Malware on Apple Mac Computers

The Mac OS X OS is very robust against malware attacks, as long is you do not click on the links from a website, popup or email!

Here’s an example

Removal Instructions for Mac Defender Malware


  1. 1.Print out these instructions so it will be easier to reference it as you follow these steps.

  2. 2.As Mac Defender will stay on top of any other programs that are running, we first want to close the program so that we can see the other screens that we need to open during this cleaning process. Please close this window by clicking on the red close (X) button in the top left of the Mac Defender Windows. The button that you need to click in order to close the window is shown below:

  3. 3.Next you should click on empty portion of your desktop so that the Finder is selected. Once it is selected, click on the Go button and select Utilities as shown in the image below.

  4. 4.The Utilities folder should now appear as shown in the image below.

  5. 5.Locate the Activity Monitor icon and double-click on it. 

  6. 6.The Activity Monitor should now be displayed on your screen. This program lists all the processes that are currently running on your Mac OS and allows us to terminate specific programs that may be running. Scroll through the list of processes and left click on the process named MacDefender as shown in the image below.

  7. 7.Once the process is selected click on the Quit Process button. When a prompt appears asking if you are sure you want to quit the MacDefender process, please click on the Force Quitbutton. When you have finished, Mac Defender should no longer be running on your Mac and you can now close the Activity Monitor and the Utilities window.

  8. 8.While still at the Finder, click on the Go button and select the Applications menu option. When the Applications folder is displayed, scroll through the list of programs until you see a program named MacDefender. When you find the program, right-click on it and select the Move to Trash menu option. If MacOS prompts you for your password, please enter it. The MacDefender application will now be removed from the operating system. 

  9. 9.Now click on the Apple Menu (
    and select the System Preferences menu option. When the System Preferences screen opens, select the Accounts option under the System category. When the Accounts screen opens, click on the Login Items button. This will open a screen, similar to the one below, that displays a list of programs that will automatically start for this particular user when they login to the operating system.

  10. 10.Look through the list of programs that are starting automatically, and single click on the entry named MacDefender. Once it is selected, click on the minus (-) sign button, as indicated by the red arrow in the image above. Once you click on the minus button the Mac Defender entry will be removed and MacOS will no longer attempt to start it when you login.

  11. 11.Now that Mac Defender is no longer running, we need to change a setting in Safari so that these types of programs are not automatically run on your computer in the future. By default Safari opens and launches programs that it considers safe to run. These programs include movies, pictures, sounds, PDFs, text documents, archives, and disk images. Due to this, these types of infections are able to be downloaded and automatically run on your Mac. To fix this, start the Safari program and then click on the Safari menu option. From the Safari drop down menu, select Preferences. This will open the Preferences screen as shown below. When the screen opens, if you are not on the General settings screen, please click on the General button.

  12. 12.You should now uncheck the checkbox labeled Open "safe" files after downloading as shown in the image above. After unchecking this box you can close the Preferences screen and Safari.

Your computer should now be free of the MacDefender program and Safari should be secure so that it does not automatically launch these types of programs again in the future.

Mac Defender strikes again; Apple fights back

by Ted Landau,   May 27, 2011 10:40 am

The Mac Defender Trojan Horse phishing scam was back in the news this week. Twice.

First, a more virulent variation of the malware was detected. In this latest iteration, the phony program is named MacGuard. The new wrinkle is that it doesn’t require an administrator’s password to install. This means that any user on a Mac has the authority to install the malware. Of course, unless said user also had a credit card number to offer, this does not significantly alter the risk.

Second, a new Apple support article revealed that Apple is working on an update to Mac OS X (presumably 10.6.8) that will “automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.”

The support article went on to offer recommendations on how to remove the malware if you inadvertently fall victim to this scam prior to the release of 10.6.8.

Meanwhile, a prior report (unconfirmed by Apple) cited an internal Apple memo advising AppleCare employees not to “confirm or deny whether the customer’s Mac is infected (by the malware) or not.” Not surprisingly, critics jumped all over this. For example, Infoworld’s Robert X. Cringely lamented that this was yet another example of Apple being “arrogant beyond belief and helpful only when forced into a corner.”

My view is more benign. While I wish Apple had been more helpful out-of-the-gate, I can understand Apple’s reluctance to offer advice over the phone—potentially leading to making a bad situation worse if instructions are not correctly followed—before Apple fully understood what they were dealing with. In a worst case scenario, I could see Apple exposed to a lawsuit, with users seeking to recover damages incurred by Apple’s supposed “bad” advice. Regardless, Apple has apparently concluded its investigation and has responded in an appropriate manner.

How will Apple’s update work?

I was especially intrigued by the promised specificity of Apple’s upcoming fix. It is one of the very few times that Apple has included code in Mac OS X that is targeted at a specific security threat. In fact, the only other targeting (of which I am aware) is the XProtect.plist file of malware definitions included in Mac OS X 10.6. The protection offered here remains limited. Back in 2009, the file included only two definitions: one each for RSPlug.A and iService. As of the current Mac OS X 10.6.7, the file has added definitions to protect against two further attacks: HellRTS and OpinionSpy.

Even in cases where the XProtect.plist file is of value, the protection is only against installing the software. The feature offers no way to remove malware after it has been installed. This is in apparent contrast to the upcoming Mac OS X update, which promises to “find and remove Mac Defender.” It will be interesting to see exactly how Mac OS X 10.6.8 implements this removal. Will it work via the XProtect.plist file or via some other mechanism?

This also has me wondering about Apple’s plans for the future. Is this response to Mac Defender a limited deal for Apple? Or does it now plan to regularly update Mac OS X to cope with the latest malware and virus attacks? My guess is that Apple will assess each threat on a case-by-case basis. Don’t expect an identical response from Apple to all future attacks.

The larger view

Overall, similar to what Rich Mogull argued here at Macworld, I consider Mac Defender to be a rather low risk threat. Most users will never confront any Mac Defender variant. And those that do will still need to be “tricked” by the software before they are in any real danger. At the same time (as I covered in a previous Bugs & Fixes column), you should remain suspicious of any and all unsolicited requests to install software or provide confidential information. This is not difficult to do and it doesn’t require any third-party software (such as Intego’s VirusBarrier). Being appropriately vigilant while recognizing that the risk of an “infection” is small are not inconsistent or mutually exclusive propositions.