[unisog] AV for MACS

Karl A. Krueger kkrueger at whoi.edu
Tue Dec 7 02:25:46 GMT 2004

On Mon, Dec 06, 2004 at 05:56:52PM -0700, Jim Dillon wrote:
> How is AV protection a "Windows Oriented" thing?

Quick response to your whole post:

Anti-virus software is not a general-purpose security booster.  It
is a defense against a specific, enumerated list of attacks.  Those
attacks, almost exclusively, affect Windows systems.  There are other
attacks that affect Unix systems as well as Windows, but those attacks
are not ones that anti-virus software deals with at all.

Long response:

The attacks that AV software targets are, almost exclusively, Windows
attacks.  It does nothing substantial to address the kinds of attacks
that target Linux, Solaris, Novell, Mac OS X, or other systems.
However, when deployed on those systems, it still has a cost; we have to
weigh that cost against the benefits.

What are the attacks against non-Windows systems?  Crappy PHP code,
unnecessary open services, unpatched vulnerabilities, badly-chosen
passwords.  AV software does not touch any of these problems.  If it
did, I would heartily agree that every system should run it.  But it
does not.  It catches viruses, and viruses are not a credible threat
against systems other than Windows.

> A virus simply takes advantage of any number of broken components, so
> why is a Mac somehow different? Is that not how a virus works against
> a Mac?  Might it not be more expedient to block the bug than wait for
> the next patch to surface?

Anti-virus software does not defend against the exploitation of
vulnerabilities.  It defends against known, documented viruses.  It is
not a general-purpose "security improving" tool; it is, rather, a very
tightly targeted tool for the detection and removal of specific
categories of threats.

I've mentioned before one case where our Windows technicians were
frustrated by the fact that AV targeted viruses and not rootkits, and
thus did not detect or remove files that we -knew- were part of an
attacker's toolkit.  The assumption that AV software is a *general-purpose*
security boost is a bad and dangerous assumption.  Even on
Windows, its purpose and its usefulness is very specifically targeted,
and it is not good for anything outside that range of targets.

> Isn't squashing a windows targeted bug a rather good thing, anywhere
> it happens?  I'd rather not have an infected neighbor slowing down my
> network.

That depends entirely on whom you are asking to pay the cost of that
"squashing".  I've had reports from local Mac support staff that our
"recommended" anti-virus software can critically slow down important
applications.  I would expect that -- it's doing something substantial
on just about every access to a file.

If I'm going to recommend that Person A install some software on their
system that *will* slow down their work, I'd like to know that that
software will benefit Person A him/herself ... not just that it will
benefit "neighbors".  I can -ask- that they run things to benefit their
neighbors (out of charity on their part) but to recommend (or require!)
that they do so would be a little bit overbearing, don't you think?

> If we'd constructed the objects they all share with a tad more care
> this might not be a problem. Sorry, I don't buy the argument that the
> AV model we face is a Windows thing.  Yes, Windows is very
> susceptible, but so is any other system that can read, write, script,
> and execute.

All systems have vulnerabilities, yes.  But AV software is not a general
fix for vulnerabilities.  It is a defense against specific attacks.  If
you look at the inventory of attacks defended against by any piece of AV
software, you will see that they are attacks against Windows.

(That could change, yes.  When and if it does, the verdict will change.)

> I truly believe if the number of target OSs for Mac were equal with
> Windows, that you'd see equal havoc in the Apple/Mac world, ditto for
> Linux or whatever.

Doubtful.  See, e.g., Apache -- 70% of the Web servers in the world,
nowhere near 70% of the vulnerabilities and break-ins.

If someone tells you that all code has bugs, they're telling you the
truth.  If they tell you that all code is *equally* buggy, they're
trying to sell you especially buggy software.

Karl A. Krueger <kkrueger at whoi.edu>
Network Security -- Linux/Unix Systems Support -- Etc.
Woods Hole Oceanographic Institution
