Virus Protection on the Mac is Simple But Necessary

By Bruce Schneier
MacWEEK
December 13, 1993

"Protecting yourself from Mac virus infection is easy; it's a wonder there are people who don't do it," said Ben Liberman, independent Macintosh consultant in Chicago. There are several good anti-viral software packages, both commercial and free, designed to protect your Mac from attack.

There are two types of anti-viral software: protective and detective. The commercial virus-prevention packages (Central Point Software Inc.'s Central Point Anti-Virus for Macintosh 2.0, Symantec Corp.'s Symantec Anti-Virus for Macintosh 3.5 and Datawatch Corp.'s Virex 4.1) offer both the protective and the detective approach. There are two freeware virus-protection programs: Disinfectant, which takes a detective approach, and GateKeeper, which takes a protective approach. Both programs are available on most bulletin board systems and on-line services.

The particular means of virus detection you use depends on how intrusive you want the anti-viral software to be.

Watching the Detectives

Detective software scans files looking for specific code fragments that indicate a virus. These fragments, called signatures, are different for every virus. Detective anti-viral software can scan hard disks on command and automatically scan floppy disks, applications and data files when they are opened.

This method is a good way to detect known viruses; the downside is that you have to update the program every time a new virus is discovered, and it can never protect against new and unknown viruses. But this is not much of a problem, since only four new viruses were discovered in 1993 (see MacWEEK, Nov. 8, Page 3) and vendors are quick to provide users with upgrades to fight the latest strains.

"Disinfectant has the big advantage of being user-transparent, so you don't have to teach people how to use it," said Eric Aubourg, professor at the Centre d'Etudes Nucleaires in Saclay, France.

An Ounce of Prevention

Preventive anti-viral software continuously monitors the Macintosh system, looking for suspicious activity that may indicate a virus attack. Suspicious activities include an application trying to modify another application, or an application trying to modify the System file. When this occurs, the anti-viral software puts up an alert indicating a possible virus infection.

Preventive software can detect unknown viruses, but it can also cause false alarms. "Prevention can really get in the way when you are developing software," said Brian Hall, president of Mark/Space Softworks in Santa Clara, Calif.
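The protective approach described above, as an added example that is not part of the original article: a toy monitor that watches a constructed stream of file-modification events, alerts on the two activities the text calls suspicious, and shows how exempting a developer's tools quiets the false alarms Hall describes (the event format, rules and sample events are all constructed here).

```python
"""Toy 'protective' monitor in the style the article describes: it watches a stream of
file-modification events and alerts on the activities the text names as suspicious.
The event format, rules and sample events are all constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class FileEvent:
    actor: str        # application performing the write
    target: str       # file being modified
    target_kind: str  # "application", "system" or "document"

def is_suspicious(ev: FileEvent) -> Optional[str]:
    """Return a reason if the event matches one of the suspicious patterns, else None."""
    if ev.target_kind == "system":
        return f"{ev.actor} is modifying the System file"
    if ev.target_kind == "application" and ev.actor != ev.target:
        return f"{ev.actor} is modifying another application ({ev.target})"
    return None  # an application writing its own resources or a document is routine

def monitor(events: List[FileEvent], trusted_actors=frozenset()) -> List[str]:
    """Return the alerts a protective monitor would raise. Actors in trusted_actors
    (a developer's compiler, say) are exempted: that is how a user quiets the false
    alarms the text mentions, at the cost of no longer watching those programs."""
    alerts = []
    for ev in events:
        reason = is_suspicious(ev)
        if reason and ev.actor not in trusted_actors:
            alerts.append(reason)
    return alerts

# Constructed event stream.
SAMPLE_EVENTS = [
    FileEvent("WordProcessor", "Report", "document"),        # normal work, no alert
    FileEvent("Installer", "System", "system"),              # alert: System file write
    FileEvent("Game", "Spreadsheet", "application"),         # alert: app patching another app
    FileEvent("Compiler", "MyNewApp", "application"),        # alert, but a false alarm
    FileEvent("Spreadsheet", "Spreadsheet", "application"),  # app updating itself, no alert
]

if __name__ == "__main__":
    for line in monitor(SAMPLE_EVENTS):
        print("ALERT:", line)
    print("with Compiler trusted:", monitor(SAMPLE_EVENTS, frozenset({"Compiler"})))
```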

How serious is the virus threat?

Viruses are real. Dale Hall, end-user computing analyst at Lord Corp. in Erie, Pa., is responsible for his company's 500 Macs. In 1989, after receiving about 75 calls a week relating to virus infection, he convinced his company to purchase a site license for Virex. "I installed it on every machine, and the problem went away," he said.

These days, viruses are less of a problem. "I think the virus fad has run its course in the Mac world," said David Senor, research engineer at Battelle Pacific Northwest Laboratory in Richland, Wash. Still, without anti-viral software, old viruses can return.

Users who maintain large Mac labs are much more likely to see viruses than individual users. "I have never seen a virus, but the computer labs at Case Western are another story," said James Nauer, facilities manager for Library Information Technologies at Case Western Reserve University in Cleveland. Nauer said he uses Disinfectant to keep the lab machines clean.

"Any place where lots of people have free access to lots of Macs will have a virus problem unless specific anti-virus measures are taken," said Jonathan Brecher, Macintosh archivist for the Internet site mac.archive.umich.edu at the University of Michigan in Ann Arbor, who uses Disinfectant and GateKeeper.

Professor Edgar Knapp of Purdue University in West Lafayette, Ind., agreed. "In seven years I have not had a single infection on any of my machines, but I have seen many infected public Macs," Knapp said.

Viruses of the future

Bill Leininger, a programmer at Crenelle Inc. in Chicago, said he expects a new wave of viruses to emerge that take advantage of new technology developments, such as interapplication communications and telecommunications. "Viruses might use Apple events to tell other programs what to do and potentially give viruses a whole other means for infecting programs," Leininger said.

Future viruses might also spread via networks. Leininger said that as more machines get connected, Macintosh worms could appear, similar to Robert Morris' Internet worm that clogged the network in 1988.

On the other hand, it is harder to write a successful virus today than it used to be. For a virus to have any chance of spreading, it has to circumvent all of the existing anti-viral software. "The level of knowledge required to write a good virus has gone up considerably," Leininger said.

Case Western's Nauer said: "Thanks to the efforts of John Norstad [author of Disinfectant] and Chris Johnson [author of GateKeeper] and the various commercial anti-virus vendors, new viruses are usually caught quickly and anti-virus program updates are issued within a matter of days."

Viruses in the DOS World

When it comes to viruses, Macintosh users have it easy. There are only 17 known Mac viruses, and some of them have never been seen by most users.

DOS users must worry about thousands of viruses. According to virus trackers, about 3,000 viruses have been found in the DOS world. When the Iron Curtain came down, hundreds of viruses from Eastern Europe infected machines all over the world. There are virus creation engines available from underground bulletin boards that help any programmer create, with little effort, a DOS virus.

One reason PC viruses are more prevalent than Mac viruses is that there are many more IBM PCs and compatibles than there are Macs. Additionally, PC programming is more accessible. "Programming on the Macintosh is much harder than programming on the PC," said Bill Leininger, a programmer for Crenelle Inc. in Chicago. As a result, Leininger said, only very skilled Mac programmers can write a virus. Most Mac viruses cause problems not because they are intended to be destructive, Leininger said, but because of conflicts and side effects resulting from bad Mac programming.

"One of the reasons you write a virus is to impress your friends with how cool a programmer you are," Leininger said. "But programming anything on the Mac is cool in itself."

Several strains of deadly computer viruses are still found only on PCs. One new kind of virus, so far limited to the PC world and called a polymorphic virus, makes standard virus defenses obsolete.

A polymorphic virus is self-mutating. Every time it infects a program, it completely rewrites itself. There is no single fingerprint that indicates the virus' presence, so it cannot be found by a virus scanner. The only way to catch it is with a preventive monitor, and some polymorphic viruses are designed to get around those as well.
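The detective approach from the "Watching the Detectives" section and the polymorphic problem just described, as an added example that is not part of the original article: a toy signature scanner run over constructed in-memory files, showing that it finds a known fragment, misses a copy whose fragment differs by one byte until a signature update adds it, and therefore can never match a virus that rewrites itself on every infection (signatures and sample files are constructed, not real virus code).

```python
"""Toy signature scanner in the 'detective' style the article describes, with a
constructed mutated variant to show why scanners need updates and why a self-rewriting
virus defeats them. Signatures and sample files are constructed for this example; they
are not real virus fragments."""

# Constructed signatures: name -> the code fragment the scanner looks for.
SIGNATURES = {
    "Sample-A": b"\x4e\x56\xff\xf8SAMPLE-A",
    "Sample-B": b"\x60\x0cSAMPLE-B\x4e\x75",
}

def scan_bytes(data, signatures=SIGNATURES):
    """Return (signature name, offset) for every known fragment found in data."""
    hits = []
    for name, pattern in signatures.items():
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return hits

def scan_files(files, signatures=SIGNATURES):
    """Scan in-memory 'files' (name -> content); report only the infected ones."""
    report = {}
    for fname, content in files.items():
        names = sorted({name for name, _ in scan_bytes(content, signatures)})
        if names:
            report[fname] = names
    return report

# Constructed sample disk: a clean application, an infected copy, and a copy carrying a
# variant whose fragment differs by one byte (standing in for a strain the scanner has
# no signature for, or a polymorphic virus that rewrote itself when it infected the file).
CLEAN_APP = b"APPL\x00\x00" + b"ordinary code bytes" * 4
INFECTED_APP = CLEAN_APP + SIGNATURES["Sample-A"] + b"\x00\x00"
VARIANT_APP = CLEAN_APP + b"\x4e\x56\xff\xf8SAMPLE-X" + b"\x00\x00"
SAMPLE_DISK = {"Clean App": CLEAN_APP, "Infected App": INFECTED_APP, "Variant App": VARIANT_APP}

# A vendor update adds the variant's fragment; a fixed-signature scanner can only ever
# catch what is already in this table, which is the limitation the text describes.
UPDATED_SIGNATURES = {**SIGNATURES, "Sample-X": b"\x4e\x56\xff\xf8SAMPLE-X"}

if __name__ == "__main__":
    print("before update:", scan_files(SAMPLE_DISK))
    print("after update: ", scan_files(SAMPLE_DISK, UPDATED_SIGNATURES))
```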
