AV-Comparatives Mac Security Test & Review 2018

Introduction

It is an often-heard view that macOS computers don’t need antivirus protection. Whilst it is certainly true that the population of macOS malware is tiny compared to that for Windows and Android, there have been instances of macOS malware getting into the wild. Moreover, Apple Mac security needs to be considered in the wider context of other types of attacks.

In addition, it should be noted that Apple themselves ship some anti-malware capabilities within macOS. Firstly, there is “Gatekeeper”, which warns which warns when apps without a digital signature are run. Then, there is “XProtect”, which checks files against known-malware signatures. Finally, apple provide MRT (Malware Removal Tool). Gatekeeper and MRT are essentially invisible to users and have no direct user interface for the user. System updates are installed automatically using the update process. Despite the built-in capabilities, some security experts recommend strengthening the defenses by adding in a third-party antivirus package. There are many good reasons for this. Firstly, the approach taken by Apple might be adequate for well-established malware, but might not respond quickly enough to emerging threats. Secondly, you might want a broader base of malware evaluation.

Some vendors’ macOS security products can detect malware aimed at other operating systems too. Hence an AV program on your macOS computer could effectively handle Windows and Android malware too. Of course, there is no method by which Windows or Android malware could directly infect a macOS device. However, there are scenarios where you might well benefit from scanning for such threats. For example, if you are given a USB stick of photos by one friend, who asks you to make a copy for a second friend. They both use Windows, but you are using a macOS computer. There is Windows malware on the USB stick, and you make a copy of all the files. In this scenario, it is useful to be able to ensure that malware is not inadvertently passed on from one friend to another, even if your own machine is not at risk.

Mac security programs can offer other capabilities too. For example, browser extensions can identify web sites which are potentially phishing locations. Readers should note that Mac users are just as vulnerable to phishing attacks as users of e.g. Windows, as phishing sites function by deceiving the user rather than by altering the operating system or browser.

Other packages might offer VPN (virtual private network) capabilities which can be very useful when you need to operate your computer in an untrusted environment, like a public location, internet café or other place where you are not sure of the integrity of the connection. You might also want to replace macOS’ built-in parental control capabilities with third party tools, if you believe this is more appropriate to your family needs.

Before purchasing a Mac security solution, you also need to decide on the size and scope of the protection you wish to deploy. It might be for a single computer, or to a laptop and desktop. Or you might have a family environment. There might be a mixture of macOS laptops and desktops, but also other devices too like Windows desktops and laptops, along with iOS and Android phones and tablets. For this environment, a broader and more flexible licensing package might well be appropriate.

This could allow you to purchase e.g. 5 licenses and then distribute them amongst your collection of devices. It could also give you the flexibility to transfer licensing from one device to a new item, e.g. if you need to replace an aging Windows laptop with a new MacBook. Some packages offer cloud-based management interfaces. Usually this is to cover the licensing of the packages, but some can also be used to initiate malware scans and device updates and manage parental control capabilities.

Then there are packages which are really aimed at the business and corporate space. Here the macOS support is but one component of a much larger deployment and management infrastructure. This will cover all devices and operating systems, often running thousands of managed devices. Although it might be tempting to go for a larger and stronger solution than is appropriate for your organizational size, be aware that the larger platforms have significant up-front design, management and deployment overheads. This is required to allow these tools to scale to the sizes that they can support, and they usually bring in a level of day-to-day commitment which, although entirely proper and required in a larger enterprise, is simply beyond the capabilities and resourcing of a small company.

Experienced and responsible Mac users who are careful about which programs they install, and which sources they obtain them from, may well argue – very reasonably – that they are not at risk from Mac malware. However, we feel that non-expert users, children, and users who frequently like to experiment with new software, could definitely benefit from having security software on their Mac systems, in addition to the security features provided by the Mac OS itself. Readers who are concerned that third-party security software will slow their Mac down can be reassured that we considered this in our test; we did not observe any significant performance reduction during daily operations with any of the programs reviewed.

As with Windows computers, Macs can be made safer by employing good security practices. We recommend the following:

1. Do not use an administrator account for day-to-day computing
2. Use a sandboxed browser such as Google Chrome
3. Uninstall/disable the standalone Flash Player
4. Uninstall/disable Java unless it is essential for you
5. Keep your Mac operating system and third-party software up-to-date with the latest patches
6. Use secure passwords (the Mac includes the KeyChain password manager)
7. Deactivate any services such as Airport, Bluetooth or IPv6 that you don’t use
8. Be careful about which programs you install and where you download them from

Tested Products

We have reviewed and tested the following products for this report, using the newest version available in July 2018:

• Avast Free Mac Security 13.9
• Avira Antivirus Pro for Mac 3.10
• Bitdefender Antivirus for Mac 6.2
• BitMedic Antivirus 2.6
• CrowdStrike Falcon Prevent for Mac 4.9
• F-Secure SAFE for Mac 17.3
• Intego Mac Premium Bundle 10.9
• Kaspersky Internet Security for Mac 19.0
• Trend Micro Antivirus for Mac 8.0
• Webroot SecureAnywhere Internet Security Complete for Mac 9.0

We congratulate these manufacturers, who elected to have their products reviewed and tested, as we feel their commitment is a valuable contribution to improving security for Mac systems.

Test Procedure

Malware Protection Test

The malware protection test checks how effectively the security products protect a macOS system against malicious apps. The test took place in July 2018, and used very recent macOS malware that had appeared in the preceding few months. We used a total of 310 recent and representative samples of genuine malware that runs on current macOS systems (10.11 and higher).

A survey of Mac security experts showed that in total, several tens of thousands of unique mac samples had appeared in the first half of 2018. However, this figure might include many samples which could be classified as “potentially unwanted” – that is, adware and bundled software – depending on interpretation. Very many of the remaining (true malware) samples are often near-identical versions of the same thing, each with a tiny modification that just creates a new file hash. This enables the newly created file to avoid detection by narrow blacklist-based protection systems such as XProtect. There were in fact less than one dozen new families, and in total less than two dozen new variants, of true Mac malware seen in 2018. Some of these will only run on older versions of the macOS operating system. Consequently, the 310 samples used for the test represent an accurate guide to the current threat landscape, even if the sample size seems very small compared to what is commonly used for Windows.

As most Mac systems do not run any third-party security software, even these few threats could cause widespread damage. Precisely because a Mac security product only has to identify a small number of samples, we would expect it to protect the system against most (if not all) of the threats, so the protection rate required for certification is relatively high (99%).

Before the test, the Mac OS systems were updated and an image created; no further OS updates were then applied. Each program was installed on the freshly imaged machine and the definitions updated to the 10^th July 2018. The Mac remained connected to the Internet during the tests, so that cloud services could be used. A USB flash drive containing the malware samples was then plugged in to the test computer. At this stage, some antivirus programs recognised some of the samples. We then ran an-on demand scan of the flash drive, either from the context menu if available, or from the main program window if not. Samples found were quarantined or deleted. After this, any samples which had not been deleted or disabled by the real-time protection or scan were copied to the Mac’s hard disk. These remaining samples were then executed, providing the security product with a final chance to detect the malware. After each active infection, a full scan was performed, in order to give the products a chance to check for active malware.

Testcases

In addition to the Mac malware samples, we also scanned and executed a set of clean Mac programs to check for false positives. None of the programs we tested produced any false alarms.

Most of the Mac security products in our review claim to detect Windows malware as well as Mac malware, thus ensuring that the user’s computer does not inadvertently act as a conduit for programs that could attack Windows PCs. For this reason, we also checked if the Mac antivirus products detect Windows malware. We used 1,000 prevalent and current Windows malware samples; the procedure was identical to that for Mac malware, except that we did not make any attempt to run any of the samples that were not detected in the scan, as Windows programs cannot be executed under Mac OS.

Test Results

The table below shows protection results for the products in the review. The figures for Mac malware protection indicate the number of samples blocked at any stage of the testing procedure, i.e. regardless of whether the malware was detected/blocked in one of the on-demand scans, by real-time protection, or on-execution.

Product Reviews

Review Procedure

Here we have outlined the features and functionality that we have looked at for each program in this review.

What is it?

Here we look at the type of scenario the product is aimed at, including whether it is free or paid for.

Product installation and configuration

This describes how to get the product up and running on your Mac(s), starting with downloading the installer, and finishing with any post-setup tasks needed. These might include installing and allowing browser extensions, for example.

Ongoing use

Here we consider the interaction the user will have with the program when using the GUI to carry out everyday tasks. These include such things as monitoring status, responding to alerts, dealing with malware found, and running scans on the system and removeable devices.

Award levels reached in this Mac Security Review

This year, all of the products we have reviewed receive our Approved Security Product award.

A summary of the review is shown below. Users should also consider other factors, such as price and support, before choosing a product. We always recommend installing a trial version of any paid-for product before making a purchase.

Looking at the products, there are offerings from all of the well-known vendors: Avast, Avira, Bitdefender, F-Secure, Intego, Kaspersky Lab, Trend Micro and Webroot all offer strong products with a varying mix of capabilities. Always make sure that you are buying the appropriate bundle for your needs, and also be aware that there are often special offers and bundles which can offer a lower cost for first-year purchasing. It is also a good idea to watch out for indications of pricing that will apply from the second year, as this can sometimes be a significant rise in cost.

For each product, especially those with a wide range of capabilities, ensure that all of the functionality that you require has been installed. If there are web browser extensions, for example, then it is wise to enable these. Other functionality might be valuable to you, but not required immediately – parental control, VPN and so forth. Nevertheless, it is wise to ensure that you have a good working knowledge of the capabilities of package when you install it, so you are aware of what can be enabled later on if necessary.

BitMedic might be a good fit for your needs. However, we felt it had room for improvement in its user interface, configuration tools and daily operational performance.

In the business end of the market, CrowdStrike brings a very impressive array of capabilities to the medium and larger enterprise. The macOS component is just one part of the larger platform here, and the range of tools, the design and deployment flexibility, and the raw analytical power that it brings places it in quite a different space from normal home/small office-oriented AV packages. Such a platform requires significant investment both in the product itself, but also in the implementation. However, when deployed appropriate, supported within the enterprise, there is no doubt that macOS can be effectively managed within the broader business context.