Mac Security Test & Review 2022

Advantages

  • Has backup, disaster recovery, vulnerability assessment, and secure file-synch
  • Well suited to smaller businesses
  • Console is easy to navigate
  • Pages of the console can be customised
  • Geographically aware threat-feed feature

About the product

Acronis Cyber Protect Cloud with the Advanced Security pack is a security package for business networks. It provides a cloud-based console for managing the endpoint protection software. Details of the management console described here are applicable to all supported operating systems. In addition to malware protection, the product contains a variety of other cloud-based services, including backup, disaster recovery, and secure file-synchronisation. This review considers only the malware protection features, however. The product can manage networks with thousands of seats. We feel it would also be suitable for small businesses without dedicated IT support staff.

Management Console

The console is navigated from a single menu panel on the left-hand side. There are entries for Monitoring, Devices, Management, Protection, Software Management, Backup Storage, Reports, and Settings. The numbers shown to the right of each menu item represent items such as threats and alerts that the administrator should look at.

Monitoring\Overview page

This is the page you see when you first log on to the console. It’s shown in the screenshot above. It provides a graphical overview of the security and backup status of the network, using coloured doughnut and bar charts. There are panels for Protection status, Active alerts summary, Activities, Patch installation status, Missing updates by categories, and Disk health status. The Cyber protection panel across the top displays the items Backed up today, Malware blocked, Malicious URLs blocked, Existing vulnerabilities, and Patches ready to install. Details of recent alerts and other items are displayed in further panels at the bottom. You can customise the page by changing data settings for each panel, or adding/removing panels.

Monitoring\Alerts page

Here you can see alerts relating to malware detection, blocked URLs, and also the backup functions. These can be shown as a list, or as big tiles with details (as shown above). Information for malware detections includes the device, protection policy (Plan), file name and path, file hashes, threat name and action taken (e.g. quarantined). Clicking Clear removes the item from the Alerts page, but not the system logs.

Monitoring\Threat feed page

The Threat feed page displays warnings of current attacks and vulnerabilities to watch out for. Acronis tell us that this list is tailored to your geographic location, so that it only displays warnings that are relevant to you. The page may even warn you of natural disasters, where applicable. Clicking on the arrow symbol at the end of a threat entry opens a list of recommended actions to counteract that particular threat. These might be to run a malware scan, patch a program, or make a backup of your PCs or data.

Devices\All devices page

The Devices\All devices page lists the computers on the network. Sub-pages allow you to filter the view, e.g. by managed and unmanaged machines. You can see device type (virtual machine or hardware) and name, user account, and security status, amongst other things. The columns shown can be customised, so you can remove any you don’t need, and add e.g. IP address and operating system. Devices can be displayed as a list (as in the screenshot above), or large tiles with additional details. Selecting a device in the list opens up a menu panel on the right, from which you can see the applied protection policy, apply patches, see machine details/logs/alerts, change group membership, or delete the device from the console.

Management\Protection plans page

Under Management\Protection plans, you can see, create and edit the policies that control the anti-malware features of the platform. Again, if you click on an icon, an uncluttered menu pane slides out from the right with the appropriate details and controls. Amongst the functions that can be configured are real-time protection, network folder protection, action to be taken on malware discovery, exploit prevention, crypto-mining process detection, scheduled scanning, and exclusions. On other tabs of the menu pane, you can also configure other items such as URL filtering, vulnerability assessments and patch management.

Protection\Quarantine page

Under Protection, the Quarantine page lists the names of malicious files that have been detected, along with the date quarantined and device name. You can add columns for the threat name and applicable protection plan, using the page settings. A mini menu at the end of each entry lets you whitelist, restore or delete the selected items.

Protection\Whitelist page

The Whitelist page displays any applications that have been found during backup scanning and categorised as safe. A backup scanning plan has to be created in order to enable automatic whitelist generation.

Software Management pages

The Vulnerabilities page under Software Management is populated if a vulnerability assessment has been created in a protection plan and run at least once.

Reports page

The Reports page lists a number of topics for which reports can be generated, including Alerts, Detected threats, Discovered machines, Existing vulnerabilities and Patch management summary. Clicking on a report name opens up a details page for that item. The Alerts report page, for example, contains panels showing 5 latest alerts, Active alerts summary, Historical alerts summary, Active alerts details, and Alerts history. Coloured alert icons and doughnut charts serve to subtly highlight the most important items. As with other pages of the console, the Reports page can be customised.

Settings pages

Under Settings\Protection, you can set the schedule for protection definitions updates, and enable the Remote Connection function. The Agents page allows you to see the version of the endpoint agent installed on each client, and update this if necessary. If any devices are running outdated agents, an alert will be shown in the Settings\Agents entry in the menu panel of the console. This makes clear that you need to take action.

macOS Endpoint Protection Client

Deployment

Installation files in .DMG format can be downloaded by going to the Devices page and clicking the Add button. After performing a local installation on a Mac client, you have to click Register the machine in the client window. You then need to log on to the management console from the Mac client, find the device’s entry, and apply a protection plan.

User interface

The user interface on protected endpoints consists of a System Tray icon, which opens a small information panel when clicked. Here you can see the status of the real-time malware protection, and details of any scheduled backups. Settings for backup encryption and proxy server can also be changed here. Users can scan a drive, folder or file for malware by right-clicking it in macOS Finder.

Malware detection scenario

When we connected a flash drive containing malware samples to our test PC, and opened the drive in macOS Finder, Acronis did not immediately take any action. However, as soon as we tried to copy malware from the external drive to the Mac Desktop, Acronis blocked the copy process, and detected and quarantined the malicious files on the flash drive. No alert was shown.

Summary

Avast Security Free for Mac is a free antivirus program. The program is very simple to install, and most common features are easy to find in the clean, well-laid-out GUI. Avast Security has highly effective on-access protection, which instantly detects and deletes malicious files when they are copied or downloaded. Alerts are clear and persistent, giving you time to read them. Standard user accounts cannot take any risky actions. The program is well suited to non-expert users due to its ease of use.

Installation

To set up Avast Security on your Mac, you just download and run the installer file, then double-click Install Avast Security. You can uninstall the program by clicking Avast Security in the macOS menu bar, then Uninstall Avast Security.

Finding essential features

Status, default scan, scan options, and quarantine are all found on the home page of the main program window. Settings (Preferences) can be opened from the menu in the top right-hand corner, or the macOS menu bar. Subscription information is not applicable, as the program is free. Updates can be run by clicking Preferences, General (as is standard for modern security programs, Avast Security for Mac runs automatic updates as well). You can scan a drive, folder or file from the Finder context menu, by clicking Scan with Avast. The help file is accessible from the Help menu in the Mac menu bar.

Alerts

When we disabled Avast’s real-time protection, the alert below was shown in the main program window. We were able to reactivate the protection by clicking Turn ON, and then setting all the slider buttons on the Core Shields page to ON.

When malware was detected in our functionality check, Avast displayed the alert shown below. No user action was required. The alert persisted until we closed it. We noted that it’s possible to browse through the alerts using the arrows in the top right-hand corner. They can be closed individually by clicking Got it, or all at once using the macOS close button in the top left-hand corner.

Malware detection scenarios

We found Avast Security for Mac to have highly sensitive and reliable on-access detection of malware. Malicious files that we downloaded or copied to the system were instantly detected and quarantined in all cases. When we tried to copy malware from a network share or external drive to the system, Avast not only prevented the files from being copied, but deleted the source malware on the network share or external drive as well.

By default, Avast does not automatically scan USB drives when they are connected, but this can be enabled in the program options. When we scanned a flash drive containing malware samples, Avast presented a list of the threats found; we just had to click Resolve Selected to quarantine them. We had to enter the macOS administrator password in order to allow the quarantine process to complete.

Quarantine and Logs

Virus Chest displays files that have been quarantined, and allows you to delete or (with an administrator account) restore any/all items.

System Tray menu

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (under Preferences\Shields)
  • Uninstall the program (using the Uninstall button in the installer file)
  • Restore items from quarantine

Standard macOS users (i.e. accounts without administrator rights) cannot perform any of these tasks, which we regard as optimal.

Help

A web page with basic FAQs and clear, simple text answers is provided. You can open it from the Help menu in the Mac menu bar.

Advertising

The Smart Scan feature promotes Avast’s paid security suite, Premium Security. At the end of the scan, it will display 3 “advanced issues”, namely vulnerability to ransomware, network threats and fake websites. If you click on Resolve All here, a purchase prompt for Avast Premium Security will be displayed. We also saw a pop-up alert with the same function.

Summary

AVG AntiVirus FREE for Mac is, as its name suggests, a free antivirus program. The program is very simple to install, and most common features are easy to find in the clean, well-laid-out GUI. AVG AntiVirus has highly effective on-access protection, which instantly detects and deletes malicious files when they are copied or downloaded. Alerts are clear and persistent, giving you time to read them. Standard user accounts cannot take any risky actions. The program is well suited to non-expert users due to its ease of use.

Installation

To set up AVG AntiVirus on your Mac, you just download and run the installer file, then double-click AVG AntiVirus. You can uninstall the program by clicking AVG AntiVirus in the macOS menu bar, then Uninstall AVG AntiVirus.

Finding essential features

Status, default scan, scan options and updates are all found on the home page of the main program window. Settings (Preferences) can be opened from the menu in the top right-hand corner of the program window, or the macOS menu bar. Quarantine is found by clicking the Computer tile on the home page. Subscription information is not applicable, as the program is free. You can scan a drive, folder or file from the Finder context menu, by clicking Scan with AVG. The help page is accessible from the Help menu in the Mac menu bar.

Alerts

When we disabled AVG’s real-time protection, the alert below was shown in the main program window. We were able to reactivate the protection by clicking Computer, and then setting the slider button for File Shield to the “on” position.

When malware was detected in our functionality check, AVG displayed the alert shown below. No user action was required. The alert persisted until we closed it. We note that it’s possible to browse through multiple alerts using the arrows in the top right-hand corner. They can be closed individually by clicking Got it, or all at once using the macOS close button top right.

Malware detection scenarios

We found AVG AntiVirus FREE for Mac to have highly sensitive and reliable on-access detection of malware. Malicious files that we downloaded or copied to the system were instantly detected and quarantined in all cases. When we tried to copy malware from an external drive to the system, AVG not only prevented the files from being copied, but deleted the source malware on the external drive as well.

By default, AVG does not automatically scan USB drives when they are connected. However, you can activate a setting in the program’s preferences that will prompt you to scan external drives upon connection to your Mac.

When we scanned a flash drive containing malware samples, AVG presented a list of the threats found; we just had to click Resolve Selected to quarantine them.

Quarantine and Logs

The Quarantine page displays files that have been quarantined, and allows you to delete or (with an administrator account) restore any/all items.

System Tray menu

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (under Computer\File Shield)
  • Uninstall the program
  • Restore items from quarantine

Standard macOS users (i.e. accounts without administrator rights) cannot perform any of these tasks, which we regard as optimal.

Help

A help page with basic FAQs and clear, simple text answers is provided. You can open it from the Help menu in the macOS menu bar.

Advertising

The Smart Scan feature promotes AVG’s paid-for Mac security suite, Internet Security. At the end of the scan, it will display 3 “advanced issues”, namely vulnerability to ransomware, network threats and fake websites. If you click on Resolve All here, a purchase prompt for AVG Internet Security will be displayed.

Summary

Avira Antivirus Pro for Mac is a straightforward, paid-for antivirus program with a data-limited VPN feature. It is very simple to install, and all the available features are easy to find in the neat interface. In our functionality check, we found it to have very sensitive and reliable on-access protection against malware. Detection alerts do not require any user action, and standard user accounts cannot take any risky actions. The simplicity of the program makes it an excellent choice for non-expert users.

Installation

To set up Avira Antivirus Pro for Mac, you need to log in to your Avira account. You then download and run the installer, double-click the Avira icon, then click Accept and install. There are no options or decisions to make. When the program window first opens, you are prompted to run a Smart Scan. The program can be uninstalled by deleting it from the macOS Applications folder.

Finding essential features

Status, updates, default scan, scheduled scan, scan options, quarantine and subscription information can all be accessed from the main program window (screenshot above). You can also scan a drive, folder or file from the Finder context menu. The help feature is found in the Help menu in the Mac menu bar. Protection Options in the left-hand menu panel lets you activate or deactivate real-time protection and automatic scans of USB devices. Other settings (Preferences) can be accessed from the cogwheel icon in the top right-hand corner of the window.

Alerts

When we disabled Avira’s real-time protection, the alert below was shown in the main program window. We were able to easily reactivate the protection by clicking Turn on.

When malware was detected in our functionality check, Avira displayed a pop-up alert (shown below). No user action was required. The alert closed automatically after 5 seconds.

Malware detection scenarios

In our functionality check, we found Avira Antivirus Pro to have very sensitive and reliable on-access detection of malware. Malicious files that we downloaded or copied to the system were instantly detected and quarantined in all cases. When we tried to copy malware from an external drive to the system, Avira not only prevented the copy process, but also deleted the source malware on the external drive.

When we connected a USB flash drive to our Mac, Avira briefly displayed a prompt to scan it. We did this, and Avira automatically quarantined the malicious files without the need for any user action. A summary of the malware found, and action taken, was displayed in the main program window. We note that the scan prompt closed after 5 seconds, so you have to be quick to make use of it.

Quarantine and Logs

The Quarantine page of the program (screenshot below) shows you all the items that have been quarantined, along with the date when this happened. There are options to delete and restore any of the detected files (you have to enter administrator credentials to take either action).

System Tray menu

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (Protection Options page or System Tray menu)
  • Restore items from quarantine
  • Uninstall the program

Standard macOS users (i.e. accounts without administrator rights) cannot do any of these, which we regard as ideal.

Help

Avira Help (in the Help menu in the macOS menu bar) opens the product’s support page in a browser. This consists of simple text instructions for everyday tasks, some illustrated with screenshots. There is also a video to explain installation of the product.

Advertising

Antivirus Pro advertises Avira’s Prime service, via the Get Prime button in the menu panel.

Other points of interest

The program’s main window has both dark and light modes, which co-ordinate with the dark- and light-mode settings of macOS.

Summary

Bitdefender Antivirus for Mac is a paid antivirus program with ransomware protection, a data-limited VPN feature, and a browsing-protection add-in for Safari/Chrome/Firefox. We found it very straightforward to install and use. The user manual is easy to find, comprehensive, and very well produced. Effective real-time protection immediately detects and cleans malware on first contact. Overall, the product gets every important detail right, providing solid protection features in a very well-designed interface. Both expert and non-expert users should find it suitable for their needs.

Installation

After downloading and starting the installer file, you just need to double-click the setup package icon to start the setup wizard. You do not need to make any decisions, though you can change the interface language. When setup is complete, you need to create a Bitdefender account and sign in. An optional introductory tutorial then starts, after which the program window displays a recommendation to install the Traffic Light extension for Safari. After that, the Bitdefender window recommends configuring Safe Files, the product’s ransomware protection feature. Next, Bitdefender suggests setting up Apple’s Time Machine backup feature, and finally running a system scan. You can uninstall the program using its own uninstaller. This is found in the Bitdefender folder in the Finder Applications window.

Finding essential features

Status, quick and full scans, subscription information, settings and help are all directly accessible from the program’s Dashboard (home page). You can find custom scan, quarantine and scan exceptions under Protection. Update is in the Actions menu in the Mac menu bar. There is no scheduled scan function, but you can scan a drive, folder or file using the Finder context menu. Logs are shown under Notifications.

Alerts

When we disabled Bitdefender’s real-time protection, the alert below was shown in the main program window. We were able to reactivate the protection easily by clicking Enable.

When malware was detected in our functionality check, Bitdefender displayed the alert below. No user action was required, and the alert closed after 5 seconds.

Malware detection scenarios

In our functionality check, we found Bitdefender to have very sensitive and reliable on-access detection of malware. Malicious files that we downloaded or copied to the system were instantly detected and quarantined in all cases. When we connected a USB flash drive containing malware samples to our Mac, Bitdefender automatically scanned the drive and deleted the malware without any user action being required.

Quarantine and Logs

The Quarantine window lets you view and delete quarantined files. If you are using a macOS admin account, you can also restore files from here.

The right-hand pane of the quarantine window shows you the threat name. Notifications is the log feature. It displays events such as updates, component activation, and malware detections. These can be displayed all together, or filtered by importance (Critical, Warning, Information).

System Tray menu

Help

Antivirus for Mac Help in the macOS menu bar opens a very comprehensive manual in .PDF format. This covers all aspects of using the program, and includes a glossary of malware types. It is fully indexed, and very well illustrated with screenshots.

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (under Preferences)
  • Restore items from quarantine
  • Uninstall the program

Standard macOS users (i.e. accounts without administrator rights) cannot perform any of these tasks, which we regard as ideal.

Other points of interest

If you install the Traffic Light add-in for Safari, safety ratings are added to Google searches. For example, green tick (checkmark) symbols are used to indicate safe sites. There are similar add-ins for Firefox and Chrome.

About the product

CrowdStrike Falcon Pro is a security package for business networks. It provides a cloud-based console for managing the endpoint protection software. Details of the management console described here are applicable to all supported operating systems. As well as malware protection, the product includes investigative functions for analysing and remediating attacks. It can manage networks with thousands of devices. We note that CrowdStrike Falcon Pro is available as a fully managed service for organisations that desire a more hands-off solution to endpoint protection. CrowdStrike tell us that they have datacentres in the USA and EU, in order to comply with the respective data protection regulations.

Advantages

  • Investigative functions
  • Comprehensive search facilities
  • Clickable interface provides easy access to details pages
  • Encyclopaedia of known cybercriminal groups
  • Suitable for medium- to large-sized enterprises

Management Console

The console is navigated from the Falcon menu in the top left-hand corner of the console. This lists individual pages under headings such as Activity, Investigate, Hosts, Configuration, Dashboards and Users. You can easily bookmark any page of the console (using the bookmark symbol in the top left-hand corner of the page), and then go directly to that page using the Bookmarks section of the menu.

Activity\Dashboard page

This is the page you see when you first log on to the console (screenshot above). It shows various status items in large panels. There is a list of most recent detections, with a graphical severity rating. You can also see a graph of detections by tactic (e.g. Machine learning, Defense Evasion) over the past month. Terms from the MITRE ATT&CK Framework are used to show attack stages here. Some of the panels are linked to details pages. Thus, you can click on the New detections panel to open up the Detections details page.

Activity\Detections page

Here you can search a list of threat detections using a wide range of criteria. These include severity, malware tactics, detection technique, date and time, affected device, and logged-on user. For each detection, you can see full details, including a process tree view (screenshot below). You can assign a console user for remediation.

Activity\Quarantined Files page

As you would expect, this page lets you see files that have been quarantined by the system. You can see the filename, device name, number of detections counted on the network, user involved, status, and of course date and time of detection. Quarantined files can be released or deleted. Clicking the entry of a quarantined file opens a details panel with additional information. This includes file path for the location where it was detected, file hashes, file size, file version number, detection method and severity. There is a search function and a variety of filters you can use to find specific files within the quarantine repository.

Configuration\Prevention Policies page

Here you can create and edit the protection policies for endpoints. You can define behaviour for a number of different types of attack-related behaviour, such as ransomware, exploitation, and lateral movement. Some sensor components, such as Cloud Machine Learning and Sensor Machine Learning, have separate configurable levels for detection and prevention. 5 different levels of sensitivity can be set, ranging from Disabled to Extra Aggressive. Custom Indicators of Attack (IOA) can also be created and assigned here, and there’s an option to perform automated remediation of IOA detections.

Policies can be assigned to devices automatically by means of a naming system. For example, any device with “Win” in its name can be automatically put into a specific group of Windows computers, to which a particular policy is assigned. Devices/groups can be assigned more than one policy, whereby a policy hierarchy determines which one takes precedence.

Hosts\Host Management page

The Hosts\Host Management page lists all the installed devices. You can immediately see which ones are online. Additional information includes operating system, policy, security status and sensor version. Clicking on a device’s entry opens up a details panel for that device. Here you can find additional information, such as device manufacturer, MAC address, IP addresses and serial number.

Intelligence\Actors page

This page provides details of known cybercriminal groups. You can see the nations and industries that each one has targeted, along with technical details of the attack methods used. CrowdStrike tell us that this information is also available in Detection details when a detection is associated with a specific actor.

Investigate\Host Search page

The Investigate menu provides an extremely comprehensive search facility. It lets you search for devices, hashes, users, IP addresses, domains and events. On the Host Search page, you can look for specific devices. A separate menu bar allows you to look for specific aspects, such as Activity (including detections), Vulnerabilities and Custom Alerts.

macOS Endpoint Protection Client

Deployment

Installer files for the sensor (endpoint protection client) can be downloaded in .pkg format from the Hosts\Sensor Downloads page. Half a dozen older versions of the sensor are available if you want. Local installation requires the use of the macOS Terminal; instructions are provided in the documentation.

User interface on macOS client

With the settings used for this test, no graphical user interface is provided, so users cannot interact with the program at all. Administrators can use a command-line interface (falconctl) via the macOS Terminal. Detected files are not deleted, but quarantined in situ.

Malware detection scenarios

In our functionality check, we found CrowdStrike Falcon Pro for macOS to have sensitive and reliable on-access detection of malware. Malware that we downloaded or copied to the system was instantly detected and quarantined in all cases.

Summary

Intego Mac Internet Security X9 is a paid-for security suite. In addition to anti-malware features, it also includes a firewall. This is a separate application within the bundle, called NetBarrier. In this review, we have focused on the antivirus application, VirusBarrier.

The program’s interface makes the most important functions easy to find and use. We found Mac Internet Security X9 to have sensitive on-access protection against malware. Standard user accounts cannot take any risky actions. Overall, the program is straightforward in use.

Installation

To set up Mac Internet Security X9, you just need to download and run the installer, then select Double Click to Install. The first page of the installer includes convenient links to the Getting Started user guide, and the uninstaller. The setup wizard is very straightforward, though you have to restart your Mac at the end of it. When you first open the program after the restart, you will be prompted to allow the program Full Disk Access in the macOS settings. The program can be uninstalled by re-running the installer file and double-clicking Uninstall.

Finding essential features

Status, quick/full/scheduled scans, settings (Preferences), logs and quarantine are all found on the program’s home page. You can scan a file, folder or drive using Finder’s right-click menu. The update, custom scan and help features are found in the Mac menu bar. The About box (VirusBarrier menu) shows the licence key and registered email address, but does not state when the licence expires.

Alerts

When we disabled Intego’s real-time protection, the alert below was shown in the main program window. We were able to reactivate the protection easily by clicking Turn On.

When malware was detected in our functionality check, Intego displayed the alert shown below. No user action was required. The alert persisted until we closed it.

Malware detection scenarios

In our functionality check, we found Intego to have sensitive on-access detection of malware. Malicious files that we downloaded or copied to the system were immediately detected and quarantined in situ. When we connected a USB flash drive containing malicious files to our Mac, Intego prompted us to scan it. We did this, and Intego automatically quarantined the malware. An alert like the one above was shown.

Quarantine and Logs

The quarantine feature is shown above. There are options to delete, repair or restore the quarantined files. If you click on an individual quarantined item, the path to its location will be shown in the status bar at the bottom.

Logs displays a list of all system events, including updates, scans and real-time detections, enabling/disabling real-time protection, and items added to or deleted from quarantine. The applicable date and time are shown, along with a traffic-light colour-coding system for each item. Malware finds are thus shown as red, quarantine actions as yellow, and enabling real-time protection as green.

Help

There are 2 help items in the Mac menu bar. Show Basic Help displays an overlay that explains the principal features in the main program window. VirusBarrier Help opens a comprehensive online manual that covers installation, configuration and use of the program. It is generously illustrated with screenshots.

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features
  • Restore items from quarantine
  • Uninstall the program

Standard macOS users (i.e. accounts without administrator rights) cannot perform any of the above tasks, which we regard as ideal.

Other points of interest

Whilst running our functionality check, we saw a notification from Intego that the contents of an attached USB flash drive had changed, along with a prompt to rescan the device.

VirusBarrier uses Intego’s own detection engine to detect macOS malware, but makes use of the Avira engine to detect Windows malware.

Summary

Kaspersky Internet Security for Mac is a paid-for security suite with browser add-ons, parental controls and a data-limited VPN. We found it very straightforward to use, with all the features easily accessible from the main program window or macOS menu bar. Effective on-access detection quarantines any malware downloaded or copied to the system. Users without administrator rights cannot disable the protection or uninstall the program. Overall, the product is well designed and reliable in operation.

Installation

Having downloaded and run the installer, you need to double-click Install Kaspersky Internet Security\Download and Install. The only technical options are whether to install network protection, encrypted web traffic inspection, and browser extension(s). The latter are provided for Safari, Google Chrome and Mozilla Firefox, and can be selected independently of each other. The program can be uninstalled by clicking Support\Uninstall in the Help menu of the macOS menu bar.

Finding essential features

Update, status, scan options (including scheduled scan) and subscription information can all be accessed directly from the program’s home page. Settings (Preferences), logs (Reports), quarantine (Detected Objects) and help are all in the macOS menu bar. Additionally, a link to quarantine is shown on the home page when quarantined items are present.

Alerts

When we disabled Kaspersky’s real-time protection, the alert below was shown in the main program window. We were able to reactivate the protection easily by clicking Enable.

Malware alerts

In our functionality check, Kaspersky detected malware silently, i.e. without any visual or audio alerts being shown.

Malware detection scenarios

In our functionality check, we found Kaspersky Internet Security for Mac to have reliable on-access detection of malware. Malicious files that we downloaded or copied to the system were detected and quarantined in all scenarios. When we tried to copy malware from a USB drive or network share, Kaspersky deleted not only the copied files on the Mac Desktop, but also the source malware on the USB drive or share. We noted a short delay, typically between 10 and 20 seconds, between the copy/download process completing and the files being detected by Kaspersky.

When we connected a USB flash drive containing malware samples to our Mac, Kaspersky prompted us to scan it. We did this, and Kaspersky automatically deleted the malicious files on it, with no user action required. However, no alert was shown. We note that the scan prompt closed after 5 seconds, so a user would have to be quick to make use of it.

Quarantine and Logs

The Detected Objects page shows quarantined items. By clicking on the “…” symbol at the end of each line, you can delete or restore individual items. You can delete all quarantined items using the Delete All button. The Reports page shows the location of detected objects, action taken, threat type, threat name, and date/time of detection.

Help

Kaspersky Internet Security Help is found in the Help menu in the macOS menu bar. It opens the product’s support page on the Kaspersky website, which contains simple, clear feature descriptions and text instructions for using the program.

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features
  • Restore items from quarantine
  • Uninstall the program

Standard macOS users (i.e. accounts without administrator rights) cannot disable protection or uninstall the program, which we regard as ideal. Non-admin users can restore items from quarantine, although restored malware files are immediately re-detected and re-quarantined by default.

Other points of interest

Kaspersky Internet Security for Mac uses graphics in the program window that could be described as “intelligent”. The program detects whether it is installed on a Mac laptop or desktop system, and accordingly shows either a desktop or a laptop graphic. The Update and Scan icons animate when in use.

In our functionality check, we found that Kaspersky Internet Security for Mac did not display any alerts when malware was detected, even though notifications were enabled in both the application itself and the macOS settings for it. This did not affect detection/protection, however.

About the product

Trellix Endpoint Security (HX) is a security package for business networks. It provides a cloud-based console for managing the endpoint protection software. Details of the management console described here are applicable to all supported operating systems. A variety of console types is available. These include cloud-based, hardware appliance, virtual appliance, and Amazon-hosted. We describe the cloud-based console in this review. As well as malware protection, the product includes investigative functions for analysing and remediating attacks. The product is designed to handle very large organizations, with support for up to 100,000 endpoints per appliance.

Advantages

  • Attack investigation features
  • Variety of console types available
  • Suitable for medium- to large-sized enterprises
  • Comprehensive search feature
  • Containment feature lets you isolate infected devices

Management console

Dashboard

When you open the console, you will see an overview of key status items (screenshot above). These include the total number of hosts with alerts, with a breakdown by exploits and malware. Clicking on the Total hosts with alerts button opens the Hosts with Alerts page, shown below.

Hosts with alerts

As the name suggests, this page displays details of protected devices with alerts that have not yet been dealt with. If you click on the plus sign for a device, you can see a list of alerts for that device, in chronological order. With malware alerts, a wealth of detail is provided for each one. This includes status (e.g. quarantined), file path, MD5 and SHA1 hashes (but not SHA256), file size, last modified and last accessed times, process path, username of logged-on user, detection name, threat type, and times of first and last alerts for the item. Each threat can be acknowledged (marked as “read”), or marked as a false positive. You can also add comments to the threat details, for future investigation.

Alerts

For a threat-centric rather than a device-centric view, you can go to the Alerts page. Here you can sort threats by name, file path, first or last detections, and hostname or IP address of the respective device. The options Acknowledge, Mark False Positive and Add Comment are provided here too.

Acquisitions

From the Hosts page, you can acquire a file or various items of diagnostic data from an individual device. The Acquisitions menu lets you download files that have been acquired from hosts, in order to analyse them.

Enterprise Search

This feature allows you to search the network for a very wide variety of items. These include application name, browser version, hostname, various executables, file names/hashes/paths, IP address, port, process name, registry key, service name/status/type/mode, timestamp, URL, username and Windows Event Message.

Admin\Policies

Here you can configure numerous different aspects of the client protection policy. Examples are scans, whether to show alerts on the client, logging, malware scan settings, polling frequency, tamper protection, scan exclusions, management server address and malware detection settings. Scans can be set to run on a schedule, or after a signature update or device boot.

Admin\Host Sets

These are simply groups of computers. They can be defined according to a wide variety of criteria, or simply by dragging and dropping from the list of all devices. These groups are used to apply different protection policies.

Admin\Agent Versions

This lets you download current and older versions of the endpoint agent for Windows and Mac systems. The admin can thus avoid, for example, compatibility problems with a particular agent version on specific systems.

Admin\Appliance Settings

This page allows you to change settings for the management console itself. There are controls for date and time, user accounts, notifications, network settings and licences, and more.

macOS Endpoint Protection Client

Deployment

Installer files in .dmg format can be downloaded from the Admin menu, Agent Versions. As the name suggests, the current and earlier versions of the client are provided. The installer file can be run manually, or via a systems management product such as Jamf. If you install the product manually, you will need to remember to give the agent full disk access in the macOS settings. This is a necessary action to enable the product to work properly.

After installation, the Trellix agent takes some minutes to download the protection engine. Protection will not be enabled until this is complete.

User interface on macOS client

The user interface is completely hidden, and users cannot interact with the program at all. No detection alerts are shown.

Malware detection scenarios

In our functionality check, we found Trellix Endpoint Security for macOS to have very sensitive and reliable on-access detection of malware. Malware that we downloaded or copied to the system was instantly detected and quarantined in all cases. When we tried to copy malware from a USB drive to the system, Trellix not only prevented the malware copy process, but also deleted the source malware on the USB drive.

Summary

Trend Micro Antivirus for Mac is a paid-for antivirus program with camera and microphone protection, an anti-ransomware feature, and a web-protection add-in for Safari. We were particularly impressed with the very effective on-access malware detection. The help features are clear, and convenient to access. Installing and uninstalling are both straightforward, and the clean UI design makes the most important features very easy to access and use. Consequently, Trend Micro Antivirus for Mac would be particularly well suited to non-experts. For advanced users, a resizable quarantine window would be appreciated. However, overall the program has been very well thought out, and gets all the important things right.

Installation

After downloading and running the installer file, you start the setup wizard by clicking Install Trend Micro Antivirus. The User Support folder on the same page includes links to the following pages on the vendor’s website: System Requirements, Known Issues, and Quick Start Guide. There is also an uninstaller, with which you can later quickly and easily remove the program, should you need to.

The setup wizard is very straightforward. Aside from choosing whether to enter a licence key or use the trial version, there are no decisions to make. When it comes to the process of authorising Trend Micro extensions and permissions, the setup wizard provides a convenient “Verify” button, which checks whether you have successfully granted the necessary permissions. A Trend Micro Safari Extension is installed, and will be activated if you authorise this. When you first open the program, it prompts you to set up Camera and Microphone Protection and Ransomware Protection. For the latter, you can easily customise the default list of folders and drives to be protected.

Finding essential features

Status, update, default scan, scan options, subscription, logs/quarantine and help can be accessed directly from the Overview page (please see screenshot above). We note that the logging and quarantine functions are both found under Logs. Settings are found under Trend Micro Antivirus\Preferences in the Mac menu bar, as is to be expected for a macOS program. Scheduled scans can be configured in the Preferences dialog box.

Alerts

When we disabled real-time protection, the alert below was shown in the main window. We were able to reactivate the protection easily by clicking Fix Now.

When malware was detected in our functionality check, Trend Micro displayed an alert in the main window (shown below). No user action was required. The alert persisted until we closed it.

If you click on View Results in the alert box, it opens the logs/quarantine page, and shows you what’s been detected.

Malware detection scenarios

In our functionality check, we found Trend Micro Antivirus for Mac to have exceptionally sensitive on-access detection of malware. Malware that we downloaded or copied to the system was instantly detected and quarantined in all cases. When we tried to copy malware from a network share or USB drive to the system, Trend Micro not only prevented the malware copy process, but also deleted the source malware on the USB drive or network share.

When we scanned a flash drive containing malware samples, Trend Micro automatically quarantined the malicious files without the need for any user action. At the end of the scan, a message box is displayed, showing a summary of the scan results. There is a button you can click on to see further details.

Quarantine and Logs

The quarantine and log functions are both accessed via the Logs page. Quarantine functionality, including options to restore or clean quarantined items, is reached by clicking List Quarantined Files on the Logs page. From here, you can view and delete or (with a macOS Administrator Account) restore any or all of the quarantined items.

As noted in previous years, the quarantine and log data is displayed in panels within small windows that cannot be resized or maximised. It is necessary to resize the columns to see all the content, and then scroll to the left to see all the data for one entry. We found this very inconvenient. However, it is possible to export the log as a .CSV file.

Advanced options

Power users with a macOS Administrator account can perform the following tasks (caution is advised):

  • Disable protection features (using the slider buttons on the Overview page)
  • Restore items from quarantine (by clicking List Quarantined Files)
  • Uninstall the program

Standard macOS users (i.e. accounts without administrator rights) cannot perform any of the above tasks. We regard this as ideal.

Help

Clicking the ? icon in the bottom right-hand corner of the main window opens a context-sensitive online manual. This provides a simple, clear guide to the program’s features and how to use them, well illustrated with screenshots.

Advertising

Trend Micro Antivirus for Mac advertises its vendor’s freemium Cleaner One Pro program. There is a link to this in the More Tools page of the program window. Also, running a Smart Scan will find “junk files”, and prompt the user to get Cleaner One Pro to remove these.

Other points of interest

The Safari add-in shows safety ratings for sites in Google web searches. These use e.g. a green tick (checkmark) icon for safe sites.

In the Trend Micro folder in the macOS Applications window is a diagnostic toolkit. With a macOS Administrator account, you can stop/start components; delete temporary files; uninstall if the standard uninstaller has problems; troubleshoot; collect debugging info; upload quarantined files to the vendor; collect network logs; create scanning exclusions.

In our functionality check, we discovered that the link to the Quick Start Guide in the installer misdirected to a different page. We informed Trend Micro of this, and they have since fixed the issue.

Mobile Security Review 2022

Avast

Mobile Security Free
6.48.1

Introduction

Avast Mobile Security Free is an ad-supported product which includes a variety of security- and privacy-oriented features such as malware scan, web and Wi-Fi security, Hack Alerts, and App Insights. Photo Vault and anti-theft functionality are also included, but with some limitations. Other app components, such as Junk Cleaner and Wi-Fi Speed, help the user monitor different aspects of the device. Avast asked us to test and review the free version of their product. Please note that Avast owns AVG, and the respective Android apps appear to be identical in functionality. There are some minor differences in the user interface, however.

Usage

Upon starting the app, the user must accept Avast’s Agreement and Privacy Policy. After viewing a brief overview of the features, the user can continue with the free and ad-supported app version by accepting the Consent Policy for custom ads. The user is then prompted to perform a first scan which requires the “All files access” permission.

Anti-Malware

After the first device scan, the app suggests turning on the web protection, and also prompts the user to set up screen locking to protect private information. The user can start a deep scan, which includes apps and files on the internal storage; otherwise an app-only scan is performed.

The app provides further scan settings, such as the detection of PUA or apps with low reputations, which are enabled by default, and the option to scan apps during installation and upon launch. The file scanner can be used to scan individual files, folders, or the entire internal storage. The external storage (e.g. SD card) is not included when scanning the device storage.

Anti-Theft

Anti-theft commands are listed in the table below. The anti-theft setup requires the user to choose an app-specific PIN – optionally a pattern and/or fingerprint – and an account for resetting the PIN and accessing the web interface at my.avast.com.

The app must be granted various permissions, among which are device admin rights and appearing on top of other apps, in order to remotely control the device from the web interface. The user can execute the remote commands Locate, Lock, Mark as Lost, Siren, and Wipe. Basic information about the device, such as battery status and the time since the last communication, is also available. The Avast PIN and protection mechanisms can be modified via the web interface.

We would welcome it if the web interface were automatically updated to display the new location once it has been received via the Locate command. In our testing, we had to refresh the page manually.

Web & Wi-Fi Protection

The protection against malicious URLs and phishing websites offered by Web Shield requires the Accessibility permission, and works for different browser apps. The features Wi-Fi Security and Wi-Fi Speed monitor the network for security threats and test the connection speed, respectively. Automatic scanning of new networks is also possible.

App Audit

App Insights monitors installed apps and provides the user with detailed usage statistics for individual apps (e.g. screen time, storage, battery impact, mobile data used) over different time periods (daily, weekly, monthly). The user can also set a data usage limit and a corresponding alert. Furthermore, all installed apps are labelled with the risk categories “low”, “average”, and “high”, depending on the app’s permissions.

Additional Features

Photo Vault enables the user to store up to ten photos, which are then encrypted and hidden from other users and apps. Hack Alerts allows the user to check whether their email or any related accounts have been involved in a data breach. Junk Cleaner helps to free up storage space by removing unnecessary files. My Statistics shows a summary of security-related actions taken by Avast on the device, e.g. number of threats prevented.

Conclusion

Avast Mobile Security Free is a well-designed anti-malware application that gives the user access to many, but partially restricted, security features. Optimization and privacy-enhancing tools are also available. All the tested anti-theft commands sent to the device worked as expected.

Anti-Theft Details

| Commands | Web |
|---|---|
| Locate | Displays location on Google Maps map. Tracking the device can be enabled. |
| Mark as Lost | Triggers configured actions like tracking, lock, and siren. |
| Siren | Activates/deactivates the phone siren. |
| Lock | Locks/unlocks the phone. |
| Wipe | Triggers a factory reset and wipes external storage. |

AVG

AntiVirus Free
6.48.2

Introduction

AVG AntiVirus Free is an ad-supported product offering a comprehensive set of tools aimed at protecting the user’s security, among which are malware scan, web and Wi-Fi security, and Hack Alerts. The anti-theft and Photo Vault components are included as well, but have some limitations. Further app features allow the user to monitor different privacy and performance aspects of their device. AVG asked us to test and review the free version of their product. Please note that AVG is owned by Avast, and the respective Android apps appear to be identical in functionality. There are some minor differences in the user interface, however.

Usage

After installation, the user must agree to the vendor’s Privacy Policy and Agreement. The app then shows a short overview of the included features. To continue with the free and ad-supported version, the user must also accept the Consent Policy for personalized advertising. After that, the user is prompted to start a first scan of the device.

Anti-Malware

Prior to starting the first device scan, the app asks for access to all files and folders on the device. Additionally, the user can select a more thorough and deeper scan of apps and files on the internal storage. The external storage (e.g. SD card) is excluded from any scans.

The app also checks the device’s security settings, and warns of any disabled protection shields. The settings to treat PUA as malware, and to warn about apps with a poor reputation, are adjustable but already enabled by default.

Anti-Theft

Anti-theft commands are listed in the table below. During the setup of the anti-theft feature, the user must set an app-specific PIN, or optionally a pattern and/or fingerprint.

Furthermore, the app needs to be granted various permissions, among which are device admin rights and appearing on top of other apps. Remote commands such as Locate, Lock, Mark as Lost, Siren, and Wipe can be deployed from the web interface at my.avg.com, which requires a valid AVG account.

From here, the user is also able to modify the AVG PIN, the protection behaviour (lock phone, siren on lock), and view basic device information, such as the battery status.

In our testing, we found it a bit confusing that after successfully receiving the device location using the Locate command, the map was not automatically updated with the new location. We had to manually refresh the page in order to see the changes.

Web & Wi-Fi Protection

Once the app has been granted the Accessibility permission, the Web Shield component provides protection against phishing websites and malicious URLs for different browser apps. Wi-Fi Security scans the currently connected Wi-Fi network for security threats, while Wi-Fi Speed tests the quality of the connection in terms of download and upload speeds. If the corresponding feature is activated, the app also automatically scans new networks.

App Audit

App Insights lets the user monitor installed apps and gives information about how much time the user spends on each app, available storage space, which permissions the apps have been granted, and data consumption over a day, week, or month. The feature shows the risk level “high”, “average”, and “low” for each installed app, according to the permissions it accesses. To limit mobile data usage, a custom data plan can be set up.

Additional Features

Hack Alerts notifies users whenever sensitive information tied to their email or other accounts has been leaked. Photo Vault encrypts and stores up to ten images, which can only be accessed via the AVG PIN. Junk Cleaner analyses the storage for unnecessary files and helps to remove them. My Statistics summarizes all actions taken by AVG to protect the device, e.g. number of threats prevented.

Conclusion

The free and ad-supported version of AVG AntiVirus provides a well-designed and accessible security solution for Android, with an easy-to-use interface and multiple features aimed at protecting and optimizing the device. All tested anti-theft commands behaved as expected.

Anti-Theft Details

| Commands | Web |
|---|---|
| Locate | Displays location on Google Maps map. Tracking the device can be enabled. |
| Mark as Lost | Triggers configured actions like tracking, lock, and siren. |
| Siren | Activates/deactivates the phone siren. |
| Lock | Locks/unlocks the phone. |
| Wipe | Triggers a factory reset and wipes external storage. |

Avira

Antivirus Security Pro for Android
7.13.1

Introduction

Avira Antivirus Security Pro for Android is a paid-for product. In addition to malware protection, anti-theft, app locking, and permission manager, it provides microphone- and web-protection features, a data-limited VPN, and performance optimizer tools.

Usage

After installation, the user must agree to the EULA and Terms and Conditions, and also configure the data collection preferences of the app. Next, the app offers a dark mode to save battery. After that, the main screen shows up; from here, the user can start the first Smart Scan to check the device’s security and performance.

Anti-Malware

Before the first scan, the user must grant the app permission to access all files and folders on the internal and external device storage. If the permission is denied, only installed apps will be scanned. Besides malware, the scan looks for adware and PUAs by default. Riskware detection can be configured, and scans for a set time and day can be scheduled in the Smart Scan options. There is also an option to start an automatic scan when a storage device is connected, or a USB cable is unplugged. However, this feature did not work in our testing; no scan was started in these scenarios.

As part of the scan results, the user is prompted to optimize device memory by stopping background apps and removing large temporary files from the storage.

Anti-Theft

Anti-theft commands are listed in the table below. When activating anti-theft components, the app requests the necessary permissions and device admin rights to get full control over the device. In addition, the app advises the user to turn off the option “Remove permissions if app is unused” in the system settings. The anti-theft screen displays the device’s current position on a map, and registered devices in the menu in the top right-hand corner. Of the three commands Locate, Lock, and Wipe, the last two can only be executed remotely by a second device that has the Avira app installed and is linked to the same user account.

During our testing, we noticed some usability issues which we would like to describe in more detail here. From a usability perspective, it is not clear how to properly set up the anti-theft feature. The user is prompted to grant access to the location without being informed why and which options to select (e.g. “allow while using”, “all the time”). We suggest providing at least a brief explanation before showing the permission prompt.

The app advises the user to set up an Android lock screen in advance, as this is absolutely necessary to remotely lock the device. However, when selecting the respective option in the anti-theft settings, the user gets redirected to the wrong Android system settings page (“Biometrics and security”). In that case, the user has to manually navigate to Android Settings > Lock screen.

Moreover, as the lock screen is already set up with a custom PIN, password, pattern, etc., it is unclear to us why an additional PIN needs to be entered and sent with the Lock command.

When sending the Lock command without any additional information (e.g. message or phone number), it will fail with the error message “Something went wrong”. From this, the user is not able to figure out what went wrong. We recommend giving more explanation and specifying why sending the command failed. In addition, sending any additional information has no effect, as it will not be shown anywhere on the target device screen.

Web & Wi-Fi Protection

The Web Protection feature detects phishing and other malicious websites while browsing the web with supported browsers. In addition, the user can black- or whitelist websites. The VPN service is limited to 100MB per day.

App Lock & Audit

App Lock restricts access to selected, sensitive apps by locking them using a PIN, pattern, or fingerprint. The user can choose between different locking behaviours (lock immediately, lock after predefined time intervals, lock when screen turns off). Additionally, there is an option to show a fake crash message when a locked app is accessed. In that case, the user needs to long-tap the OK button, which opens the prompt to unlock the app. The Permissions Manager shows all installed apps grouped by the permissions they request. Additionally, this feature shows which permissions the user has allowed or denied for certain apps.

Privacy Protection

Call Blocker can be used to block phone calls from specified contacts, if the Avira app is set as the default “caller ID & spam app”. Identity Protection checks a specific email address for data breaches.

The Microphone Protection feature is supposed to give only selected apps access to the device microphone when turned on. However, there is no option to select apps for this; instead, a list of apps which need access to the microphone is shown. Moreover, the Google Play entry says that this feature (along with Camera Protection) is only available on Android 10 and lower, although it was visible on our test devices.

Conclusion

Avira Antivirus Security Pro for Android offers a large set of tools to enhance device security, protect the user against privacy leaks, device loss or theft, and increase the device’s performance. However, the app shows some flaws, especially during the setup of the anti-theft feature and when trying to remotely lock the device using the applicable command.

Anti-Theft Details

| Commands | App & Web |
|---|---|
| Locate | Displays location on Google Maps. |
| Lock | Locks the device with a 4-digit PIN (executable remotely). |
| Wipe | Triggers a factory reset and wipes external storage (only executable remotely). |

Bitdefender

Mobile Security for Android
3.3.167

Introduction

Bitdefender Mobile Security for Android is a paid-for, security- and privacy-oriented mobile security solution. An Autopilot mode, enabled by default, automatically takes care of security- and privacy-related issues on behalf of the user. Additional components such as Anti-Theft, Account Privacy, Scam Alert, and App Lock ensure that the user is protected against other threats.

Usage

Upon opening the app for the first time, the user must agree to Bitdefender’s subscription agreement, and either log in or create a new account. After that, the app helps the user to configure the necessary features, such as Malware Scanner and Web Protection, and to start the first device scan. On the main screen, the current device status is shown, and the user has access to all the app features.

Anti-Malware

The user can decide whether to run an app-only scan or a more thorough scan of the internal and external device storage by granting the “All files access” permission. Besides the scan result, a list of several malware types with a brief description is displayed. Bitdefender also provides details of detected malware.

Anti-Theft

Anti-theft components are listed in the table below. First, the necessary permissions, among which are device admin rights, need to be granted, and the user is asked to choose an app-specific PIN. In order to activate Snap Photo, the app requires permission to access the device camera. The remote commands Locate Device, Lock Device, Play Sound, and Erase Device can be sent from either the Bitdefender Central app or the web interface at central.bitdefender.com.

From the command interface, the user can see the device’s location and security status (along with a list of threats found on the device), and remotely start a scan. The Snap Photo feature silently takes a photo with the front camera and uploads it to the remote command interface, as well as storing it on the device, after the wrong PIN has been entered three times in a row.

In our test, we noticed that after sending the Lock command, a device with no pre-defined Android lock screen does not get locked. After reporting this issue to Bitdefender, they released an updated version. Now, a lock screen needs to be configured during the setup of the anti-theft feature in order to use the Lock command. The web interface informs the user that if an Android lock screen has been properly set up beforehand, this lock type will not be overwritten by the new lock code sent with the Lock command. However, Bitdefender plans to reuse this lock code in a future version of the app.

Web & Wi-Fi Protection

The Web Protection feature blocks malicious URLs and phishing websites in various browser apps. Bitdefender also offers a VPN service, providing up to 200 MB of data traffic per day while connected to an automatically chosen server. The option to warn the user each time the device connects to an open Wi-Fi is activated by default.

App Lock

The App Lock component limits access to chosen apps by locking them with a pre-defined PIN. In the settings, the user can decide how often protected apps should require the code. The Random Keyboard feature randomizes the number position on the keyboard each time the lock screen is displayed. Protected apps remain unlocked while connected to a Wi-Fi network marked as trusted. If Snap Photo is enabled, a photo is taken with the front camera after three failed unlock attempts with the PIN.

Privacy Protection

The Account Privacy feature lets the user check whether an email address has been compromised in a data breach. The email address to be checked needs to be verified with a confirmation code in advance. Scam Alert monitors incoming text messages and notifications for dangerous links and potential scams.

Conclusion

Bitdefender Mobile Security for Android provides a wide range of tools for monitoring the device’s security and privacy. All anti-theft features except the Lock command worked as expected in our test.

Anti-Theft Details
Commands (Web)
  • Locate Device: Displays location on Google Maps.
  • Play Sound: Sounds an alarm on the device and/or shows a custom message (only when the device is unlocked).
  • Lock Device: Locks the device only if a pre-defined Android lock screen is configured.
  • Erase Device: Triggers a factory reset and wipes external storage.
Additional Features
  • Snap Photo: Takes a picture with the device’s front camera after 3 failed unlock attempts.

ESET

Mobile Security Premium
7.3.15

Introduction

ESET Mobile Security Premium is a paid-for and easy-to-use mobile security solution for Android. In addition to malware protection, anti-theft, and anti-phishing, it offers privacy-related features such as app auditing and locking, payment protection, and a call filter.

Usage

On the first start, the user must agree to the EULA and Privacy Policy, and select the appropriate country and language. Next, the app asks for the user’s consent to collect anonymous data. The user is then prompted to create an account, or log in to an existing one, prior to activating the product license. After granting the app the permission to access all files and folders, the first device scan starts immediately. All the features can be viewed and accessed on the main screen.

Anti-Malware

Users can choose between two scan levels: Smart (installed apps) and In-Depth (all files). In both cases, the internal and external device storage is scanned. Detection modules can be updated manually, and it is possible to toggle on-charge scans and to schedule scans.

Further settings allow the user to disable real-time protection for download folders, toggle the ESET LiveGrid reputation/feedback system, and to configure actions when removable media is connected. Additionally, the detection of potentially unwanted and unsafe applications can be controlled here. The Adware Detector can help with identifying installed apps that overlay the device screen with unwanted ads.

Anti-Theft

Anti-theft components are listed in the table below. During setup, the user needs to grant the app several permissions and device admin rights, and to configure a PIN to protect the anti-theft settings. The SIM card protection and other locking behaviours (e.g. number of unlock attempts, photo of the intruder) can be configured as well.

Once the device recognizes suspicious behaviour (e.g. removing device admin rights from the app), it will enter the “suspicious mode”. In this state, the app locks the device and regularly sends data (photos taken by the front and back camera, device’s location, and information about connected Wi-Fi networks) to the web interface at home.eset.com. The user can also trigger this mode from the web interface with one click. Device monitoring ends after 14 days, but the user will receive a reminder via email 5 days before that time to extend the monitoring period. It is also possible to wipe all data from the device and to automatically save the last known location when the device battery reaches a critical level. A locked device can be unlocked either with the ESET account password or a custom unlock code obtained from the web interface.

Web & Wi-Fi Protection

The anti-phishing component protects a wide range of browser and social network apps against phishing attacks. The Network Inspector scans for vulnerable devices on the currently connected Wi-Fi network, and outputs relevant information about each device such as name, model, IP/MAC address, and OS.

App Lock & Audit

App Lock allows the user to protect selected apps from unauthorised access using a PIN or pattern. The locking type and behaviour (e.g. lock new apps after installation, lock after screen turns off) can be adjusted in the settings. With Security Audit, the user can review important device settings and permissions of installed apps (including system apps) in a clean overview.

Privacy Protection

With the Call Filter feature, the ESET app can be set as the default “caller ID & spam” app in order to block unknown/hidden numbers or contacts defined by custom rules. The Safe Launcher app (ESET Payment Protection) is installed along with the ESET app, and prevents malicious apps from reading and replacing on-screen information while using a protected banking or payment app.

Conclusion

ESET Mobile Security Premium offers comprehensive protection and security features against vulnerabilities and theft. It stands out for its particularly careful and brief descriptions of each setup step and various options. All anti-theft features worked flawlessly.

Anti-Theft Details
Commands (Web)
  • Device is missing: Marks the device as lost and regularly triggers subsequent actions.
  • Track: Automatically tracks the location and displays it on Google Maps when the device is marked as lost.
  • Play siren: Sounds an alarm on the device when marked as lost.
  • Lock: Automatically locks the device when marked as lost.
  • Wipe: Triggers a factory reset and wipes the external storage when marked as lost.
  • Message: Sends a message which is shown on the lock screen when device is marked as lost.
  • I recovered my device: Stops the automatic device monitoring and unlocks the device.
  • Download activity: All the pictures taken, and locations noted, can be downloaded as an archive.
Additional Features
  • Take Photo: Automatically takes pictures with the device’s front and back camera when the device is marked as lost.
  • SIM Card Protection: Locks the device when a (trusted) SIM card is removed.
  • Uninstall Protection: Marks the device as lost when device admin rights are removed from the app.

G DATA

Mobile Security Android
27.4.6

Introduction

G DATA Mobile Security Android is a paid-for security solution that incorporates various security- and privacy-related features such as malware scan, anti-theft, web protection, and App Control. No free trial is offered, and the app is only available after purchasing a yearly license.

Usage

First, the user must accept the EULA and Privacy Policy, and decide whether to send anonymous and/or malware-related data. After logging into the account, the user is given a quick tour of the various app components, and then presented with the opportunity to adjust scan-related settings. After granting the app access to all files and folders, the user is redirected to the main screen, where the phone and app status is shown, a system scan can be started, and the protected apps can be managed. The other app components are available from the menu in the upper left-hand corner.

Anti-Malware

From the settings, the user can choose the scan type, whereby App scan is selected by default. A system scan allows the user to perform a full scan of the internal and external storage.

Signatures are configured to update automatically but can be downloaded manually as well. The options to check apps after installation, and to perform periodic scans, are enabled by default.

Anti-Theft

Anti-theft commands are listed in the table below. Various permissions, among which are device admin rights, need to be granted to the app to activate anti-theft. The device must also be added in the G DATA ActionCenter at ac.gdata.de – or alternatively the G DATA Mobile Security Center at msec.gdata.de – by either scanning a QR code or entering the activation code. The anti-theft settings further enable the user to locate the phone when the battery is low, and to trigger an alarm each time the headphones are disconnected or when a new SIM card is detected.

After successfully connecting the device to the web interface, the user can send the remote commands Locate Device, Trigger Signal Tone, Lock Screen, and Delete Personal Data. From the web interface, the user is able to modify in-app settings (including battery-friendly scan options), start scans, and access general device information, along with a list of actions taken by the AV app.

G DATA sends a notification to a pre-defined email address each time an anti-theft feature has been activated. The user can invite other people to the web interface via email, and regulate their access to a subset of anti-theft features.

In our test, we noticed that after sending the Lock command, a device with no pre-defined Android lock screen does not get locked. Instead, the web interface shows a status message, and an email is sent to the user’s inbox stating that executing the command failed. After we asked G DATA about this behaviour, they confirmed that they would improve the user experience in this regard.

Web Protection

Once enabled, the Web Protection feature blocks phishing websites and malicious URLs in supported browser apps. The user can configure this component to be used only when connected to a Wi-Fi network.

App Lock & Audit

To activate App Control, the user is prompted to set up a PIN, a security question, and a recovery email address. If an app is marked as protected, a lock screen is displayed each time a user launches the app, which will only be removed once the PIN has been entered. App Control shows further app information, such as the permissions granted by the user, and lets the user uninstall apps.

Conclusion

G DATA Mobile Security Android offers a sleek and easy-to-use graphical user interface, including essential security and privacy functions. Except for a minor issue in the Lock command, all anti-theft features worked as expected in our test.

Anti-Theft Details
Commands (Web)
  • Locate device: Displays current or last-known location on Google Maps and sends email notification with link to Google Maps.
  • Trigger signal tone: Rings an alarm on the device, which can only be deactivated by opening the G DATA app.
  • Lock screen: Locks the device only if a pre-defined Android lock screen is configured.
  • Delete personal data: Triggers a factory reset and wipes external storage.
Additional Features
  • SIM Card Protection: Locks the device and sends the current location to the registered email address whenever the SIM card is changed.
  • Headphone Protection: Locks the device and rings an alarm when the headset is disconnected.

Google

Play Protect & OS Features
30.4.17

Introduction

With Google Play Services and Google Mobile Services (GMS), Google-certified Android devices are equipped with several APIs (e.g. for security, privacy, location, accounts, backups) and preinstalled apps (e.g. Chrome, Gmail, Maps, Drive, YouTube) to help developers build more-advanced apps and to provide better user experience to mobile end-users. Play Protect, as part of this collection, is Google’s built-in malware protection, which monitors the device for malicious apps and APK files. Device security and privacy is further enhanced with anti-theft, browser protection, and app audit components.

Usage

Play Protect is preinstalled on supported Android devices, and can be found either via Play Store > Profile Icon > Play Protect or in Android Settings > Biometrics and Security > Google Play Protect.

Anti-Malware

Play Protect periodically scans the internal storage and notifies the user of malicious or potentially harmful apps, and apps that misuse permissions to access personal information, thus violating Google’s Developer Policy and Unwanted Software Policy. The settings “Scan apps with Play Protect” and “Improve harmful app detection” can be turned off and a list of permissions for unused apps can be reviewed.

Anti-Theft

Anti-theft commands are listed in the table below. The anti-theft feature Find My Device can be operated remotely from the web interface at google.com/android/find or using the standalone app from Google Play. Logging in to a Google account is mandatory for both methods. When the device is connected, the interface shows the current or last-known location, battery level, time, and name of the Wi-Fi the device is connected to. The user can lock the device with the existing locking mechanism or by setting a new lock PIN/password, and optionally display a message on the device screen. The option to erase the target device deletes all data from the device by forcing a factory reset.

Web Protection

The Google Chrome browser app for Android devices includes a safe browsing feature with “Standard protection”, which alerts users to dangerous sites and downloads. Users can switch to “Enhanced protection” for a deeper analysis and to get warnings about password breaches. Options for “Do not Track” and “Always use secure connections” are disabled by default.

App Audit

In the Android device Settings > Apps, all installed apps are listed, along with detailed information about their notifications and default-app settings, permissions (including special permissions), and device usage (e.g. mobile data, battery consumption, storage space). From here, users can also disable/uninstall the app, force an app stop, and adjust the permissions the app has requested. To give users even more insight into how apps affect their privacy, all apps can be sorted and viewed by dangerous permissions (e.g. location, camera, microphone) and permissions with special access (e.g. device admin rights, all files access, install unknown apps).

Conclusion

Google Play Protect is preinstalled on approved new Android devices, while older devices will receive updates for Play Services and GMS. All the security-related features, such as malware protection, anti-theft, and web protection, can be used for free with a Google account. Depending on the device model, manufacturers may provide their own device-related security features, which might overlap with pre-existing GMS apps such as Google Chrome and Find My Device. All anti-theft commands worked as expected.

Anti-Theft Details
Commands (App & Web)
  • Locate: Displays the current or last-known location on Google Maps.
  • Secure Device: Locks the device with a given PIN/password or the pre-defined locking mechanism. Optionally, a message and/or phone number to contact can be displayed on the locked device screen.
  • Erase Device: Triggers a factory reset immediately or after next device restart and wipes external storage.

Kaspersky

Kaspersky Standard for Android
11.84.4

Introduction

Kaspersky Standard for Android is a well-rounded, paid-for mobile security solution. It offers a comprehensive set of tools to protect against malware, phishing, theft, and privacy violations. The app also includes a free but data-limited VPN. The app functionality can be extended by installing additional Kaspersky apps from within the app, such as battery optimizer or a QR scanner.

Usage

Upon first opening the app, the user must agree to Kaspersky’s EULA and Privacy Policy, and grant storage permission to the app. Next, the user must either activate an existing license or start a free trial week. On the app’s main screen, a database update as well as a quick scan are started automatically. The app prompts the user to configure and enable various security-related components, such as anti-theft and safe browsing, and suggests running a full device scan.

Anti-Malware

When starting a scan, the user is asked whether to start a quick (app-only) scan, a full scan including all files on the internal and external storage, or a selective scan of specific folders or files.

The scan settings offer fine-grained control of scan frequency and signature updates, in addition to customizable scan behaviour and actions that should be taken when malware is detected. The default scan settings include the detection of adware and auto-dialers and scanning of installed apps and APK files in the Downloads folder. The user can switch to the extended real-time protection, letting the app monitor all file activities and installed apps regularly.

Anti-Theft

Anti-theft commands are listed in the table below. The setup of the Where Is My Device feature requires the user to grant the app the necessary permissions as well as device admin rights, and to configure a secret code/pattern/fingerprint. Remote commands such as Lock & Locate, Mugshot, Alarm, and Data Wipe can be sent from the web interface at my.kaspersky.com.

Here, basic information, such as battery level and activated security features, as well as images taken by the Mugshot command, and the device location, are shown. All commands except for Data Wipe can include a custom message that is displayed on the lock screen. An email is sent after the commands Lock & Locate or Mugshot are successfully executed, and the results are automatically deleted from the web interface after 30 days.

The features SIM Watch and Uninstallation Protection lock the device when they detect a SIM card change or an attempt to uninstall the Kaspersky app, respectively.

Web Protection

The Safe Browsing component protects the user from phishing websites while browsing the web. The supported browsers are displayed in the settings.

Before using the free VPN component, the user must accept Kaspersky’s VPN policy. After that, the VPN auto-selects the server closest to the user’s current location and offers a daily traffic limit of 300 MB.

App Lock & Audit

After granting the necessary permissions, the App Lock feature allows the user to select and lock sensitive apps with the same secret code/pattern/fingerprint used for the anti-theft functions. The My Apps component shows apps grouped by dangerous and special permissions, and provides details about apps, including their permissions and data usage. Furthermore, installed apps can be removed from within this feature.

Privacy Protection

Call Filter automatically declines incoming calls from blacklisted contacts. The Data Leak Checker checks the email address connected to the Kaspersky account for data breaches. The Weak Settings Scan monitors the system settings for any vulnerabilities.

Conclusion

Kaspersky Standard for Android comprises a great set of security and privacy features, which are thoroughly explained by the help links in the upper right-hand corner. Features can be extensively customised, and additional apps can be incorporated. All the anti-theft commands worked flawlessly in our test.

Anti-Theft Details
Commands (Web)
  • Lock & Locate: Locks the device, displays the location on Google Maps, and sends the location in an email.
  • Mugshot: Locks the device and takes several pictures using the front camera.
  • Alarm: Locks the device and rings an alarm.
  • Data Wipe: Triggers a factory reset and wipes external storage.
Additional Features
  • SIM Watch: Locks the device if the SIM card is removed or changed.
  • Uninstallation Protection: Locks the device if device administrator rights are removed from the app.

Malwarebytes

Malwarebytes for Android
3.10.1

Introduction

Malwarebytes for Android is a paid-for mobile security product that provides a malware scanner, along with real-time and ransomware protection, a safe browsing feature, and app auditing.

Usage

Upon first launch, the app asks the user to give permission to access all files and folders on the device. After that, a database update is run in the background, and a full system scan can be started manually. The app advises the user to further enhance device security by giving it more privileges, excluding it from battery optimization, and checking for insecure system settings in the security audit.

Anti-Malware

The app scans the internal and external device storage, and shows detailed information about the apps and files being scanned, as well as malware found. When enabled, deeper system scans with additional rules are performed. Automatic updates are enabled by default and can be triggered manually. The user can schedule scans for different times and days, after a device boot, or after a database update. Scans can be disabled if the battery is low, or run only while charging. Giving the app device-admin rights enables full device control for its anti-ransomware remediation feature, and protects the app from being easily uninstalled.

Web Protection

If enabled, the Safe Browsing Scanner will warn the user of phishing and other malicious links. However, the feature does not attempt to block the malicious content.

App Audit

Your Apps shows the list of all system and other installed apps and provides further app details when granting the Usage-Access permission. The Privacy Checker scans and groups the apps according to the permissions they have acquired.

Conclusion

Malwarebytes for Android is a solid mobile security solution, which includes anti-malware, web protection and a detailed audit feature for installed apps. The steps for the initial setup and app settings are clearly explained and leave no questions unanswered. Although phishing websites are not actually blocked, the user does at least get a warning to close the page immediately.

Securion

OnAV
1.0.34

Introduction

Securion OnAV is an ultra-light and free-to-use AV product that only provides cloud-based malware detection. Without any user registration, it assigns a unique ID to each device to prevent double sign-ups. This review covers the English version of the app only, which differs from its original Korean counterpart.

Usage

First, the user must accept the EULA, Terms and Conditions, and the Privacy Policy. After that, the app asks for permission to appear on top of other apps and to access all files and folders, in order for its real-time protection to work properly. On the main screen, a simple menu listing the main functions is shown.

Anti-Malware

The app only scans the internal storage for malicious apps and files. Detected malware can be deleted selectively or all in one go. The information about previous scan results can be accessed from the Scan Log menu option in the main screen. The real-time protection can be turned on and off in the app settings.

We informed Securion about an issue in the malware scanner. The vendor quickly fixed it and released an updated version.

Conclusion

Securion OnAV is a free, user-friendly app that provides just malware protection capabilities. Detected malware is listed in the scan results, where it can be viewed and deleted directly.

Trend Micro

Mobile Security for Android
12.15.0

Introduction

Trend Micro Mobile Security for Android is a comprehensive, paid-for security product. Besides security features such as a malware scanner, anti-theft, web/Wi-Fi protection, and parental controls, it provides additional system tuning and privacy tools.

Usage

Upon the first app start, the user is prompted to accept Trend Micro’s License Agreement, Privacy, and Data Collection Notice. Next, the user must either activate a license, start a two-week trial, or continue with a limited free version. After that, an initial scan is started in the background. In addition to showing the scan result, the app recommends configuring various other features, including granting the necessary permissions. All the app features are directly accessible from the main screen, with the device status displayed at the top.

Anti-Malware

In the security scan settings, the user can set the protection level, which determines the threat level at which the user is notified. Other options include toggling real-time scanning, enabling a pre-install scan, including the external storage in scans, and choosing whether an app-only scan or a scan of the entire device storage is performed.

Malware signature updates are run periodically (daily, weekly, or monthly) but can also be triggered manually.

Anti-Theft

Anti-theft commands are listed in the table below. The Lost Device Protection feature allows the user to issue remote commands such as Locate, Lock, or Wipe via the web interface at mobilesecurity.trendmicro.com. An option to lock the phone whenever the SIM card is changed or removed is also included; it did not work properly in our initial testing. After we told Trend Micro about the issue, they quickly released a bugfix. If Uninstall Protection is activated, the Trend Micro app can only be uninstalled with the account password or an unlock code. The Reset command is only supported on devices with Android 7.0 or lower. The Secret Snap feature can take a picture with the front camera after 3, 5 or 7 failed unlock attempts, which will be saved on the device and sent to a pre-defined email address.

Web & Wi-Fi Protection

Web Guard blocks links to malicious websites for directly supported apps. For apps that are not directly supported, the VPN protection needs to be activated to browse securely while using these apps. The blocking of phishing sites worked in all the supported browsers. The protection level can be set to “low”, “normal”, or “high”, and the user can define black- and whitelists of websites. The Wi-Fi Checker scans for suspicious interfaces on the current network.

Parental Controls

The parental controls feature is split into App Lock and Website Filter. With the first, selected apps can be protected with either the Trend Micro account password, a pattern, PIN, or fingerprint. The Website Filter can be set to three predefined levels (Child, Pre-Teen, and Teen), with each of them blocking websites belonging to categories deemed inappropriate for the specific age group. Moreover, custom filters, as well as white- or blacklists of individual websites, can be built. The website filter also works in combination with the VPN content filter for apps not directly supported by the Trend Micro app. As with Web Guard, blocking of websites worked with all supported browsers.

Additional Features

Fraud Buster scans incoming messages for phishing links and notifies the user of potential risks. The Social Network Privacy feature can be used to check the privacy settings of a Facebook or Twitter account. The Pay Guard Mobile feature monitors financial transactions made with installed banking and shopping apps. The app includes a System Tuner, which can free up memory space and extend battery life. The App Manager allows the user to view all installed apps, uninstall or disable apps at once, and remove unneeded setup files.

Conclusion

Trend Micro Mobile Security for Android offers a comprehensive set of security and privacy features, protecting the user against various threats on the device and while browsing the Internet. There are also extensive options to limit access to websites. All anti-theft features worked properly.

Anti-Theft Details
Commands (Web)
  • Locate: Displays location on Bing Maps.
  • Lock: Locks the device until either the Trend Micro password or a one-time unlock key from the web interface is entered.
  • Wipe: Triggers a factory reset and wipes external storage.
  • Share: Posts a Bing Maps link with the current location on Facebook.
Additional Features
  • SIM Card Lock: Locks the device if the SIM card is changed or removed.
  • Uninstall Protection: Locks the device if device administrator rights are removed from the app.
  • Secret Snap: Takes a picture with the front camera.