Ask HN: How to secure your Apple Mac against malware/viruses?

- IceFloor (since OS X includes pf)

- mDNSResponder -NoMulticastAdvertisements

- Hands Off!/LS

- Vera/TrueCrypt

- Samhain/TripWire

- GPG Tools

- Homebrew packages

- a password manager

- 5x DNSCrypt-proxy instances round-robin'ed with dnsmasq

- Chrome/FF

- TorBrowser

- i2p

- no unnecessary apps

- follow the NSA and other guides for securing OS X (FileVault 2, firmware password, don't use iCloud Keychain, etc.)

- use DBAN on old systems and drives

Be aware that security has to be balanced and leave a usable device, and some security measures interfere with and/or disable certain features.

And no flash/adobe, browser java plugin

References:

https://github.com/drduh/OS-X-Security-and-Privacy-Guide

http://docs.hardentheworld.org/OS/OSX_10.11_El_Capitan/

http://www.tenable.com/blog/hardening-os-x-using-the-nsa-gui...

https://ist.mit.edu/macosx/1011

https://walterkilar.wordpress.com/2016/05/08/apple-os-x-el-c...

Related: is it possible to use ClamAV without the daemon, etc.? I would like to run it manually on specific files/dirs, but I don't know if I can.

Have a separate administrator account that you don't use for ordinary work. Your normal account should not have administrator privileges.

Don't run Flash, Acrobat or anything else from Adobe.

Use a good ad-blocker

Never click on a link in an email, or open an email attachment.

I don't run any antivirus on my Macs.

Little snitch is definitely a good tool, built in Mac OS firewall, uBlock Origin, uninstall Flash or disable it another way. I'm considering trying out BitDefender for Mac, but I've never had an issue before without added protection. knocks on wood...

The first step to securing any desktop computer, regardless of operating system, is to reduce your attack surface. Notably:

* Make sure your firewall's enabled and strictly configured

* Don't install arbitrary programs from the Internet

* Related to the above, don't pipe 'curl' into 'sh', and publicly scold anyone who's negligent and/or malicious enough to include that in the official installation steps of any program

* Make sure your web browser(s) is/are up-to-date

* Install an ad-blocker on said web browser(s)

* Disable anything that involves running arbitrary Turing-complete code off the Internet, including Flash, Java, and especially Javascript. If some newfangled Wangular.js web-scale tangled mess of obfuscated code fails to run in your browser, then it's up to you to make that choice to enable it.

Security != Flexibility and if you're going to make your daily workflow hell, then the hell with security measures! That is not valid for your working desktop ofc.

Security is a collection of policies more than specific programs. You need an anti-virus to scan for malicious files, possibly the moment they are locally available.

I used to use littlesnitch, clamxav and spamsieve (since I don't do mail filtering server-side). But never encountered any virus for mac. Everything claxmav was catching up was either false positives or spam emails with zip files which all ended up in the SPAM folder anyway.

Some malware doesn't even touch the file system nowadays - software like little snitch and tripwires are easily circumvented. All it takes is some remote code execution and you're fucked, so the best strategy is compartmentalization and extreme caution as to what code you execute. Only run signed apps from the AppStore and remove flash, pdf, and Java from the browser. The most critical thing is never running anything that didn't come from the AppStore and trusted vendors, and keeping OSX up-to-date.

I've been a Mac user since 2004. Up until December 2015, I never ran any type of anti-{malware,spyware} software on my Macs.

Then I went freelance, and as part of the contract with my first costumer, they required I be running AV stuff on any of my machines that connect to their network. I happily complied.

My Macs run ESET. (Linux machines as well, consequently.)