macOS “Malware Blocked” Alerts: What They Are and How To Fix

macOS Malware Blocked alert warning dialog over the default macOS Sequoia wallpaper

If your Mac is displaying repeated “Malware Blocked” dialogs, it’s likely that macOS prevented a malicious app from running. To remove the warnings, you’ll need to delete some files that try to force the malware to open. Here’s how to do that.

What Are the “Malware Blocked” Alerts on macOS?

These alerts are exactly what they seem to be: your Mac has malware, but macOS prevented it from running. That means you’re safe, and no malicious activity took place, so there’s no reason to worry about your data’s security.

There are, however, a few actions you can take at this point, and some that you should. Let’s start with the most practical part, though, and remove these irritating warnings.

Removing “Malware Blocked” Alerts on macOS

The alerts appear because there are some files in macOS that indicate in which cases an app should open automatically. These files, called launch agents and launch daemons, have legitimate reasons to exist, like starting apps when you log in. They also help if you need an app to open at predefined times, or when performing specific actions.

However, malware abuses that feature to open automatically, stealing your data or performing other malicious actions. When macOS recognizes malware, it quarantines the app, but launch agents or daemons may keep trying to open it. That’s when the warnings appear. To stop that from happening, you’ll need to delete the launch agents and daemons that belong to the malware.

Identifying macOS Malware Launch Agents and Daemons

macOS launch agents and daemons folders

Doing that is relatively easy. Launch agents and daemons can only be stored in one of three locations:

  • /Library/LaunchDaemons
  • /Library/LaunchAgents
  • ~/Library/LaunchAgents (where ~ is your Home folder)

To remove them, open each of the folders above in Finder and look for suspicious or unrecognized names. File names for legit launch agents and daemons always follow a similar structure:

[PREFIX].[DEVELOPER].[APP NAME].plist

  • Prefix: it’s usually com, but some may be different. In the screenshot above, the rightmost folder has legit daemons with prefixes fr, org, and us.
  • Developer: it’s the developer’s name. As an example, in the center folder, there are launch agents for Logitech’s G Hub and Options+. They both feature logi as the developer name.
  • App name: may not be the exact name of the app that is opened. In the leftmost folder, Adobe has a CCXProcess launch agent, which opens Creative Cloud.
  • Plist: short for “property list”, a common configuration file type in macOS.

There are some exceptions, though. OpenRGB, which I use to control my Razer headset lights since Razer offers terrible macOS support, is one example. The launch agent is simply named OpenRGB.plist.

However, the thing is: legit developers have no need to hide their names, or the names of their apps, in the launch agents. In the center folder, there’s one Adobe launch agent that uses a random string of numbers and letters. Even that one, however, is readable as an Adobe launch agent.

For malware, you’ll often find file names that don’t specify the app being launched or the developer. They may be generic names like “LauncherAgent” or a huge string of numbers, random letters, or numbers and letters.

In this Apple Support Forums thread reply, one user showed the kind of file name you should be looking for. They’re marked in red.
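The naming check described in this section can also be run as a script. The Python below is an added example, not part of the original article: it lists files in the three folders whose names break the prefix.developer.app pattern or contain a random-looking string, and prints the program each one starts so you can judge it before deleting anything. The function names and the length thresholds are assumptions, and legitimate exceptions such as OpenRGB.plist will be listed too.

```python
import plistlib
from pathlib import Path

# The three folders the article lists.
LAUNCH_DIRS = [Path("/Library/LaunchDaemons"), Path("/Library/LaunchAgents"),
               Path.home() / "Library" / "LaunchAgents"]

def looks_random(part):
    # Assumed thresholds: 12+ characters mixing letters and digits, or 6+ digits.
    has_digit = any(c.isdigit() for c in part)
    has_alpha = any(c.isalpha() for c in part)
    mixed = len(part) >= 12 and part.isalnum() and has_digit and has_alpha
    return mixed or (part.isdigit() and len(part) >= 6)

def name_reasons(stem):
    """Explain how a file name (without .plist) departs from the usual pattern."""
    parts = stem.split(".")
    reasons = []
    if len(parts) < 3 or not all(parts):
        reasons.append("not in prefix.developer.app form")
    if any(looks_random(p) for p in parts):
        reasons.append("contains a random-looking string")
    return reasons

def launch_target(path):
    """Return the executable the plist starts, or None if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)  # handles XML and binary plists
        args = data.get("ProgramArguments") or []
        return data.get("Program") or (args[0] if args else None)
    except Exception:
        return None

def review_launch_items(dirs=LAUNCH_DIRS):
    """List plists whose names deserve a closer look; nothing is deleted."""
    findings = []
    for folder in (Path(d) for d in dirs if Path(d).is_dir()):
        for plist in sorted(folder.glob("*.plist")):
            reasons = name_reasons(plist.stem)
            if reasons:
                findings.append({"path": str(plist), "reasons": reasons,
                                 "program": launch_target(plist)})
    return findings

if __name__ == "__main__":
    for item in review_launch_items():
        print(item["path"], "->", item["program"], "|", "; ".join(item["reasons"]))
```

A listed file is a candidate for manual review, not a verdict: check the printed program path against apps you know you installed.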

Removing Suspicious Launch Agents and Daemons

To remove the malicious launch agents and daemons, restart your Mac in Safe Mode. Then, do the steps below:

  1. Open the folders listed in the previous section.
  2. Look for file names that are similar to the ones marked in red in the Apple Support Forums comment I linked above.
  3. Select these files and move them to the trash.
  4. Restart your Mac in normal mode.
  5. Wait a few minutes, if the warnings were popping up randomly or at fixed time intervals. If they appeared when performing specific actions, like opening a file, perform an action that would trigger the alert.
  6. If the alerts stop appearing, you can safely empty your trash. If they keep popping up, check for other suspicious launch agents and daemons. Remember to do that for all three folders.

The steps above won’t remove the malware itself from your Mac. They will, however, prevent it from ever opening. It’s highly unlikely they will be re-enabled by future infections, and, if they are, macOS will block them again.

The process of removing the malicious apps themselves is a bit more complex and risky. Since there’s less risk in simply leaving them quarantined, you don’t need to worry about your computer being in danger.

macOS app will damage your computer alert warning dialog over the default macOS Sequoia wallpaper

There’s one more thing to consider, however. The same behavior that led to the infection by known malware may have resulted in infection by yet-unknown ones. Therefore, I strongly suggest you also perform a malware scan on your Mac, just to err on the side of caution.
