
How safe is Sophos?

Hi, forgive my computer unsavviness and hopefully you'll keep that in mind if you choose to reply.  (simple answers for simple minds)

I just installed the product but was talking with a friend who actually knows something about computers and runs Macs.  He said this about Sophos 

 reading up a bit on this antivirus software some people criticize that it runs with root privileges which could potentially compromise your computer's security,

I'm not sure how much of an issue this actually is so I'd like to throw it out here for comment and discussion.  Thanks very much. 



This thread was automatically locked due to age.


  • Icelander wrote:

    Here's one friend's opinion

    "

    Here is my opinion. One Mac virus has made it into the wild finally. It is actually dependent on the user to install it while installing some crap they downloaded from the web. This is unlike Windows viruses which can install automatically. This Mac virus has made 600,000 installs... comparing that to the millions upon millions of infected Windows machines you're still **bleep** safe.

    Now whether a mac anti virus is worth it or not is questionable. It certainly won't hurt... and it may help.
    I know Sophos to be a good product. We used it at the city. Now it may run as root, but an anti virus that does not run as root cannot be effective. There would have to be a vulnerability in the anti virus itself in order for it to be used as a back door... this has been known to happen in the windows world. It just shows there is no substitute for using common sense while surfing the web.

    This subject is making news for marketing reasons. The Microsoft world would have you believe you are less safe using a Mac. This is the first year Microsoft has started losing market share in the operating systems. In 5 years I expect Microsoft and Apple to both be out of that game. My opinion."


    Let me answer these points for your friend, as I've analysed the malware (Flashback) under discussion, as well as other pieces that didn't get so much publicity, but also defeat OS X security with no user interaction....

    1) Mac viruses have been in the wild for years... however, Flashback is not a "virus" but a combination of worm, trojan, and generic malware. 

    2) The version that got all the press got it because it used a drive-by exploit of Java to install silently onto your computer.  Once installed, it then asked for permission to gain root access, so it could infect all user accounts on the machine.  HOWEVER, it had already infected the currently used user account, and allowed the botnet controller to have full access to that user's account.  So anyone who browses the web through the same account they use for anything else is handing all of that over.  Plus, since the botnet controller can install new userland software on the machine at any time, they only need to fool the victim once to gain root access to the computer.

    3) That said, if a user had locked down their Mac, setting secure access permissions, using a dual admin and regular user account configuration, and disabled Java and Flash by default (and JavaScript in their PDF readers), they would have minimized risk of infection.

    4) The Flashback malware has infected more than 600,000 Macs at this point; it infected just under that amount by some industry estimates during the period when there was a known exploit (with working code) available in Java while Apple did not provide a patch.  After the patch was made available, people continued to get infected (likely a combination of factors... people not running software update in a timely manner, plus people running versions of OS X older than 10.6).  Remember: 600,000 computers may not be a large number, but that's no consolation if it's your machine that got infected -- and it's a sizeable percentage of overall Macs (not huge, but notable).  If you decide not to look both ways before crossing the street because the percentage of street crossing fatalities in your town is statistically insignificant compared to the major city nearby, you're likely to eventually become part of the statistic.

    5) Is Mac AntiVirus worth it?  It could cause slowdowns in some (rare) situations, and combining root-level on-access analysis with automated backups and archiving can have some issues, but it's definitely worth testing it to find out for yourself.  If you see no problems in the first couple of days (Just like all software that installs as root, don't install it right before you have a critical deadline or such), chances are you'll be fine into the future.  Read some of the threads on this forum before installing to see what some of the issues are that you might experience, and what the fixes or work-arounds are for those situations.

    6) Your friend is spot-on.  In order for anti-virus to be effective, it needs to run as root.  This means you have to trust your AV supplier not only to behave, but also that you have to trust them to produce relatively secure software.  However, this goes for any other software vendor who also requires administrator access to install their software; you're just as likely to see your computer attacked through, say, MS Office, OpenOffice, VLC, Plex, Safari or GarageBand as you are to see an attack via AV software.  This means you need to ensure that any software you install on your computer that requires administrator access during install be updated promptly when a security upgrade is released.  As your friend said, there is no substitute for common sense.

    7) This subject is definitely making news for marketing reasons... but also for publicity reasons (that is, it's making news because publishers know it will get readers' eyeballs, so they can make more money on advertising).  However, the subject is also making news because it's newsworthy; after all, significantly more people have been affected by this piece of malware than most other Mac malware.  According to some personal rough heuristics (standard deviation not available, so these numbers are not official Sophos stats or industry stats), Flashback is currently (in the past week) making up around 30% of all Mac infections, about the same percentage as Fake Antivirus software installations (which made news around a year ago).  This leaves another 40% of various other malicious software, from fake codec installers to DNS changer trojans to trojanized "cracked" software available via torrent sites to targeted malware.

    8) I'll not comment on the OS competition game.

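Points 2 and 6 of the reply above describe the same trust boundary from two sides: a compromised user account only becomes a root compromise if the attacker can get something of theirs executed as root, and every root-level service (anti-virus included) is a piece of that boundary you have to trust. One thing a defender can verify, rather than take on trust, is that no root-running executable sits on a path a regular user could modify. The following audit script is an added example written for this thread; it is not code from the forum, from Sophos, or from any product named in the discussion. The process list and file metadata are constructed inline, and the path `/Library/ExampleAV/avscand` is a hypothetical placeholder for an AV scanning daemon, not any vendor's real install path. `stat_metadata()` is included so the same check can be pointed at a live system.

```python
"""Audit root-running processes for executables an unprivileged user could
tamper with. A root service whose binary, or any parent directory of that
binary, is owned or writable by a normal user turns a userland compromise
(the Flashback situation) into a root compromise without any further trick."""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FileMeta:
    """Ownership and permission bits of one path component."""
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o755


@dataclass(frozen=True)
class ProcessRecord:
    """One running process: pid, the uid it runs as, and its executable path."""
    pid: int
    uid: int
    exe: str


Finding = Tuple[str, str]  # (path component, reason it is weak)


def weak_path_components(exe: str, metadata: Dict[str, FileMeta]) -> List[Finding]:
    """Walk from exe up to / and report every component a non-root user could
    modify or replace. A writable parent directory is as bad as a writable
    binary, because the file can simply be renamed and swapped out."""
    findings: List[Finding] = []
    path = exe
    while True:
        meta = metadata.get(path)
        if meta is None:
            findings.append((path, "no metadata available"))
        else:
            if meta.uid != 0:
                findings.append((path, f"owned by uid {meta.uid}, not root"))
            if meta.mode & stat.S_IWOTH:
                # Flagged even for sticky-bit directories such as /tmp: a root
                # service has no business executing from a shared scratch area.
                findings.append((path, "world-writable"))
            elif meta.mode & stat.S_IWGRP and meta.gid != 0:
                findings.append((path, f"writable by group {meta.gid}"))
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            break
        path = parent
    return findings


def audit_root_processes(processes: Iterable[ProcessRecord],
                         metadata: Dict[str, FileMeta]) -> Dict[int, List[Finding]]:
    """Return {pid: findings} for every process running as root (uid 0) whose
    executable path has at least one weak component. Clean root processes and
    all non-root processes are omitted."""
    report: Dict[int, List[Finding]] = {}
    for proc in processes:
        if proc.uid != 0:
            continue  # userland processes are not the trust boundary here
        findings = weak_path_components(proc.exe, metadata)
        if findings:
            report[proc.pid] = findings
    return report


def stat_metadata(exe: str) -> Dict[str, FileMeta]:
    """Collect real on-disk metadata for exe and every parent directory, for
    auditing a live system instead of the constructed sample below."""
    meta: Dict[str, FileMeta] = {}
    path = exe
    while True:
        try:
            st = os.stat(path)
            meta[path] = FileMeta(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
        except OSError:
            pass  # missing component is reported as "no metadata available"
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return meta


# Constructed sample data (not captured from any real machine). uid 501 is the
# first regular macOS user; /Library/ExampleAV is a hypothetical AV install dir.
_R = FileMeta(0, 0, 0o755)
SAMPLE_META: Dict[str, FileMeta] = {
    "/": _R, "/sbin": _R, "/sbin/launchd": _R,
    "/Library": _R, "/Library/ExampleAV": _R, "/Library/ExampleAV/avscand": _R,
    "/Users": _R,
    "/Users/alice": FileMeta(501, 20, 0o755),
    "/Users/alice/Downloads": FileMeta(501, 20, 0o755),
    "/Users/alice/Downloads/updater": FileMeta(501, 20, 0o755),
    "/opt": _R, "/opt/tool": FileMeta(0, 0, 0o777), "/opt/tool/toold": _R,
}
SAMPLE_PROCESSES = [
    ProcessRecord(1, 0, "/sbin/launchd"),                      # clean root daemon
    ProcessRecord(412, 0, "/Library/ExampleAV/avscand"),       # root AV daemon, root-owned path
    ProcessRecord(913, 0, "/Users/alice/Downloads/updater"),   # root daemon in a user's home
    ProcessRecord(1500, 0, "/opt/tool/toold"),                 # root daemon under a 0777 directory
    ProcessRecord(2200, 501, "/Applications/Safari.app/Contents/MacOS/Safari"),  # userland
]

if __name__ == "__main__":
    for pid, findings in audit_root_processes(SAMPLE_PROCESSES, SAMPLE_META).items():
        print(f"pid {pid}: executable path can be altered by a non-root user")
        for path, reason in findings:
            print(f"    {path}: {reason}")
```

The two flagged entries are the cases the reply warns about: a root daemon launched from a user's own home directory, and one whose parent directory anyone can write to. A root-owned path with sane modes, which is what a properly installed AV daemon should have, produces no finding; the remaining trust question, whether the vendor ships secure code and you apply its updates promptly, is not something a permission check can answer.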