Top 3 Best Antivirus for Mac of 2020
Updated: January 2020
Norton 360 (new)
The most complete antivirus for Mac. Antivirus, firewall, VPN and a password manager.
- Protection for Mac 100% 100%
- Speed 100% 100%
✓ Protects Windows, Mac, iOS and Android
✓ 60-day money-back guarantee
✓ VPN: Free and unlimited
Read our full Norton Review
BitDefender for Mac
Perfect protection, but no extra features. It has antivirus and a VPN, but not much more.
- Protection for Mac 100% 100%
- Speed 100% 100%
✓ 30-day money-back guarantee
✓ VPN: Free but limited to 200 mb
Read our full BitDefender Review
Perfect protection scores, but at a heavy performance cost. Significantly slows down your Mac.
- Protection for Mac 100% 100%
- Speed 58% 58%
✓ 30-day money-back guarantee
✓ VPN: Not included for free
Read our full Avast Review
The Best Antivirus of the Year
Millions of users around the world trust Norton as the industry leader in antivirus technology
Firewall for Mac
Free and Unlimited VPN
How We Test
Below we explain with factors go into the calculation of our editors’ rating, what each of these factors mean, and the data sources we use
How We Test
Finding the right antivirus for mac is crucial. To make sure you have the right tools to make the decision, we want to be as transparent in our analysis as possible.
We use 6 criteria to analyze the winning programs. All criteria matter, but not all are equally important. Therefore, they impact the final score in different degrees. Below we show you the 6 factors and the impact they have.
- Protection from Malware 50% 50%
- Impact on Performance and Speed 15% 15%
- Devices and Features 10% 10%
- User Reviews 10% 10%
- Value for Money 10% 10%
- False Positives 5% 5%
Our protection, performance and false positive data comes from AV-Test and AV-Comparatives. These are considered the two global leaders in cybersecurity software testing.
Our user review data comes from TrustPilot and Google’s App Store, called Google Play. TrustPilot specializes in the collection of verified user reviews in a central location. Google Play, in turn, is the app database for Android users. It has one of the largest software review databases in the world.
The Supported Devices data is taken directly from the vendors. And finally, value for Money represents the relation between the requested price and the protection and features offered, of which all data comes from the vendors.
Protection from Malware
Protection from malware makes up 50% of the total score
Protection from malware and other online threats is the most important feature of any cybersecurity product.
Malware is a term used to describe a vast quantity of digital attacks. These include viruses, spyware, ransomware, adware, phishing, rootkits, keyloggers, and many more. As you can imagine, protecting users from such a diverse set of threats requires a diverse set of methods.
Over time, three distinct protection methods have developed and evolved. Each of the top ranking antiviruses has been tested extensively according to these. We describe each in more detail below.
Signature File Detection:
The classic form of malware detection, often referred to as virus scanning. In this method, antivirus programs scan files for digital signatures of malware. These digital signatures can be viewed as patterns, in either activity or code, that indicate the presence of malware.
Each malware has a unique digital signature which is stored in an incredibly large database containing hundreds of millions of malware samples. Whenever a cybersecurity firm discovers a new malware, its sample is added to the database.
This method has many advantages. It is fast, reliable, relatively easy to operate and scalable. But it is not perfect. As it can only discover known malware threats that have been uploaded to the database, it is blind to discovering new malware attacks.
To combat this, cybersecurity companies have evolved their methods. Using machine learning, they have developed the next stage in malware discovery: Heuristic file detection.
Heuristic File Detection:
Heuristic file detection is designed to discover malware threats that have never been encountered before and do not exist in any database.
To find these new threats, the antivirus software looks at behavioral patterns rather than signatures. This means it scans files and systems for particular suspicious activities that are common to malware.
When these patterns are uncovered, the antivirus software has two more methods of analyzing the suspicious files further:
File Emulation: File emulation is commonly referred to as sandbox testing. Using this method, the antivirus software executes the potential malware in a safe environment in which it cannot cause harm. This is often a virtual machine, called the sandbox.
In this environment, the antivirus program can analyze the suspicious file for common malware practices without any risk. These practices include the deletion of files, rapid replication in the system or network, and any attempt to hide specific files in the operating software.
Once it is confirmed that the suspicious file is indeed malware, further action will be taken to eliminate the threat.
Genetic Signature Detection: Developing malware is not an easy task, and malware creators like to reuse their creations as often as possible. Therefore, these cybercriminals frequently create slightly adjusted versions of their malware that are just unique enough to pass the signature-based detection method.
Genetic signature detection is developed to protect users from these slightly adjusted forms of malware. In this method, the source code of suspicious files is compared to the source code of known malware in the database. If a certain percentage of the source code overlap, the file is considered malware and further action will be taken to eliminate the threat.
User-Focused Protection Features:
In a constant game of cat and mouse, both malware and anti-malware technologies are evolving rapidly. They have come to the point where both are so sophisticated that it is often easier for malware creators to use a different route: Targeting the user directly.
There are many forms of malware, such as phishing, social engineering, scams, and identity theft, that don’t necessarily include the use of malicious software. Instead, these are clever schemes developed to trick users into providing cybercriminals with sensitive information.
The best antivirus programs for Mac have developed a range of clever tools to protect users from these schemes. Among many others, these include:
Website advisors: A tool that warns you before you access a website known for malicious intent.
WiFi security advisors: A tool that advises you on the safety of a specific WiFi network and whether using a VPN would be a wise choice.
Password managers: Tools designed to generate and store highly unique and secure passwords. They also automatically log you in on your favorite websites when you visit them.
Encrypted browsers: Browsers with an added layer of security that automatically launch when you access payment and banking websites.
Impact on Performance and Speed
Performance impact makes up 15% of the total score
If your Macbook slows down because antivirus software is running in the background, we speak of a negative performance impact. This can be measured in website load times, download speeds or the CPU resources required to run the software.
Devices and Features
Supported devices makes up 10% of the total score
For this factor, we investigate the supported devices per antivirus software. On top of that, we analyze which features are offered for each of the antivirus software. Often, a full security solution is offered for Windows, but the antivirus for Android, and Mac are far less generously equipped.
A note on iOS:
All antivirus providers create software for Windows, Mac, and Android. For Mac, however, not all do so with equal dedication. Some top-rated antivirus companies, such as Panda, BullGuard, and McAfee for instance, do not participate in the testing of their antivirus for Mac products by the IT security institutes. Which is also why they are not included in the line up of the best antivirus software for mac.
On top of that, not all antivirus providers offer security apps for iOS. Although It is true that iOS is a safer platform than the other operating software, this is only the case with malware. As ever more consumers fall into phishing traps, use insecure passwords, and surf unencrypted public wifi networks, even iOS users should have a cybersecurity app.
User Reviews make up 10% of the total score
User reviews are an important factor in the analysis of any potential purchase. They not only represent product satisfaction, but also the overall customer experience a user has in the engagement with the company.
Sadly, however, user reviews are easily faked and it’s difficult to know which sources to trust. We therefore only use review data from the most credible sources available: TrustPilot and the Google Play Store.
Value For Money
Value for Money makes up 10% of the total score
The damage caused by malware can be very significant. Both emotionally and financially. We therefore believe the price of an antivirus product should not be the most important factor in your purchasing decision.
That being said, it definitely has a role to play. As there are vendors that simply offer significantly more value for money than others, It pays to shop around and make a well-information purchasing decision.
To help you, we have analyzed the global pricing strategy of each firm to find out which offers the most value for your buck.
False Positives makes up 5% of the total score
When a clean file is flagged as malware, we speak of a false positives. This is fairly common when using the heuristic file detection method and nothing to worry about. However, some antivirus programs generate significantly more false positives than others, which can be annoying.
AV-Test is one of the leading test organizations in cybersecurity. Based in Germany, they have been performing in-depth antivirus analysis since 2013. AV-Test uses an incredibly large database of malware samples and state-of-the-art technology to run their tests. We consult the reports of AV-Test in the calculation of the performance and protection scores.
AV-Comparatives is the second top test organization in cybersecurity. Based in Austria, they have been running their software analysis since 1999. AV-Comparatives is famous for the creation of real-world test scenario’s that are capable of testing every aspect of the antivirus software. We consult their reports for the calculation of the performance and protection scores.
TrustPilot is the international leader in B2C (business to consumer) reviews. Over 200.000 companies have been reviewed on their platform by over 45 million reviews.
The Google Play Store is the app store for Android, the most used mobile operating system in the world. The Google Play Store has one of the largest software review databases in the world.
Tech enthusiast and founder of SoftwareLab. He has degrees in Engineering and Business, and has been active in the analysis of software, electronics and digital services since 2013.
Frequently Asked Questions
Below we have summed up the most commonly asked questions surrounding the topic of cybersecurity and the best antivirus software.
What Is Adware?
Adware is freely distributed software that contains and displays built-in advertisements for various products and services. It is also a type of software that can redirect queries to various sponsor websites. Another facet of adware software is data collection, which is usually done for marketing purposes.
This type of software, depending on how complex it is, can collect search history results, keystrokes, keywords, search patterns, and sometimes even personal information, most often without the user’s consent. Adware doesn’t always have to be installed manually. It can be installed remotely on a user’s computer when they visit an infected website. Hackers can also install malicious adware via a backdoor.
What Is Antivirus?
Antiviruses are among the most important lines of defense of computers and other internet-enabled devices. Antivirus programs or program suites are designed to detect threats, quarantine them, remove them, as well as prevent them from accessing the target computer or network in the first place.
Depending on the complexity of the antivirus software, it can protect against low-key and high-risk attacks and invasions of privacy such as those made possible by hacking, viruses, worms, adware, rootkits, spyware, keyloggers, and others. While sandbox detection techniques are the most popular, various detection algorithms are implemented today, the most modern of which use data mining and machine learning.
What Is a Botnet?
A botnet is a network of hijacked internet-connected devices that can be used for their superior combined computing power to deliver powerful attacks, disrupt internet traffic, or send spam. In a botnet, the hijacked computers are infected with bots, software programs that can perform automated tasks. Each computer in the network can operate one or more bots.
Also known as a zombie army or a zombie network, a botnet can be used by its owner through C&C software. Some threat actors may choose to use botnets for their own DDoS attacks, while others may rent out the botnet to interested third parties with malicious intent of their own.
What Is a Computer Exploit?
Various command sequences, as well as pieces of software, code, and data may fall under the category of computer exploits when they are used to exploit certain software or hardware vulnerabilities on foreign devices or networks. Depending on the vulnerability, a computer exploit can be assigned to a specific subtype, all contingent on what the exploit can do to a foreign system thanks to the vulnerability it takes advantage of.
Exploits can be local and remote. Remote vulnerabilities allow varying degrees of access remotely while local vulnerabilities usually imply than an exploit cannot be used unless the origin of the attack comes from within the vulnerable device or network. This too can sometimes be accessed remotely if there is backdoor access into the system.
What Is a Computer Virus?
A computer virus is usually a self-replicating malicious code that can copy itself into new programs, documents, or boot sectors, thus altering the way in which a device works. Computer viruses can be spread knowingly or unknowingly, but they need to be activated on the target device to have any effect. That’s why many viruses are embedded into software that looks trustworthy and legitimate or hidden inside links to websites that are seemingly legit.
There is also a risk of transmission through infected storage devices such as USB drives. Viruses can target system memory or core functions of apps and hardware components. They can also be designed to copy or delete data, or even encrypt it, which is something that’s often used in ransomware.
What Is a Computer Worm?
A computer worm is a subclass of computer viruses that rarely requires any help from the user (i.e. opening a program) to self-replicate and propagate itself in a vast network of interconnected devices. Worms usually get into a system either by direct download or through an unprotected network connection. Once inside a system, a worm can replicate itself multiple times and spread to other devices.
Although worms are sometimes viewed as a less threatening subclass, they are also often used to install backdoors into systems. These backdoors can then be used to install other malicious malware like keyloggers, adware, spyware, or bots, as well as to lay the foundation for a DDoS attack.
What Is Computer Hacking?
Computer hacking, or just hacking, is any unauthorized intrusion into a computer or computer network. Such actions usually involve compromising the system security by either altering some of its features or bypassing security measures altogether to achieve anything from access to confidential information to establishing root access to that system.
The term hacking doesn’t always imply negative activities. While there are people who use their skills to hack into foreign systems for personal, financial, or political gain, there are also those who hack into systems only to test their security and discover flaws or exploits. As a result of this type of hacking, many vulnerabilities can be patched before malicious hackers can exploit them.
What Is Cybercrime?
For a crime to qualify as a cybercrime, it needs to either target a computer or use a computer as a tool to commit the offense. Although there are various subtypes of cybercrime, they can all be categorized into two larger types – crimes that target individual computers or networks and those that target the device owners.
Some of the most common types of cybercrime include bank information theft, identity theft, cyberterrorism, online predatory crimes, and online stalking. Not all cybercrimes are end-game actions. Some of them are simply one small step in a much larger scheme that extends to the offline world as well.
What Is a DDoS Attack?
A DDoS attack is most often carried out by a botnet or zombie army of computers. It stands for distributed denial-of-service attack. The terminology refers to the disruption of services – either of a network or, say, a website. This is achieved by flooding target devices with unwanted internet traffic that hampers their performance.
The most common targets for DDoS attacks are online vendors, marketplaces, as well as other businesses that depend on having a stable connection and cannot afford to lose bandwidth. DDoS attacks may not only slow the performance of the targeted system but can also corrupt data or lead to data loss, not to mention significant financial losses.
What Is Identity Theft?
Identity theft is used to describe any unauthorized gathering of personal identifying information, achieved by any means, physically or in the virtual world. Identity theft can be done via shoulder-surfing, stealing bank statements, obtaining fingerprints, dumpster diving, and so many more methods. The perpetrator uses this information to assume the victim’s identity and gain personal benefit.
In this day and age, identity theft is more often than not classified as a cybercrime due to the fact that it involves hacking computer networks and databases for private information. It can also be done via spyware, keyloggers, planting viruses, email phishing, and other types of actions classified as cybercrimes.
What Is a Keylogger?
There are two types of keyloggers. There are hardware keyloggers and software keyloggers. Regardless of which one is used, the main goal is always the same: tracking someone’s keystrokes in order to monitor and record whatever it is they’re doing on a device, whether they’re browsing the internet, writing emails, writing code, etc.
Keyloggers are not always used with malicious intent. They can be used in cognitive writing research, to monitor employees on their work computers, or monitor underage kids and their online activities. However, they tend to have a negative connotation since they’re most often used as standalone tools or part of advanced rootkits to steal confidential information or grant access to target devices.
What Is Malware?
The term malware (short for malicious software) denotes all harmful pieces software such as computer viruses and worms, Trojans, ransomware, and adware, among others. Cybercriminals use it to establish a backdoor into foreign systems, create botnets, and launch various attacks for the purpose of stealing, corrupting, or deleting data on the target systems.
A malware suite, or a collection of more than one types of malicious software, is often referred to as a rootkit. Multiple types of covert malware programs can be embedded in a single application or file.
What Is Phishing?
Phishing is a fraudulent act that involves the theft of credit card numbers, usernames, passwords, and other sensitive information in which a criminal poses as a trustworthy individual or business. Over the internet, phishing usually involves the use of fake websites with seemingly trustworthy domain names.
Although quite dangerous, phishing is usually easily avoidable if the user exercises more caution when opening attachments, disclosing their personal information, checking website URLs, and using up-to-date antivirus software. Phishing can’t be successful without some involuntary help from the victims themselves, hence the need for cybercriminals to impersonate legitimate entities when phishing for information.
What Is Ransomware?
Ransomware is a type of malware that is most often associated with holding certain files, data, or financial assets hostage. This malware can be remotely installed via a backdoor or downloaded by the user from infected websites or attachments. Once inside the target’s system, the malware encrypts information that cannot be decrypted without a key. Other designations for ransomware include crypto-Trojan, crypto-worm, or crypto-virus.
Ransomware is also sometimes used to steal information. As a result, it is used in online blackmailing schemes in which the victim is threatened with the release of potentially compromising personal information that’s been encrypted by the hacker unless a ransom is paid off. Finding the source of the attack or the attacker is generally very difficult since most ransoms involve cryptocurrency payouts.
What Is a Rootkit?
Rootkits are usually, but not always, malware suites comprised of multiple programs and viruses designed to grant access to a computer or computer network by secretly exploiting various system vulnerabilities. Rootkits can be distributed via attachments, adware, email links, and other means.
The most common goal for a rootkit is establishing a backdoor access to the target system, which will allow the attacker to easily steal information, documents, money, or passwords. The perpetrator can also use this to wreak havoc on the system by corrupting data, disrupting traffic, deleting data, or slowing down the system’s performance. Modern antivirus programs have rootkit detection, whereas this was a much more difficult problem to deal with in the past.
What Is a Scam?
A scam is a fraudulent and criminal action initiated by an individual or group of individuals for the purpose of extracting sensitive information, stealing money, repurposing goods, etc. Internet scams include fake donations, cold calls, chain mail, online surveys, and many more.
A large majority of scams are done via the internet due to the ease of access that scammers have to networks of people. Some scams are quick schemes with a well-defined goal while others are larger cons that involve multiple steps in establishing trust, obtaining sensitive information, and stealing money.
What Is Social Engineering?
In the context of computer security, social engineering involves the use of psychological manipulation of individuals and groups using various techniques. Regardless of the specific technique that is used, social engineering is often employed with malicious intent and for the purpose of stealing confidential information or disrupting the normal operation of certain organizations.
Phishing is one aspect of social engineering as it involves tricking the target into revealing sensitive information. However, social engineering involves both low-tech and high-tech methods of manipulating victims. Just like with phishing, the perpetrator aims to earn the victim’s trust in order to gain access to information they can use to either harm the target or gain something for themselves.
What Is Spam?
Sending spam (also known as spamming) is the action of sending multiple unsolicited electronic messages. Spam almost always has a negative connotation but isn’t always part of some illegal scheme. Spam email, for example, can simply be part of an aggressive advertising campaign for certain products or services.
On the other hand, spam email can also be used in phishing schemes. In that case, the emails likely contain infected attachments or links to fake versions of various legitimate websites. Their creators’ goal is to collect personal information that can be used to extort money or information from the victim, gain access to restricted servers, or steal one’s identity.
What Is Email, IP, or DNS Spoofing?
Email spoofing is done to gain access to confidential information from an individual or groups of individuals. This type of action involves creating fake versions of legitimate websites that look good enough at first glance, to convince the target to reveal whatever information is requested.
DNS spoofing can be a standalone scam or part of an email spoofing scan. It involves diverting traffic from trusted websites to fake versions of those websites, from which the website owners can get the victims’ personal identifying information, usernames and passwords, credit card information, etc.
IP spoofing is not always used with malicious intent. Some people use IP spoofing and VPN services to access georestricted websites or hide their online activities. However, it can also be used to gain access to restricted networks in order to steal information or carry out some other malicious activities.
What Is Spyware?
Spyware is a subclass of malware programs that may include keyloggers, adware, Trojans, system monitors, tracking cookies, and other programs designed to monitor, record, and steal information. Most spyware programs are designed to operate covertly, without the user’s knowledge or consent. They can be standalone programs, remotely installed, or programs that need to be triggered by an action on the end-user’s device.
Spyware may collect a wide range of data or very specific information from targeted devices. In the case of adware, it may simply collect marketing-related information. In the case of keyloggers, however, it can steal usernames, passwords, identifying bank credentials, and so much more.
What Is an SQL Injection Attack?
An SQL injection attack is any action that inserts malicious SQL code into an SQL database for the purpose of gaining access to data and modifying, corrupting, or deleting it. It can either be done for financial gain or to wreak havoc on someone’s business, thus causing significant economic damage.
Most SQL injection attacks are directed towards online vendors and online marketplaces. However, due to the constant attacks against the e-commerce sector, there are more than a few ways to secure and protect websites with SQL databases against these attacks. Today, very little damage can be done to protected systems, thanks to the advanced antivirus and firewall programs available for small businesses and large enterprises.
What Is a Trojan Horse?
A Trojan horse, also known as a Trojan virus or simply Trojan, is a type of computer virus that can cause harm to a system once activated. Unlike a computer worm, a Trojan requires activation on the end-user’s system to do its job. However, this is not a type of virus that self-replicates and spreads to other systems.
Most of the time, a Trojan virus is used to establish backdoor access or remote access into the target system. Some Trojans are used to steal information directly or to download other malicious software onto the target computer or network.
What Is a Zero-Day Exploit?
A zero-day exploit, sometimes called a zero-hour exploit is not one particular exploit but rather a category of computer exploits. It includes all unknown or recently discovered computer exploits. Any exploit that’s known only to the attacker and is used to take advantage of a vulnerability is called a zero-day exploit.
These exploits are virtually impossible to defend against, because they are inconspicuous and work thanks to undiscovered or unpublicized vulnerabilities in various apps or networks. Once such an exploit has been made public, it is called an N-day exploit, with N being the number of days since the exploit was first discovered and since developers have started working on fixing it.
Below you can find all the sources we have used in our analysis
Disclaimer: SoftwareLab.org is not an antivirus, VPN or hosting service provider and does not endorse the use of the products featured on this website for unlawful means. It is the responsibility of the user to adhere to all applicable laws. We have no control over the third-party websites we link to and they are governed by their own terms and conditions. SoftwareLab.org is supported by advertisement in order to be a free-to-use resource. We strive to keep the information accurate and up-to-date, but cannot guarantee that it is always the case.