OS X: Roll-your-own Malware Detection

[UPDATE 2014-10-20]: This trick seems to cause high CPU usage in Yosemite; try using launchd instead.

[UPDATE 2014-10-02]: Defend yourself from becoming a zombie courtesy of Mac.BackDoor.iWorm.

[UPDATE]: Use this trick to fend off the new malware XLSCmd.

Macs are not immune to malware. Authors of malicious software often try to get a LaunchDaemon or LaunchAgent installed on your computer in one or more of the following locations:


OS X has a lesser-known feature called Folder Actions. These let you run a script whenever an item is added to a folder. You can set up a simple script that tells you when an item is added to one of the folders above and then opens it so you can see what was added. If it is not something you recognize or were expecting, delete it.

Step-by-step Walkthrough

Enable Folder Actions

  1. Right-click one of the folders listed above
  2. Choose Services > Folder Actions Setup…
  3. Check Enable

Assign A Folder Action

  1. Click the plus sign on the right side of the window
  2. Highlight add – new item alert.scpt
  3. Click Attach

Repeat the steps above for each folder you want to monitor.  When a new item is added to any of these folders, a window will popup asking if you want to view it.
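For the launchd route suggested in the 2014-10-20 update, here is an added example script (not the author's, and not the built-in `add - new item alert.scpt`) that snapshots the launchd folders and reports anything that has appeared since the last run; it generalizes the Folder Action to a diff against a saved baseline. The folder list and the baseline path are assumptions (the standard launchd locations), both overridable from the environment.

```shell
#!/bin/sh
# Added example (not the blog author's script): snapshot the launchd folders
# and report anything that appeared since the last run. Run it from a
# LaunchAgent whose WatchPaths lists the same folders, or from cron.
# ASSUMED: the standard launchd folders below and the baseline path; override
# both via the environment.
WATCH_DIRS="${WATCH_DIRS:-$HOME/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons}"
BASELINE="${BASELINE:-$HOME/.launchd-baseline}"

# One full path per entry (dotfiles included), sorted so comm(1) can diff it.
# Folders that do not exist on this machine are skipped.
snapshot() {
    for d in $WATCH_DIRS; do
        [ -d "$d" ] && find "$d" -mindepth 1 -maxdepth 1
    done | sort
}

# Print entries present now but missing from the baseline, then refresh the
# baseline. Exit status 1 when something new showed up, 0 otherwise.
report_new_items() {
    # First run: record what is there now and treat it as known.
    [ -f "$BASELINE" ] || snapshot > "$BASELINE"
    new=$(snapshot | comm -13 "$BASELINE" -)
    snapshot > "$BASELINE"
    [ -n "$new" ] || return 0
    printf 'New launchd item(s):\n%s\n' "$new"
    # On OS X, pop up a dialog like the Folder Action does; skipped elsewhere.
    if command -v osascript >/dev/null 2>&1; then
        osascript -e 'on run argv' \
                  -e 'display dialog item 1 of argv with title "New launchd item"' \
                  -e 'end run' "$new" >/dev/null || true
    fi
    return 1
}

# Only run when executed directly (as launchd-watch.sh), not when sourced.
case "$0" in *launchd-watch.sh) report_new_items ;; esac
```

It only notices new names; to catch edits to a plist that was already present, snapshot checksums (for example with `shasum`) instead of file names.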