anti-virus software

I have run mostly the web protection module portion of this sprawling app, Sophos Endpoint, for years without problems. However, recently I began to have very slow page loads with certain sites, including (especially) Facebook. Sometimes the loads would stall for moments and then load; sometimes the stalls were interminable. I use Safari but was able to replicate this effect with Chrome.

I tried the usual troubleshooting steps of orderly elimination of extensions, etc. to no avail. I finally got around to disabling Sophos--a misnomer because you cannot disable it; there are processes that won't die. So I uninstalled it.

Immediately, I noticed a return to the normal, fast speeds I had been used to for years, and this happy result has endured for three days. I had always viewed Sophos as having low resource overhead. I am going to hazard a guess that one of the recent macOS updates or security updates relating to Intel's botched microcode design upset something.
 


Anyone know of an antivirus or anti-malware product that would work on Snow Leopard? I've got an old laptop with Mac OS X 10.6.8, and most of the products I see (I've looked at Avast, Sophos, Malwarebytes) require a newer version of the OS.
 


Ric Ford

MacInTouch
Anyone know of an antivirus or anti-malware product that would work on Snow Leopard? I've got an old laptop with Mac OS X 10.6.8, and most of the products I see (I've looked at Avast, Sophos, Malwarebytes) require a newer version of the OS.
You should be able to run an anti-virus app on a newer Mac to examine the old system's drive (e.g. boot it in Target Disk Mode).

That said, ClamXav seems to be compatible with Mac OS X 10.6.8 (and later).
 


A better solution might be to never put a Mac running Mac OS X 10.6.8 on the Internet. It has not received any security updates for years from Apple. I consider this more important than any anti-virus software.
 



A better solution might be to never put a Mac running Mac OS X 10.6.8 on the Internet. It has not received any security updates for years from Apple. I consider this more important than any anti-virus software.
There's a big difference between possible and probable. Are there reports of Snow Leopard being exploited after it stopped getting updates?

Until recently I ran several Snow Leopard Macs that sat directly on the Internet. The only security issue was when OS X Server had its web home page defaced. This happened three times in nine years.

Since there are no up-to-date web browsers for Snow Leopard, cruising the web (vs. going to known secure sites) is risky.

I'm running Snow Leopard 24/7 on my SpamSieve mail drone. It's on a LAN behind my VPN router. The only way this Mac could get attacked is from a man-in-the-middle attack. The probability of that is so small, I feel safe ignoring it.
 





Ric Ford

MacInTouch
Last month I was looking for a version of MalwareBytes that would run on Snow Leopard, and couldn't find any info on their site. Does anyone know which version was the last to support 10.6.8?
I just did a quick check, and Malwarebytes required OS X 10.7 back in 2017. Before that, I don't think there was a Mac version of this excellent anti-malware app for Windows. (Malwarebytes for the Mac was derived from Thomas Reed's Adware Medic, I believe - Thomas joined the company in 2015.)
 


Last month I was looking for a version of MalwareBytes that would run on Snow Leopard, and couldn't find any info on their site. Does anyone know which version was the last to support 10.6.8?
There never was a version that ran on 10.6.8. I'm not even sure that its predecessor, Adware Medic (no longer supported), did, although I believe his even earlier Adware Removal Tool (AppleScript-based) did.
 





Malwarebytes has released an iOS app: Malwarebytes For iOS.
It's in the App Store at: Malwarebytes Mobile Security.

I downloaded it and bought the premium subscription (1 year, which has a 1-month trial). The setup instructions were concise and easy to follow. If it works as seamlessly and effectively as the Mac app, I'll be very pleased.

It's only got 9 ratings - the average is 5 stars.
 


A month ago, Sophos simply by fiat "upgraded" my basic install to "premium." Supposedly a "free trial."

I could see no change in any behaviors other than Sophos started to declare that my daily Carbon Copy Cloner backups were "ransomware" (I was able to get it to fix this), and it persistently announced that my "microphone is activated" during all sorts of routine Finder operations, use of Grab, etc.

I expected all of this bizarre false-positive activity to go away when the "free trial" ended. However, despite several warning emails from Sophos about the end of the trial -- and the offer to sell a subscription -- now that the period is over, Sophos has not reverted to its prior functions. Worse, trying to turn these premium "features" off in the preferences settings does not actually turn them off but, instead, merely changes the menu bar icon to an alarming orange color with the warning "computer is vulnerable."

Has Sophos become spy/malware? How dare it reach into our computers and take control in this fashion? Is there any alternative other than to uninstall it? Is it even possible to uninstall it?

Thanks for any insights.
 


Has Sophos become spy/malware? How dare it reach into our computers and take control in this fashion? Is there any alternative other than to uninstall it? Is it even possible to uninstall it?
I know I didn't care for the recent behavior of the app/company so I got rid of it and eventually settled on Malwarebytes. Previous incarnations placed a Sophos folder with an Uninstaller within the Applications folder. If I recall correctly, I used this to remove the application. Afterwards I ran EasyFind to gather any loose leftover items on the drive and moved them to the Trash. I always do this if using an application uninstaller just because I want to make sure everything is gone.
 


Many thanks.
I used to have Sophos installed on my mid-2010 ('Snow Leopard'). I uninstalled it, because it became too processor-intensive (?) and was a drag on the speed and functionality of the entire system.

I now have Avast installed and configured, and it does everything that needs to be done without being the memory hog Sophos became. I don't know if that happened because of 'updates' that were done without notification or some other cause. Don't care. It's gone. After reading comments here about what Sophos has become, I'm even happier I dumped it.

You should be very pleased with the way Avast works to protect your Mac. It's lean and low-to-the-ground operationally, and it stays out of the way unless it notices something it thinks you should know (how's that for anthropomorphism?).
 


A month ago, Sophos simply by fiat "upgraded" my basic install to "premium." Supposedly a "free trial."
I could see no change in any behaviors other than Sophos started to declare that my daily Carbon Copy Cloner backups were "ransomware" (I was able to get it to fix this), and it persistently announced that my "microphone is activated" during all sorts of routine Finder operations, use of Grab, etc.
I expected all of this bizarre false-positive activity to go away when the "free trial" ended. However, despite several warning emails from Sophos about the end of the trial -- and the offer to sell a subscription -- now that the period is over, Sophos has not reverted to its prior functions. Worse, trying to turn these premium "features" off in the preferences settings does not actually turn them off but, instead, merely changes the menu bar icon to an alarming orange color with the warning "computer is vulnerable."
Has Sophos become spy/malware? How dare it reach into our computers and take control in this fashion? Is there any alternative other than to uninstall it? Is it even possible to uninstall it? Thanks for any insights.
You must have Sophos Home for Mac (vs. Sophos AntiVirus for Mac Home Edition).

Sophos Home's settings and features are controlled from a web site (at cloud.sophos.com). The idea is that you can control all registered devices from one site.

Recently Sophos Home added new features, enabled by getting a "Premium" license. For free, you get the same antivirus and web protection as it always had; for extra $, it adds ransomware protection, privacy protection and malicious traffic detection. Note that these are all new features.

There is only one installed product for both the free and Premium features. When Sophos Home auto-upgraded to the latest version, it picked up the ability to do the Premium stuff.

Sophos sent an email and automatically enabled the Premium level for 30 days. They were able to do this because your license level is controlled by the cloud.

I don't think that the temporary bump to Premium level automatically turned on any of the premium features. If I recall correctly, it just set it so that you could turn them on. I can't remember for sure; it may be that at the start of the trial I turned the new features off.

If you're getting Mic alerts it means that you have Mic Protection turned on in the Privacy section.

If you can turn that on and off, it would mean that it still thinks you are at the Premium license level. Once the license drops back to the Free level, the switches for webcam and mic protection are greyed out.

But anyway, turning off the privacy features doesn't set the status to "computer is vulnerable". It would only do that if you turned off Real-Time Protection.

Try logging in to the Sophos Home account, click on your name in the upper right corner, select Settings, unlock with your Sophos Home password, and then check the License section on the right. Does it say "Free"? Or something else?
 


I guess Mark Allan doesn't read here to see how much we love subscription software. I shall not be converting to ClamXAV 3 and its subscription-only model. Time to go back to Sophos, I guess.
 


Ric Ford

MacInTouch
I guess Mark Allan doesn't read here to see how much we love subscription software. I shall not be converting to ClamXAV 3 and its subscription-only model. Time to go back to Sophos, I guess.
Ironically, I had just deleted ClamXAV 2 from my system because of its terrible performance - extremely long delays doing basic things (e.g. scanning an individual file). I'm more concerned with the performance of the new version than its modest subscription price, which would be warranted if it's very good at what it does, and I think Mark deserves credit for providing anti-virus tools for the Mac over the years (and freely for much of that time).

I would expect Sophos to be troublesome, based on past reports.

My current choice is Malwarebytes, which is also subscription-based ($39.99/yr.) but can be used free of charge to do manual scans.

I also recommend DetectX Swift and EtreCheck, which are different tools and very useful ones.
 


Ironically, I had just deleted ClamXAV 2 from my system because of its terrible performance - extremely long delays doing basic things.
Just yesterday I pondered whether I should delete ClamXav from my system because of the poor performance. The last few updates have impacted performance significantly.

The new version notes an improvement in performance. However, I'm reluctant to upgrade from a perpetual license (v2) to a subscription license (v3) to fix a problem that was introduced in v2.
 


FYI. For ClamXAV 2 users, there are discounts available even if you didn't purchase within the last few months. The discount offered me as a licensed user made the cost attractive to me as opposed to paying for Malwarebytes or using another scanner. Better the devil you know, as my experience with PC (Windows) virus scanners is that that software itself is a virus.

While at times ClamXAV has been slow—particularly when invoking it manually on a single file or folder (via Services)—generally, ClamXAV has not gotten in the way of my usage. However I usually restrict it to scanning a few folders, such as Downloads and the mail attachments folder, which are the point of entry. I do not want to scan everything that launches, as some scanners do. I also avoid scanning VM disks or other large files originating from my machine.

All that ClamXAV has ever revealed has been PC-related viruses in mail attachment files.

Out of curiosity - anyone try using Folder Actions scripts with Malwarebytes or another passive scanner?
 


Just yesterday I pondered whether I should delete ClamXav from my system because of the poor performance. The last few updates have impacted performance significantly.
The performance problems are believed to be due to some poorly written bytecode signature or two provided by Cisco-Talos/ClamAV rather than the ClamXAV UI. I know they are aware of it but seem to be having a problem cleaning them all out.

There have been some improvements made to streamline the ClamXAV performance and reduce CPU use in V3. Sentry is much more powerful and will actually watch your entire computer by default without adversely affecting computer use. If you have specific areas you don't want to be scanned, you should drag and drop them into the Exclude Files section in the Settings area for your hard disk.

Virus definition updates for ClamXAV 2 will cease on 31st October. However, ClamXAV 2 will accept a V3 subscription registration key in order to continue receiving updates. That's good news for OS X 10.6.8 through 10.9.x users who will not be able to use V3. Don't download and install V3 until you are ready to try it out, as it will remove V2 in the process. Or at least make sure you have a backup V2 installer, in case you want to revert.
 


I was also contemplating giving up on ClamXav due to performance problems. The move to a subscription model pretty much sealed it for me.

Several months ago I noticed that ClamXav was scanning directories that I didn't want scanned, including my Photos library and Applications directory. These scans seemed to happen at random times and consumed vast amounts of CPU time.

The log file that includes one of the scans is over three million lines long (yes, over 3,000,000) and contains the same error message repeated over two million times (2,000,000). Customer support seems to have no clue. One piece of advice they gave was:
"you can abort the current scan if it appears to be using 100% CPU for an excessive amount of time."
Another was:
"Can you please try re-installing the scanning engine?"
Since the errant scans happen so randomly I still can't be sure if the final suggestion worked.

Here's some info on the out-of-control log file:
Code:
MrMuscle:logs mnewman$ ls -la ClamXavSentry-scan.log20180804.log
-rwxr-xr-x@ 1 mnewman  staff  195707542 Aug  4 06:22 ClamXavSentry-scan.log20180804.log
MrMuscle:logs mnewman$ wc -l ClamXavSentry-scan.log20180804.log
3313217 ClamXavSentry-scan.log20180804.log
MrMuscle:logs mnewman$ grep -o "Could not connect to clamd" ClamXavSentry-scan.log20180804.log | wc -l
2068379
 


I guess Mark Allan doesn't read here to see how much we love subscription software. I shall not be converting to ClamXAV 3 and its subscription-only model. Time to go back to Sophos, I guess.
I've tried Sophos repeatedly over the last few years, always thinking/hoping that "this will be the time that I stick with it," and always (eventually) remembering why I abandoned it the previous time: Very slow, laborious scans that tie up my entire system, conflicts with a host of applications, etc. (the list goes on)...

Since swearing off Sophos "for good," I also have subscribed to Malwarebytes, and have remained problem free -- and with no (zero) issues involving lags or application conflicts. Count me as a "believer."
 


Just yesterday I pondered whether I should delete ClamXav from my system because of the poor performance. The last few updates have impacted performance significantly. The new version notes an improvement in performance. However, I'm reluctant to upgrade from a perpetual license (v2) to a subscription license (v3) to fix a problem that was introduced in v2.
I used to use ClamXav when it was free, just for the protection from Windows malware, but it was never very good at detecting Mac malware. Once it went to a paid version, not only did its performance decrease, but when tested against all the other Mac antivirus software, it came in last at detecting Mac malware.

Nowadays, for free versions that are active resident for malware, I use either Avira or Avast - both are good and not terrible in affecting performance.

Avast does have one terrible effect that sometimes it will suddenly start to prevent you from going to any website, with malware notices that site is infected (false signal) - not sure why, maybe to get you to upgrade to the paid premium version. Only thing to do then is to uninstall it and install Avira.

I also highly recommend Malwarebytes. You will have to pay for it to get the active monitoring, but the free version allows you to manually run scans, and I have found it to be the best in finding malware. Also true for the Windows OS.

I have been doing computer service on Macs since the late '80s and a little Windows work, but 90% is on Macs, and since the subscription model for buying software came out, I have found that generally means a decrease in quality over time and, of course, trying to make sure that customers are locked in.

In my opinion, a permanent license model makes for better software upgrades. At the same time, developers need a smoother steady income to continue improvements and stay in business. This is the hardest task, to find the right price point. I will sometimes tolerate subscription software, if you decide not to renew and the software still allows for read-only mode, but when they completely lock you out of even a preview look is when I avoid that software.
 


Am I wrong that ClamXav only provides the OS X program but relies completely on someone else's efforts at adding to the virus database? If subscriptions are here, I am just as concerned about the health of the people who understand each new virus and maintain the virus signature database. Most of any subscription cost should be going to them. Does anyone know who manages these virus databases that Clam, Sophos, etc. use?
 


Ric Ford

MacInTouch
Does anyone know who manages these virus databases that Clam, Sophos, etc. use?
Here's some more info from ClamAV (not ClamXAV):
Cisco said:
Getting a copy of the latest virus database
The most important factor for an antivirus’s efficiency is to be up to date. ClamAV comes with a tool to update the virus database automatically: its name is freshclam.

freshclam looks up the TXT record associated with current.cvd.clamav.net and extracts the latest database version available from the string returned. If the local database is outdated, freshclam tries to connect to the hostnames listed in freshclam.conf (DatabaseMirror directive). If the first server in the list fails or the latest database is not available on that mirror (e.g. in case there has been a problem sync’ing the mirror), freshclam will sleep for 10 secs and then try again with the next one, and so on.

After freshclam downloads the new database, it sends a notify to clamd (if active) to reload the database.
Here's more about virus signature sources:
StackExchange said:
Where Does ClamAV Get Its Virus Signatures?
ClamAV belongs to Cisco and its Talos Group. Cisco acquired Sourcefire, the makers of Snort and ClamAV in late 2013.
...
Many big contributors are antivirus vendors and security companies:

Each update contains information about the sender, some mention Virus Total, VRT Sandbox and others.

Generally antivirus vendors, security researchers and contributors collaborate and share samples.
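As an added illustration of the freshclam check the quoted Cisco text describes (this is example code, not ClamAV's own source), the Python below parses a TXT record of the kind returned for current.cvd.clamav.net and the 512-byte header of a local .cvd file, then reports which databases are behind. The sample record and headers are constructed; the field positions for main, daily, timestamp and bytecode follow freshclam's usage, and the remaining fields are deliberately left uninterpreted.

```python
"""Stand-alone illustration of the freshclam version check: compare the
database versions advertised in the current.cvd.clamav.net TXT record
with the versions recorded in local .cvd headers.  Example code only."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Field positions in the colon-separated TXT record.  main (1), daily (2),
# timestamp (3) and bytecode (7) match freshclam's usage; the other
# positions are not interpreted here (assumption: treat them as opaque).
TXT_FIELDS = {"main": 1, "daily": 2, "bytecode": 7}
TXT_TIMESTAMP = 3
CVD_HEADER_LEN = 512  # a .cvd starts with a 512-byte ASCII header

# Constructed sample data (not real ClamAV output).
SAMPLE_TXT = '"0.103.8:62:26900:1686400000:1:90:49192:334"'
SAMPLE_MAIN_HEADER = (
    b"ClamAV-VDB:21 Jun 2021 10-41 -0400:62:4566249:60:"
    b"MD5PLACEHOLDER:DSIGPLACEHOLDER:builder:1624286483").ljust(CVD_HEADER_LEN, b"\x00")
SAMPLE_DAILY_HEADER = (
    b"ClamAV-VDB:09 Jun 2023 08-00 -0400:26899:2042000:90:"
    b"MD5PLACEHOLDER:DSIGPLACEHOLDER:builder:1686312000").ljust(CVD_HEADER_LEN, b"\x00")


@dataclass
class DnsRecord:
    clamav_version: str          # latest ClamAV release advertised
    db_versions: Dict[str, int]  # main / daily / bytecode versions
    published: int               # Unix time the record was published


def parse_txt_record(txt: str) -> DnsRecord:
    """Parse the TXT answer.  A malformed answer is rejected outright:
    an update client must never act on a record it cannot fully parse."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 8:
        raise ValueError(f"unexpected TXT record: {txt!r}")
    versions: Dict[str, int] = {}
    for name, idx in TXT_FIELDS.items():
        if not fields[idx].isdigit():
            raise ValueError(f"non-numeric {name} version in TXT record")
        versions[name] = int(fields[idx])
    if not fields[TXT_TIMESTAMP].isdigit():
        raise ValueError("non-numeric timestamp in TXT record")
    return DnsRecord(fields[0], versions, int(fields[TXT_TIMESTAMP]))


def parse_cvd_version(header: bytes) -> int:
    """Extract the database version from a .cvd header of the form
    ClamAV-VDB:<build time>:<version>:<sigs>:<flevel>:<MD5>:<dsig>:<builder>:<time>"""
    text = header[:CVD_HEADER_LEN].split(b"\x00", 1)[0].decode("ascii", "replace")
    parts = text.split(":")
    if len(parts) < 9 or parts[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV-VDB header")
    return int(parts[2])


def outdated_databases(record: DnsRecord,
                       local: Dict[str, Optional[int]]) -> Dict[str, Tuple[Optional[int], int]]:
    """Return {name: (local_version, remote_version)} for every database
    that needs downloading.  A database that is absent locally (None)
    always counts as outdated, which is what a fresh install looks like."""
    result: Dict[str, Tuple[Optional[int], int]] = {}
    for name, remote in record.db_versions.items():
        have = local.get(name)
        if have is None or have < remote:
            result[name] = (have, remote)
    return result


def check_sample() -> Dict[str, Tuple[Optional[int], int]]:
    """Run the comparison on the constructed sample data."""
    record = parse_txt_record(SAMPLE_TXT)
    local = {"main": parse_cvd_version(SAMPLE_MAIN_HEADER),
             "daily": parse_cvd_version(SAMPLE_DAILY_HEADER)}  # no bytecode.cvd present
    return outdated_databases(record, local)


if __name__ == "__main__":
    for name, (have, want) in check_sample().items():
        print(f"{name}: local {have} -> mirror has {want}")
```

Only the TXT lookup itself is omitted: in practice the record string would come from a DNS resolver, and freshclam then fetches the newer files from the configured DatabaseMirror hosts.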
 



FYI: Where I work, they are looking to (finally) replace the horror that is McAfee with Crowdstrike. However, I don't believe it’s available except for commercial/business deployment.

Meanwhile, like others, I've removed ClamXav from any Macs and either recommend Malwarebytes AntiMalware (Mac) free version (for those who can run scans when they want) or pro version (for those that have no clue).

Sophos is the next recommendation, and that is based on a colleague who has deployed the Endpoint Protection version on a few dozen Macs (and used web-based admin, as well).

FYI, SophosAV for Home has a free version, but after a 30-day trial, certain features (available in Premium) are disabled.
 


Well, I listened to you on Sophos, and tried installing Avast. I was a bit alarmed at its way of working - rather than, say, simply scanning my e-mails, it was connecting to all my mail servers. (I know, as it drove Little Snitch crazy with incessant demands to connect to mail servers, sites bookmarked in Safari, etc.)

So, much as I dislike the subscription model, I ended up with a subscription to Malwarebytes for my MacBook Pro, and the iMacs that run my scanners and handle my array of backup disks will have to manage with Avast.
 


Am I wrong that ClamXav only provides the OS X program but relies completely on someone else's efforts at adding to the virus database?
No, the ClamAV scan engine and the database it provides have become only a small part of what ClamXAV provides to macOS users. Specifically, the additional database provided currently contains over 1.6 million macOS-only signatures. It also has a unique QuickScan engine that is triggered each time something is added or changed in locations where malware is commonly installed.
 


Is there a way to manually get the updates and install them?
It is possible to download those parts of the database provided by Cisco/ClamAV. However, they only contain a fraction of the number of macOS-related signatures available to ClamXAV users. In order to obtain those additional signatures, the user will have to have a subscription.
 


Here's some more info from ClamAV (not ClamXAV):
ClamXAV unique signatures are completely managed by the ClamXAV signature team. They obtain malware samples from three sources, the primary being VirusTotal. Second most used source is from users who either submit them via the webpage provided or using a diagnostic tool which uploads suspected malware files for examination. Lastly, the developers of ClamXAV, Malwarebytes for Mac and DetectX actually collaborate occasionally on newly discovered variants, sharing both samples and analysis among themselves and a select number of Mac malware security specialists.
 


Computational load and cost structure aside, does anyone have any data that says one anti-virus/anti-malware is better than another in detecting macOS viruses and malware?
 


I installed ClamXAV yesterday, to see how the new version worked. I turned off scanning on several of my attached volumes. This morning I powered up, only to find ClamXAV eating up a significant amount of my processor, scanning the very volumes I told it to ignore.

I uninstalled it, and returned to my favorite of several years now: BitDefender. It has a top detection rate, and remains the lightest on system resources, at least as near as I can tell.
 


I like Malwarebytes, too, but do they limit their scan to common adware/sleazeware? How else could their scans take a tiny fraction of the time that all the others do? It's minutes vs hours.

I've assumed that ClamXAV's QuickScan, if I understand it right, is an answer to Malwarebytes' speed. For my clients, I usually do a Malwarebytes scan (or multiple scans as needed), then start a comprehensive scan (ClamXAV, but I think it could just as well be another), and leave, with an agreement that they call me when the scan is done.
 



Ric Ford

MacInTouch
Here's some background on Malwarebytes Mac's speed:
PC Magazine said:
Malwarebytes for Mac Premium
Most antivirus programs include the option to scan your entire Mac for malware. Many also offer a quick scan that just looks for active malware and for malware traces in common locations. However, a full scan is counter to the Malwarebytes philosophy. The company's thinking goes like this: If you really have an infection, the quick scan will see that there's a problem and remediate it. All a full scan could find beyond that is static malware that's inert and not doing any immediate harm.

Indeed, a scan of the Apple MacBook Air 13-Inch that I use for testing finished in about 15 seconds. That's darned fast, considering that the average quick scan time for recent products is more than four minutes.

All of the other products I've reviewed recently aim to detect and eliminate Windows-based malware as well as malware focused on the Mac. The idea is that this prevents the Mac from becoming a Typhoid Mary, carrying infection without being affected. Malwarebytes has no interest in malware that can't even run on the Mac, so it ignores Windows malware.
 

