It doesn't surprise me when someone says, like David Einstein of the San Francisco Chronicle, that there's no need for a Mac user to run anti-virus software. The most usual reason I see given, though, is that there aren't any Mac viruses. (There are, but nowadays the main reason to run anti-malware on any platform is to catch other forms of malware.) David's reason might seem a bit more puzzling: he suggests that it's unnecessary because "Macs have fewer virus problems than Windows PCs". Well, let's assume he means malware rather than viruses.

Either way, that would seem an odd statement if you assumed that he meant "you only need AV on a platform that has lots of malware" (let's not get hung up on what constitutes a lot...), but the next paragraph makes it clear that he means something different: "But if you use common sense, you don't need virus protection even for Windows."

Well, that's a pretty bold statement. But he suggests that you need only to take "commonsense" precautions:

  • Don't open email messages unless you trust the sender
  • Don't download infected programs or install one from a disc or external drive
  • "just deal with reputable sources"

Unfortunately, he doesn't go into any detail about how you ascertain that the sender address is genuine, how you avoid drive-by downloads and autorun-exploiting malware, how you assess "reputation", or how you can recognize the myriad social engineering ploys that are out there. Well, I'm not going to at this point, either: that would make this a pretty long post. But without that sort of information, this advice amounts to little more than a dangerous twist on "Be careful".

Why is it dangerous? Because it gives the impression that "common sense" is a replacement for security software. I wouldn't say it's absolutely impossible to run a system safely without an anti-malware program, but there's a bit more to it than only opening email from your mother. Of course, there are many people who don't know much about malware, but run AV so that they don't need to.

While I never advocate putting so much trust in AV that you don't bother to take other precautions and assume that AV will protect you from anything you choose to click on, it seems to me that running it is, for most people, more sensible than not running it. But hey, I'm no Einstein: maybe I need to look for an alternative career. :)

David ("but I would say that, wouldn't I?") Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Tip of the hat to Bob McMillan (@bobmcmillan) who pointed this out with the immortal words "SF Chronicle: Web-based attacks don't exist."

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/