Mac virus scan: How to check for Mac viruses

Apple has made it difficult to install an app that might not be secure on a Mac. Mac users can choose to only install apps from the Mac App Store, which is the safest option because it means the app has been thoroughly reviewed by Apple before distribution.

Alternatively, there is an option to install apps from the Mac App Store and from recognized developers. A recognized developer is one whose software has been scanned by Apple to ensure it is safe. As long as the app has passed Apple’s tests it has a Notarization ticket, which Gatekeeper looks for before telling macOS that it’s safe to open.

If you only install apps from the Mac App Store, or notary apps from recognized developers, you should be safe, but sticking to the Mac App Store is the safest option because the apps in the Mac App Store cannot be modified.

If you want to make sure your Mac can only install apps from the Mac App Store these are the steps to follow:

In Ventura:

1. Open System Settings.
2. Click on Privacy & Security.
3. Scroll down to Security and select App Store under Allow applications downloaded from.

In Monterey or earlier:

1. Open System Preferences.
2. Click on Security & Privacy.
3. Click on General.
4. Under Allow applications to be downloaded from the selected App Store.

If you want to allow installations from outside the Mac App Store follow the same steps but select App Store and identified developers from the options.

If you choose to allow installations from recognized developers then Apple will look for evidence that the app has been notarized and it will also verify that the app has not been tampered with and that no malware is present. Unfortunately in the past there were apps that got through this process because there was a certificate, as in the case of the Shlayer malware, but Apple has increased security since and changes to notarized apps are pushed when necessary.

If the Gatekeeper detects that the app does not have a notorization to prove that the developer is certified by Apple, a message saying that the app cannot be opened because of your settings will be displayed. If you know the software is from a legitimate developer you can override it and open the app. See: How to unlock a Mac app from an unknown developer. However, you should be aware that even legitimate software is known to harbor malware.

Even if the developer is recognized by Apple, the software will still be checked against a list of known XProtect malware. XProtect will scan an app the first time it launches and it will scan the app every time an update is issued for it.

XProtect updates are pushed regularly and macOS automatically checks for updates every day—a Mac user doesn’t need to do anything because these updates are separate from macOS updates. This means that even the latest malware should be recognized by XProtect, although Apple is not always as fast in getting this information updated as other antivirus solutions. Check out our round up of the Best Antivirus for Mac, featuring Intego as our number one pick.

If malware is detected the app will be blocked and a message will appear giving the option to remove the software.

To take full advantage of XProtect you need to be running macOS Catalina (10.15) or later, but we advise that, since Apple only supports the last three versions of macOS, it’s safer if you’re running Big Sur, Monterey and Ventura.

You should make sure your Mac is set to receive these updates automatically by following these steps:

In Ventura:

1. Open System Settings.
2. Go to General > Software Update.
3. Click the i next to Automatic updates and check that Install Security Responses and System Files is selected.

In Monterey or older:

1. Open System Preferences.
2. Click on Software Update.
3. Click on Advanced.
4. Make sure the box next to Install system data files and security updates is selected.

When malware is detected on a Mac the user will see an alert suggesting moving the affected app to the trash. The user is also asked to alert others to the malware, which they can do automatically. This does not mean that it is up to the user to uninstall the app and remove the malware though.

The removal is used to include a separate Malware Removal Tool (MRT) found in /Library/System, but it is not an app available to users. However, since macOS Monterey MRT has been replaced by an XProtect Remediator that scans and removes malware.

XProtect Remediator scans your Mac at least once a day or so, and is updated more frequently than MRT used to be—since MRT is no longer updated it’s a good reason to make sure it’s running. you’re on macOS Catalina or later.

XProtect Remediator will attempt to repair or remove the malware.

If an app is notified by Apple but the malware is known the developer will lose the certificate that allows them to distribute apps and the app will lose its notarization.

This notarization change is then pushed to other Mac users so Gatekeeper knows not to allow the app to open.

macOS checks for XProtect updates daily, but Notarization updates are issued more frequently, so if malware is found, or a Notarization app is missing, Mac users should be protected immediately.

If Mac users only rely on XProtect and other Apple protections there are limitations compared to other anti-malware solutions, which are constantly updated and have teams of specialists working on detection of malware.

The protection offered by XProtect is also more basic than third-party anti-malware apps that can also protect you from phishing, social networking scams, and it can protect your Windows using friends. We’ve made various recommendations in our testing of the top Mac antivirus apps.

XProtect is updated more frequently than before—which is one of the main criticisms—but other malware apps check for malware regularly. XProtect only checks for malware when an app is downloaded for the first time, when the app is updated and when the developer signature or app notarization status changes.

Apple’s protections are supposed to keep your Mac free from most harmful software, but they can’t impossible for malicious software to be installed on your Mac. If new malware is released today and you download and run it now you may do so before Apple’s databases are updated. That’s why it’s always best to be smart about downloading software from unknown sources.

As we argue in a separate article: Macs need antivirus software despite Apple’s macOS protections.