Hacker News
by 45h34jh53k4j 2986 days ago
You need AV on your corporate Macs. No excuses.

For those in the "my enterprise doesn't need AV, because AV is stupid" camp: in the last week, the enterprise AV:

* Blocked 15 cryptominers
* Blocked 3 email-based ransomware attachments
* Blocked 6 phishing emails
* Blocked 3 installs of MacKeeper (PUA)
* Found 4 other adware-type infections on hosts

Without it, these things would have hit the organisation. AV -- it will catch the lowest hanging fruit. You need this. It is necessary, but not sufficient.

3 comments

This [1] post last year pointed to Google Project Zero, which found dozens of exploits in popular AV software. What if your third-party AV is your lowest hanging fruit? How many issues did your AV itself cause? How would you know?

[1]: https://robert.ocallahan.org/2017/01/disable-your-antivirus-...

I'm aware of the research P0 did on AV -- it's very important, and their findings were fed back to the vendors to improve their products. AV is not the low-hanging fruit; there has never been a discovered malware that exploits an AV bug. It might happen, but you are a million times more likely to find a garden-variety malware that all AV detects.

(Of course I am ignoring APT/nation-state 0day, as it is not specifically about AV; all software is vulnerable against an adversary of this skill.) If your worry is APT attacking your AV, you had best be looking at your operating systems first.

So far my corporate Mac antivirus has only blocked iOS apps that I personally built and it completely breaks the iOS simulator. It has caused me hours of headache and it regularly locks up my machine to the point that I have to restart it almost daily.

All of the things you mentioned can be stopped using far less intrusive methods than an always on, always scanning, antivirus.

The usual excuse given for requiring an antivirus is PCI compliance.

AV detection rate is not very good. And of course targeted stuff can just test against your AV.

Yes, lowest hanging fruit, I know. So at this point you have to start managing your compromises instead of altogether preventing them.