Mac virus scan: How to check for viruses on a Mac

Apple makes it hard to install an app that might not be safe on a Mac. Mac users can choose to only install apps from the Mac App Store, which is the safest option as it mean that the app has been thoroughly checked by Apple before being distributed.

Alternatively there is an option to install apps from the Mac App Store and from identified developers. An identified developer is one whose software has been scanned by Apple to ensure it is safe. As long as the app has passed Apple’s tests it will have a Notarisation ticket, which Gatekeeper looks for before telling macOS that it is safe to open.

If you only install apps from the Mac App Store, or notarised apps from identified developers, you should be safe, but sticking to the Mac App Store is the safest option as apps on the Mac App Store can’t be tampered with.

If you want to make sure your Mac can only install apps from the Mac App Store these are the steps to follow:

On Ventura:

1. Open System Settings.
2. Click on Privacy & Security.
3. Scroll down to Security and select App Store below Allow applications downloaded from.

On Monterey or earlier:

1. Open System Preferences.
2. Click on Security & Privacy.
3. Click on General.
4. Under Allow applications downloaded from select App Store.

If you prefer to allow installations from outside the Mac App Store follow the same steps but choose App Store and identified developers from the options.

If you choose to allow installations from identified developers then Apple will look for evidence that the app is notarized and it will also verify that the app hasn’t been tampered with and no malware is present. Unfortunately in the past there have been apps that slipped through this process because a certificate was present, such as the case of the Shlayer malware, but Apple has ramped up security since and changes to notarized apps are pushed out as required.

If Gatekeeper detects that the app has no notorization to prove the developer is certified by Apple, a message saying the app can’t be opened because of your settings will be displayed. If you know that the software is from a legitimate developer you can override this and open the app. See: How to open a Mac app from an unidentified developer. However, you should be aware that even legitimate software has been known to conceal malware.

Even if the developer is recognised by Apple, the software will still be checked against a list of known malware in XProtect. XProtect will scan an app the first time it launches and it will scan the app every time there is an update issued for it.

Updates to XProtect are pushed out frequently and macOS automatically checks for updates daily–a Mac user doesn’t even need to do anything as these updates are separate to macOS updates. This means that even the newest malware should be identified by XProtect, although Apple isn’t always as fast at getting this information updated as other antivirus solutions are. See our round up of the Best Antivirus for Mac, which features Intego as our number one choice.

If malware is identified the app will be blocked and a message will appear giving the option to delete the software.

To take full advantage of XProtect you need to be running macOS Catalina (10.15) or later, but we would advise that, because Apple only supports the last three versions of macOS, you will be safest if you are running Big Sur, Monterey and Ventura.

You should make sure your Mac is set to receive these updates automatically by following these steps:

In Ventura:

1. Open System Settings.
2. Go to General > Software Update.
3. Click on the i beside Automatic updates and check that Install Security Responses and System Files is selected.

In Monterey or older:

1. Open System Preferences.
2. Click on Software Update.
3. Click on Advanced.
4. Make sure the box beside Install system data files and security updates is selected.

When malware is identified on a Mac the user sees an alert suggesting that the move the affected app to the trash. The user is also asked to alert others to the malware, which they can do automatically. This doesn’t mean it is entirely down to the user to delete the app and remove the malware though.

The removal used to involve a separate Malware Removal Tool (MRT) found in /Library/System, but is wasn’t an app users could run. However, since macOS Monterey MRT was replaced by an XProtect Remediator that scans for and removes malware.

XProtect Remediator will scan your Mac at least once a day or more, and is updated much more frequently than MRT was–since MRT is no longer updated it is a good reason to make sure you are running macOS Catalina or later.

XProtect Remediator will attempt to remedy or remove malware.

If an app had been notorized by Apple but malware is identified that developer will lose the certificate that allows them to distribute apps and the app will lose its notarization.

This change to the notarization is then pushed to other Mac users so that Gatekeeper knows not to allow that app to be opened.

macOS checks for XProtect updates daily, but Notarization updates are issued even more frequently, so if malware is detected, or an app loses its Notarization, Mac users should quickly be protected.

If Mac users rely solely on XProtect and Apple’s other protections there are limitations in comparison to other anti-malware solutions, which are updated more regularly and have teams of specialists working on identifying malware.

The protection offered by XProtect is also more basic than that of third-party anti-malware apps that can also protect you from phishing, social networking scams, and they can protect your Windows using friends. We make various recommendations in our test of the top Mac antivirus apps.

XProtect is updated more frequently than it was–which was one of the main criticisms–but other malware apps check for malware constantly. XProtect only checks for malware when an app is downloaded for the first time, if the app is updated and if the status of the developer signature or app notarization changes.

Apple’s protections should keep your Mac free from most malicious software, but they do not make it impossible for malicious software to be installed on your Mac. If new malware is released today and you download and run it today you will have done so before Apple’s databases could have been updated. So it’s always best to be wise when downloading software from unknown sources.

As we argue in a separate article: Macs do need antivirus software despite Apple’s protections in macOS.