How to Check Your Mac for Malware in 2026 (Free Methods)

You can check your Mac for malware free using built-in macOS tools, Terminal commands, and lightweight scanners — no paid subscription required. Your Mac already runs silent malware checks in the background, but they miss things. Adware, browser hijackers, and persistence scripts slip through all the time. Here is exactly how to check, step by step, using methods that actually work.

What macOS Already Does for You

Before you install anything, it is worth understanding the security your Mac already has. Apple ships three layers of protection that run without you doing anything:

XProtect is Apple's built-in signature-based malware scanner. It checks apps when you first launch them, and Apple updates its signature database silently in the background. As of macOS Sequoia, XProtect also runs periodic scans of your system — not just on launch. It is genuinely good at catching known threats.

Gatekeeper verifies that apps are signed by identified developers or distributed through the App Store. If you try to open an unsigned app, Gatekeeper blocks it and shows a warning. This prevents a lot of drive-by installs from sketchy download sites.

MRT (Malware Removal Tool) runs automatically after XProtect signature updates and removes known malware it finds. You never see it work — it just quietly cleans up in the background.

Here is the honest truth: these tools are solid against known, cataloged malware. But they are reactive, not proactive. A brand-new adware variant, a malicious browser extension, or a persistence script dropped into your LaunchAgents folder can sit there for weeks before Apple's signatures catch up. That gap is why manual checking still matters.

How to Check Your Mac for Malware Free — Manual Methods

These methods cost nothing and catch things that XProtect misses.

Check Activity Monitor for Suspicious Processes

Open Activity Monitor (search for it in Spotlight with Cmd+Space). Click the CPU tab and sort by CPU usage. Look for processes you do not recognize that are consuming significant resources.

Red flags to watch for:

• Processes with generic names like "helper," "updater," or random strings of characters
• Anything using high CPU while your Mac is idle
• Processes from unknown developers (right-click a process and choose "Open Files and Ports" to investigate)

If you spot something unfamiliar, do not just kill it — search the process name online first. Some legitimate macOS processes have odd names. But if Google results link it to adware or malware, you have found your problem.

Inspect LaunchAgents and LaunchDaemons

This is where most Mac malware hides. LaunchAgents and LaunchDaemons are folders containing .plist files that tell macOS to run programs automatically at login or startup. Legitimate apps use them, but so does malware.

Check these four directories:

• ~/Library/LaunchAgents/ — per-user agents (most common malware location)
• /Library/LaunchAgents/ — system-wide agents
• /Library/LaunchDaemons/ — system-wide daemons (requires admin)
• /System/Library/LaunchDaemons/ — Apple's own (do not touch these)

Open Finder, press Cmd+Shift+G, and paste each path. Look at the .plist files inside. Legitimate entries come from companies you recognize — Adobe, Microsoft, Spotify. Anything with a random-looking identifier like com.xzjk84.helper.plist or a company name you have never heard of deserves investigation.

Audit Your Browser Extensions

Browser extensions are the most overlooked malware vector on macOS. Open your browser's extension settings:

• Safari: Safari menu > Settings > Extensions
• Chrome: chrome://extensions
• Firefox: about:addons

Remove anything you did not intentionally install. Pay special attention to extensions that request access to "all websites" or "browsing history." If an extension appeared without you installing it, that is a strong indicator of adware.

The Terminal Method (for Technical Users)

Terminal gives you deeper visibility than the GUI tools. Open Terminal from Applications > Utilities.

List All LaunchAgents

ls -la ~/Library/LaunchAgents/
ls -la /Library/LaunchAgents/
ls -la /Library/LaunchDaemons/

This shows every persistence mechanism on your system along with file dates. Recently added files that you did not install are suspicious.

Verify App Code Signatures

Check whether an application has a valid Apple code signature:

codesign -v /Applications/SomeApp.app

If the app is properly signed, you will see no output (silence means valid). If it fails verification, you will see an error like a seal or signature was invalid. Unsigned or tampered apps are worth investigating further.

You can also check what team signed an app:

codesign -dv /Applications/SomeApp.app 2>&1 | grep "Authority"

Check for Suspicious Cron Jobs

Malware sometimes uses cron jobs for persistence:

crontab -l

If you see entries you did not create, especially ones running scripts from /tmp/ or other unusual locations, those need attention.

Inspect Open Network Connections

See what your Mac is talking to right now:

lsof -i -P | grep ESTABLISHED

This lists all active network connections. Look for processes connecting to IP addresses or domains you do not recognize. If a process you have never heard of is phoning home to an unknown server, that is a red flag.

How to Scan Your Entire Mac at Once

Manual checks are thorough, but they take time and require you to know what to look for. A full-system scan catches things faster.

ClamAV is a free, open-source antivirus engine you can install via Homebrew:

brew install clamav
freshclam
clamscan -r --bell -i /

ClamAV is legitimate and widely used on servers. The downside: it is command-line only, the scan is slow, and it does not offer real-time protection. It also produces false positives on occasion. But it is free, open-source, and trustworthy.

CoreLock takes a different approach. It is a lightweight Mac app that scans your entire system in under a minute — checking running processes, persistence mechanisms, network connections, browser extensions, and file signatures all at once. It flags suspicious activity in plain English instead of cryptic log output. The free version covers a full scan with no time limits or feature walls.

Both tools complement what Apple's built-in protections already do. The right choice depends on whether you prefer a GUI or the command line.

What to Do If You Find Malware

If any of the methods above turn up something suspicious, do not panic. Most Mac malware is adware or potentially unwanted programs — annoying but not catastrophic. Here is the playbook:

1. Do not just delete the file. Malware with persistence mechanisms will reinstall itself. You need to remove the LaunchAgent/LaunchDaemon .plist file *and* the binary it points to.

1. Check the .plist file first. Open it in a text editor and look for the ProgramArguments key. That tells you exactly what executable the agent is running and where it lives on disk.

1. Remove both pieces. Delete the .plist file from LaunchAgents/LaunchDaemons and delete the executable it referenced. Then restart your Mac.

1. Clear browser state. If the malware was a browser hijacker, reset your browser's homepage, default search engine, and remove any extensions you did not install.

1. Change passwords. If you found anything that was logging keystrokes or had network access to unknown servers, change your important passwords from a different device as a precaution.

For a full walkthrough with screenshots, read our step-by-step malware removal guide.

Signs Your Mac Might Be Infected

Sometimes you do not find malware by scanning — you notice symptoms first. If your Mac is showing any of these behaviors, it is worth running the checks above:

• Browser redirects. You search Google but end up on a different search engine, or you see extra ads injected into pages that should not have them.
• Sluggish performance. Your Mac is slow even after a restart, with Activity Monitor showing high CPU from unfamiliar processes.
• Apps you did not install. New applications in your Applications folder or Dock that you never downloaded.
• Pop-ups outside the browser. Notifications or windows appearing from apps you do not recognize, especially ones warning you about viruses (ironic, but common with scareware).
• Changed settings. Your homepage, default search engine, or DNS settings were modified without you doing it.

We wrote a deeper breakdown of these warning signs: 5 signs your Mac might be compromised.

Bottom Line

You do not need to pay for antivirus software to check your Mac for malware. Between macOS built-in protections, manual inspection of LaunchAgents and processes, Terminal commands, and free scanning tools, you have everything you need.

The key is actually checking. Most people never look at their LaunchAgents folder or audit their browser extensions. The malware that persists on Macs does so because nobody looks for it — not because it is sophisticated.

If you want the fastest path to an answer, CoreLock scans your Mac in 47 seconds and tells you exactly what it finds. Free, no credit card, no account required. Or use the manual methods above — either way, you will know where you stand.

For more free tools and how they compare, check out our roundup of the best free Mac security tools in 2026.