Apple has taken some very serious steps in the last few versions of OS X to beef up its security, and OS X 10.11 — El Capitan — is no exception. In fact, the steps it has taken with El Capitan may be the boldest yet.
El Capitan features “System Integrity Protection” which prevents any software you install and run on your Mac, regardless of where you got it, from modifying the System itself or any of the applications and utilities that ship with OS X in any way. Point blank.
That means, of course, that a lot of utilities and customisation tools that Mac users have used and in some cases relied upon for years no longer work — because they need to modify components of the System. That’s the price of security.
El Capitan also runs by default in “rootless” mode — that is, the “root” level of user access that’s generally present in Unix-based operating systems is not present in El Capitan. This means that the “holy grail” of malware authors — gaining root access and control of your system — is simply not possible.
At least until someone figures out a way to do it. Which, in all probability, someone will eventually.
The above features of El Capitan are in addition to other OS X security features such as Sandboxing, Gatekeeper and the Application Firewall. There’s also built-in anti-virus, and anti-phishing features in Safari (as well as just about any other OS X web browser).
If you make use of these features, and also install software only from the Apple App Store or trusted developers, you’ve got yourself a pretty secure system. So the question is, do you actually need anything more?
If and only if you don’t do a lot of web browsing or downloading stuff, and your online interactions are only with other Mac users, you probably don’t need to spend more money on security.
Otherwise yes, you do. Apple’s included malware protection and firewall are good enough for a lot of users most likely, but they’re very basic.
For example, the firewall doesn’t monitor outgoing traffic, only incoming — so if there’s something spying on you you won’t know.
For another, the included AV doesn’t look for Windows or Linux malware, only for nasties written specifically for OS X — so your machine can be used as a vector to infect others.
Lock down your Mac
First, use the tools Apple gives you. Open up System Preferences and go to Security & Privacy. Tell Gatekeeper only to allow apps downloaded from the App Store or, at most, the App Store and identified developers.
Activate FileVault — the performance hit is negligible, but anyone stealing your Mac can get nothing out of it. Switch on the Firewall — its default settings are good enough.
(Actually, under Firewall, click on Advanced … and activate Stealth Mode. This renders your Mac invisible to port sniffers.)
Finally, install Little Snitch to keep an eye on outgoing network traffic.
Avast Free Mac Security
In tests conducted by AV-Test, Avast Mac Security not only managed to catch 100 per cent of the malware thrown at it, but did so with only a slight hit to system performance.
That’s impressive, considering the product is free.
Avast provides three “shields”: File Shield, Mail Shield and Web Shield. Each scans stuff coming into your Mac from whatever source and alerts you to any problems (the Web Shield requires you to download and install an extension for your preferred browser). You then have the option to move infected files to the “Virus Chest” for further action.
In addition, Avast provides VPN products for desktops and mobile devices, which are also free.
And that’s about it. As you might expect, given this is a free product, you don’t get additional goodies such as a firewall or other protection. This is anti-virus, pure and simple. But it does it well and it does it free, and that’s what it says on the metaphorical box.
Our one complaint is that the notifications Avast provides don’t follow standard OS X interface guidelines. When a potential threat is discovered, you get a big orange splat thing in the shape of the Avast logo on the right of your screen, with no really obvious way to dismiss it (hint: click near the upper-left corner).
Probably handy as an attention-getter, but irritating for taking up so much screen real estate (remember that Avast also looks for Windows malware, so chances are you’ll get a lot of these alerts when you check your email).
Verdict: For a freeware package, Avast Mac Security is both powerful and lightweight.
Rating: 4.5 stars out of 5
Bitdefender Antivirus for Mac
And it did so with virtually no hit to performance — an important consideration, given many Mac users’ reluctance to bother with security software at all.
Optionally, you can add TrafficLight, a web browser extension (for Safari, Chrome or Firefox) that monitors pages you visit and jumps up to alert you to any suspicious behaviour such as phishing attacks or dodgy links on social media.
It also spots web sites that track your browsing and report back — a handy feature for the privacy-conscious.
Unfortunately it’s not free, and unlike other paid-for products, it doesn’t come bundled with a whole lot of other tools for different forms of online protection.
That’s not necessarily a bad thing — what it does, it does very well and simplicity is a virtue. But when you look at the additional tools bundled with, for example, Norton, you may feel a little underwhelmed for value.
Note that there is a version of Bitdefender in the Mac App Store, but you shouldn’t bother with that one. Limitations placed on developers by the Mac App Store basically make it incompatible with effective security software — you can’t scan every file on a computer from within a sandbox.
Verdict: Reliable detection with minimal performance load, but with a smaller feature set than some.
Rating: 3.5 stars out of 5
Kaspersky Internet Security for Mac
Kaspersky’s Mac anti-virus, like most paid products, comes with a suite of other features such as a firewall, password management (essentially duplicating the role of the OS X Keychain) parental controls, web protection (automatically installing extensions for Safari, Chrome and Firefox) and “Safe Money” — a tool that specifically protects your financial information when shopping and banking online.
Unfortunately, some features require a bit more manual fiddling than many unsophisticated users will be up for, so will end up unused.
Likewise the Parental Control feature, which at first looks pretty amazing, requires so much manual intervention that parents might not bother using it. To block your child from sending personal data, for instance, you have to activate Personal Data Control, and then specifically list the data (for example credit cards) your child is not meant to share.
Surely this could be automated to some extent? It’s a pity, because other aspects of Parental Control such as its interface for setting time limits are very nice indeed. Ultimately the best parental control is teaching your kids to be safe online.
Along with Avast, Norton and BitDefender, Kaspersky also managed to block 100 per cent of malware threats in AV Test’s comparison, though it did so with a heavier performance load than Norton or BitDefender (and slightly lighter than the free Avast).
We also liked the drag-and-drop interface Kaspersky provides for manually scanning a file — very Mac-like.
Verdict: Reliable malware blocking and a good feature set, but some features are a bit complicated.
Price: One device, $59.95 per year; multi-device, multi-year licensing also available
Rating: 4 stars out of 5
Symantec Norton Security Premium
As well as anti-virus, you get a very sophisticated firewall, web browsing protection (only for Safari and Firefox on Mac) and other goodies such as FileGuard, which password-protects individual files from prying eyes (although you can also do with OS X itself, so its value is neither here nor there really).
It’s designed as a household product, so you get parental controls and other similar tools over and above what OS X (or whatever other OS you happen to have in your house) uses.
If you have multiple devices protected it’s handy to have one unified interface for monitoring and configuring all of that though.
It’s an extremely full feature set, but might seem a bit overwhelming if all you want is anti-virus.
The good news is that Norton Security for Mac blocked 100 per cent of the malware AV Test threw at it and had the smallest performance hit of all the products tested. Indeed, once you’ve paid for the product (a 30-day free version is available) Norton guarantees a refund if you ever do get infected. That’s confidence.
It’s worth mentioning that the firewall monitors both outgoing and incoming traffic, and can monitor based on applications as well as network ports. It’s highly sophisticated but very Mac-like in its ease of configuration. In a lot of ways, it’s more valuable than the anti-virus protection for which you’re buying the product.
Verdict: Has a very full feature set, reliable protection and minimal performance hit.
Price: One device, $59.99 per year; three devices, $99.99; five devices, $129.99