Quick Links
No software is immune to attack, including macOS. The rising popularity of Apple computers has made them a prime target for malware. And security companies are increasingly offering antivirus for Macs, but do you really need it?Here's everything you need to know to protect your Mac from malware.
How macOS Protects Your Computer
Your Mac has many built-in security features to keep it safe. The bedrock of macOS (formerly Mac OS X) is a rock-solid Unix foundation. This is the same operating system on which BSD and Linux were built, and it's earned its reputation for reliability and security thanks to a robust permissions system.
To keep the platform secure, each Mac uses a suite of proprietary technologies. It might surprise you to learn your Mac already runs an anti-malware scanner in the background called Xprotect.
Whenever you open a file on your Mac, Xprotect scans and checks it against known macOS malware definitions. If it finds something suspicious, you see a warning that the file will damage your computer. When your Mac installs system updates, it also updates the malware definitions.
Another technology called Gatekeeper tries to prevent unknown applications from causing harm. By default, macOS blocks all software that isn't signed with an Apple-issued developer certificate or downloaded from the Mac App Store.
Not all unsigned apps are harmful. Developers who create free, open-source apps often cannot justify the $99 required to enter the Apple Developer Program and issue certificates. To circumvent Gatekeeper, go to System Preferences > Security & Privacy, and then click "Open Anyway" after you attempt to open an unsigned app.
To prevent signed apps and those distributed via the Mac App Store from damaging the operating system, Apple uses sandboxing. Sandboxing provides the app with everything it needs to perform its purpose and nothing else. When you run an app in a sandbox, you limit what it can do and provide additional permissions based on input.
Finally, system integrity protection (SIP) protects some of the most vulnerable parts of your system, including core system directories. Apple limits any potential damage from rogue software because it prevents apps from accessing these areas.
SIP also protects preinstalled apps, like Finder and Safari, from code injections that can change the way these apps function. If you restart your Mac and execute a Terminal command, you can disable SIP; but most people should leave it alone.
The Case for a Third-Party Antivirus
These security features all help protect your Mac from attack, but no platform is immune. New instances of macOS malware are discovered every year. Many of these slip through Apple's defenses by design, or they exploit a "zero-day" security flaw Apple hasn't been able to patch.
In June 2019, OSX/CrescentCore was discovered posing as an Adobe Flash Player installer disk image. The malware installed an app called Advanced Mac Cleaner, LaunchAgent or a Safari extension, checked for antivirus software, and then exploited unprotected machines. OSX/CrescentCore was signed with a developer certificate, so it infected machines for days before Apple caught it.
A month earlier, malware known as OSX/Linker took advantage of a "zero-day" flaw in Gatekeeper. Since Apple hadn't patched the security flaw when it was first reported earlier in the year, OSX/Linker slipped past Gatekeeper.
Hardware is another point of weakness in the chain. In early 2018, it was discovered that almost every CPU sold in the past two decades was affected by serious security flaws. These flaws became known as Spectre and Meltdown---and yes, your Mac was likely affected. The flaws could allow attackers to access data in parts of the system that were considered protected.
Apple eventually patched macOS to guard against Spectre and Meltdown. The exploits require that you download and run malicious software for it to do any harm, and there's no evidence that any Mac owners were directly affected. Meltdown and Spectre highlight the fact that even hardware outside Apple's control can result in serious security exploits.
In 2016, OSX/Keydnap infected the popular BitTorrent client Transmission. It attempted to steal login details from the system keychain and create a backdoor for future access to the system. This was the second incident in five months to involve Transmission. Again, because the infected version was signed with a legitimate certificate, Gatekeeper didn't catch it.
While the Mac App Store hopes to catch any unscrupulous apps, in 2017, several malicious ones passed Apple's review process. Apps like Adware Doctor, Open Any Files, and Dr. Cleaner posed as legitimate anti-malware software. However, they sent information---including browsing history and currently-running processes---to servers in China.
Because Gatekeeper implicitly trusts the Mac App Store, the software was installed with no additional checks. An app like this can't cause too much damage at a system-level thanks to Apple's sandboxing rules, but stolen information is still a significant security breach.
In August 2018, LoudMiner was discovered in pirated copies of VST (Virtual Studio Technology) plugins and Ableton Live 10. LoudMiner installs virtualization software that runs a Linux virtual machine and uses system resources to mine cryptocurrency. The exploit affected both Mac and Windows computers.
These are just a few examples of recent macOS security problems. Third-party antivirus software wouldn't catch all of them, nor would all of them directly result in a usable exploit (notably Meltdown and Spectre).
How You Can Reduce Your Risk of Infection
The single best thing you can do to protect your Mac from security vulnerabilities is to keep it updated. Apple responds to security vulnerabilities with small security fixes and larger OS updates. Head to System Preferences > Software Update to check for updates. It's best if you set your Mac to install updates automatically.
If you install software from unknown sources, it could also lead to an infection. For best results, only use software that's either from the Mac App Store or signed with a legitimate developer certificate.
As covered above, even if you do that, your system isn't immune, but it does provide a good deal of protection. If you have to install an unsigned app, make sure you download it from a reputable source. Some Mac application installers include junk software, just as they do on Windows.
If you download pirated software, it could lead to an infection. This is high-risk because when you download software from illegitimate sources, you're at the mercy of the uploader. You could expose yourself to more than you bargained for.
Adobe Flash is another source of malware and browser-based exploits. If you don't use it much, remove it from your system. Most websites have already transitioned away from Flash, and it'll be gone for good at the end of 2020. If you do have to use it, install Google Chrome and enable the sandboxed version of Flash.
Public unsecured wireless networks also pose security and privacy risks. Man-in-the-middle attacks occur over public hotspots, and they can allow someone to spy on your traffic. If you must use an unsecured public network, do so through a VPN.
And finally, for additional protection, you can install antivirus or anti-malware software to monitor your system.
Which Mac Security Software Should You Install?
Let's be clear: antivirus software for your Mac is not essential. If you follow the basic "common sense" practices covered above, the chances of infection remain low. Even with an antivirus, your system could fall victim to a new, undocumented infection. When one Mac is compromised, all are compromised, regardless of whether you run an antivirus.
Still, if it makes you feel more comfortable to have an antivirus on your Mac, that's just fine, and there are a few we recommend.
For a basic malware removal tool, try Malwarebytes. We like both the Windows and Mac versions. With the free version, you can scan your Mac for malware and remove anything it finds. If you want real-time protection (and again, you probably don't need it), we recommend Malwarebytes Premium ($39.99 per year).
We haven't conducted our own tests to find the "best" Mac antivirus package. But the following tools received top marks in AV-Test's macOS June 2019 roundup:
Another useful tool that detects malware is KnockKnock from Objective-See. KnockKnock doesn't specifically target malware, but rather, persistently installed software. Since malware often uses aggressive tactics to remain installed on a computer, KnockKnock finds and analyzes these processes.
KnockKnock is completely free to download and use. It doesn't remove tools, though, and it might flag some known safe processes. It cross-checks processes with VirusTotal and highlights any known malware in red.
Security-conscious Mac users should also check out Little Snitch. It's essentially a firewall that prompts you each time an application tries to connect to the internet. You can then approve or deny these requests to limit which applications can send and receive data, and the app remembers. Little Snitch is available as a free trial, and the full version is $45.
Never Assume Your Mac Is Safe
Even if you run all the security tools available to you, you should never assume your Mac is safe. No operating system or piece of hardware is immune to attack. Vulnerabilities can appear overnight with no warning.
The best thing you can do to protect your Mac is to keep it updated and install only signed software from approved developers and the Mac App Store.
And---in case you're wondering---the author of this piece doesn't have an antivirus on his Mac.