Mac anti-virus thoughts

Jeff-JAMF
New Contributor

I'd appreciate anti-virus recommendations from those of you who deploy an AV
package in your environment, as well as hearing any reasons why you don't
run one. We're about 99% Macs (mostly 10.4, a few 10.3 clients) and have
all Mac servers (all OS X).

Thanks in advance,

Jeff Johnson
Technology Coordinator
Glendale-River Hills School District
2600 W. Mill Rd.
Glendale, WI 53209
jeff.johnson at glendale.k12.wi.us


ernstcs
Contributor III

Hi Jeff,

We've been running for quite some time now without any AV software, and to my knowledge have not run into anything as of yet. However, that doesn't mean we haven't been looking for a good solution. Macs can still pass along Windows based viruses in files, or if you have classic environments, they are still vulnerable.

I know that Nathaniel, and the fine folks over at Saint Paul Public Schools in Minnesota, were running Sophos, and that's a lot of machines they run. Sophos appears to have some of the best options for centralized management and deployment. I started to work with them to get a demo setup going, but ran out of time. Sophos will be very enthusiastic about getting you setup with a test and getting any help you need to do so.

Another product that in general has had good reviews is ClamXav (http://www.clamxav.com). It's free, but I think it has some drawbacks, too.

I haven't had a chance to look at Intego Virus Barrier. Symantec just gives me the chills thinking about it.

With the release of Leopard does this change what's necessary here, again? There are reviews out there, but it's sometimes hard to find those that aren't out of date and truly are geared towards the Mac. Many things I read..."What's the best antivirus program? Mac OS X!" I also see the "there hasn't been a 'virus' reported for Mac OS X in over 6 years so I don't run anything."

Now what should worry you is the stuff this article talks about, stopping people from getting in, preventing intrusion:
http://www.heise-security.co.uk/articles/print/98120

I think I helped? I'm not really sure...

Craig Ernst
Systems Management & Configuration
+-------------------+
University of Wisconsin-Eau Claire
Learning and Technology Services
105 Garfield Ave
Eau Claire, WI 54701
Phone: (715) 836-3639
Fax: (715) 836-6001
+-------------------+
ernstcs at uwec.edu

Not applicable

I can second the Sophos recommendation. Been using it for a few years and it has been good. I have a couple minor gripes about some of the prefs on the client being a bit unclear, but it has been working
seamlessly on a myriad of Mac models with no real problems or downsides for us since early in 10.3 all the way up to 10.4.10. We have never had any issues while installing software or images with Casper (or
in any other situations). It just doesn't get in the way for us.

The Sophos enterprise console was recently updated to v.3 and it is a real help in a mixed platform environment. They have added adware/spyware protection too, plus other goodies that can really make Win
security fairly painless.

Last I looked, clamav would detect viruses, but has no repair functionality, and it used to be dog slow. Has it been updated or improved recently?

One thing to consider is that if the Macs in question are normally run from managed (non-admin) accounts, they are pretty safe. Take the latest Trojan for example (http://www.macworld.com/2007/10/firstlooks/trojanhorse/index.php). No admin access, no real threat. Sophos (or perhaps Intego?) can still add a secondary level of protection.

Thanks,
Matt Corippo
Lindamood-Bell Learning Processes
IT Dept.

Not applicable

Disclaimer, I'm not the Sophos expert in our district, but I'm trying to
learn more.

Here is what I know about Sophos on our computers in Saint Paul Schools.
-It sucks on a Mac with less than 512 MB RAM. The on-access scanning
(which scans files as they are added or modified), called Intercheck, really
slows down the Finder. More than 512 MB RAM and a recent CPU, no problem.
-It doesn't have a scheduled scanning feature built in to the very sparse
GUI. However, the Unix command "sweep" can be setup with variables and run
as a cron job. We are working to test this on a couple Mac OS X servers
(to run at night) and on some clients that use mobile home directories.
-Composer packages that I make never seem to include the latest definition
updates. Not sure why, but after an install, we always need to run the
update right away and that works, but is annoying if you need to download 40
MB of definitions and updates.
-I have come across Macs that have Microsoft Word macro viruses and Sophos
cleans them easily. The only way we find out, though, is that someone tries
to send an infected .doc from their Mac to someone else via email and our
separate email anti-virus catches the infected file and cleans it. This
gives the recipient a blank file. So then we go back to the sender, run
a scan and clean them up. No biggie.
-Sophos seems to work pretty well on the Windows machines, when configured
correctly. I have had some problems removing some of the malware that gets
buried on PCs, but we are still using the older Enterprise console and SAV
6 --not the latest. We are going to be upgrading this year.

I have no idea what we paid for Sophos, but I bet it was a lot. We also
have nearly 16,000 desktops (Windows, OS X, OS 9).

Nathaniel Lindley

++++++++++
Learning Systems Specialist
Educational Technology
Saint Paul Public Schools
Saint Paul, Minnesota
nathaniel.lindley at spps.org
phone: 651-603-4929
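The scheduled-scan workaround Nathaniel describes (wrapping the Sophos "sweep" command-line scanner in a cron job because the GUI has no scheduler) is the kind of thing that is easy to get subtly wrong: a scanner that runs nightly but whose result nobody reads is no better than none. Below is an added example of such a wrapper, written for this page and not taken from the thread, Sophos or any of the posters. It assumes a `sweep` binary at /usr/bin/sweep, treats the `-archive` flag as a placeholder to be checked against `sweep -h` on the actual install, and assumes the savscan exit-code convention (0 clean, 1 interrupted, 2 error, 3 threats found); the scan root, log path and cron line are likewise assumptions.

```shell
#!/bin/sh
# sweep-nightly.sh: cron wrapper for the Sophos "sweep" on-demand scanner.
# Added example, not code from the thread or from Sophos.
# Assumptions (not stated in the posts): sweep lives at /usr/bin/sweep,
# "-archive" (scan inside archives) is a placeholder flag to verify with
# `sweep -h`, and sweep follows the savscan exit codes:
#   0 = clean, 1 = interrupted, 2 = scanner error, 3 = threats found.
SWEEP="${SWEEP:-/usr/bin/sweep}"
SCAN_ROOT="${SCAN_ROOT:-/Users}"        # e.g. mobile home directories
LOG="${LOG:-/var/log/sweep-nightly.log}"

# Build the command line in one place so a manual run and the cron run agree.
build_scan_cmd() {
  printf '%s -archive %s\n' "$SWEEP" "$1"
}

# Turn the exit status into one word, so the log can be grepped without
# remembering the numbers (and so an unexpected code is never read as "clean").
classify_exit() {
  case "$1" in
    0) echo clean ;;
    1) echo interrupted ;;
    2) echo error ;;
    3) echo infected ;;
    *) echo unknown ;;
  esac
}

# Run the scan, append a dated verdict line to the log, and print a warning
# to stdout only when a human needs to look (infections, scanner errors,
# or an exit code we do not recognise). cron mails any output it receives,
# so a clean night produces no mail and a bad night does.
run_nightly() {
  cmd=$(build_scan_cmd "$SCAN_ROOT")
  $cmd >>"$LOG" 2>&1
  rc=$?
  verdict=$(classify_exit "$rc")
  printf '%s %s rc=%s root=%s\n' \
    "$(date '+%Y-%m-%d %H:%M')" "$verdict" "$rc" "$SCAN_ROOT" >>"$LOG"
  case "$verdict" in
    clean|interrupted) return 0 ;;
    *) printf 'sweep on %s finished with status %s (rc=%s); see %s\n' \
         "$SCAN_ROOT" "$verdict" "$rc" "$LOG"
       return 1 ;;
  esac
}

# Only scan when explicitly asked, so sourcing this file for testing is safe.
# Assumed root crontab entry (02:30 nightly):
#   30 2 * * * /usr/local/sbin/sweep-nightly.sh run
case "${1:-}" in
  run) run_nightly ;;
esac
```

The important design point is the `unknown` branch: a wrapper that only checks for exit code 3 will silently treat a crashed or missing scanner as a clean run, which is exactly the failure mode John describes later in the thread (AV nominally installed but not actually protecting anything).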

John_Wetter
Contributor II

We're running Symantec. We centrally manage the Windows environment, but the mac environment doesn't allow the same integration at this point. We've been told they are updating their whole line this fall sometime, but I haven't seen it yet. We've looked at Sophos a couple times, but haven't been able to look at it enough to be convinced either way. On many of our older macs we run into the same problem Nathaniel did with Sophos. Everyone turns off the on-access scanners because they slow the computer down too much. Also, in many of our labs, they're disabled because testing programs and some of our keyboarding programs go nuts. So, I guess we are running AV, but I find myself asking why sometimes because it's disabled in most of the environments that I'd like to have an extra layer of protection on (labs and student use computers). I've had NAV catch a couple macros my Windows counterparts have sent my way, but that's about it. I got a NAV package made much more easily than I thought it would be. I packaged it up with our settings and also with the updates that make some pieces in it universal.

-John

Not applicable

We also use SAV and while it's OK, I'm disappointed that the client has not been updated in many months (still waiting for a Universal Binary version). Have not tested it on Leopard. Integration with their Windows Corporate edition monitoring dashboard is non-existent, so we have to use the non-integrated web reporting interface. I have not heard of any upgrade news but given the ever growing Mac base and the updated OS, Symantec is definitely due for a major refresh.

- Mike

Mike Riley
Director of Technology
Quarasan
405 W Superior
Chicago, IL 60610

talkingmoose
Honored Contributor II

Didn't the SAV 10.1 update make it a UB? I had thought it did.
On 11/1/07 10:17 AM, "Mike Riley" <mike at quarasan.com> wrote:

--

bill

William M. Smith, Technical Analyst
Digital Information Systems Support
Merrill Communications, LLC
(651) 632-1492

Not applicable

Our Symantec licensing download site access shows SAV 10.0 with Mac OS 10.3/10.4.7 compatibility. If 10.1 is out for Mac, I'll have to give our rep a call and ask what's the deal - thanks for the heads-up, William!

- Mike

talkingmoose
Honored Contributor II

I see my response yesterday went to Jeff instead of the group. I'm reposting
below...

Jeff-JAMF
New Contributor

Yes, it seems the ClamXav client for Macs is a virus checker, not a fixer.
http://www.clamxav.com/
"mcorippo" <mcorippo at lblp.com> on Thursday, November 1, 2007 at 2:14 AM -0600 wrote:

I ran it and it did successfully identify and quarantine several offending
files (all were Word docs infected with the "w97m.thus.gen" macro virus).

Sophos allows a 30 day trial of the client software and it disinfected the
files successfully.

Jeff