[unisog] AV for MACS

Jim Dillon Jim.Dillon at cusys.edu
Mon Dec 6 17:20:33 GMT 2004

Why AV for Macs?  Macs are just as interesting a target for security attacks, so why not for AV?  Observe...

A recent honeypot test (6 systems, configured, plugged into broadband, left alone for two weeks) by Avantgarde in San Francisco should make it clear enough why you should be using AV (and other security-in-depth features).  Note the frequency of attacks on the platforms in the following table - notice the two favorites - an unpatched XP box and a Mac OS X box, almost identical in number of attempts.  Seems to me the attackers must know something about which platforms yield results given the number of times they attack particular platforms.  Note that the experiment only yielded 10 successful break-ins over that time frame.  The Mac was not one of them (neither was XP SP2 or XP with Zone Alarm), but the telling stat is how often it was attempted.  Note that the SP2 and Zone Alarm boxes didn't get a whole lot of attention.  My apologies if the chart doesn't retain any readable formatting, but hopefully you can discern the pertinent info.  (Esp. the 341 attacks per hour for XP and 339 for OS X.)

Platform          Total attacks     Attacks/day     Attacks/hour
XP SP1            139,024           8,177           341
OS X              138,647           8,155           339
Win SBS            25,222           1,400            61
XP SP2              1,386              82             3.4
XP w/ZoneAlarm        848              50             2.1
Linspire              795              46             1.9

It's utter foolishness to not protect your system, irregardless of its underlying operating system.  If a Mac is this interesting a target to hackers, it has to be interesting to the virus authors as well; it's just a matter of time.  The idea behind AV is as much corporate responsibility as it is protecting yourself.  No, you can't make a one-to-one correlation here between attacks and virus susceptibility, but be real, there is just as much interest in bringing down or compromising Macs as there is in other boxes, so don't be too smug about it, the problem is real for everyone.


Jim Dillon, CISA
IT Audit Manager
University of Colorado
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org]On Behalf Of Stan Horwitz
Sent: Friday, December 03, 2004 4:25 PM
To: Willie.OConnor at cs.tcd.ie; UNIversity Security Operations Group
Subject: Re: [unisog] AV for MACS

Anti-virus software for Macs? What are you trying to protect Mac users
from? I am a long-time Mac user and very active in two local Mac User
Groups and as far as I know, the only reason anyone has for running Mac AV
software is to avoid mistakenly forwarding a virused email to a Windows

Symantec makes anti-virus software for the Mac. So does McAfee. I think
both products are a complete waste of time for Mac users. I have been
using Macs since 1986 and I have had at least one Mac sitting on an
unrestricted broadband line for many years without incident. I know at
least two hundred Mac users and none of them has had a virus with OS X and
only one has had a virus with pre-OS X, and that was way back in OS 7.