How to Scan for Malware on the Command Line

DetectX Swift has the ability to do command line searches for issues on your Mac like malware, keyloggers, browser hijacks and potentially dangerous software, and there’s a number of extra options that are not available when using the user interface. In this post, I’m going to give you a quick tour of the CLI (Command Line Interface) tool with some examples of how to use it (if you haven’t yet grabbed a free copy of DetectX Swift you might want to do that first to play along).

Prerequisite

Ensure that DetectX Swift and the Terminal have Full Disk Access if you’re using macOS 10.14 Mojave or higher. This is required so that DetectX can search various folders within your User Library for suspicious or malicious files. More info on how to enable Full Disk Access can be found here.

1. Basic scan
Let’s start with a basic scan. To use the CLI search, you need to specify the full path to the app executable. In this example, let’s suppose that the app is in /Applications folder. In that case, you’d need to execute this on the command line:

/Applications/DetectX\ Swift.app/Contents/MacOS/DetectX\ Swift search

Since that’s a bit of a handful, even using tab completion, you might want to edit your .bash_profile to include a shortcut alias. Here’s mine:

sphil@sphils-iMac-5:~$ cat .bash_profile

alias sudo='sudo '

alias detectx='/Applications/DetectX\ Swift.app/Contents/MacOS/DetectX\ Swift'

Note the sudo line (and note the extra space in the value). We’re going to need that so that we can pass the alias to sudo when we want to pass certain options to the search. Like…

2. Scan other users
Probably the most important benefit you gain with scanning on the command line rather than from the app’s interface is the ability to scan all, or selected, other users. You can search all users by using sudo and the -a option:

sudo detectx search -a

If you want to restrict the search to one or more users, the -u option allows you to specify a list of shortuser names (comma-delimited):

sudo detectx search -u alice,bob

3. Go deep
If you’d like more verbose output, including how long the search took, try either the vsearch or vvvv commands:

sudo detectx vvvv -a

4. Save the results
You can specify a path to output the results, either in regular text:

sudo detectx vvvv -a ~/Desktop/searchtest.txt

or, by passing the extra -j option, in JSON format:

sudo detectx search -aj ~/Desktop/searchtest.json

Here’s an example of what the formatted JSON file looks like:

5. Anything else?
There’s a help command that will output the documentation to the command line, and also if you get into the habit of regularly running command line checks, don’t forget to launch the app from time to time in the Finder. Like its predecessor, DetectX, DetectX Swift does a lot of other stuff besides searching that can help track down and remediate problems with your mac, and a large part of that revolves around the way it tracks changes to your system every time you launch it. The CLI tool runs independently of that and won’t give you that kind of feedback or record those changes.

Enjoy! 🙂


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.