Is my Mac more at-risk installing anti-virus than running without?
A little preface here: I'm a big fan of F-Secure and have followed them for years; this is more of an industry note than anything else.
I'm a contract consultant who often works with companies to evaluate risk and develop security policies. I practice sanitary behavior and have not had a known infection on any of my personal computers in over 10 years (at least I can't recall much further back than that).
However, due to the nature of my work the risk exposure requires that I take every practical precaution. One of these is using commercially available anti-virus software on my personal computers.
I've been a Mac user for about 6 years, and although I toyed with anti-virus early on I quickly abandoned its use due to the lack of known Mac exploits and the actual system issues I encountered related to poorly written and maintained software.
Anti-virus for Mac has since evolved along with the accompanying platform-specific malware. When Flashback was detected in the wild I decided it was time to re-implement anti-virus on my Mac PCs. I also recommended to my clients that it was time to put anti-virus on their Macs.
I've been struggling to find a good product for the last few months, and through a few stop and start efforts with other vendors have landed on F-Secure. It is difficult to find a well-engineered product from a firm with a stellar detection record (F-Secure I hope has both).
As I downloaded the F-Secure for Mac trial today I noted two things (that are also true of other security vendors; it should be noted that F-Secure isn't doing worse than anyone else):
- F-Secure does not sign their installation packages. This relatively simple effort would bring F-Secure (a security vendor) up to par with the security hoops Apple has recommended for all Apple developers (and that, thanks to the App Store, most have been forced to abide by).
- Also, the download link for the software is not available on the website to the public, and the valid hash for the file is not posted. You're required to submit a request by email (F-Secure does sign the email at least). Then, you're required to click an http (no SSL, not secure) link which sends you to the newsletter server (is this webserver maintained with the same security standards as software distribution servers?), the newsletter server then forwards you to a software distribution web server via http (again, no SSL, not secure).
I can think of about half a dozen ways this can go wrong. This is a risky software distribution practice. I haven't yet evaluated the product, but at first glance it seems superior to my previous evaluations.
As I'm running my first full-disk scan I'm thinking ... has adding anti-virus to my desktop PC increased or decreased my risk exposure? I'm not sure.
This just made my job harder. I've got no clear-cut answer to give clients when they ask me about the risk malware could pose. If a well-respected security vendor at the top of their field can't get it right ... who can?
Anyone have opinions? I'd love to hear them.