Update: The KB article referenced is now offline. You can see the archived version here.
Update 2: On Tuesday evening, Apple told Macworld that the KB article was removed because it was outdated and inaccurate; Mac OS X includes adequate security protection out of the box. The BBC has also rolled back the story, and has a more detailed post on the issue. Not sure I'm completely in agreement with this approach from Apple.... --MR
When the concepts of "antivirus" and "Mac OS X" approach each other in the blogosphere, the usual outcome is more heat than light. The current example of keyboards outpacing brainwaves has emerged from a storm of posts on various sites, mostly tracing back to security analyst/Washington Post writer Brian Krebs and AppleInsider's Aidan Malley. Both pointed to a "recently published" Apple KB article that listed a trio of AV applications available for Mac OS X.
More shocking to this pair of pundits: the KB article actually went so far as to encourage Mac users to buy, install and use antivirus software -- even "multiple antivirus utilities" to prevent the spread of malware, which was trumpeted by a ZDnet headline. What now? Is Apple's security story on the marketing front now undermined by the quiet truthtelling of the support site? Should Justin Long apologize to John Hodgman? Are cats and dogs now living together? Is the BBC picking up the story (yes, unfortunately, it is)?
The relevant quote from the shiny new KB article that has caused such commotion:
Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one program to circumvent, thus making the whole virus writing process more difficult.
Let's be fair: Apple's prose isn't helping matters, because while we all know that "widespread use of multiple antivirus utilities" doesn't mean you should be installing multiple AV tools on your one, single Mac -- the point is that the ecosystem should have variation, making it harder for malware writers to attack the entire population with one well-crafted exploit -- that fine distinction appears to have been lost on some of those who encountered this "new" KB article.
This, of course, brings us to point #2: a careful reading (or really, any reading at all) of the KB item shows the "Old article: 4454" legend at the top right. Yes, Apple does sometimes update KB articles, and in this case the same exact "multiple utilities" copy has been on the support site for a while -- the article was
originally publishedpresent on Apple's site in June of 2007, and was updated simply to reflect current versioning on the Intego and Symantec AV products.
[Correspondents have pointed out that the sequence number of the KB article places the original version of it back in 1992. That version clearly dealt with Mac OS Classic antivirus apps, and isn't really on the same narrative track as the once-but-current Mac OS X incarnation -- but it's a valid point that Apple has had a public notice of available security tools for many years (who remembers Disinfectant and Vaccine?). Records of the KB4454 URL on archive.org indicate that there was something at that address as far back as September 2001, but cached copies are not available.]
So, to sum up, Apple's recommendations have changed not a whit in 18 months. Everyone who is decrying the sad state of security on the Mac -- or, conversely, crediting Apple for waking up and smelling the coffee -- is chasing his or her cybertail with a great deal of enthusiasm. Malware on the Mac, such as there is, is still almost exclusively delivered via social engineering, so please don't install random video codecs downloaded from porn sites. That said, the commercial and free AV options for the Mac are pretty stable, and they're certainly worth exploring if you want to be a good computing citizen who doesn't relay Windows malware from friend to friend unknowingly. Read on for my top five tips when/if installing AV tools on your Mac.
Hat tip to MacDailyNews for linking the original KB article from the Internet Archive.
Mike's Five Tips for Peaceful AV on the Mac:
- To go forward, back up. Even the least intrusive AV utility requires access to your Mac's filesystem and processes at a very low level in order to do its job properly. A bug could render your machine inoperable and your data inaccessible (making the cure just as bad as the disease). Be sure to have a solid backup prior to installing your AV tool, and get a performance snapshot (either via Xbench or simple stopwatch checks of common operations) before proceeding.
- If it's slow, let them know. The pre-install performance 'sense of the Mac' noted above is important because of the most common AV side effect: loss of 'teh snappy' as the overhead of AV scanning drags your Mac down. We'll get to the ways to avoid most slowdowns next, but if you've done everything by the book and you're still suffering laggy-Mac syndrome, it's crucial to tell your software vendor about it and make sure they're aware of the issue.
- The exceptions are the rules. By far the most important performance tweak to any AV tool is setting good exceptions. Just like you should be excluding big, blobby monolithic data sets from Spotlight indexing, you should do the same with your AV tool. Specifically, on the Mac, the prime candidates for exclusion are the Microsoft User Database (Entourage & Exchange users found this out the hard way with SAV 10, as the once-a-minute modifications to the mail database triggered repeated, and painful, scans of the entire huge file) and any virtual machines or frequently-modified disk images (VMware and Parallels users, take note). Most AV vendors have specific instructions for dealing with FileVault home folders as well -- primarily that they don't play well together.
- Leave the LAN alone. Most AV apps have a preference or checkbox to avoid scanning network volumes. Make sure this is set correctly -- you do not want to bring a shared drive or fileserver to its knees with an ill-advised scan.
- News Flash: Beware Flash. With the increasing prevalence of sophisticated server-side email antivirus scanners, the historical problem of malware-in-mail is far less of an issue for most corporate and big-service email users than it used to be... which leaves one primary vector for malware infections: flash drives and iPods. It's a pain and a drag, but if you operate in a file-sharing world where PC users are trading data with you on a regular basis, you should have your AV app set to scan drives on mount. If it's slowing you down too much, a scheduled scan once a week of any frequently-used drives will help keep your portable media safely in compliance.