
A rash of Flashback infections has us thinking about malware protection for our Macintoshes.  Is anyone using a product that you’d recommend (or recommend against!)?   If you are supporting malware protection for your Macintoshes, is the impact on system performance acceptable?   Is it effective in preventing or at least detecting infections?  Are updates timely?  Is it affordable?  

Thanks for any experience or insight you can share.  

Dean Williams, GSLC     
Information Security Officer                             
Enterprise Technology Services      
University of Vermont
Dean.Williams@uvm.edu | 802-656-1174 






Comments

We are using Trend Micro Office Scan plug-in for Mac.  The machines don’t seem to take any performance hit and early tests show that it is detecting / preventing some malware.  We have only been running it for a couple of weeks and haven’t put it through a thorough test.

 

Jason Rinne

Systems Administrator

500 E. College Street ∙ Marshall, MO 65340

P 660-831-4088 

rinnej@moval.edu




 

We use Sophos.  It seems to run fine without any performance hits and the clients can now be managed via their Enterprise Console.

 

Ronald King

Security Engineer

http://security.nsu.edu

 

Message from r-safian@northwestern.edu

 

Perhaps this might be of interest?

 

http://arstechnica.com/apple/2012/05/hands-on-with-five-antivirus-apps-for-the-mac/

 

Message from safranj@greenmtn.edu

Another +1 for Sophos.  We are very happy with it!

We are using McAfee on the Macs with no noticeable performance issues. We just moved our Windows machines to FEP.

 

 

Tim Cappalli, ACMP CCNA | (802) 626-6456

Office of Information Technology (OIT) | Lyndon

» cappalli@lyndonstate.edu | oit.lyndonstate.edu

 

 

Sophos here as well. Older versions (a couple years back) were a bit resource-intensive but revs since then have been fine. Very stable and capable product.

-- Jeff Giacobbe
Montclair State University

On 05/17/2012 03:30 PM, Jesse Safran wrote:
> Another +1 for Sophos. We are very happy with it!
We provide McAfee VirusScan for Mac to our campus. A co-worker of mine prefers Sophos. He ran some (unscientific) tests by installing various clients and copying files around. He timed each copy. He shared his findings with me (see below).

> I used a copy of my Library folder since it's 3.08 gigabytes and contains 32,819 files. I figured more files to scan will give me a better idea of performance. I disabled Time Machine and rebooted the Mac between each test copy so the environment was as nearly identical as I could make it for each run. Each test was in a terminal window with the command:
>
>     time cp -pr Library-test/ Library-test-2
>
> First, I did it twice with nothing installed.
>
>     Real        User       Sys
>     1m38.032s   0m0.998s   0m12.907s
>     1m40.936s   1m0.008s   0m13.119s
>
> Then twice with McAfee installed.
>
>     Real        User       Sys
>     4m14.581s   0m1.196s   0m15.959s
>     4m12.333s   0m1.198s   0m16.052s
>
> Wow! Over 4 minutes! Then I uninstalled McAfee and ran the test again with nothing. I should have gotten similar results to the first two runs.
>
>     Real        User       Sys
>     1m42.203s   0m0.996s   0m13.060s
>
> Yep, similar results. Then I installed the free version of Sophos for the Mac and gave it two runs.
>
>     Real        User       Sys
>     2m26.733s   0m0.985s   0m14.081s
>     2m26.177s   0m0.978s   0m14.062s
>
> The extra overhead of scanning 32,819 files added 44 seconds to the copy using Sophos. Using McAfee it added 2.5 minutes (150 seconds).

I am only presenting the facts and this email should not be interpreted as endorsing any product.

--Jason
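The timed-copy comparison in Jason's mail is easy to rerun in a repeatable way. The script below is an added example, not code from Jason or his co-worker: it assumes the source tree and a scratch destination are passed on the command line (hypothetical paths), uses `/usr/bin/time -p` instead of the shell's `time` keyword so the output can be parsed, and carries helpers that turn the `1m38.032s`-style figures quoted in the mail into seconds, averages the runs, and reports the on-access scanning overhead against the no-AV baseline.

```shell
#!/bin/sh
# Added example, not from the thread: a repeatable version of the timed-copy
# comparison described above. Assumes the source tree and a scratch
# destination are given on the command line (hypothetical paths).
set -eu

# Convert a value printed by `time`, e.g. 1m38.032s, into seconds (98.032).
to_seconds() {
    printf '%s\n' "$1" | awk -F'[ms]' '{ if (NF >= 3) { printf "%.3f\n", $1 * 60 + $2 } else { printf "%.3f\n", $1 } }'
}

# Arithmetic mean of numbers read from stdin, one per line.
mean() {
    awk '{ s += $1; n++ } END { printf "%.3f\n", s / n }'
}

# Overhead of a measured run over a baseline: prints "<extra seconds> <percent>".
overhead() {
    awk -v b="$1" -v m="$2" 'BEGIN { printf "%.1f %.1f\n", m - b, (m - b) / b * 100 }'
}

# Copy $1 to $2 $3 times, printing each run's wall-clock seconds. The POSIX
# `time -p` format ("real N.NN") is used so the output is parseable; the
# destination is removed between runs so every run copies the full tree.
timed_copy() {
    src=$1; dst=$2; runs=$3; i=1
    while [ "$i" -le "$runs" ]; do
        rm -rf "$dst"
        # time -p reports on stderr; cp's own stdout is discarded
        /usr/bin/time -p cp -pr "$src" "$dst" 2>&1 >/dev/null | awk '$1 == "real" { print $2 }'
        i=$((i + 1))
    done
    rm -rf "$dst"
}

# Usage: ./avbench.sh <source-dir> <scratch-dst> [runs]
# Run once with no AV installed for the baseline, then once per product, and
# feed the two means to `overhead`. With the figures quoted in the mail:
#   overhead "$(printf '98.032\n100.936\n' | mean)" "$(printf '254.581\n252.333\n' | mean)"
if [ $# -ge 2 ]; then
    timed_copy "$1" "$2" "${3:-2}" | mean
fi
```

Rebooting between runs, as the co-worker did, matters more than the script itself: the second copy of a tree that is already in the page cache will always look faster, so compare means of cold runs only, and keep Time Machine and Spotlight indexing of the scratch location out of the measurement.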

Hi


McAfee antimalware here. I have to say keeping your Mac software updates current was the primary protection vector we saw for Flashback. As Apple released the two or three OS patches, we installed them ASAP. I am saying it's best to do both in tandem for best results: set OS updates to daily and install automatically as a service for your Mac users, and have AV of one kind or another. Very few of our users disagree with this approach.




>>> On 5/17/2012 at 01:17 PM, in message <99589267-1F4D-430C-ACE0-5E75F39521D5@uvm.edu>, Dean Williams <dean.williams@UVM.EDU> wrote:

Message from john.ladwig@so.mnscu.edu

Symantec Endpoint Protection 12 here, on a few Macs. 

 

SEP 11 used to eat most of the CPU and drive the fans to takeoff thrust once a week or shortly after a  restart.  12 is some better, but I still periodically end up with two navx processes running, and that drags things to a crawl.  It’s no third to kill the logged-in-user copy off, though.

 

Never seen it fire on anything, false or not, but our Macs have historically only been driven by the security team, who should generally be expected to be more careful than average.

 

Just started with the free Sophos package on the home Macs.  Other than the initial “all local disks” scan running for a *very* long time, it’s been unobtrusive.  That one found some circa-2k4 PC viruses in an old email attachments folder and dutifully quarantined them.  Haven’t noticed CPU consumption issues with Sophos so far.

 

   -jml

 

Also using Symantec Endpoint Protection 12.1 here. We saw some issues with version 11 as John mentioned, but things have been very good with 12.1. I like that the Macs are centrally managed for reporting, just like our PC clients; pricing is also the same as our PC clients. There haven't been many Mac-only viruses show up, but it's been great for stopping the PC viruses that the Macs had been carriers for.

Regards,
Brady Gallese
Susquehanna University

Louis:

Maybe I am misreading this, but Apple Updates did not offer protection in time, though patching is of course sound advice.
A Java vulnerability was not patched until after exploitation took place.
We did have good experience with anti-malware software if the user had it already installed.
We had poor experience with network security mitigation technologies.

References:

Sincerely,

Alex Everett, CISSP, CCNA
University of North Carolina
Chapel Hill, NC

Message from john.ladwig@so.mnscu.edu

Which “network security mitigation techniques,” didn’t work out for Flashback at your site?

 

   -jml

 


On Thu, May 17, 2012 at 08:54:57PM +0000, John Ladwig wrote:
> Which “network security mitigation techniques,” didn’t work out for Flashback
> at your site?

The majority of Flashback-infected machines were personal laptops that were already infected while on an off-campus location. Almost all were student-owned machines, but a few were faculty/staff. We would see IDS alerts < 10 seconds after the WPA login. We focused on detection+suspension; we had ~200 infections total.

-- 
Justin Azoff
Network Security & Performance Analyst
We use Intego VirusBarrier here. Didn't find the first cases, but is fairly good at cleaning them up afterward. It can be a bit too aggressive by default, but doesn't seem to impair performance much at all.
Alex
 
You are correct, Apple knew about this; we all know that a response was slow in coming. I am not sure why Flashback was a non-event for us, since I have a very small population on McAfee anti-malware 1.x or (9.1.0.4478). I spot-checked critical systems at the start of this; what I found was tons of needed updates queued up. I guess what I said badly was you need an AV solution in place (McAfee does rather well on Snow Leopard and Mountain Lion), but don't forget the importance of patching via updates if you have no other central solution for Mac patching. We also enable the Mac firewall and include that in our guidelines on securing Macs. No, I would never say you don't need a Mac AV solution; the only box I have in my office completely free of threats is a tissue box.


 
 
Louis Aponte
Weber State University
 
On 5/17/2012 at 2:50 PM, in message <848EA831-20E8-4958-A96E-8715EC4A52A0@unc.edu>, "Everett, Alex D" <alex.everett@UNC.EDU> wrote:
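Louis's guidelines come down to two host-side controls that can be checked rather than assumed: automatic software updates turned on, and the built-in application firewall enabled. The script below is an added example, not something from Louis's mail or from Weber State's guidelines. It assumes the settings macOS of that era exposed through `defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled` (prints `1` or `0`) and `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` (prints a line such as `Firewall is enabled. (State = 1)`); the parsing is kept in functions that take the command output as an argument, so the logic can be exercised on constructed sample output away from a real Mac.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two controls discussed above
# (automatic updates and the built-in firewall). Key names, tool path and
# output formats are assumptions about macOS of the 2012 era.
set -eu

SU_PLIST=/Library/Preferences/com.apple.SoftwareUpdate
FW_TOOL=/usr/libexec/ApplicationFirewall/socketfilterfw

# `defaults read` prints 1 or 0 for a boolean key; anything but 1 counts as off.
updates_enabled() {
    # $1: output of `defaults read $SU_PLIST AutomaticCheckEnabled`
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ] && echo yes || echo no
}

# socketfilterfw --getglobalstate prints e.g. "Firewall is enabled. (State = 1)".
# State 2 is the "block all incoming connections" mode (assumed), which also passes.
firewall_enabled() {
    # $1: output of `$FW_TOOL --getglobalstate`
    case $1 in
        *"State = 1"*|*"State = 2"*) echo yes ;;
        *) echo no ;;
    esac
}

# Print one summary line; exit status is 0 only when both controls are on,
# so the script can feed a fleet inventory or a login-time check.
audit() {
    # $1: updates output, $2: firewall output
    u=$(updates_enabled "$1"); f=$(firewall_enabled "$2")
    printf 'automatic updates: %s, firewall: %s\n' "$u" "$f"
    [ "$u" = yes ] && [ "$f" = yes ]
}

# Live run on the current Mac when invoked with --live (macOS only).
if [ "${1-}" = "--live" ]; then
    audit "$(defaults read "$SU_PLIST" AutomaticCheckEnabled 2>/dev/null || echo 0)" \
          "$("$FW_TOOL" --getglobalstate)"
fi
```

A missing `AutomaticCheckEnabled` key is treated as "off" rather than as an error, since a host that has never had the preference set is exactly the one with Louis's "tons of needed updates queued up".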

Well put, Louis.
There must be a good reason why you had fewer; maybe more systems with AV (it was a wake-up call for many here) or more secure web surfing habits for your users.

Sincerely,

Alex Everett, CISSP, CCNA
University of North Carolina
