Posted by: David Harley | September 10, 2012

Can’t see the Forrester for the trees?

Apparently Forrester have decided that Mac users don’t need antivirus. Gosh, I’ve never heard that before.

Well, I’m being a little disingenuous: I haven’t read the actual report because it isn’t available for individual purchase, and I’m not inspired to buy it on behalf of Mac Virus, but but tells us over at ReadWriteWeb that it concludes that:

“the performance degradation caused by most AV technology outweighs the malware risks on a Mac.”

Though the way that report author David Johnson puts it is that Mac admins believe that:

“Mac viruses are infrequent enough that they are not a problem for them to deal with.”

Well, that’s true as far as it goes: there is hardly any Mac malware that meets a universal definition of ‘virus’, if such a definition existed. From there on, though, it goes a bit haywire. The complaint seems to be that:

  1. Mac malware usually turns out to be a trojan, and therefore difficult to remove with antivirus
  2. Antivirus gets in the way
  3. Patching, regular backup, and recovering from an infection is less problematical than running AV.

I have no idea where (1) comes from. Of course, two trojans may have very different characteristics, but Mac trojans probably generally present less technical difficulties in terms of disinfection than some of the more vexatious Windows trojans. And the idea that AV can only handle real viruses totally ignores the fact that most of the malware we handle nowadays – irrespective of platform – consists of trojans.

As a Mac (security) support person from way, way back, I do remember issues with certain combinations of Mac and AV software. Since I haven’t been doing AV detection or performance testing for quite a while, I can’t comment on whether those issues still apply except in so far as I do (normally) run AV on my own systems: I should, I guess, cross my fingers when I say so, but I’ve had no problems with my present kit (including the Mac on which I’m writing this, which runs a fairly healthy range of software on not-very-recent hardware) for many moons. Since this site is supposed to be vendor neutral, I won’t name names.

Would I argue against good patch management and backup practice? Of course not. And good corporate defences (or even a modicum of common sense and caution) still goes a long way.  But is it easier to do a full restore post-infection than to use a real-time scanner with a good chance of detecting malware before it infects? According to Gonsalves, Johnson believes it, because AV “should be completely unobtrusive and transparent, and that has not been the case for some of the anti-virus tools out there” citing startup scans that last for minutes “while employees sit idly by.” I must be using the wrong AV, because it doesn’t hold me up at all. 😉

So what are the alternatives? Specialist updating tools get a thumbs-up. Apple’s own encryption software is recommended to encrypt the hard drive, though there’s no explanation of how this counts as an anti-malware measure. Gatekeeper is recommended as an ‘anti-malware tool.’ Data Leakage Prevention, while apparently as resource-intensive as AV is claimed to be, can be used where “the consequences of data loss far outweigh the productivity costs.” Why doesn’t the same apply to AV? Apparently because “Modern Trojans require anti-malware vendors to develop extraordinary countermeasures, which can take weeks or even months to develop, test and deploy.” Sorry, but that is sheer mythology. And while I don’t have a problem with people using some or all of these tools, recommending them as equivalent to malware detection doesn’t suggest much knowledge of anti-malware technology.

David Harley


  1. I didn’t decide it, David. I simply reported that some of the firms we interviewed for the research have decided it.

    David K. Johnson
    Forrester Research

    • Point taken. Though I think ‘simply reported’ is a little disingenuous.

      • Hi David. Happy to send you a copy of the report to get your feedback. I’m always willing to learn – particularly if I’ve missed something important. My e-mail address is dajohnson*at* Drop me a line and I’ll be happy to send it over.

      • Well, if you think it might be useful, by all means send me a copy. myfirstname.a.mylastname at is the best way to reach me.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: