
Queen6

macrumors G4
@Queen6: thanks! 👍

it seems my post came along as i distrusted that app, which is not the case at all... just wanted to be absolutely sure about its behavior as i simply didn't understand enough about how it actually handled things

and yes,
Patrick Wardle is awesome! 🤘
Don't know him for too long as i'm new to Mac and gave a **** about security before (and somehow still managed to get away more or less malware free in 30+ years using DOS or Windows 🤡)
and i also never cared before what scanners did with my info back in the Windows days so i had no clue what they were actually doing with my data.
i really enjoy his videos on YouTube
and i suspect it's the one who is constantly helping me and many others here on this forum too
(in case i should be wrong and it is not the same person, bogdanw is awesome too! 😂)
Been using KnockKnock since release :) Only other I use is Bitdefender's free version (on demand scanner) from Apple's store.

Anyone wants active protection, BlockBlock is another excellent tool from Patrick; however, you do need to interpret the alerts and have some understanding of how the app functions.

Q-6
 

unrigestered

Suspended
Jun 17, 2022
879
840
yup, opted for KnockKnock just for the peace of mind as i never really had much trouble on Windows already (though on that side always with a scanner running in the background - which never really found anything, except once on Windows XP when i was downloading a video codec pack from a generally pretty trustworthy source)

so i don't think i really need real time monitoring (in addition to macOS's native solutions)
observing just one plist in my affectable launch folders is also pretty manageable for me, though of course i'm aware that something like BlockBlock would find it immediately, while i would only be reviewing those folders every once in a while.
but i also couldn't sleep too well without on-demand scans from time to time
 

bogdanw

macrumors 603
Mar 10, 2009
6,100
3,013
Simple AppleScript, that can be saved as an app, to check the contents of ~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons and /Library/PrivilegedHelperTools

Code:
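-- ls -A lists hidden entries but omits "." and ".."; grep -vxF drops only the line that is exactly .DS_Store
-- "|| true" keeps do shell script from raising an error when a folder is missing or empty
set uLA to do shell script "ls -A ~/Library/LaunchAgents 2>/dev/null | grep -vxF '.DS_Store' || true"
set gLA to do shell script "ls -A /Library/LaunchAgents 2>/dev/null | grep -vxF '.DS_Store' || true"
set gLD to do shell script "ls -A /Library/LaunchDaemons 2>/dev/null | grep -vxF '.DS_Store' || true"
set gHT to do shell script "ls -A /Library/PrivilegedHelperTools 2>/dev/null | grep -vxF '.DS_Store' || true"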
display dialog tab & "~/Library/LaunchAgents" & return & "Third-party agents that apply only to the logged-in user:" & return & return & uLA & return & return & tab & "/Library/LaunchAgents" & return & "Third-party agents that apply to all users on a per-user basis:" & return & return & gLA & return & return & tab & "/Library/LaunchDaemons" & return & "Third-party system daemons:" & return & return & gLD & return & return & tab & "/Library/PrivilegedHelperTools" & return & "Privileged Helpers:" & return & return & gHT & return & return buttons {"Close"} default button 1

Open Script Editor (/Applications/Utilities/Script Editor.app), copy-paste the code above, save it as an app, run the app. The script uses the Terminal command ls to list the contents of the folders (including invisible files, excluding .DS_Store file) and displays the results in a dialog box. The content of the display box can be copied as text.

Documentation from Apple:
https://support.apple.com/guide/ter...d-apdc6c1077b-5d5d-4d35-9c19-60f2397b2369/mac
https://developer.apple.com/library...SecureCodingGuide/Articles/AccessControl.html

Script on GitHub https://github.com/b0gdanw/AppleScripts/blob/master/LaunchCheck.scpt
 

unrigestered

Suspended
Jun 17, 2022
879
840
wasn’t aware of that privilegedhelper… location yet.
the other two Launch locations inside library are just one click away in Finder though, so really no big hassle for me to monitor. (no launch thingy inside ~/Library/ for me yet)

But thanks for bringing up scripting, which i haven’t looked up at all yet.
Though there is so much else to learn for me too! 😳
 

bogdanw

macrumors 603
Mar 10, 2009
6,100
3,013
(no launch thingy inside ~/Library/ for me yet)
Here’s a trick I’ve learned on this forum (can’t remember from whom exactly, maybe @katbel )
- replace the undesired plist files with folders with the same name so apps can not re-add them.
So, to stop Google’s autoupdate feature from running, I now have two folders named com.google.keystone.agent.plist and com.google.keystone.xpcservice.plist in ~/Library/LaunchAgents/
Chrome can not delete them and place its plist files, that would enable it to run when it desires, but the update works from chrome://settings/help when I want it to ;-)
 
  • Like
Reactions: katbel
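An added example, not code from any poster in this thread or from Objective-See: the AppleScript above shows file names only, so this Python script reads each launchd plist in the same four folders, reports the program it would start, and marks a folder sitting in a plist's place (the placeholder trick just described). The function names, dictionary keys and note strings are this example's own choices.

```python
import plistlib
from pathlib import Path

# The four locations listed by the AppleScript in this thread.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents",
               "/Library/LaunchDaemons", "/Library/PrivilegedHelperTools"]

def inspect_item(path):
    """Describe one folder entry (keys and note strings are this example's own)."""
    path = Path(path)
    info = {"name": path.name, "kind": "file", "label": None,
            "program": None, "run_at_load": False, "notes": []}
    if path.is_dir():
        info["kind"] = "folder"
        if path.suffix == ".plist":
            # Placeholder trick from the thread: a folder occupying the plist's name.
            info["notes"].append("folder placeholder, nothing for launchd to load")
        return info
    if path.suffix != ".plist":
        return info  # e.g. a helper binary in PrivilegedHelperTools
    info["kind"] = "plist"
    try:
        with path.open("rb") as fh:
            job = plistlib.load(fh)  # reads both XML and binary plists
        if not isinstance(job, dict):
            raise ValueError("top level is not a dictionary")
    except Exception as exc:  # malformed file or permission denied
        info["notes"].append(f"unreadable plist: {type(exc).__name__}")
        return info
    args = job.get("ProgramArguments") or []
    info["label"] = job.get("Label")
    info["program"] = job.get("Program") or (args[0] if args else None)
    info["run_at_load"] = bool(job.get("RunAtLoad", False))
    if info["program"] and not Path(info["program"]).exists():
        info["notes"].append("program path does not exist")
    return info

def scan(dirs=LAUNCH_DIRS):  # folder -> list of entries, or None if the folder is absent
    report = {}
    for d in dirs:
        folder = Path(d).expanduser()
        report[d] = ([inspect_item(p) for p in sorted(folder.iterdir())
                      if p.name != ".DS_Store"] if folder.is_dir() else None)
    return report

if __name__ == "__main__":
    for d, items in scan().items():
        print(d, "(folder missing)" if items is None else
              [(i["name"], i["program"], i["notes"]) for i in items])
```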

gilby101

macrumors 68030
Mar 17, 2010
2,924
1,617
Tasmania
Simple AppleScript, that can be saved as an app, to check the contents of ~/Library/LaunchAgents, /Library/LaunchAgents, /Library/LaunchDaemons and /Library/PrivilegedHelperTools
I get real time checks on changes using Hazel. Folder Actions can also be used.
 
  • Like
Reactions: bogdanw

unrigestered

Suspended
Jun 17, 2022
879
840
@bogdanw: that's weird. 😳
i always thought that files and folders would be handled independently from each other, like a Google.txt, Google.png and Google.jpg could easily co-exist inside the same folder without interfering with each other since they are not alike, "file" attribute wise.
just tried it in DOS too, (via the command line inside Windows) as i thought that this should work there and it is indeed the same behavior! 😱
the OS should be able to easily differentiate between files and folders though?, as ls -l (and of course Finder too) clearly tells you whether these are files or folders.
so is this still some restriction of the file systems, or just a matter to not confuse the users too much?

and what's the point in disabling auto updating those google services?
getting rid of resource hogging? reduce home calling / traffic? or do those updates break things for you?

as i said, i don't have that ~/Library/LaunchAgents/ folder yet, and only one single plist inside /Library/LaunchDaemons, and not planning to add too much to my system anymore, but who knows - maybe this might become handy at one point 👍
but like in another thread, where you suggested renaming a process to prevent it from loading, i thought something like this would give you an error message (file could not be found, read/write errors, etc.)?
 

rpmurray

macrumors 68020
Feb 21, 2017
2,148
4,329
Back End of Beyond
I went to the Malwarebytes website and read:

IN THE LAST 30 DAYS, GLOBALLY WE’VE STOPPED
44 million plus malware and PUPs
35 million plus malicious sites
2 million plus exploits
35 thousand plus ransomware attacks

So my question is, how do they know? Unless they're spying on everything that's happening on your computer.
 

rpmurray

macrumors 68020
Feb 21, 2017
2,148
4,329
Back End of Beyond
Scans on customer Macs is a different issue. Had one just last month that got hits on 45 different items. Amazingly, the lady has, in my experience, the most common kind of internet use that gets "unexpected" files. She is a stitching and knitting fan. Sounds innocent, right? Those patterns that you can download for that often come with extra added "features". The lady had hundreds of patterns, and a few dozen were quarantined/removed. All with free Malwarebytes.
So a lot of false positives?
 

unrigestered

Suspended
Jun 17, 2022
879
840
So my question is, how do they know? Unless they're spying on everything that's happening on your computer.

i don't know their method(s), but the scanner could simply just post the amount of findings (including the names and kinds of the infections) and their website simply collects these info from everyone and generates a total count from all of those.
 
  • Like
Reactions: philippe2014

bogdanw

macrumors 603
Mar 10, 2009
6,100
3,013
I get real time checks on changes using Hazel. Folder Actions can also be used.
I forgot to mention, the script is for educational purposes only, not for malware monitoring :)
I’ve already recommended BlockBlock for that and I still do.
Good to know about Hazel https://www.noodlesoft.com
From a decade ago, but still relevant, CNET - Monitor OS X LaunchAgents folders to help prevent malware attacks https://www.cnet.com/tech/computing...ents-folders-to-help-prevent-malware-attacks/

just tried it in DOS too, (via the command line inside Windows) as i thought that this should work there and it is indeed the same behavior! 😱
If files could overwrite folders, it would be chaos on any OS :) And especially on macOS, where an .app is actually a folder with files and subfolders inside.

and what's the point in disabling auto updating those google services?
getting rid of resource hogging? reduce home calling / traffic? or do those updates break things for you?
I don’t use Chrome everyday, there is no point of its update service running. I update Chrome when I use it.

Returning to the topic, some news about a security suite.
I don’t use Kaspersky and I haven’t tested a recent version of their app, but I follow their security blog and I noticed they announced new subscription plans yesterday. 22 USD for three devices (macOS or Windows)/ for the first year sounds like a good deal. Notice the fine print:
“*Introductory price for the first year of your subscription. It will renew automatically at $56.99 per year. Cancel your subscription at any time.”
https://www.kaspersky.com/blog/kaspersky-home-products-2022/45268/
https://usa.kaspersky.com/standard
 
  • Like
Reactions: philippe2014

Queen6

macrumors G4
I forgot to mention, the script is for educational purposes only, not for malware monitoring :)
I’ve already recommended BlockBlock for that and I still do.
Good to know about Hazel https://www.noodlesoft.com
From a decade ago, but still relevant, CNET - Monitor OS X LaunchAgents folders to help prevent malware attacks https://www.cnet.com/tech/computing...ents-folders-to-help-prevent-malware-attacks/
Think this needs to be expanded; BlockBlock does not solely block malware, it blocks every persistent component including Apple's. The user then must look at the details and act appropriately.

KnockKnock is similar in that the app does not actively detect malware. It simply enumerates items that are automatically started; either during start up, during login, or during another application's launch. Subsequently the scanned files' "fingerprints" are sent to VirusTotal for comparison and/or analysis.

Please don't get me wrong, my intention is not to be negative :) I do however think people need some expansion with Objective-See's SW, how it works and why it's so very effective.

I have the free Bitdefender from Apple and it's very much a traditional scanner depending on downloaded malware signatures and a single engine. That said it does scan all new files irrespective of use/type which is clearly useful, especially in a mixed environment.

Q-6
 

1user2

macrumors newbie
Jun 8, 2019
3
0
I’ve never worried much about malware on Macs, but it’s always nice to do a quick scan every once in a while just to be sure. What’s the best (preferably free) malware scanner for Monterey for occasional use (not always on)? Thanks.
Isn't Mac OS a spyware program nowadays?
 

bogdanw

macrumors 603
Mar 10, 2009
6,100
3,013
Think needs to be expanded; Blockblock does not solely block malware, it blocks every persistent component including Apple's.
What do you mean by “including Apple's”?
BlockBlock’s page does a good job explaining what it does and, in my opinion, even unexperienced users can follow common sense logic: if I am not installing anything, why is something trying to install itself? That’s most likely malware.
https://objective-see.org/products/blockblock.html

Isn't Mac OS a spyware program nowadays?
In that sense, every current OS (macOS, iOS, Windows, Android) is spyware. The amount of “telemetry” collected about users is astonishing.
 

Queen6

macrumors G4
What do you mean by “including Apple's”?
BlockBlock’s page does a good job explaining what it does and, in my opinion, even unexperienced users can follow common sense logic: if I am not installing anything, why is something trying to install itself? That’s most likely malware.
https://objective-see.org/products/blockblock.html
It blocks everything, that's its purpose. If an app auto updates in the background and needs to update the launch agent BlockBlock will trigger...

"Once installed, BlockBlock will begin running and will be automatically started any time your computer is restarted, thus providing continual protection. If anything installs a persistent piece of software, BlockBlock aims to detect this and will display an informative alert"

"By design BlockBlock strives to alert you anytime it detects a persistent component has been added to the system. There are many legitimate reasons why something would be benign persisted. For example BlockBlock persistently installs itself so it can provide continual protection!"

Is very simple, yet elegant in execution

Q-6
 

piattj

macrumors regular
Mar 3, 2021
118
75
Lots of votes for the free Malwarebytes scanner. Any experience with the equivalent (?) Intego VirusBarrier Scanner also in the App Store. Looks to get positive reviews. As Intego are known as Mac platform specialists, is Intego a viable & quality alternative to MWB?
 

bogdanw

macrumors 603
Mar 10, 2009
6,100
3,013
It blocks everything, that's its purpose. If an app auto updates in the background and needs to update the launch agent BlockBlock will trigger...

"Once installed, BlockBlock will begin running and will be automatically started any time your computer is restarted, thus providing continual protection. If anything installs a persistent piece of software, BlockBlock aims to detect this and will display an informative alert"

"By design BlockBlock strives to alert you anytime it detects a persistent component has been added to the system. There are many legitimate reasons why something would be benign persisted. For example BlockBlock persistently installs itself so it can provide continual protection!"

Is very simple, yet elegant in execution

Q-6
I know what it does.
I don’t understand what you mean with “it blocks every persistent component including Apple's”
You are referring to apps downloaded from the App Store?
Yes, they can be abused https://privacyis1st.medium.com/abuse-of-the-mac-appstore-investigation-6151114bb10e
But BlockBlock does not block Apple launch agents or daemons.
From the link above
/System/Library/LaunchDaemons - Apple-supplied system daemons
/System/Library/LaunchAgents - Apple-supplied agents that apply to all users on a per-user basis
 

unrigestered

Suspended
Jun 17, 2022
879
840
In that sense, every current OS (macOS, iOS, Windows, Android) is spyware.

so Linux is/are not current? 🤡

though i'm sure there are good and bad examples there too (at least i hope, there must be some good examples, right?)
and of course when it comes to apps that enable you to browse the web, privacy surely will have ended even there too
 

bogdanw

macrumors 603
Mar 10, 2009
6,100
3,013

Queen6

macrumors G4
I know what it does.
I don’t understand what you mean with “it blocks every persistent component including Apple's”
You are referring to apps downloaded from the App Store?
Yes, they can be abused https://privacyis1st.medium.com/abuse-of-the-mac-appstore-investigation-6151114bb10e
But BlockBlock does not block Apple launch agents or daemons.
From the link above
/System/Library/LaunchDaemons - Apple-supplied system daemons
/System/Library/LaunchAgents - Apple-supplied agents that apply to all users on a per-user basis
If new on the system in my experience the app will trigger. You also have to consider that not all apps are from the store.

Q-6
 

HDFan

Contributor
Jun 30, 2007
7,270
3,326
Any experience with the equivalent (?) Intego VirusBarrier Scanner also in the App Store.

Anti-Virus rankings change over time. At the time when I was deciding Sophos was better than Intego. Now it is the reverse.

I'm sticking with Sophos due to their excellent support. Had an issue where I was getting only ~2.19 Gbits/sec connections to my NAS when I should have been getting 9.98 Gbits/sec. Support was excellent as we worked the issue and they identified a problem in their code. Took over 6 months to fix it but they did.

Tested Intego and found it had the same problem. Decided not worth the time and delay involved trying to get the fix from Intego.
 

philippe2014

macrumors member
Aug 21, 2022
41
21
Paris
Mac OS X built-in folder actions
 

Attachments

  • Capture d’écran 2022-09-16 à 10.53.37.png