
OS X: Roll-your-own Malware Detection

[UPDATE 2014-10-20]: This trick seems to cause high CPU usage in Yosemite.  I am working on a launchd method to provide a similar effect.

[UPDATE 2014-10-02]: defend yourself from becoming a zombie courtesy of Mac.BackDoor.iWorm

[UPDATE]: Use this trick to fend off the new malware XLSCmd

Macs are not immune to malware.  Authors of malicious software often try to get a LaunchDaemon or LaunchAgent installed onto your computer in one or more of the following locations:

OS X has a lesser-known feature called Folder Actions.  These allow you to run scripts when an item is added to a folder.  You can set up a simple script that lets you know when an item is added to one of the folders above and then open it to see what was added.  If it is not something you recognize or were expecting, delete it.


Step-by-step Walkthrough

Enable Folder Actions

  1. Right-click one of the folders listed above
  2. Choose Services > Folder Actions Setup…
  3. Check Enable

Assign A Folder Action

  1. Click the plus sign on the right side of the window
  2. Highlight add - new item alert.scpt
  3. Click Attach

Repeat the steps above for each folder you want to monitor.  When a new item is added to any of these folders, a window will pop up asking if you want to view it.
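The same "tell me when something new lands in a launchd folder" check can also be done as a baseline comparison from the shell; the script below is an added example, not the author's script or his planned launchd method. The `WATCH_DIRS` list (standard launchd locations), the `STATE_DIR` path and the `--check` argument are assumptions made for this sketch, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example: baseline-and-compare check for launchd folders.
# WATCH_DIRS is an assumption (standard launchd locations), not the page's own list.
WATCH_DIRS="/Library/LaunchAgents /Library/LaunchDaemons $HOME/Library/LaunchAgents"
STATE_DIR="${STATE_DIR:-$HOME/.launchd-baseline}"   # hypothetical state location

# Print the sorted names of everything in a folder (nothing if it is missing).
snapshot_dir() {
    [ -d "$1" ] || return 0
    ls -1A "$1" | LC_ALL=C sort
}

# Map a folder path to its baseline file, e.g. /Library/LaunchAgents -> _Library_LaunchAgents
baseline_file() {
    printf '%s/%s\n' "$STATE_DIR" "$(printf '%s' "$1" | tr '/ ' '__')"
}

# Print items present in the folder now but absent from its baseline,
# then refresh the baseline so each addition is reported once.
# The first run for a folder only records the baseline.
new_items() {
    dir=$1
    base=$(baseline_file "$dir")
    mkdir -p "$STATE_DIR"
    cur=$(mktemp) || return 1
    snapshot_dir "$dir" > "$cur"
    if [ -f "$base" ]; then
        LC_ALL=C comm -13 "$base" "$cur"
    fi
    mv "$cur" "$base"
}

# Check every watched folder and report additions for review.
check_all() {
    for d in $WATCH_DIRS; do
        new_items "$d" | while IFS= read -r name; do
            echo "NEW launchd item: $d/$name"
        done
    done
}

# Run the check only when asked, e.g. `sh watch.sh --check` from a scheduled job.
if [ "${1:-}" = "--check" ]; then check_all; fi
```

Anything it reports gets the same treatment as the pop-up: open the folder, and if the item is not something you recognize or were expecting, delete it.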

 

  • Dan Helton

    Just a note. After upgrading to Yosemite, Folder Actions was consuming a ton of RAM and these were the only Folder Actions I’d created or used.

    • http://www.jacobsalmela.com Jacob Salmela

      Interesting. I will have to test this out myself. Folder actions have never seemed flawless to begin with and sometimes seemed a bit slow, so that isn’t too surprising–but they were nice because they were completely native to the OS.

  • Zsolt

    Just FYI, it seems that all is fine as long as I do not enable the folder action on the home/Library/LaunchAgent, all the rest is fine