Antivirus on OS X: Total cost of ownership

Peter Tippett
December 23rd, 2008

by Peter Tippett and Kevin Long

This is Part III of a three-part series on OS X security. Please read Part I and Part II if you haven’t already.

If you ran Amtrak, would you install a missile defense system on your trains? Trains are certainly vulnerable to missile attack, and the cost of such an attack would be devastating. Luckily, trains are not commonly subjected to missile attack, so the cost of implementing such a defense is not justified.

Is the protection afforded by antivirus software (AV) worth the cost? First we’ll estimate the cost, then we’ll discuss the protection AV affords.

On the low end of the scale, Mac antivirus software costs roughly $40, and that cost repeats annually. There are free options available, but we’ll use $40/year as an estimate. However, the bulk of the cost resides elsewhere.

Antivirus software requires installation, configuration, and ongoing maintenance. Downloading updates uses bandwidth, AV operation uses system resources, and maintenance takes time. To quantify that last point, we'll estimate that running AV costs at least one minute of user time each day, whether through active engagement with the software, slower system performance, or slower Internet connectivity. One minute a day is roughly six hours a year; if you value your time at $40 per hour, that is over $240 per year in time alone, on top of the $40 license, or about $280 per year in total. Had you installed AV in 2001 when you purchased your first OS X system, your AV investment would now exceed $2000 per system.

What would that investment buy you? To date, there are no known cases of Mac OS X users suffering significant data loss due to a virus. There have, however, been at least three separate outbreaks of data loss caused by OS X users running antivirus software, and antivirus software has also introduced vulnerabilities of its own.

Antivirus software runs with enough privilege, and low enough in the system, to affect performance noticeably and to modify or remove crucial system files and user data. Numerous reports from a variety of sources suggest that a negative performance impact is common, and outbreaks of significant data loss have occurred. One outbreak occurred when an antivirus product falsely identified system files as the Inqtana worm and deleted or quarantined them. On at least one large college campus, this translated into many hours of system reinstalls by IT professionals, and other locations suffered similar issues. The damage in such cases comes from the automatic action taken on a false positive: a product configured only to alert, or not to delete automatically under system directories, fails far less catastrophically.

Beyond the scarcity of OS X viruses, Mac AV also suffers from a lack of accountability. With few or no OS X viruses circulating in the wild, Mac antivirus products are never tested against real attacks, and it is unlikely that AV vendors devote the resources needed to bring their OS X products up to par with their Windows counterparts. Nor is there a certification program for such products, which removes another avenue for accountability. (In the interest of full disclosure, note that ICSA Labs is an independent division of Verizon Business that offers vendor-neutral testing and certification of security products.)

For the time being, Mac users who install antivirus software may actually increase the risk to their systems by adding a new attack surface. Until the risk equation changes significantly, the RISK Team recommends that (with exceptions) antivirus need not be used in most situations, as long as other security measures are in place.

The principal exceptions are cases in which going without AV would violate an information security policy.

Back to our initial question: What’s a Mac user to do? Here are a few quick and effective security measures:

  • Uncheck the “Open ’safe’ files after download” box in Safari’s General Preferences.
  • Utilize your browser’s security features (anti-popup, anti-phishing, etc.).
  • Run Software Update on a weekly basis, and install security updates as they are made available.
  • In the Security System Preference, be sure the firewall is not set to “Allow all incoming connections”.
  • Do not download, run, or share software from unknown sources.
  • Do not open or share unexpected attachments received via email or instant messenger.
  • Only connect to trusted wireless networks.
  • In an enterprise environment, an anti-spam solution should be in place.
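
As an added example (not part of the original post), here is a read-only shell script that audits three of the settings above on a Mac OS X system: the Safari "Open 'safe' files after download" box, the application firewall mode, and Software Update's automatic check, followed by a listing of pending updates. The preference domains and keys it reads (`com.apple.Safari AutoOpenSafeDownloads`, `/Library/Preferences/com.apple.alf globalstate`, `/Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled`) and the meaning it assigns to the firewall `globalstate` values are assumptions drawn from the shipping defaults, and should be verified against your own OS X version before the script is trusted. It changes nothing, and on a non-OS X system it reports that there is nothing to audit and exits cleanly.

```shell
#!/bin/sh
# Added example, not from the original post: read-only audit of a few of the
# checklist settings. Preference keys and value meanings are assumptions
# (see the lead-in); verify them on your own OS X version.

# Interpretation helpers: each takes the raw preference value and returns 0
# (success) when the setting matches the recommendation.

# Safari "Open 'safe' files after download": key AutoOpenSafeDownloads.
# The default (key unset) is enabled, so only an explicit 0 passes.
safari_autoopen_ok() {
    case "$1" in
        0|false|NO) return 0 ;;
        *) return 1 ;;
    esac
}

# Application firewall global state, /Library/Preferences/com.apple.alf:
# 0 = "Allow all incoming connections" (the setting to avoid),
# 1 = set access for specific services and applications,
# 2 = allow only essential services. Anything but 0 passes.
alf_state_ok() {
    case "$1" in
        1|2) return 0 ;;
        *) return 1 ;;
    esac
}

# Software Update automatic check: key AutomaticCheckEnabled, 1 = on.
swupdate_autocheck_ok() {
    case "$1" in
        1|true|YES) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one preference; print "unset" when the key or domain is missing so
# the helpers always receive a value.
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || echo unset
}

# $1 = label, $2 = raw value, $3 = name of the helper to apply.
report() {
    if "$3" "$2"; then
        printf 'OK    %s (value: %s)\n' "$1" "$2"
    else
        printf 'FIX   %s (value: %s)\n' "$1" "$2"
    fi
}

audit_osx() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found: not an OS X system, nothing to audit"
        return 0
    fi
    report "Safari auto-open 'safe' files disabled" \
        "$(read_pref com.apple.Safari AutoOpenSafeDownloads)" safari_autoopen_ok
    report "Firewall not set to 'Allow all incoming connections'" \
        "$(read_pref /Library/Preferences/com.apple.alf globalstate)" alf_state_ok
    report "Software Update automatic check enabled" \
        "$(read_pref /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled)" \
        swupdate_autocheck_ok
    # softwareupdate -l contacts Apple; it prints "No new software available."
    # when the system is current, otherwise the list of pending updates.
    echo "Pending updates (softwareupdate -l):"
    softwareupdate -l 2>&1 | sed 's/^/    /'
}

audit_osx
```

Run it as `sh audit.sh` from an administrator account; each line is prefixed `OK` or `FIX` with the raw value in parentheses, so a `FIX` on the firewall line with value 0 means the machine is currently accepting all incoming connections. The script deliberately stops at reporting: applying the fixes is a `defaults write` away, but changing security preferences in a script is something to do only once the keys have been confirmed for the OS X version in front of you.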

Apple provides more information about configuration in their client and server security guides, and there’s even information available for users who want to keep their systems extra secure.

For enterprise users, follow your corporate policy. The likelihood of a successful attack probably does not change much in the enterprise whether or not AV is installed, and adding AV may introduce more vulnerabilities than it removes, but the impact of a failure is often greater in an enterprise setting. That means that even if the likelihood is small, the product of likelihood and impact can still be large enough to justify additional protection. In enterprises we also need to count the threat of a compliance failure, which can put your organization on the front page of the paper, cost people their jobs, or bring fines every bit as damaging as an infection by a future worm, trojan, or virus. Many enterprise programs and standards are risk-based. If you are in a position to do so, you may be able to make a risk case for treating Mac and Linux desktops differently from Windows-based machines, for all of the reasons stated in this series of posts.


Comments

  1. [...] of Use « Antivirus on OS X: Is it time? Antivirus on OS X: Total cost of ownership [...]

    Posted by: Verizon Business Security Blog » Blog Archive » Antivirus on OS X: The risk equation on December 23rd, 2008 at 2:07 pm
  2. [...] I do run Little Snitch. We neglected to mention egress firewalls as a worthwhile addition to good OS X configurations in that series, and would like to take the opportunity to do so [...]

    Posted by: Verizon Business Security Blog » Blog Archive » Antivirus vs. egress firewall on February 3rd, 2009 at 1:57 pm
