How to Check your Mac for Rootkits

While there are very few viruses that affect OS X, there are a number of rootkits that can compromise the security of your Mac. This tutorial will guide you through using OS X Rootkit Hunter to check your Mac for any rootkit-related problems.

Start out by downloading OS X Rootkit Hunter. Open the .dmg file and run the installer.

Once it’s installed, navigate to Applications -> OSXrkhunter -> Rootkit Hunter and run it.

Click the start rootkit scan button.

You’ll be prompted to enter your password. Do so.

A Terminal window will open and Rootkit Hunter will start.

A bunch of text will fly by – you don’t have to worry too much about making sure you read it all (it’ll probably scroll too fast anyway) – Rootkit Hunter will create a log file for you to review once it has completed the scan.

When it’s done, press ctrl+c and then ctrl+d to close the Terminal window (skip the ctrl+d if you want to review the log file, since you’ll need an open Terminal window for that).

To review the log file, at the command prompt in a Terminal enter cd /tmp. Then issue the command cp rkhunter.log ~/Desktop – which will copy the log file to your Desktop.

Double-click the rkhunter.log file that’s now on your Desktop.

Scroll to the bottom of the log, and review the System checks summary section. In particular, look for a line that states One or more warnings have been found while checking the system.

If that line exists, press ctrl+f to run a search, and search for the word warning. As seen in the screenshot below, there was a warning about a file on my system. The file in question (/usr/share/man/man5/.rhosts.5.gz) was in fact harmless. If you’re unsure whether a file is harmful, do a Google search on the file name and see if you can find pages that describe the file.
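If you would rather not scroll through the whole log, the steps above (copy the log out of /tmp, check the summary for the "One or more warnings" line, then find the warning lines) can be done from the Terminal. This is an added example, not part of the tutorial or of Rootkit Hunter itself; the sample log it writes is constructed from the phrases quoted in the tutorial, so a real rkhunter.log may word its lines slightly differently.

```bash
#!/bin/sh
# Added example: review an rkhunter log from the command line.

# Write a small constructed log (not a real scan) to the given path, so the
# functions below can be tried without running a scan first.
rkh_write_sample_log() {
    cat > "$1" <<'EOF'
[10:00:01] Checking for hidden files                    [ Warning ]
[10:00:01]          Found file: /usr/share/man/man5/.rhosts.5.gz
[10:00:02] Checking running processes                  [ None found ]
[10:00:03] System checks summary
[10:00:03] Rootkit checks...
[10:00:03] One or more warnings have been found while checking the system.
EOF
}

# Print the "System checks summary" section (from its heading to end of file).
rkh_summary() {
    sed -n '/System checks summary/,$p' "$1"
}

# Print every line mentioning a warning, with line numbers, ignoring case.
rkh_warnings() {
    grep -n -i 'warning' "$1"
}

# Exit status 0 if the log reports warnings, 1 otherwise.
rkh_has_warnings() {
    grep -q 'One or more warnings have been found' "$1"
}

# Copy the log to the Desktop as in the tutorial, then print the findings.
# Defaults follow the tutorial's paths; pass other paths to override them.
rkh_report() {
    src="${1:-/tmp/rkhunter.log}"
    dest="${2:-$HOME/Desktop/rkhunter.log}"
    cp "$src" "$dest" || return 1
    if rkh_has_warnings "$dest"; then
        echo "Warnings found in $dest:"
        rkh_warnings "$dest"
    else
        echo "No warnings recorded in $dest"
    fi
    rkh_summary "$dest"
}
```

Run `rkh_report` after a scan to copy and summarise the real log, or `rkh_write_sample_log /tmp/sample.log; rkh_report /tmp/sample.log /tmp/sample-copy.log` to try it on the constructed one.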

Comments [14]

  1. Interesting, thanks. How common are rootkit "infections" in OS X? I've never come across this before, but at the same time have never looked into it in any depth…

  2. I downloaded this but could never even find the program on my Mac, so it didn't work for me.

  3. Leann,

    It wasn't in the /Applications/OSXrkhunter/ folder? I just uninstalled it and then re-installed, and that's where it wound up again… (?)

  4. No, I couldn't find it there. I don't know why. It's puzzling. I even restarted the computer and it still wasn't there.

  5. Better is to install macports, then install checkrootkit from the command line:

    sudo port install chkrootkit

    which gives the same program, but then from a source known.



  6. sdf,

    You'll have to take the author's word for it. That, and the thousands of users 🙂

    If it was, it would be widely known as bad software.

  7. Did anyone make progress with rootkit hunter? I couldn't find the program either??

  8. I followed the instructions and the log file never appeared on the Desktop. Any suggestions?

  9. Hello, I run the application and I have two questions.

    First: I get the message that the command properties text is not supported. Does this mean the results of the scan are not accurate?

    Second: I got two suspect applications, but which ones? How do I find out?


  10. How can we be sure, this magnificent program is not going to open a hole in our systems or be itself a rootkit?

  11. Of course, once you go mac, you never go back… you go forward to Linux 😉

  12. Usage

    To run Geany just type

    $ geany

    on a console or use the applications menu from your desktop environment. There are a few command line options. See the manual page of Geany or run

    $ geany --help

    for details. Or look into the documentation in the doc/ directory. The most important option probably is -c or --config, where you can specify an alternate configuration directory.

  13. So after I google the file name to see if it’s malignant, how do I get rid of it? (I haven’t used this, I’m inquiring for a friend)
