SE Labs

Special Edition
Computer security testing comment and analysis from SE LABS Ⓡ

Mac anti-virus

All you need to know about anti-virus on the Mac.


At SE Labs we are often asked, “which is the best anti-virus for the Mac?” And, “do you need anti-malware for MacBooks?” For reasons we’ll explain, we’ve not published an endpoint security report for Mac-based products (yet).

But we do have an insight into how Mac threats work and how Apple tries to protect users. In this article we cover everything you need to know.

Is the Mac malware-free?


Apple has long marketed its operating system as being free of ‘viruses’. The famous Mitchell and Webb advert of 2007 was the most obvious dig at the prevalence of Windows malware and the lack of Mac threats.

Some argue (convincingly) that, as the Mac has routinely occupied less than 10 per cent of the computer market for years, its lack of users makes the platform less interesting for general cybercriminals.

There is malware for the Mac

As we’ll see, the Mac doesn’t face the same level of malware threat that Windows users experience.

However, it is possible to create malware for macOS, and the excellent book “The Art of Mac Malware” goes into a lot of detail about how the bad guys run their attacks.

For our purposes it’s useful to know that Mac malware can do pretty much everything that Windows malware can do, such as:

  1. Gain access to targets through social engineering or technical means
  2. Achieve persistence on targets (i.e. stay installed, even after reboots)
  3. Steal or damage data; and provide remote access

You can expect attackers to use the same type of techniques as those who focus on Windows targets. They will use obfuscated web links, Office macros and Trojanised applications, and can even exploit vulnerable applications without user interaction.

macOS has anti-virus protection built in

Despite the perceived lack of threats, Apple has built anti-malware protection into macOS, the operating system that runs today’s MacBooks of various types. Apple doesn’t make a big deal about it, and it’s not something you’ll run into very often, but there are (sort of) three main components of macOS devoted to securing the system from malware. These are:

  • Gatekeeper (with Notarization)
  • XProtect
  • Malware Removal Tool (MRT)

Hashing out the problem (Gatekeeper and Notarization)

Step 1: Stop known bad files

Protection actually starts at the App Store, which checks for malware. But some developers don’t want to use that, so Apple scans their applications using a service called Notarization. This certifies the apps as being free of known malware.

The technical term for how this works is ‘hash-based’ malware detection. If the malware has been seen before, it has a known fingerprint (the hash). If a security scanner sees that fingerprint it knows that malware is in play.

The Gatekeeper technology built into macOS looks at the apps’ certificates (called ‘Notarization tickets’ by Apple) and either allows the user to install the software or blocks it.

This is how anti-virus worked back in the 90s. And there’s nothing wrong with that. Actually, it’s a very sensible approach to recognise the bad things that you know for sure are bad.

Bad behaviour (XProtect)

Step 2: Stop bad behaviour

XProtect is anti-malware software built into macOS. It uses rules to spot bad behaviour. Unlike hashes (see above), these rules are flexible enough to notice new threats, as long as they behave in similar ways to old ones. It’s less of a fingerprint and more about noticing familiar suspicious activity.
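
The difference between the two layers described above (a hash that matches only a file seen before, and a rule flexible enough to catch a new variant) can be shown in a few lines. This is an added example, not Apple's code or rule format: the sample bytes are constructed and inert, the detection names are made up, and the rule matches shared content traits as a simplified stand-in for whatever XProtect's rules actually test.

```python
import hashlib
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    patterns: tuple   # compiled byte regexes describing family traits
    min_hits: int     # how many distinct patterns must match

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed, inert bytes (not real malware) standing in for a known threat.
KNOWN_BAD = (b"#!/bin/sh\n# demo-family build 1\n"
             b"fetch http://example.invalid/stage2\n"
             b"install ~/Library/LaunchAgents/com.example.demo.plist\n")
# Same family rebuilt with a new build number and host: a different hash.
VARIANT = (KNOWN_BAD.replace(b"build 1", b"build 2")
                    .replace(b"example.invalid", b"other.invalid"))
BENIGN = b"#!/bin/sh\necho 'hello from a normal installer'\n"

# Layer 1: fingerprints of files already known to be bad.
HASH_BLOCKLIST = {sha256(KNOWN_BAD): "Demo.Family.A"}

# Layer 2: a rule describing traits the family shares across builds.
RULES = [Rule("Demo.Family.generic",
              (re.compile(rb"demo-family build \d+"),
               re.compile(rb"fetch http://[\w.-]+/stage2"),
               re.compile(rb"LaunchAgents/com\.example\.demo\.plist")),
              min_hits=2)]

def scan(data: bytes):
    """Return (layer, detection_name) or None; hash check first, rules second."""
    name = HASH_BLOCKLIST.get(sha256(data))
    if name:
        return ("hash", name)
    for rule in RULES:
        hits = sum(1 for p in rule.patterns if p.search(data))
        if hits >= rule.min_hits:
            return ("rule", rule.name)
    return None

if __name__ == "__main__":
    for label, blob in [("known", KNOWN_BAD), ("variant", VARIANT), ("benign", BENIGN)]:
        print(f"{label:8} sha256={sha256(blob)[:12]} verdict={scan(blob)}")
```

The known sample is caught by its hash, the rebuilt variant slips past the hash list but is caught by the rule, and the benign script passes both layers.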

If a new threat appears on the Mac, and Gatekeeper missed it, XProtect provides the next layer of defence.

Apple distributes updates to XProtect regularly so that new rules spread to counter new threats.

XProtect is also responsible for removing any malware that previously infected the Mac and subsequently becomes known. To achieve this goal it (probably) uses the somewhat mysterious Malware Removal Tool (MRT)…

Eviction notice

Step 3: Remove installed malware

There is an ‘application’* in macOS called the Malware Removal Tool (MRT) but there isn’t a lot of publicly available information about it. It’s probably easiest just to imagine that it’s the feature of XProtect that removes malware.

* It’s not an application in the normal sense of the word. More of a ‘component’.


Why no reports?

You may be wondering why there are so few professional security reports assessing Mac anti-virus. There is a simple reason for this: there is a lack of malware threats for the Mac.

Traditionally, readers expect to see tests including dozens, if not hundreds, of malware attacks.

When security vendors ask us to create a Mac malware test we struggle to find the same levels of real-world malware threats that Windows users face. Sometimes a vendor claims that there is a lot of bad software out there for the Mac, but it turns out that it means there is software that serves adverts (Adware) and behaves in slightly shady ways, tricking users into installing other software.

This grey ‘potentially unwanted program’ (PUP) part of the industry doesn’t fall into what we call ‘malware’. It’s annoying software that doesn’t improve your life much, but it doesn’t steal or damage information like a significant threat would.

Business customers often need ‘anti-virus’ to comply with rules around their security policies. “All endpoints must have anti-virus!” for example. We maintain that for now it’s not technically necessary, even if it might be required by their in-house legal teams.

Mac anti-virus doesn’t solve all the problems

Some security practices and tools are extremely important and not specific to users of Mac products. If you need to protect your network connection in a hostile environment, a VPN is useful. You should protect your internet accounts using two-factor authentication. Choosing strong passwords is crucial. Recognising phishing emails is also very important. Mac users should pay attention to all of these things.
