Why cleanup apps are the wrong first move
macOS Tahoe includes four layers of built-in malware defense that run without installing a single third-party app: XProtect scans for known malware signatures, Gatekeeper blocks unsigned software, Activity Monitor exposes suspicious processes in real time, and Login Items reveals anything that launches at startup. Together, these tools catch the overwhelming majority of Mac threats before they do damage.
The complication is that most Mac users never open any of these tools on purpose. They assume macOS handles everything silently, which is partly true for XProtect and Gatekeeper, but completely false for the manual inspections that catch the sneakier infostealers now targeting macOS at double the rate of previous years. Knowing which tool to open, what to look for, and when to escalate turns passive protection into active defense.
The third-party antivirus market for Mac thrives on this knowledge gap. Many of the top Google results for "check Mac for malware" are written by companies selling cleanup software, and their guides naturally steer you toward a paid download. The tools below cost nothing because Apple already put them on your machine.
Affiliate disclosure: some links in this article are Amazon Associate links. If you buy through them, Zone of Mac may earn a small commission at no extra cost to you, and we only recommend products that genuinely bring value to your Apple setup.
Confirm XProtect and Gatekeeper are active
XProtect is Apple’s signature-based malware scanner. It runs automatically in the background, checks apps when they first launch, and updates its malware definitions independently of macOS system updates. You cannot open XProtect as an app because it has no user-facing interface. What you can do is verify it exists and confirm its definitions are current.
Open Terminal (search for it in Spotlight or find it in Applications, then Utilities) and type this command:
system_profiler SPInstallHistoryDataType | grep -A 2 "XProtect"
The output shows the most recent XProtect update date. If that date is within the last two weeks, your definitions are current. Apple pushes XProtect Remediator updates frequently, and these run periodic scans that detect and remove known malware families even after the malware has already been installed.
Gatekeeper is the second automatic layer. It verifies that every app you open is either from the Mac App Store or signed by a registered developer and notarized by Apple. To confirm Gatekeeper is active, go to System Settings, then Privacy and Security, and scroll to the Security section. The setting labeled "Allow applications from" should read "App Store and Known Developers" at minimum. If someone has changed this to a more permissive option, switch it back now. Apple’s own malware protection guide confirms that Gatekeeper and XProtect together form the foundation of macOS security, and overriding Gatekeeper warnings is the single most common way a Mac gets infected.
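Both automatic layers can also be checked from Terminal in one pass. The script below is an added example, not code from the original article or from Apple. It assumes that `spctl --status` prints "assessments enabled" or "assessments disabled", and that the install history from system_profiler lists each XProtect entry with an "Install Date: YYYY-MM-DD, HH:MM:SS" line; the sample history at the bottom is constructed in that shape so the parsing can run on a machine without either tool.

```shell
#!/bin/sh
# Added example, not part of the original article: check the two automatic
# layers from Terminal. Assumptions: `spctl --status` prints "assessments
# enabled" or "assessments disabled", and system_profiler's install history
# lists each XProtect entry with an "Install Date: YYYY-MM-DD, HH:MM:SS" line.
# The sample output below is constructed so the parsing can be exercised on
# a machine that lacks both tools.

gatekeeper_state() {
  # $1: the line printed by `spctl --status`; prints enabled / disabled / unknown
  case "$1" in
    *"assessments enabled"*)  echo enabled ;;
    *"assessments disabled"*) echo disabled ;;
    *)                        echo unknown ;;
  esac
}

xprotect_install_date() {
  # stdin: `system_profiler SPInstallHistoryDataType` output
  # prints the install date (YYYY-MM-DD) of the last XProtect entry listed,
  # regardless of how many lines sit between the entry name and its date
  awk '/XProtect/ { p = 1 } p && /Install Date:/ { print $3; p = 0 }' |
    sed 's/,$//' | tail -n 1
}

days_from_civil() {
  # $1: YYYY-MM-DD; prints days since 1970-01-01 (Hinnant's civil-date formula)
  y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
  m=${m#0}; d=${d#0}                      # "08"/"09" would otherwise read as octal
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

xprotect_is_current() {
  # $1: install date, $2: today (both YYYY-MM-DD), $3: max age in days (default 14)
  age=$(( $(days_from_civil "$2") - $(days_from_civil "$1") ))
  [ "$age" -le "${3:-14}" ]
}

# Constructed sample of the install-history format, used when the real
# tools are not available (i.e. this is not a Mac).
SAMPLE_HISTORY='    XProtectPlistConfigData:

      Version: 5299
      Source: Apple
      Install Date: 2026-02-10, 14:32:01
'

if command -v spctl >/dev/null 2>&1; then
  gk=$(spctl --status 2>&1 || true)
  hist_out=$(system_profiler SPInstallHistoryDataType 2>/dev/null)
else
  gk="assessments enabled"
  hist_out=$SAMPLE_HISTORY
fi

echo "Gatekeeper: $(gatekeeper_state "$gk")"
installed=$(printf '%s\n' "$hist_out" | xprotect_install_date)
today=$(date +%Y-%m-%d)
if [ -n "$installed" ] && xprotect_is_current "$installed" "$today"; then
  echo "XProtect definitions installed $installed: current"
else
  echo "XProtect definitions installed ${installed:-unknown}: check Software Update"
fi
```

The date arithmetic is done in plain shell integers rather than with `date -d` or `date -j`, because those flags differ between macOS and other systems; the two-week threshold matches the rule of thumb in the text and can be overridden with a third argument to xprotect_is_current.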
Hunt for suspicious processes in Activity Monitor
XProtect and Gatekeeper work automatically. Activity Monitor is where you take over. Open it from Applications, then Utilities (or search for "Activity Monitor" in Spotlight) and select the CPU tab.
Sort by CPU usage with the highest consumers at the top. Legitimate macOS processes like kernel_task, WindowServer, and Spotlight (mds_stores) will frequently appear near the top. What you are looking for are unfamiliar names consuming significant CPU, especially anything you did not deliberately install. Common red flags include processes with randomized alphanumeric names, names mimicking system processes but slightly misspelled, or any process tied to a developer you do not recognize.
There is a small friction point here that matters: Activity Monitor lists hundreds of processes, and most of them look cryptic. The instinct is to panic at names like "trustd" or "timed," but those are legitimate Apple daemons. Before force-quitting anything, select the process and choose the Info button (the circled "i" in the toolbar). The resulting panel shows the process path, parent process, and CPU history. If the path points to a location inside /Applications or /System, it is almost certainly safe. If it points to a hidden folder in your user Library or a temporary directory, investigate further.
Switch to the Memory tab and repeat the same inspection. Some malware runs with low CPU usage but allocates large amounts of memory while staging data for exfiltration. The same rules apply: unfamiliar names, unusual paths, and unexplained resource consumption are the signals.
If your Mac has been running noticeably slow and you cannot explain why, Activity Monitor is the first diagnostic stop. Malware is only one possible cause, but it is the one with the highest stakes.
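The path rule from the Info panel (inside /Applications or /System is almost certainly fine; a hidden folder or a temporary directory deserves a closer look) can be applied to every running process at once. The script below is an added example, not code from the original article or from Apple. It assumes that on macOS `ps -axo pid,pcpu,comm` prints the full executable path in the comm column; on other systems that column holds only a name, so a constructed listing stands in.

```shell
#!/bin/sh
# Added example, not part of the original article: apply the Info-panel rule
# from the text (path under /Applications or /System is almost certainly
# fine; a hidden folder or temp directory is not) to every running process
# at once. Assumption: on macOS, `ps -axo pid,pcpu,comm` prints the full
# executable path in the comm column. Elsewhere that column is just a name,
# so a constructed listing stands in.

classify_path() {
  # $1: executable path; prints trusted / investigate / review
  case "$1" in
    /System/*|/usr/bin/*|/usr/sbin/*|/usr/libexec/*|/bin/*|/sbin/*|/Applications/*|/Library/Apple/*)
      echo trusted ;;
    /tmp/*|/private/tmp/*|/var/folders/*|/private/var/folders/*|*/.*/*)
      echo investigate ;;            # temp directory or a dot-directory (hidden folder)
    *)
      echo review ;;                 # not obviously bad, but confirm you installed it
  esac
}

triage_listing() {
  # stdin: "<pid> <%cpu> <path>" lines; prints every non-trusted process as
  # "<verdict> <pid> <%cpu> <path>", highest CPU first
  while read -r pid cpu path; do
    [ -n "$path" ] || continue
    verdict=$(classify_path "$path")
    if [ "$verdict" != trusted ]; then
      printf '%s %s %s %s\n' "$verdict" "$pid" "$cpu" "$path"
    fi
  done | sort -k3 -rn
}

# Constructed sample in the shape of `ps -axo pid,pcpu,comm` (header removed).
SAMPLE_PS='  123   0.4 /System/Library/CoreServices/WindowServer
  456  12.7 /Users/alice/Library/.cache/xq8f2a/xq8f2a
  789   3.1 /Applications/Acme.app/Contents/MacOS/Acme
  901   0.2 /private/var/folders/zz/T/update
  222   1.5 /Users/alice/Library/Application Support/AcmeSync/acmesyncd'

if [ "$(uname)" = Darwin ]; then
  ps -axo pid,pcpu,comm | tail -n +2 | triage_listing
else
  printf '%s\n' "$SAMPLE_PS" | triage_listing
fi
```

A "review" verdict is not an accusation: plenty of legitimate helpers live under the user Library or /Library. It is the list you compare against what you know you installed, and "investigate" entries are the ones to open in Activity Monitor's Info panel first.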
Audit Login Items and background services
Malware that survives a reboot needs a persistence mechanism, and the most common one on macOS is a Login Item or background agent. macOS Tahoe consolidated these into a single pane: go to System Settings, then General, then Login Items and Extensions.
This screen is split into two sections. The top section, "Open at Login," shows apps that launch when you log in. The bottom section, "Allow in the Background," lists background agents and services that run persistently. Review both sections carefully.
Legitimate entries include things like your cloud storage client, communication apps, or an audio interface driver. Suspicious entries are items you do not remember installing, anything with a generic or nondescript name, or services tied to apps you have already deleted. To remove an item, select it and click the minus button, or toggle its switch to off.
macOS Tahoe also shows Background Items notifications when a new service registers itself. If you have been dismissing these notifications without reading them, now is the time to return to this settings pane and review what accumulated.
For a deeper look, open Terminal and run:
ls ~/Library/LaunchAgents/
This directory contains per-user launch agents. Each .plist file defines a service that macOS starts at login. The filenames typically follow reverse-domain notation (com.apple.something or com.developer.appname). Files that do not follow this pattern, or files you cannot trace to a known app, warrant further research. Look up the filename in a search engine before deleting it, because some legitimate apps use unconventional naming.
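The two checks the text describes by hand, naming convention and where the agent's program lives, can be scripted over a LaunchAgents directory. The script below is an added example, not code from the original article or from Apple. The three agents it writes are constructed samples placed in a temporary directory, and the plist reading is a deliberately simple awk pass over pretty-printed XML (on a Mac, `plutil -p FILE` is the more robust way to read one plist).

```shell
#!/bin/sh
# Added example, not part of the original article: audit a LaunchAgents
# directory for (1) filenames that do not follow reverse-domain naming and
# (2) agents whose program lives in a temp or hidden directory. The sample
# agents are constructed; the XML parsing is a simple awk pass that expects
# pretty-printed plists (use `plutil -p FILE` on a Mac for anything odd).

name_is_reverse_domain() {
  # $1: plist filename; true when it has at least two dots before the final
  # name, e.g. com.vendor.app.plist
  case "$1" in
    *.*.*.plist) return 0 ;;
    *)           return 1 ;;
  esac
}

agent_program() {
  # $1: plist path; prints the executable from Program or ProgramArguments[0]
  awk '
    /<key>Program<\/key>/ || /<key>ProgramArguments<\/key>/ { want = 1; next }
    want && /<string>/ {
      sub(/^[ \t]*<string>/, ""); sub(/<\/string>.*$/, "")
      print; exit
    }' "$1"
}

audit_launch_agents() {
  # $1: directory; prints "<reason> <file> (<program>)" for each agent to research
  for f in "$1"/*.plist; do
    [ -e "$f" ] || continue
    base=$(basename "$f")
    prog=$(agent_program "$f")
    if ! name_is_reverse_domain "$base"; then
      echo "unconventional-name $base ($prog)"
    fi
    case "$prog" in
      /tmp/*|/private/tmp/*|/var/folders/*|/private/var/folders/*|*/.*/*)
        echo "suspicious-program $base ($prog)" ;;
    esac
  done
}

write_agent() {
  # $1: directory, $2: plist filename, $3: program path (constructed sample agent)
  cat > "$1/$2" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>${2%.plist}</string>
  <key>ProgramArguments</key>
  <array>
    <string>$3</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
</dict>
</plist>
EOF
}

make_sample_agents() {
  # $1: directory; writes one ordinary agent and two that should be flagged
  mkdir -p "$1"
  write_agent "$1" com.acme.updater.plist "/Applications/Acme.app/Contents/MacOS/AcmeUpdater"
  write_agent "$1" xq8f2a.plist "/Users/alice/Library/.xq8f2a/xq8f2a"
  write_agent "$1" com.example.helper.plist "/private/tmp/helper"
}

# Run against the constructed samples; on a Mac, point audit_launch_agents
# at "$HOME/Library/LaunchAgents" instead.
sample_dir=$(mktemp -d)
make_sample_agents "$sample_dir"
audit_launch_agents "$sample_dir"
rm -rf "$sample_dir"
```

The third sample shows why both checks matter: its filename looks perfectly conventional, and only the program path gives it away. As the text says, a flagged name is a prompt to research, not to delete on sight.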
Here is a quick comparison of the four built-in malware defense layers in macOS Tahoe and what each one handles best.
| Tool | What It Does | Runs Automatically? | Best For |
|---|---|---|---|
| XProtect | Signature-based malware scanning | Yes | Blocking known malware families |
| Gatekeeper | App signing and notarization checks | Yes | Preventing unsigned apps from launching |
| Activity Monitor | Real-time process inspection | No (manual) | Spotting suspicious CPU or memory spikes |
| Login Items audit | Startup and background process review | No (manual) | Finding persistence mechanisms |
Check your Safari extensions and browser integrity
Browser hijackers are among the most common Mac infections, and they operate entirely within Safari without triggering XProtect. Open Safari, go to the menu bar and select Safari, then Settings, then Extensions. Review every installed extension. If anything appears that you did not deliberately install, disable it immediately by unchecking its box, then click Uninstall.
Next, check your default search engine (Safari Settings, then Search) and homepage (Safari Settings, then General). Browser hijackers frequently change these to redirect your queries through advertising networks. Your search engine should be set to Google, DuckDuckGo, or whichever provider you deliberately chose. Your homepage should be whatever you originally set it to.
While you are in Safari settings, verify that "Fraudulent Website Warning" is enabled under the Security tab. This feature uses Google Safe Browsing data to alert you when a page attempts to distribute malware or phish credentials.
When built-in tools are not enough
XProtect, Gatekeeper, Activity Monitor, and Login Items handle the vast majority of threats a typical Mac user encounters. There are two scenarios where they fall short.
The first is zero-day malware that has not yet been added to XProtect’s signature database. Apple updates XProtect definitions frequently, but there is always a window between when a new threat appears and when Apple pushes a signature for it. During that window, XProtect cannot detect it. The behavioral signals in Activity Monitor (unusual CPU, memory, or network activity) become your primary defense.
The second scenario is credential theft that happens outside your Mac entirely. If an attacker phishes your Apple Account password or iCloud credentials through a fake login page, no amount of on-device scanning will catch it. This is where hardware-based authentication becomes the critical second layer.
Lock your accounts with phishing-resistant hardware
A clean Mac is only half of the security picture. The accounts you log into from that Mac are the actual targets. Infostealers that have doubled in prevalence across macOS in recent quarters focus on extracting saved passwords, browser cookies, and session tokens. Even if you catch and remove the malware, any credentials it already captured remain compromised.
A physical security key eliminates the most dangerous attack vector: phishing. Unlike SMS codes or authenticator apps, a hardware key uses cryptographic challenge-response authentication that is bound to the legitimate website’s domain. A fake login page cannot trigger the key because the domain does not match. This is why FIDO2-certified security keys are the only authentication method that stops credential phishing at the protocol level.
The YubiKey 5C NFC plugs directly into any USB-C port on a MacBook, iMac, Mac Mini, or Mac Studio, and it also works wirelessly via NFC with iPhone for securing your Apple Account on mobile. It supports FIDO2, WebAuthn, and hardware-bound passkeys across more than a thousand services, including Google, Microsoft, Apple, 1Password, and Bitwarden. At 4.3 grams, it sits on a keyring without adding bulk, and the IP68 rating means it survives accidental drops into water, dust, and daily pocket abuse. The tactile feedback when you tap the gold disc to authenticate is distinct and deliberate, the kind of physical confirmation that an app-based code can never replicate.
If you want to lock down your privacy settings on iPhone as well, pairing a YubiKey with iOS 26’s passkey support creates a unified security layer across both devices.
Pick up the YubiKey 5C NFC on Amazon https://www.amazon.com/dp/B08DHL1YDL?tag=zoneofmac-20
Accessibility and clarity
Every step in this guide uses text-based navigation (System Settings, then General, then Login Items and Extensions) rather than relying on icon colors or visual-only cues. Activity Monitor’s process list is fully compatible with VoiceOver, and the Info panel for each process reads aloud the process name, path, and resource usage. Terminal commands produce text output that VoiceOver reads sequentially.
The YubiKey 5C NFC provides haptic and visual feedback when authenticating (a brief flash of the green LED and a tactile pulse through the gold disc), making it usable for readers with low vision. The NFC tap workflow on iPhone also triggers a standard haptic response.
From a cognitive accessibility perspective, this guide follows a linear sequence: verify automatic protections first, then run manual inspections, then harden accounts. Each section focuses on a single tool and a single action so you do not need to hold multiple concepts in working memory simultaneously. The checklist at the end provides a distraction-free reference for repeat use.
Quick-action checklist
- Open Terminal and run system_profiler SPInstallHistoryDataType | grep -A 2 "XProtect" to confirm XProtect definitions are current.
- Go to System Settings, then Privacy and Security, then Security. Verify "Allow applications from" is set to "App Store and Known Developers."
- Open Activity Monitor from Applications, then Utilities. Sort by CPU, then Memory. Investigate any unfamiliar process by selecting it and clicking the Info button.
- Go to System Settings, then General, then Login Items and Extensions. Remove or disable anything you did not install.
- Run ls ~/Library/LaunchAgents/ in Terminal. Research any .plist file you cannot trace to a known app.
- Open Safari Settings, then Extensions. Remove anything you did not deliberately install.
- Verify your Safari search engine and homepage have not been changed.
- Go to System Settings, then General, then Software Update. Install any pending macOS updates.
- Consider adding a FIDO2 hardware security key like the YubiKey 5C NFC to your Apple Account, Google, and password manager for phishing-resistant login.
Once your Mac passes this security audit, you might also want to reclaim hidden storage space in macOS Tahoe since leftover files from removed apps (including removed malware) can accumulate in Library caches without triggering any warnings.
Tori Branch
Hardware reviewer at Zone of Mac with nearly two decades of hands-on Apple experience dating back to the original Mac OS X. Guides include exact settings paths, firmware versions, and friction observations from extended daily testing.