Antivirus in an Enterprise environment

jarednichols
Honored Contributor

Hi-

I'm interested in seeing what people use for their AV solutions. We currently use McAfee Security for Mac, but it's resource heavy and it's serviced by another department. (We're piggybacking for now on their service.)

Thankfully, I have the latitude to choose the solution that meets our needs. I've given VirusBarrier a look and while I appreciate that it's Mac-centric, it's a bit *too* Mac-centric as it requires Mac OS X on the backend. With Apple out of the Enterprise game, I'm not comfortable with a Mac Mini or Mac Pro in the datacenter, nor would our datacenter guys go for it. If Apple would let the server OS be virtualized in something like an Enterprise-level VMware, this would be moot.

So, I'm looking at ClamAV. Does anyone currently manage it with Casper? What are your experiences, good/bad/indifferent?

I'm open to other solutions, as long as they can run on Enterprise infrastructure (i.e., not an Apple OS). One that came to mind was Sophos', but I don't know if their Mac product is anything but the free home one I've seen (can't seem to find anything but that and their FDE for Mac solutions on their site).

Thanks for any & all input.


nkalister
Valued Contributor

@cvgs yeah, I'm using McAfee, and not having any of the problems you're describing. We use 802.1x for both wired and wireless, no problems there, no problems with software installs, either.
At idle, it's eating maybe 3-4% of available CPU. When the system's seeing a lot of disk activity, that can go up to 15-20%.
I deploy the agent and the application from Casper, and include them in my system image for new builds.

charles_hitch
Contributor II

We are using McAfee as well. We turned off the firewall (have the native OS X fw running) and application protection (all about risk management). It was Application Protection that was killing us. This had to be done in local preferences so a couple defaults commands took care of it. Having them running was hosing software installs and usability. We recently received a hotfix for McAfee Security itself as well as one for ePO. It makes the install a 5 step nightmare, but in our testing it seems to work. Haven't deployed fully yet.

cvgs
Contributor II

@nkalister good to hear that it can work... I am still trying to figure out when exactly the slowdowns happen. Opening iMovie, for example, results in the McAfee menu item briefly showing an exclamation mark while the whole system pauses for 10 seconds, but only once after each login. Strange stuff...

matthewbodaly
New Contributor

I've used both Kaspersky and Sophos on Macs.

Matt
Valued Contributor

ClamXav

jhbush
Valued Contributor II

@cvgs most likely your issues revolve around your scans. You should look at setting your scans for write only. That resolved some of our issues with McAfee when we were using them. Other issues came up that just made switching to Sophos a better option.

chris_kemp
Contributor III

I'm using ClamXav here; I have MCX handling the preferences, and so far it's worked very well.

SEP is an option, but I avoid Symantec like the plague. Too many bad experiences.

cvgs
Contributor II

@jhbush1973 Our settings have been relaxed to the point of doing nothing, and the system was still slow as molasses sometimes. However, it looks like the upgrade to 1.2.0 fixed the slowness for us.

nkalister
Valued Contributor

One thing, CVGS: we bought the license for McAfee's antivirus only, no firewall, no application protection. We tested the version with the firewall and app protection, and I saw many of the same issues you're seeing.

brlittle
New Contributor

Another (belated) vote for Sophos. The management console is nothing to write home about, and getting the update procedure down is finicky, but once it works, it works well.

jhalvorson
Valued Contributor

Currently SEP 12, not managed by any Symantec server. We are managing via the Casper Suite. I've been told to switch to TrendMicro and it will be managed with Tivoli.

Lincoln
Contributor

We are a mixed environment: 80% Windows 7 clients and 20% Mac; servers are mostly Windows 2008 R2 running on a Hyper-V cluster. With that in mind, here's our state of play.

We have been using Sophos on all machines with an internal update server and this was working very nicely for us. Being a school we get very good education rates on MS stuff and with SCCM2012 that includes System Centre Endpoint Protection. So we have just moved from Sophos to MS SCEP for all Windows machines and I was testing deployment of ClamXAV when MS announced that SCEP was available for Mac and with SCCM2012 SP1 there would be support for local hosting of updates for SCEP for Mac. So I have packaged, tested and deployed SCEP to all our Macs and have to say that so far it is all going swimmingly. For the moment they are getting updates through our proxy but once SP1 is out we will host updates locally.

Regards

Lincoln

Paolo
New Contributor

We use Sophos for Windows servers and clients and for Macs.
It functions a little better on Windows, but if you have SSDs in your laptops, there's nothing to worry about.

Pretty good protection too.

ajohnson
New Contributor

Does anyone have any more recent thoughts on this post? We have encountered some performance issues with Sophos Cloud, and are considering switching. We also need a solution that will support Linux servers. Does anyone have a solution that they are super happy with? Would also like something that plays nicely with FileVault.

chriscollins
Valued Contributor

@ajohnson whatever you do, I'd stay away from Trend Micro. Their PC software is fine, but their Mac software is terrrrrrible.

emily
Valued Contributor III

We've been pretty happy with Sophos (Enterprise Console) for our Macs. It's gotten a little tricky to deploy, but @rtrouton is always on the case.

davidacland
Honored Contributor II

Our preference is still Sophos as the enterprise console works well with Active Directory to automatically configure all the client side settings. Most of our clients are already using McAfee on their Windows computers so we end up having to deploy that quite often. Neither are pkgs and so require a command to get them installed.

Chris_Hafner
Valued Contributor II

Does anyone have an opinion on ESET vs Sophos? We've been a happy Sophos customer for about five years, but the ESET console is tempting.

rtrouton
Release Candidate Programs Tester

I have a post showing how I'm currently packaging Sophos Enterprise 9.2.x for my own shop:

https://derflounder.wordpress.com/2015/02/26/deploying-sophos-enterprise-anti-virus-for-mac-9-2-x/

dpertschi
Valued Contributor

I've been supporting Macs for a long time, and this question comes up with regularity on a variety of different forums over the years.

Time and time again, I generally see more nods of acceptance towards Sophos.

I've never used it, but fewer people seem to complain about using Sophos vs. 'the others'.

gachowski
Valued Contributor II

Alexis,

We are content with Symantec. They just rewrote the app before X.9 and it works well. We are in their beta program and get to test beta OS X with their beta client. They have been very responsive and helpful with our beta feedback.

They have released the X.9 and X.10 client the same day Apple released.

The two downsides that I see are that the client .pkg is created on the server, so you have to update your Symantec management server before you can create the client .pkg. Also, the virus defs are in the client .pkg, so the defs are out of date if you build the day after you update your server, as you don't update the server or the installer that often. We had a small issue with the X.9 client auto updating (and we scripted a solution), but the X.10 client has been rock solid.

C

jconte
Contributor II

We are using McAfee.

casper100
New Contributor II

Just finished a POC with the Sophos AV & Enterprise Console and was very happy with it (for my use - and usual disclaimers). Their sales people connected me with technical people whenever I had questions during the free trial and were very helpful. I found that between JamfNation, @rtrouton @tkimpton and Sophos' own KB and communities that there were vast and rich resources to navigate me through most of the unknowns. I, too, wanted to try ESET before making my final decision but the help resources weren't as plentiful and, frankly, their sales people seemed uninterested in a small installation such as ours, and were rather "disengaged". After they sent me some very outdated Mac materials, I gave up on them.
An independent review of various Mac AV clients' effectiveness placed Sophos at the top in all categories but one (ESET was first in that category and second in all the others). I easily integrated the alert logs with our InfoSec's Splunk tool so they are happy. I can dig around for the link to the review (it was from late 2014) if you wish. If JN had some sort of double-blind email system for registered and verified members, I'd send you a redacted copy of my detailed POC that I submitted to management. Or, if you have a disposable email address, post it here and I'll email you all of the info. I'm funny about public disclosure of personal info. I spelled out my name on JN-IRC the other day and immediately broke out in hives. :-)

dgreening
Valued Contributor II

We use Sophos with the Enterprise Console running on a 'Doze Server 2008 R2 VM. We have an update manager (VM) for US/UK and one for APAC (VM). Can't say we have had any complaints from users, unlike SEP 12, which we moved away from. We do keep our users' machines in warranty though, so there aren't many, if any, clunkers kicking around.

ajohnson
New Contributor

Thanks for all the responses! I'm wondering if anyone has used Sophos Enterprise in the past and has any familiarity with their cloud offering? We are using Sophos Cloud, and I'm not finding it to be as seamless as it sounds like the on prem offering is.

casper100
New Contributor II

Sorry, we're using on premise as my company is very wary of anything outside of our own data center. Otherwise, I would have just dropboxed the aforementioned docs to you. :) I have seen some threads around here of people moving in that direction (Sophos Cloud) and I'm sure someone will chime in. This community is awesome despite my own penchant for obscure humor and/or emotional responses.

reidg
New Contributor III

Looks like this thread has come back to life.

For those of you using ClamXav, would you be able to share how you enabled scheduled scans and/or Sentry, if applicable?

Thanks.

dstranathan
Valued Contributor II

@chriscollins Can you please expand on 'terrrrrrible'?

Buggy? Unstable? Resource-intensive? Intrusive? OS/software compatibility issues? Hard to install/manage/update? Any insight would be helpful.

I'm running ClamXav (i.e., clamav + the GUI wrapper), but my IT dept recently purchased the Trend Micro Enterprise Suite, so there is a push to install (or at least consider installing) Trend Micro Security (Mac) 2.x on our ~300 Mac workstations. I have it on (2) IT test Macs running 10.10.2 Yosemite now.

yellow
Contributor

Where to go, what to choose?

  • At my former employment, we used McAfee, and it's something I'll never do again. 25% of our CPU cycles needlessly wasted doesn't make me happy.
  • At my new employment, when I started a couple years ago, they used Trend for both Windows and Macs. It was terrible... on Windows. The number of re-images due to infection was excessively high, and techs had started installing WSE on PCs as a result. Eventually the powers that be were convinced that Trend had to go and we're currently with SCEP on Windows. Frankly cheaper, but not much better than Trend. But this is about Macs, so... No one had installed Trend on a Mac in ages and it wasn't even a package in Casper, so that should tell you how popular it was.
  • Norton AV... hahahahahahahahahahahahahahahaha..... hahahahaha. We use PGP here, so I've had plenty of dealings with Symantec. I don't think they'll be getting any more of our money or time, if I can help it.
  • Many, many moons ago, I tried Intego. It was ok, but their business practices over the last few years have been reckless ('proof of concepts released into the wild to sell AV'). So they're out.
  • Once it was available, I moved to ClamXav and I've been quite happy with it for my own use.

Now at my new employment, we're again at a crossroads where none of my predecessors have bothered with modern AV and it's become my job to choose and deploy something. Naturally I'm inclined to go with ClamX, EXCEPT they are no longer a freeware company. They've gone to pay-for (which is totally understandable!). If I'm going to end up paying licenses, then I want to make sure I'm getting something good. The general consensus here on JAMFNation seems to be that Sophos is the way to go; however, I have no interest in taking on the management of yet another enterprise solution that requires a server-based console and management, strictly so some exec can check a box that says 'AV compliant on Macs'.

So here I am, which way to go?

  1. ClamX is lightweight and I can configure it to act sanely. I've used it for a long time and I'd like to support the little guy. I know it won't spend tons of time sucking CPU cycles needlessly. But it has no centralized enterprise level solution (do I care?). It's also a little ugly (do I care?). They will be reasonable with an EDU-based-bulk licensing scheme.
  2. Sophos is Enterprise level software. But I need a centralized server to run/control it from (I don't want to have to manage that too). It's considerably more heavyweight in terms of CPU cycle usage, from what I have read. I don't know what the EDU-based-bulk licensing would cost yet, but suspect it will be more than ClamXav. In the long run, will this be a better choice when someone asks what we're using?

gachowski
Valued Contributor II

Jacques,

Symantec rebuilt SEP for the Mac for X.9. I am not saying that it's perfect, but it is many times better than it was.

Also, another plus for SEP is that since X.8 Symantec has delivered a working version on the day that Apple releases a new OS, i.e. X.8, X.9 and X.10.

They also have a beta program that lets us test ahead of the OS release.

C

PS. Nobody has been able to convince me that the built-in AV is not enough. Last time I checked, Apple is doing a reasonably good job.

mm2270
Legendary Contributor III

I've heard good things in general about Sophos on the Mac. As good as any AV product can get, at least (they basically all suck by nature).
But I would agree with @yellow. If I could convince the org I work for to ditch McAfee, I would in a heartbeat. Unfortunately, due to some "ins" and some buddy-buddy stuff that is going on between McAfee reps and our InfoSec team, it seems it would take an act like their product erasing data across the entire company to even get them to admit it's just so bad. I'm not even talking about just the Mac. It's bad on Windows too.

emily
Valued Contributor III

I can't say any specifics but we have McAfee on some servers and it has a habit of really running up the CPU. Bad bad bad.

My lovely Macs use Sophos and it's lovely. McAfee is staying as far away from my Macs as possible.

phibo78
New Contributor

Sophos here as well.

It just works effortlessly in the background and is seamless for integration with the management console. Our Windows/Mac machines are all running it and it's rare for it to cause any problems with a user base of 400 desktops, the oldest being a 2010 iMac.

The majority of users don't even know it's there.

ernstcs
Contributor III

Sophos here as well with no real complaints, at least on the client side.

There are a few things I wish it would do automatically, like putting systems into groups based on some criteria, like naming patterns. As far as I know it can't do that. When a machine is imaged, the client is installed and it phones home, it goes into a default container. You have to manually move it into the preferred group.

You can make it go into groups based on AD as well, but only when you trigger an import, again...based on what I recall. Perhaps that's changed.

tico
New Contributor

We use Webroot SecureAnywhere.

tnielsen
Valued Contributor

SEP 12.1.6 Enterprise here. It's crap, don't buy it. It's always happy to scan your email for PC trojans, though.

ClamAV or Sophos or, even better... nothing. Bosses don't like to hear the "we don't use antivirus" talk though.

jarednichols
Honored Contributor

> Bosses don't like to hear the "we don't use antivirus" talk though.

No, they don't. However, if you can have it intelligently they may budge. If you're using a large AV vendor's product you should have some infection rates and such, and perhaps even the infection vector if you combine information from a proxy/firewall. Add in remediation tickets from your help desk system and you may end up with a compelling argument that the vectors of infection (like drive-bys) are passing through AV like Swiss cheese, don't end up on Macs to begin with, and that good security practice is 80% user education.
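One way to assemble the numbers this post describes, as an added example that is not code from the thread or from any AV product: it joins AV detections, proxy log lines and help-desk reimage tickets by host and time window, then reports per-platform infection rate, likely vector, and how many detections still ended in a reimage. The log format, hostnames, threat names and fleet sizes are all constructed for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample logs in a generic "ts key=value ..." form (no vendor's real format).
AV_EVENTS = [
    "2015-03-02T09:14:11Z host=WIN-0412 os=windows threat=Trojan.Dropper action=quarantined",
    "2015-03-02T09:20:45Z host=WIN-0187 os=windows threat=Exploit.JS.Generic action=detected",
    "2015-03-03T11:02:03Z host=WIN-0412 os=windows threat=Trojan.Dropper action=detected",
    "2015-03-03T14:40:09Z host=MAC-0033 os=mac threat=Trojan.Win32.Generic action=quarantined",
    "2015-03-04T08:05:00Z host=WIN-0901 os=windows threat=Adware.Bundler action=detected",
]
PROXY_EVENTS = [
    "2015-03-02T09:13:58Z host=WIN-0412 category=malicious-site verdict=allowed",
    "2015-03-02T09:20:30Z host=WIN-0187 category=exploit-kit verdict=allowed",
    "2015-03-03T14:39:50Z host=MAC-0033 category=email-attachment verdict=allowed",
]
TICKETS = [{"host": "WIN-0412", "type": "reimage"}, {"host": "WIN-0187", "type": "reimage"}]
FLEET = {"windows": 600, "mac": 300}  # constructed host counts per platform

def parse(line):
    """Turn 'ts k=v k=v ...' into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def correlate(av_lines, proxy_lines, tickets, window=timedelta(seconds=120)):
    """Attach the likely vector (latest proxy category for the same host within
    `window` before the detection) and the help-desk outcome to each AV event."""
    proxy = [parse(l) for l in proxy_lines]
    reimaged_hosts = {t["host"] for t in tickets if t["type"] == "reimage"}
    events = []
    for ev in (parse(l) for l in av_lines):
        prior = [p for p in proxy if p["host"] == ev["host"]
                 and timedelta(0) <= ev["ts"] - p["ts"] <= window]
        ev["vector"] = prior[-1]["category"] if prior else "unknown"
        ev["needed_reimage"] = ev["host"] in reimaged_hosts
        events.append(ev)
    return events

def summarize(events, fleet=FLEET):
    """Per-platform infection rate, vector breakdown, and detections that still cost a reimage."""
    hosts = {os_: set() for os_ in fleet}
    for e in events:
        hosts[e["os"]].add(e["host"])
    return {
        "infected_hosts": {k: len(v) for k, v in hosts.items()},
        "infection_rate": {k: len(v) / fleet[k] for k, v in hosts.items()},
        "vectors": dict(Counter(e["vector"] for e in events)),
        "reimaged": len({e["host"] for e in events if e["needed_reimage"]}),
        # Windows-only malware caught on a Mac: noise, not a Mac infection.
        "pc_only_on_mac": sum(1 for e in events if e["os"] == "mac" and "Win32" in e["threat"]),
    }

if __name__ == "__main__":
    print(summarize(correlate(AV_EVENTS, PROXY_EVENTS, TICKETS)))
```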

jimmy-swings
Contributor II

Does anyone extend their security controls beyond antivirus? What are these? Does anyone have any recommendations on the following:
- Data Loss Prevention
- File Integrity Monitoring
- Firewalls (location aware)

VT-Vincent
New Contributor III

We've historically used Sophos on everything but starting this school year we're going antivirus-free on the student machines and moving to Kaspersky for our staff machines. I'd be curious to hear about any experiences anyone has had with Kaspersky.

ronb
New Contributor II

We used McAfee way back in the day; I won't go back.
We have been using ClamXav. It never caught the three adware problems (the only malware we've ever received on our Macs), but we used Adware Medic, which did a great job cleaning them out.

So now that ClamXav has gone commercial (good for you, Mark Allan!), we've been researching, trying to determine if we even need third party protection, given recent Mac OS anti-virus initiatives. If we do stay with some third party solution, we'll be contemplating Sophos vs ClamXav. We're a pretty small shop, so will probably stick with the lean and mean ClamXav along with Adware Medic. Oh wait, they've got commercial solutions as well, though apparently nothing yet for active scanning on the Mac. But you can still get Adware Medic as Malwarebytes Anti-Malware application for removal.