Supporting Macs in the enterprise: Eliminating malware

In spite of its marketing message, Apple knows that its computers need to be protected from malware. Don't be caught unaware! Make sure your Macs are set for the day the big one hits.

---------------------------------------------------------------------------------------------------------

Joe and I are of like minds this week, thinking about client security. While I have been following the discussion of Windows anti-spyware solutions with interest, my post for this week is going in a different direction. I have been considering the security of Apple computers.

Last week, it came to the attention of tech journalists that on their corporate Web site Apple recommends that users of their computers employ anti-virus software. There seemed to be a significant amount of glee on display as the pundits pointed out that this stance seems to contradict Apple's own marketing message, which claims their computers are not troubled by viruses and other malware.

Apple is right that there are fewer pieces of malware directed at Macs. That is simply a case of numbers working in their favor, though. There are fewer Macs in the world than Windows machines, so Apple computers are not too profitable as targets. More Apple machines are rolling out all the time, however, and as support pros we have a responsibility to make sure that the systems under our charge are protected, regardless of what operating system they run. There may not be as many security software packages for Macs as there are for Windows machines, but thankfully there are some quality options available.

Anti-virus

As last week's news highlighted, even Apple recommends anti-virus software, and I've always installed AV packages on the Macs on our corporate network. I was never really worried about a serious infection on our Apple systems; I mostly just wanted to make sure that they did not pick up a macro virus or serve as a vector for PC-based infections. Apple-compatible virus software has come a long way in the last several years. Security software vendors have worked to get some Mac development expertise in-house, so their products work much better than they used to.

For a long time, my big gripe was that there was no Mac-compatible AV solution that offered centralized management tools. That problem has been rectified by companies like McAfee, Sophos and Intego; all these players offer AV packages compatible with enterprise management software that can monitor the installed clients on your network. (McAfee and Sophos' admin consoles will manage Windows, Linux, and Mac clients, but the management tools have to be installed on Windows. Intego is a Mac software developer, so their admin console runs on Mac OS X.)

Another welcome development in Mac anti-virus software is the appearance of "dual protection" bundles. Since Apple supports booting into Windows on their hardware, a couple of companies have started selling AV protection for both MacOS and Windows in the same box. Symantec has one of these packages, but Intego made it first to market with theirs. I think that these bundles are a great idea for those customers who want the support and assurance that come with commercial AV products. Two for one! How can you beat that?

For the budget-conscious office (show me one that isn't), ClamXav is a free anti-virus solution for Macs that I can recommend. It's a no-frills product, but it works well for detecting infected files. (One caveat: ClamXav won't repair infected files. For that you'll want a commercial AV program.) ClamXav is grounded in an open-source project, and definitions are published daily.

Anti-spyware

While most AV products offered for Macs claim some protection against spyware and adware, the truth is there just are not many examples of these kinds of exploits in the wild targeting Apple computers. That explains why there are so few dedicated spyware removal tools for MacOS: there is just not the same market as exists with Windows.

If there is one thing my experience with Windows spyware has taught me, though, it is that it pays to have more than one removal tool in your kit. Thankfully, there is an alternative to having to use two full security suites on your Apple machines. I recommend looking at SecureMac's MacScan. MacScan is designed to detect and remove spyware specifically, and it's reasonably priced. It can serve as a good complement to your existing security package, especially if you're going to use ClamXav and its more bare-bones virus protection.

Good habits

As I have mentioned previously, I firmly believe that the best way to protect a computer is by making sure that users are trained and understand what kinds of behavior will put their system at risk. This is just as true for Apple computers as it is for Windows machines. Apple may have been able to escape the attention of serious malware developers to a point, but it is irresponsible to assume that fortune will last forever. When there is a real threat, good habits and good security tools will make sure that the Macs you support will be protected.

32 comments
timthefoolman

This ignores one of the primary reasons that Macs are relatively immune to common malware attacks: Macs don't browse with root-level permissions. As a result, any malware has to perform some privilege escalation first, typically by some form of social engineering. Going further, people need to "get over" the idea that you can run an application on a box and have it truly protect that box. The nature of rootkits is such that they can hide themselves from ANY antivirus product, such that the only way to assess and remove one is to scan and inspect the drive from an external system. In 99.9% of the cases I've seen, the best course of action is to recover data, scan it for malware, and rebuild the system from scratch. Thinking that you can "clean" a system in 2008 with an AV product is just a case of nerd ego. Back in the 1970's, you could be sexually promiscuous and just knock stuff out with some penicillin. Today, an STD can wipe out the immune system such that your body can't respond properly. The same is true with AV and computers. One thing that DOES make sense to recommend is either browsing from a VM (which you can regularly nuke) or install MS's SteadyState, which effectively does the same thing. Sandboxing is an alternative, but not a complete solution. 
Getting back to the point, the right approach (regardless of OS) is:
1) Don't browse as Admin, or browse only inside a virtual machine
2) Use an external device, such as an Astaro gateway instead of depending solely on code running on the box you're trying to protect (a logically flawed concept), and to scan inbound traffic as well as providing encryption endpoints
3) If you're going to install an AV product, use something like Blink (from eEye Security), which monitors the behavior of the host applications and traffic BEFORE you're infected
4) Store data on a drive other than the boot drive
5) Backup both the boot drive and data drive regularly
6) Provide for "resurrection" of the boot drive by way of a Ghost image or SteadyState

Mr. Jones, I'm curious. How many viruses have your Mac AV products found?

- Tim

williamjones

I've decided to kick off a series of articles on what it takes to support Macs in the enterprise. This time, I discuss making sure that your Macs are protected from spyware and viruses. Why doesn't your company use Apple computers? If your company does use them, how have they worked out in the enterprise setting?

williamjones

I agree that the only 100% sure way to remove malware is by reformatting and rebuilding a system from known-good backups. Some of your comments imply that you think security software offers little or no protection, though, and I don't think that is true. Even if AV and spyware scanners can't protect against every threat, this doesn't mean that the protection they can provide is worthless. To use an analogy, the fact that a burglar *could* break my window doesn't mean I'm going to start leaving my door unlocked. The other suggestions you offer are valid and useful, even if some of them aren't germane in a discussion of Mac security. Thanks for offering those. Me personally, I haven't found an infection on any of my Macs since I started running OS X. I regularly use my ClamXav install to scan files sent to me by others, though, and I still find macro viruses every now and then.

alexisgarcia72

I agree with you 100%. I'm using GPOs and SteadyState with very good results. For additional security we run ASA firewalls, Cisco IDS, Forescouts, CSA, etc. It is hard to keep the Windows machines secure, but with the proper tools and admin we can do good work. I see a lot of networks out there where local users have local admin rights, breaking the security model perspective. But we do not use MAC at all; even the graphics departments have very powerful Windows machines with all the Adobe and 3D packages out there (I'm wondering if these 64-bit computers with 64-bit OS with 20GB RAM / quad cores and 3 TB RAID0 hard drives have something they cannot run compared with MAC design computers). MACs are "secured" but lack management, deployment, centralized control, application compatibility (i.e. Interaction, Deltaview, Desksite, Mailsite, etc.) only run on Windows PCs. So there is no sense in putting a MAC in the business environment. And if things go wrong, how many MAC certified engineers do you know? How really deep do you know the MAC OS? Are you able to implement ipsec, vpn, encryption, etc. in a MAC??...mmmm

timthefoolman

3a) If you're going to install an AV product, make sure it's one that scans/evaluates removable media like CD-ROMs, jump drives, and especially those horrendously dangerous E3 thumb drives that auto-run a partition like a CD-ROM (using that feature is ASKING for a rootkit).

cupcake

Over my tenure in IT, I have worked for a number of companies using Macs... some small, some not so small. I think it primarily had to do with the person or persons in charge and also the product of the company. For example, in the early 90's I helped implement lan-based applications for SoCalEdison in LA area. Also, did a nice stint for Disney TV & Pictures that had everyone from the cartoonists to legal to accounting to the execs using Macs. Then of course, worked for Apple (and I think their employee count then was in the tens of thousands) and then some smaller shops in Silicon Valley (Global Village, Intuit, NetObjects). They all networked, supported and maintained a network of Macs, thank you very much. I am in my first position in 25 years where there isn't a Mac in sight... and I am miserable. [Edited for spelling]

dstanton

We are a hard core MS shop, with several customized .NET applications which wouldn't work on a Mac. Not to mention the CEO is very status quo minded. If it doesn't need to change, don't change it. It took us weeks to convince him that remote access is a good idea. That, and dollar for dollar, Macs just aren't as cost effective as a comparable PC.

pjboyles

We don't do anything that does not move the business forward. No business case, no implementation (and no money). Since none of our critical applications will run on a MAC, there is no business case to deploy a MAC. Should there be a need to deploy a MAC, then we will.

domster83

It seems that half of the reason companies stick with Windows is the familiarity and comfort. People know Windows, know its foibles and its weirdness, and can deal with it. A lot of IT departments aren't prepared to seriously consider Macs as an option. I've seen some internal documents at my workplace that discuss the possibility of introducing Macs, and most of it is positive stuff. I think some of the hangups come from the software. People look for the same software they have on Windows and look for a Mac version, rather than looking at other vendors' software. Personally I'd rather have a small group of Macs on my network as early as possible to start on the integration procedure, for a future where both run in equal numbers.

csmith.kaze

Besides the fact that our one must-have app is Windows only (an EHR solution from GE), only about one of my doctors would not have a cow if it wasn't Windows that greeted them in the morning. Not to mention the 250 employees that work here. Mac is so far removed from the radar here, it's not even funny. (All that and the fact my boss and I refuse to support Macs on principle, him because he is a Windows guy, and me because I see nothing but problems.)

timthefoolman

Hmmm... OS X 10.5 is 64-bit, so I'm not sure what your concern is there. I'd say from a percentage standpoint, the penetration of 64-bit computing in the Mac world is far, far greater than on the Windows side (like, 2-3 nines or greater). Likewise, you can configure large software RAID arrays on fairly pedestrian Mac systems, and the higher-end boxes they make support hardware RAID, including native drivers for many of the RAID cards. I think you're overstating it to say that "[the Mac] makes no sense in a business environment." It's true that large corporations require centralized management apps and business apps that run only on Windows. I'm not going to suggest otherwise. However, the small business market, where you don't have the resources or the need for that type of management, actually represents a good business case for a non-Windows OS (OS X, Linux, etc), simply BECAUSE of the smaller attack surface (and I'm not referring to the red herring of market share). In such cases, I think you can make a reasonable argument for any OS. As far as Mac certification, Apple offers this (a quick Google search turned up: http://training.apple.com/certification/). Then again, quite a few of the MS and Cisco certs that I know have a gorgeous certificate on their wall, but don't know squat about supporting systems in the real world. I guess you'd say I don't put much stock in ANY of the vendor certifications. Lastly, ipsec, VPN, encryption... uhm... those have been available on Macs for a long time. Try Googling "OS X ipsec" to see evidence of this. In short, each OS has different strengths and weaknesses (and marketshare is a DEFINITE strength for Windows), so it pays to know something about all of them before dismissing ANY of them out-of-hand. - Tim P.S. 
Interested readers might want to check out "Cyber Insecurity," co-authored by Dan Geer, Bruce Schneier, and others, where they warned of the risks of OS monocultures in computing (http://www.ccianet.org/papers/cyberinsecurity.pdf).

atestwick

I live in the Caribbean in Barbados and work with the University of the West Indies Cave Hill campus. I want to buy some Macs and cannot get a contact. It is a Higher Education Institution and I need an Education price. Can someone help me? Never thought that the Mac was so difficult to get.

williamjones

...have in the past shown that Apple hardware is priced fairly similarly to comparably configured PCs. I don't think that's changed. There are also indications that Apple hardware can have higher resale value and can provide a better return on investment over the long run. That they "cost more" is a generalization that a lot of people make about Apple hardware. I think that's based mostly on initial sticker shock. The calculation of how much a certain platform costs in the long run is more complicated than that. That's obviously not the only consideration in your office, though. Thanks for your response.

williamjones

Running Macs is an option that should only be considered when there are no other overriding concerns. Thanks for your thoughts.

atestwick

Why are the Macs problematic?

williamjones

...it makes sense to run Windows. I'm not enough of a zealot to suggest anyone run Windows on a Mac for a mission-critical application (though one could). I think a big part of what makes Macs great is OS X. Buying Macs to run Windows on them full-time is pointless, in my opinion.

williamjones

Apples can authenticate against AD since OS 10.3 "Panther". Link: http://www.macworld.com/article/56791/2007/03/activedirectory.html From the article: "Apple introduced a plug-in to its Directory Access utility that allows you to configure authentication against Active Directory. Apple's Active Directory plug-in uses LDAP to query Active Directory. The Active Directory plug-in works fairly well. It supports forests with multiple domains, domain controller fail-over and can automount a user's home directory. It can also grant users administrator access to a Mac workstation based on their Active Directory group membership. You can also enable mobile accounts for portable computers and designate a preferred domain controller if needed."

alexisgarcia72

OS machines can log in to AD? How can I join a MAC OS computer to the MS Domain? I know I can use certain resources in the MAC but, JOIN the domain? Do you have any link? I have a couple of design Macs in the office but they are isolated.

williamjones

It's true that AD is powerful and great. OS X machines can log in to AD, which I am thankful for regularly, even if they can't be managed as robustly as Windows machines. But then Apples aren't Windows boxes, so that shouldn't surprise anyone. They are different OSes with different management tools. Apple has been better about integration than Microsoft has, since it's designed its OS to allow use of many Windows-served resources while building its server OS on open technologies that don't exclude Windows clients from connecting. And the client version of Mac OS includes L2TP and IPSEC VPN clients out-of-the-box. I use them all the time. Apple's instructions on creating a VPN connection in Mac OS 10.5 http://docs.info.apple.com/article.html?path=Mac/10.5/en/9010.html edited for S-V agreement

alexisgarcia72

There is nothing like Active Directory. We have a lot of objects in AD, replicated in 15 sites around the world, an amazing design. We even have our AD integrated with a lot of technologies: Intranets, Cisco Unified Communication devices, Ricoh Copy centers, Keyscan Security Management, Altiris Deployment tools, Copitrax cost recovery controls, etc. The integration is just amazing; MAC doesn't have such features at this time. In regards to the VPN, you need to install the OSX server to have VPN on a Mac client, but Windows XP has both by default: client and server VPN software.

williamjones

To clarify... The client version of OS X has VPN client software included. Apple's implementation of VPN gateway/server/endpoint software is only included in the version of MacOS Server. You can install Mac OS Server on most Apple machines. You don't have to buy their Xserve server hardware.

williamjones

...for Mac OS. It's built into Mac OS X server. Any enterprise that is going to run more than a couple of Macs is going to want to have a Mac running OS X Server. (It's a cheap solution, too. A license for OS X Server supporting *an unlimited number of clients* is only $999 retail.) Finding one turn-key management solution that supports both Windows and OS X is probably never going to happen. The OSes are too different. Macs can be centrally managed though, should the need arise.

alexisgarcia72

Thanks really very much for the link. I see MAC has existing VPN services very well implemented. Nice! The setup is as easy as doing VPN in Windows XP or Vista (it is more complicated in Server 2000, 2003 or 2008, but because the server MS versions can be integrated with Radius and other features). I now have a doubt; the article indicates: "The VPN server capabilities are not built-in to the client version of the OS", so how can I add the VPN server capabilities to a regular MAC workstation? Do I need to install "server software" or need a "MAC server"????

timthefoolman

You wanted to state that Macs make no sense in a business environment. I took issue with that, but that doesn't mean that I'm trying to point to a specific case where they DO make sense. Why are people so determined to tell someone else what makes sense in their business model? Macs don't make sense in our shop, but I'm not going to make blanket statements to suggest to someone else that Macs don't make sense elsewhere. Run what works for you. Back to the point of the original article, I stand by what I said, which is that regardless of OS, expecting AV software to fix a problem after-the-fact is just being naive, and pretending that we're living in the same conditions that existed 5 years ago. Those days are gone. If a boot drive gets infected, regardless of OS, your best bet is to nuke it and start from scratch. Otherwise, you have no idea what that box is really running without doing an external analysis of the drive. - Tim

timthefoolman

You mean like this? http://www.maclive.net/sid/132 It looks a whole lot more complicated than setting up a comparable VPN server on a Windows box. This alone probably explains why you don't see more Macs in the enterprise.

alexisgarcia72

Hey, hold on. I believe I didn't express myself correctly. I don't argue the 64-bit OS in MAC; what I mean is I don't understand why some people out there indicate they cannot run certain applications (design, CAD, 3D) in a Windows environment because they need a MAC. I see VERY powerful Windows computers rendering MAYA, Truespace and high end stuff requiring a lot of power, so I believe everything you run on a MAC can be executed on a Windows PC as well. In regards to certifications, you can see this MAC cert, but related to Windows and x86 hardware you can find A LOT!! Not only Microsoft MCP MCSA MCSE MCT MCST but Comptia A+, ETA CST, etc. etc. You can without doubt more easily find a good MS certified technician for sure! I only know a couple of MAC techs and they s@ck!!! When things go wrong they need to set up the PCs from scratch all the time! I know VPN and ipsec are available on MAC OS; the point here is how easy is it to set up a VPN server on a MAC? Do you know how to do it?... I'm not talking about VPN client, I mean VPN server services... I believe MAC is a good sign of good tech, speed, performance, security and design, but for the business environment, a friend who loved Macs in the past now HATES this technology because of the lack of network support and integration. He saw it with his own eyes in a school network (with only Macs).

timthefoolman

This is true, and a distinction I should have made. However, retaining a 32-bit kernel (to ease the migration of device drivers) seems like a sensible compromise. The larger question (which remains) is how quickly Apple will rebuild their pro apps to take advantage of this. - Tim

williamjones

where you can get EDU pricing. There aren't any volume discounts available through that site, though. To try and get a volume discount, you'd have to contact Apple sales. Have they told you that there's no one who serves your region?

Forum Surfer

If I were making a personal purchase, the fact that the MacBook comes with an nvidia 9400m would factor in. However, when plugging into a Cisco console port I don't care about framerates and hybrid SLI. That's where I think Mac needs a true business class notebook without the flashy gfx card, offered at a lower price point. The nvidia quadro card on my Dell suits business apps just fine. It even handles a game or two I've tried on it for kicks and giggles just fine. The docking station is a selling point as I can snatch it off my desk and go in a hurry, ugly connector or not. All options factored, I would probably buy myself a Mac if I were in the market. At work however, price vs feature content leads me to Dell or Lenovo. Edit: I still think 15.4" is too big to be truly portable and 13.3" is too small for middle aged eyes. The 14.1" Latitudes, Precisions and Lenovos are a nice compromise. I mean, who actually uses the laptop keyboard and display at their desk? I keep a real keyboard with full numpad, mouse and 24" monitor on mine at home and work.

williamjones

I wasn't trying to disparage Windows-based hardware, trust me. Dell is a fine brand, and I work with their machines every day. The recent revisions to Apple's portable line are the exception that proves the rule, in my opinion. Does your Dell come with 2 graphics systems on-board? All the Apple MacBook Pros have an integrated *as well as a dedicated* graphics chipset. You can use one, or the other, and NVidia claims that they are engineered to work in a "virtual" SLI set up of sorts (though Apple doesn't implement that now). That feature right there is one that will keep the price of Macbook Pros high for awhile. This new aluminum manufacturing process is novel, too. If you look at the previous Macbook Pro model, it's more price/feature comparable with some of the systems that Dell offers. You're right; Apple's new portable models have a premium attached. I'll stand corrected on that. But they are significantly different in the build engineering than most offerings from other manufacturers. Look at Ebay, too. The used Apple market is pretty strong. I think their machines do tend to hold resale value well. Better than most manufacturers. I also don't mind paying a little more for a Macbook Pro (I'm in the market) since it will allow me to sell my current IBM and Apple laptops and run both OSes (legally) on one portable. But that's me. You're absolutely right about the lack of docking solutions for Apple machines. It's annoyed me on many an occasion. I think it's a "design" issue, though. Most docking systems require a big multi pin port sticking out of the chassis, and I think that probably offends the aesthetic sensibilities of the Apple higher-ups. There is the new Apple LED Cinema Display designed to integrate with the new MacBooks. It offers some port replication and a built-in cam, but that's about it. Apple's not made a sleek docking system since the days of the old Powerbook Duo systems, which were pretty awesome, but didn't sell well. 
Thanks for your thoughts, Surfer.

Forum Surfer

It's more than just a generalization. I recently needed a new laptop. Times are tight, so instead of the usual $2000 I was only given a $1500 budget. I work as a network admin and most of my Cisco tools are Windows based. I still wanted a MacBook since I have to admit they are sexy. I can always dual boot XP or Vista. But I also wanted 4 gigs of memory and at least an Intel c2d t9400m, not to mention a 7200 rpm drive, docking station, /b/g/n wireless card, gig NIC and Bluetooth. I can't stand a 13.3" laptop, I still prefer 14.1". I was willing to settle on the added bulk of a 15.4" MacBook but boy was the price up there with all the options. I went through a lot of vendors including cdw-g and about 15 more but no one could get me a 15.4" MacBook equipped even close to my specs for anywhere remotely close to $1500. I settled on a Dell Latitude. I received all the specs as I listed for $1499 from a vendor desperate for my business vs $2300 for a 15.4" Mac equipped the same. I don't buy the "quality" argument since I've seen several state police agencies running Dell just fine, not to mention my own agencies...not to mention they are running the same Intel chipset these days. High end desktops may be priced similarly, but laptops are way different...no matter if you source it from a vendor or the web directly.