24.3. Looking for Rogue Software

If you know that malware or other unauthorized software is installed on a Mac but it's not actively running, finding it can be challenging. By nature, malware usually hides in obscure locations, uses innocent-looking or misleading names, and may use other tricks to avoid detection.

As before, the easiest way to find such programs is to run a commercial anti-malware utility. Such programs contain extensive databases of the characteristics of known malware programs — as well as heuristics that enable them to identify much as-yet-unknown malware — and can find them wherever they may lurk on your disk by scanning every file.

NOTE

For more on anti-malware software, see Chapter 14.

If you can't use anti-malware software for some reason, if you don't trust its results, or if it fails to locate malicious software that you're sure is there, you can use a few tricks to track it down.

One popular hiding place for malware is the /var/tmp directory because it's world-writable.

The first thing to keep in mind is that a program can't do any good (or any damage) when it's simply sitting idle on your hard disk. Only when the software is actively running can it accomplish anything. Therefore, it stands to reason that the program's designer would include some mechanism to make sure it runs — either at startup, on a recurring schedule, or in response to a frequent ...
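The two clues above, a world-writable scratch directory and a run-at-startup mechanism, can be checked with a short sweep. The script below is an added example, not code from the book: it lists executable files under a directory such as /var/tmp and the launchd property lists in the standard macOS persistence directories (the `--scan` flag, the script name and the root argument are assumptions; pass a mounted copy's root to review a disk offline).

```shell
#!/bin/sh
# Added example (not from the book). Two defender-side checks:
#  1. executable files sitting in a world-writable scratch directory
#  2. launchd property lists in the standard persistence directories,
#     where a "run at startup" mechanism normally lives.
# A root directory is passed in so the functions can be run against a copy.

# List regular files with any execute bit set beneath the given directory.
# Dotfiles are included, since a hidden or innocent-looking name is common.
find_executables() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) 2>/dev/null
}

# List launchd plists under the persistence directories, relative to a root
# ("/" for the live system, or the mount point of a copy).
list_launchd_items() {
    root="${1%/}"
    for d in "$root/Library/LaunchAgents" \
             "$root/Library/LaunchDaemons" \
             "$root/System/Library/LaunchAgents" \
             "$root/System/Library/LaunchDaemons" \
             "$root/Users/"*/Library/LaunchAgents; do
        [ -d "$d" ] && find "$d" -name '*.plist' 2>/dev/null
    done
    return 0
}

# Usage as a script (assumed name): sh sweep.sh --scan
# Reviews the live system; the crontab listing covers the "recurring
# schedule" case mentioned in the text.
if [ "${1:-}" = "--scan" ]; then
    echo "== executables in /var/tmp =="
    find_executables /var/tmp
    echo "== launchd items =="
    list_launchd_items /
    echo "== user crontab =="
    crontab -l 2>/dev/null
fi
```

Any unfamiliar entry in the output is a lead to investigate, not proof of infection; compare it against what you installed and what the vendor documents.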
