The Adventures of Systems Boy!

Confessions of a Mac SysAdmin...

When the Cure is Worse than the Disease: Mac Anti-Virus Software

Getting anti-virus software for the Mac is like getting chemotherapy for a cold. It's totally overkill and does way more harm than good. You're better off with the cold.

Via MacFixIt:
In yet another case of AntiVirus software causing serious issues while purporting to be identifying infected files, it appears that Sophos' AntiVirus software is generating false positives for the "OSX/Inqtana.B worm", invoking users to delete critical application and system files and causing serious issues.

Again, the virus being identified by Sophos AntiVirus is marked Inqtana.B -- apparently a variant of the Inqtana.A malware that likewise spreads by copying itself to other computers via a Bluetooth connection.

As previously reported, OSX/Inqtana.A is a Java-based proof-of-concept Bluetooth worm that affects older versions of Mac OS X 10.4.x (Tiger). The vulnerability does not affect Mac OS X 10.4.5, and has not been found in the wild.

Despite that, Sophos' software is identifying "infected" files -- sometimes numbering in the thousands -- on Mac OS X 10.4.5 systems.

The results of the false positives are, in some cases, disastrous...

...We currently recommend that users disable Sophos AntiVirus until further notice, and disallow the application to automatically delete any files it deems "infected."

That really says it all. The state of commercial Mac anti-virus software is pathetic. It seems like the developers of this software are desperately trying to drum up business with scare tactics for viruses that don't even exist in the wild while simultaneously writing code that damages people's systems. Fucked up? You betcha.

I'm all for virus protection, even on the Mac. But when anti-virus software is worse than the viruses it claims to protect against, it's no wonder no one's buying it.



3:08 AM

Watching the maillists, a lot of people were hit by this. Very sad. And painful. I know my local dealer emailed me soon after the virus news hit asking whether I wanted to reconsider the Sophos purchase he'd flogged 6 months earlier. Well, I didn't. ClamXav works, and it's free. Specifically, in my situation production machines shouldn't be on the internet, and your backups should be good enough in case bad things happen. However, it is always a good idea to weigh the benefits of anti-virus software vs. lost CPU cycles and cost. More importantly, if you use AV apps, instant shredding of virii sounds good, but I've never set Sophos or other AV software to do it, for just such a scenario. I've seen false positives hurt clients before. Messy business.

3:43 PM

Yeah, unfortunately, until we see some real outcry for Mac virus software — which we won't until it becomes a bigger issue — no one's going to spend much money or time making really solid Mac AV software. ClamXav is great, but my one complaint is that it can't repair infected files. It only detects. Not terribly useful if you have an infected Word file that you just gots ta have.

Oh well. This is a problem for me, like, once a year at best, and really only a minor nuisance. So far.
