How to Detect Suspicious Processes on macOS

Your Mac runs hundreds of processes at any moment. Most are legitimate system services and apps you installed yourself. But a single rogue process — unsigned, running from an unusual path, or quietly opening network connections — can compromise your entire machine. Knowing how to spot the difference between a healthy system daemon and a suspicious intruder is one of the most practical security skills a macOS user can develop.

Quick Answer

To detect suspicious processes on macOS, check for missing or invalid code signatures with codesign -dvvv, verify Gatekeeper approval with spctl --assess, and inspect each process’s launch path, parent process, network activity, and entitlements. Processes running from /tmp, /var/folders, or user-writable locations without Apple or developer signatures deserve immediate investigation.

Red Flags: Signs of a Suspicious Process

Not every unfamiliar process is malware, but certain patterns should raise your alert level:

No code signature or ad-hoc signature. Legitimate macOS apps are signed by an identified developer or Apple. An unsigned binary running persistently is a red flag.
Launch path in a temporary or hidden directory. Processes running from /tmp, /private/var, /var/folders, or dot-prefixed directories (.hidden/) are worth scrutinizing. Legitimate apps live in /Applications, /System, or /usr.
Unusual parent process. A curl or python3 process spawned by bash that was itself spawned by launchd at login — with no matching LaunchAgent you recognize — is suspicious.
Unexpected outbound network connections. A process you don’t recognize making connections to unfamiliar IP addresses, especially on non-standard ports, warrants investigation.
High resource usage with no clear purpose. Cryptominers and data exfiltration tools often show sustained CPU or network I/O that doesn’t correlate with anything you’re doing.
Missing or overly broad entitlements. A simple utility claiming com.apple.security.cs.disable-library-validation or com.apple.security.cs.allow-unsigned-executable-memory is unusual.

Step-by-Step: Investigating a Suspect Process

When you spot something unfamiliar in your process list, work through these checks systematically.

1. Verify the code signature

The most important single check. Run codesign against the binary:

codesign -dvvv /path/to/suspicious-binary

Look for the Authority chain. A healthy app shows something like:

Authority=Developer ID Application: Company Name (TEAMID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA

If you see code object is not signed at all or the authority chain is missing, that binary was never signed by an identified developer.

2. Check Gatekeeper and notarization status

Apple’s Gatekeeper verifies that software is notarized — submitted to Apple for automated malware scanning:

spctl --assess --verbose /path/to/suspicious-binary

A notarized app returns accepted, source=Notarized Developer ID. Anything else means the binary bypassed or predates Apple’s notarization requirement.

3. Inspect the launch path and arguments

Find where the process binary actually lives:

ps -eo pid,comm,args | grep <process-name>

Legitimate system processes run from /usr/libexec, /System/Library, or /Applications. A process named com.apple.something running from /Users/you/Library/LaunchAgents/ with a binary in /tmp is mimicking a system service.

4. Check for persistence mechanisms

Malware typically installs a LaunchAgent or LaunchDaemon to survive reboots:

# User-level persistence
ls ~/Library/LaunchAgents/

# System-level persistence
ls /Library/LaunchDaemons/
ls /Library/LaunchAgents/

Open any unfamiliar .plist files and check the ProgramArguments key to see what binary they launch.

5. Examine network connections

See what the process is talking to:

lsof -i -n -P | grep <PID>

Look for connections to unfamiliar IPs, especially on ports like 4444, 8080, or other non-standard ports that C2 (command and control) servers commonly use.

6. Review entitlements

Entitlements define what system resources a process can access:

codesign -d --entitlements - /path/to/binary

A legitimate PDF viewer should not need com.apple.security.device.camera or com.apple.security.network.server.

Common Legitimate Processes That Look Suspicious

Before you panic, check this list. These Apple system processes confuse users regularly:

Process	What It Actually Does
`kernel_task`	macOS kernel; high CPU often means thermal throttling, not malware
`mds` / `mds_stores`	Spotlight indexing engine; spikes after installing apps or copying files
`WindowServer`	Compositor for the entire GUI; high CPU usually means display scaling issues
`nsurlsessiond`	Background downloads for App Store updates and iCloud sync
`trustd`	Certificate and trust evaluation daemon
`syspolicyd`	Gatekeeper policy enforcement
`cloudd`	iCloud Drive sync daemon
`bird`	iCloud document sync helper
`mediaanalysisd`	Photos app ML processing for face/object recognition
`suggestd`	Siri Suggestions and Spotlight knowledge indexing

If any of these show up with valid Apple signatures and run from /usr/libexec or /System/Library, they are almost certainly legitimate.

Tools for Process Security Auditing

Activity Monitor

Activity Monitor shows CPU, memory, and basic process info, but it cannot display code signatures, entitlements, parent-child process trees, or launch paths in a useful way. For security work, it is a starting point at best.

Terminal: codesign and spctl

The codesign and spctl command-line tools are the ground truth for signature and notarization verification. They are essential but tedious when you need to audit dozens of processes — each requires you to find the binary path manually.

ProcXray

ProcXray brings code signature verification and entitlements inspection directly into a process monitoring UI. For every running process, you can see:

Signature status at a glance — signed, unsigned, or invalid — without running terminal commands.
Full entitlements list — inspect what system capabilities each process claims.
Process tree view — immediately trace which parent process spawned a suspicious child.
Launch path and arguments — see exactly where the binary lives and how it was invoked.

Instead of manually running codesign -dvvv on each binary, ProcXray surfaces the security context for every process in real time. When you spot something unsigned or running from an unexpected location, you can investigate its lineage and network context without switching to Terminal.

FAQ

How do I tell if a process is malware or a legitimate system service?

Check three things: (1) code signature — run codesign -dvvv and look for an Apple or identified developer authority chain, (2) launch path — legitimate services run from /System or /usr/libexec, not /tmp or hidden directories, and (3) persistence — check ~/Library/LaunchAgents and /Library/LaunchDaemons for unfamiliar plist files pointing to the binary.

Can malware hide from Activity Monitor?

Yes. Rootkits can hook system calls to hide processes from user-space tools. macOS System Integrity Protection (SIP) makes this significantly harder — if SIP is enabled (csrutil status), kernel-level hiding is blocked on modern macOS. However, malware can still disguise itself by using legitimate-sounding names or injecting into signed processes.

Does Gatekeeper protect against all malware?

No. Gatekeeper and notarization provide a strong first layer — they block unsigned and unnotarized software from running by default. But if a user explicitly overrides Gatekeeper (right-click > Open), or if malware is delivered through an already-running process (e.g., a browser exploit), Gatekeeper is bypassed. Defense in depth — checking signatures, monitoring process behavior, and auditing persistence mechanisms — remains essential.

Sources and References

Apple: About Gatekeeper
Apple: Notarizing macOS Software Before Distribution
Apple: System Integrity Protection
Apple: codesign man page
Apple: spctl man page
Apple: Entitlements Documentation

Download ProcXray → — built-in code signature verification, macOS Sonoma+.