Improved malware detection for Mac OS X
filecheckerd is: an improvement to the built-in XProtect malware detection system included with Mac OS X.

because: after reading Sarah Edwards' excellent presentation on reverse-engineering Mac malware, I became aware of some very obvious shortcomings with XProtect.


XProtect vs. filecheckerd

| XProtect | filecheckerd |
| --- | --- |
| only things downloaded via the quarantine API | any new or changed files |
| only known Mac malware | all known malware, irrespective of platform[1] |
| definitions irregularly updated | definitions updated all the time (uses API) |
  • we live in a dual- (or multi-) boot world. To exclude Windows or Linux malware commits the same sort of error ("But the Mac is only 10% of the market!") that people previously used to justify ignoring the Mac market. I personally railed against this kind of thinking for years. I used to make my living arguing the other side of that.

  • if you like filecheckerd, please, please consider using the link below to donate to the good folks at, upon whose backend API this product relies.

Technical stuff

  • filecheckerd is a GCD-modified (Grand Central Dispatch, that is, multi-threaded) version of Amit Singh's excellent /dev/fsevents code, with some additional bits thrown in.
    • any creation/change/touch/chmod/chown is a trigger
    • files with executable permissions or the "wrong" file extensions (exe, com, js, etc.) are hashed.
  • it also uses DiskArbitration to detect the mounting of volumes to /Volumes.
    • files on the newly mounted volume are then also recursively hashed.
  • hashes are dispatched to's API; matches are quarantined in the currently logged-on user's .Trash folder.
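An added illustration of the trigger and quarantine rules above, written for this page and not taken from the filecheckerd source: it recursively hashes the files a newly mounted volume would contribute, looks each hash up in a local known-bad set that stands in for the remote API, and moves matches into a .Trash folder. The extensions beyond exe/com/js, the choice of SHA-256 and the constructed sample volume are assumptions.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

# Extensions the page calls "wrong" (exe, com, js, etc.); the rest are assumed.
SUSPECT_EXTS = {".exe", ".com", ".js", ".scr", ".bat", ".vbs"}

def needs_hash(path: Path) -> bool:
    """Trigger rule: any executable permission bit, or a suspect extension."""
    return bool(path.stat().st_mode & 0o111) or path.suffix.lower() in SUSPECT_EXTS

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_volume(root: Path, known_bad: set, trash: Path) -> list:
    """Recursively hash qualifying files (as for a newly mounted volume) and
    move matches into `trash`. `known_bad` is a local stand-in for the
    remote hash-lookup API the daemon queries."""
    quarantined = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not needs_hash(p):
                continue  # skip symlinks so a link cannot redirect the scan
            if sha256_file(p) in known_bad:
                trash.mkdir(parents=True, exist_ok=True)
                dest, i = trash / p.name, 1
                while dest.exists():  # never clobber an earlier quarantined file
                    dest, i = trash / f"{p.stem}.{i}{p.suffix}", i + 1
                shutil.move(str(p), str(dest))
                quarantined.append(dest)
    return quarantined

def demo() -> list:
    """Constructed sample volume: an executable dropper and a .js file carry
    the known-bad bytes; a .txt with the same bytes is never a trigger."""
    base = Path(tempfile.mkdtemp())
    vol, trash = base / "Volumes" / "USB", base / ".Trash"
    (vol / "bin").mkdir(parents=True)
    bad = b"constructed sample: not real malware\n"
    (vol / "bin" / "updater").write_bytes(bad)
    (vol / "bin" / "updater").chmod(0o755)
    (vol / "loader.js").write_bytes(bad)
    (vol / "readme.txt").write_bytes(bad)
    known_bad = {hashlib.sha256(bad).hexdigest()}
    return sorted(q.name for q in scan_volume(vol, known_bad, trash))
```

Running `demo()` quarantines the executable and the .js file and leaves the .txt in place, which is exactly the gap between "anything new or changed" and "only files that match the trigger rule" that the daemon relies on to keep hashing cheap.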


ideally, you'd get this from github, build it, and be on your way. if that's not your style, though, you can get it pre-built from me at eventually.


filecheckerd is Copyright 2014 Terence Goggin. Portions are Copyright Amit Singh.

[1] seriously. I tested by downloading Conficker.
