Mac Security Test & Review 2025

Date: May 2025
Language: English
Last Revision: June 5th 2025

Release date: 2025-06-13
Revision date: 2025-06-05
Test Period: May 2025
Number of Testcases: 899 Mac malware, 750 Mac PUA, 500 Windows malware
Online with cloud connectivity: yes
Update allowed: yes
False Alarm Test included: yes
Platform/OS: macOS

Introduction

macOS has long enjoyed a reputation for robust security and is often seen as a “hardened” alternative to Windows. Although malware targeting macOS remains far less common than on Windows and Android, there have been numerous real-world instances, and attackers no longer regard Macs as secondary targets (https://www.macworld.com/article/670537/do-macs-need-antivirus.html, https://objective-see.org/blog/blog_0x7D.html). In 2023 and 2024, a surge of sophisticated information-stealers, most notably Atomic Stealer (AMOS), its fork Poseidon, and CloudChat, dominated new macOS threats. These stealers, operated as services and controlled from attacker-run infrastructure, harvest browser cookies, saved passwords, Keychain data and cryptocurrency-wallet credentials, and also extract logins from popular password managers, VPN configurations, and FTP clients.

Distribution tactics have evolved accordingly, with threat actors now relying more on targeted malvertising campaigns and social-engineering schemes rather than user-installed adware bundles. Examples include cloned download sites offering “popular” Mac apps that instead serve up malicious disk images, deceptive Google ads, fake utilities (e.g., video-chat tools, VPN clients), trojanised installers, and phishing emails embedding PDF-masquerading apps. Consequently, both everyday users and enterprises must supplement basic vigilance with multi-layered defences: modern endpoint protection with real-time malware scanning, DNS and web filtering to block malicious ads, and EDR solutions to detect abnormal system behaviours before data is lost.

Out of the box, macOS delivers basic anti-malware capabilities. XProtect is Apple’s signature-based scanner: it checks apps against a database of known malware signatures when they are first launched and after they are modified, and the companion XProtect Remediator component removes known infections it finds. Gatekeeper checks that apps downloaded from the Internet are signed by an identified developer and notarized by Apple before they are allowed to run; a user can override this for an individual app, which is exactly what many social-engineering lures ask the victim to do. Both features operate mostly in the background, with occasional configuration options and alerts. Complementing these measures, System Integrity Protection (SIP) locks down system-critical files and folders so that even processes running as root cannot alter them. macOS isolates running processes through sandboxing and requires explicit user consent (the Transparency, Consent, and Control mechanism, TCC) before an app can access user files and other sensitive resources such as the camera, microphone, or location. By placing system files on a separate, sealed read-only volume apart from user data, macOS further reduces the attack surface for malware. System and security updates are delivered through the standard macOS software-update process and can be installed automatically.

Apple’s approach might be adequate against well-established malware but might not respond quickly enough to emerging threats. Although the likelihood of harmful apps entering the App Store is low, any malicious app that has slipped through notarization, or that the user has been persuaded to open despite a Gatekeeper warning, will appear “safe” to macOS’s built-in protections. Third-party antivirus solutions with heuristic and behavioural engines can catch zero-day and fileless attacks that signature-only scanners might miss, while web- and phishing-protection browser extensions block malicious URLs before they load. Some Mac antivirus programs can also detect malware targeting other operating systems, such as Windows and Android, when it is inadvertently transferred between systems via a USB drive.

Experienced macOS users who carefully vet every download may feel their risk is low, but non-expert users, children, and those who frequently try new software could benefit from the extra layer of security a third-party antivirus provides.

Because macOS faces a smaller threat landscape than Windows, its market for anti-malware products is naturally more limited. Nevertheless, our annual Mac security tests consistently show that participating vendors are committed to threat research and continuous product improvement, delivering effective protection against evolving threats. We strongly encourage all security vendors to submit their solutions to independent, third-party evaluations, ensuring they meet current industry standards and user expectations. And for anyone worried that third-party antivirus might slow down their Mac, our tests found no meaningful impact on system performance with any of the reviewed products.

Best Practices for Enhancing Mac Security

As with Windows computers, Macs can be made safer by employing good security practices. We recommend the following:

  • Do not use an administrator account for day-to-day computing; work from a standard account and enter administrator credentials only when a task requires them.
  • Use strong, unique passwords stored in a password manager such as iCloud Keychain, or passkeys (unlocked with Touch ID or Face ID), and enable multi-factor authentication wherever possible.
  • Deactivate services such as Wi-Fi (AirPort), Bluetooth, or IPv6 that you do not use.
  • Be careful about which programs you install and where you download them from.
  • Pay attention when granting programs permissions to sensitive system areas or information (e.g., Full Disk Access, Accessibility, camera, microphone).
  • Be wary of opening links or attachments that you receive via email or messaging apps.
  • Keep macOS and third-party software up to date with the latest patches.
  • Regularly back up your data using Time Machine or another backup solution.
  • Use a VPN to secure your Internet connection, especially on public Wi-Fi networks.
  • Use a certified antivirus program for Mac to provide an additional layer of protection.
    A list of antivirus programs for Mac can be seen here: https://www.av-comparatives.org/list-of-av-vendors-mac/
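The built-in protections described in the Introduction (SIP, Gatekeeper, XProtect, automatic updates) and several items of the checklist above can be verified from the command line. The following script is an added example, not code from this report or from any tested vendor: it runs Apple’s own tools (csrutil, spctl, fdesetup, socketfilterfw, defaults, dscl) and reports which protections are on, which XProtect signature version is installed, and whether the current account is an administrator. The command output embedded in SAMPLE_OUTPUTS is constructed (the XProtect version string “5292” is a placeholder), so the parsers can be exercised on a non-Mac; the live checks only run on macOS.

```python
"""Audit of macOS built-in protections (constructed example, not vendor code)."""
import getpass
import platform
import re
import subprocess

XPROTECT_PLIST = ("/Library/Apple/System/Library/CoreServices/"
                  "XProtect.bundle/Contents/Info.plist")


def parse_sip(text):
    # "System Integrity Protection status: enabled." / "... disabled." /
    # "... unknown (Custom Configuration)." when only some protections are off
    m = re.search(r"status:\s*(enabled|disabled)\b", text)
    return m.group(1) if m else "custom"


def parse_gatekeeper(text):
    # spctl --status prints "assessments enabled" or "assessments disabled"
    return "enabled" if "assessments enabled" in text else "disabled"


def parse_filevault(text):
    # fdesetup status prints "FileVault is On." or "FileVault is Off."
    return "enabled" if "FileVault is On" in text else "disabled"


def parse_firewall(text):
    # socketfilterfw --getglobalstate prints "Firewall is enabled. (State = 1)"
    return "enabled" if "Firewall is enabled" in text else "disabled"


def parse_auto_update(text):
    # An absent key means Apple's default, which is to check automatically.
    return "disabled" if text.strip() == "0" else "enabled"


def parse_xprotect_version(text):
    # CFBundleShortVersionString of XProtect.bundle; reported, not judged
    return text.strip() or "unknown"


def is_admin(membership_text, user):
    # dscl output looks like "GroupMembership: root alice"
    _, _, members = membership_text.partition(":")
    return user in members.split()


# (name, command, parser, expected state or None when purely informational)
CHECKS = [
    ("sip", ["csrutil", "status"], parse_sip, "enabled"),
    ("gatekeeper", ["spctl", "--status"], parse_gatekeeper, "enabled"),
    ("filevault", ["fdesetup", "status"], parse_filevault, "enabled"),
    ("firewall", ["/usr/libexec/ApplicationFirewall/socketfilterfw",
                  "--getglobalstate"], parse_firewall, "enabled"),
    ("auto_update", ["defaults", "read",
                     "/Library/Preferences/com.apple.SoftwareUpdate",
                     "AutomaticCheckEnabled"], parse_auto_update, "enabled"),
    ("xprotect", ["defaults", "read", XPROTECT_PLIST,
                  "CFBundleShortVersionString"], parse_xprotect_version, None),
]


def evaluate(outputs):
    """Map check name -> (observed state, ok) from raw command output."""
    report = {}
    for name, _cmd, parser, expected in CHECKS:
        state = parser(outputs.get(name, ""))
        report[name] = (state, expected is None or state == expected)
    return report


def run(cmd):
    try:
        return subprocess.run(cmd, capture_output=True, text=True,
                              timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def collect():
    return {name: run(cmd) for name, cmd, _, _ in CHECKS}


# Constructed output, as the commands would print it on a Mac where Gatekeeper
# and the application firewall have been switched off. Version is a placeholder.
SAMPLE_OUTPUTS = {
    "sip": "System Integrity Protection status: enabled.\n",
    "gatekeeper": "assessments disabled\n",
    "filevault": "FileVault is On.\n",
    "firewall": "Firewall is disabled. (State = 0)\n",
    "auto_update": "1\n",
    "xprotect": "5292\n",
}

if __name__ == "__main__":
    if platform.system() != "Darwin":
        raise SystemExit("run this on macOS; use SAMPLE_OUTPUTS elsewhere")
    for name, (state, ok) in evaluate(collect()).items():
        print(f"{'OK ' if ok else 'FIX'} {name}: {state}")
    me = getpass.getuser()
    admin = is_admin(run(["dscl", ".", "-read", "/Groups/admin",
                          "GroupMembership"]), me)
    print(f"{'FIX' if admin else 'OK '} daily account {me} is "
          f"{'an administrator' if admin else 'a standard user'}")
```

A “custom” SIP state deserves the same attention as “disabled”: it means csrutil was used to switch off individual protections, which is a common step in rooted or tampered configurations.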

Tested Products

For this test, we used macOS Sequoia with the latest security patches, which was the most recent macOS version available at time of testing. The following products were reviewed and tested for this report, using the latest available versions as of May 2025:

Additional information about the products and the third-party engines/signatures used inside them: Avast, AVG, and Norton are products of Gen Digital and use the Avast engine. Intego uses the Avira engine for detecting Windows malware. Trellix uses the Bitdefender engine. Avast, AVG and Avira specifically asked us to test their free versions.

We congratulate these manufacturers, who elected to have their products reviewed and tested, as we feel their commitment is a valuable contribution to improving security for Mac systems.

Test Procedure

This test checks how effectively the security products protect a macOS system against malicious apps. The test took place in May 2025 and used macOS malware that had appeared in the preceding months. We used a total of 899 recent and representative malicious Mac samples.

In the first half of 2025, thousands of unique Mac samples were collected. Many of these could be classified as “potentially unwanted” (adware and bundled software), depending on interpretation, and many were near-identical: minor modifications produced new file hashes intended to evade simple signature-based detection. After careful consideration, we selected 899 recent and prevalent Mac malware samples for testing, which we believe accurately represent the current threat landscape. This sample size is very small compared to a Windows test, but it is significant given that most Mac systems do not run third-party security software and even a few threats can cause widespread damage. Because Mac security products only need to identify a small number of samples, we expect them to protect the system against most (if not all) of the threats, so the detection rate required for certification is relatively high.

For the test, the macOS system was updated to its latest version and imaged. Each security product was installed on a fresh machine image, and its definitions were updated to May 8, 2025. The Mac systems remained connected to the Internet throughout the test so that cloud services could be used. A USB flash drive containing the malware samples was inserted into the test machines; some antivirus programs already detected samples at this stage (on-access scanning). We then scanned the flash drive and removed any detected samples. The remaining undetected samples were copied to the Mac’s system disk and executed, giving the security products a final chance to detect them. Additionally, we tested for false positives using a set of clean Mac programs. None of the security products produced any false alarms.

To address the rising number of potentially unwanted applications (PUAs) on Mac systems, we conducted an additional test to evaluate the detection capabilities of the products. Specifically, we assessed the detection of 750 prevalent Mac PUAs using the same methodology as for malware detection. Many Mac security products assert that they can identify both Mac and Windows malware, so that the user’s computer does not pass harmful programs on to Windows PCs. To test this claim, we evaluated whether the Mac antivirus products detect prevalent and current Windows malware. We used 500 Windows samples and followed the same procedure as for Mac malware, but without the execution step, since Windows programs cannot be executed under macOS.

Settings

All Mac consumer products were tested with default settings. Enterprise environments typically involve product configuration by a system administrator, following the vendor’s guidelines. Therefore, we invited all vendors to configure their respective enterprise products accordingly. The scores achieved reflect performance under the specific settings detailed below.

  • CrowdStrike Falcon Pro: Everything enabled and set to “Extra Aggressive”.
  • Trellix: In “Malware Protection”, “Signature and Heuristic Detection”, “Cloud Lookup”, “Quarantine”, “Quarantine Malicious Archives” were enabled. “Exploit Guard” and all prevention actions were also enabled.

Test Results

The table below shows the protection results of the tested products. We would like to point out that while some products may sometimes reach 100% detection rates in a test, this does not mean that they will always protect against all threats; it means only that they detected 100% of the widespread samples used in this test. We do not round scores up to 100% if there are misses, so a program with a score of 100% had zero misses. For PUA, the highest possible score is capped at 99% due to the nature of the files.
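The three-stage procedure from the Test Procedure section (detection when the USB stick is inserted, an on-demand scan, then execution of whatever survived; no execution stage for Windows samples) and the display rule just stated can be written down as a short scoring routine. The code below is an added example, not AV-Comparatives’ own tooling: the per-sample results in SAMPLE_RESULTS are constructed, and the rounding to one decimal place for malware and to whole percent for PUA/Windows is an assumption taken from the layout of the results table, not a documented rule.

```python
"""Protection-rate scoring for a multi-stage test chain (constructed example)."""

# Stages in the order the test runs them. A sample only reaches a later stage
# if every earlier one missed it, so "blocked" means any stage fired.
STAGES_MAC = ("on_insert", "on_demand_scan", "on_execute")
# Windows samples cannot be executed on macOS, so the chain stops after the scan.
STAGES_WINDOWS = ("on_insert", "on_demand_scan")


def is_blocked(sample, stages):
    """True if any stage in the chain detected this sample."""
    return any(sample.get(stage, False) for stage in stages)


def count_blocked(samples, stages):
    """Return (blocked, total) for one product over one sample set."""
    blocked = sum(1 for s in samples if is_blocked(s, stages))
    return blocked, len(samples)


def format_score(blocked, total, decimals=1, hard_cap=None):
    """Render a percentage the way the results table does.

    - zero misses and no cap  -> "100%"
    - any miss                -> normal rounding, but never rounded up to 100
                                 (898/899 is "99.9%", and "99%" at 0 decimals)
    - hard_cap                -> ceiling applied regardless of misses
                                 (the PUA column is capped at 99%)
    """
    if total <= 0:
        raise ValueError("empty sample set")
    if blocked == total and hard_cap is None:
        return "100%"
    pct = round(blocked * 100 / total, decimals)
    if blocked < total:
        pct = min(pct, 100 - 10 ** -decimals)   # 99.9 or 99, never 100
    if hard_cap is not None:
        pct = min(pct, hard_cap)
    return f"{pct:.{decimals}f}%"


# Constructed results for one fictional product: each dict records which
# stage(s) detected the sample.
SAMPLE_RESULTS = {
    "mac_malware": [
        {"on_insert": True,  "on_demand_scan": True,  "on_execute": False},  # on access
        {"on_insert": False, "on_demand_scan": True,  "on_execute": False},  # by scan
        {"on_insert": False, "on_demand_scan": False, "on_execute": True},   # behavioural
        {"on_insert": False, "on_demand_scan": False, "on_execute": False},  # miss
    ],
    "mac_pua": [
        {"on_insert": True, "on_demand_scan": True, "on_execute": False},
        {"on_insert": True, "on_demand_scan": True, "on_execute": False},
    ],
    "windows_malware": [
        {"on_insert": True,  "on_demand_scan": True},
        {"on_insert": False, "on_demand_scan": False},  # no execution stage to catch it
    ],
}


def score_product(results):
    """Produce the three table cells for one product from its raw results."""
    mac = count_blocked(results["mac_malware"], STAGES_MAC)
    pua = count_blocked(results["mac_pua"], STAGES_MAC)
    win = count_blocked(results["windows_malware"], STAGES_WINDOWS)
    return {
        "mac_malware": format_score(*mac, decimals=1),
        "mac_pua": format_score(*pua, decimals=0, hard_cap=99),
        "windows_malware": format_score(*win, decimals=0),
    }


if __name__ == "__main__":
    for column, cell in score_product(SAMPLE_RESULTS).items():
        print(f"{column:16s} {cell}")
```

The cap is the part worth keeping when reusing this: with 899 samples a single miss is 99.89%, which ordinary rounding would print as 100% and silently hide the miss.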

Product                                   Mac Malware Protection   Mac PUA Protection   Windows Malware Detection*
                                          (899 samples)            (750 samples)        (500 samples)
Avast Free Security for Mac               100%                     99%                  100%
AVG AntiVirus Free for Mac                100%                     99%                  100%
Avira Free Security for Mac               99.3%                    98%                  100%
Bitdefender Antivirus for Mac             99.4%                    99%                  100%
CrowdStrike Falcon Pro for Mac            99.8%                    98%                  0%
Intego Mac Internet Security X9           97.1%                    97%                  100%
Kaspersky Premium for Mac                 100%                     99%                  100%
Norton AntiVirus Plus for Mac             100%                     99%                  100%
Trellix Endpoint Security (HX) for Mac    99.4%                    99%                  100%

* Detection of Windows threats on Macs can be seen as discretionary. Some products do not include detection for non-Mac threats, or have limited detection capabilities due to technical constraints.

Product Reviews

Here we have outlined the structure of the following product reviews for each of the consumer programs in this test. For the enterprise products we have used a slightly different review format which includes a brief product summary and sections about the cloud-based management console (e.g., dashboard, host management, detections, policies, investigation) as well as the endpoint protection client (e.g., deployment, general handling, alerts).

Summary: We briefly describe the nature of the product and highlight selected key aspects, such as whether it is free or paid, important security features, and our overall experience with it. Please note that all products protect against ransomware in the same way as for other types of malware. Where we have specifically mentioned “ransomware protection”, it means that specific user folders are monitored to prevent unauthorised changes.

Installation, Setup & Uninstallation: We describe how to get the product up and running on your Mac, starting with downloading the installer and finishing with any post-setup tasks needed, such as installing and enabling browser extensions. We record any options available, and whether you have to make any decisions during installation. There is also a note on how to uninstall the product, should you need to. Please be aware that when installing any antivirus product on macOS Sequoia (which was used for the tests and reviews), it is necessary to go into the macOS system settings and enable the program’s system extensions as well as grant the program specific permissions, such as Notifications or Full Disk Access. Since this process is essentially identical for all products, we have not mentioned it in the individual reviews.

General Handling & Essential Features: We consider how easy it is to find the most important functionality: protection status, different scan options, protection features, quarantine, subscription information (not applicable to free programs), update, settings, and help.

Protection: We describe the available scan options, including smart/full/custom scan, external storage scan, and scheduled scans, how and where to trigger them, and briefly mention any special detection settings that are enabled by default, e.g., detection of PUA or stalkerware. We might also give additional information about third-party detection engines and other relevant malware protection features, such as browser/email/ransomware protection.

Alerts: We look at how the current protection status is displayed, what sort of warning is shown if real-time protection or any other protection feature is disabled, and how to correct this. We also note what type of alert is shown when malware is discovered, and whether the user needs to take any action in this case.

Quarantine & Logs: We check the functionality that shows you which malicious items have been found, what information is provided about them, and what the actions are for dealing with them. If available from the program window, we will also note the types of data and events being logged by the program.

Advanced Options: We check whether only users with a macOS Administrator account can disable the protection features, uninstall the program, or restore/delete items from quarantine. We regard it as ideal if only administrators (not standard macOS users) can perform at least the first two tasks.

Summary

Avast Free Security for Mac offers a solid, user-friendly antivirus solution tailored for non-expert users. Its clean interface, straightforward setup, and reliable malware protection make it a good choice for Mac users seeking essential security without cost. Some of its key aspects are:

  • Effortless installation and setup of core features.
  • Modern, tile-based interface for easy navigation.
  • Various scan options and settings, including scheduled scans.
  • Clear and persistent alerts that keep users informed of any issues.
  • Administrative safeguards to prevent unauthorised changes.

Installation, Setup & Uninstallation

To set up the program, simply download and run the installer file available on the vendor’s website. The setup process is intuitive, with the program guiding you through each step and providing brief explanations along the way. You can uninstall the program via the macOS menu bar or by running the Avast Security Uninstaller directly from the macOS Applications folder.

General Handling & Essential Features

The main program window displays the protection status prominently, alongside quick access to smart scan, further scan options (Virus Scans), protection features (Core Shields), additional security features (e.g., Traffic Monitor, Network Inspector, Email Guardian), and quarantine. Settings (Preferences) are accessible via the program menu or the macOS menu bar. Subscription information is not applicable since the program is free. Manual updates can be initiated by clicking Check for updates under the system tray icon or program name in the macOS menu bar. Online help is available via the Help menu, directing users to Avast’s comprehensive support resources.

Protection

From Virus Scans on the home page, users can perform smart scans, deep scans encompassing all drives and system memory, external storage scans for connected devices, or targeted scans of specific files and folders. The latter can also be run from the Finder context menu. Scheduled scans and detection behaviours are customizable under Preferences; the detection of PUA is enabled by default. The Email Guardian scans emails of specified mail accounts for suspicious content. Note that the free version only supports mail apps installed on the Mac like Apple Mail and Microsoft Outlook. The Traffic Monitor provides insights into data transmission across apps, including the geographic locations of connected servers displayed on an interactive map.

Alerts

If real-time protection (File Shield) or web protection (Web Shield) within Core Shields is disabled, Avast displays a persistent alert in the main program window. To re-activate either protection feature, click Turn ON, which takes you to Core Shields to re-enable it.


When malware was detected during our protection test, an alert window appeared as depicted below. No user action was required, and the alert persisted until manually closed. Multiple detections are consolidated into a single alert, navigable via on-screen arrows. Expanding the details section at the bottom of the alert reveals further information, including the threat name, severity, file name/path, and associated process.


Quarantine & Logs

The quarantine is directly accessible from the home page and lists all isolated threats, along with details such as the threat name, file name/path, and detection date. Users can delete or, with administrative privileges, restore items.

Advanced Options

To enhance security, only users with macOS Administrator accounts can:

  • Disable protection features (under Core Shields).
  • Uninstall the program.
  • Restore items from quarantine.

Advertising

In-app messages inform about unresolved issues, such as ransomware vulnerability, network threats, and fake websites. When users attempt to address these flagged issues, Avast prompts them to purchase Avast Premium. If the initial upgrade offer is declined, a follow-up prompt appears, offering a 60-day free trial of Avast Ultimate as an incentive. Similar upgrade suggestions may also appear in detection alerts.

Summary

AVG AntiVirus Free for Mac offers a solid, user-friendly antivirus solution tailored for non-expert users. Its clean interface, straightforward setup, and reliable malware protection make it a good choice for Mac users seeking essential security without cost. Some of its key aspects are:

  • Effortless installation and setup of core features.
  • Modern, tile-based interface for easy navigation.
  • Various scan options and settings, including scheduled scans.
  • Clear and persistent alerts that keep users informed of any issues.
  • Administrative safeguards to prevent unauthorised changes.

Please note that Avast and AVG are both Gen Digital brands, and the two security apps offer identical core functionality. However, there are some differences in their user interfaces.

Installation, Setup & Uninstallation

To set up the program, simply download and run the installer file available on the vendor’s website. The setup process is intuitive, with the program guiding you through each step and providing brief explanations along the way. You can uninstall the program via the macOS menu bar or by running the AVG AntiVirus Uninstaller directly from the macOS Applications folder.

General Handling & Essential Features

The main program window displays the protection status prominently, alongside quick access to smart scan, further scan options (Run Other Scans), and protection features (Computer, Web & Email). The quarantine can be found under Computer and settings (Preferences) are accessible via the program menu or the macOS menu bar. Subscription information is not applicable since the program is free. Manual updates can be initiated by clicking Virus Definitions on the home page or Check for updates under the system tray icon or program name in the macOS menu bar. Online help is available via the Help menu, directing users to AVG’s comprehensive support resources.

Protection

From Other Scans on the home page, users can perform smart scans, deep scans encompassing all drives and system memory, external storage scans for connected devices, or targeted scans of specific files and folders. The latter can also be run from the Finder context menu. Scheduled scans and detection behaviours are customizable under Preferences; the detection of PUA is enabled by default.

Alerts

If real-time protection (File Shield) within Computer, web protection (Web Shield) or email protection within Web & Email is disabled, AVG displays a persistent alert in the main program window. To re-activate either protection feature, you must manually navigate to the respective menu tile and turn it back on.

When malware was detected during our protection test, an alert window appeared as depicted below. No user action was required, and the alert persisted until manually closed. Multiple detections are consolidated into a single alert, navigable via on-screen arrows. Expanding the details section at the bottom of the alert reveals further information, including the threat name, severity, file name/path, and associated process.


Quarantine & Logs

The quarantine is quickly accessible from Computer on the home page and lists all isolated threats, along with details such as the threat name, file name/path, and detection date. Users can delete or, with administrative privileges, restore items.

Advanced Options

To enhance security, only users with macOS Administrator accounts can:

  • Disable protection features (under Computer and Web & Email).
  • Uninstall the program.
  • Restore items from quarantine.

Advertising

In-app messages inform about unresolved issues, such as ransomware vulnerability, network threats, and fake websites. When users attempt to address these flagged issues, AVG prompts them to purchase AVG Internet Security. If the initial upgrade offer is declined, a follow-up prompt appears, offering a 60-day free trial of it as an incentive. Similar upgrade suggestions may also appear in detection alerts.

Summary

Avira Free Security for Mac is an intuitive antivirus solution well-suited for non-technical users seeking effective protection at no cost. Some of its key aspects are:

  • Effortless installation and setup of core features.
  • Clean, organized interface with all features easily accessible.
  • Various scan options and settings, including scheduled scans, as well as browsing-protection addons.
  • Clear, informative alerts.
  • Administrative safeguards to prevent unauthorised changes.

Installation, Setup & Uninstallation

Installation begins by logging into your Avira account at my.avira.com, followed by downloading and running the installer. The setup process is guided and user-friendly, offering brief explanations throughout. On first launch, users are prompted to run a Smart Scan to check for common vulnerabilities. The program supports macOS’s dark and light modes for a cohesive user experience. You can uninstall the program by simply deleting it from the macOS Applications folder.

General Handling & Essential Features

The main program window displays key components including protection status, smart scan, further scan options (Virus Scans), protection features (Protection Options), and quarantine. Subscription information is not applicable since the program is free. Settings can be accessed via the cogwheel icon in the upper-right hand corner of the interface or from the macOS menu bar. Manual updates are triggered by selecting Check for updates on the Status page. The online help is available through the Help menu in the macOS menu bar, which opens Avira’s support page in the default browser.

Protection

On the Virus Scans page, you can perform quick scans of device areas most susceptible to infection, full scans covering the entire file system, or custom scans of selected files or folders. The latter can also be run from the Finder context menu. The Scheduler allows users to automate any of the available scan options. Under Settings, users can configure detection behaviour and adjust different scan parameters for more tailored protection.

Alerts

If real-time protection or download protection within Protection Options is disabled, Avira displays an auto-dismissible system notification and persistent alert in the main program window. The real-time protection can also be turned off via the system tray icon in the macOS menu bar. Either protection feature can be re-enabled by simply clicking Turn on.

When malware was detected during our protection test, an alert appeared as depicted below, detailing the threat file path and action taken. No user action was required, and the alert closed automatically after a few seconds.


Quarantine & Logs

The Quarantine lists all isolated threats, along with details such as the threat name, file/path, and detection date. Only users with administrative privileges can delete and restore quarantined items.

Advanced Options

To enhance security, only users with macOS Administrator accounts can:

  • Disable protection features (under Protection Options or system tray icon).
  • Uninstall the program.
  • Delete and restore items from quarantine.

Summary

Bitdefender Antivirus for Mac is a premium security solution designed for both novice and advanced users. It combines a sleek interface with robust protection features, a data-limited VPN, and browser security extensions. Some of its key aspects are:

  • Effortless installation and setup of core features.
  • Intuitive, well-designed interface showcasing all features.
  • Various scan options, ransomware protection, data-limited VPN, and browsing-protection addons.
  • Clear alerts that keep users informed of any issues.
  • Administrative safeguards to prevent unauthorised changes.

Installation, Setup & Uninstallation

Once the installer is downloaded and launched from the vendor’s website, the setup wizard walks you through each step. After installation, users are prompted to create or sign in to a Bitdefender account. An optional tour introduces key features, and the program recommends enabling app notifications in the macOS system settings, installing the browser extension (Traffic Light), configuring ransomware protection (Safe Files), setting up Time Machine Protection, and initiating a system scan. The interface adapts to macOS’s dark and light modes for a seamless user experience. You can uninstall the program via the Bitdefender Uninstaller found in the macOS Applications folder.

General Handling & Essential Features

The Dashboard provides clear visibility into the protection status and quick access to scan options (quick and system scan), protection features, settings, subscription information (My Account), and help resources. The quarantine and scan exceptions are located under Protection. Manual updates can be triggered from the Actions menu in the macOS menu bar. Privacy includes the data-limited Bitdefender VPN and additional Anti-tracker browser extension. A detailed PDF manual and online support can be accessed via Help.

Protection

From the Protection menu, users can perform a quick scan of critical areas, system scan covering all files and folders, or custom scan targeting specific files or folders. The latter can also be run from the Finder context menu. Web protection is provided through the Traffic Light browser extension, compatible with Safari, Chrome, and Firefox, which also adds safety ratings to search engine results. The anti-ransomware feature protects user-specific folders as well as Time Machine backups from unauthorised changes. Detection behaviours and protection settings can be customized in the Settings menu.

Alerts

If real-time protection is disabled via Settings or the system tray icon in the macOS menu bar, Bitdefender displays a persistent alert on the main program window. Re-activating protection is as simple as clicking the Enable button.

When malware was detected during our protection test, an alert appeared as depicted below, detailing the threat name, file name, and action taken. No user action was required, and the alert closed automatically after a few seconds.


Quarantine & Logs

The Quarantine lists all isolated threats, providing details such as the threat name, file name, and detection date. Only users with administrative privileges can delete and restore quarantined items. The Notifications page logs events such as signature updates, component activations, and malware detections, which can be filtered by severity levels (Critical, Warning, Information).

Advanced Options

To enhance security, only users with macOS Administrator accounts can:

  • Disable protection features (under Settings).
  • Uninstall the program.
  • Delete and restore items from the quarantine.

Summary

CrowdStrike Falcon Pro is a robust endpoint security solution tailored for medium to large enterprise environments. It provides cloud-based centralized management, advanced detection and response capabilities, and real-time protection through its lightweight endpoint protection client. Some of its key aspects are:

  • Investigative functions for attack analysis and incident response.
  • Advanced search capabilities for hunting and threat correlation.
  • Well-structured, intuitive cloud console with access to granular details.
  • Containment feature to isolate compromised endpoints.
  • Clear, user-level alerts on endpoints and prioritized threat notifications for administrators.

Management Console

The cloud console is navigable via the menu in the top-left corner, providing access to all EDR/XDR functions ranging from incident response and threat detections to endpoint administration and reporting. Pages can be bookmarked for quick navigation via the Bookmarks section using the icon beside each page title. The most relevant sections and pages are described below.

Endpoint security > Activity Dashboard page

The landing page displays key threat metrics in large panels, including a list of recent detections categorized by severity and detection method (Tactic & Technique), SHA-based detections, prevented malware by host, a monthly bar chart of detections by tactics, and the current CrowdScore, which reflects the likelihood of an ongoing attack on the company network based on active incidents. All dashboard items are clickable and redirect to the relevant detail pages with the respective filters applied.

Endpoint Security > CrowdScore Incidents page

This section presents all incidents derived from detection events, showing associated processes, attack vectors (e.g., thread injection, lateral movement), and contextual relationships. Each incident includes a score, detection details, host metadata, attack timeline, and investigation ticket status. Clicking on an incident opens a summary preview, with an option to explore the full incident details across multiple views: Summary, Table, Graph, and Events Timeline. Admins can isolate compromised hosts instantly using the Network Contain option or further investigate with Incident Event Search and the CrowdStrike Query Language (CQL).

Endpoint Security > Endpoint Detections page

This page provides granular control for analysing detections. Administrators can filter detection entries using a wide range of parameters, including severity, tactic, technique, date/time, host, and more. Selecting an entry opens a comprehensive timeline alongside a details panel. From here, you can take key actions such as editing the detection status, assigning a user for remediation, immediately containing the affected host, and accessing the full detection details page.

Endpoint Security > Quarantined Files page

On this page, quarantined items are listed with metadata including timestamp, file name, hostname, logged-on user, and status. Administrators can release, delete, or download files in password-protected archives. Clicking on an entry opens a panel with additional information such as file path, file hash, detection method, and severity. Filters help narrow results for faster triage.

Endpoint Security > Prevention Policies page

This page allows you to create and customize prevention policies across supported platforms by defining how endpoint protection clients detect and respond to threats. For macOS, you can manage components such as Sensor Capabilities, Sensor Visibility, Next-Gen Antivirus (On Write, Quarantine, Cloud Machine Learning, Sensor Machine Learning), Malware Protection (Execution Blocking), and Behaviour-Based Prevention (Unauthorised Remote Access IOAs, Credential Dumping IOAs). Machine learning components have configurable sensitivity levels, ranging from Disabled to Extra Aggressive. Custom host groups and indicators of attack (IOA) rule groups can be assigned per policy; when a host falls into the groups of several policies, the policy hierarchy determines which single policy takes precedence.

Host Setup and Management > Host Management page

All registered endpoints are listed here, with customizable columns displaying attributes such as hostname, status, OS version, IP addresses, sensor version, and assigned policies. Clicking on an entry opens the details panel, and advanced filtering makes it easy to search for specific systems.

Investigate section

This area provides deep forensic and hunting capabilities. Administrators can search for hosts, events, users, file hashes, IP addresses, activities related to detections or files, and more. Additional tools include timelines of hosts and processes as well as reports on remote access and geolocation activity.

Endpoint Protection Client

Deployment

The recommended method is to deploy the Sensor via an MDM server using a configuration profile supplied by CrowdStrike. This approach streamlines deployment and avoids the manual authorization steps otherwise required on each endpoint (approving the sensor's system extension and granting Full Disk Access). Alternatively, standalone installers can be used for manual setup. Sensor packages are downloadable under Host Setup and Management > Sensor Downloads, with multiple older versions available for compatibility. The installation process includes step-by-step guidance for local setup.

General Handling

The Falcon Sensor app runs with a minimal interface, showing only status information. Administrative interaction is conducted via the falconctl command-line utility. Example commands include falconctl stats for sensor information and statistics or falconctl uninstall for removal. With the settings used for our protection test, detected threats are not deleted but quarantined in situ.
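A small state check built on the falconctl command mentioned above, as an added example (not CrowdStrike's code) of the kind of inventory script a macOS administrator runs from an MDM to confirm the sensor is present and reporting. The falconctl path inside Falcon.app, the system-extension check via systemextensionsctl and the reading of a non-zero exit status from falconctl stats as "installed but not reporting" are assumptions, not details taken from the review.

```shell
#!/bin/sh
# Added example (not CrowdStrike's code): report the Falcon sensor state on a
# macOS host as a single word that an MDM inventory attribute can ingest.
# Assumptions not taken from the review: falconctl ships at the path below,
# the sensor's system extension lists under systemextensionsctl with
# "crowdstrike" in its identifier, and "falconctl stats" exits non-zero
# when it cannot reach a running sensor.
FALCONCTL="${FALCONCTL:-/Applications/Falcon.app/Contents/Resources/falconctl}"

falcon_sensor_state() {
    # No binary at all: the package was never installed (or was uninstalled).
    if [ ! -x "$FALCONCTL" ]; then
        echo "not-installed"
        return 0
    fi
    # The binary can exist while the system extension is still unapproved;
    # in that state no protection is active, so report it separately.
    if ! systemextensionsctl list 2>/dev/null | grep -qi crowdstrike; then
        echo "installed-extension-not-loaded"
        return 0
    fi
    # Extension loaded: ask the sensor itself for its statistics.
    if "$FALCONCTL" stats >/dev/null 2>&1; then
        echo "running"
    else
        echo "installed-not-reporting"
    fi
    return 0
}

falcon_sensor_state
```

The function always returns success and encodes the result in the printed word, so an MDM can store it as an attribute and alert on anything other than "running"; a script that instead used the exit status would be aborted by the MDM's own error handling before the value was recorded.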

Alerts

When malware was detected during our protection test, an alert appeared as depicted below, providing minimal information. No user action was required, and the alert closed automatically after a few seconds.

Summary

Intego Mac Internet Security X9 is a paid-for security suite combining antivirus protection (VirusBarrier) and a firewall (NetBarrier). While its modular design may require navigating between separate applications, its focused feature set provides robust protection tailored specifically to Mac users. In this review though, we mainly focused on VirusBarrier. Some of its key aspects are:

  • Effortless installation and setup of core features.
  • Simple, clean interface that neatly integrates all features.
  • Various scan options, including scheduled scans and USB scans.
  • Clear and persistent alerts that keep users informed of any issues.
  • Administrative safeguards to prevent unauthorised changes.

Installation, Setup & Uninstallation

To set up the program, simply download and run the installer file available on the vendor’s website. The setup process is intuitive and guides you through each step. Post-installation, users must manually launch VirusBarrier to complete product activation and grant Full Disk Access within the macOS system settings. The interface adapts to macOS’s dark and light modes, ensuring a cohesive user experience. You can uninstall the program by re-running the installer and double-clicking Uninstall, or by deleting the Intego folder from the macOS Applications folder.

General Handling & Essential Features

The Scan page of the main program window displays the protection status, scan options (quick, full, scheduled scan) and settings. Quarantine and scan exceptions (Trusted Files) are available via dedicated tabs. Updates can be initiated and managed via the NetUpdate application, accessible through the Installed Malware Definitions link in the main program window or via the Check for Updates option in the macOS menu bar. Subscription information is displayed under VirusBarrier > About in the macOS menu bar. The Help menu gives access to help resources both online and within the program.

Protection

VirusBarrier supports quick scans, full scans, and custom scans of specific files or folders. The latter can also be run from the Finder context menu. Users can configure scheduled scans (Schedule) on the Scan page and customize the protection and detection behaviour, including the action after a volume is mounted, under VirusBarrier Preferences. The program also checks if safe browsing features of supported browsers (Safari, Chrome, Firefox) are activated and alerts users if they are turned off. VirusBarrier employs Intego’s proprietary detection engine for macOS malware and Avira’s engine to identify Windows malware.
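As an added example, not Intego's code, here is how a browser safe-browsing check of the kind described above can be done from the browsers' on-disk preference stores. The preference keys and file formats used (Safari's WarnAboutFraudulentWebsites plist key, Chrome's safebrowsing.enabled entry in its JSON Preferences file, Firefox's browser.safebrowsing.*.enabled user_pref lines in prefs.js) are assumptions about how the three browsers store the setting, and the sample inputs are constructed, not captured from a real machine.

```python
"""Added example (not Intego's code): decide whether safe browsing is enabled in
Safari, Chrome and Firefox by reading each browser's on-disk preferences.

Assumptions not taken from the review: the key names and file formats below.
All sample inputs are constructed here.
"""
import json
import plistlib
import re


def safari_safe_browsing(plist_bytes: bytes) -> bool:
    """Safari: binary or XML plist; the warning is on unless explicitly false."""
    prefs = plistlib.loads(plist_bytes)
    return bool(prefs.get("WarnAboutFraudulentWebsites", True))


def chrome_safe_browsing(preferences_json: str) -> bool:
    """Chrome: the dotted pref 'safebrowsing.enabled' is stored as nested JSON."""
    prefs = json.loads(preferences_json)
    return bool(prefs.get("safebrowsing", {}).get("enabled", True))


# Matches only boolean user_pref lines; string-valued prefs are ignored.
_USER_PREF = re.compile(r'user_pref\("([^"]+)",\s*(true|false)\);')


def firefox_safe_browsing(prefs_js: str) -> bool:
    """Firefox: prefs.js lists only prefs the user changed, so an absent key
    means the built-in default, which is enabled."""
    prefs = {m.group(1): m.group(2) == "true" for m in _USER_PREF.finditer(prefs_js)}
    return all(prefs.get(key, True) for key in (
        "browser.safebrowsing.malware.enabled",
        "browser.safebrowsing.phishing.enabled",
    ))


def report(safari_plist: bytes, chrome_json: str, firefox_prefs: str) -> dict:
    """Per-browser verdict, the shape an alerting layer would consume."""
    return {
        "Safari": safari_safe_browsing(safari_plist),
        "Chrome": chrome_safe_browsing(chrome_json),
        "Firefox": firefox_safe_browsing(firefox_prefs),
    }


# Constructed sample inputs: Safari and Chrome at defaults, Firefox with the
# malware check switched off by the user and one unrelated pref present.
SAMPLE_SAFARI = plistlib.dumps({"WarnAboutFraudulentWebsites": True})
SAMPLE_CHROME = json.dumps({"safebrowsing": {"enabled": True, "enhanced": False}})
SAMPLE_FIREFOX = (
    'user_pref("browser.safebrowsing.malware.enabled", false);\n'
    'user_pref("browser.startup.homepage", "about:blank");\n'
)

if __name__ == "__main__":
    for browser, enabled in report(SAMPLE_SAFARI, SAMPLE_CHROME, SAMPLE_FIREFOX).items():
        print(f"{browser}: safe browsing {'ON' if enabled else 'OFF'}")
```

On a real Mac the files sit under the user's Library folder, and Safari's plist lives inside the Safari app container, which is itself guarded by the privacy (TCC) system; that is one reason a product has to be granted Full Disk Access before a check like this can run. A missing Firefox key must be read as "default, enabled" rather than "unknown", which is why the parser only looks at prefs the user has actually changed.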

Alerts

If real-time protection is disabled on the Scan page, Intego displays a persistent alert in the main program window. The protection can be re-activated by clicking Turn On.

When malware was detected during our protection test, a dialog and alert appeared as depicted below, detailing the threat name, file name, and action taken. No user action was required. The dialog persisted until manually closed, while accompanying alerts auto-dismissed after a few seconds.

Quarantine & Logs

The Quarantine lists all detected threats, along with their file names. Users can delete, repair, and restore (trust) any files. Selecting an item reveals its original file path in the status bar. The Logs tab on the Scan page provides a chronological record of system events, including updates, scans, detections, real-time protection status changes, and quarantine actions. Events are color-coded (red for malware detections, yellow for quarantine actions, green for updates and active real-time protection) and accompanied by the applicable date and time.

Advanced Options

By default, password protection for altering program settings is disabled but can be enabled under Settings > Advanced. Once activated, only users with macOS Administrator accounts can:

  • Disable protection features (on the Scan page or via the menu bar icon).
  • Uninstall the program.
  • Delete and restore items from quarantine.

Summary

Kaspersky Premium for Mac is a paid antivirus solution offering strong and user-friendly protection ideal for non-expert users. It combines a streamlined interface with comprehensive security and privacy features. Some of its key aspects are:

  • Effortless installation and setup of core features.
  • Clean, well-organised interface showcasing all features.
  • Various scan options and comprehensive settings, including scheduled and USB scans, as well as browsing-protection addons.
  • Clear alerts that keep users informed of any issues.
  • Administrative safeguards to prevent unauthorised changes.

Installation, Setup & Uninstallation

Setup begins by logging into your Kaspersky account at my.kaspersky.com, followed by downloading and running the installer. The process is intuitive, with step-by-step guidance and brief explanations provided throughout. You can optionally enable additional protection features, such as Wi-Fi network protection and browser extensions for Safari, Chrome, and Firefox. Once installed, the main program window displays several recommendations, such as enabling automatic macOS updates, activating location services, and installing missing browser extensions as well as supplemental tools like Kaspersky VPN and Password Manager (both included in the Premium plan). You can uninstall the program by navigating to Help > Support > Uninstall in the macOS menu bar or by deleting it from the macOS Applications folder.

One potential point of confusion during setup is that the program cannot detect whether an older version of the browser extension is installed. As a result, it may prompt users to delete the previous version even if none is present. Kaspersky has acknowledged this and is working to either clarify the process or eliminate the step entirely in future updates.

General Handling & Essential Features

The main program window provides a clear overview of the protection status, scan options (Scan), subscription information, other system insights, and quick actions for privacy tools such as the webcam access blocker and smart home monitor. The macOS menu bar gives access to Settings (which includes protection features and scan exclusions under Trusted Zone), the quarantine (Detected Objects), and online help, which opens Kaspersky's support page in the default browser. Manual updates can be triggered either from the main program window via Database Update or from the macOS menu bar.

Protection

From Scan, users can perform quick scans, full scans, or custom scans of specific files and folders. The latter can also be run from the Finder context menu. Scans can be scheduled from here or the Settings menu. Users can customize detection behaviour and scan options, including external disk scans, as well; the detection of stalkerware is enabled by default.

Alerts

If any protection feature is disabled via Settings > Protection, Kaspersky displays a persistent alert in the main program window. The real-time protection can also be turned off from the program's icon in the macOS menu bar. Re-enabling protection is straightforward: just click Enable.

When malware was detected during our protection test, an alert appeared as depicted below, with details such as the threat file path and action taken. No user action was required, and the alert closed automatically after a few seconds. Additionally, a shortcut to the quarantine is shown on the Home page of the main program window.

Quarantine & Logs

The Detected Objects page lists all isolated threats, along with their threat names and file paths. Clicking the "…" menu next to each item allows users to delete or restore the file. A Delete All option is also available for bulk removal. Under Protection > Reports in the macOS menu bar, users can view detailed logs of processed objects (detections), updates, scans, and various protection features.

Advanced Options

To enhance security, only users with macOS Administrator accounts can:

  • Disable protection features (under Settings or via the menu bar icon).
  • Uninstall the program.

Summary

Norton AntiVirus Plus for Mac is a premium antivirus solution designed to deliver solid protection to Mac users. Its modern, polished interface encompasses essential security features, but users can add further safeguards through browser extensions and other applications. Some of its key aspects are:

  • Effortless installation and setup of core features.
  • Modern, intuitive interface for easy navigation.
  • Various scan options and comprehensive settings, including scheduled scans.
  • Clear and persistent alerts that keep users informed of any issues.
  • Administrative safeguards to prevent unauthorised changes.

Please note that Norton, like Avast and AVG, is a product of Gen Digital. These various security apps offer identical core functionality, though there are some differences in their user interfaces.

Installation, Setup & Uninstallation

To install the program, you must log into your Norton account at my.norton.com, download the installer file and run it on your Mac. Users are guided through a step-by-step wizard with brief explanations. You can uninstall the program via the macOS menu bar or by running the Norton Uninstaller directly from the macOS Applications folder.

General Handling & Essential Features

The main program window offers an overview of the protection status, alongside quick access to quick scan, further scan options (Scans), core protection features (Security), settings, and subscription information. Under Security, users can find the quarantine and scan exceptions within the Antivirus component. Manual updates can be triggered via the LiveUpdate component or by selecting Check for updates from the macOS menu bar. Online help is available via the Help menu, providing links to Norton’s comprehensive support resources.

Protection

Under Scans on the Home or Security page, users can perform quick scans, full scans, and targeted scans of specific files and folders. The latter can also be run from the Finder context menu. Scheduled scans can be configured under the Custom scans tab. Web protection is handled by the integrated Safe Web component, while the Intrusion Prevention module protects against network-based attacks, such as those exploiting vulnerable programs or originating from compromised network devices. The Smart Firewall helps users monitor and control network activities of installed apps, including the geographic locations of connected servers visualised on an interactive map.

Alerts

If real-time protection (Auto-Protect) within Security > Antivirus is disabled, Norton displays a persistent alert in the main program window. Re-activating protection is as simple as clicking the Enable button.

When malware was detected during our protection test, an alert window appeared as depicted below. No user action was required, and the alert persisted until manually closed. Multiple detections are consolidated into a single alert, navigable via on-screen arrows. Expanding the details section at the bottom of the alert reveals further information, including the threat name, severity, file name/path, and associated process.

Quarantine & Logs

The quarantine is accessible from Security > Quarantine and lists all isolated threats, along with details such as the threat name, file name/path, and detection date. Users can delete or, with administrative privileges, restore items.

Advanced Options

To enhance security, only users with macOS Administrator accounts can:

  • Disable protection features (under Security > Antivirus).
  • Uninstall the program.
  • Restore items from quarantine.

Summary

Trellix Endpoint Security (HX) is an enterprise-grade endpoint protection solution designed for large-scale deployments, supporting up to 100,000 endpoints per appliance. It offers a centralized management console available in multiple formats (cloud-hosted, appliance-based, or Amazon-hosted) and is equipped with advanced investigative and containment capabilities. Some of its key aspects are:

  • Robust investigation and remediation tools for detailed threat analysis.
  • Powerful, flexible search facility across endpoints and event data.
  • Intuitive, well-organized cloud console with drill-down views.
  • Containment feature to isolate compromised endpoints.
  • Prioritized threat notifications for administrators.

Management Console

Navigation through the console is handled via a top-page menu, granting access to key components such as threat monitoring, host management, search tools, and administrative controls. The most relevant sections and pages are described below.

Dashboard

Upon login, users are presented with an overview of system health and threat activity. This includes metrics such as the total number of hosts with alerts, split into four different categories, along with summaries of recent file acquisitions and the status of contained/active/inactive hosts.

Hosts > Hosts with Alerts page

This page lists all protected hosts with unresolved security alerts. Expanding an entry reveals a chronological breakdown of alerts with details, including detection type (e.g., signature-based), timestamps, scan type (on-access, on-demand), malware type and name, file status (e.g., quarantined), file attributes (path, hashes, size, modification/access times), and process information (e.g., PID, process path, associated user). Administrators can perform actions such as marking alerts as acknowledged or false positives, adding investigation comments, or managing quarantined items via the Quarantines tab.

Alerts page

This section provides a threat-centric view, displaying a list of all detected threats across the company network. Threats can be sorted or filtered by attributes such as name, file path or hash, host name or IP address, or event timestamps.

Available actions include Acknowledge, Mark as False Positive, Delete, and Add Comment. Clicking on an entry’s name redirects to its full detail view under the Hosts with Alerts page.

Acquisitions page

This page lists all files acquired from endpoints, typically for forensic purposes. Acquisitions are generally initiated from the Hosts with Alerts page and can be downloaded securely for offline analysis.

Rules page

This page houses preconfigured and custom detection logic for identifying specific threats or suspicious behaviours. These rules include indicators of compromise (IOCs), exploit patterns, and known false positives, managed largely by Trellix's Dynamic Threat Intelligence (DTI) cloud. Administrators can also create custom rules with specific detection conditions for their organization's environment.

Enterprise Search page

This powerful search feature enables deep forensic investigation and threat hunting workflows across all connected endpoints using predefined criteria. Supported search terms include application names, file and executable attributes (e.g., name, path, type, hash), network and web-related details (e.g., IP address, port, URL, DNS, browser, cookie, page), usernames, registry keys, process and service information, timestamps, system events, and many more.

Admin section

This section allows for system configuration and policy management. On the Policies page, you can define and customize endpoint protection policies, covering Exploit Guard Protection (Windows only), Malware Scans (e.g., scan on install, scheduled scan), Polling intervals, Malware Protection (e.g., detection options, definition updates, exclusions, quarantine actions), Removal Protection, Tamper Protection, Logging behaviours, and further agent settings. On the Host Sets page, hosts can be grouped dynamically based on certain criteria or manually via drag-and-drop. Policies can then be assigned to each host set.
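Both consoles reviewed here tie policies to collections of hosts: CrowdStrike's Prevention Policies page assigns host groups per policy with a hierarchy deciding precedence, and Trellix's Host Sets page builds sets dynamically by criteria or manually and assigns a policy to each set. The following is an added example, not CrowdStrike's or Trellix's own code, of how such a resolution works. The semantics it assumes are not spelled out by the review: policies are evaluated from highest precedence down, the first policy whose group contains the host applies in full (settings are not merged), and a default policy catches hosts that match no group. Hostnames, group criteria and setting values are constructed.

```python
"""Added example (not CrowdStrike's or Trellix's code): resolve which policy a
host actually receives when hosts are grouped statically or by criteria and
policies are assigned to groups in a precedence order.

Assumed semantics not stated by the review: first matching policy in
precedence order wins outright; a group-less policy is the default.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Host:
    name: str
    os_version: str


@dataclass
class HostGroup:
    name: str
    members: Set[str] = field(default_factory=set)        # static membership
    criteria: Optional[Callable[[Host], bool]] = None     # dynamic membership

    def contains(self, host: Host) -> bool:
        if host.name in self.members:
            return True
        return bool(self.criteria is not None and self.criteria(host))


@dataclass
class Policy:
    name: str
    group: Optional[HostGroup]      # None marks the default policy (any host)
    settings: Dict[str, object]


def effective_policy(host: Host, policies: List[Policy]) -> Policy:
    """Return the first policy in precedence order that covers the host."""
    for policy in policies:
        if policy.group is None or policy.group.contains(host):
            return policy
    # A host that no policy covers is a real gap: surface it rather than guess.
    raise LookupError(f"no policy covers host {host.name}")


def coverage_report(hosts: List[Host], policies: List[Policy]) -> Dict[str, str]:
    """Map every host to the name of the policy it would actually receive."""
    return {h.name: effective_policy(h, policies).name for h in hosts}


# Constructed groups: one by explicit membership, one by a dynamic criterion.
FINANCE = HostGroup("Finance", members={"fin-mbp-01", "fin-mbp-02"})
LEGACY = HostGroup("Legacy macOS", criteria=lambda h: h.os_version.startswith("12."))

# Ordered highest precedence first. The sensitivity labels follow the review's
# "Disabled ... Extra Aggressive" range; the intermediate names are assumed.
POLICIES = [
    Policy("Finance strict", FINANCE, {"cloud_ml": "Extra Aggressive", "quarantine": True}),
    Policy("Legacy monitor-only", LEGACY, {"cloud_ml": "Moderate", "quarantine": False}),
    Policy("Default", None, {"cloud_ml": "Aggressive", "quarantine": True}),
]

HOSTS = [
    Host("fin-mbp-01", "12.7.4"),   # in Finance AND Legacy: precedence decides
    Host("eng-mbp-07", "12.7.4"),   # Legacy only
    Host("eng-mbp-09", "15.4.1"),   # no group: falls through to Default
]

if __name__ == "__main__":
    for host, policy in coverage_report(HOSTS, POLICIES).items():
        print(f"{host}: {policy}")
```

The host in both groups is the case to watch: whether it ends up with quarantine on or off depends purely on the order of the two policies, not on which group it was added to last, so a coverage report like this one belongs in change review whenever a policy is moved in the hierarchy or a dynamic group's criterion is edited.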

Endpoint Protection Client

Deployment

The latest agent versions for macOS, Windows, and Linux are available under Admin > Agent Versions. Deployment can be manual or automated using system management tools like Jamf. Manual installs require the Full Disk Access permission to be granted in the macOS system settings to ensure full functionality; when deploying via MDM, this permission can be pre-approved with a Privacy Preferences Policy Control profile so that no one has to click through the prompt on each Mac. After installation, the agent takes several minutes to initialize and download the necessary protection components.

General Handling & Alerts

The macOS agent operates silently in the background, without a local user interface or command-line access for interaction. During our protection test, no on-screen alerts were displayed on the host system upon malware detection. All detection events are visible and manageable solely through the management console.

Award levels reached in this Mac Security Review

The perfect Mac security product for all users does not exist. As with e.g. Windows products, we recommend drawing up a short list of products that might be suitable for you after reading our reviews about the advantages and disadvantages of each product. You can then install and test free trial versions of the candidate products for a few days (one at a time) to help make your decision easier. You should also consider other factors, such as price, additional features, and support before choosing a product.

All products tested this year qualify for our “Approved Mac Security” award. To be certified, each product had to meet our stringent Mac certification requirements.

Avast Security Free for Mac combines solid malware protection with an intuitive user interface at no cost. It displays clear, persistent alerts upon threat detection.

AVG AntiVirus Free for Mac offers reliable anti-malware features for free. Its user-friendly interface is easy to navigate, and malware detection alerts are clear and persistent.

Avira Free Security for Mac is a free and straightforward antivirus solution providing effective protection in a clean and accessible interface.

Bitdefender Antivirus for Mac is a premium antivirus product that delivers robust malware protection with ransomware defences in a sleek user interface and a custom, data-limited VPN.

CrowdStrike Falcon Pro for Mac is a powerful enterprise-grade security platform for medium to large organizations, offering centralized web-based management with advanced detection and response features.

Intego Mac Internet Security X9 is a paid security suite that includes malware protection and firewall capabilities. Its streamlined user interface provides easy access to all features, and malware detection alerts are displayed prominently.

Kaspersky Premium for Mac offers a comprehensive, paid-for security solution with advanced malware protection and privacy features. All functions are wrapped in a well-organized user interface and malware detection alerts are clearly displayed.

Norton AntiVirus Plus for Mac encompasses strong malware protection and further security features in a modern, polished user interface. It displays clear, persistent alerts upon threat detection.

Trellix Endpoint Security (HX) for Mac is a versatile endpoint protection platform for large-scale enterprise networks, managed entirely through a web-based console and operating silently on client systems.

Approved Mac Security award: Avast, AVG, Avira, Bitdefender, CrowdStrike, Intego, Kaspersky, Norton, Trellix.

Copyright and Disclaimer

This publication is Copyright © 2025 by AV-Comparatives ®. Any use of the results, etc. in whole or in part, is ONLY permitted after the explicit written agreement of the management board of AV-Comparatives prior to any publication. AV-Comparatives and its testers cannot be held liable for any damage or loss, which might occur as result of, or in connection with, the use of the information provided in this paper. We take every possible care to ensure the correctness of the basic data, but a liability for the correctness of the test results cannot be taken by any representative of AV-Comparatives. We do not give any guarantee of the correctness, completeness, or suitability for a specific purpose of any of the information/content provided at any given time. No one else involved in creating, producing or delivering test results shall be liable for any indirect, special or consequential damage, or loss of profits, arising out of, or related to, the use or inability to use, the services provided by the website, test documents or any related data.

For more information about AV-Comparatives and the testing methodologies, please visit our website.

AV-Comparatives
(June 2025)