How to remove MacDefender fake antivirus program

It's long been known that Macs aren't impervious to malware, and a recent fake antivirus program calling itself MacDefender appears to have affected more people than previously thought. Here's how to clean your Mac.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.

A new malware infection has apparently been spreading relatively rapidly among Mac users, and it's unclear both how pervasive the infection is and whether Apple is addressing the problem. What is known, however, is how to get rid of it.

What is it?
Most often called MacDefender, but also known as MacProtector and MacSecurity, this bit of malware is a socially engineered threat of a type that's more familiar to Windows users. It often starts with a Web advertisement that suckers you into downloading a rogue antivirus program, which purports to protect you. In fact, once installed it engages in several malicious activities. These can include stealing your usernames and passwords; disabling your firewall and other legitimate security programs you might have installed; and pummeling you with repeated pop-ups that nag you to buy a fake upgrade (which, if you get it, just sends money to the malware's developer).

In this particular case, MacDefender runs after you install it, and then tells you your computer is infected. To "clean" the infections, you have to register the program, which involves providing your credit card number. If you've happened to fall victim to this and you've submitted your credit card info, cancel the card immediately and verify that all recent charges are legitimate.

There have also been Web-forum reports from MacDefender victims that the malware has been popping up pornographic Web sites and ads, though these reports remain unverified.

MacDefender has been targeting Safari users, though it could easily aim for users of other browsers. Be sure you've changed your browser settings so that the computer doesn't automatically install downloaded programs. You can do this in Safari by going to Preferences, then General, and unchecking the "Open 'safe' files after downloading" box. There is no option in Firefox for Mac to automatically run downloaded files. Chrome 11 not only appears to have the option, but there also doesn't seem to be a way to turn it off.

How to remove rogue antivirus programs
On any platform, rogue antivirus programs are resistant to standard program removal procedures. This means you can't just drag one to the trash.

First, close the Scan window that's opened. Then launch the Activity Monitor by going to your Applications folder, then the Utilities folder. You can also use the hot key combo of Shift+Command+U from the desktop. Manually find all processes with names that match the rogue antivirus infection. These include the aforementioned MacDefender, MacProtector, and MacSecurity, but you might be infected with a new variant that will have a similar but not identical name.

Highlight the process, then click the Quit Process button. If a pop-up appears asking if you are sure, click the Force Quit button on the left.

Next, go back to the Applications folder, and find your rogue antivirus program. Again, it will likely be called MacDefender, MacProtector, or MacSecurity. Move the program to the Trash, and then empty the Trash. It's OK to enter your system password if prompted when emptying the Trash.

Now click the Apple Menu from the upper left of the desktop taskbar and go to System Preferences, then System, Accounts, and click Login Items. This will open a window with a list of programs that automatically start when OS X boots up. Find the rogue antivirus program in the list, MacDefender or one of its malevolent brethren, click on it and then find the Minus button at the bottom of the window. Click the Minus button, which will remove the program from startup.

Be sure you've followed all these steps; otherwise, the rogue antivirus program will reinstall itself the next time you reboot your computer. Also, be extremely careful about installing programs from unknown sources. It's never a good idea, on any platform, to automatically install a program or app after downloading, unless you're 100 percent positive it comes from a safe source.
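
To confirm that none of the three places covered by the removal steps still holds the program, here is a read-only check script, added as an example and not part of the original article. The function names are made up for illustration, it matches only the three names given above (a renamed variant needs a manual look), and it assumes login items can be listed through the System Events query shown.

```shell
#!/bin/sh
# Added example: read-only check for leftovers of the rogue AV after removal.
# The three names come from the article; a renamed variant will not match.
ROGUE_NAMES='MacDefender|MacProtector|MacSecurity'

# Keep only stdin lines that mention one of the names (case-insensitive).
match_rogue() {
    grep -Ei "($ROGUE_NAMES)" || true   # no match is not an error
}

# Step 1 (Activity Monitor): expects "PID command" lines on stdin.
rogue_procs() {
    match_rogue
}

# Step 2 (Applications folder): lists matching entries in the given folder.
rogue_apps() {
    dir=${1:-/Applications}
    [ -d "$dir" ] || return 0
    ls -1 "$dir" | match_rogue
}

# Step 3 (Login Items): expects the comma-separated list osascript prints.
rogue_login_items() {
    tr ',' '\n' | sed 's/^ *//' | match_rogue
}

# Run all three checks on the live system; returns 1 if anything is left.
scan_all() {
    hits=$(
        ps -ax -o pid= -o comm= | rogue_procs
        rogue_apps /Applications
        osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null | rogue_login_items
    )
    if [ -z "$hits" ]; then
        echo "No MacDefender, MacProtector or MacSecurity leftovers found."
        return 0
    fi
    echo "Still present (finish the removal steps for each):"
    printf '%s\n' "$hits"
    return 1
}

# Only touch the live system on a Mac; elsewhere the functions can be fed
# constructed input for testing.
if [ "$(uname -s)" = "Darwin" ]; then
    scan_all
fi
```

Run it once after emptying the Trash and again after the next reboot; any output line points to the step that still needs finishing.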

Just as with Windows, there are numerous paid and free antivirus programs for Mac. ClamX AV, iAntiVirus Free, and Sophos Anti-Virus for Mac Free are all good, reputable, and free Mac antivirus programs.