitoring > Executive Summary page
This is the page you see when you first log on to the console. It shows various key status items in large panels (screenshot above), providing information about the managed endpoints, blocked threats/websites/attack techniques, incidents, and remediation actions for the last 24 hours, 7 days, or 30 days. The topmost blocked threat types are visualised over time, and a risk score reflects the risk potential of the network. The summary can be exported as a report in CSV or PDF format and sent to the current user’s email address. The panel titles redirect you to the respective detail pages.
Incidents page
The Incidents page displays a list of all EDR/XDR incidents generated from suspicious or malicious activities on the endpoints in the last 90 days. Each incident is listed with the timestamps of when it was created and last updated, its status, a severity score, the assignee responsible for handling it, the affected endpoints, and the action taken. Clicking on an item’s ID takes you to the details page with further information.
The Graph view provides a hierarchical and interactive visualisation of the incident, allowing you to trace the attack from its entry point through different attack phases down to the event that finally triggered the incident. By selecting a node, you can access comprehensive details about the affected endpoint, threat, and related process or file in the panel on the right. Quick actions for investigation and remediation, such as viewing on VirusTotal/Google, quarantining file, or adding to blocklist/exceptions, can be performed directly from this view. At the top, you can change the incident’s status, assignee, and priority. The Events view lists related detection alerts and system events with a detailed description in chronological order. Under the Response view, you can access and monitor different actions and statuses in response to the incident.
Threats Xplorer page
In contrast to Incidents, this page offers a threat-centric view of each detected threat in the network. Detection events are classified and filterable by various attributes, such as category, threat type, remediation action, and endpoint name. Selecting a detection reveals more details, including threat type/name, detection date/module/technology, action taken, file path/hash, and affected endpoint name/type/IP. Quick actions such as adding to blocklist/exclusions, running an on-demand scan, or isolating endpoint can be performed.
Quarantine page
This page provides a detailed overview of the quarantined files, including endpoint name/IP, detected file path, threat name, and quarantine date, from all managed endpoints. You can customize the view by various filters and perform actions such as add to exclusions, restore, retrieve, delete, or empty quarantine.
Policies page
On this page, you can manage existing policies or create new ones. The capabilities of the endpoint protection client can be extensively configured for different types of attack-, detection-, and protection-related behaviour. In the case of Mac policies, you can configure components such as Antimalware, Network Protection, Patch Management, Device Control, Encryption, and Incidents Sensor. Antimalware components, such as On-Access and On-Execute, have different sensitivity levels for protection, ranging from Permissive to Aggressive. Additionally, custom administrator-defined settings can be applied to the On-Access component. Policies can be assigned to endpoints either manually, by selecting individual endpoints on the Network page, or automatically, by custom assignment rules that define criteria endpoints must meet, such as network settings (e.g., IP address, network type, hostname), users/user groups, or tags.
Network page
The Network page serves as a centralized hub for managing all endpoints within the organization. The list has filterable columns displaying endpoint details, such as name, OS version/type, machine type (workstation or server), and users. Symbols and colours next to each endpoint name indicate its network object type and status. You can perform different actions on individual endpoints, including running tasks (e.g., malware scan, isolate endpoint, update agent), creating quick reports, assigning policies, tagging, or deleting endpoints. Clicking on an endpoint’s name opens its details page which shows comprehensive information about the endpoint, endpoint protection client, activated protection modules, assigned policies, and scan results.
Endpoint Protection Client
Deployment
Installer files for the endpoint protection client (Agent) can be created and downloaded from Network > Installation Packages. When creating an installation package, you can specify the protection modules and settings to be applied to the endpoint. After installation, you will need to grant the agent Full Disk Access in the macOS system settings. The agent requires a few minutes to download the latest updates before full protection becomes active.
General Handling
The main program window displays the status of the configured protection modules and provides an option to manually update the protection engine. In the macOS menu bar, you can initiate a quick, full, or custom scan and check for updates under Actions, and access the event logs (History) and quarantine under Bitdefender Endpoint Security Tools.
Alerts
When malware was detected during our protection test, the agent displayed an alert as depicted below, containing details such as the threat name, file name, and action taken. No user action was required, and the alert closed automatically after a few seconds.
CrowdStrike Falcon Pro is a security package designed for medium- to large-sized enterprise networks, providing a cloud-based console for centralized management of endpoint protection. Some of its key aspects are:
Investigative functions for attack analysis and remediation.
Comprehensive search capabilities.
Well-organized cloud-based console with intuitive navigation to detailed information.
Containment feature to isolate infected endpoints.
Prioritized alerts for admins and clear alerts at endpoint for users.
Management Console
The console is navigated from the menu in the top left-hand corner, providing access to all EDR/XDR functions and tools related to incidents, detections, investigation, remediation, reporting, and endpoint management. We will describe the most relevant sections and pages below. You can easily bookmark any page by clicking on the bookmark symbol next to the page title at the top, which is later accessible via the Bookmarks section.
Endpoint security > Activity dashboard page
This is the page you see when you first log on to the console. It presents key status indicators in large panels (screenshot above). You will find a list of the most recent detections with severity ratings and detection method (Tactic & Technique), SHA-based detections, and prevented malware by host. There is also a bar chart displaying detections by tactic (e.g., Machine Learning, Defense Evasion, Credential Access) over the past month. The dashboard shows the number of new detections and the current CrowdScore, which represents the likelihood that the company network is under attack and is based on the current highest scores of the generated incidents. The panel items redirect you to sections and details pages with the respective filters applied.
Endpoint security > CrowdScore incidents page
This page lists all incidents generated from detections, associated processes, and the connections between them on the endpoints, such as thread injections or lateral movement. It shows relevant information such as incident score, detections, host details, attack timeline, and ticket information regarding the investigation. Clicking on an incident opens a summary preview, from where you can navigate to the full incident details page. The details page gives you comprehensive insights into the incident, including a brief description of objectives and techniques and host and process information related to the attack, in different views: Summary, Table, Graph, and Events timeline. You can immediately isolate the affected host from the company network using “Network contain” or perform an “Incident event search” using CrowdStrike Query Language (CQL).
Endpoint security > Endpoint detections page
On this page, you can search the list of threat detections using a wide range of criteria, including severity level, malware tactics, detection technique, date and time of detection, affected host, and logged-on user. Clicking on a detection entry shows detailed information, including a timeline (screenshot below). Within the details panel, you can edit the status to assign a console user for remediation, contain the host promptly, and access the full detection details page, which resembles the one for incidents.
Endpoint security > Quarantined files page
This page displays files that have been quarantined by the endpoint protection client. Each entry shows the date and time when it was quarantined, file name, hostname, logged-on user, and its status. You have the option to release, delete, or download quarantined files in a password-protected archive. Clicking on an entry opens a panel with additional information, such as the file path, file hash, detection method, and severity. You can also apply various filters to narrow down the search for specific files.
Endpoint security > Prevention policies page
This page lets you create and edit prevention policies for endpoints of supported platforms. You can define the capabilities of the endpoint protection client in relation to different attack, detection, and protection behaviours. For Mac policies, you can configure components such as Sensor Visibility, Next-Gen Antivirus (Cloud Machine Learning, Sensor Machine Learning, Quarantine, On Write), Malware Protection (Execution Blocking), Behaviour-Based Prevention (Unauthorized Remote Access IOAs, Credential Dumping). The Cloud Machine Learning and Sensor Machine Learning components have separate configurable sensitivity levels for detection and prevention, ranging from Disabled to Extra Aggressive. Custom indicators of attack (IOA) rule groups and host groups can be assigned to a policy, whereby a policy hierarchy determines which one takes precedence.
Host setup and management > Host management page
On this page, all the registered endpoints are listed. You can customize the table columns to show details such as hostname, host status, OS version, IP/MAC addresses, policy assignments, username, sensor version, timestamps, and many others. Clicking on an entry opens a panel with additional information. As on other details pages, you can apply various filters and search for specific hosts.
Investigate section
The Investigate section provides a highly comprehensive search facility. It allows you to search for specific aspects, such as events, hosts, users, hashes, and IP addresses; hunt for activities related to detections, files, or executables; view timelines of hosts and processes; check reports about remote access, network logon, and geolocation activities; and look for vulnerabilities, including HiveNightmare and Log4Shell.
Endpoint Protection Client
Deployment
The recommended installation method is to use an MDM server solution to distribute the profile provided by CrowdStrike to the endpoints prior to the deployment process. This avoids manual authorization steps on the endpoints. Alternatively, you can deploy the standalone installer file to individual hosts and perform manual installation and setup. Installer files for the endpoint protection client (Sensor) and supported platforms can be downloaded from Host setup and management > Sensor downloads, where several older sensor versions are also available. The installer provides step-by-step instructions to guide you through the local installation and setup process.
General Handling
The sensor application consists of only one window which shows sensor status information. Only users with a macOS Administrator account can interact with the sensor using its command-line interface (falconctl) via the macOS Terminal. For example, you can output sensor information and statistics (falconctl stats) and uninstall the sensor (falconctl uninstall). With the settings used for this test, detected files are not deleted but quarantined in situ.
Alerts
When malware was detected during our protection test, the sensor displayed an alert as depicted below, without further details about the threat. No user action was required, and the alert closed automatically after a few seconds.
Intego Mac Internet Security X9 is a paid-for antivirus program for non-expert users. In addition to anti-malware features, it also includes a separate firewall application, called NetBarrier. In this review though, we have focused on the antivirus application, VirusBarrier. Some of its key aspects are:
Simple and hassle-free installation and setup of core features.
Clean GUI that neatly presents all available features.
Various scan options, including scheduled scans and USB scan.
Clear and persistent alerts that keep users informed of any issues.
Prevention of risky actions by normal user accounts (e.g., disable protection, uninstall program).
Installation, Setup & Uninstallation
To set up the program, simply download and run the installer file available on the vendor’s website. The setup process is intuitive, but you need to manually open the program after installation in order to continue with the product activation and grant the program Full Disk Access in the macOS system settings. The program’s window supports both dark and light modes, following the dark- and light-mode setting of macOS. You can uninstall the program by re-running the installer and double-clicking Uninstall, or by deleting the Intego folder from the macOS Applications folder.
General Handling & Essential Features
The Scan page of the main program window gives access to the protection status, scan types (quick, full, scheduled scan) and settings. The quarantine and the list of scan exceptions (Trusted Files) can be found on two separate pages. A manual update can be triggered by clicking on the Installed Malware Definitions link in the main program window, or by selecting Check for Updates under the VirusBarrier menu or the system tray icon in the macOS menu bar. This opens the NetUpdate application, displaying the update status, days until protection expires, and related settings. The subscription information can be viewed in the About box of the VirusBarrier menu. From the Help menu in the macOS menu bar, you can open the online help on the vendor’s support web page. Additionally, a basic help function displays an overlay that explains the principal features within the main program window.
Protection
From the Scan page of the main program window or the File menu in the macOS menu bar, you can start a quick scan, full scan, or custom scan of specific files or folders. The latter can also be run from the Finder context menu. You can configure scheduled scans (Schedule) on the Scan page as well as the program’s protection and detection behaviour, including the action after a volume is mounted, under VirusBarrier Preferences. The program also checks if the safe browsing feature of supported browsers (Safari, Chrome, Firefox) is activated and warns you if it is turned off. VirusBarrier uses Intego’s own detection engine to identify macOS malware and the Avira engine to detect Windows malware.
Alerts
If Intego’s real-time protection is disabled on the Scan page, an alert will be shown in the main program window. The protection can be re-activated by clicking Turn On.
When malware was detected during our protection test, the program displayed a dialog and alert as depicted below, containing details such as the threat name, file name, and action taken. No user action was required. The dialog persisted until we closed it and the alert closed automatically after a few seconds.
Quarantine & Logs
The Quarantine lists all the quarantined items. You can choose to delete, repair, or restore (trust) any detected file. If you click on an individual item, the path to its location will be shown in the status bar at the bottom.
The Logs view on the Scan page displays a list of system events, including updates, scan and real-time detections, real-time protection status changes, and items added to or deleted from quarantine. Each event is accompanied by the applicable date and time and a traffic-light colour code indicating severity or status (malware finds = red, quarantine actions = yellow, updates and active real-time protection = green).
Advanced Options
Password protection (to prevent unauthorised changes to program settings) is disabled by default under Settings > Advanced. When it is enabled, only users with a macOS Administrator account can perform the following tasks:
Disable protection features (on the Scan page or via the system tray icon).
Kaspersky Premium for Mac is a paid-for antivirus program tailored for non-expert users seeking robust protection. Some of its key aspects are:
Simple and hassle-free installation and setup of core features.
Clean and well-organised interface showcasing all features.
Various scan options and comprehensive settings, including scheduled scans and USB scan.
Clear alerts that keep users informed of any issues.
Prevention of risky actions by normal user accounts (e.g., disable protection, uninstall program).
Installation, Setup & Uninstallation
To set up the program, you must first log in to your Kaspersky account on the vendor’s website. On the customer portal, download and launch the installer. The setup process is intuitive, with the program guiding you through each step and providing brief explanations along the way. You have the option to enable additional protection features, such as Wi-Fi network protection and browser extensions for Safari/Chrome/Firefox. Once the setup is complete, the main program window displays several recommendations, such as activating automatic macOS updates or location services, and installing missing browser extensions or the Kaspersky VPN and Password Manager apps (which are included in this Premium tier). You can uninstall the program by navigating to Help > Support > Uninstall in the macOS menu bar or by deleting it from the macOS Applications folder.
The program cannot verify if the old extension is installed, so it suggests removing it after installing the new one. This could be confusing for users who do not have the old extension installed. Kaspersky acknowledges this issue and plans to clarify the deletion process for the Kaspersky Security extension or potentially eliminate this step altogether.
General Handling & Essential Features
The main program window shows the protection status, scan types (Scan), subscription information, recommendations and other quick actions. Settings (including all protection features and the list of scan exclusions, Trusted Zone), the quarantine (Detected Objects), and Help, which opens the support page in the default browser, are located in the macOS menu bar. A manual update can be triggered by selecting Database Update in the main program window or by clicking Update Databases under the system tray icon.
Protection
From Scan, you can initiate a quick scan, full scan, or custom scan of selected files and folders. The latter can also be run from the Finder context menu. Scans can be scheduled using the cogwheel icon in the top right-hand corner or from the settings menu. Additionally, you can modify the program’s detection behaviour, scan types, and external disk scanning. The detection of stalkerware is enabled by default. On the main page, there is also a feature to block access to the webcam.
Alerts
If the program’s real-time protection or any other protection feature under Settings > Protection is disabled, an alert will be shown in the main program window. The real-time protection can also be turned off via the system tray icon. The protection can be re-activated by clicking Enable.
When malware was detected during our protection test, the program displayed an alert as depicted below, containing details such as the file path and action taken. No user action was required, and the alert closed automatically after a few seconds. Additionally, a link to the quarantine is shown on the home page of the main program window.
Quarantine & Logs
The Detected Objects page lists quarantined items, along with the threat name and file path. By clicking on the “…” symbol at the end of an item, you can choose to delete or restore the item. Moreover, there is a Delete All option to delete all quarantined items. Under Protection > Reports in the macOS menu bar, you can view details of processed objects (detections) as well as activities related to updates, scans, and various protection features.
Advanced Options
Only users with a macOS Administrator account can perform the following tasks:
Disable protection features (under Settings or via the system tray icon).
Trellix Endpoint Security (HX) is a security package tailored for large enterprise networks, supporting up to 100,000 endpoints per appliance and offering a cloud-based console for centralized management. Some of its key aspects are:
Investigative functions for attack analysis and remediation.
Well-organized cloud-based console with intuitive navigation to detailed information and prioritized alerts for admins.
Containment feature to isolate infected endpoints.
Management Console
Different sections and pages can be navigated from the console’s menu at the top of the page. We will describe the most relevant ones below.
Dashboard
Upon logging into the console, you will encounter an overview of key status items. This includes the total number of hosts with alerts, categorized by exploits and malware, recent file acquisitions, and contained/active/inactive hosts.
Hosts > Hosts with Alerts page
This page displays detailed information about protected devices/hosts with unresolved alerts. By clicking the plus sign next to a host, you will get a chronological list of alerts with comprehensive details, including detection type (e.g., signature detection), alert/detection times, scan type (e.g., on-access, on-demand), malware name/type, file status (e.g., quarantined), file metadata (e.g., path, MD5/SHA1 hash, size, last modified/accessed times), process details (e.g., path, PID, username of logged-on user). A threat can be acknowledged (marked as “read”) or marked as false positive. Additionally, you can add comments for future investigation. On the Quarantines tab, you can restore, delete, or acquire individual quarantined files for further analysis (see Acquisitions page).
Alerts page
This page allows you to view threats from a threat-centric perspective rather than a device-centric one. It shows a list of detected threats that can be sorted or filtered by different criteria, including name, file hash/path, first/last event time, host name, or host IP address. In addition to deleting alerts, options to Acknowledge, Mark False Positive, and Add Comment are available. Clicking on the threat name will open its detail view on the Hosts with Alerts page.
Acquisitions page
This page lets you view and download files that have been acquired from hosts (see Hosts with Alerts page).
Rules page
This page contains a collection of rules that match indicators of compromise (IOCs), exploit detections, or false positives to aid in identifying specific threats or suspicious behaviours on an endpoint. This rule set is primarily maintained by Trellix’s Dynamic Threat Intelligence (DTI) cloud, but you can also create custom indicator rules with individual conditions for your environment.
Enterprise Search page
On this page, you can conduct extensive searches for threats or threat indicators on the protected endpoints by choosing different search terms from a predefined list. These include application name, browser version, host name, various executables, file names/hashes/paths, IP address, port, process name, registry key, service name/status/type/mode, timestamp, URL, username, Windows Event Message, and many more.
Admin section
This section provides options to modify server settings and policies. On the Policies page, you can add custom endpoint protection policies and configure various aspects of existing ones. Examples of configurable categories are exploit guard protection (Windows only), malware scans (e.g., scan on install, scheduled scan), polling, malware protection (e.g., detection options, definition updates, exclusions, quarantine actions), removal and tamper protection, resource usage, and event logging (e.g., information level, age). On the Host Sets page, you can define groups of hosts based on a variety of criteria or by simply dragging and dropping hosts from the list. Different protection policies can then be applied to each host set.
Endpoint Protection Client
Deployment
The latest version of the endpoint protection client (Agent) for Windows, macOS, and Linux systems can be downloaded from the Admin > Agent Versions page. The installer file can be run manually or deployed through a systems management product such as Jamf. In the former case, you will need to grant the agent Full Disk Access in the macOS system settings, as this is necessary for the product to function properly. After installation, the agent requires a few minutes to download the protection engine before full protection becomes active.
General Handling & Alerts
With the settings used in this test, no user interface or command-line interface is provided for interaction directly on the host machine. Furthermore, no detection alerts were shown on the host when malware was detected during our protection test.
This year, the following Mac security vendors receive our Approved Mac Security Product award: Avast, AVG, Bitdefender, CrowdStrike, Intego, Kaspersky, and Trellix.
A summary of the reviewed products is shown below. If you are thinking of getting a security product for your Mac, we recommend that you also consider other factors, such as price, additional features, and support before choosing a product. We also recommend installing a trial version of any paid-for product before making a purchase.
Avast Security Free for Mac is a freely accessible and comprehensive antivirus solution with an intuitive user interface. It provides clear and persistent alerts when malware is detected.
AVG AntiVirus Free for Mac offers an extensive set of anti-malware features at no cost. Its user-friendly interface makes navigation straightforward, and malware alerts are clear and persistent.
Bitdefender Antivirus for Mac is a paid-for antivirus product featuring malware protection, a data-limited VPN, and ransomware protection. The user interface is sleek and user-friendly.
Bitdefender GravityZone Business Security Premium for Mac is a security package designed for enterprises, providing endpoint protection and centralized management via a cloud-based console for various devices.
CrowdStrike Falcon Pro for Mac is an enterprise-grade security package, designed for large enterprise networks. It operates via a command-line client interface and is managed through a web-based console.
Intego Mac Internet Security X9 is a paid-for security suite that integrates malware protection with a firewall. The simple user interface provides easy access to all features, with prominent malware detection alerts.
Kaspersky Premium for Mac offers comprehensive malware protection and other security features in a paid package. It encompasses all functions in a well-organized user interface and clearly displays malware detection alerts.
Trellix Endpoint Security (HX) for Mac is a versatile endpoint protection package for large enterprise networks. It is managed via a web-based console and silently operates on the client machine.
AV-Comparatives’ Mac Certification requirements
AV-Comparatives have strict criteria for certifying security programs. These are updated every year to take new technological developments into account. Certification by AV-Comparatives indicates that a product has proven itself to be effective, honest, transparent and reliable.
Possible reasons why a product may fail certification are listed below, though this is not necessarily an exhaustive list.
Poor Mac-malware detection rates (under 99% for Mac malware[1]), poor Mac-PUA detection rates[2] (under 85% for Mac PUA[3]) or false positives on common macOS software. Please note that detection of Windows malware is not a certification requirement.
Significant performance issues (i.e. slowing down the system) that have a marked impact on daily use of the system.
Failure to carry out essential functions, such as updating, scanning, and detecting malware, reliably and in a timely fashion.
Untrue claims, such as stating that a macOS app also detects Windows malware, despite independent tests showing that detection of even prevalent Windows malware is very poor (as noted above, Windows malware detection is not in itself a requirement for certification).
Lack of real-time/on-access or on-execution scanning/protection. Providing only an on-demand scanner does not qualify for certification. For consumer products, real-time protection has to be enabled by default after installation.
Being detected as PUA (or malware) by several different engines on multi-engine malware scanning sites (e.g. VirusTotal), either at the time of the test, or in the six months prior to it.
Scareware tactics in trial programs: exaggerating the importance of minor system issues, such as a few megabytes of space taken up by harmless but unnecessary files; fabricating security issues that do not exist.
Confusing or misleading functions, alerts or dialog boxes that could allow a non-expert user to take an unsafe action, or make them worry that there is a serious problem when in fact none exists.
For consumer products, very short trial periods (a few days only) combined with automatically charging for the product unless the user deliberately cancels the subscription. We regard 10 days as the minimum amount of time needed to assess a program.
“Trial” versions that do not make available all essential protection features such as real-time protection or ability to safely disable detected malware.
Bundling of other programs or changing existing system/app preferences (e.g. default search engine), without making clear to the user that this is happening and allowing them to opt out easily.
[1] Starting from 2025, the minimum detection rate for Mac malware will be 95%.
[2] For consumer products, the PUA detection threshold must be reached using default settings.
[3] What is “potentially unwanted” might be debatable, and some apps that we would regard as PUA might be considered to be clean by some vendors. Consequently, this threshold is relatively low.