Dealing with Malware
If ClamXAV finds malware on your Mac, a macOS notification will appear in the top-right of your screen, similar to the screenshot below. The notification will remain on your screen until closed and can be expanded by dragging the bottom edge to reveal any truncated text. It is designed to quickly provide you with details such as the name and category of the malware found and whether the infected files have been automatically quarantined. In this example, ClamXAV has found Trojan.OSX.CrescentCore.
Upon receiving an ‘Infection Found’ notification, you should open ClamXAV and click the ‘View Reports’ button.
This will open the reports window which lists recent scans and any infected files found.
This window is divided into three sections: a list of recent scans, a summary of the currently selected scan and a file list. The Reports window opens with the most recent scan selected. Scans which resulted in the discovery of infected files will be highlighted in bold in the list of recent scans. If, after opening the Reports window following an ‘Infection Found’ notification, you do not see any infected files - click the most recent scan with an emboldened name. You should now see the file infected with Trojan.OSX.CrescentCore that we were previously notified of in the File List.
At this stage, you may wish to promptly rid your machine of the infection, or find more information about trojans and CrescentCore. For the latter, you can refer to our pages ‘How is Malware Categorized by ClamXAV?’ and ‘Malware Descriptions’. To remove the malware from your machine, click the red ‘Trash Item’ button next to the infected file.
How ClamXAV handles infected items
Depending on the scan type and files found, the options for handling the infected files may differ.
- Scheduled and manually-initiated scans of any drives in the Drives list will result in automatic quarantining of infected files by default.
- For system infections identified by a Quick Scan, ClamXAV will not automatically quarantine infected files. Instead, you will be given the Trash Item option only, which will remove the malware from your Mac by securely deleting the infected files, bypassing the macOS Trash folder.
- For scheduled and manually-initiated scans, Trash Item will move the infected files to the Trash folder, which can be emptied when you wish.
- The ‘Status’ column in the File List reflects the current state of the infected files. This can either be ‘Quarantined’ if the files have been moved to the quarantine directory, or ‘Trashed’ if the files have been securely deleted from your Mac.
Quarantining moves the files to a secure location where they can be reviewed if necessary. The quarantine directory serves as an intermediate location when malware can be moved before it is deleted from the system. This allows the user to review the files if necessary and learn more about the quarantined sample. ClamXAV will only automatically quarantine files which it knows are not necessary to the integrity of the macOS system.
If you are viewing a list of infected files in a scan report, decide that you are happy with ClamXAV’s detection and wish to remove the malware from your Mac, you can click the red Trash Item to securely remove the files from your machine. Despite the naming of the button, the deletion action bypasses the macOS Trash location and instead, permanently removes the malware from your Mac. ClamXAV will also terminate any malicious applications which are known to be using the infected files. This is the best way to remove infected files, as simply moving them to the Trash/Bin will not remove them from your computer.