Mac OS X Mac Defender Malware Detection

Critical Nessus Plugin ID 54832


The remote Mac OS X host appears to have been compromised.


Using the supplied credentials, Nessus has found evidence that a fake antivirus software named Mac Defender (alternatively, MacDefender, MacGuard, MacProtector or MacSecurity) is installed on the remote Mac OS X host.

The software is typically installed by means of a phishing scam that targets Mac users by redirecting them from legitimate websites to fake ones that tell them their computer is infected with a virus and then offer this software as a solution.

Once installed, the malware performs a 'scan' that falsely identifies applications such as 'Terminal', or even the shell command 'test' ('['), as infected. It also redirects the user's browser to porn sites in an attempt to trick people into purchasing the software in order to 'clean up' their system.


Follow the steps in Apple's advisory to remove the malware.

Plugin Details

Severity: Critical

ID: 54832

File Name: macosx_macdefender_detection.nasl

Version: 1.5

Type: local

Agent: macosx

Published: 2011/05/26

Modified: 2017/05/30

Dependencies: 12634

Risk Information

Risk Factor: Critical


Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

Required KB Items: Host/MacOSX/packages