CleanMachine's native malware scanner checks launch agents, login items, temp directories, browser extensions, shell scripts, and configuration profiles, right out of the box. No Homebrew, no dependencies, nothing to install.
macOS 13+ · Apple Silicon & Intel · Zero external dependencies
The "Macs don't get viruses" era is over. macOS malware hides in specific places, and CleanMachine knows where to look.
Unlike Windows malware that installs system-wide, Mac malware typically achieves persistence through legitimate macOS mechanisms that most users never check:
These locations are designed for legitimate software too, which is why they're so effective for malware. A malicious Launch Agent looks exactly like a legitimate one. CleanMachine pattern-matches against known suspicious behaviors: curl/wget callbacks, base64 payloads, /tmp/ execution, and known malicious bundle identifiers.
Malicious browser extensions are one of the most common ways Macs get compromised. They can capture passwords, redirect searches, inject ads, and exfiltrate browsing data. CleanMachine scans Chrome, Firefox, Safari, Brave, and Edge extensions and flags known bad extension IDs.
Some sophisticated malware adds one-line callbacks to ~/.zshrc or ~/.bashrc, scripts that run every time you open a Terminal window. These are invisible to most users. CleanMachine reads your shell profiles and flags suspicious patterns.
MDM (Mobile Device Management) configuration profiles are legitimate tools used by employers to manage company Macs, but they're also used by adware to permanently redirect web traffic. CleanMachine runs profiles show and surfaces all installed profiles with risk context.
Scans ~/Library/LaunchAgents, /Library/LaunchAgents, and /Library/LaunchDaemons. Pattern-matches for suspicious commands, unsigned binaries, and known bad labels.
Scans /private/tmp and temp caches for MachO executables hiding as data files. Detects by magic bytes, not just extension.
Checks background task management directories and flags apps with known malicious bundle identifiers.
Reads your crontab and flags suspicious commands: network callbacks, script downloads, and unusual execution paths.
Scans for .app bundles starting with "." in your Applications folder, a common trick to hide malware from casual inspection.
Cross-references installed extensions in Chrome, Firefox, Safari, Brave, and Edge against a database of known malicious extension IDs.
Reads ~/.zshrc, ~/.bashrc, ~/.bash_profile, and ~/.zshenv for one-line callbacks and suspicious commands that execute on every Terminal open.
Enumerates all installed MDM profiles. Normal on company Macs; a red flag on personal machines you've never enrolled in management.
Live view of every external TCP connection your Mac is making, with country flags, geolocation, and organization name. See if something is phoning home.
Lists all open listening ports with risk badges: Safe (known service), Unknown, and Exposed (high-risk). Unexpectedly open ports are a common malware indicator.
Shows which apps have been granted access to camera, microphone, screen recording, and location, with timestamps. Spot permissions you never intended to grant.
One-tap privacy mode: locks screen, kills apps with screen recording access, scans for root certificates that could enable MITM attacks, then wipes browser history, clipboard, and temp files on exit.
Download CleanMachine and run the malware scanner, completely free. See every suspicious finding with risk levels, file paths, and explanations. Only $19.99 once to unlock cleaning and removal features.
macOS 13+ · No subscription · 30-day refund guarantee
No. CleanMachine's malware scanner is completely native: no external dependencies, no Homebrew packages, no internet database. It uses pattern matching on known malware behaviors, magic-byte detection for executable files in temp dirs, and cross-referencing against known bad extension IDs and launch agent patterns. This makes it work on any Mac right out of the box.
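The magic-byte check on temp directories can be reproduced by hand as follows. This is an added example, not CleanMachine's code: the function names are hypothetical, and the cutoff of 45 used to tell a universal binary from a Java class file (both start with CA FE BA BE) is a heuristic chosen for this sketch.

```python
import os
import struct
import tempfile

THIN_MAGICS = {  # first four bytes of a thin Mach-O file, as stored on disk
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; also the Java .class magic

def classify_header(header):
    """Return a Mach-O description for a file's first 8 bytes, or None."""
    if header[:4] == FAT_MAGIC and len(header) >= 8:
        # A fat header stores a big-endian slice count next. A Java class stores
        # minor/major version there (major >= 45), so a small count means Mach-O.
        (count,) = struct.unpack(">I", header[4:8])
        if 0 < count < 45:
            return "Mach-O universal (%d slices)" % count
    return THIN_MAGICS.get(header[:4])

def scan_dir(root):
    """Return sorted (path, description) pairs for every Mach-O file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue  # skip FIFOs, sockets, devices
            try:
                with open(path, "rb") as fh:
                    kind = classify_header(fh.read(8))
            except OSError:
                continue  # unreadable or removed mid-scan
            if kind:
                findings.append((path, kind))
    return sorted(findings)

def demo():
    """Scan a temp dir of constructed sample headers (not real binaries)."""
    samples = {"cache.dat": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
               "thumb.jpg": b"\xca\xfe\xba\xbe\x00\x00\x00\x02",
               "Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
               "notes.txt": b"plain text"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), k) for p, k in scan_dir(root)]
```

Calling scan_dir("/private/tmp") on a Mac lists every file there that starts with a Mach-O header, whatever its extension; a hit is a prompt to inspect the file, not proof of malware.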
No. All scanning happens entirely on your Mac. File paths, contents, and findings never leave your machine. CleanMachine doesn't even have a server that could receive this data.
CleanMachine shows each finding with a risk badge (high/medium/low), the exact file path, and a plain-English explanation of why it's suspicious. You can tap "Show in Finder" to inspect the file yourself. Removal uses TrashManager: the file goes to CleanMachine Trash, recoverable until you confirm permanent deletion.
CleanMachine uses a trusted-vendor allowlist for common legitimate apps (Docker, VS Code, Homebrew, etc.) so known-good Launch Agents don't get flagged. Unknown Launch Agents from unusual locations may still appear as low-severity findings; use "Show in Finder" to inspect before removing anything you're unsure about.