Antivirus in an Enterprise environment

jarednichols
Honored Contributor

Hi-

I'm interested in seeing what people use for their AV solutions. We currently use McAfee Security for Mac, but it's resource heavy and it's serviced by another department. (We're piggy backing for now on their service.)

Thankfully, I have the latitude to choose the solution that meets our needs. I've given VirusBarrier a look and while I appreciate that it's Mac-centric, it's a bit *too* Mac-centric as it requires Mac OS X on the backend. With Apple out of the Enterprise game, I'm not comfortable with a Mac Mini or Mac Pro in the datacenter, nor would our datacenter guys go for it. If Apple would let the server OS be virtualized in something like an Enterprise-level VMWare, this would be moot.

So, I'm looking at ClamAV. Does anyone currently manage it with Casper? What are your experiences, good/bad/indifferent?

I'm open to other solutions, as long as they can run on Enterprise infrastructure (i.e. Not an Apple OS.) One that came to mind was Sophos', but I don't know if their Mac product is anything but the free home one I've seen (can't seem to find anything but that and their FDE for Mac solutions on their site).

Thanks for any & all input.


sanaumann
New Contributor III

McAfee Endpoint Protection for Mac.

jarednichols
Honored Contributor
Does anyone extend their security controls beyond antivirus? What are these? Does anyone have any recommendations on the following:
- Data Loss Prevention
- File Integrity Monitoring
- Firewalls (location aware)

@jazzyj DLP is not a fantastic solution. It suffers from YAA (Yet Another Agent) and the simple fact that if someone really wants to exfiltrate data, they're going to do it. Take a picture of a screen, stick an iPad on a photocopier etc. At some point you have to trust your employees to do the right thing. If they don't, that's an HR issue not a technology issue.

If DLP is trying to solve things like malicious USB devices from being plugged into systems, what's more effective is user training. Run an exercise that drops juicy looking USB drives in your parking lot and see just how many get plugged into your systems. There's lots of companies out there which will run an exercise like this for you. That's going to be far cheaper (and likely more effective) than spending more money on software licensing.

FIM's a good direction to go, but again it's based upon signatures. Someone first has to be compromised for the provider of that service to create a signature. It's the same issue with Anti-virus/malware software - someone has to get infected first before you have a prayer of picking up that signature definition, meanwhile you're hoping you're not the first one. More and more, malware is crafted specifically for targets and nobody else would see that signature anyway.

Instead, solutions that are brought up to the network level and look for malicious behavior are where things are shifting. Port scans? Weird destinations your traffic doesn't normally go to? Systems on the network that don't normally talk to each other? They're able to see what is "normal" for your network and alert you to things that are abnormal. Presume the network is hostile and do what you can to detect that it actually is.

Firewalls are still tried and true, but again, a lot of exfil occurs over ports that are common like 80 and 443. You can't just shut those off.

Unfortunately, a lot of ITSEC folks want all of these things on systems. It's our job as engineers to push back and ask, "Why?" In many cases, good user education is more effective and cheaper at protecting company data and assets.

EDIT: Kinda interesting to see how this thread has meandered since I started it 3 years ago.

rcorbin
Contributor II

We are currently using Sophos on our Macs, but it is starting to get a bit expensive, so I'm once again looking at alternatives. We currently use Sophos for both our Macs and PCs (controlled via the Sophos Console). We are about 90% Mac. I'm thinking about keeping the PCs on Sophos and moving the Macs to something else.

We mainly put AV on the Macs to be good network citizens. Most of what it finds on the Mac side are documents with PC viruses. There is some AV component that Microsoft has as part of SCCM etc., but it looks like it has zero reporting anyway. Not sure if anyone has used that at all.

I'm considering giving ClamXav a good look. The pricing is reasonable.

I posted this question on another forum and osquery was suggested. See osquery and osquery packs. It looks interesting, but a lot more complex. It seems to approach things very differently. It's a "host-based intrusion detection system (HIDS)". Has anyone looked at this or implemented it with Casper?

An interesting link I received from @arekdreyer seems to put Symantec on the top, but I can't say I've seen many good comments about it: AV Test. And ClamXav doesn't fare that well, although maybe it has improved since going commercial?

laxthxdude
New Contributor II

First some very important things to remember:
1. Don't lose focus on what the objective is for a scanner requirement. Are you installing a scanner to prevent Mac malware? This is a very different case than those in management who insist on installing a scanner to detect and clean Windows malware as a responsibility for Mac users. It makes little sense (especially cost) to attempt to force responsibility over to a Mac client to detect and clean something which is benign and just another file for them (but is malicious to a Windows user). There is a reason Windows users have their scanner installed.
2. OS X has multiple layers in it already and, when implemented, they provide a good layered defense already for Mac malware (e.g. Gatekeeper/XProtect/Developer ID; sandboxing; POSIX; keychain; and now with 10.11 System Integrity Protection). Don't try to replace or reinvent the wheel when there is a perfectly good one already in place.
3. Virtually all vendors claiming to write a malware scanner for OS X do so very poorly. Most of this is the mistake of attempting to port things over from years of Windows design and development, and the other main issue is a failure to understand OS X design.
4. Be careful when looking at av-test.org products and assuming the products are the same from the same vendors (e.g. Intel Security/McAfee Internet Security is not their McAfee Endpoint Protection for Mac product; they are different designs and code bases).
5. There is a large failure across the board to properly design an OS X App for these scanners, let alone keeping them modernized with the quick OS X changes Apple makes yearly (e.g. scanners that elevate to root to scan even in sandboxed containers).

Having said all that, what if you are in the position that requires something more to either make management happy or meet a policy requirement? Here I would offer the following advice:
1. Legacy companies strong in nix offerings have better products than those that are (were) Windows focused. Sophos has a strong nix background. McAfee and Webroot do not.
2. Some companies have seen the light and have re-written things from the ground up to be (more) modernized to OS X requirements. Sophos and Symantec fall into this category.
3. Some companies focus on OS X solutions and tend to be stronger/have better designed solutions than the others. Avast, Bitdefender, Kaspersky fall into this category.
4. Some companies are finding out how hard it is to make money trying to sell Mac malware software and quit offering Mac solutions. Sophos went free for consumer; Trend discontinued at least one of their products; Symantec's free version in the Mac App Store is gone.
5. By far the most critical impact of a scanner package is its design of what is called 'On Access' scanning. There are 2 views on this approach, with virtually all the vendors choosing to do it incorrectly by trying to write a kernel level extension to scan, via elevated privileges, anything they want on the file system. There is a surrendered risk when you choose to install 3rd party kexts on OS X. You are granting and trusting the 3rd party kext to be completely perfect in design and code. As the kext has full access to the system, in almost all cases bad things happen (performance, memory leaks, stability issues, dependency issues, breaking on OS X updates, etc.). This is why Apple has a 'Keep Out' section on kext programming, in addition to stating that if you are considering a kext, to come and talk to them as there is probably a better way. Apple continues to lock down kext use (not allowed on the App Store at all), but as of 10.11 they are still allowed but require very specific signing, for which the developer must plead their case to Apple to obtain a valid entitlement to sign the kext. In most cases, deploying the scanning in an On Demand mode will remove the kext dependency; however, not all packages do this (Sophos does).
6. Remember the design of OS X. The concept of "On Access" scanning brings virtually no mitigation to OS X, especially with the existing OS X controls (Gatekeeper, XProtect, POSIX) in place.

So what to look for? I would suggest the following:
1. Make sure the product is modernized. That means everything from Retina support to fully modernized Cocoa code. There should be no support for things like OS X 10.4/5/6 or even 10.7 or 10.8.
2. Make sure the product is supportable with Apple's OS X releases. That means day-and-date support when Apple releases the current OS X version in the Fall. Well designed/properly designed Apps should be supportable with future OS X versions with little change required.
3. Make sure it is designed against OS X and not other platforms. This means it runs within user space, honors sandboxed data, requests authentication to elevate outside of user space, honors System Integrity Protection in 10.11, is 64-bit, etc.
4. Make sure it embraces Apple's existing security controls and doesn't bypass or disable them.
5. If you choose to implement something with a kext requirement, make sure you understand the risks of doing so!

Finally remember that Apple provides no "Malware Scanner API" like say Windows does and Apple's stance on OS X design is that if you have to install a 3rd party security product to use OS X, then they have failed to properly design OS X.

In a perfect world, the scanner will be 64-bit and properly sandboxed, running under user context with a daemon watching those high risk areas (~/Downloads, etc.), skipping all areas which are under System Integrity Protection control, skipping those areas which are sandboxed, scanning only user context level areas and, only in the case of a "deep scan", having the ability to request user elevated privileges to scan areas off limits to the standard user context.

Hope this helps.

laxthxdude
New Contributor II

For those interested in Facebook's approach, see: http://macadmins.psu.edu/wp-content/uploads/sites/1567/2012/11/psumac2015-77-osx-security-facebook-2015.07.pdf

For insight into breaking current AV software: https://www.syscan360.org/slides/2014_EN_BreakingAVSoftware_JoxeanKoret.pdf

For more insight into Mac malware: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
(https://objective-see.com)

tnielsen
Valued Contributor

@laxthxdude

That was one vague look into Facebook's security. They want to read and query OSX tables and then compare old vs new, allowed vs not allowed, standard vs unknown processes, etc.
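As an added example (not from this thread, and not Facebook's own configuration), here is an osquery pack that does the "old vs new" comparison described above: each query runs on a schedule and osquery's default differential logging emits only the rows added or removed since the last run, so a newly loaded kext, a new launch item, a new listening socket, or an unsigned running binary shows up as a diff. The table and column names are osquery's standard macOS tables; the query names, intervals and descriptions are my own choices.

```json
{
  "platform": "darwin",
  "queries": {
    "loaded_kexts": {
      "query": "SELECT name, version, path FROM kernel_extensions;",
      "interval": 3600,
      "description": "Loaded kernel extensions; a diff means a kext was loaded or unloaded"
    },
    "launch_items": {
      "query": "SELECT path, label, program, program_arguments, run_at_load FROM launchd;",
      "interval": 3600,
      "description": "LaunchDaemons/LaunchAgents; a diff means a persistence item was added, removed or changed"
    },
    "listening_sockets": {
      "query": "SELECT p.name, p.path, l.port, l.protocol, l.address FROM listening_ports l JOIN processes p ON l.pid = p.pid;",
      "interval": 600,
      "description": "Binaries accepting network connections; a diff means a new listener appeared or one went away"
    },
    "unsigned_processes": {
      "query": "SELECT p.pid, p.name, p.path, s.authority FROM processes p JOIN signature s ON s.path = p.path WHERE s.signed = 0;",
      "interval": 600,
      "description": "Running binaries without a valid code signature (standard vs unknown processes)"
    }
  }
}
```

Reference the file from the `packs` section of osquery.conf and osqueryd writes the differential results to its results log; osquery itself only reports the change, so the "allowed vs not allowed" decision (expected kexts, known launch items) is applied downstream in whatever consumes that log.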

gachowski
Valued Contributor II

Tim,

I would bet dollars to donuts that if you reach out to the Facebook guys through osquery, they will give you all the details you want. They have been more than open with osquery, and when they used Casper they were very open about how, what and why they used it.

C

jbestine
New Contributor III

We were using Sophos for years on the Macs, but earlier versions were very resource heavy and killed the processors. Three years ago we did an evaluation of Sophos, McAfee, ESET, and SEP. Personally, I preferred the new version of Sophos at that time. The console was fantastic; however, their sales team was not very good. They kept to the PowerPoint presentation and kept pushing features we weren't looking for in our environment. That did not impress management and killed their contract with us.

In the end we went with ESET. It works, but the management console leaves much to be desired. Fantastic features for Windows, but when you go to see if the same is available for the Mac you have to really dig, and in some cases it's not available for the Mac.

chsupport
New Contributor

@tico

We use Webroot SecureAnywhere.

Would you be willing to offer support in helping me get this set up for our users?

BK
New Contributor III

We use System Center 2012 Endpoint Protection from Microsoft.

Rack'Em!

yellow
Contributor

We also use SCEP.

gburgess
New Contributor III

We've started moving to SCEP as well on our Macs. This is a move from Sophos.

Chris_Hafner
Valued Contributor II

Just to follow up from an earlier point: we have now chosen to move from Sophos to Cylance. We've finished our demo and are moving forward with deployment.