malware-scan

malware-scan

Heuristic sweep for suspicious behaviour on a macOS machine. Not a signature-based antivirus. Reports anomalies that are commonly — but not always — associated with malware or adware.

When to invoke

Trigger on phrases like: "scan for malware", "is there malware on my mac", "check for viruses", "suspicious processes".

Critical framing

Be explicit in the summary and in the mini-report that this is a heuristic sweep — not a signed antivirus product. False positives are expected. Legitimate tools (Homebrew services, VPN clients, dev tools) often create launch agents and unsigned helper binaries.

What to check

1. Processes in ephemeral / unusual paths — ps -axo pid,user,command | awk '$3 ~ /^\/(tmp|var\/tmp|private\/tmp|var\/folders)\// {print}'. Each match is a finding with severity warn.

2. Hidden directories in $HOME that look anomalous — ls -A "$HOME" | grep -E "^\." | grep -Ev "^(\.bash|\.z|\.git|\.npm|\.cache|\.cargo|\.rustup|\.config|\.local|\.ssh|\.gnupg|\.docker|\.colima|\.claude|\.cursor|\.vscode|\.idea|\.oh-my-zsh|\.CFUserTextEncoding|\.Trash|\.DS_Store|\.viminfo|\.lesshst|\.wget-hsts|\.python_history|\.node_repl_history|\.bashrc|\.profile|\.zsh|\.nvm|\.pyenv|\.rvm|\.vim|\.tool-versions|\.yarn|\.gem|\.m2|\.gradle|\.android|\.expo|\.terraform\.d|\.aws|\.kube|\.helm|\.ansible|\.serverless|\.netrc|\.curlrc|\.subversion|\.hg|\.openjdk)$". Unmatched entries: info. Record up to 20.

3. Unsigned binaries referenced by user LaunchAgents — for each .plist in ~/Library/LaunchAgents, extract the Program or first ProgramArguments entry, then run codesign --verify --verbose=0 <path>. Non-zero exit = finding warn with the program path and launch agent path.

4. Known-bad bundle IDs — grep launch agent plists for a short deny-list: com.pcv., com.searchmine, com.MyShopCoupon, com.genieo, com.installmac, com.inkeepr, com.vsearch, com.conduit, com.cinemaplus, com.trovi. Any hit = critical.

5. Cron and at persistence — crontab -l 2>/dev/null, atq 2>/dev/null. Any non-empty output = info with contents in raw.

6. Recent writes in sensitive directories (last 7 days) — find /Library/LaunchAgents /Library/LaunchDaemons ~/Library/LaunchAgents -type f -mtime -7 2>/dev/null. Any matches: individual info findings.

7. Processes with failed codesign verification — iterate top 30 user processes via ps -axo pid,comm,command | head -30, resolve the executable, run codesign --verify where a valid path exists, and record failures as warn. Skip pseudo-paths like [kernel_task] and anything under /usr/libexec, /System/, or /sbin/.

8. DNS hijack heuristics — scutil --dns | awk '/nameserver/ {print $NF}' | sort -u. If any non-private resolver is not in a small allowlist (1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4, 9.9.9.9, and RFC1918 ranges), emit info.

Output contract

Same envelope as other skills. Write to ~/.mac-guardian/data/malware-scan-<ISOdate>.json.

Set top-level severity to the highest among findings, capped at warn unless check 4 (known-bad bundle IDs) fired.

Include in summary an explicit note: e.g. "Heuristic sweep: 2 warn, 5 info. Not a substitute for a signed AV tool."

Handoff

• On direct invocation, render and open: bash ${CLAUDE_PLUGIN_ROOT}/scripts/render-single.sh malware-scan.
• When invoked by daily-health-report, return the JSON path only.

Safety

• Never quarantine, move, or delete files. Report paths only.
• Never phone home or submit samples anywhere.
• Do not request sudo.