
is: an improvement to the built-in XProtect malware detection system included with Mac OS X.

because: after reading Sarah Edwards' excellent presentation on reverse-engineering Mac malware, I became aware of some very obvious shortcomings with XProtect.


XProtect vs. filecheckerd

| XProtect | filecheckerd |
| --- | --- |
| only things downloaded via the quarantine API | any new or changed files |
| only known Mac malware | all known malware, irrespective of platform[1] |
| definitions irregularly updated | definitions updated all the time (uses API) |
  • we live in a dual- (or multi-) boot world. To exclude Windows or Linux malware commits the same sort of error ("But the Mac is only 10% of the market!") that people previously used to justify ignoring the Mac market. I personally railed against this kind of thinking for years. I used to make my living arguing the other side of that.

  • if you like filecheckerd, please, please consider using the link below to donate to the good folks at, upon whose backend API this product relies.

Technical stuff

  • filecheckerd is a GCD-modified (that is, multi-threaded) version of Amit Singh's excellent /dev/fsevents code, with some additional bits thrown in.
    • any creation/change/touch/chmod/chown is a trigger
    • files with executable permissions or the "wrong" file extensions (exe, com, js, etc.) are hashed.
  • it also uses DiskArbitration to detect the mounting of volumes to /Volumes.
    • files on the newly mounted volume are then also recursively hashed.
  • hashes are dispatched to's API; matches are quarantined in the currently logged-on user's .Trash folder.
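
The selection-and-hash step from the list above, sketched in Python as an added example (not filecheckerd's own code, which is C). The function names and the choice of SHA-256 are assumptions; the page names neither the hash algorithm nor the full extension list, and the API lookup and quarantine steps are left out.

```python
import hashlib
import os
import stat
import tempfile

# Extensions named on the page (its list ends in "etc.", so this set is partial).
SUSPECT_EXTENSIONS = {".exe", ".com", ".js"}

def should_hash(path):
    """True for regular files that are executable or carry a suspect extension."""
    try:
        st = os.lstat(path)  # lstat: never follow a symlink found on the volume
    except OSError:
        return False  # file vanished between the event and the check
    ext = os.path.splitext(path)[1].lower()
    selected = bool(st.st_mode & 0o111) or ext in SUSPECT_EXTENSIONS
    return stat.S_ISREG(st.st_mode) and selected

def hash_file(path, chunk_size=65536):
    """SHA-256 of the contents, read in chunks (the algorithm is an assumption)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_volume(root):
    """Recursively hash every selected file under root (the mounted-volume case)."""
    results = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if should_hash(path):
                try:
                    results[path] = hash_file(path)
                except OSError:
                    continue  # unreadable or removed mid-scan
    return results

def demo():  # scan a constructed sample tree; returns {relative path: hash}
    modes = {"notes.txt": 0o644, "setup.EXE": 0o644, "sub/tool": 0o755, "sub/page.js": 0o600}
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in modes.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample " + rel.encode())
            os.chmod(path, mode)
        return {os.path.relpath(p, root): h for p, h in scan_volume(root).items()}
```

Extension matching is case-insensitive here, so `setup.EXE` is selected even without execute permission, while `notes.txt` is skipped.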


ideally, you'd get this from github, build it, and be on your way. if that's not your style, though, you can get it pre-built from me at eventually.


filecheckerd is Copyright 2014 Terence Goggin. Portions are Copyright Amit Singh.

[1] seriously. I tested by downloading conficker.


Improved malware detection for Mac OS X





