8 Simple Tips to Secure a Mac from Malware, Viruses, & Trojans
The recent outbreak of the Flashback trojan (Apple released an update and fix, get it!) has brought a lot of attention to potential viruses and trojans hitting the Mac platform. Most of what you’ll read is overblown fear mongering hype, and practically all Mac malware has come through third party utilities and applications. What that means for the average user is that it’s very easy to completely prevent infections and attacks from occurring in the first place, especially when combined with some general security tips.
Without further ado, here are eight simple ways to secure a Mac to help prevent viruses, trojans, and malware from affecting you:
1) Disable or Remove Java
Flashback and other malware have been installed by exploiting Java security holes. Apple has already released several updates to patch the Java security holes that allowed Flashback to spread (you should install those), but you can also go a step further and completely disable Java on the Mac. Frankly, the average person doesn’t need Java installed on their Mac let alone active in their web browser, disable it and you don’t have to worry about security holes in older versions of the software impacting your Mac.
You can read how to uninstall Java from Mac here if you don’t use Java at all on the computer. Otherwise you can disable it manually too.
1a) Disable Java in Safari
- Open Safari and pull down the Safari menu, selecting “Preferences”
- Click on the “Security” tab and uncheck the box next to “Enable Java”
Disabling Java in the Safari browser is reasonably effective, but why not go a step further and disable it in Mac OS X completely? Chances are high that you won’t miss it, let alone notice it’s disabled.
1b) Disable Java System-Wide in Mac OS X
- Open the Applications folder and then open the Utilities folder
- Launch the “Java Preferences” application
- Uncheck the box next to “Enable applet plug-in and Web Start applications”
- Uncheck all the boxes next to “Java SE #” in the list below
2) Update Apps and Mac OS X Software Regularly
Apple regularly issues Security Updates and many third party apps do as well, therefore regularly updating both your MacOS / Mac OS X System Software and Mac OS X apps is one of the single best preventative measures you can take to keep a Mac secure. We’ve hammered home about this repeatedly as a general Mac OS X maintenance tip because it’s important and so easy to do:
- Open Software Update from the Apple menu and install updates when available
- Open the App Store and download available updates to apps and anything else as well
3) Disable or Remove Adobe Acrobat Reader
Adobe Acrobat Reader has had multiple security breaches recently, therefore you’ll be safer without it in your web browser. There’s little reason to have Reader installed on a Mac anyway, since Mac OS X includes Preview for viewing PDFs. Uninstall Adobe Acrobat Reader by running the bundled uninstaller app, or locate the following file and remove it to uninstall the Acrobat browser plugin:
/Library/Internet Plug-ins/AdobePDFViewer.plugin
4) Install Anti-Malware / Anti-Virus Software for Mac OS X
Using anti-virus software on the Mac is likely overkill, but it’s worth mentioning again. Additionally, there are anti-malware tools available now too.
Arguably the best solution is available for free from Malwarebytes (and yes, there is a paid tier but if you just want a scanner and removal tool, the free version is sufficient for those needs). It is a widely trusted tool that keeps an updated list of malware, and the free version will remove any detected malware from the Mac.
As for anti-virus, it’s generally not necessary. Nonetheless, we’ve talked about the free Sophos anti-virus here before, and though you probably won’t ever need it, it’s a free and effective way to fight viruses that may end up on the Mac. If you’re the cautious type and you’d like an antivirus on the Mac, Sophos is something to look into:
5) Disable or Remove Adobe Flash / Use a Flash Block Plugin
Flash has been used as an attack vector in the past, and Macs stopped shipping with Flash installed for a reason; basically it’s a crash-prone battery hog that has occasional security breaches. Many sites use Flash for video and games though, so instead of uninstalling Flash completely we’ll recommend using a Flash block plugin for your web browser. This causes all Flash to be disabled by default until you click to allow individual plugins and instances of the Flash plugin to run, preventing unauthorized Flash from running in a web browser completely. These plugins are free and available for every major browser:
6) Disable Automatic File Opening After Download
Safari defaults to automatically opening “safe” files after they’re downloaded. For added security, disable this feature and manage the opening of downloads yourself:
- Open Safari preferences and click the General tab
- Uncheck the box next to “Open ‘safe’ files after downloading”
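One way to confirm that tips 1, 3, 5 and 6 took effect, as an added example that is not part of the original article. Only the `AdobePDFViewer.plugin` path comes from the article; the Java and Flash bundle names, the per-user plug-in folder, and reading Safari's `AutoOpenSafeDownloads` preference with `defaults` are assumptions of this sketch.

```shell
#!/bin/sh
# Added audit example (not from the original article).
# Reports which browser plug-ins named in tips 1, 3 and 5 are still installed,
# and whether Safari still auto-opens "safe" downloads (tip 6).

# AdobePDFViewer.plugin is the bundle named in the article. The Java and Flash
# bundle names are assumptions (their usual install names).
RISKY_PLUGINS='AdobePDFViewer.plugin
JavaAppletPlugin.plugin
Flash Player.plugin'

# list_risky_plugins DIR...
# Prints DIR/NAME for every risky bundle present; missing directories are skipped.
list_risky_plugins() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        printf '%s\n' "$RISKY_PLUGINS" | while IFS= read -r name; do
            if [ -e "$dir/$name" ]; then
                printf '%s/%s\n' "$dir" "$name"
            fi
        done
    done
    return 0
}

# classify_auto_open VALUE
# Maps the raw preference value printed by `defaults read` to a verdict.
classify_auto_open() {
    case "$1" in
        0|false|NO)  echo "disabled" ;;
        1|true|YES)  echo "enabled" ;;
        *)           echo "not set" ;;
    esac
}

audit() {
    # System-wide folder as written in the article, plus the per-user folder
    # (assumption: same folder name under the home directory).
    found=$(list_risky_plugins "/Library/Internet Plug-ins" \
                               "${HOME:-}/Library/Internet Plug-ins")
    if [ -n "$found" ]; then
        echo "Plug-ins still installed:"
        printf '%s\n' "$found" | sed 's/^/  /'
    else
        echo "No Java, Flash or Adobe PDF plug-in bundles found."
    fi

    # `defaults` only exists on a Mac; skip the Safari check elsewhere.
    if command -v defaults >/dev/null 2>&1; then
        value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
        echo "Safari 'open safe files after downloading': $(classify_auto_open "$value")"
    fi
}

audit
```

A result of "not set" means the preference has never been changed, so Safari's default of opening "safe" files still applies.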
7) Double-Check Anti-Malware Definitions are Enabled
Mac OS X automatically downloads and maintains a malware definition list which is actively used to combat potential threats and attacks. This is enabled by default, but you can double-check to make sure you’re getting the updates as they arrive by ensuring the feature is turned on:
- Open System Preferences and click on “Security & Privacy”
- Under the General tab look for “Automatically update safe downloads list” and make sure it is checked
You can also check the update list manually if you’re concerned the latest version hasn’t been installed, but as long as you have the feature enabled and have regular internet access, it probably is.
8) Don’t Install Random Software You Didn’t Ask For
If you see a random pop-up window asking you to install random software you didn’t request, don’t install it! This may sound like common sense, but it’s actually how some Mac malware propagated in the past. Apple patched the hole that allowed for that to happen a while ago, but the overall message is still relevant: if you didn’t download or request an app to be installed and you’re suddenly confronted with an installation dialog, don’t install it.
That about covers it, but if you have any additional security tips and anti-virus/malware/trojan tips, let us know in the comments.
:( I cannot find Java preferences on my 2017 iMac.
That means you don’t have Java installed on your Mac. Keep it that way, you probably don’t need Java on your Mac anyway!
When I click on your “Flashblocker for Chrome” I get an “Error 404” response. Can you help me?
Is there an update to this JS:TrojanScript article?
I found one on my external HD with Bitdefender but Bitdefender can’t seem to remove or disable it.
https://osxdaily.com/2012/04/07/tips-secure-mac-from-virus-trojan/
I purchased my Mac in November 2015. Like the above reader, is there an update to this article, please? I spoke to an Apple staff member on the telephone in December 2015 about installing my Avast antivirus on the Mac and was given the advice to do so. For the past two weeks I have constant alerts on the screen from the Avast programme telling me that they have blocked a suspected Trojan. I get about 30 of these a day coming from the same source, and it is driving me insane. Yesterday Avast blocked the Silverlight program, which is used to watch Now TV football, therefore disabling viewing this on the Mac. Last week I was able to use Silverlight to view without a problem.
Do I need the antivirus on the Mac, it is posing an annoyance presently. I have the same programme installed on my Windows PC and am not having the same issues, there are no pop up alerts on that machine. Any advice would be much appreciated. I would add that I bank online so do need to be secure.
This is up to date advice. Security doesn’t become outdated.
Keep OS X up to date, don’t install junky software, don’t install Java, use Chrome, don’t install Flash or any browser plugins. Keep it simple.
So do you advise uninstalling Avast antivirus from my Mac and leave Apple and the apps to do the monitoring of mail traffic, etc. The programme is constantly alerting me of it blocking suspected Trojans in mail, from one particular source.
Hi there,
I am new to MAC, is there an updated version of this page’s information for 2014?
Cheers!
I can’t open Java prefs, crashes when I try. Weird.
[…] access to certain banking websites. Those concerned about potential malware and trojans in OS X can read our article on some common sense tips to avoid infecting Macs. […]
On OSX no virus exist! Only trojans! A “Anti-Virus”-Software don’t work against trojans on a Mac.
You have to install the security fixes on OSX and work with a USER account, not an ADMIN and you have to use your “Brain.app”!
ClamXav is good for scanning attachments from Windows-Users. Its ok to install it because it’s free.
Happy New Year to All!
it’s amazing how people get neurotic about virus on osx, they say doesn’t exist it’s like a forbidden word, they can be called malware, the truth is that kaspersky blog said there is several like flashback, i would ask the people who claim it doesn’t exist where they get the info or they can bear the idea, they exist no matter users get neurotic, the experts like kaspersky claimed that, there is no security expert that claims there is no virus, flashback can install with no user intervention, it’s very funny what the little word “virus” can do to the apple users
thx for the tips, but you don’t need a anti-virus.
it’s called xprotect, people feel proud about macs not needing antivirus, better call it xprotect it will help you to sleep, many people when hit by a virus apple will replace the hdd to hide the virus i tell that cos my cousin is a former apple worker, you don’t know how many healthy hdd are replaced to hide the presence of virus in macs, you replace the hdd and you gotta install os x that’s how you hide it people will never know and will sleep happy
Just use Open Office to view and create PDFs, DOCs, XLS, PPT and a ton other formats. Oh yeah, it’s free
[…] it actually uninstalls the Java applet plugin from all web browsers on the Mac. This is done as a security precaution to protect against potential malware, which has consistently used Java exploits as a means of attack. With Java removed from the browser […]
I found that I needed Adobe Reader on my MBP (Snow Leopard) in order to fill out a PDF form from the VA. Preview would not work. The question then becomes, which application to use as the default PDF viewer? I’d choose Preview. And, before using Adobe Reader on a trusted PDF, I’d open it and check for updates.
[…] the average user, we’ve recommended keeping Java disabled as one of the primary means of protecting a Mac against potential malware, viruses, and trojans. In fact, the newest versions of OS X require that Java be installed manually to help mitigate […]
[…] may recall that disabling Java was the number one tip we suggested when protecting a Mac against viruses and trojans, that’s because the majority of security […]
I can’t find “Automatically update safe downloads list”
Generally Mac computers are immune to malware threats. A number of users have strong belief that their system and data are completely safe just because they’re using Mac OS X. But they should think about Mac safety or security. Every Mac user should install antivirus so that they could aware of new virus update and keep their Mac secure and yes backup is also a good idea for the safety of data.
I found I got more troubles after turning off Java. For instance, I couldn’t make MATLAB start until I remembered it uses Java. My work heavily depends on MATLAB, I almost got myself a heart attack for it.
Wish I had left things alone. I went through all the steps with each browser I use, and now everything is messed up. I can’t scan a check to my bank that I used to be able to, the images on web pages do not load properly…..Is there any way to put things back the way they were before, if I am not using Time Machine on my Macbook Pro?
Re-enable Java and Flash, uninstall a plugin or two. Just reverse the instructions.
[…] install the update as soon as possible. For extra protection, don’t miss our recent post on some simple tips to secure Mac OS X from viruses, malware, and trojans. […]
And I use a separate old dedicated Windows PC to do all banking and financial activity. All email from banks and places that involve money transactions go to a dedicated email address used by that computer. No other email is processed. Unknown email is auto-deleted. Op Sys and anti-virus always updated. PC never used to web surf or visit non-banking non-financial merchant sites. And it is backed up. Runs minimal plug ins and add ons. The ONLY thing that is 100% is that eventually something will go wrong. But I feel in this way I improve my data security.
OS X *is* Unix certified, the XNU “X is *not* Unix” kernel is POSIX compliant. Macs have been “safe” because of good architectural design. It has nothing to do with the world’s population that use a Mac.
“Keep your junk up to date and quit being so paranoid.” – It’s nonsense like this, that makes Mac users so vulnerable. First off, OS X is *not* Unix – It’s a Mach/BSD hybrid kernel. Second, Macs have only been “safe” because of security through obscurity – only 5% of the world’s population uses them, thus those who write viruses didn’t much bother…yet in security test after security test, OS X has proven to be indeed rather vulnerable, and it’s only a matter of time. If ill-willed coders have a change of heart and decide to focus more on Macs, stuff like Flashback is only the beginning, sorry to say.
“OS X is *not* Unix”
Bullsh*t! Mac OSX 10.5 was certified SUSv03 (Ars article : http://bit.ly/TtdBY ) Whilst it’s true that the smaller user base makes Macs a smaller target, the potential is certainly there, especially as they have a better trust level. Almost all weaknesses in the Mac arise from 3rd party software, particularly Adobe products, or from social engineering.
I run ClamXav, mainly because they have NO interest in selling you anything, I use ClicktoPlugin in Safari and I don’t run as admin. Thus, with a little bit of intelligence, I’m fairly safe.
I had trouble using GoToWebinar after following all the tips in this article. Had to re-enable Java in Safari and OS-wide Java Preferences, had to check both boxes again. Now it works.
So if you want to follow this article’s suggestions, you’ll be unable to look at some important webinars.
Keep your junk up to date and quit being so paranoid. The most secure windows system is less secure than a wide open unix system. A java exploit that does absolutely nothing hits the front page news because it affected macs. A webpage that tells the user to sudo rm -rf / would do more damage.
I’ve just downloaded and installed Sophos Anti-Virus software, and it says there are 5 virus/malware. I’ve also scanned with ClamXav and Flashback and BOTH these softwares say my iMac isn’t infected. So why the discrepancy? I suspect Sophos – coming from a company that SELLS and HOPE to sell (more) anti-virus softwares is merely listing the virus/malware infection so that we end up buying their software. I’m uninstalling Sophos. This message/feedback is to warn users not to bother installing the Sophos anti-virus software. Plus, based on the feedback from users, I still haven’t heard of any saying their Macs have ACTUALLY been infected.
The simplest way to avoid trojans – get LittleSnitch.
I’d recommend a free, Windows 7 tried and true, security suite which is now available for Mac OS : comodo internet security (google it). It’s been very effective on my PC, and it has cleaned up my Macbook
Uh, Safari 5 does not allow webkit plugins, including Clicktoflash.
I’m using Safari 5.1.5 and ClickToPlugin right now.
Since Sophos has a free anti-malware client for Mac users, that’s a good place to start with doing something preventative on your Mac(s). It’s a good product and it’s FREE.
ClamXav http://www.clamxav.com/ is also free and better than Sophos IMHO.
wonderful post – another OSX brilliant post
thankyou
—-
for item 3)
3) Disable or Remove Adobe Acrobat Reader
when you say remove — do I click “delete” that file (AdobePDFViewer.plugin) after I navigated to it
and then the viewer is “uninstalled”?
—–
1b) Disable Java System-Wide in Mac OS X
I could not see the check box at the top to uncheck
I am on 10.6x
is this a 10.7x option?
—–
I use firefox not Safari
for 1a) Disable Java in Safari
option Enable Java, was there but on a different tab
for 6) Disable Automatic File Opening After Download
I could NOT find option in Firefox to uncheck
—-
thx again
In firefox, choose add ons from the menu and then go to plug ins. You can disable java there.
Sophos is not a good idea. It runs too much code privileged and can make your system less secure. You don’t need an anti-virus for OSx anyway.
Anyone has to worry when anti virus software companies make hundreds of millions of dollars each year out of the existence of viruses. It’s in their interests that viruses exist. Has anyone wondered who writes viruses and why?
I might be inclined to agree with you if anti-virus worked well. However, it rarely works unless the malware sample is old.
I have been saying that for years!!!!! I have been trying to get my grandfather from PC to Mac and he just keeps saying way too expensive. I said you get what you pay for. You pay that 1,200 to 2,000 on a Mac and you turn it on and that’s it. As to Windows you have to buy AntiVirus; then you still get viruses and have to pay all kinds of money to get it fixed. He goes but I never paid anyone to fix it and says “you do it for me”! I said do you have any idea how much money you would owe me if I was a company like Geek Squad or Radio Shack. Literally 5k pop pop I said and I am not exaggerating at all. Then I said don’t you think if Bill Gates wanted a SOLID computer on the market don’t you think he would have done it by now!!! He wants you to get catastrophic Trojans, viruses, and everything else under the sun. They all do!!!! He won’t break. I told him next time (which will be any day now) I am not taking all day to use them ComboFixes. That’s old school shit for me! And I am sticking to my word. Anyway great article here I learned something new today!!
LOL.. thought I test blogger’s theory about “the average person doesn’t need Java installed on their Mac let alone active in their web browser, disable it and you don’t have to worry about security holes in older versions of the software impacting your Mac.”
Woke up this morning forgetting I had done this late last night…. and did my usual mosey’ing around the web.. wondering what in the world is going on with all these internet sites not working properly.
Everything else is on point.. idk about Javascript disabled though.
Javascript is not the same as Java.
I wish that Sophos would stop keep appearing in articles like this as ‘recommended’ anti-virus products; I had the product installed for six months and it made my MBPS very unstable and when I logged a number of calls with Technical Support I was ignored over and over again. I got Customer Services involved in the end and pointed out that they treated their customers with contempt! My suggestion is not use it
You get what you pay for.
Yeah… Since I uninstalled (which by the way is the most robust process within it) the Sophos software, the machine hasn’t played up at all! ;) I migrated from Windows and some habits die hard…
I think java is used a lot more than you would expect, especially by people who use their Macs at work.
Blockers like click-to-plugin allow control over when java is allowed to load in Safari. FF and Chrome have similar add-ons. (It is curious to me that such features aren’t built in.)
I don’t see much need for A/V. Just use some judgment.
Good list otherwise.
i don’t think any of it is for good, this os x daily sells anti viruses once we follow them we might needed anti virus then, there is no yet found virus for mac which is true, just update software is better
Not sure where you get that idea. We don’t sell anything, and the anti-virus app that we only half-recommended is free.
“…Frankly, the average person doesn’t need Java installed on their Mac let alone active in their web browser…”
…except for the average person who uses net-banking, since the majority of banks use Java for their login certification (Danske Bank, Deutsche Bank, IngDiba, just to name a few of the *international* banks).
NemID in Denmark uses Java. You use NemID to log on basically everything. Your bank, insurance, tax office, pension etc. etc. quite the exact opposite of what is stated in this article. Everybody needs Java.
And to think in my “yoout”, a Trojan was enough protection! Hmmmm…
The best policy is to not download ANYTHING from a site you do not know and do not allow auto-install – ever!
I do think that the article is a bit of overkill but we are now subjected to MacMoMos who really think that MacOS is the same as Windows. So, I can see the reasoning behind the article.
I also agree with not using your admin account as your main account.
Cheers.
Hey it’s a good article, but what you said is too much…. instead I would suggest you to completely shut down Mac and go to sleep. If mac has security holes, Apple should release updates. It does not mean user should disable all service that he has on his computer. I feel Windows 7 is better….
If I’ll disable Java, Adobe Creative Suite CS5 stop working.
There’s a hint there…
A hint to use quark? Do the apple apolohensia do anything other than blog and tweet? Disable java and flash??!! Fing seriously??!!
Tip 9: go into a locked, dark, shielded room and format your hard drive. Do NOT reinstall. Admire the outstanding industrial design of your Mac by sense of touch.
“apolohensia”. Perhaps you were looking for apologensia which isn’t actually a word, just something the unintelligent use to try and seem smart. Java isn’t critical to a web browsing experience, but it does help. As for flash, it’s just a bloated POS whose premise sits back (and belongs) in the last century. Only the packaged content has changed. The sooner it evaporates off the face of the planet, the better, as the security holes it opens your system up to, you can drive a truck through. Nothing was mentioned about torrent files. Biggest risk you will ever take is to download anything from P2P or torrent files.
One other thing, turn your modem off when you don’t use it or only turn it on when you’re actually using the internet.
why would you turn your modem off When you watch tv using your modem and cable box
I don’t agree with the point 4
If you disable java and enable your brain you don’t need an antivirus
100% agree
I agree as well, antivirus is basically snake oil for a Mac
Stop going to p0rn sites, since this is where most viruses are usually picked up.
no its not
Above tips are good and not using an Admin account as main account is also a good idea.
I don’t feel antivirus is necessary. It’s like wearing a seat belt while sitting at a desk chair, vaguely possible in a theoretical concept yet never needed.
How about:
Having a NOT administrative account as everyday user account, even though Apple creates the first user with administrative rights for everyday use one should use an account without these rights.
Yes, that’s a very sensible idea, but it would not have been enough against this trojan. I think it could install itself in one of the user directories.
into the user directory who is visiting the site, yes, but not system wide except you enter the admin password of course…
it’s quite useful against the most attacks on a mac. only one user will be harmed and that’s something easy to handle i think.
Once the Trojan is in the user directory, it will propagate to the system, as soon as the administrator logs on.
I run Firefox with noscript and ad block plugins. Proactive protection. It’s a moot point about the effectiveness of AV applications
Hey great tips and very timely, you can never be too safe with this stuff.
Not to nitpick about wording, but I think it’s “virii” and not “viruses”?
Virii as the Latin plural of virus is incorrect for several reasons, the first one of which is the fact that the singular is virus, not virius. See for details. Briefly, the plural ‘viruses’ is acceptable in English, while modern Latin uses ‘vira’.
Oops, the URL for those details didn’t come through. Search Wikipedia for ‘Plural form of words ending in -us’.
And if one is going to be THAT picky, there are all of those comma splices in the article. But so what?
For the sake of nit-picking the nits on a nit, traditional Classical Latin didn’t actually have a finite correct plural form for ‘virus’. Therefore using the word ‘viruses’ seems perfectly acceptable. Everybody knows what it means, whether used within a medical or computer-based concept. ‘Virii’ seems to be one of those words which makes some of us feel good about ourselves when we’ve been able to use it in polite conversation.
[…] to take some extra security precautions and preventative measures, don’t miss our article on simple tips to prevent Mac virus infections, malware, and trojans. […]