
Mobile Security Review 2023

This section outlines the structure of the following product reviews for each of the mobile security apps in this test. As the tested products have different feature sets, not every feature section (except for Anti-Malware) applies to every product.

Introduction: We provide a concise overview of the product, stating its price model (free or paid) and highlighting its key features. We limit the number of features to the five basic security and privacy features (as denoted by the symbols in the top-right corner of the product review) and up to five additional features that we deem noteworthy. For easy comparison and better readability, we use standardized terms from our feature list, which can be found at the end of this report.

Usage: We briefly describe the first app start, initial app setup, and how to access the app features from the main app screen.

Anti-Malware: We explain what the malware scan does, if any suggestions for user actions are shown after the initial scan, what scan options (e.g., quick, full, scheduled scan) and settings for the detection behaviour are available, and mention interesting findings if malware is detected.

Anti-Theft: If applicable, we describe how to set up the feature, configure the available commands, and trigger them remotely. We also note additional settings and any faulty commands or misbehaviour upon execution. A table at the end of the product review shows a summary of the available anti-theft commands.

Web / Wi-Fi Protection: If applicable, we describe different protection capabilities against web threats and/or vulnerabilities on Wi-Fi networks. These include, for example, anti-phishing, VPN, and Wi-Fi scanner.

App Lock / Audit: If applicable, we describe the locking feature with its settings, which allows protecting selected apps from unauthorized access, and/or the feature to review key aspects of installed apps such as permissions, data usage, and storage space.

Parental Control: If applicable, we consider capabilities for regulating and monitoring children’s device activities and safeguarding them from inappropriate content. These include, for example, app locking, web filtering, and daily usage limits.

Privacy Protection: If applicable, we list several other features which can help to further improve the user’s privacy, e.g., call filter, data leak checker, social network privacy scanner, and protection against scam or malicious links in notifications and text messages.

Additional Features: We list additional app features which do not belong to one of the previous categories and we think are worth mentioning. These might include system optimizing tools to stop background apps or remove junk files and a task manager to uninstall/deactivate installed apps.

Conclusion: We give a short conclusion on the product and our experience with it, and state whether any reviewed function did not work properly and was not fixed before this publication.

Avast

Mobile Security Free
23.3.2


Introduction

Avast Mobile Security Free is an ad-supported product which includes a variety of security- and privacy-oriented features such as anti-malware, safe browsing, app audit, Wi-Fi security, data leak checker, and photo vault. Other app components, such as Clean Junk and Wi-Fi Speed, help the user monitor different aspects of the device. Avast asked us to test and review the free version of their product. Please note that Avast owns AVG, and the respective Android apps appear to be identical in functionality; there are, however, some minor differences in the user interface.

Usage

Upon starting the app, the user must accept Avast’s Agreement and Privacy Policy. After viewing a brief overview of basic features, the user can continue with the free and ad-supported app version by accepting the Consent Policy for custom ads. The user is then prompted to perform a first scan of apps or of all files, which requires the “All files access” permission. All the features can be accessed from the menu in the top left-hand corner.

Anti-Malware

After the first device scan, the app suggests turning on the web protection, setting up a screen lock, and disabling battery optimization. The user can choose between a file scan and a deep scan, or select individual files/folders to be scanned by the File Shield.

The external storage (e.g., SD card) is not included when scanning the device storage. The app provides further scan settings, such as the detection of PUPs or apps with a low reputation, which are enabled by default, and the option to scan apps during installation and upon launch. It is not possible to run a subsequent scan before resolving malware detections or other issues.

Web & Wi-Fi Protection

The protection against malicious URLs and phishing websites offered by Web Shield requires the Accessibility permission and works for different browser apps. The Network Inspector scans the currently connected Wi-Fi network for security threats, which requires access to the device’s location. Automatic scanning of new networks is also possible.

App Audit

App Insights monitors installed apps regarding privacy and app permissions and provides the user with detailed app info and usage statistics (e.g., daily/weekly/monthly data usage, screen time). The user can also set a data usage limit and a corresponding alert. Furthermore, all installed apps are labelled with the risk categories “low”, “average”, and “high”, depending on the app’s permissions.

Additional Features

Photo Vault enables the user to securely store up to ten photos, which can only be accessed after entering the user-defined Avast PIN. Hack Alerts allows the user to check whether their email or any related accounts have been involved in a data breach.

The Wi-Fi Speed Test checks the Wi-Fi connection speed and Clean Junk helps to free up storage space by removing temporary or cached files. My Statistics shows a summary of security-related actions taken by Avast on the device, e.g., number of threats prevented.

Conclusion

Avast Mobile Security Free is a well-designed anti-malware application that gives the user access to many, but partially restricted, security features. Optimization and privacy-enhancing tools are also available. The app provides a step-by-step guide to setting up each feature.

AVG

AntiVirus Free for Android
23.3.2


Introduction

AVG AntiVirus Free for Android is an ad-supported product which includes a variety of security- and privacy-oriented features such as anti-malware, safe browsing, app audit, Wi-Fi security, data leak checker, and photo vault. Other app components, such as Clean Junk and Wi-Fi Speed, help the user monitor different aspects of the device. AVG asked us to test and review the free version of their product. Please note that AVG is owned by Avast, and the respective Android apps appear to be identical in functionality; there are, however, some minor differences in the user interface.

Usage

Upon starting the app, the user must accept AVG’s Agreement and Privacy Policy. After viewing a brief overview of basic features, the user can continue with the free and ad-supported app version by accepting the Consent Policy for custom ads. The user is then prompted to perform a first scan of apps or of all files, which requires the “All files access” permission. All the features can be accessed from the menu in the top left-hand corner.

Anti-Malware

After the first device scan, the app suggests turning on the web protection, setting up a screen lock, and disabling battery optimization. The user can choose between a file scan and a deep scan, or select individual files/folders to be scanned by the File Shield.

The external storage (e.g., SD card) is not included when scanning the device storage. The app provides further scan settings, such as the detection of PUPs or apps with a low reputation, which are enabled by default, and the option to scan apps during installation and upon launch. It is not possible to run a subsequent scan before resolving malware detections or other issues.

Web & Wi-Fi Protection

The protection against malicious URLs and phishing websites offered by Web Shield requires the Accessibility permission and works for different browser apps. The Network Inspector scans the currently connected Wi-Fi network for security threats, which requires access to the device’s location. Automatic scanning of new networks is also possible.

App Audit

App Insights monitors installed apps regarding privacy and app permissions and provides the user with detailed app info and usage statistics (e.g., daily/weekly/monthly data usage, screen time). The user can also set a data usage limit and a corresponding alert. Furthermore, all installed apps are labelled with the risk categories “low”, “average”, and “high”, depending on the app’s permissions.

Additional Features

Photo Vault enables the user to securely store up to ten photos, which can only be accessed after entering the user-defined AVG PIN. Hack Alerts allows the user to check whether their email or any related accounts have been involved in a data breach.

The Wi-Fi Speed Test checks the Wi-Fi connection speed and Clean Junk helps to free up storage space by removing temporary or cached files. My Statistics shows a summary of security-related actions taken by AVG on the device, e.g., number of threats prevented.

Conclusion

AVG AntiVirus Free for Android is a well-designed anti-malware application that gives the user access to many, but partially restricted, security features. Optimization and privacy-enhancing tools are also available. The app provides a step-by-step guide to setting up each feature.

Avira

Prime for Android
7.20.0


Introduction

Avira Prime for Android is a paid-for security product. Besides malware protection, safe browsing, app lock, and app audit, it provides a data leak checker, unlimited VPN, and call blocking feature.

Usage

After installation, the user must agree to the EULA and Terms and Conditions, and the app asks for consent to collect and process data for app and marketing improvements. Next, the app offers a dark mode to save battery. After that, the main screen appears; from here, the user can start the first Smart Scan to check the device’s security. All the features are grouped in the navigation bar at the bottom. Upon performing certain actions (e.g., a Smart Scan) or changing screens, the app title suddenly changes to “Avira Security”, which is confusing to users as that name refers to the free version of the app.

Anti-Malware

Before the first scan, the user must grant the app the “All files access” permission to scan for malware on the internal and external device storage. If the permission is denied, only installed apps will be scanned.

Besides malware, the scan looks for adware and PUAs by default. Riskware detection can be configured, and scans for a set time and day can be scheduled in the Smart Scan options. There is also an option to start an automatic scan when a storage device is connected, or a USB cable is unplugged. However, this feature did not work in our testing as no scan was started in these scenarios. As part of the scan results, the user is prompted to check their email address for data breaches.

In our testing, no clear detection alerts were shown. Only the Avira app icon silently appeared in the Android status bar at the top, which is easy for the user to miss.

Web & Wi-Fi Protection

The Web Protection feature detects phishing and other malicious websites while browsing the web with supported browsers. In addition, the user can black- or whitelist websites. The app includes an unlimited VPN.

App Lock & Audit

App Lock restricts access to selected, sensitive apps by locking them using a PIN, pattern, or fingerprint. The user can choose between different locking behaviours (lock immediately, lock after predefined time intervals, lock when the screen turns off). Additionally, there is an option to show a fake crash message when a locked app is accessed. In that case, the user needs to long-press the OK button, which opens the prompt to unlock the app. The Permissions Manager lists all installed apps by the permissions they request. Additionally, it shows which permissions the user has allowed or denied for certain apps.

Privacy Protection

Call Blocker can be used to block phone calls from specified contacts, if the Avira app is set as the default “caller ID & spam app”. The Identity Protection checks a specific email address for data breaches.

Conclusion

Avira Prime for Android offers a large set of tools to enhance device security and protect the user against privacy leaks. Detection alerts are not clearly displayed and therefore, users might not get informed about a potential infection.

Bitdefender

Mobile Security
3.3.203


Introduction

Bitdefender Mobile Security for Android is a paid-for, security- and privacy-oriented mobile security solution. An Autopilot mode, enabled by default, automatically takes care of security- and privacy-related issues on behalf of the user. Additional components such as anti-theft, safe browsing, app lock, data leak checker, data-limited VPN, Wi-Fi security, and scam protection (including SMS, instant messages) ensure that the user is protected against other threats.

Usage

Upon opening the app for the first time, the user must agree to Bitdefender’s subscription agreement, and either log in or create a new account. After that, the app helps the user to configure the necessary features, such as Malware Scanner and Web Protection, and starts the first device scan. The user can navigate through all the features using the menu bar at the bottom of the screen.

Anti-Malware

After granting the “All files access” permission, real-time protection with in-the-cloud detection of malicious apps and files on the internal and external storage is enabled. App Anomaly Detection and Download Scan can be activated as additional scan settings.

Besides the scan result, a list of several malware types with a brief description of each is displayed. The malware scan is only available with an active Internet connection.

Anti-Theft

Anti-theft components are listed in the table below. First, the necessary permissions, among which are device admin rights, need to be granted, and the user is asked to choose an app-specific PIN to protect the app settings. The remote commands Locate Device, Lock Device, Play Sound, and Erase Device can be sent from either the Bitdefender Central app or the web interface at central.bitdefender.com. A lock screen needs to be configured during the setup of the anti-theft feature in order to use the Lock command.

After granting access to the device camera, the Snap Photo feature silently takes a photo with the front camera, stores it on the device, and uploads it to the remote command interface when the wrong PIN has been entered three times in a row.

From the command interface, the user can see the device’s location and security status (along with a list of threats found on the device), and remotely start a scan.

Web & Wi-Fi Protection

The Web Protection feature blocks malicious URLs and phishing websites in various browser apps. Bitdefender also includes a VPN service, providing up to 200 MB of data traffic per day while connected to an automatically chosen server. The option to warn the user each time the device connects to an open Wi-Fi is activated by default.

App Lock

The App Lock component limits access to chosen apps by locking them with a pre-defined PIN or using biometrics (e.g., fingerprint, face recognition). In the settings, the user can decide how often protected apps should require the code and if protected apps remain unlocked while connected to a Wi-Fi network marked as trusted.

The Random Keyboard feature randomizes the number position on the keyboard each time the lock screen is displayed. If Snap Photo is enabled, a photo is taken with the front camera after three failed unlock attempts with the PIN.

Privacy Protection

The Account Privacy feature lets the user check whether an email address has been compromised in a data breach. The email address to be checked needs to be verified with a confirmation code in advance. Scam Alert monitors incoming text messages and notifications for dangerous links and potential scams. If Chat Protection is turned on, this also covers chat messages received via certain social media apps.

Conclusion

Bitdefender Mobile Security provides a wide range of tools for monitoring the device security and user privacy. All anti-theft features worked as expected in our test.

Anti-Theft Details (commands sent via the web interface)

Commands
Locate Device: Displays the location on Google Maps.
Play Sound: Sounds an alarm on the device and/or shows a custom message.
Lock Device: Locks the device only if a pre-defined Android lock screen is configured.
Erase Device: Triggers a factory reset and wipes external storage.

Additional Features
Snap Photo: Takes a picture with the device’s front camera after 3 failed unlock attempts.

ESET

Mobile Security Premium
8.1.17


Introduction

ESET Mobile Security Premium is a paid-for and easy-to-use mobile security solution for Android. In addition to malware protection, anti-theft, safe browsing (including messages and notification protection), and Wi-Fi security, it offers privacy-related features such as app audit, app lock, call filter, and payment protection.

Usage

On the first start, the user must agree to the EULA and Privacy Policy, and select the appropriate country and language. Next, the app asks for the user’s consent to collect anonymous data for diagnostics and marketing purposes. The user is then prompted to create an account, or log in to an existing one, prior to activating the product license. After granting the app the “All files access” permission, the user can start the first device scan. All the features can be accessed from the main screen or the menu.

Anti-Malware

Users can choose between two scan levels: Smart (installed apps, DEX/SO files, and archives) and In-depth (all files). In both cases, the internal and external device storage is scanned. Detection modules can be updated manually, and it is possible to toggle on-charge and scheduled scans.

Further settings allow the user to disable real-time protection for download folders, toggle the ESET LiveGrid reputation/feedback system, and to configure actions when removable media is connected. The detection of potentially unwanted/unsafe applications is disabled by default. The Adware Detector can help with identifying installed apps that overlay the device screen with unwanted ads.

Anti-Theft

Anti-theft components are listed in the table below. During setup, the user needs to grant the app several permissions and device admin rights, and configure a PIN to protect the app settings. The SIM card protection and other locking behaviours (e.g., number of unlock attempts, photo of the intruder) can be configured as well.

Once the app detects suspicious activity (e.g., removal of its device admin rights), the device enters “suspicious mode”. In this state, the app locks the device and regularly sends photos taken with the front and back cameras, the device’s location, and information about connected Wi-Fi networks to the web interface at home.eset.com. The user can also trigger this mode from the web interface. It is possible to wipe all data from the device, and to automatically save the last known location when the device battery reaches a critical level. A locked device can be unlocked either with the ESET account password or with a custom unlock code obtained from the web interface.

Web & Wi-Fi Protection

The anti-phishing component protects a wide range of browser apps against phishing attacks. If the respective options are enabled, it also detects and warns about dangerous links received in social media apps, SMS messages, and app notifications. The Network Inspector scans for vulnerable devices on the currently connected Wi-Fi network and gives device information such as name, model, IP/MAC address, and OS.

App Lock & Audit

App Lock allows the user to protect selected apps from unauthorised access using a PIN or pattern. The locking type and behaviour (e.g., lock new apps after installation, intruder alert) can be configured in the settings. With Security Audit, the user can review important device settings and permissions of installed apps (including system apps).

Privacy Protection

With the Call Filter feature, the ESET app can be set as the default “caller ID & spam” app in order to block or allow calls from specific phone numbers or contacts based on custom rules. The Safe Launcher feature (Payment Protection) is installed along with the ESET app and prevents malicious apps from reading or replacing on-screen information of protected apps.

Conclusion

ESET Mobile Security Premium offers the full range of protection and security features against vulnerabilities and theft. It stands out for its particularly careful and brief descriptions of each setup step and advanced settings. All anti-theft features worked flawlessly.

Anti-Theft Details (commands sent via the web interface)

Commands
Device is missing: Marks the device as lost and regularly triggers the subsequent actions.
Track: Automatically tracks the location and displays it on Google Maps when the device is marked as lost.
Play siren: Sounds an alarm on the device when marked as lost.
Lock: Automatically locks the device when marked as lost.
Wipe: Triggers a factory reset and wipes the external storage when marked as lost.
Message: Sends a message which is shown on the lock screen when the device is marked as lost.
I have recovered my device: Stops the automatic device monitoring and unlocks the device.
Download activity: All the pictures taken and locations recorded can be downloaded as an archive.

Additional Features
Take Photo: Automatically takes pictures with the device’s front and back cameras when the device is marked as lost.
SIM Card Protection: Locks the device when a (trusted) SIM card is removed.
Uninstall Protection: Marks the device as lost when device admin rights are removed from the app.

Google

Play Protect & OS Features
35.7.20


Introduction

With Google Play Services and Google Mobile Services (GMS), Google-certified Android devices are equipped with several APIs (e.g., for security, privacy, location, accounts, backups) and preinstalled apps (e.g., Chrome, Gmail, Maps, Drive, YouTube) to provide better user experience to mobile end-users. Play Protect is Google’s built-in malware protection, which monitors the device for malicious apps and APK files. Device security and privacy is further enhanced with anti-theft, safe browsing, and app auditing.

Usage

Play Protect is preinstalled on supported Android devices and can be found either via the Play Store app or Android system settings.

Anti-Malware

Play Protect periodically scans the internal storage and notifies the user of malicious or potentially harmful apps downloaded from Google Play Store and other app sources. These include apps that hide or misrepresent important information and/or misuse permissions to access personal information, thus violating Google’s Developer Policy and Unwanted Software Policy.

The settings “Scan apps with Play Protect” and “Improve harmful app detection” can be turned off, and the permissions of apps that have not been used for a few months can be reviewed. Malware protection is only available with an active Internet connection.

Anti-Theft

Anti-theft commands are listed in the table below. The anti-theft feature Find My Device can be operated remotely from the web interface at google.com/android/find, or the standalone app on a second device. Logging into a Google account is mandatory, and the location must be turned on for the target device. The command interfaces show the current or last-known location, battery level, time, and name of the Wi-Fi the device is connected to.

The user can lock the device with the set locking mechanism or by creating a new lock PIN/password, and optionally display a message on the device screen. The option to erase the target device deletes all data from the internal and external device storage.

Web Protection

The Google Chrome browser app for Android includes a safe browsing feature with “Standard protection” enabled by default. Users are alerted about dangerous websites and downloads. When switching to “Enhanced protection”, URLs are submitted to the cloud for deeper analysis and users are warned if their passwords are exposed in a data breach. The options “Do Not Track” and “Always use secure connections” are disabled by default.

App Audit

In the Android system settings, all installed apps are listed, along with detailed information about their notifications and default-app settings, permissions, and device usage (e.g., mobile data, battery, storage).

Users can also disable/uninstall an app, force an app stop, and adjust the requested permissions. To give users even more insight into how apps affect their privacy, all apps can be sorted and viewed by dangerous permissions (e.g., location, camera, contacts) and permissions with special access (e.g., device admin rights, all files access, appear on top, install unknown apps).
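The permission-based views described in the App Audit sections of this report (the low/average/high risk labels of Avast’s and AVG’s App Insights, and the per-permission app listing in the Android system settings above) can be reproduced outside any vendor app from the output of adb shell dumpsys package. The following is an added example written for this review, not code from Google or from any reviewed vendor: it parses the relevant permission lines of a constructed dumpsys package excerpt, labels each app low/average/high with an assumed heuristic (any special app access, or three or more dangerous permissions, counts as “high”), and groups apps by sensitive permission. The package names, the dump excerpt, the permission lists and the thresholds are assumptions made for the example.

```python
"""Permission-based app audit over `adb shell dumpsys package` output.

Added example for this review, not code from any reviewed vendor.  The risk
thresholds, the permission lists and the sample dump are assumptions."""

import re
from collections import defaultdict

# Runtime ("dangerous") permissions that Android grants only after a user prompt.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
}

# "Special app access" permissions, named as the Android settings screen shows them.
SPECIAL = {
    "android.permission.MANAGE_EXTERNAL_STORAGE": "all files access",
    "android.permission.SYSTEM_ALERT_WINDOW": "appear on top",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install unknown apps",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# A permission entry: bare name, or "name: granted=true|false, flags=[...]".
PERM_RE = re.compile(r"^([\w.]+)(?::\s*granted=(true|false).*)?$")
SECTIONS = {"requested permissions:", "install permissions:", "runtime permissions:"}


def parse_dumpsys(text):
    """Return {package: {"requested": set, "granted": set}} from dumpsys text."""
    apps, current, in_section = {}, None, False
    for line in text.splitlines():
        header = PKG_RE.match(line)
        if header:
            current = header.group(1)
            apps[current] = {"requested": set(), "granted": set()}
            in_section = False
            continue
        stripped = line.strip()
        if current is None or not stripped:
            continue
        if stripped in SECTIONS:
            in_section = True
            continue
        if not in_section:
            continue
        perm = PERM_RE.match(stripped)
        if not perm or "." not in perm.group(1):
            in_section = False  # any non-permission line ends the list
            continue
        name, granted = perm.groups()
        apps[current]["requested"].add(name)
        if granted == "true":
            apps[current]["granted"].add(name)
    return apps


def classify(app, high_threshold=3):
    """Label an app low/average/high from the permissions it requests.
    Assumed heuristic: any special access, or >= high_threshold dangerous
    permissions, is "high"; one or more dangerous permissions is "average"."""
    dangerous = sorted(p for p in app["requested"] if p in DANGEROUS)
    special = sorted(SPECIAL[p] for p in app["requested"] if p in SPECIAL)
    if special or len(dangerous) >= high_threshold:
        level = "high"
    elif dangerous:
        level = "average"
    else:
        level = "low"
    return {
        "level": level,
        "dangerous": dangerous,
        "granted_dangerous": sorted(p for p in dangerous if p in app["granted"]),
        "special": special,
    }


def audit(text):
    """Risk label per package, like the per-app view of an app audit screen."""
    return {pkg: classify(app) for pkg, app in parse_dumpsys(text).items()}


def group_by_permission(text):
    """Packages per sensitive permission, like the per-permission view."""
    groups = defaultdict(list)
    for pkg, app in parse_dumpsys(text).items():
        for perm in sorted(app["requested"]):
            if perm in DANGEROUS or perm in SPECIAL:
                groups[perm].append(pkg)
    return dict(groups)


# Constructed sample that mimics only the relevant lines of a real dump.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (1a2b3c):
    userId=10201
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    userId=10202
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.calc] (7a8b9c):
    userId=10203
    requested permissions:
      android.permission.INTERNET
"""

if __name__ == "__main__":
    for pkg, info in audit(SAMPLE_DUMPSYS).items():
        print(f"{pkg}: {info['level']} dangerous={info['dangerous']} special={info['special']}")
    for perm, pkgs in sorted(group_by_permission(SAMPLE_DUMPSYS).items()):
        print(f"{perm}: {pkgs}")
```

To run it against a real device, save adb shell dumpsys package to a file and pass its contents to audit(); the parser only reads the requested, install and runtime permission lists, so everything else in the dump is ignored. A granted-but-unused dangerous permission shows up in dangerous but not in granted_dangerous only when the user has denied it, which is the distinction the Avira and Google permission views expose.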

Conclusion

Google Play Protect is preinstalled on certified Android devices, while older devices might receive updates for Play Services and GMS. All the security-related features, such as malware protection, anti-theft, and web protection, can be used for free with a Google account. Depending on the device model, manufacturers may provide their own device-related security features, which might overlap with pre-existing GMS apps such as Google Chrome and Find My Device. All anti-theft commands worked as expected.

Anti-Theft Details (commands sent via the Find My Device app or web interface)

Commands
Locate: Displays the current or last-known location on Google Maps.
Secure Device: Locks the device with a given PIN/password or the pre-defined locking mechanism. A message and/or phone number can be displayed on the locked device screen.
Erase Device: Triggers a factory reset immediately, or after the next device restart, and wipes the external storage.

Kaspersky

Plus for Android
11.100.4


Introduction

Kaspersky Plus for Android is a well-rounded, paid-for mobile security solution for up to ten devices. It offers a comprehensive set of tools to protect against malware, phishing, theft, and privacy violations. The app functionality is extended by additional features such as app lock, app audit, Wi-Fi security, unlimited VPN, data leak checker, notification protection, and a system settings checker.

Usage

Upon first opening the app, the user must agree to Kaspersky’s EULA, Privacy Policy, and optionally, to the vendor’s statements about improving protection and data processing for marketing purposes. After granting the “All files access” permission, the user can either buy a subscription, activate an existing subscription, or start a free trial week. On the app’s main screen, a database update as well as a quick scan can be started. The app prompts the user to enable and configure various security-related components, such as anti-theft and safe browsing, run a full device scan, and turn off password visibility in the device settings. The user can access all the features from the menu bar at the bottom of the screen.

Anti-Malware

When starting a scan, the user is asked whether to perform a quick scan (app-only), a full scan including all files on the internal and external storage, or a selective scan of specific folders or files.

The scan settings offer fine-grained control of scan frequency and signature updates, in addition to customizable scan behaviour. The default settings include the detection of adware and auto-dialers, and the scanning of installed apps and APK files. The user can switch to extended real-time protection, which monitors all file and installed-app activity, and change what action should be taken on detection.

Anti-Theft

Anti-theft commands are listed in the table below. The setup requires the user to grant the app the necessary permissions as well as device admin rights, and to configure a secret code/pattern/fingerprint. The SIM card and uninstallation protection can be enabled as well. Remote commands such as Lock & Locate, Mugshot, Alarm, and Data Wipe can be sent from the web interface at my.kaspersky.com. Here, basic information, such as battery level and activated security features, as well as the device location and images taken are shown. All commands except for Data Wipe can include a custom message that is displayed on the lock screen. An email is sent after the commands Lock & Locate or Mugshot are successfully executed, and the results are automatically deleted from the web interface after 30 days. The web interface also contains a device-specific recovery code used to unlock a device that has been locked remotely.

Web & Wi-Fi Protection

The Safe Browsing component protects the user from visiting phishing websites in supported browser apps. If enabled, any in-app link will be opened in Chrome. Before using the unlimited VPN service, the user must accept Kaspersky’s VPN statement. After that, it auto-selects the server closest to the device’s current location, but the user can also manually select from multiple other locations. The Smart Home Monitor notifies the user when a new device joins the Wi-Fi network.

App Lock & Audit

After granting the necessary permissions, the App Lock feature allows the user to select and lock sensitive apps with the same secret code/pattern/fingerprint used for the anti-theft functions. In our test, we were able to bypass the lock screen and access the protected app. After reporting the issue to Kaspersky, a fix was promptly released.

The My Apps component shows apps grouped by permissions, and provides details about apps, including their permissions, data usage and how much storage space they take. Furthermore, installed apps can be removed from within this feature.

Privacy Protection

Safe Messaging checks links received in text and instant messages and notifies the user about potential risks. Call Filter automatically declines incoming calls from blacklisted contacts. The Data Leak Checker checks specified email addresses for data breaches. The Weak Settings Scan monitors the system settings for any vulnerabilities.

Conclusion

Kaspersky Plus for Android comprises a great set of security and privacy features, which are thoroughly explained during setup. Features can be extensively customised. All the anti-theft commands worked flawlessly in our test.

Anti-Theft Details (commands sent via the web interface)

Commands
Lock & Locate: Locks the device, displays the location on Google Maps, and sends the location in an email.
Mugshot: Locks the device and takes several pictures using the front camera.
Alarm: Locks the device and rings an alarm.
Data Wipe: Triggers a factory reset and wipes external storage.

Additional Features
SIM Watch: Locks the device if the SIM card is removed or changed.
Uninstall Protection: Locks the device if device administrator rights are removed from the app.

Securion

OnAV
1.0.36


Introduction

Securion OnAV is a slim, free-to-use security product that provides malware protection only. Without any user registration, it assigns a unique ID to each device to prevent duplicate sign-ups. This review covers the English version of the app only, which differs from its original Korean counterpart.

Usage

First, the user must accept the EULA, Terms and Conditions, and the Privacy Policy. In order for its real-time protection to work properly, the app asks for permission to appear on top of other apps and to access all files on the device. On the main screen, a simple menu listing the main functions is shown.

Anti-Malware

The app only scans the internal storage for malicious apps and files. Detected malware can be deleted selectively or all in one go.

The information about previous scan results can be accessed from the Scan Log menu option in the main screen. The version of the detection engine can be viewed from the main menu and the real-time protection can be turned on and off in the app settings.

Conclusion

Securion OnAV is a free, user-friendly app that provides just malware protection capabilities. Detected malware is listed in the scan results, where it can be viewed and deleted directly.

Trend Micro

Mobile Security
15.5.0


Introduction

Trend Micro Mobile Security is a comprehensive, paid-for security product. Besides security features such as a malware scanner, anti-theft, web/Wi-Fi protection, and notification protection, it provides parental controls with app lock and age-based web filters, social-network privacy, payment protection, and an additional system tuning tool.

Usage

Upon the first app start, the user is prompted to accept Trend Micro’s License Agreement, Privacy, and Data Collection Notice. Next, the user must either activate a license or start a two-week trial. After a quick introduction of some security aspects, the user can grant the app all the necessary permissions or skip this step and grant them for each feature individually later. After that, an initial scan is started in the background. In addition to showing the scan results, the app recommends setting up various other features. All the app features are directly accessible from the main screen.

Anti-Malware

In the security scan settings, the user can set the protection level, which determines the threat level at which the user is notified, and toggle the real-time scan, the pre-installation scan, and the scan of the memory card. For the memory-card scan, you can additionally choose between scanning apps only or all files. Malware signature updates can be triggered manually or run on a schedule (daily, weekly, monthly).

Anti-Theft

Anti-theft commands are listed in the table below. The Lost Device Protection feature requires an unlock PIN/pattern to be set in advance and asks for device admin rights. It allows the user to issue remote commands such as Locate, Lock, or Wipe via the web interface mobilesecurity.trendmicro.com. The app shows a link to the help page which explains how to access the Lost Device Protection portal. An option to lock the phone whenever the SIM card is changed or removed is also included. The Uninstall Protection prevents the Trend Micro app from being removed without a password.

The Secret Snap feature can take a picture with the front camera after 3, 5 or 7 failed unlock attempts; the picture is saved in the app. In our test, however, no email was sent to the pre-defined email address. Trend Micro told us that they had a temporary issue in their backend which has now been fixed.

Web & Wi-Fi Protection

Web Guard blocks links to malicious websites for directly supported apps. For apps that are not directly supported, the additional VPN-based protection needs to be turned on. The protection level can be set to “low”, “normal”, or “high”, and the user can define black- and whitelists of websites. The Wi-Fi Checker scans for any security risks on the current Wi-Fi network.

Parental Controls

The parental controls feature is split into App Lock and Website Filter. With the first, selected apps can be protected with a PIN/pattern. The Website Filter can be set to three pre-defined levels (Child, Pre-teen, Teen), with each of them blocking websites belonging to categories deemed inappropriate for the specific age group. Moreover, custom filters as well as white- or blacklists of individual websites can be built. The website filter also works in combination with the VPN content filter of the Web Guard.

Privacy Protection

Fraud Buster scans incoming SMS/MMS messages and app notifications for phishing links and notifies the user of potential risks. The Social Network Privacy feature can be used to check the privacy settings of a connected Facebook or Twitter account. The Pay Guard Mobile feature monitors financial transactions made with selected apps.

Additional Features

The Memory Booster can free up memory by stopping background apps. The App Manager allows the user to view all installed apps, uninstall or disable several apps at once, and remove unneeded setup files. With Security Report, the app's activities can be viewed in charts.

Conclusion

Trend Micro Mobile Security for Android offers a comprehensive set of security and privacy features, protecting the user against various threats on the device and while browsing the Internet. There are also extensive options to limit access to websites. All anti-theft features worked properly.

Anti-Theft Details
Commands (triggered via the web interface):
Locate: Displays the location on OpenStreetMap.
Lock: Locks the device until either the Trend Micro password or a one-time unlock key from the web interface is entered.
Wipe: Triggers a factory reset and wipes external storage.
Additional Features:
SIM Card Lock: Locks the device if the SIM card is changed or removed.
Uninstall Protection: Locks the device if device administrator rights are removed from the app.
Secret Snap: Takes a picture with the front camera after a set number of failed unlock attempts.

Mac Security Test & Review 2023

Summary

Avast Security Free for Mac is a free antivirus program and well suited to non-expert users. Some of its key aspects are:

  • easy and straightforward installation and setup of core features
  • most common features displayed in a clean and well-laid-out GUI
  • different scan options and comprehensive settings, including scheduled scans
  • clear and persistent alerts
  • normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

To set up Avast Security on your Mac, you just download and run the installer file from the vendor’s website. The initial setup is straightforward as the program guides you through step by step and provides brief explanations. You can uninstall the program by clicking Avast Security > Uninstall Avast Security in the macOS menu bar or opening the Avast Security Uninstaller directly from the macOS Applications folder.

General Handling & Essential Features

Protection status, smart scan, scan options (Virus Scans), protection features (Core Shields), and quarantine are all found on the home page of the main program window. Settings (Preferences) can be opened from the program menu in the top right-hand corner or the macOS menu bar. Subscription information is not applicable, as the program is free. A manual update can be triggered by clicking Check for Updates from the system tray icon or Avast Security in the macOS menu bar. The online help is accessible from the Help menu in the program menu which opens the support page in the default browser.

Protection

From Virus Scans on the home page, you can start a smart scan, a deep scan of all drives and the system memory, an external storage scan of connected storage devices, or a targeted scan of specific files or folders. The latter can also be run from, e.g., the Finder context menu. Scheduled scans can be configured as well. The detection behaviour and settings of the different scan types can be changed from Preferences. The detection of PUA is enabled by default. The Email Guardian scans emails of the configured mail accounts and flags any that seem suspicious. In the free version, only mail apps installed on the Mac are supported (e.g., Apple Mail, Outlook).

Alerts

When we disabled Avast’s real-time protection (File Shield) or web protection (Web Shield) under Core Shields on the home page, an alert was shown in the main program window. To reactivate either protection feature, we had to manually go into Core Shields and turn it back on.

When malware was detected in our protection test, the program displayed the alert shown below. No user action was required, and the alert persisted until we closed it using the macOS close button in the top left-hand corner. We noted that multiple detections are combined into one single alert which you can browse through using the arrows in the top right-hand corner. Further details about the threat, such as the threat name, severity, file name/path, and process, are shown if the details section at the bottom of the alert is expanded.

Quarantine & Logs

The quarantine is directly accessible from the home page of the main program window and lists files that have been quarantined, along with the threat name, file name, file path, and date when this happened. It allows you to delete or (with an administrator account) restore any/all items.

Advanced Options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (under Core Shields)
  • Uninstall the program
  • Restore items from the quarantine

Advertising

The Smart Scan feature promotes Avast’s paid-for security suites, Premium and Ultimate. At the end of the scan, it will display 3 “advanced issues”, namely vulnerability to ransomware, network threats and fake websites. If you click on Resolve All here, a purchase prompt for Avast Premium Security will be displayed. After dismissing the prompt, a second prompt appears offering a 60-day trial for Avast Ultimate. Clicking the Go Premium button on pages of other program features or the Upgrade your protection button of a detection alert leads to the same behaviour.

Summary

AVG AntiVirus Free for Mac is a free antivirus program and well suited to non-expert users. Some of its key aspects are:

  • easy and straightforward installation and guided setup of core features
  • most common features displayed in a clean and well-laid-out GUI
  • different scan options and comprehensive settings, including scheduled scans
  • clear and persistent alerts
  • normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

To set up AVG AntiVirus on your Mac, you just download and run the installer file from the vendor’s website. The initial setup is straightforward as the program guides you through step by step and provides brief explanations. You can uninstall the program by clicking AVG AntiVirus > Uninstall AVG AntiVirus in the macOS menu bar or opening the AVG AntiVirus Uninstaller directly from the macOS Applications folder.

General Handling & Essential Features

Protection status, smart scan, scan options (Run Other Scans), and protection features (Computer, Web & Email) are all found on the home page of the main program window. The quarantine is accessible from the Computer tile on the home page. Settings (Preferences) can be opened from the program menu in the top right-hand corner or the macOS menu bar. Subscription information is not applicable, as the program is free. A manual update can be triggered by clicking Virus Definitions on the home page, or by clicking Check for Updates from the system tray icon or AVG AntiVirus in the macOS menu bar. The online help is accessible from the Help menu in the program menu which opens the support page in the default browser.

Protection

From Run Other Scans on the home page, you can start a smart scan, a deep scan of all drives and the system memory, an external storage scan of connected storage devices, or a targeted scan of specific files or folders. The latter can also be run from, e.g., the Finder context menu. Scheduled scans can be configured as well. The detection behaviour and settings of the different scan types can be changed from Preferences. The detection of PUA is enabled by default.

Alerts

When we disabled AVG's real-time protection (File Shield) under Computer, or the web protection (Web Shield) or email protection (Email Shield) under Web & Email on the home page, an alert was shown in the main program window. To reactivate any of these protection features, we had to manually go into the respective tile and turn it back on.

When malware was detected in our protection test, the program displayed the alert shown below. No user action was required, and the alert persisted until we closed it using the macOS close button in the top left-hand corner. We noted that multiple detections are combined into one single alert which you can browse through using the arrows in the top right-hand corner. Further details about the threat, such as the threat name, severity, file name/path, and process, are shown if the details section at the bottom of the alert is expanded.

Quarantine & Logs

The quarantine is quickly accessible from Computer on the home page of the main program window and lists files that have been quarantined, along with the threat name, file name, file path, and date when this happened. It allows you to delete or (with an administrator account) restore any/all items.

Advanced Options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (under Computer and Web & Email)
  • Uninstall the program
  • Restore items from the quarantine

Advertising

The Smart Scan feature promotes AVG’s paid-for security suite, Internet Security. At the end of the scan, it will display 3 “advanced issues”, namely vulnerability to ransomware, network threats and fake websites. If you click on Resolve All here, a purchase prompt for AVG Internet Security will be displayed. After dismissing the prompt, a second prompt appears offering a 60-day trial for it. Clicking the Go Premium button on pages of other program features or the Upgrade Your Protection button of a detection alert leads to the same behaviour.

Summary

Avira Prime for Mac is a paid-for antivirus program and an excellent choice for non-expert users. Some of its key aspects are:

  • simple and straightforward installation and guided setup of core features
  • all available features displayed in a well-organized and neat interface
  • different scan options and many settings, including scheduled scans and automatic USB scan
  • clear alerts
  • normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

To set up Avira Prime for Mac, you need to log in to your Avira account, download and run the installer. The initial setup is straightforward as the program guides you through step by step and provides brief explanations. When the program window opens for the first time, you are prompted to run a Smart Scan. The program can be uninstalled by deleting it from the macOS Applications folder. The program’s window has both dark and light modes, which co-ordinate with the dark- and light-mode settings of macOS.

General Handling & Essential Features

Protection status, smart scan, scan options (Virus Scans), protection features (Protection Options), quarantine, and subscription information (My Account) can all be accessed from the main program window. Settings can be accessed from the cogwheel icon in the top right-hand corner of the window or the macOS menu bar. A manual update can be triggered by clicking Check for updates on the main program window. The online help is found in the Help menu in the macOS menu bar which opens the support page in the default browser.

Protection

From Virus Scans, you can start a quick scan of the most vulnerable device areas, a full scan of the entire file system, or a custom scan of selected files or folders. The latter can also be run from, e.g., the Finder context menu. The Scheduler lets you define individual schedules for all the available scan options to run them regularly. The automatic scan of USB devices can be activated or deactivated from the Protection Options. From Settings, the detection behaviour and different scan settings can be changed.

Alerts

When we disabled Avira’s real-time protection or download protection under Protection Options, the alert below was shown in the main program window. The real-time protection can also be turned off via the system tray icon in the macOS menu bar. We were able to easily reactivate the protection by clicking Turn on.

When malware was detected in our protection test, the program displayed an alert in the form of a system notification shown below, including the file path where the threat was found and the action taken. No user action was required, and the alert closed automatically after a few seconds.

Quarantine & Logs

The Quarantine page of the program (screenshot below) shows you all the items that have been quarantined, along with the threat name, file name, file path, and date when this happened. There are options to delete and restore any of the detected files (you have to enter administrator credentials to take either action).

Advanced options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (under Protection Options or system tray icon)
  • Uninstall the program
  • Delete and restore items from quarantine

Summary

Bitdefender Antivirus for Mac is a paid-for antivirus program which both expert and non-expert users should find suitable for their needs. Some of its key aspects are:

  • simple and straightforward installation and guided setup of core features
  • all available features displayed in a very well-designed interface
  • different scan options, ransomware protection, data-limited VPN, browsing-protection add-ins
  • clear in-program alerts but none shown in case of a malware detection
  • normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

After downloading and running the installer from the vendor’s website, the setup wizard guides you through each installation and configuration step. When setup is complete, you need to create a Bitdefender account and sign in. An optional introductory tour then starts, after which the program window displays several recommendations, such as installing the browser extension for Safari/Chrome/Firefox (Traffic Light), configuring the ransomware protection feature (Safe Files), setting up Time Machine Protection, and running a system scan. The program can be uninstalled by opening the Bitdefender Uninstaller, which is found inside the Bitdefender folder of the macOS Applications folder. The program’s window has both dark and light modes, which co-ordinate with the dark- and light-mode settings of macOS.

General Handling & Essential Features

Protection status, scan options (quick and system scan), protection features, settings (Preferences), subscription information (My Account), and help are all directly accessible from the program’s Dashboard. The quarantine and list of scan exceptions can be found under Protection. A manual update can be triggered from the Actions menu in the macOS menu bar. The data-limited Bitdefender VPN as well as additional Anti-tracker browser extensions are available under Privacy. From Help, you can open a very comprehensive manual in PDF format or the support page in the default browser.

Protection

From Protection, you can start a quick scan of critical areas, a system scan of all files and directories, or a custom scan of specific files or folders. The latter can also be run from, e.g., the Finder context menu. Settings for the ransomware protection are available as well. The program's protection and detection behaviour can be changed from Preferences. If you install the Traffic Light browser extension, safety ratings (indicated by coloured symbols) are added to Google search results.

Alerts

When we disabled Bitdefender’s real-time protection via Preferences or the system tray icon in the macOS menu bar, the alert below was shown in the main program window. We were able to reactivate the protection easily by clicking Enable.

When malware was detected in our protection test, the program silently took action on the threat (e.g., immediately deleted it); the only visible sign was the system tray icon briefly changing upon detection. After manually opening the main program window, the detections appeared on the Notifications page. Apart from that, no clear detection alerts were shown.

When verifying the Notifications permission in the macOS system settings, we noticed that the notifications were allowed for Bitdefender Antivirus for Mac but the option was set to None by default. After changing it to Banners and re-running the protection test, the program displayed an alert in the form of a system notification shown below, including the threat name, file name, and action taken. No user action was required, and the alert closed automatically after a few seconds. However, the program did not give any hint during installation or usage about enabling notifications in the macOS system settings.

Quarantine & Logs

The Quarantine page of the program (screenshot below) lets you view all the items that have been quarantined, along with the threat name, file name, and date when this happened. There are options to delete and restore any of the detected files (you have to enter administrator credentials to take either action). Notifications is the log feature which displays events such as updates, component activation, and malware detections. These can be displayed all together, or filtered by importance (Critical, Warning, Information).

Advanced Options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (under Preferences)
  • Uninstall the program
  • Delete and restore items from quarantine

Summary

CrowdStrike Falcon Pro is a security package suitable for medium- to large-sized enterprise networks and provides a cloud-based console for managing the endpoint protection software. Some of its key aspects are:

  • investigative functions for analysing and remediating attacks
  • comprehensive search facilities
  • well-organized cloud-based console with easy access to details pages
  • encyclopaedia of known cybercriminal groups
  • clear alerts at endpoint

Management Console

The console is navigated from the menu in its top left-hand corner. This lists different sections, such as Endpoint security, Threat intelligence, Investigate, Dashboards and reports, and Host setup and management, which group the individual pages. We will describe the most relevant sections and pages below. You can easily bookmark any page (using the bookmark symbol next to the page title at the top of the page), and then go directly to that page using the Bookmarks section of the menu.

Endpoint security > Activity dashboard page

This is the page you see when you first log on to the console. It shows various status items in large panels (screenshot above). There is a list of most recent detections, with a graphical severity rating. You can also see a graph of detections by tactic (e.g., Machine learning, Defense Evasion) over the past month. Terms from the MITRE ATT&CK Framework are used to show attack stages here. The New detections, SHA-based detections, and Prevented malware by host panels redirect to the Endpoint detections details page with the respective filters applied.

Endpoint security > Endpoint detections page

Here you can search a list of threat detections using a wide range of criteria. These include severity, malware tactics, detection technique, date and time, affected host, and logged-on user. For each detection, you can see full details, including a process tree view (screenshot below), and assign a console user for remediation.

Endpoint security > Quarantined files page

This page lets you see files that have been quarantined by the endpoint protection client. For each item, you can see the date and time when it was quarantined, file name, device name, number of AV detections, logged-on user, and its status. Quarantined files can be released, deleted, or downloaded in a password-protected archive. Clicking the entry of a quarantined file opens a panel with additional information, such as the file path, file hashes, file size, file type, detection method, and severity. There is a search function and a variety of filters you can apply to find specific files within the quarantine repository.

Endpoint security > Prevention policies page

Here you can create and edit the prevention policies for the supported OS endpoints. You can define the capabilities of the endpoint protection client for different types of attack-, detection-, and protection-related behaviour. In the case of Mac policies, you can configure components such as Enhanced Visibility, Quarantine, Execution Blocking, Unauthorized Remote Access, and Credential Dumping. Some sensor components, such as Cloud Machine Learning and Sensor Machine Learning, have separate configurable sensitivity levels for detection and prevention, ranging from Disabled to Extra Aggressive. Custom Indicators of Attack (IOA) can be created and assigned too. Policies can be assigned to devices automatically by means of a naming system, whereby a policy hierarchy determines which one takes precedence. For example, any device with “Mac” in its name can be automatically put into a specific group of Mac computers, to which one or more policies are assigned.

Host setup and management > Host management page

This page lists all the registered devices/hosts along with the host status, operating system, policy assignments, containment status, sensor version, and first/last seen date. Clicking on an entry opens a panel with additional details, such as device manufacturer, MAC address, IP addresses, and serial number. As on other details pages, you can apply many different filters and search for specific hosts.

Threat intelligence > Actors page

This page provides details of known cybercriminal groups. You can see the nations and industries that each one has targeted, along with technical details of the attack methods used. CrowdStrike told us that this information is also available in Endpoint detections details when a detection is associated with a specific actor.

Investigate section

The Investigate section provides an extremely comprehensive search facility. It lets you search for specific aspects (e.g., hosts, hashes, users, IP addresses, domains, events), hunt for activities related to detections, files, or executables, view timelines of hosts, processes, and users, check reports about remote access, network logon, and geo location activities, and look for custom alerts and vulnerabilities (e.g., HiveNightmare, Log4Shell).

Endpoint Protection Client

Deployment

Installer files for the endpoint protection client (Sensor) can be downloaded from Host setup and management > Sensor downloads. Half a dozen older versions of the sensor are also available. Local installation requires the use of the macOS Terminal – instructions are provided in the documentation (Support and resources > Documentation).

General Handling

No graphical user interface is provided. Only users with a macOS Administrator account can interact with the sensor using its command-line interface (falconctl) via the macOS Terminal. For example, you can output sensor information and statistics (falconctl stats), load/unload the sensor (falconctl load / falconctl unload), and uninstall the sensor (falconctl uninstall). With the settings used for this test, detected files are not deleted but quarantined in situ.

Alerts

When malware was detected in our protection test, the sensor displayed an alert in the form of a system notification shown below, without further details about the threat. No user action was required, and the alert closed automatically after a few seconds.

Summary

Intego Mac Internet Security X9 is a paid-for antivirus program and a good choice for non-expert users. In addition to anti-malware features, it also includes a separate firewall application, called NetBarrier. In this review though, we have focused on the antivirus application, VirusBarrier. Some of its key aspects are:

  • simple and straightforward installation and setup of core features
  • all available features displayed in a clean GUI
  • different scan options, including scheduled scans and scans of mounted volumes
  • clear and persistent alerts
  • normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

To set up Mac Internet Security X9, you just need to download and run the installer from the vendor's website. The setup wizard is straightforward; however, you have to open the program manually after installation. After that, you will be prompted to activate the product and allow the program Full Disk Access in the macOS system settings. The program can be uninstalled by re-running the installer and double-clicking Uninstall, or by deleting the Intego folder from the macOS Applications folder. The program's window has both dark and light modes, which co-ordinate with the dark- and light-mode settings of macOS.

General Handling & Essential Features

Protection status, scan options (quick, full, scheduled scan), quarantine, list of scan exceptions (Trusted Files), and settings are all found on the Scan page of the main program window. A manual update can be triggered by clicking on the Malware Definitions link on the Scan page, or by selecting Check for Updates under the VirusBarrier menu or the system tray icon in the macOS menu bar. In all cases, the NetUpdate application opens, which displays the update status, the number of days remaining until the protection expires, and related settings. The subscription information can be viewed in the About box of the VirusBarrier menu. The online help is found in the Help menu in the macOS menu bar which opens the support page in the default browser. Additionally, a basic help displays an overlay that explains the principal features in the main program window.

Protection

From the Scan page of the main program window or the File menu in the macOS menu bar, you can start a quick scan, a full scan, or a custom scan of specific files or folders. The latter can also be run from, e.g., the Finder context menu. The automatic scan of volumes when they are mounted can be activated in Settings. On the Scan page, you can also configure scheduled scans (Schedule) as well as the program's protection and detection behaviour (VirusBarrier Preferences). The program checks if the safe browsing feature of supported browsers (Safari, Chrome, Firefox) is enabled and warns you in case it is turned off. VirusBarrier uses Intego's own detection engine to detect macOS malware but makes use of the Avira engine to detect Windows malware.

Alerts

When we disabled Intego’s real-time protection on the Scan page, the alert below was shown in the main program window. We were able to reactivate the protection easily by clicking Turn On.

When malware was detected in our protection test, the program showed the dialog below and an alert in the form of a system notification, both including the file name and the action taken. No user action was required. The dialog persisted until we closed it, while the notification closed automatically after a few seconds.

Quarantine & Logs

The Quarantine page of the program (screenshot below) shows you all the items that have been quarantined. There are options to delete, repair, or restore (trust) a single or all the quarantined files. If you click on an individual item, the path to its location will be shown in the status bar at the bottom.

Logs on the Scan page displays a list of all system events, including updates, scan and real-time detections, real-time protection status, and items added to or deleted from quarantine. The applicable date and time are shown for each item, along with a traffic-light colour code: malware finds are shown in red, quarantine actions in yellow, and enabling real-time protection in green.

Advanced Options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (under Scan page, Settings, or system tray icon)
  • Uninstall the program

Summary

Kaspersky Plus for Mac is a paid-for antivirus program and an excellent choice for non-expert users. Some of its key aspects are:

  • simple and straightforward installation and guided setup of core features
  • all available features displayed in a well-organized and neat interface
  • different scan options and many settings, including scheduled scans and automatic USB scan
  • clear alerts
  • normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

You can set up Kaspersky Plus for Mac by downloading and running the installer from the vendor’s website. The initial setup is straightforward, as the program guides you through it step by step and provides brief explanations. During setup, you can enable additional protection features, such as Wi-Fi network protection and browser extensions for Safari/Chrome/Firefox. When setup is complete, the main program window displays several recommendations, such as activating automatic macOS updates, signing in to your My Kaspersky account, and installing missing browser extensions, the Kaspersky VPN, or the Password Manager app. The program can be uninstalled by clicking Support > Uninstall in the Help menu of the macOS menu bar or by deleting it from the macOS Applications folder.

General Handling & Essential Features

Protection status, scan options (Scan), and subscription information (Profile) can all be accessed from the main program window. The macOS menu bar holds the settings, which cover all protection features and the list of scan exclusions (Trusted Zone), the quarantine (Detected Objects), and the help, which opens the support page in the default browser. A manual update can be triggered from Database Update in the main program window or by clicking Update Databases from the system tray icon.

Protection

From Scan, you can start a quick scan, full scan, or custom scan of selected files or folders. The latter can also be run from, for example, the Finder context menu. Scans can be scheduled from the cogwheel icon in the top right-hand corner and from the settings. In addition to modifying the program’s detection behaviour and the named scan options, the external disk scan can be configured from the settings. The detection of stalkerware is enabled by default.

Alerts

When we disabled Kaspersky’s real-time protection or any other protection feature under Settings > Protection, a notification appeared, and an alert similar to the one below was shown in the main program window. The real-time protection can also be turned off via the system tray icon. We were able to easily reactivate either protection feature by clicking Enable.

When malware was detected in our protection test, the program displayed an alert in the form of a system notification, shown below, including the file path where the threat was found and the action taken. No user action was required, and the alert closed automatically after a few seconds. Additionally, a link to the quarantine is shown on the home page of the main program window.

Quarantine & Logs

The Detected Objects page shows quarantined items, along with the threat name and file path. By clicking on the “…” symbol at the end of each line, you can delete or restore individual items. You can delete all quarantined items using the Delete All button. The Reports window shows processed objects (detections) as well as activities relating to updates, scans, and the different protection features.

Advanced Options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (under Settings or system tray icon)
  • Uninstall the program

Summary

Trellix Endpoint Security (HX) is a security package suitable for large enterprise networks (up to 100,000 endpoints per appliance) and provides a cloud-based console for managing the endpoint protection software. Some of its key aspects are:

  • investigative functions for analysing and remediating attacks
  • comprehensive search facilities
  • variety of console types (cloud-based, hardware/virtual appliance, Amazon-hosted)
  • well-organized cloud-based console with easy access to details pages
  • containment feature to isolate infected devices

Management Console

The console is navigated from the menu at the top of the page. This lists different sections and pages, such as Dashboard, Alerts, Hosts, Acquisitions, Rules, Enterprise Search, and Admin. We will describe the most relevant sections and pages below.

Dashboard

When you log in to the console, you will see an overview of key status items (screenshot above). These include the total number of hosts with alerts, with a breakdown by exploits and malware, recent file acquisitions, and contained/active/inactive hosts. Clicking on the Total hosts with alerts button opens the Hosts with Alerts page.

Hosts > Hosts with Alerts page

This page displays details of protected devices/hosts with alerts that have not yet been resolved. If you click on the plus sign for a host, you can view the list of its alerts, in chronological order and with a wealth of details. This includes detection type (e.g., signature detection), alert/detection times, scan type (e.g., on-access, on-demand), malware name/type, file status (e.g., quarantined), file metadata (e.g., path, MD5/SHA1 hash, size, last modified/accessed times), process path, username of logged-on user, and content version (signature). Each threat can be acknowledged (marked as “read”), or marked as false positive. You can also add comments for future investigation. From Quarantines, you can restore, delete, or acquire individual quarantined files for further analysis (see Acquisitions page shown below).

Alerts page

For a threat-centric rather than a device-centric view, you can go to the Alerts page. It shows a list of detected threats which you can sort or filter by name, file path, first/last event time, host name, or host IP address. Besides deleting alerts, options for Acknowledge, Mark False Positive, and Add Comment are provided here too. If you click on the threat name of a list item, the details view of the Hosts with Alerts page is opened.

Hosts > Host Management page

This page lists all the registered devices/hosts along with different attributes shown in filterable and sortable columns. The visibility of each column can be changed from a separate menu in the top right-hand corner. The attributes include, e.g., host name, online status, operating system information, username of logged-on user, containment status, installed agent version/signature, active protection/detection capabilities, and last seen date. Clicking on an entry reveals a panel with all the available device information.

Acquisitions page

This page lets you download files that have been acquired from hosts in order to analyse them. You can acquire files or various items of diagnostic data from an individual host on the Hosts with Alerts page.

Rules page

This page contains rules matching indicators of compromise (IOCs), exploit detections, or false positives, which help to identify specific threats or suspicious behaviours on an endpoint. This rule collection is primarily maintained by Trellix’s Dynamic Threat Intelligence (DTI) cloud, but you can also add your own enterprise-specific rules with individual conditions.

Enterprise Search page

On this page, you can extensively search the network for a wide variety of items. These include application name, browser version, host name, various executables, file names/hashes/paths, IP address, port, process name, registry key, service name/status/type/mode, timestamp, URL, username, and Windows Event Message.
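The Hosts with Alerts page lists a file’s MD5/SHA1 hashes and the logged-on user with each detection, the Rules page accepts enterprise-specific IOC rules, and Enterprise Search can look up file hashes across the network. The block below is an added example of how a defender can combine those three pieces offline: it triages a constructed set of alert records against a hash-based IOC list to decide which hosts are candidates for the console’s containment feature. This is not Trellix code and does not use the HX API; the record fields mirror those named on the page, the sample hashes are real digests of constructed byte strings, and the host names, paths, and malware names are made up.

```python
"""Offline triage of endpoint alert records against a hash IOC list.

Added example, not Trellix code or its API. Alert fields mirror the ones shown
on the Hosts with Alerts page; all sample data below is constructed.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    scan_type: str        # e.g. on-access, on-demand
    malware_name: str
    file_path: str
    md5: str
    sha1: str
    user: str             # username of the logged-on user
    acknowledged: bool = False


def _digests(data: bytes) -> tuple[str, str]:
    """MD5 and SHA1 of a constructed payload, so the hashes are genuine digests rather than invented IoCs."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


# Constructed payloads standing in for files the agent quarantined.
MD5_A, SHA1_A = _digests(b"constructed sample A")
MD5_B, SHA1_B = _digests(b"constructed sample B")
MD5_C, SHA1_C = _digests(b"constructed sample C")

# Constructed alert records (hypothetical hosts, paths and detection names).
ALERTS = [
    Alert("mac-lab-01", "on-access", "Trojan.Example.A", "/Users/alice/Downloads/invoice.dmg", MD5_A, SHA1_A, "alice"),
    Alert("mac-lab-02", "on-demand", "Adware.Example.B", "/Users/bob/Library/Caches/helper", MD5_B, SHA1_B, "bob"),
    Alert("mac-lab-02", "on-access", "Trojan.Example.C", "/tmp/update.pkg", MD5_C, SHA1_C, "bob", acknowledged=True),
    Alert("mac-lab-03", "on-access", "Trojan.Example.C", "/Volumes/USB/update.pkg", MD5_C, SHA1_C, "carol"),
]

# Enterprise-specific rule: SHA1 values treated as confirmed-bad (constructed, mixed case on purpose).
IOC_SHA1 = {SHA1_A.upper(), SHA1_C}


def match_iocs(alerts: list[Alert], ioc_sha1: set[str]) -> list[Alert]:
    """Unacknowledged alerts whose SHA1 matches an IOC; hashes compared case-insensitively."""
    wanted = {h.lower() for h in ioc_sha1}
    return [a for a in alerts if not a.acknowledged and a.sha1.lower() in wanted]


def hosts_to_contain(alerts: list[Alert], ioc_sha1: set[str]) -> list[str]:
    """Sorted host names with at least one open IOC hit: candidates for containment."""
    return sorted({a.host for a in match_iocs(alerts, ioc_sha1)})


def triage_summary(alerts: list[Alert], ioc_sha1: set[str]) -> dict[str, list[tuple[str, str]]]:
    """Per-host list of (file path, malware name) for open IOC hits."""
    summary: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for a in match_iocs(alerts, ioc_sha1):
        summary[a.host].append((a.file_path, a.malware_name))
    return dict(summary)


if __name__ == "__main__":
    for host, hits in triage_summary(ALERTS, IOC_SHA1).items():
        print(host)
        for path, name in hits:
            print(f"  {name}: {path}")
```

Acknowledged alerts are deliberately excluded so that a threat already marked as read (or as a false positive) in the console does not trigger a second containment decision; drop that condition if you want a full historical view.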

Admin section

On the Policies page, you can add custom endpoint protection policies and configure numerous different aspects of existing ones. Examples of configurable categories are malware protection (e.g., detection options, definition updates, exclusions, quarantine actions), malware scans (e.g., scheduled scan), whether to show alerts on the host, event logging (e.g., information level, age), polling frequency, removal and tamper protection, resource usage, and management server address. On the Host Sets page, groups of hosts can be defined according to a wide variety of criteria, or simply by dragging and dropping from the list of all hosts. Different protection policies can be applied to each host set.

Endpoint Protection Client

Deployment

Current and older versions of the endpoint protection client (Agent) for Windows, macOS, and Linux systems can be downloaded from the Admin > Agent Versions page. The installer file can be run manually, or via a systems management product such as Jamf. In the former case, you will need to remember to give the agent Full Disk Access in the macOS system settings, which is necessary for the product to work properly. After installation, the agent takes some minutes to download the protection engine before protection becomes active.

General Handling & Alerts

With the settings used in this test, no user or command-line interface is provided to interact with the program on the host. When malware was detected in our protection test, no detection alerts were shown on the host.

Summary

Trend Micro Antivirus for Mac is a paid-for antivirus program and well suited to non-experts. Some of its key aspects are:

  • simple and straightforward installation and guided setup of core features
  • all available features displayed in a well-thought-out user interface
  • different scan options including scheduled scans; ransomware protection, browsing-protection add-ins
  • clear and persistent alerts
  • normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

After downloading and running the installer from the vendor’s website, the setup wizard guides you through each installation and configuration step. Aside from choosing whether to enter a licence key or use the trial version, there are no decisions to make. When you first open the program, it prompts you to set up Camera and Microphone Protection and ransomware protection (Folder Shield). For the latter, you can easily customise the default list of folders to be protected. Additionally, the Safari extension Trend Micro Toolbar for Mac is installed and will be activated if you authorise this. The program can be uninstalled by using the uninstaller located inside the Trend Micro folder of the macOS Applications folder. The Trend Micro folder also contains a diagnostic toolkit used for troubleshooting and other problem-mitigating tasks (requires a macOS administrator account).

General Handling & Essential Features

Protection status, smart scan (Scan Now), scan options (Scans), protection features, and subscription information can all be accessed from the Overview page of the main program window. Quarantine can be found under Logs > List Quarantined Files. The settings, which provide access to the list of scan exclusions (Files Not Scanned) and to the quarantine, are located under Trend Micro Antivirus in the macOS menu bar or the system tray icon. A manual update can be triggered directly from the Overview page, the Protection menu in the macOS menu bar, or the system tray icon. The online help opens the support page in the default browser and is found in the Help menu in the macOS menu bar, the system tray icon, or by clicking the ? icon located on several pages of the main program window.

Protection

From Scans, you can start a smart scan of the most critical areas, a full scan of every file on the system, or a custom scan of selected files or folders. Scheduled scans as well as the detection behaviour and scan options can be configured on the Scans page of the settings. The web protection and anti-ransomware features can be modified from their respective subpages of the main program window. If you install the Trend Micro browser extension, safety ratings (indicated by coloured symbols) are added to Google, Bing, and Yahoo search results as well as to the web-based email services Gmail and Yahoo Mail. A Website Filter blocks access to selected websites based on rating scores, pre-defined filters (e.g., child, teenager, adult), or a user-defined blacklist.

Alerts

When we disabled Trend Micro’s real-time protection or web threat protection on the Overview page or from the Protection menu in the macOS menu bar, the alert below was shown in the main program window. The real-time protection can also be turned off via the system tray icon. We were able to easily reactivate either protection feature by clicking Fix Now.

When malware was detected in our protection test, the program displayed the alert shown below. No user action was required, and the alert persisted until we closed it. Clicking on View Results opens the logs/quarantine page and shows you what’s been detected.

Quarantine & Logs

The Logs page lists all the threats that have been detected, along with the threat name, file path, detection date, and action taken, under the log type Scan Results. Quarantine functionality, including options to delete, restore, or clean quarantined items (you have to enter administrator credentials to take any of these actions), is reached by clicking List Quarantined Files.

As noted in previous years, the quarantine and log data are displayed in panels within small windows that cannot be resized or maximised. It is necessary to resize the columns to see all the content, and then scroll to the left to see all the data for one entry. We found this very inconvenient. However, it is possible to export the log as a .CSV file.
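Since the log panels are hard to read in the program itself, the .CSV export is the practical way to review the Scan Results log. The block below is an added example, not Trend Micro code, that parses such an export and lists the detections whose recorded action is anything other than quarantine, i.e. the entries that still need follow-up. The column names (Date, Threat, File Path, Action) and the date format are assumptions chosen to match the fields named above; adjust them to the header of a real export. The sample CSV is constructed, including a file path that contains a comma to show that quoting is handled.

```python
"""Parse a scan-results log exported as CSV and flag detections needing follow-up.

Added example, not Trend Micro's code. Column names and date format are
assumptions for the constructed sample below.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from datetime import datetime

# Constructed export. Threat names and paths are made up; the quoted path
# contains a comma to exercise CSV quoting.
CSV_EXPORT = """Date,Threat,File Path,Action
2023-05-02 10:14:05,Test.Example.A,"/Users/alice/Downloads/report,final.zip",Quarantined
2023-05-02 10:20:41,Adware.Example.B,/Users/alice/Library/LaunchAgents/com.example.helper.plist,Quarantined
2023-05-03 08:02:17,Trojan.Example.C,/Volumes/USB/setup.pkg,Not Cleaned
"""

DATE_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed format of the Date column
HANDLED_ACTIONS = {"Quarantined", "Deleted", "Cleaned"}   # assumed action labels meaning "nothing left to do"


def parse_scan_results(text: str) -> list[dict]:
    """Read the export into dicts, converting Date to datetime and sorting newest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row = dict(row)                       # copy so the parsed value does not alias the reader's row
        row["Date"] = datetime.strptime(row["Date"], DATE_FORMAT)
        rows.append(row)
    rows.sort(key=lambda r: r["Date"], reverse=True)
    return rows


def needs_followup(rows: list[dict]) -> list[dict]:
    """Detections whose action did not neutralise the file (e.g. Not Cleaned)."""
    return [r for r in rows if r["Action"] not in HANDLED_ACTIONS]


def count_by_action(rows: list[dict]) -> dict[str, int]:
    """How many detections ended in each action, for a quick sanity check of the export."""
    return dict(Counter(r["Action"] for r in rows))


if __name__ == "__main__":
    results = parse_scan_results(CSV_EXPORT)
    print(count_by_action(results))
    for r in needs_followup(results):
        print(f"{r['Date']:%Y-%m-%d %H:%M}  {r['Threat']}  {r['File Path']}  ({r['Action']})")
```

Sorting newest first mirrors what you would want in a periodic review; the follow-up list is where an administrator would then use the quarantine page (which requires administrator credentials) to clean or delete the remaining items.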

Advanced Options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (under Overview)
  • Uninstall the program
  • Delete and restore items from quarantine

Advertising

The program advertises Trend Micro’s freemium Cleaner One Pro program. Running a Smart Scan will find “junk files” and prompt the user to get Cleaner One Pro to remove these. Additional freemium software is promoted on the pages Privacy Tools and Utility Tools of the main program window.

Anti-Phishing Certification Test 2023

Every year we publish the results of our phishing protection test. These tests evaluate the protection provided against phishing websites. These deceptive websites can pose a real threat to Internet users, as they attempt to steal sensitive information such as usernames, passwords, and credit card details.