
17th December 2015

created by Markus Selinger

More Security for Mac OS X: 13 Security Packages Put to the Test

Those really wanting to be on the safe side with their Mac OS X use protection software. The market offers freeware
suites or paid programs that come with a bunch of good extras. AV-TEST tested 13 applications for their security and
performance, yet only certified 10 of them.
Mac pros repeatedly declare that Mac OS X is built so securely that no additional protection software is needed. But every year,
experts discover new waves of attacks on Macs or safety gaps. In June 2015, for example, security researcher Stefan Esser
discovered that just a few shell commands are sufficient to gain access to root-level privileges under OS X 10.10. In September
2015, it became known that an infected version of the development environment, Xcode, had been pawned off on app
developers. This version, or the malware resulting from it, was then named XcodeGhost. The produced apps, including
XcodeGhost malware, subsequently ended up in the App Store. Apple didn't realize they were infected, however. Furthermore, at
the beginning of October 2015, an expert discovered how to defeat the security tool Gatekeeper embedded in OS X, thus
installing an app that subsequently unloads malware into the system.

A lower number of malware threats doesn't make Mac OS X safer


While the number of known malware threats for Windows has already surpassed the 450 million mark, the number for Mac OS X
malware is only around a few thousand. But afflicted users know that even one malware specimen is enough to ruin your whole
day. Attackers are currently focusing on infiltrating systems with infected apps. Naturally, they are aware of the general security
barriers of Mac OS X. That's why the above-mentioned attacks are successful. With a good security suite, Mac OS X users can
raise their system to the greatest possible level of security.

13 programs put to the test, 3 fail


In the lab at AV-TEST, 13 products were tested in terms of their protection function, false positives and speed. In their protection
function, the applications were required to identify and liquidate new, still unknown malware threats. Compared to the last tests,
such as in April 2015, more products have now achieved an excellent detection rate. The solutions from Avast, Avira,
Bitdefender, ESET, Kaspersky, SentinelOne, Sophos and Symantec identified 100 percent of the threats in the test. Of particular
interest is the result from SentinelOne. As a product of the latest generation, it works without a signature database to identify
malware. For analysis, it only uses the technology of behavior-based detection.
The additional security suites delivered lower results. Coming in last were the solutions from ClamXav, Webroot and F-Secure
with detection rates of only 76.2 to 88.1 percent. That is why these three solutions did not receive a security certificate from AV-TEST. All the others did.

No significant false positives


It's always annoying for the user when security products falsely detect benign files or block the launch of apps. But in this test
segment, the lab has nothing but praise. Only ClamXav falsely flagged a clean file. All other system watchdogs exhibited error-free friend-or-foe detection. In the subsequent test, apps were also installed and launched. In this case, the suites did not sound
a single false alarm.
Although the test for potentially unwanted applications ("PUA" for short) does not yet play any role in this certification, the
laboratory still performed it behind the scenes. Avira, Bitdefender, ESET, Intego, Symantec and SentinelOne already did a good
job. All the other products could still use some improvement in this area. Some manufacturers have a very differentiated view of
what is a PUA and what is not, and offer a wide latitude in their approach. They allow some disputable applications to continue to
run undisturbed, whereas other manufacturers block these programs.

Lots of applications slowing down the system

Users repeatedly complain that an installed suite slows down their system. The laboratory found out in its speed test whether
this is really true or only imagined. To do so, 26.6 GB of data were copied onto a reference system, MD5 hash values were
calculated for files and a set of files was downloaded. In total, these tests took 146 seconds on the reference system.
Afterwards, the tests were repeated; naturally with each of the installed security suites. The best performers in this category
were the products from ClamXav, Panda, Bitdefender and Symantec. They slow down the system by about 10 percent, a value
that is not really noticeable in daily use. For Sophos, this value increases to 20 percent, Avira already jumps to 40 percent,
SentinelOne to 80 percent, and for F-Secure, it is already over 120 percent.
The application finishing last in this case is Avast, as it works differently for downloads: it already scans the downloaded file
during the download. This may be secure, but it also takes a lot of time. The other products only scan the file once it has arrived
and is executed.

Useful extras
Some paid programs offer extra features such as an anti-spam function, safe browsing, a firewall, parental control routines or a
backup function. The freeware system watchdogs generally do not offer any additional functions.
None of the commercial products delivers all the above functions in one package. Rather, all the solutions offer one, two or three
extra features. The security packages from Intego, Kaspersky and Symantec throw in the most additional features. Some also
even offer a system cleaning tool or functions for secure payment on the Internet.

Conclusion: There are many secure products, and many put the brakes on the system in daily use
A total of eight of the products examined detected 100 percent of the malware threats in the test. These even include three
freeware products in the mix. But if you are seeking a solution with the best security performance at the lowest system load, the
field narrows considerably. The ones that remain are Bitdefender Antivirus for Mac and Symantec Norton Security with 100
percent detection with roughly 10 percent additional system load. Both are paid products.
Those looking for a freeware solution can turn to Sophos Anti-Virus. It also detected 100 percent of the threats in the test, but it
slowed down the system by 20 percent. The other freeware products from Avira and Avast do detect everything error-free, but a
system slowdown of 40 or 170 percent is not acceptable.
Our tip: Some versions of security software offered via the App Store differ from the version on the manufacturer's website. The
version offered directly from the manufacturer often includes more additional features.

Protection for Mac OS X: All just a case of Chicken Little?

Many users are of the opinion that security experts exaggerate
when stating the risks and attacks on Mac OS X. The experts
counter that Apple's marketing is quick to play down too many
serious issues.
At international conferences on the topic of IT security and anti-virus
software, the topic of attacks and security gaps in Mac OS X is an
increasing subject on the agenda. It was also addressed at the security
conference AVAR 2015 in Vietnam. At that conference, there was a
recent expert article "Threat Intelligence behind XcodeGhost" on the
routine of how the infected programming environment for Mac apps was
distributed, and who the author is.
Although the number of malware specimens for Mac OS X is only
increasing slowly, it is growing continuously. The reports of detected
security gaps in Mac OS X are also steadily growing. The Achilles heels
are naturally not only found in the operating system. Most of the breaches
in Mac OS X occur due to programs or drivers of other manufacturers.
Already in 2014, OS X and iOS exhibited considerably more gaps than
Linux or Windows systems. A brief look into the National Vulnerability
Database (NVD) indicates a long list of entered CVEs (Common
Vulnerabilities and Exposures). The search for CVEs under "Apple"
indicates more CVEs in the three months of September to November
2015 than for the search term "Windows".
The use of security software for Mac OS X should not fail due to false vanity.

Andreas Marx,
CEO AV-TEST GmbH

Detection rates under Mac OS X: Of the 13 tested security suites, eight detected all of the threats 100 percent, and three products failed.

13 Security Suites for Mac OS X: Only four solutions slow down Mac OS X by 10 percent; from Sophos onward, it is already 20 percent, SentinelOne slows the
system down 80 percent more and Avast 170 percent due to immediate scanning of downloads.

Bitdefender Antivirus for Mac: This very compact solution detected all the threats, works quickly, but only offers surfing protection as an extra feature.

Symantec Norton Security: This security solution works quickly, safely and even throws in a firewall.

Sophos Anti-Virus: The freeware security package for Mac OS X systems does indicate the highest security in the test, yet it slows down the system somewhat.

Copyright 2015 by AV-TEST GmbH, Klewitzstr. 7, 39112 Magdeburg, Germany


Phone +49 (0) 391 60754-60, Fax +49 (0) 391 60754-69, www.av-test.org
