
What a Free Mac Security Scan Actually Finds (Real Results)

Hassanain

I asked 50 people to download CoreLock and run the free scan on their Macs. No special setup, no configuration, just download and click scan. Then I collected the results.

What came back was genuinely surprising, even to me. And I built the thing.

Here is what a free Mac security scan actually finds on a real, everyday Mac.

What CoreLock's scan actually checks

Before we get into the results, it helps to understand what the scan does. CoreLock is not an antivirus. It does not scan your files looking for known malware signatures. Instead, it performs a security audit of your Mac's current state. Think of it as a health check rather than a virus hunt.

The scan looks at four main areas:

Processes. Every running process on your Mac gets identified, verified, and analyzed for suspicious behavior. CoreLock checks code signatures, looks for unusual resource usage, and flags anything that does not belong.

Permissions. Every privacy permission your Mac has granted gets audited. Camera, microphone, screen recording, full disk access, accessibility, input monitoring, and more. CoreLock identifies which apps have which permissions and whether those permissions make sense.

Network activity. CoreLock checks outbound connections to see what your Mac is talking to. It identifies the destination servers, flags connections to unusual or unknown endpoints, and maps which processes are responsible.

Behavioral analysis. Beyond just looking at snapshots, CoreLock watches for behavioral patterns that indicate something is wrong, things like processes that try to hide themselves, apps that phone home at unusual intervals, or permission usage that does not match what an app is supposed to do.

The whole scan takes under a minute on most Macs. You can learn more about each capability on the features page.

The results from 50 real Macs

These numbers are averages across the 50 Macs I collected results from. The machines ranged from brand new MacBook Airs to five-year-old iMacs. Some belonged to developers, some to designers, some to people who just use their Mac for email and browsing.

Camera and microphone access: way more than expected

The average Mac in our sample had 22 apps with camera access. The range was 8 to 41.

Most people, when I asked them beforehand, guessed they had maybe 5 to 10 apps with camera access. Every single person underestimated the real number. Several people did not believe their own results until they checked System Settings manually.

The microphone numbers were even higher. Average of 26 apps with microphone access. That makes sense because most apps that request camera access also request microphone access, and some audio-only apps add to the count.

If you want to understand why this matters and what to do about it, I wrote a detailed breakdown in 23 Apps on Your Mac Probably Have Camera Access Right Now.

Full disk access: the permission people forget about

On average, Macs in our sample had 5 apps with full disk access. That number sounds low until you realize what full disk access actually means. An app with this permission can read every file on your machine. Documents, photos, messages, browser history, everything.

At least 2 of those 5 apps, on average, no longer needed the permission. They were backup utilities that had been replaced, old antivirus tools that were uninstalled but whose permissions lingered, or developer tools that were used once for a specific project and never again.

The full disk access permission is one of the most powerful on macOS, and it deserves careful attention. Check out our full disk access guide for more on how to audit yours.

Running processes: the number that shocks everyone

The average Mac had 347 running processes. The lowest count was 189. The highest was 612.

Nobody guessed anywhere close to the real number. Most people assumed 20 to 30 things were running in the background. The actual number is at least ten times that.

Now, most of those processes are legitimate. macOS itself runs well over a hundred system processes just to keep the lights on. But buried in that list of 347 processes, the average Mac had 4 to 7 processes that CoreLock flagged for review. These were not necessarily malicious, but they were unusual enough to warrant attention.

Common flags included processes with missing or invalid code signatures, helper processes running from unexpected file paths, and processes consuming network bandwidth with no obvious reason. I covered this topic in depth in The Hidden Processes Running on Your Mac.

Outbound network connections: who is your Mac talking to?

This is where things got uncomfortable for a lot of participants. The average Mac was maintaining 23 active outbound connections at the time of the scan.

Most of those were to expected servers: Apple, Google, Microsoft, Cloudflare, CDN providers. But on average, each Mac had 3 to 5 connections to servers that the user could not identify or explain. These were not necessarily malicious, but the users had no idea they were happening.

In several cases, these turned out to be analytics services baked into apps, telemetry data being sent by developer tools, or cloud sync features that the user had forgotten they enabled. In two cases across the 50 machines, the connections were genuinely suspicious and warranted further investigation.
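One way to reproduce this mapping of connections to processes by hand (an added example, not CoreLock's code): parse the output of `lsof -nP -iTCP -sTCP:ESTABLISHED`, drop loopback traffic, and group every remote endpoint outside an expected-network list by the process that owns it. The sample output is constructed, and the allowlist passed in (Apple's 17.0.0.0/8 block) is an assumption you would extend for your own machine.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of `lsof -nP -iTCP -sTCP:ESTABLISHED`; not a real capture.
SAMPLE = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Safari      612 sam    23u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP 192.168.1.20:52110->17.253.144.10:443 (ESTABLISHED)
node       1450 sam    31u  IPv4 0x1a2b3c4d5e6f7082      0t0  TCP 127.0.0.1:3000->127.0.0.1:52200 (ESTABLISHED)
helperd    2231 sam     9u  IPv4 0x1a2b3c4d5e6f7083      0t0  TCP 192.168.1.20:52301->203.0.113.45:8443 (ESTABLISHED)
helperd    2231 sam    11u  IPv6 0x1a2b3c4d5e6f7084      0t0  TCP [2001:db8::20]:52302->[2001:db8:ffff::9]:443 (ESTABLISHED)
"""

def parse_established(lsof_text):
    """Yield (command, pid, remote_ip, remote_port) for each established TCP socket."""
    for line in lsof_text.splitlines()[1:]:            # skip the header row
        parts = line.split()
        if len(parts) < 10 or parts[9] != "(ESTABLISHED)" or "->" not in parts[8]:
            continue
        remote = parts[8].split("->", 1)[1]
        host, port = remote.rsplit(":", 1)             # IPv6 hosts arrive as [addr]
        yield parts[0], int(parts[1]), ipaddress.ip_address(host.strip("[]")), int(port)

def unexplained(lsof_text, expected):
    """Group remotes outside the expected networks by (command, pid)."""
    nets = [ipaddress.ip_network(n) for n in expected]
    found = defaultdict(list)
    for cmd, pid, ip, port in parse_established(lsof_text):
        if ip.is_loopback:
            continue                                   # local IPC, not outbound traffic
        if not any(ip.version == n.version and ip in n for n in nets):
            found[(cmd, pid)].append((str(ip), port))
    return dict(found)

if __name__ == "__main__":
    # Hypothetical allowlist: only Apple's address block counts as expected here.
    for (cmd, pid), remotes in unexplained(SAMPLE, ["17.0.0.0/8"]).items():
        print(f"{cmd} (pid {pid}): {remotes}")
```

On a real Mac, feed the function the text captured from that `lsof` command; each flagged pair is a starting point for review, not a verdict.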

Stale permissions: the ghost of apps past

This was the finding I personally found most interesting. The average Mac had 6 stale permissions, permissions granted to apps that were no longer installed or no longer running.

macOS does not automatically revoke permissions when you uninstall an app. If you dragged an app to the Trash six months ago, its camera access, microphone access, and accessibility permissions might still be sitting there, active and waiting. If you ever reinstall that app, or if anything takes over that app's bundle identifier, it inherits all those old permissions instantly.

The worst case in our sample was a Mac with 14 stale permissions from apps the user had uninstalled over the past two years.
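The stale-permission check described above can be expressed as a query over the TCC permission database; this is an added example, not CoreLock's implementation. It assumes the `access` table layout used by recent macOS releases (`service`, `client`, `client_type`, `auth_value`, where `auth_value` 2 means allowed) and runs against a constructed in-memory copy with made-up bundle identifiers.

```python
import sqlite3

# Human-readable names for the TCC services this page discusses.
SERVICES = {
    "kTCCServiceCamera": "camera",
    "kTCCServiceMicrophone": "microphone",
    "kTCCServiceAccessibility": "accessibility",
    "kTCCServiceSystemPolicyAllFiles": "full disk access",
    "kTCCServiceScreenCapture": "screen recording",
    "kTCCServiceListenEvent": "input monitoring",
}

def stale_grants(conn, installed_ids, path_exists):
    """Return (client, permission) pairs that are allowed but whose app is gone."""
    rows = conn.execute(
        "SELECT service, client, client_type FROM access "
        "WHERE auth_value = 2 ORDER BY client, service"   # 2 = allowed
    )
    stale = []
    for service, client, client_type in rows:
        # client_type 0: client is a bundle identifier; 1: an absolute path.
        present = client in installed_ids if client_type == 0 else path_exists(client)
        if not present:
            stale.append((client, SERVICES.get(service, service)))
    return stale

def sample_db():
    """Constructed sample rows, not taken from a real Mac."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access "
                 "(service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceCamera", "com.example.videochat", 0, 2),
        ("kTCCServiceMicrophone", "com.example.videochat", 0, 2),
        ("kTCCServiceCamera", "com.example.oldrecorder", 0, 2),       # app uninstalled
        ("kTCCServiceAccessibility", "com.example.oldnotes", 0, 2),   # app uninstalled
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/oldbackup", 1, 2),  # binary removed
        ("kTCCServiceCamera", "com.example.denied", 0, 0),            # denied, so ignored
    ])
    return conn

if __name__ == "__main__":
    installed = {"com.example.videochat"}   # hypothetical set of installed bundle IDs
    for client, perm in stale_grants(sample_db(), installed, lambda p: False):
        print(f"stale: {client} still has {perm}")
```

The real databases live at `~/Library/Application Support/com.apple.TCC/TCC.db` (per user) and `/Library/Application Support/com.apple.TCC/TCC.db` (system-wide), and the process reading them needs Full Disk Access. The set of installed identifiers would come from the `CFBundleIdentifier` in each app bundle's `Info.plist`.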

The surprises that caught people off guard

Beyond the numbers, there were some findings that consistently surprised people.

Accessibility permissions that make no sense

The accessibility permission is enormously powerful. It lets an app control your Mac, simulate keyboard input, read the contents of any window, and monitor your actions. It is essential for screen readers and certain productivity tools, but multiple Macs in our sample had accessibility access granted to apps like note-taking tools, weather apps, and file managers that have no legitimate need for it.

These apps request accessibility access during installation, and users click Allow because they do not understand what the permission does. Then the permission sits there forever.

Login items from years ago

CoreLock's scan found that the average Mac had 8 login items, apps or processes that start automatically when you log in. Some of these were from software the user installed years ago and no longer uses.

One participant had a login item from an app they installed in 2022, used twice, and forgot about. It had been starting silently every single day for four years, running in the background, using resources, and maintaining an outbound connection to its developer's servers.
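Leftover auto-start entries like this one can be found by checking whether each entry's executable still exists. The following added example (not CoreLock's code) covers only launchd agent plists, one of several ways software registers to start at login, and runs against constructed sample files in a temporary directory.

```python
import plistlib
import tempfile
from pathlib import Path

def audit_launch_agents(agent_dir):
    """Return (label, program, status) for each launchd plist, sorted by file name."""
    findings = []
    for plist_path in sorted(Path(agent_dir).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                job = plistlib.load(fh)              # handles XML and binary plists
        except Exception:
            findings.append((plist_path.name, None, "unreadable"))
            continue
        # launchd runs Program if set, otherwise the first ProgramArguments entry.
        target = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
        if target is None:
            status = "no-program"
        elif not Path(target).exists():
            status = "orphaned"                      # app removed, agent left behind
        elif job.get("RunAtLoad") or job.get("KeepAlive"):
            status = "starts-at-login"
        else:
            status = "on-demand"
        findings.append((job.get("Label", plist_path.stem), target, status))
    return findings

def build_sample(root):
    """Write constructed sample agents under root; nothing here is from a real Mac."""
    root = Path(root)
    live = root / "syncd"
    live.write_text("#!/bin/sh\n")
    gone = str(root / "gone" / "oldtool")            # executable that no longer exists
    jobs = {
        "com.example.sync": {"Program": str(live), "RunAtLoad": True},
        "com.example.oldtool": {"ProgramArguments": [gone, "--bg"], "RunAtLoad": True},
    }
    for label, job in jobs.items():
        with open(root / f"{label}.plist", "wb") as fh:
            plistlib.dump({"Label": label, **job}, fh)
    (root / "broken.plist").write_text("not a plist")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for label, target, status in audit_launch_agents(build_sample(tmp)):
            print(f"{status:16} {label} -> {target}")
```

On a Mac, point `audit_launch_agents` at `~/Library/LaunchAgents` or `/Library/LaunchAgents`; entries reported as `orphaned` are candidates for removal.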

Background processes that phone home

Several Macs had processes that were periodically sending data to remote servers without any user-visible activity. These were not malware. They were legitimate apps with built-in analytics, crash reporting, and update checking. But the users had no idea this was happening, and in most cases, they would have preferred it was not.

The issue is not that these apps are doing something evil. The issue is that you have no visibility into what is happening on your own machine unless you actively go looking for it.

What the scan does not find

I want to be clear about the boundaries. CoreLock's scan is a security audit, not antivirus software. Here is what it does not do:

It does not scan files for malware signatures. If you have a malicious file sitting in your Downloads folder that has never been executed, CoreLock will not find it. Traditional antivirus tools are built for that.

It does not check for phishing or social engineering. CoreLock analyzes your Mac's security posture, not your email inbox or browser history.

It does not monitor in real time during the free scan. The free scan is a point-in-time snapshot. CoreLock's real-time monitoring and alerts are part of the full version.

What the scan does is give you complete visibility into what your Mac is doing right now. Running processes, granted permissions, network connections, and behavioral anomalies. It is the layer of visibility that macOS does not give you natively.

How to act on your results

After you run the scan, you will get a report organized by severity. Here is how I recommend working through it.

Start with the red flags. Anything CoreLock marks as high severity deserves immediate attention. These are things like unsigned processes, suspicious network connections, or permissions that clearly do not belong.

Clean up stale permissions. This is the easiest win. Go through any permissions flagged as stale and revoke them. There is zero downside to removing a permission for an app you no longer use.

Review accessibility and full disk access. These are the two most powerful permissions on macOS. If an app has either of these and you are not sure why, revoke the access. If the app truly needs it, it will ask again.

Check your login items. Remove anything you do not recognize or no longer use. Your Mac will boot faster and run cleaner.

Investigate flagged processes. For any process CoreLock flags, take a moment to understand what it is. The report gives you the process name, file path, and an explanation. If something looks wrong, research it further.

Run the scan yourself

The numbers I shared are averages. Your Mac will have its own story. Maybe you are unusually careful about permissions and your results will be clean. Maybe you have been using the same Mac for five years without ever auditing your security settings and the results will be a wake-up call.

Either way, the scan is free, takes under a minute, and does not require any configuration. Download CoreLock, click scan, and see what is actually happening on your Mac.

Download CoreLock free and run your first scan. The results might surprise you.
