Summary

Avast Security Free for Mac is a free antivirus program and well suited to non-expert users. Some of its key aspects are:

• easy and straightforward installation and setup of core features
• most common features displayed in a clean and well-laid-out GUI
• different scan options and comprehensive settings, including scheduled scans
• clear and persistent alerts
• normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

To set up Avast Security on your Mac, you just download and run the installer file from the vendor’s website. The initial setup is straightforward as the program guides you through step by step and provides brief explanations. You can uninstall the program by clicking Avast Security > Uninstall Avast Security in the macOS menu bar or opening the Avast Security Uninstaller directly from the macOS Applications folder.

General Handling & Essential Features

Protection status, smart scan, scan options (Virus Scans), protection features (Core Shields), and quarantine are all found on the home page of the main program window. Settings (Preferences) can be opened from the program menu in the top right-hand corner or the macOS menu bar. Subscription information is not applicable, as the program is free. A manual update can be triggered by clicking Check for Updates from the system tray icon or Avast Security in the macOS menu bar. The online help is accessible from the Help menu in the program menu which opens the support page in the default browser.

Protection

From Virus Scans on the home page, you can start a smart scan, deep scan of all drives and the system memory, external storage scan of connected storage devices, or targeted scan of specific files or folders. The latter can also be run from e.g., the Finder context menu. Scheduled scans can be configured as well. The detection behaviour and settings of the different scan types can be changed from Preferences. The detection of PUA is enabled by default. The Email Guardian scans emails of provided mail accounts and flags any that seem suspicious. In the free version, only mail apps installed on the Mac are supported (e.g., Apple Mail, Outlook).

Alerts

When we disabled Avast’s real-time protection (File Shield) or web protection (Web Shield) under Core Shields on the home page, an alert was shown in the main program window. To reactivate either protection feature, we had to manually go into Core Shields and turn it back on.

When malware was detected in our protection test, the program displayed the alert shown below. No user action was required, and the alert persisted until we closed it using the macOS close button in the top left-hand corner. We noted that multiple detections are combined into one single alert which you can browse through using the arrows in the top right-hand corner. Further details about the threat, such as the threat name, severity, file name/path, and process, are shown if the details section at the bottom of the alert is expanded.

Quarantine & Logs

The quarantine is directly accessible from the home page of the main program window and lists files that have been quarantined, along with the threat name, file name, file path, and date when this happened. It allows you to delete or (with an administrator account) restore any/all items.

Advanced Options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

• Disable protection features (under Core Shields)
• Uninstall the program
• Restore items from the quarantine

Advertising

The Smart Scan feature promotes Avast’s paid-for security suites, Premium and Ultimate. At the end of the scan, it will display 3 “advanced issues”, namely vulnerability to ransomware, network threats and fake websites. If you click on Resolve All here, a purchase prompt for Avast Premium Security will be displayed. After dismissing the prompt, a second prompt appears offering a 60-day trial for Avast Ultimate. Clicking the Go Premium button on pages of other program features or the Upgrade your protection button of a detection alert leads to the same behaviour.

Summary

AVG AntiVirus Free for Mac is a free antivirus program and well suited to non-expert users. Some of its key aspects are:

• easy and straightforward installation and guided setup of core features
• most common features displayed in a clean and well-laid-out GUI
• different scan options and comprehensive settings, including scheduled scans
• clear and persistent alerts
• normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

To set up AVG AntiVirus on your Mac, you just download and run the installer file from the vendor’s website. The initial setup is straightforward as the program guides you through step by step and provides brief explanations. You can uninstall the program by clicking AVG AntiVirus > Uninstall AVG AntiVirus in the macOS menu bar or opening the AVG AntiVirus Uninstaller directly from the macOS Applications folder.

General Handling & Essential Features

Protection status, smart scan, scan options (Run Other Scans), and protection features (Computer, Web & Email) are all found on the home page of the main program window. The quarantine is accessible from the Computer tile on the home page. Settings (Preferences) can be opened from the program menu in the top right-hand corner or the macOS menu bar. Subscription information is not applicable, as the program is free. A manual update can be triggered by clicking Virus Definitions on the home page, or clicking Check for Updates from the system tray icon or AVG AnitVirus in the macOS menu bar. The online help is accessible from the Help menu in the program menu which opens the support page in the default browser.

Protection

From Run Other Scans on the home page, you can start a smart scan, deep scan of all drives and the system memory, external storage scan of connected storage devices, or targeted scan of specific files or folders. The latter can also be run from e.g., the Finder context menu. Scheduled scans can be configured as well. The detection behaviour and settings of the different scan types can be changed from Preferences. The detection of PUA is enabled by default.

Alerts

When we disabled AVG’s real-time protection (File Shield) under Computer, web protection (Web Shield) or email protection (Email Shield) under Web & Email on the home page, an alert was shown in the main program window. To reactivate either protection feature, we had to manually go into the mentioned menu tiles and turn it back on.

When malware was detected in our protection test, the program displayed the alert shown below. No user action was required, and the alert persisted until we closed it using the macOS close button in the top left-hand corner. We noted that multiple detections are combined into one single alert which you can browse through using the arrows in the top right-hand corner. Further details about the threat, such as the threat name, severity, file name/path, and process, are shown if the details section at the bottom of the alert is expanded.

Quarantine & Logs

The quarantine is quickly accessible from Computer on the home page of the main program window and lists files that have been quarantined, along with the threat name, file name, file path, and date when this happened. It allows you to delete or (with an administrator account) restore any/all items.

Advanced Options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

• Disable protection features (under Computer and Web & Emails)
• Uninstall the program
• Restore items from the quarantine

Advertising

The Smart Scan feature promotes AVG’s paid-for security suite, Internet Security. At the end of the scan, it will display 3 “advanced issues”, namely vulnerability to ransomware, network threats and fake websites. If you click on Resolve All here, a purchase prompt for AVG Internet Security will be displayed. After dismissing the prompt, a second prompt appears offering a 60-day trial for it. Clicking the Go Premium button on pages of other program features or the Upgrade Your Protection button of a detection alert leads to the same behaviour.

Summary

Avira Prime for Mac is a paid-for antivirus program and an excellent choice for non-expert users. Some of its key aspects are:

• simple and straightforward installation and guided setup of core features
• all available features displayed in a well-organized and neat interface
• different scan options and many settings, including scheduled scans and automatic USB scan
• clear alerts
• normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

To set up Avira Prime for Mac, you need to log in to your Avira account, download and run the installer. The initial setup is straightforward as the program guides you through step by step and provides brief explanations. When the program window opens for the first time, you are prompted to run a Smart Scan. The program can be uninstalled by deleting it from the macOS Applications folder. The program’s window has both dark and light modes, which co-ordinate with the dark- and light-mode settings of macOS.

General Handling & Essential Features

Protection status, smart scan, scan options (Virus Scans), protection features (Protection Options), quarantine, and subscription information (My Account) can all be accessed from the main program window. Settings can be accessed from the cogwheel icon in the top right-hand corner of the window or the macOS menu bar. A manual update can be triggered by clicking Check for updates on the main program window. The online help is found in the Help menu in the macOS menu bar which opens the support page in the default browser.

Protection

From Virus Scans, you can start a quick scan of the most vulnerable device areas, full scan of the entire file system, or custom scan of selected files or folders. The latter can also be run from e.g., the Finder context menu. The Scheduler lets you define individual schedules of all the available scan options to run them regularly. The automatic scan of USB devices can be activated or deactivated from the Protection Options. From Settings, the detection behaviour and different scan settings can be changed.

Alerts

When we disabled Avira’s real-time protection or download protection under Protection Options, the alert below was shown in the main program window. The real-time protection can also be turned off via the system tray icon in the macOS menu bar. We were able to easily reactivate the protection by clicking Turn on.

When malware was detected in our protection test, the program displayed an alert in the form of a system notification shown below, including the file path where the threat was found and the action taken. No user action was required, and the alert closed automatically after a few seconds.

Quarantine & Logs

The Quarantine page of the program (screenshot below) shows you all the items that have been quarantined, along with the threat name, file name, file path, and date when this happened. There are options to delete and restore any of the detected files (you have to enter administrator credentials to take either action).

Advanced options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

• Disable protection features (under Protection Options or system tray icon)
• Uninstall the program
• Delete and restore items from quarantine

Summary

Bitdefender Antivirus for Mac is a paid-for antivirus program which both expert and non-expert users should find suitable for their needs. Some of its key aspects are:

• simple and straightforward installation and guided setup of core features
• all available features displayed in a very well-designed interface
• different scan options, ransomware protection, data-limited VPN, browsing-protection add-ins
• clear in-program alerts but none shown in case of a malware detection
• normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

After downloading and running the installer from the vendor’s website, the setup wizard guides you through each installation and configuration step. When setup is complete, you need to create a Bitdefender account and sign in. An optional introductory tour then starts, after which the program window displays several recommendations, such as installing the browser extension for Safari/Chrome/Firefox (Traffic Light), configuring the ransomware protection feature (Safe Files), setting up Time Machine Protection, and running a system scan. The program can be uninstalled by opening the Bitdefender Uninstaller, which is found inside the Bitdefender folder of the macOS Applications folder. The program’s window has both dark and light modes, which co-ordinate with the dark- and light-mode settings of macOS.

General Handling & Essential Features

Protection status, scan options (quick and system scan), protection features, settings (Preferences), subscription information (My Account), and help are all directly accessible from the program’s Dashboard. The quarantine and list of scan exceptions can be found under Protection. A manual update can be triggered from the Actions menu in the macOS menu bar. The data-limited Bitdefender VPN as well as additional Anti-tracker browser extensions are available under Privacy. From Help, you can open a very comprehensive manual in PDF format or the support page in the default browser.

Protection

From Protection, you can start a quick scan of critical areas, system scan of all files and directories, or custom scan of specific files or folders. The latter can also be run from e.g., the Finder context menu. Settings for the ransomware protection are available as well. The program’s protection and detection behaviour can be changed from Preferences. If you install the Traffic Light browser extension, safety ratings (indicated by coloured symbols) are added to Google search results.

Alerts

When we disabled Bitdefender’s real-time protection via Preferences or the system tray icon in the macOS menu bar, the alert below was shown in the main program window. We were able to reactivate the protection easily by clicking Enable.

When malware was detected in our protection test, the program silently took action on the threat (e.g., immediately deleted it) as the system tray icon briefly changed upon detection. After manually opening the main program window, the detections appeared on the Notifications page. Apart from that, no clear detection alerts were shown.

When verifying the Notifications permission in the macOS system settings, we noticed that the notifications were allowed for Bitdefender Antivirus for Mac but the option was set to None by default. After changing it to Banners and re-running the protection test, the program displayed an alert in the form of a system notification shown below, including the threat name, file name, and action taken. No user action was required, and the alert closed automatically after a few seconds. However, the program did not give any hint during installation or usage about enabling notifications in the macOS system settings.

Quarantine & Logs

The Quarantine page of the program (screenshot below) lets you view all the items that have been quarantined, along with the threat name, file name, and date when the this happened. There are options to delete and restore any of the detected files (you have to enter administrator credentials to take either action). Notifications is the log feature which displays events such as updates, component activation, and malware detections. These can be displayed all together, or filtered by importance (Critical, Warning, Information).

Advanced Options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

• Disable protection features (under Preferences)
• Uninstall the program
• Delete and restore items from quarantine

Summary

CrowdStrike Falcon Pro is a security package suitable for medium- to large-sized enterprise networks and provides a cloud-based console for managing the endpoint protection software. Some of its key aspects are:

• investigative functions for analysing and remediating attacks
• comprehensive search facilities
• well-organized cloud-based console with easy access to details pages
• encyclopaedia of known cybercriminal groups
• clear alerts at endpoint

Management Console

The console is navigated from the menu in the top left-hand corner of the console. This lists different sections, such as Endpoint security, Threat intelligence, Investigate, Dashboards and reports, and Host setup and management, which group the individual pages. We will describe the most relevant sections and pages below. You can easily bookmark any page (using the bookmark symbol next to the page title at the top of the page), and then go directly to that page using the Bookmarks section of the menu.

Endpoint security > Activity dashboard page

This is the page you see when you first log on to the console. It shows various status items in large panels (screenshot above). There is a list of most recent detections, with a graphical severity rating. You can also see a graph of detections by tactic (e.g., Machine learning, Defense Evasion) over the past month. Terms from the MITRE ATT&CK Framework are used to show attack stages here. The New detections, SHA-based detections, and Prevented malware by host panels redirect to the Endpoint detections details page with the respective filters applied.

Endpoint security > Endpoint detections page

Here you can search a list of threat detections using a wide range of criteria. These include severity, malware tactics, detection technique, date and time, affected host, and logged-on user. For each detection, you can see full details, including a process tree view (screenshot below), and assign a console user for remediation.

Endpoint security > Quarantined files page

This page lets you see files that have been quarantined by the endpoint protection client. For each item, you can see the date and time when it was quarantined, file name, device name, number of AV detections, logged-on user, and its status. Quarantined files can be released, deleted, or downloaded in a password-protected archive. Clicking the entry of a quarantined file opens a panel with additional information, such as the file path, file hashes, file size, file type, detection method, and severity. There is a search function and a variety of filters you can apply to find specific files within the quarantine repository.

Endpoint security > Prevention policies page

Here you can create and edit the prevention policies for the supported OS endpoints. You can define the capabilities of the endpoint protection client for different types of attack-, detection-, and protection-related behaviour. In the case of Mac policies, you can configure components such as Enhanced Visibility, Quarantine, Execution Blocking, Unauthorized Remote Access, and Credential Dumping. Some sensor components, such as Cloud Machine Learning and Sensor Machine Learning, have separate configurable sensitivity levels for detection and prevention, ranging from Disabled to Extra Aggressive. Custom Indicators of Attack (IOA) can be created and assigned too. Policies can be assigned to devices automatically by means of a naming system, whereby a policy hierarchy determines which one takes precedence. For example, any device with “Mac” in its name can be automatically put into a specific group of Mac computers, to which one or more policies are assigned.

Host setup and management > Host management page

This page lists all the registered devices/hosts along with the host status, operating system, policy assignments, containment status, sensor version, and first/last seen date. Clicking on an entry opens a panel with additional details, such as device manufacturer, MAC address, IP addresses, and serial number. Like in other details pages, you can apply many different filters and search for specific hosts.

Threat intelligence > Actors page

This page provides details of known cybercriminal groups. You can see the nations and industries that each one has targeted, along with technical details of the attack methods used. CrowdStrike told us that this information is also available in Endpoint detections details when a detection is associated with a specific actor.

Investigate section

The Investigate section provides an extremely comprehensive search facility. It lets you search for specific aspects (e.g., hosts, hashes, users, IP addresses, domains, events), hunt for activities related to detections, files, or executables, view timelines of hosts, processes, and users, check reports about remote access, network logon, and geo location activities, and look for custom alerts and vulnerabilities (e.g., HiveNightmare, Log4Shell).

Endpoint Protection Client

Deployment

Installer files for the endpoint protection client (Sensor) can be downloaded from Host setup and management > Sensor downloads. Half a dozen older versions of the sensor are also available. Local installation requires the use of the macOS Terminal – instructions are provided in the documentation (Support and resources > Documentation).

General Handling

No graphical user interface is provided. Only users with a macOS Administrator account can interact with the sensor using its command-line interface (falconctl) via the macOS Terminal. For example, you can output sensor information and statistics (falconctl stats), load/unload the sensor (falconctl load / falconctl unload), and uninstall the sensor (falconctl uninstall). With the settings used for this test, detected files are not deleted but quarantined in situ.

Alerts

When malware was detected in our protection test, the sensor displayed an alert in the form of a system notification shown below, without further details about the threat. No user action was required, and the alert closed automatically after a few seconds.

Summary

Intego Mac Internet Security X9 is a paid-for antivirus program and a good choice for non-expert users. In addition to anti-malware features, it also includes a separate firewall application, called NetBarrier. In this review though, we have focused on the antivirus application, VirusBarrier. Some of its key aspects are:

• simple and straightforward installation and setup of core features
• all available features displayed in a clean GUI
• different scan options, including scheduled scans and scans of mounted volumes
• clear and persistent alerts
• normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

To set up Mac Internet Security X9, you just need to download and run the installer from the vendor’s website. The setup wizard is straightforward however, you have to manually open the program after installation. After that, you will be prompted to activate the product and allow the program Full Disk Access in the macOS system settings. The program can be uninstalled by re-running the installer and double-clicking Uninstall, or by deleting the Intego folder from the macOS Applications folder. The program’s window has both dark and light modes, which co-ordinate with the dark- and light-mode settings of macOS.

General Handling & Essential Features

Protection status, scan options (quick, full, scheduled scan), quarantine, list of scan exceptions (Trusted Files), and settings are all found on the Scan page of the main program window. A manual update can be triggered by clicking on the Malware Definitions link on the Scan page, or by selecting Check for Updates under the VirusBarrier menu or the system tray icon in the macOS menu bar. In all cases, the NetUpdate application opens which displays the update status, along with the days after which the protection expires, and related settings. The subscription information can be viewed in the About box of the VirusBarrier menu. The online help is found in the Help menu in the macOS menu bar which opens the support page in the default browser. Additionally, a basic help displays an overlay that explains the principal features in the main program window.

Protection

From the Scan page of the main program window or the File menu in the macOS menu bar, you can start a quick scan, full scan, or custom scan of specific files or folders. The latter can also be run from e.g., the Finder context menu. The automatic scan of volumes when they are mounted can be activated in Settings. On the Scan page, you can also configure scheduled scans (Schedule) as well as the program’s protection and detection behaviour (VirusBarrier Preferences). The program checks if the safe browsing feature of supported browsers (Safari, Chrome, Firefox) is enabled and warns you in case it is turned off. VirusBarrier uses Intego’s own detection engine to detect macOS malware but makes use of the Avira engine to detect Windows malware.

Alerts

When we disabled Intego’s real-time protection on the Scan page, the alert below was shown in the main program window. We were able to reactivate the protection easily by clicking Turn On.

When malware was detected in our protection test, the program showed the dialog and an alert in the form of a system notification, including the file name and action taken, shown below. No user action was required. The dialog persisted until we closed it and the alert closed automatically after a few seconds.

Quarantine & Logs

The Quarantine page of the program (screenshot below) shows you all the items that have been quarantined. There are options to delete, repair, or restore (trust) a single or all the quarantined files. If you click on an individual item, the path to its location will be shown in the status bar at the bottom.

Logs on the Scan page displays a list of all system events, including updates, scan and real-time detections, real-time protection status, and items added to or deleted from quarantine. The applicable date and time are shown, along with a traffic-light colour-coding system for each item. Malware finds are thus shown as red, quarantine actions as yellow, and enabling real-time protection as green.

Advanced Options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

• Disable protection features (under Scan page, Settings, or system tray icon)
• Uninstall the program

Summary

Kaspersky Plus for Mac is a paid-for antivirus program and an excellent choice for non-expert users. Some of its key aspects are:

• simple and straightforward installation and guided setup of core features
• all available features displayed in a well-organized and neat interface
• different scan options and many settings, including scheduled scans and automatic USB scan
• clear alerts
• normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

You can set up Kaspersky Plus for Mac by downloading and running the installer from the vendor’s website. The initial setup is straightforward as the program guides you through step by step and provides brief explanations. During that, you can enable additional protection features, such as Wi-Fi network protection and browser extensions for Safari/Chrome/Firefox. When setup is complete, the main program window displays several recommendations, such as activating automatic macOS updates, signing into My Kaspersky account, and installing missing browser extensions, the Kaspersky VPN or Password Manager apps. The program can be uninstalled by clicking Support > Uninstall in the Help menu of the macOS menu bar or by deleting it from the macOS Applications folder.

General Handling & Essential Features

Protection status, scan options (Scan), and subscription information (Profile) can all be accessed from the main program window. Settings, including all the protection features and list of scan exclusions (Trusted Zone), quarantine (Detected Objects), and help, which shows the support page in the default browser, are all in the macOS menu bar. A manual update can be triggered from Database Update in the main program window or by clicking Update Databases from the system tray icon.

Protection

From Scan, you can start a quick scan, full scan, or custom scan of selected files or folders. The latter can also be run from e.g., the Finder context menu. Scans can be scheduled from the cogwheel icon in the top right-hand corner and the settings. In addition to modifying the program’s detection behaviour and the named scan options, the external disk scan can be configured from the settings. The detection of stalkerware is enabled by default.

Alerts

When we disabled Kaspersky’s real-time protection or any other protection feature under Settings > Protection, a notification appeared, and an alert similar to the one below was shown in the main program window. The real-time protection can also be turned off via the system tray icon. We were able to easily reactivate either protection feature by clicking Enable.

When malware was detected in our protection test, the program displayed an alert in the form of a system notification shown below, including the file path, where the threat was found, and the action taken. No user action was required, and the alert closed automatically after a few seconds. Additionally, a link to the quarantine is shown on the home page of the main program window.

Quarantine & Logs

The Detected Objects page shows quarantined items, along with the threat name and file path. By clicking on the ”…” symbol at the end of each line, you can delete or restore individual items. You can delete all quarantined items using the Delete All button. The Reports window shows processed objects (detections) as well as activities about updates, scans, and the different protection features.

Advanced Options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

• Disable protection features (under Settings or system tray icon)
• Uninstall the program

Summary

Trellix Endpoint Security (HX) is a security package suitable for large-sized enterprise networks (up to 100,000 endpoints per appliance) and provides a cloud-based console for managing the endpoint protection software. Some of its key aspects are:

• investigative functions for analysing and remediating attacks
• comprehensive search facilities
• variety of console types (cloud-based, hardware/virtual appliance, Amazon-hosted)
• well-organized cloud-based console with easy access to details pages
• containment feature to isolate infected devices

Management Console

The console is navigated from the menu at the top of the page. This lists different sections and pages, such as Dashboard, Alerts, Hosts, Acquisitions, Rules, Enterprise Search, and Admin. We will describe the most relevant sections and pages below.

Dashboard

When you login to the console, you will see an overview of key status items (screenshot above). These include the total number of hosts with alerts, with a breakdown by exploits and malware, recent file acquisitions, and contained/active/inactive hosts. Clicking on the Total hosts with alerts button opens the Hosts with Alerts page.

Hosts > Hosts with Alerts page

This page displays details of protected devices/hosts with alerts that have not yet been resolved. If you click on the plus sign for a host, you can view the list of its alerts, in chronological order and with a wealth of details. This includes detection type (e.g., signature detection), alert/detection times, scan type (e.g., on-access, on-demand), malware name/type, file status (e.g., quarantined), file metadata (e.g., path, MD5/SHA1 hash, size, last modified/accessed times), process path, username of logged-on user, and content version (signature). Each threat can be acknowledged (marked as “read”), or marked as false positive. You can also add comments for future investigation. From Quarantines, you can restore, delete, or acquire individual quarantined files for further analysis (see Acquisitions page shown below).

Alerts page

For a threat-centric rather than a device-centric view, you can go to the Alerts page. It shows a list of detected threats which you can sort or filter by name, file path, first/last event time, host name, or host IP address. Besides deleting alerts, options for Acknowledge, Mark False Positive, and Add Comment are provided here too. If you click on the threat name of a list item, the details view of the Hosts with Alerts page is opened.

Hosts > Host Management page

This page lists all the registered devices/hosts along with different attributes shown in filterable and sortable columns. The visibility of each column can be changed from a separate menu in the top right-hand corner. The attributes include, e.g., host name, online status, operating system information, username of logged-on user, containment status, installed agent version/signature, active protection/detection capabilities, and last seen date. Clicking on an entry reveals a panel with all the available device information.

Acquisitions page

This page lets you download files that have been acquired from hosts in order to analyse them. You can acquire files or various items of diagnostic data from an individual host on the Hosts with Alerts page.

Rules page

This page contains rules matching indicators of compromise (IOCs), exploit detections, or false positives in order to help identifying specific threats or suspicious behaviours on an endpoint. This rule collection is primarily maintained by Trellix’s Dynamic Threat Intelligence (DTI) cloud, but you can add your own enterprise-specific rules with individual conditions as well.

Enterprise Search page

On this page, you can extensively search the network for a wide variety of items. These include application name, browser version, host name, various executables, file names/hashes/paths, IP address, port, process name, registry key, service name/status/type/mode, timestamp, URL, username, and Windows Event Message.

Admin section

On the Policies page, you can add custom endpoint protection policies and configure numerous different aspects of existing ones. Examples of configurable categories are malware protection (e.g., detection options, definition updates, exclusions, quarantine actions), malware scans (e.g., scheduled scan), whether to show alerts on the host, event logging (e.g., information level, age), polling frequency, removal and tamper protection, resource usage, and management server address. On the Host Sets page, groups of hosts can be defined according to a wide variety of criteria, or simply by dragging and dropping from the list of all hosts. Different protection policies can be applied to each host set.

Endpoint Protection Client

Deployment

Current and older versions of the endpoint protection client (Agent) for Windows, macOS, and Linux systems can be downloaded from the Admin > Agent Versions page. The installer file can be run manually, or via a systems management product such as Jamf. In the former case, you will need to remember to give the agent Full Disk Access in the macOS system settings which is necessary for the product to work properly. After installation, the agent takes some minutes to download the protection engine before protection will be finally active.

General Handling & Alerts

With the settings used in this test, no user or command-line interface is provided in order to interact with the program on the host. When malware was detected in our protection test, no detection alerts were shown on the host.

Summary

Trend Micro Antivirus for Mac is a paid-for antivirus program and well suited to non-experts. Some of its key aspects are:

• simple and straightforward installation and guided setup of core features
• all available features displayed in a well-thought-out user interface
• different scan options including scheduled scans; ransomware protection, browsing-protection add-ins
• clear and persistent alerts
• normal user accounts cannot take risky actions (e.g., disable protection, uninstall program)

Installation, Setup & Deinstallation

After downloading and running the installer from the vendor’s website, the setup wizard guides you through each installation and configuration step. Aside from choosing whether to enter a licence key or use the trial version, there are no decisions to make. When you first open the program, it prompts you to set up Camera and Microphone Protection and ransomware protection (Folder Shield). For the latter, you can easily customise the default list of folders to be protected. Additionally, the Safari extension Trend Micro Toolbar for Mac is installed and will be activated if you authorise this. The program can be uninstalled by using the uninstaller located inside the Trend Micro folder of the macOS Applications folder. The Trend Micro folder also contains a diagnostic toolkit used for troubleshooting and other problem-mitigating tasks (requires a macOS administrator account).

General Handling & Essential Features

Protection status, smart scan (Scan Now), scan options (Scans), protection features, and subscription information can all be accessed from the Overview page of the main program window. Quarantine can be found under Logs > List Quarantined Files. Settings provide access to a list of scan exclusions (Files Not Scanned) and the quarantine and are located under Trend Micro Antivirus in the macOS menu bar or the system tray icon. A manual update can be triggered directly from the Overview page, Protection menu in the macOS menu bar, or the system tray icon. The online help opens the support page in the default browser and is found in either the Help menu in the macOS menu bar, the system tray icon, or when clicking the ? icon located on several pages of the main program window.

Protection

From Scans, you can start a smart scan of the most critical areas, full scan of every file on the system, or custom scan of selected files or folders. Scheduled scans as well as the detection behaviour and scan options can be configured in the Scans page of the settings. The web protection and anti-ransomware feature can be modified from its respective subpage of the main program window. If you install the Trend Micro browser extension, safety ratings (indicated by coloured symbols) are added to Google, Bing, and Yahoo search results as well as web-based email services from Gmail and Yahoo. A Website Filter blocks access to selected websites based on rating scores, pre-defined filters (e.g., child, teenager, adult) or a user-defined blacklist.

Alerts

When we disabled Trend Micro’s real-time protection or web threat protection on the Overview page or from the Protection menu in the macOS menu bar, the alert below was shown in the main program window. The real-time protection can also be turned off via the system tray icon. We were able to easily reactivate either protection feature by clicking Fix Now.

When malware was detected in our protection test, the program displayed the alert shown below. No user action was required, and the alert persisted until we closed it. Clicking on View Results opens the logs/quarantine page and shows you what’s been detected.

Quarantine & Logs

The Logs page lists all the threats that have been detected, along with the threat name, file path, date when this happened, and action taken, under the log type Scan Results. Quarantine functionality, including options to delete, restore, or clean quarantined items (you have to enter administrator credentials to take either action), is reached by clicking List Quarantined Files.

As noted in previous years, the quarantine and log data are displayed in panels within small windows that cannot be resized or maximised. It is necessary to resize the columns to see all the content, and then scroll to the left to see all the data for one entry. We found this very inconvenient. However, it is possible to export the log as a .CSV file.

Advanced Options

Only users with a macOS Administrator account can perform the following tasks (caution is advised):

• Disable protection features (under Overview)
• Uninstall the program
• Delete and restore items from quarantine

Advertising

The program advertises Trend Micro’s freemium Cleaner One Pro program. Running a Smart Scan will find “junk files” and prompt the user to get Cleaner One Pro to remove these. Additional freemium software is promoted on the pages Privacy Tools and Utility Tools of the main program window.