How to Check Your Mac for Malware (Free Methods)

Most Mac users think they're immune to malware. I get it — I used to think the same thing until I started building security software and realized how wrong we all were.

The truth is, Mac malware has exploded over the past few years. We're talking about adware that hijacks your browser, cryptominers that slow your machine to a crawl, and info stealers that grab your passwords. The good news? You can check your Mac for malware free using tools Apple already gives you, plus a few others that won't cost you a dime.

I always tell people: before you install any security tool, learn to use Activity Monitor. It won't catch everything, but it teaches you what "normal" looks like on your machine — and that's half the battle.

Start with Activity Monitor — Your First Line of Defense

Activity Monitor is sitting right there in your Applications > Utilities folder, and honestly, it's more powerful than most people realize. When I was testing CoreLock's process scanner, I learned more about macOS internals in three months than I did in years of using a Mac.

Fire up Activity Monitor and switch to the CPU tab. Sort by CPU usage and look for processes you don't recognize eating up resources. Here's what you're hunting for:

Processes with weird names like "com.apple.something.random" that aren't actually from Apple. Real Apple processes usually have predictable names. Anything mining cryptocurrency will show up here too — those processes are CPU hogs by design.

Click on the Memory tab next. Malware often consumes unusual amounts of RAM. If you see something using 500MB+ and you've never heard of it, that's worth investigating.

The Network tab shows which processes are talking to the internet. This is gold for spotting data thieves. Look for processes sending lots of data that shouldn't be — your calculator app probably doesn't need a constant internet connection.

Here's the thing though: Activity Monitor won't tell you if a process is malicious. It just shows you what's running. You'll need to do some detective work from here.

Dig into Launch Agents and Daemons

Malware loves to install itself as a launch agent or daemon so it starts automatically when you boot your Mac. Let's check the usual hiding spots.

Open Terminal (Applications > Utilities) and run these commands:

ls -la ~/Library/LaunchAgents/

This shows launch agents for your user account. Look for .plist files you don't recognize. Common malware names include anything with "search", "adware", or random strings of letters.

ls -la /Library/LaunchAgents/

This checks system-wide launch agents. Same deal — look for suspicious names.

ls -la /Library/LaunchDaemons/

Daemons run with higher privileges, so this is where the nastier stuff hides.

If you find something suspicious, you can examine the .plist file:

cat ~/Library/LaunchAgents/suspicious-file.plist

Look for programs that launch from weird locations like /tmp/ or directories with random names. Legitimate software usually lives in /Applications/ or /usr/bin/.

To be fair, this is probably overkill for most people. But if you're dealing with persistent malware that keeps coming back, this is where you'll find it.

Check Your Browser Extensions

Browser hijackers are everywhere on Mac now. They slip in through sketchy downloads and completely take over your browsing experience.

Chrome: Go to chrome://extensions/ in your address bar. Look for extensions you didn't install, especially ones that mention search, homepage, or new tab functionality. How to check mac for malware free often starts with cleaning up your browser.

Safari: Open Safari > Settings > Extensions. Same principle — anything you don't remember installing should go.

Firefox: Type about:addons in the address bar. Firefox users tend to be more careful, but malware doesn't discriminate.

Remove anything suspicious immediately. Don't just disable it — remove it completely. Some of these extensions are surprisingly sophisticated and can re-enable themselves.

Examine Login Items and Background Apps

System Settings > General > Login Items shows apps that start when you log in. This is low-hanging fruit for malware detection.

Look through both the "Open at Login" and "Allow in the Background" sections. Remove anything you don't recognize or don't need starting automatically.

The terminal isn't scary once you get past the initial learning curve. I wrote my first security script in about 20 minutes, and it caught something that a paid antivirus missed completely.

Here's a command that shows what's set to start at login from the terminal:

osascript -e 'tell application "System Events" to get the name of every login item'

Cross-reference this with what you see in System Settings. Sometimes malware hides login items that don't show up in the GUI.

Use MalwareBytes for Mac (Free Version)

MalwareBytes offers a free Mac scanner that's surprisingly effective. It's not real-time protection — that costs money — but the free scan catches a lot of Mac-specific threats.

Download it from malwarebytes.com (not from any other site — there are fake versions floating around). Run a full scan and let it do its thing. It takes about 20-30 minutes on most Macs.

MalwareBytes is particularly good at finding adware and potentially unwanted programs (PUPs) that other scanners miss. It also cleans up browser hijackers automatically, which saves you time.

Terminal Commands for Deeper Investigation

If you want to get nerdy about it, here are some terminal commands that can reveal hidden malware:

sudo lsof -i -P -n | grep LISTEN

This shows all processes listening for network connections. Look for ports you don't recognize or processes that shouldn't be acting as servers.

ps aux | head -20

Lists the top 20 processes by CPU usage. Different view than Activity Monitor, sometimes catches things that GUI missed.

find /Applications -name "*.app" -type d | sort

Lists all applications in your Applications folder. Look for apps you don't remember installing.

sudo fs_usage -w -f network | head -50

Shows real-time network activity. This is advanced stuff, but it's fascinating to see which apps are constantly phoning home.

To be honest, most people won't need these commands. But if you're dealing with sophisticated malware or you're just curious about what your Mac is doing, these give you incredible insight.

Check for Suspicious Network Activity

System Settings > Privacy & Security > Full Disk Access shows apps with complete access to your files. This is nuclear-level permission — only apps you absolutely trust should be here.

Look for anything suspicious in this list. Malware often tries to get Full Disk Access so it can steal your files or install itself deeper into the system.

While you're in Privacy & Security, check the other sections too. Location Services, Camera, Microphone — make sure you recognize everything that has access.

You can also use Little Snitch (free version available) to monitor network connections in real-time. It's overkill for casual users, but incredibly powerful if you want to see exactly what's talking to the internet.

What About XProtect and Gatekeeper?

Apple's built-in security systems — XProtect and Gatekeeper — are actually pretty decent. XProtect is Apple's antivirus that runs silently in the background. You can check its status with:

system_profiler SPInstallHistoryDataType | grep -i xprotect

This shows XProtect updates. If you haven't seen any in months, something might be wrong.

Gatekeeper prevents unsigned apps from running. Check its status:

spctl --status

It should say "assessments enabled". If it doesn't, someone (or something) disabled it.

Here's where it gets interesting though: these systems aren't perfect. They catch known malware but struggle with new threats or stuff that's technically not malware but still unwanted.

Run a Free CoreLock Security Scan

Tools like CoreLock can automate a lot of these manual checks we've been talking about. The free scan looks at running processes, network connections, login items, and browser extensions all in one go.

I'm obviously biased since I work on CoreLock, but the free scan feature genuinely saves time if you want a comprehensive check without running through all these terminal commands manually.

When Free Methods Aren't Enough

Honestly, free tools have limitations. They're great for detecting obvious threats and cleaning up your system, but they won't catch everything.

Advanced malware uses rootkit techniques to hide from basic detection. Some threats live entirely in memory and leave no trace on disk. Others mimic legitimate system processes so well that even experienced users miss them.

If you're dealing with persistent issues — random crashes, unexplained network activity, files disappearing — you might need professional help or paid security software with real-time protection.

This doesn't help if you're dealing with targeted attacks either. If someone's specifically going after you with custom malware, free tools probably won't cut it.

Regular Maintenance is Key

Here's the thing: checking for malware isn't a one-time deal. I'd recommend running through this process monthly, or whenever your Mac starts acting weird.

Keep your system updated — seriously, install those macOS updates. Most malware exploits known vulnerabilities that Apple has already patched.

Be careful what you download. The biggest source of Mac malware is still sketchy websites offering "free" versions of expensive software. If it seems too good to be true, it probably is.

Back up your important stuff regularly. Even if you never get infected, hardware fails. Time Machine or a cloud backup service will save you way more heartache than any antivirus ever will.

Most importantly, trust your instincts. If your Mac feels slower, if your browser keeps redirecting to weird sites, if you're seeing pop-ups you didn't see before — something's probably wrong. Don't ignore those warning signs.

The methods I've outlined here will catch the vast majority of Mac malware without spending a penny. They take some time and a bit of technical curiosity, but they're incredibly effective when used together. Your Mac will thank you for it.