TweetFollow Us on Twitter

Real World Review: Sophos Anti-Virus for Mac, Home Edition

Volume Number: 27
Issue Number: 01
Column Tag: Real World Review

Real World Review: Sophos Anti-Virus for Mac, Home Edition

Enterprise-grade antivirus software, now free for home Macs

by Joshua Long

Introduction

Businesses are often required by laws and company policies to run antivirus software on all their computers, Macs included. In the home environment, however, there are no such requirements, and Mac users have debated for years about whether they should go to the trouble of running antivirus software. Is it really worthwhile to spend $40 every year to protect a Mac with commercial-grade antivirus software, or to endure the agonizing speed degradation commonly associated with AV? Thanks to Sophos, home users can now have quality protection without these frustrations.

Why Mac antivirus software?

Enterprise antivirus maker Sophos announced in November that they would begin offering a free Home Edition of Sophos Anti-Virus to all Mac users. The announcement came just one week after SecureMac and Intego had independently published information about new Java-based Mac malware spreading through Facebook and other sites, dubbed Boonana by SecureMac and identified as a variant of the Koobface malware by Intego.

Two weeks after the release of Sophos Anti-Virus for Mac Home Edition, Sophos released a report showing that a significant number of Macs running their software had been infected with malware. This malware included both Mac-native threats as well as plenty of Java-based malware, which Sophos pointed out "could easily be adapted to download Mac-based threats," as was the case with Boonana. Two Mac-specific threats, OSX/Jahlav-C and OSX/DNSCha-E, were each found on about 1 in every 100 Macs scanned. (For the full Sophos report, see http://macte.ch/sophos_stats).

Sophos vs the competition

Sophos' antivirus engine is one of the best on the market. In AV-Comparatives' (av-comparatives.org) November 2010 tests of proactive detection of new malware, Sophos Anti-Virus ranked in the top three PC antivirus products, earning the highest certification level (Advanced+). The tests also took into consideration the number of false positives, of which the Sophos engine had "few."

Let's take a look at how Sophos Anti-Virus Home Edition compares to other free alternatives for the Mac. The two most prominent freeware antivirus solutions are ClamXav (clamxav.com) and PC Tools iAntiVirus (iantivirus.com), and each is very different from Sophos.

ClamXav is free for anyone to use in any environment, from home computers to enterprise workstations. Although ClamXav does not provide on-access scanning of the whole computer, it can be manually configured to scan files that are downloaded or copied to specific folders, for example ~/Downloads and ~/Desktop. Like Sophos, ClamXav detects malware designed for any platform, as opposed to Mac-only malware.

PC Tools iAntiVirus is only free for home use, and although it does offer on-access scanning, it only detects Mac-specific malware. Neither ClamXav nor iAntiVirus is a comprehensive solution compared to Sophos. Of the three, only Sophos will detect infected Web pages and e-mail attachments as soon as they are downloaded, regardless of the threat's target platform.

I tested Sophos and ClamXav with several hundred samples that I've collected from infected computers, Web sites, and e-mails over the past couple years. ClamXav only detected about 75% as many files as Sophos, although ClamXav detected some files (particularly Windows adware) that Sophos did not detect. Neither one detected all the samples, which was expected; no antivirus solution detects 100% of infected or potentially dangerous files.


Figure 1 - Threat detected by Sophos Anti-Virus

Effectiveness

Unlike most full-featured antivirus solutions, the default settings of Sophos Anti-Virus do not automatically delete infected files or prompt users to do so. Instead, Sophos displays an alert informing the user that a threat has been detected, with options to open the Quarantine Manager or close the dialog box, and the latter is the default selection. Regardless of which option the user chooses, as long as Sophos' on-access scanner is enabled, the file is inaccessible and cannot be opened or even duplicated in the Finder or the Terminal (even using sudo).


Figure 2 - When a threat is found, Sophos denies access by default

If a malicious Mac application is detected by Sophos, attempting to open the application will result in two Mac OS X dialog boxes informing the user that they can't open the application because it is "not supported on this type of Mac." Thus, Sophos effectively quarantines the files in place.


Figure 3 - Malware is not supported on this type of Mac

Even trying to access quarantined files from another computer via a network share proves fruitless. I had Sophos running on an iMac and no antivirus software on a MacBook Pro. From the MacBook Pro I connected to an AFP share on the iMac and tried to copy a file from the iMac to the local hard drive. This resulted in a Mac OS X dialog box explaining that I did not have permission to access the file. I also tried to duplicate an infected file in-place on the network share, which caused the MacBook Pro's Finder to crash and relaunch (note to self: file a bug report). In any case, Sophos quarantines files on the local system in such a way that they cannot be accessed by remote systems.

Annoyances

One strange and annoying issue I've encountered is that Sophos Anti-Virus frequently grays out the Clean Up Threat button for items that should be easy for Sophos to delete on its own. For example, the action available for dealing with .zip files downloaded from parcel scam e-mails is Clean up manually, meaning that users must try to locate the infected files on their computer. This may or may not be easy, depending on whether the full path is shown in the Quarantine Manager; if the path or file name is too long, the path will be truncated, so you may have to use Spotlight or a third-party search utility to locate the file (refer to the screenshot of the Quarantine Manager). You cannot resize the window so there is no way to see the full path, and there is no Show in Finder option either.


Figure 4 - "Clean up manually"... okay, so what's the full path?

In other cases, instead of Clean up manually the available action will be Restart Mac instead, even when there's absolutely no reason why that should be necessary. I came across this after downloading fake ActiveX video codec malware, which consisted of nothing more than Windows .exe files. Why on earth would Sophos need to restart the computer to clean Windows executables that aren't in use? Worse still, restarting your Mac won't even clean up the threat; it will still be there in the Quarantine Manager after restarting.

Fortunately, Sophos did not gray out the Clean Up Threat button for the Mac OS X-specific threat I had it scan (a dangerous Space Invaders-style game called lose/lose which deletes files in the user's home directory when you destroy enemy spaceships); no manual deletion or restarting is required to clean that Mac-native threat.

Speed

Antivirus suites have a reputation of slowing down computers. In my testing, there was no noticeable decrease in system speed or usability after installing the Sophos software. I even tested it on a low-end Hackintosh netbook (a Dell Mini 10v with a 1.6 GHz Intel Atom processor and 1 GB RAM) and the system was still quite usable after installing Sophos.

Conclusion

For those who support Macs in a home environment, I recommend trying Sophos Anti-Virus for Mac Home Edition. Although there's currently only a small amount of Mac-specific malware in the wild, Sophos can protect Macs from other threats such as malicious JavaScript redirectors, Adobe Flash files that exploit known vulnerabilities (see Mike Hjörleifsson's CoreSec column in the MacTech November 2010 issue), multiplatform Java-based attacks like Boonana, and Windows-based malware that could accidentally be opened in a virtual environment like Parallels or VMware, and it can also discover infections on USB flash drives that you might have picked up from an infected PC unbeknownst to you.

It's time for us to put away our Smug Virus-Free Mac User shirts of yore and become more proactive at defending Macs from security threats. Three cheers to Sophos for lighting the way into battle.


Joshua Long has a master’s degree in IT concentrating in Internet Security, is a Security+ certified professional, and is currently earning a Ph.D. in Business Administration specializing in Computer and Information Security. Josh writes about malware and other information security topics at security.thejoshmeister.com. He is also the producer and host of MacTech Magazine’s official podcast, MacTech Live (www.mactech.com/live). You can follow him on Twitter @theJoshMeister or contact him via e-mail at jlong@mactech.com.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Latest Forum Discussions

See All

Monster Hunter Now introduces Driftsmelt...
One of the most fun parts of the Monster Hunter franchise, to me at least, is designing that perfect armour set to give you that optimal skill set you’ve been dreaming of. Unfortunately, you sometimes had to sacrifice fashion, but that won’t be a... | Read more »
A sorely overdue feature finally gets ad...
It’s a yo ho ho and the pirate's life and what have you, as Uncharted Waters Origin unveils its May update. This month we have the customary new mates including the historic Gentleman Pirate, a new entry to the Relationship Chronicle, and the... | Read more »
Brawl Stars veteran-backed Octopo Studio...
The 2024 PlayX4 B2B is kicking off tomorrow in Ilsan, lasting until the 26th in KINTEX Hall 1, and Octopo Studio has announced that they will be making an appearance. Shooting RPG Bounty Pang will be on show as the developers seek publishing... | Read more »
The Astral Express sets off to bring Hon...
After vanquishing yet another threat and adding a fine hat to their wardrobe, you’d think the crew of the Astral Express would be able to kick back after their adventures in Penacony. Clearly not though, as HoYo has announced the next leg of the... | Read more »
Dragons rein supreme in Pokemon Unite as...
If you were looking for the strongest type in Pokemon and asked the fanbase, I would wager most people's thoughts would turn to Dragon. They hit hard, are often powerful, and get used by some of the toughest trainers. Pokemon Unite is honouring... | Read more »
Players can take a peek into the design...
It doesn’t matter how much effort developers put into their classes, or how many special little mechanics there are; if there is one that wields two blades, I’m ignoring everything else. Diablo Immortal recently announced such a class in the shape... | Read more »
Android users have a new option in the c...
When you are in the thick of a firefight or trying to pull off a mid-combat parkour flip through a squad of foes, sometimes touchscreen control just won’t do it for you. For those intense sessions, you could benefit from a good mobile controller,... | Read more »
Jagex releases the first of three origin...
At this point, I am sure everyone has heard of Runescape, and or Runescape Classic. It has been going strong for 23 years, with constant content and story coming out. Luckily for fans of the game, or fantasy in general, Jagex has announced an... | Read more »
Watcher of Realms unveils new story and...
Watcher of Realms players are in for quite the feast this month, as Moonton release two powerful new heroes, including one that will burst down even the most mighty of foes. Recruit your new friends, and then burn through the Main Quest expansion... | Read more »
Reverse: 1999 continues its trip down un...
The field trip to Australia continues in Reverse: 1999 as Phase 2 of Revival! The Uluru Games kicks off. You will be able to collect new characters, engage with new events, get hordes of free gifts, and follow the story of a mushroom-based... | Read more »

Price Scanner via MacPrices.net

Apple retailers offer MacBook Airs starting a...
Our Apple award-winning MacBook Air Price Trackers are continually updated with the latest information on prices, bundles, and availability for 13″ M3, M2, and M1 MacBook Airs and 15″ M3 and M2... Read more
Apple now selling iPhone 14 models starting a...
Apple has unlocked Certified Refurbished iPhone 14 models in stock starting at $619 and ranging up to $230 off original MSRP. Apple includes a standard one-year warranty and new outer shell with... Read more
Memorial Day Weekend Sale: Apple AirPods Max...
Apple retailers have AirPods Max headphones on sale for $100 off MSRP as part of their Memorial Day Weekend sales. The sale price is valid for all colors at the time of this post. Shipping is free... Read more
Get a 14-inch M3 Pro/M3 Max MacBook Pro for u...
Apple has 14″ M3 Pro and M3 Max MacBook Pros in stock today and available, Certified Refurbished, starting at $1699 and ranging up to $480 off MSRP. Each model features a new outer case, shipping is... Read more
Clearance 14-inch M2 Pro MacBook Pros with 16...
Apple has clearance 14″ M2 Pro MacBook Pros with 16GB of memory available, Certified Refurbished, starting at $1599. Each model features a new outer case, shipping is free, and an Apple 1-year... Read more
While it lasts: M1-powered Mac mini for only...
Apple has restocked clearance M1-powered Mac minis in their Certified Refurbished section for only $469. Each mini comes with Apple’s one-year warranty, and shipping is free. The following model is... Read more
Apple has SE and Series 9 Apple Watches in st...
Apple has a full line of Certified Refurbished Apple Watch Series SE models available in their online store for $40-$50 off MSRP, starting at $209. Each Watch includes Apple’s standard one-year... Read more
Amazon is blowing out clearance 13-inch M1 Ma...
Amazon has clearance Apple 13″ M1 MacBook Airs on Memorial Day sale for $300 off original MSRP, only $699. Their prices are the lowest available for new MacBooks this Holiday shopping season. Stock... Read more
MacBook Sale! 13-inch M2 MacBook Airs are onl...
Best Buy has Apple 13″ MacBook Airs with M2 CPUs in stock and back on sale this week on their online store for $150 off MSRP in Space Gray, Silver, Starlight, and Midnight colors. Prices start at... Read more
Apple increases iPhone trade-in values ahead...
Get up to $650 on the purchase of new or refurbished iPhone at Apple using their official Trade In program, now with increased values ahead of WWDC 2024. Trade in your old iPhone, and Apple will... Read more

Jobs Board

Nursing Assistant - *Apple* Hill Surgical C...
Nursing Assistant - Apple Hill Surgical Center - Post Anesthesia Care Unit - Day Location: WellSpan Health, York, PA Schedule: Full Time Sign-On Bonus Eligible Read more
LPN-Physician Office Nurse - Orthopedics- *Ap...
LPN-Physician Office Nurse - Orthopedics- Apple Hill Location: WellSpan Medical Group, York, PA Schedule: Full Time Sign-On Bonus Eligible Remote/Hybrid Regular Apply Read more
DMR Technician - *Apple* /iOS Systems - Haml...
…relevant point-of-need technology self-help aids are available as appropriate. ** Apple Systems Administration** **:** Develops solutions for supporting, deploying, Read more
Independent Optometrist- *Apple* Valley, CA...
Independent Optometrist- Apple Valley, CA- Target Optical Date: May 23, 2024 Brand: Target Optical Location: Apple Valley, CA, US, 92308 **Requisition ID:** Read more
Solutions Engineer - *Apple* - SHI (United...
**Job Summary** An Apple Solution Engineer's primary role is tosupport SHI customers in their efforts to select, deploy, and manage Apple operating systems and Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.