How can I remove malware from my Mac? I think I picked up something nasty. Should I have installed antivirus on my Mac to stop this kind of thing?
Malware (malicious software) is the scourge of the software world, but (thankfully) it's rarely found on macOS or Mac OS X. Mac malware does exist, though, and every so often a new piece of Mac malware hits the headlines and scares Mac owners senseless.
One such headline concerns an attack known as KeRanger, believed to be the first ransomware attack on Mac users. (Ransomware is one specific form of malware that has historically been a problem for PC owners, not Mac owners. More on this below.) KeRanger recently affected Macs via a popular BitTorrent client called Transmission. If you're worried about the Transmission KeRanger attack, or about ransomware in general, we have specific information to help.
We run through some cases of viruses and trojans in this article: Do Macs get viruses?
In this article we are going to look at the following:
- What is malware
- How to remove malware
- What is ransomware
- How to remove ransomware
- What are phishing emails and how to avoid them
- How to protect your Mac from malware in the future
- Should you install antivirus software on a Mac?
Apple is extremely adept at issuing security updates that remove Mac malware as it is discovered. But many people wisely learn how to spot macOS malware and how to remove it for free. This is what we'll be covering in this article. Read next: Tips for macOS Sierra.
The first thing to know is that the Mac malware we're talking about here behaves differently from a virus or worm. (Strictly speaking "malware" is the umbrella term for all malicious software, viruses included; what Mac users actually tend to meet is a trojan, a malicious program disguised as a legitimate one.)
This kind of malware doesn't attempt to get into your machine without your knowledge. Perhaps you see an advertisement on a website, or you receive an email; either way, it tricks you into installing it as you would any other program, and once installed it starts to gather information about you. In most instances it wants your credit card or banking details, which it passes on to the criminals at the other end.
Where things get tricky is that much Mac malware pretends to be the very thing you would use to get rid of it: it masquerades as antivirus or anti-malware software. There is no definitive list of macOS malware, but the names that appear in the removal steps below, MacDefender, MacSecurity and MacProtector, are the ones to watch out for.
So, to be clear: these are the names of programs you should be avoiding, not installing.
The way this scam works is that an attacker compromises a legitimate website so that it redirects you to a fake website, which pretends to scan your Mac and "finds" malicious software. It then convinces you to download a program to check for the malware and to enter your Apple ID and password to install it: that program is itself the malware.
Over time it will pretend to scan your Mac, pretend to find problems, and try to get you to enter your credit-card details to fix them. If you enter your credit-card details they are passed on to scammers who try to take money from your account.
This point is important. You should never pay a program that has just "found" problems on your Mac to remove them, and you shouldn't pay anyone to remove malware. In fact, we'd go so far as to suggest that if you don't know what you're doing, you don't put your credit-card details into any program or website that claims to be able to fix your computer.
Also, while we're at it: if somebody phones you up claiming they have spotted malicious software on your computer and tries to convince you to hand over your bank details, put the phone down. It's a variation on the theme.
You don't need to pay for antivirus software on the Mac. Many trusted antivirus providers offer a free service for home users and charge businesses for an antivirus service. The important thing, though, is not to jump for your credit card when faced with a program on your Mac that claims to have found problems. The program itself could be the problem.
What to do when a website says you have malicious software on Mac? If you are browsing a website and it claims to have detected malicious software, malware, or a virus (or simply states it has "detected problems" with your Mac), then follow these steps:
- If you're in Safari (or another web browser) and get a warning about malicious software, a virus, or "problems detected", quit Safari by choosing Safari > Quit. If Safari refuses to quit, force-quit it (Control-click the Safari icon in the Dock and choose Force Quit, or press Command-Option-Escape and pick Safari). If the same page comes back when you next open Safari, hold down Shift while launching it so the previous windows aren't reopened.
- Go to the Downloads folder and drag any installer files, or files that you don't recognise, to the Trash.
- Empty the Trash (Control-click the Trash icon and choose Empty Trash). If you've got this far without running the download you have dodged the problem: you haven't installed any software or handed over your credit-card details. We'd suggest you don't return to that website.
That's how to avoid falling into the trap of installing malware to remove malware, but how do you remove malware...
Here's what to do if you suspect you've already installed malware on your Mac, typically because a website claimed to have detected problems. Follow these steps to remove the software:
- If the app is open, note its name (it appears in the menu bar next to the Apple menu).
- Move or close the app window.
- Open Activity Monitor. It lives in the Utilities folder inside Applications; in the Finder, Command-Shift-U opens Utilities directly.
- From the View menu choose All Processes.
- Look for a process called MacDefender, MacSecurity or MacProtector, or for the name you noted in step 1.
- Select it, click the Quit Process button (top-left) and choose Quit; if the process won't go away, repeat and choose Force Quit.
- Quit Activity Monitor.
- Open the Applications folder and locate the app (called MacDefender, MacSecurity, MacProtector, or whatever name you noted).
- Drag the unwanted app to the Trash and empty the Trash.
- Finally, open System Preferences > Users & Groups > Login Items and remove the app if it is listed there, so that it doesn't start again the next time you log in.
You can find more advice on deleting malware from a Mac on the Apple Support website. If you're unsure whether you have deleted the malware from your Mac, then consider taking the Mac into an Apple Store and asking an Apple Genius to look at it. (See How to book an appointment with an Apple Genius.)
Read next: Best free Mac Apps
Unresponsive apps? Here's how to ctrl-alt-delete on a Mac, aka Force Quit on a Mac
Ransomware is a variation on malware that has become more prevalent in recent times. Until recently, OS X users were mercifully free of it, but a recent Mac attack known as KeRanger was distributed via the popular Transmission BitTorrent client. So now we have ransomware on the Mac to contend with.
Like other malware, ransomware infects your computer, but its purpose is more direct: it encrypts the files on your computer so you can't use them, then demands money to decrypt them. In the case of KeRanger, you'll be instructed to pay one Bitcoin (around $400) to a website on the Tor network to get your files back.
At the time of writing KeRanger is the only working example of Mac ransomware seen in the wild, so we discuss how to remove that below.
You are only at risk from KeRanger if you use the Transmission BitTorrent client. KeRanger snuck onto Macs via an update to Transmission.
The file, known as "OSX.KeRanger.A", was hidden in the Transmission 2.90 installer that appeared for download on the Transmission website between 4 and 5 March 2016. If you downloaded Transmission after the tainted build was pulled you should be safe: Apple has since revoked the developer certificate it was signed with, so Gatekeeper will refuse to open it, and has updated its XProtect system (part of File Quarantine) to block KeRanger.
You have no reason to be worried if you don't use Transmission, but if you do, you must upgrade to the latest version, Transmission 2.92, immediately. You'll find more information about KeRanger on the Transmission website.
Step 1: Find out if KeRanger has infected your Mac
If you're worried that KeRanger ransomware may have infected your Mac, here is how Palo Alto suggests you check for it:
1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either of these exists, the Transmission application is infected, and we suggest deleting this version of Transmission.
2. Using 'Activity Monitor', preinstalled in OS X, check whether any process named 'kernel_service' is running. If so, double-check the process, choose Open Files and Ports and check whether there is a file name like "/Users/<username>/Library/kernel_service". If so, the process is KeRanger's main process. We suggest terminating it with Quit > Force Quit.
3. After these steps, we also recommend users check whether the files .kernel_pid, .kernel_time, .kernel_complete or kernel_service exist in the ~/Library directory. If so, you should delete them.
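The three checks above, plus the two actions the earlier MacDefender procedure does by hand (force-quit a process by its name, delete the offending app), as a Terminal script. This is an added example, not code from the article, from Palo Alto, from Apple or from the Transmission project. It assumes `pgrep` and `pkill` are available (they are on OS X), and it takes the Library folder and the Transmission.app paths as arguments so the same functions can be pointed at a test folder or a mounted disk image rather than the live system.

```shell
#!/bin/sh
# Added example (not from the article, Palo Alto, Apple or Transmission).
# Terminal equivalent of the KeRanger checks, with paths as parameters.

# Names KeRanger drops into ~/Library (step 3 above).
KERANGER_LIBRARY_FILES=".kernel_pid .kernel_time .kernel_complete kernel_service"

# Step 1: a General.rtf inside the Resources folder marks the trojanised
# Transmission 2.90 build. $1 = path to a Transmission.app bundle.
keranger_tainted_bundle() {
    [ -f "$1/Contents/Resources/General.rtf" ]
}

# Step 2: is a process with exactly this name running? pgrep -x matches the
# whole name, so "kernel_service" will not match Apple's "kernel_task".
process_running() {
    pgrep -x "$1" >/dev/null 2>&1
}

# Force-quit every process with exactly this name (the same SIGKILL that
# Activity Monitor's Quit > Force Quit sends). Works for MacDefender too.
force_quit() {
    pkill -9 -x "$1" 2>/dev/null || true
}

# Scan: $1 = a user's Library folder; remaining args = Transmission.app paths.
# Prints one line per indicator found; exit status 1 if anything was found.
keranger_scan() {
    lib="$1"; shift
    found=0
    for bundle in "$@"; do
        if keranger_tainted_bundle "$bundle"; then
            printf 'TAINTED BUNDLE: %s\n' "$bundle"; found=1
        fi
    done
    for name in $KERANGER_LIBRARY_FILES; do
        if [ -e "$lib/$name" ]; then
            printf 'DROPPED FILE: %s\n' "$lib/$name"; found=1
        fi
    done
    if process_running kernel_service; then
        printf 'RUNNING PROCESS: kernel_service\n'; found=1
    fi
    return $found
}

# Clean-up with the same arguments: kill kernel_service, delete the dropped
# files, and remove only bundles that actually carry the indicator, so a
# clean Transmission install is left alone.
keranger_clean() {
    lib="$1"; shift
    force_quit kernel_service
    for name in $KERANGER_LIBRARY_FILES; do
        [ -e "$lib/$name" ] && rm -f "$lib/$name"
    done
    for bundle in "$@"; do
        keranger_tainted_bundle "$bundle" && rm -rf "$bundle"
    done
    return 0
}

# Only touch the live system when asked: sh keranger_check.sh --scan | --clean
case "${1:-}" in
    --scan)  keranger_scan  "$HOME/Library" /Applications/Transmission.app /Volumes/Transmission/Transmission.app ;;
    --clean) keranger_clean "$HOME/Library" /Applications/Transmission.app /Volumes/Transmission/Transmission.app ;;
esac
```

Run the scan first and read its output; only run `--clean` once you have seen the tainted bundle listed, since `keranger_clean` deletes the Transmission.app it is pointed at when the General.rtf indicator is present.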
Step 2: What to do if KeRanger has encrypted files on your Mac
Advice on how to recover an encrypted Mac is thin. Our understanding is that you will not be able to decrypt the files yourself, so the best option is to wipe the Mac, reinstall OS X from scratch and then restore your files from a backup made before the infection. Keep that backup drive disconnected from the infected Mac until it has been wiped.
The other option would be to pay the ransom, although we don't recommend this. There's no guarantee that you'll get your files decrypted (or that they won't simply be encrypted again at a later date).
The third choice, if you have no backup, is to wipe OS X and start again from scratch, losing your files in the process. This isn't a good option, we know, but wiping the Mac is the only way to be sure you no longer have KeRanger on your machine.
Macs are very secure against viruses and worms that attack the machine directly, but many Mac attacks succeed by exploiting human errors - convincing users to click a link in an email, and then download and run the malware themselves.
Phishing, where criminals attempt to trick you out of everything from your password to your credit card details, is a constant threat. You might think that you, and those you know, aren't foolish enough to fall for a fake email. But can you be sure? And can you be sure that your parents wouldn't respond to what looks like a legitimate email from HMRC about a tax refund they are owed?
Is the email from someone you know? That doesn't necessarily mean it is safe. You may receive an email from a colleague, and it may even include that person's usual signature. Inside the email is an attachment with a note saying it is something you should read. To download the attachment you have to enter your email address and password, and hey presto, the attackers are in your email too.
There's more advice about avoiding phishing attacks here: How to stop your parents opening and responding to phishing emails
Now that you've checked and removed any malware from your Mac, you may want to ensure that your Mac doesn't get any malicious software in the future.
Here are some tips to follow to ensure you don't get any more malware:
- Ensure your Mac is up to date. Open the App Store app and click Update All.
- Turn on automatic updates. Open System Preferences and click App Store and select the option Automatically Check for Updates. Make sure both Install OS X Updates and Install System Data Files and Security Updates are also both selected.
- Make sure the Mac only allows apps from trusted developers. Open System Preferences > Security & Privacy > General. Check that the option under "Allow apps downloaded from" is set to either "Mac App Store" or "Mac App Store and identified developers". If it is set to "Anywhere", click the lock icon, enter your password, and change it to one of the other two settings.
- Get your software from the Mac App Store or from developers you know and trust.
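The tips above as a Terminal audit, so you can check the same settings without clicking through System Preferences. This is an added example, not from the article or from Apple. It assumes that `spctl --status` prints "assessments enabled" for both safe Gatekeeper settings and "assessments disabled" for Anywhere, and that the App Store preference pane stores the update options under the `com.apple.SoftwareUpdate` and `com.apple.commerce` keys named in the code (as it did on El Capitan and Sierra). The report function takes the raw values as arguments so the logic can be checked on any machine; `audit_mac` gathers the real values on a Mac.

```shell
#!/bin/sh
# Added example (not from the article or Apple): Terminal audit of the
# Gatekeeper and Software Update settings recommended above.

# Interpret `spctl --status` output. Returns 0 when Gatekeeper is enforcing
# (Mac App Store, or Mac App Store and identified developers).
gatekeeper_enforcing() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# `defaults read <domain> <key>` prints 1 for an enabled boolean; a key that
# was never set prints nothing (plus an error on stderr), which counts as off.
pref_on() {
    [ "$1" = "1" ]
}

# Build the report from raw values. Arguments:
#   $1 spctl --status output        $2 AutomaticCheckEnabled
#   $3 AutomaticDownload            $4 ConfigDataInstall
#   $5 CriticalUpdateInstall        $6 AutoUpdateRestartRequired (OS X updates)
# Prints one OK/FIX line per setting; exit status 1 if anything needs fixing.
audit_report() {
    rc=0
    if gatekeeper_enforcing "$1"; then
        echo "OK   Gatekeeper is on (only App Store or signed apps open by default)"
    else
        echo "FIX  Gatekeeper is set to Anywhere; run: sudo spctl --master-enable"; rc=1
    fi
    if pref_on "$2"; then echo "OK   Automatically check for updates"
    else echo "FIX  Automatic update check is off"; rc=1; fi
    if pref_on "$3"; then echo "OK   Download newly available updates in the background"
    else echo "FIX  Automatic download of updates is off"; rc=1; fi
    if pref_on "$4" && pref_on "$5"; then
        echo "OK   Install system data files and security updates (XProtect, Gatekeeper revocations)"
    else
        echo "FIX  System data files and security updates are off"; rc=1
    fi
    if pref_on "$6"; then echo "OK   Install OS X updates"
    else echo "FIX  OS X updates are not installed automatically"; rc=1; fi
    return $rc
}

# Gather the real values on a Mac. The final `softwareupdate -l` lists any
# updates still pending, the Terminal form of the App Store's Update All
# (install them with: sudo softwareupdate -ia).
audit_mac() {
    su="/Library/Preferences/com.apple.SoftwareUpdate"
    audit_report "$(spctl --status 2>&1)" \
        "$(defaults read "$su" AutomaticCheckEnabled 2>/dev/null)" \
        "$(defaults read "$su" AutomaticDownload 2>/dev/null)" \
        "$(defaults read "$su" ConfigDataInstall 2>/dev/null)" \
        "$(defaults read "$su" CriticalUpdateInstall 2>/dev/null)" \
        "$(defaults read /Library/Preferences/com.apple.commerce AutoUpdateRestartRequired 2>/dev/null)"
    softwareupdate -l
}

# Only query the live system when asked: sh mac_update_audit.sh --run
case "${1:-}" in
    --run) audit_mac ;;
esac
```

A FIX line for Gatekeeper means the setting is "Anywhere"; the other four map one-to-one onto the checkboxes in System Preferences > App Store.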
If you're particularly concerned about malware, or malicious software, then you may want to install antivirus software on your Mac computer. Opinion on antivirus software amongst the Mac community is mixed.
Some people believe the current protection offered by Apple in OS X is enough protection, and that using a good strong password and installing trusted software from places like the App Store is enough protection. Others believe that while Macs are inherently safer than a PC, you should still install antivirus software as a precaution.
Our colleagues at Macworld in the US explain the dangers of not having an anti-virus on a Mac. Despite it being safer than a Windows machine, there are still risks for Mac users. Alongside our US colleagues, we also recommended ClamXav, which you can find directly on their website or the Mac App Store.
To virus-scan a Mac you'll need a program like ClamXav. Once it is installed, you can run a scan by clicking the Start Scan button. Depending on the size of your Mac's hard drive it might take some time, so set aside enough time for the scan to complete. You may also notice the Mac slowing down occasionally while certain files are being scanned.
We've discussed this issue at some length in a separate article that you may like to read: Do Macs get viruses? Why you DO need security software for your Mac (our position may be apparent from the headline). See also: Apple removes claim that 'Macs don't get PC viruses' and Why Macs are safer than PCs.
And if you do choose to install antivirus software, please do so after reading this article to ensure you're installing software from a trusted source: Best Mac antivirus software.