Removing Malware from MACs

Steps by Step Guide to Removing Malware from MACs

Removing Malware from MACs is a guide for anyone who has a MAC laptop or desktop. What steps can you take to remove Viruses, Bots, Malware, Unwanted Programs, Plug-ins and Other “unwanted” Software from your MAC OS. These steps also include the precautions for Ransomware. 

(version 1.0)

Security Wave 1 – Protecting your MAC

Ransomware, virus, malware, phishing, botnets, plug-ins, applications, and other miscreant software are all trying to get into your computers, your devices, and all the “connected things” in your home. This is a first step for MAC users to protect their core MACs. The MAC would be the first security wave to protect your home, your family, and your community.

Step 1 – Backup Your MAC

Backing up your MAC is always the first step. If you are not backing up your MAC, now would be a good time to start. There are two major backup options with Apple: Time Machine and iCloud Drive. Time Machine is a complete backup while iCloud Drive saves the most critical files. It is recommended to do both! This recommendation applies even if you use a 3rd party backup solution.

 

Check out these articles for those looking for other Mac backup options:

• Best Way to Backup Your MacBook and iMac By Jon Henshaw
• How to back up a Mac from MacWorld

Step 2 – Check the Health of your Disk with MacOS’s Disk Utility First Aid

Make sure your disk is OK before continuing with all the checks. Notice the first thing we did is back up your Mac. Now we check the drives on the Mac using the Disk Utility.

 

 

From Apple’s macOS Disk Utility Users Guide:

1. In the Disk Utility app on your Mac, choose View > Show All Devices.
2. Select a disk or volume in the sidebar, click the First Aid button , then click Run.
   If you run First Aid on a disk, Disk Utility checks the partition maps on the disk and performs some additional checks, then checks each volume. If you run First Aid on a volume, Disk Utility verifies all the contents of that volume only.
3. If Disk Utility tells you the disk or volume is about to fail, back it up and replace it. You can’t repair it.
   If Disk Utility reports that the disk appears to be OK, you’re done. Otherwise, you need to repair the disk.

Step 3 – First Round of Malware Checks with Malwarebytes (Free Version)

Don’t us just one anti-malware/anti-virus solution. This MAC security inspection will use two. Each has “different points of view” and approaches to look for malware, viruses, trojans, and other “miscreant” tools. Malwarebytes is the solid “first scan” in the security community. Malwarebytes has a “download and scan for free” function that allows us to clean up then delete (selection of which anti-malware/anti-virus security tool will come in a later phase).

• Download Malwarebytes for Free (https://www.malwarebytes.com/mac/)
• Do not buy Malwarebytes. We are just going to use the free scan checks.
• What does Malwarebytes check for on the system?

We will delete Malwarebytes at the end of the cleanup process. Evaluating if you want it as possible defensive tools will come later.

 

Step 4 – Second Round of Virus & Malware Scanning

Many of the anti-virus solutions offer a free version. Some have a “try before you buy.” Some have a “free version” along with a paid “premium” version. Leverage these free options.

Here are three options for the MAC that will allow you to load a free version, use that version to clean your MAC, then be OK with you deleting after the cleanup steps.

• Avast: https://www.avast.com/en-us/mac
• AVG: https://www.avg.com/en-ww/homepage#mac
• Avira: https://www.avira.com/en/free-antivirus-mac
• Sophos: https://home.sophos.com/en-us/download-mac-anti-virus.aspx

Any example is Avast (taking the first one alphabetically), you would:

1. Download and install Avast for the Mac.
2. Run a Full System Scan
3. Use the report to correct any issues found.
4. Leave Avast installed for removal at the end of the cleanup process.

 

Step 5 – Check & Remove Malicious Profiles

Apple has added the profile feature to provide organizations “flexibility” to remotely manage the Macs. Of course, cybercriminals use profiles to activate apps, remote logins, change DNS settings, change the default web settings, and other tools to keep the Mac “infected” and under “criminal control. These get installed through web scripts, social engineering, and other seemingly “friendly” applications.

Full Speed PC has a good YouTube illustration on how to check and remove Malicious Profiles in How To Remove A Mac Computer Virus, Malware, Spyware, Maintenance, And Cleaning 2019. Go to Time Stamp 5:50 (click here) to see his Malicious Profile Removal steps.

In essence, if you see Profiles in your Systems Preferences, there is a high chance you have been tricked into installing a malicious profile.

 

How bad can MacOS’s Profiles be abused? Check out Apple’s Developers Reference for Configuration Profile Reference. It shows you how to configure Restrictions on device features, Wi-Fi settings, VPN settings, Email server settings, Exchange settings, LDAP directory service settings, CalDAV calendar service settings, Web clips, Credential/keys, and many more.

Step 6 – Web Browser Clean, Security Check, & Optimization

You will be amazed at how many extensions and plugins get added to your browsers. Some you might need (like a Grammer checker). Others are just neat when you load, but you end up using once, then forget.

For this exercise, we will TURN OFF (Disable) all browser extensions and plugins! You can always turn them back on later. The objective is to find and clean up criminal infections on your Mac.

How do you turn them all off? Give thanks to Full Speed PC. He has an excellent YouTube walkthrough for Chrome, Firefox, and Safari in his video How To Remove A Mac Computer Virus, Malware, Spyware, Maintenance, And Cleaning 2019. Go to

• Google Chrome @ Time Stamp 6:41 (click here)
• Mozilla Firefox @ Time Stamp 9:35 (click here)
• Safari @ Time Stamp 11:04 (click here)

Step 7 – Apple Software Updates

Now we check for software updates. We check now after a good backup, checking the health of the disk, and doing two rounds of malware/virus inspections.

Apple provides details update instructions via How to update the software on your Mac.

One of Apple’s security strong points is its push to get everyone upgrades to the latest software. This upgrade push is usually right before a discovered exploit is used by cybercriminals and miscreants. Pay attention to Apple’s upgrade notices.

Note: Once you have upgraded, it might be prudent to do another backup.

Step 8 – Audit the Login Items

Apple allows you to open applications, documents, folders, execute scripts, or server connections when you log in to your Mac.

 

 

Full Speed PC’s. security walkthrough illustrates how to do an audit of your login. He has an excellent YouTube walkthrough for Chrome, Firefox, and Safari in his video How To Remove A Mac Computer Virus, Malware, Spyware, Maintenance, And Cleaning 2019. Go to Time Stamp 13:2 (click here) to see an example of a Login Startup Audit.

Step 9 – Check and Use MAC Security Settings

Apple has a suite of security features and practices to keep its customers safe. A summary of these features can be reviewed via Apple’s macOS Security Page and in detail in this white paper: macOS Security – Overview for IT.

For this step, we will check the following MAC Security Settings (access via your System Preferences):

• Require Password to unlock the screen saver. This is a common-sense security practice for any device. See Require a password after waking your Mac for more information.
• Disable Automatic Login. Ensuring you must have a password when the computer first starts up is an essential security practice. Check to ensure this option is selected.
• Turn on Filevault (Encrypted Disk). Apple has detailed instructions on this helpful guide: Use FileVault to encrypt the startup disk on your Mac. FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk.
• Turn on the macOS Firewall. The firewall is default off. Make sure it is on. For more details, check out macOS: About the application firewall. It is worth using the macOS default application firewall. This firewall is does not need to be fancy. It can be used to control connections made to your computer from other computers on your network.

Step 10 – Look for more nastiness with CCleaner

CCleaner is another step to look for files, configurations, and other settings that are contributing to the security risk on your Mac. Again, we will run the free version for this check.

Download, Install and run https://www.ccleaner.com/ccleaner/download?mac

Just use the default CCleaner settings.

10. (Time Stamp 16:42) Removal of all bad applications and programs:

Step X – Clean Up Applications and Remove all the Security Applications uses for this Malware Removal

• Remove CCCleaner, the Anti-Virus, and Malwarebytes Applications. Later you can determine which security tools are best for your
• Review all your Application in the Application folder. Delete any which you are not using. It is best to declutter your Mac. Use a Google search on the application to figure out if you still need it. You can also use sites like Should I Remove It? to find more information about applications.

Step Y – RESTART YOUR MAC 

All these steps are part essential to removing malware from your MACs, but it might it is not the end of your security journey. There are more “Security Waves” which are needed to safe guard your family, home, and community. 

Advance Steps – What if the Malware Persist?

Criminals will persist when there is criminal gain. All of the above steps might not catch everything. You might try a different anti-virus package to see if that one catches something missed by the others. What follows is a living list of articles and references for people who wish to keep on digging. But, be mindful that you may need back up all your data and do a complete system rebuild.

• SentinalOne Guide: How Malware Persists on Macros
• How To Erase and Reset a Mac back to factory default

How often should I check?

Check whenever you need to have that “gut feeling” that something is not right. It may be the Mac acting up. Or it could be something else. Other than that, run through this process at lease once every few months.

Good “Removing Malware from MACs” Reference Videos

There are several good walk-through reference videos that help you understand many of these steps. More will be added over time.

• Full Speed PC produced a very good video How To Remove A Mac Computer Virus, Malware, Spyware, Maintenance, And Cleaning 2019. He provides an easy to understand walkthrough.

Need Security Advice?

If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at bgreene@senki.org. Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.