Folder Actions for Malware Detection

Use “Folder Actions” In OS X For Malware Detection

Blogger Jacob Salmela came up with a really simple way to help you detect an installation of malware in OS X by using a built-in resource (Folder Actions) of the operating system itself.  To drive their malware, bad guys attempt to get a LaunchDaemon or LaunchAgent installed in one or more of the following locations on your computer:

/Library/LaunchDaemons

/Library/LaunchAgents

/System/Library/LaunchDaemons

/System/Library/LaunchAgents

/Users//Library/LaunchAgents

Salmela’s solution is to use a feature (Folder Actions) on each of these locations to alert you when an item is added to any of the above folders.  This allows you to see what is being added, and make a decision to keep the newly added item (if you recognize it), or simply delete it.

Here’s how to set it up:

Enable Folder Actions

  1. Right-click one of the folders listed above
  2. Choose Services > Folder Actions Setup…
  3. Check Enable

Assign A Folder Action

  1. Click the plus sign on the right side of the window
  2. Highlight add - new item alert.scpt
  3. Click Attach

Repeat these steps for each folder you want to check.  When a new item is added to any of these folders, you will see a pop-up window asking if you want to view the new addition.

There you have it.  A simple and elegant solution for malware detection that is also FREE!
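
A command-line complement to the Folder Actions setup above, added here as an example and not taken from Salmela's post: it records a baseline listing of the same launchd folders and reports anything added since. The `STATE_DIR` location and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: baseline-and-compare check for the launchd folders in the article.
# STATE_DIR and all function names are assumptions of this example.
STATE_DIR="${STATE_DIR:-$HOME/.launch-watch}"

# List every item directly inside the given folders, sorted.
# With no arguments, use the article's folders (per-user one taken from $HOME).
snapshot() {
    [ $# -gt 0 ] || set -- /Library/LaunchDaemons /Library/LaunchAgents \
        /System/Library/LaunchDaemons /System/Library/LaunchAgents \
        "$HOME/Library/LaunchAgents"
    for d in "$@"; do
        [ -d "$d" ] || continue          # skip folders that do not exist
        find "$d" -mindepth 1 -maxdepth 1 -print
    done | LC_ALL=C sort
}

# Record the current contents as the reviewed, known-good baseline.
save_baseline() {
    mkdir -p "$STATE_DIR" && snapshot "$@" > "$STATE_DIR/baseline.txt"
}

# Print items present now but absent from the baseline.
# Returns 0 if nothing was added, 1 if something was, 2 if no baseline exists.
new_items() {
    if [ ! -f "$STATE_DIR/baseline.txt" ]; then
        echo "no baseline; run 'baseline' first" >&2
        return 2
    fi
    snapshot "$@" > "$STATE_DIR/current.txt"
    added=$(LC_ALL=C comm -13 "$STATE_DIR/baseline.txt" "$STATE_DIR/current.txt")
    if [ -n "$added" ]; then
        printf '%s\n' "$added"
        return 1
    fi
    return 0
}

# Usage: script.sh baseline [folder...]   or   script.sh check [folder...]
case "${1:-}" in
    baseline) shift; save_baseline "$@" ;;
    check)    shift; new_items "$@" ;;
esac
```

Like the Folder Action, this reports additions only; after reviewing and accepting a new item, run `baseline` again so it is not reported twice.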

Source:

OSX: Roll-Your-Own Malware Detection  |  Jacob Salmela
