We are currently running TrendMicro and are not a fan. We have been given permission to look at alternative solutions for our Apple devices. Obviously I would prefer to not run any third party tool, but assuming that is not an option, what solutions are you guys using, and how well do you like them? Are some easier to package / manage than others? Is there a gold standard that if money was no object, most of you would jump on?
Again, this is assuming I can't just leave Gatekeeper and XProtect to do their jobs.
We are reasonably happy with Symantec, but with IBM using the built-in tools it's very hard for anybody to make a logical argument for a 3rd party solution.
Not that anybody will admit it publicly, but by installing a 3rd party solution, they are saying that the 3rd party is better at protecting the macOS than Apple. While that might have been true in the past, now it's just sad that anybody still thinks that way.
but with IBM using the built-in tools it's very hard for anybody to make a logical argument for a 3rd party solution.
The argument I usually get is that we need a third party solution to scan for windows viruses and malware so that Mac users don't inadvertently pass those files along to more people. Do you think there is any validity to this?
It's not just about "which product protects macOS better" though. Our corporate AV policy requires a product that can perform scheduled full-system scans and, more importantly, reports any detections and actions taken so we can be alerted.
SEP may not necessarily protect the macOS better, but it will detect viruses/malware that can affect our other platforms, and it reports detections to the SEP server so we can track and remediate.
It's the macOS' job to protect Windows. Most networks have AV scanners running, the Windows machines have their scanner, and the email and shares are likely getting scanned. That isn't enough to protect Windows?
So the data that I have seen points to the number of Mac detections being almost non-existent. So that leads to the question: why are the scheduled full-system scans and reports required?
If your users are admins on their Windows machines, your organization has already accepted that X number of machines are always compromised. What is that number that is acceptable? Whatever number is picked is going to be significantly more than the number of compromised Macs.
To jump off of what @alexjdale says, the issue with Apple's XProtect, Gatekeeper, and other built-in malware protection is one of transparency and control. Some orgs don't take kindly to mechanisms they can't really control or report on, and Apple's mechanisms generally fall into that bucket. I'm not trying to imply they don't do a good job or that 3rd party AV products can do better, but it does mean making a leap of faith to trust that Apple's tools are doing their job. That's kind of a tall order for some places. When one of the principles of an org is to be able to control and report on their AV/antimalware setup, for compliance purposes for example, Apple's tools simply don't fit the bill. Yes, there are things like Extension Attributes and other hacky ways of seeing what "definitions" Apple has pushed to the machines, but none of this is centralized and there is no (easy) way to force any changes or standardized reporting. Hence why they need to look at 3rd party products.
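As an added illustration of the Extension Attribute approach mentioned above (this is not code from the thread or from any product named in it), the script below reports the installed XProtect definition version in the `<result>...</result>` form a Jamf Extension Attribute expects, and compares it against a version the admin decides is the fleet-wide minimum. The two XProtect bundle paths are the real locations macOS has used; the sample Info.plist, its version number, and the "expected" version are constructed so the parser can be exercised on any POSIX host, not only on a Mac.

```shell
#!/bin/sh
# Added example (not from the thread): a Jamf-style Extension Attribute that
# reports the installed XProtect definition version so a fleet can be checked
# centrally for stale definitions. The bundle paths are the real macOS ones;
# the sample plist and version numbers below are CONSTRUCTED for testing.

# Candidate Info.plist locations for the XProtect bundle (newer macOS first).
XPROTECT_PLISTS="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist
/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"

# Extract CFBundleShortVersionString from an XML plist without relying on
# `defaults` or PlistBuddy, so the parser also runs on a non-Mac test host.
# Assumes the usual plist layout where <key> and <string> sit on separate lines.
xprotect_version_from_plist() {
    plist="$1"
    [ -r "$plist" ] || return 1
    awk '
        /<key>CFBundleShortVersionString<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
            print; exit
        }
    ' "$plist"
}

# Locate the bundle on this machine and print its version, Jamf EA style.
xprotect_ea_result() {
    version=""
    for p in $XPROTECT_PLISTS; do
        if [ -r "$p" ]; then
            version=$(xprotect_version_from_plist "$p")
            [ -n "$version" ] && break
        fi
    done
    [ -n "$version" ] || version="Not found"
    printf '<result>%s</result>\n' "$version"
}

# Compare an installed XProtect version with the minimum the admin expects.
# Both are plain integers in practice; any non-numeric input fails the check.
xprotect_is_current() {
    installed="$1"; expected="$2"
    [ "$installed" -ge "$expected" ] 2>/dev/null
}

# Constructed sample plist so the parser can be tried anywhere.
SAMPLE_PLIST=$(mktemp)
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.XProtect</string>
    <key>CFBundleShortVersionString</key>
    <string>2099</string>
</dict>
</plist>
EOF

# On a Mac this prints the real installed version; elsewhere "Not found".
xprotect_ea_result
```

Deployed as an Extension Attribute, the `<result>` value lands in the inventory record, and a smart group on that attribute gives the centralized "who is behind on definitions" view the post says the built-in tools lack. It is still reporting only: there is no supported way to force an XProtect update from the script, which is the control gap the post is describing.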
Depends on your environment.
Are you an org that has machines that never leave your premises?
Or do you have a mix of both?
I'd recommend Sophos Cloud; from what I've used of it within the last year, I've been happy with it so far. The only issue I've had with it is that if you have an AD environment and you want to be able to enroll Macs within it, the AD bind on the machine won't talk with Sophos Cloud properly, meaning you can set policies depending on the AD group the user is in.
However, if you have a generic base policy for all employees, excluding yourself possibly, this shouldn't be an issue.
+1 to @mm2270's points.
McAfee, SEP, etc., are well behaved when exclusions (etc.) are managed properly for each platform, including making sure the solution is kept up to date.
The question to ask yourself is: are you willing to risk your job, if your responsibility is to support and protect the company? ¯\_(ツ)_/¯
There's also the notion that Apple's "solution" is a set-n-ferget solution. Fine for home/SOHO use, but hardly acceptable in large enterprise environments where risk mitigation is not taken lightly.
XProtect doesn't detect many browser hijackers. We use McAfee and even though it can't do anything about the browser hijackers, it will at least notify the user and our security team so that I can manually delete the files in question (and the .dmg they came from) and run Malwarebytes. Other than that, any antivirus software on Macs is really just to make sure the Windows PCs don't get infected.
We've been using Sophos for years and are fairly happy with it. Moved to Sophos Cloud a year or so ago and it's one less server in our MDF that we have to maintain.
I am pleased they seem to be targeting some of the more common malware/adware for OS X: Genieo, Spigot, etc. We have set our rules to block these potentially unwanted programs (PUP) and we also use MalwareBytes for further cleanup.
Like @AVmcclint we use McAfee. Not sure how he felt about the packaging and agent deployment, but I thought it was a drag. But once it was deployed, all was okay.
Though I've seen that if you don't keep the app updated, the Mac will freeze for a bit after a user logs in. Overall, the security team sees the Macs on their end to generate reports for what they need.
I am really enjoying Cylance. It's catching all sorts of PUP and AdWare that DOES affect the Mac. That said, I've largely used the excuse that AV on macs help to make sure we don't propagate other (Windows) malware while secretly preparing for the time when bad things did begin to show up on the mac.
[W]ith IBM using the built-in tools it's very hard for anybody to make a logical argument for a 3rd party solution
I believe that, but I can't find a source. How do we know IBM isn't using 3rd-party AV on Macs?
I've long been of the opinion that Macs don't need 3rd-party AV software, but it would bolster my argument if I could point to a quote from IBM's @ericwilliams or Fletcher Previn.
Our InfoSec won't even consider anything unless it has a fully controlled server side component for DAT file version reporting and pushing updates. XProtect doesn't even have any kind of user interface to get any information at all. They wanna know how many pieces of malware, and what kind have been found and exactly how they were handled. There is no way XProtect will ever be allowed to stand alone here especially since XProtect doesn't do anything with Windows malware.
New Jamf user here...
I've been using Bitdefender GravityZone since the beginning of the year and it's working well for me. While the main purpose was to pick up Windows malware before it gets passed on to other people from our Macs, it's been picking up browser hijacks on the Mac (Bitcoin miners mostly).
There's a decent web management interface that tells me what it's found and what it's done with the nasties. There are plenty of reporting options and I've set mine up to send me daily digests by email.
Bonus points for being reasonably cheap, cross-platform and for having a fairly lightweight performance footprint.
The biggest maintenance issue I have had is that every once in a while one of the Macs needs a restart to complete an update and there are odd things it has quarantined that I then have to go in and delete manually, usually mail attachments in Outlook.
Thanks, @gachowski ! I found the video. It's from JNUC 2016. Fletcher Previn is presenting, and it's at exactly 29 minutes into this video: https://www.youtube.com/watch?v=NLgvIarqdDM&t=29m0s
My transcription: "We rely on the native security features of macOS. That's things like SIP, Gatekeeper, Xprotect, uh, and FileVault, instead of third-party alternatives."
(I was very surprised to find out that all users are local admins!)
I've had pretty good success with Malwarebytes' enterprise offering, Malwarebytes Endpoint Protection (cloud hosted). It catches lots of browser hijacks and PUPs and PUMs on Mac. It doesn't yet have real-time protection though. On the plus side, that keeps it super lightweight. So we do twice daily scans. Been running on ~200 Macs for about 10 months without many problems.
I agree with many of the other comments here - you don't need much to protect Macs, but you have to check boxes come PCI, SOX, etc. audits. And Macs seem to be trending upward and getting more and more malware written for them.