Mac Security Tips That Aren't Just 'Get Antivirus'

Real Mac security tips beyond antivirus theatre. FileVault, Gatekeeper, XProtect, firewall, secure boot, and the threats that actually matter.

The Mac doesn’t need antivirus the way Windows does. It also isn’t immune. The difference is what attacks actually work on a Mac in 2026 — almost never traditional viruses, almost always phishing, malicious browser extensions, fake “your Mac is infected” pop-ups, and supply-chain compromises in apps you trust. The defenses are mostly about not getting tricked, plus a handful of macOS settings that should be on but often aren’t.

FileVault (do this first if you haven’t)

System Settings, Privacy & Security, FileVault. Turn it on if it's off. On Apple silicon the internal SSD is always encrypted; what FileVault adds is tying the decryption key to your login password, so the data can't be unlocked by anyone who can't authenticate as you, including someone with physical access to the machine or its storage.

On Apple silicon, encryption uses the Secure Enclave and is virtually free in performance terms. There’s no good reason to leave it off.

Save the recovery key when prompted. Without your password OR the recovery key, your data is unrecoverable.

Set a strong login password

System Settings, Users & Groups, click your account, Change Password. The basics:

  • 12+ characters, mix of types
  • Not used on any other service
  • Not stored in a password manager that’s also locked behind it (avoid the chicken-and-egg)

System Settings, Lock Screen: set "Require password after screen saver begins or display is turned off" to "Immediately" (or at most "5 seconds"). A Mac that stays unlocked in a bag or on a desk undoes FileVault entirely.

Enable Find My Mac

System Settings, your Apple ID, iCloud, Find My, on. If your Mac is stolen:

  • Activation Lock ties an Apple silicon (or T2) Mac to your Apple Account: a thief can wipe it but can't set it up as their own without your credentials
  • You can remote-lock the device with a passcode
  • You can remotely erase it
  • Last known location appears on iCloud.com or Find My on your iPhone

This is the single most underused security feature on the Mac.

Gatekeeper, XProtect, and what’s already running

macOS ships with several security layers that run silently:

  • Gatekeeper: checks that an app downloaded from the internet is signed with a Developer ID and notarized by Apple before its first launch, and blocks it with a warning otherwise
  • XProtect: built-in signature-based malware scanner. Apple updates the signatures silently in the background, no app required
  • XProtect Remediator (successor to the older MRT, Malware Removal Tool): periodically scans for and removes known malware already on disk
  • System Integrity Protection (SIP): prevents modification of protected system files and processes even by root

All on by default. Don’t disable any of them unless you have a specific reason.

To verify Gatekeeper is on: Terminal, spctl --status. Should say “assessments enabled.”

To check XProtect's last update: System Settings, General, About, System Report, Software, Installations. The XProtect entries (XProtectPlistConfigData, XProtectPayloads) should carry recent dates.
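The checks above, together with the firewall and automatic-update settings covered later in this guide, as one read-only audit script. This is an added example, not code from the original guide or from Sweep; the command names and the output strings it matches are the standard macOS ones (fdesetup, spctl, csrutil, socketfilterfw, defaults), and the SoftwareUpdate preference key is treated as off when it has never been written. Each parse_* helper takes a command's output as text, so the matching logic can be exercised with sample strings on any system, while the commands themselves run only on macOS:

```shell
#!/bin/sh
# Added example, not from the original guide: a read-only audit of the macOS
# settings this guide says should be on. Each parse_* helper takes the text
# the relevant macOS command prints and returns 0 when the setting is on,
# so the logic can be exercised with sample output on any system. The
# commands themselves only run when the script is executed on macOS.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
parse_filevault() { case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac; }

# `spctl --status` prints "assessments enabled" or "assessments disabled".
parse_gatekeeper() { case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac; }

# `csrutil status` prints "System Integrity Protection status: enabled."
parse_sip() { case "$1" in *"status: enabled"*) return 0 ;; *) return 1 ;; esac; }

# socketfilterfw --getglobalstate prints "Firewall is enabled. (State = 1)"
# (State = 2 once "Block all incoming connections" is ticked) or
# "Firewall is disabled. (State = 0)".
parse_firewall() { case "$1" in *"Firewall is enabled"*) return 0 ;; *) return 1 ;; esac; }

# socketfilterfw --getstealthmode prints "Stealth mode enabled" or "... disabled".
parse_stealth() { case "$1" in *"Stealth mode enabled"*) return 0 ;; *) return 1 ;; esac; }

# `defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates`
# prints 1 when automatic macOS updates are on, 0 when off, and fails if the
# key has never been written; anything but 1 is therefore treated as off.
parse_autoupdate() { case "$1" in 1) return 0 ;; *) return 1 ;; esac; }

# Run all six parsers over the outputs given in that order and print how
# many settings need fixing (0 means the baseline is in place).
count_failures() {
  n=0
  parse_filevault  "$1" || n=$((n + 1))
  parse_gatekeeper "$2" || n=$((n + 1))
  parse_sip        "$3" || n=$((n + 1))
  parse_firewall   "$4" || n=$((n + 1))
  parse_stealth    "$5" || n=$((n + 1))
  parse_autoupdate "$6" || n=$((n + 1))
  echo "$n"
}

# report <parser> <command output> <label>: one OK/FIX line per setting.
report() {
  if "$1" "$2"; then printf 'OK   %s\n' "$3"; else printf 'FIX  %s\n' "$3"; fi
}

# Gather live output from the macOS tools and print the audit.
run_audit() {
  FW=/usr/libexec/ApplicationFirewall/socketfilterfw
  fv=$(fdesetup status 2>/dev/null || true)
  gk=$(spctl --status 2>&1 || true)
  sip=$(csrutil status 2>/dev/null || true)
  fw=$($FW --getglobalstate 2>/dev/null || true)
  st=$($FW --getstealthmode 2>/dev/null || true)
  au=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate \
        AutomaticallyInstallMacOSUpdates 2>/dev/null || true)
  report parse_filevault  "$fv"  "FileVault"
  report parse_gatekeeper "$gk"  "Gatekeeper"
  report parse_sip        "$sip" "System Integrity Protection"
  report parse_firewall   "$fw"  "Firewall"
  report parse_stealth    "$st"  "Firewall stealth mode"
  report parse_autoupdate "$au"  "Automatic macOS updates"
  printf '%s setting(s) to fix\n' "$(count_failures "$fv" "$gk" "$sip" "$fw" "$st" "$au")"
}

# Only talk to the real tools on macOS; elsewhere the parsers are still usable.
if [ "$(uname -s)" = Darwin ]; then run_audit; fi
```

Save it as mac-audit.sh and run `sh mac-audit.sh`. Nothing in it changes a setting. If fdesetup prints nothing for an unprivileged user on your macOS version, rerun it with sudo. Run it again each quarter and after a major macOS upgrade.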

Don’t disable Gatekeeper to install random apps

When you download an app and macOS says it "cannot be opened because the developer cannot be verified" (macOS 15 Sequoia words it as Apple being unable to verify that the app is free of malware), you have two options:

  • Override Gatekeeper for that one app. On macOS 14 and earlier: Right-click, Open. On Sequoia the right-click shortcut is gone: click Done, then System Settings, Privacy & Security, scroll down and click Open Anyway. macOS remembers the exception for that app. Acceptable if you trust the source
  • Disable Gatekeeper entirely in Terminal: never do this

Apps from outside the Mac App Store are sometimes legitimately unsigned or un-notarized (open-source projects, small indie developers who haven't paid for a Developer ID). If you trust the project, the one-app override is fine. If you don't, don't install it. Either way, the override only skips the check; it doesn't make the app safe.
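Before taking that override, look at what Gatekeeper actually concluded. The following is an added example, not code from the original guide or from Sweep: it wraps the stock spctl and xattr tools, and the output formats its parsers match ("<path>: accepted" or "rejected", a source= line such as "Notarized Developer ID", and the semicolon-separated com.apple.quarantine attribute) are the ones those tools print on current macOS. The advise rules (notarized or App Store: open; signed but not notarized: only if you trust the developer; rejected: stop) are this example's policy, not Apple's:

```shell
#!/bin/sh
# Added example, not from the original guide: look at what Gatekeeper would
# say about a downloaded app before overriding it. The parsers take text so
# they can be exercised with sample output; vet_app runs the real spctl and
# xattr commands and is only invoked on macOS with an app path as argument.

# `spctl --assess -vv --type execute App.app` prints "<path>: accepted" or
# "<path>: rejected" on its first line, followed by a "source=" line such as
# "Notarized Developer ID", "Mac App Store" or "no usable signature".
# Reduce that to "<verdict> <source>".
classify_assessment() {
  case "$1" in
    *": accepted"*) verdict=accepted ;;
    *": rejected"*) verdict=rejected ;;
    *)              verdict=unknown ;;
  esac
  src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
  [ -n "$src" ] || src=unknown
  printf '%s %s\n' "$verdict" "$src"
}

# The com.apple.quarantine attribute Gatekeeper keys on looks like
# "0083;65a1b2c3;Safari;<uuid>": flags, hex timestamp, downloading app, id.
# Return the downloading app, which tells you where the file really came from.
quarantine_agent() { printf '%s\n' "$1" | cut -d';' -f3; }

# Turn a classification into advice. This is the example's own policy.
# Exit status: 0 open, 1 open only if you trust the developer, 2 stop.
advise() {
  case "$1" in
    "accepted Notarized "*|"accepted Mac App Store"*|"accepted App Store"*)
      echo "open: signed and checked by Apple ($1)"; return 0 ;;
    accepted*)
      echo "caution: signed but not notarized ($1)"; return 1 ;;
    *)
      echo "stop: Gatekeeper rejects this app ($1)"; return 2 ;;
  esac
}

# Assess one app bundle with the real tools and print the verdict.
vet_app() {
  app=$1
  result=$(classify_assessment "$(spctl --assess -vv --type execute "$app" 2>&1 || true)")
  q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null || true)
  if [ -n "$q" ]; then
    echo "downloaded by: $(quarantine_agent "$q")"
  else
    echo "no quarantine flag: not fetched by a quarantine-aware app, or already cleared"
  fi
  advise "$result"
}

if [ "$(uname -s)" = Darwin ] && [ $# -eq 1 ]; then vet_app "$1"; fi
```

Run `sh vet-app.sh /Applications/Foo.app`. A "rejected no usable signature" verdict is exactly what the "cannot be opened" dialog is telling you; choosing Open Anyway should be a decision about the source, not a reflex.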

Apps to be especially careful with

Categories that have produced real Mac malware in recent years:

  • Pirated commercial software: the top vector for trojans and info-stealers. The "crack" is the payload
  • "System cleaners" from pop-up ads: real cleaners exist (Sweep, OnyX). The ones advertised by a pop-up don't
  • Free codec downloads: never legitimate. If QuickTime can't play a file, use a real player such as IINA or VLC rather than a "codec pack"
  • Bogus "Flash Player" updates: Flash has been dead since the end of 2020. Anything claiming you need it is malicious
  • Fake "your Mac is infected" sites: quit the browser (Cmd-Q, or Force Quit if the page won't let you close the tab) and never click anything in the page's own dialog

When in doubt: search the app's name plus "malware" before installing. Real apps leave a history: reviews, forum threads, a public repository going back months or years. Malware has either no footprint or a burst of fresh reviews from accounts that look bot-generated.

Two-factor authentication on your Apple ID

System Settings, your name at the top (Apple Account, formerly Apple ID), Sign-In & Security, Two-Factor Authentication. Should be on. Apple makes it nearly mandatory now, but verify.

The same panel: Security Keys (lets you require a physical key for sign-in), Account Recovery, and Recovery Contacts.

Two-factor on every important account

Use an authenticator app, not SMS:

  • Passwords app (macOS 15 and later; before that, System Settings, Passwords): generates and stores TOTP codes, syncs across Apple devices
  • 1Password / Bitwarden: cross-platform alternatives
  • Authy: dedicated TOTP app (mobile only since its desktop app was retired in 2024)

SMS codes can be intercepted by SIM-swapping your number; TOTP can't. Neither protects you if you type the code into a phishing page that relays it in real time, which is why hardware security keys (supported in the Apple Account panel above) and passkeys, where a site offers them, are the stronger option for accounts that matter.

Browser security basics

  • Update Safari/Chrome/Brave when they prompt. Most browser exploits target vulnerabilities that were patched weeks earlier
  • Don't install browser extensions you can't vouch for. An extension with permission to read and change data on all websites sees every page, including logged-in banking sessions, and popular extensions get sold to new owners who push malicious updates. Keep the list short: your password manager's extension, one reputable content blocker, and nothing whose publisher you can't name. Prune what you don't use
  • Java and Flash browser plug-ins no longer exist in current browsers. A site telling you to install either is malicious
  • Turning JavaScript off (Safari, Settings, Security) breaks banking sites, so it isn't practical. A better habit for high-risk sessions is a separate browser profile (Safari 17 and later, Chrome and Brave all support them) with no extensions installed

Phishing — the actual #1 threat

Almost every successful attack on Mac users in 2026 is phishing or social engineering, not malware. Examples:

  • Fake “Apple Support” calls or emails saying your account is compromised
  • Texts pretending to be UPS/USPS/FedEx with a tracking link
  • “Your iCloud storage is full” emails with malicious links
  • LinkedIn or job-hunt phishing aimed at specific, high-value targets
  • Fake invoices delivered as PDFs to your email

Defenses:

  • Never click links in emails to log into anything. Navigate to the site directly or use a bookmark; a password manager helps here because it won't autofill on a look-alike domain
  • Verify caller identity. Apple and Microsoft don't cold-call you; banks rarely do. Hang up and call back on the number printed on your card or on the official site
  • Treat unexpected attachments as suspicious. Don't open PDFs or documents you weren't expecting, even from known senders, since a compromised mailbox sends convincing mail
  • Hover before clicking. In phishing emails the displayed text and the actual destination usually differ; Mail and Safari show the real URL in a tooltip or the status bar

Tip: When in doubt about a suspicious email, forward it to reportphishing@apple.com (for fake Apple emails), then delete it. Apple's security team monitors that inbox.

Don’t reuse passwords

The single most impactful security practice. Every breached site eventually leaks its password database. If you reused that password, every account using it is compromised.

Password manager + unique password per site. The Passwords app is free and built into macOS (Sequoia and later; older versions keep the same store under System Settings, Passwords). Use it.

Backup (it’s a security control too)

Ransomware is rare on Mac but possible. Hardware failures aren't rare. Time Machine to an external drive plus an offsite copy (Backblaze, or a second drive kept at another location) means a compromised or dead Mac is a two-hour inconvenience, not a disaster. iCloud Drive is sync, not backup: a file that is deleted or encrypted by malware is deleted or encrypted in iCloud too. A Time Machine drive that stays permanently plugged in is equally exposed to anything that runs as you, so keep one copy disconnected.

System Settings, General, Time Machine. Add a backup disk. Set it and forget it.

Software firewall

System Settings, Network, Firewall. On. Click Options:

  • Tick “Block all incoming connections” only if you don’t use Screen Sharing, Remote Login, or AirDrop on your local network
  • Tick “Enable stealth mode”
  • Tick “Automatically allow built-in software” and “downloaded signed software”

For outbound monitoring, the built-in firewall doesn't help. LuLu (free, open source) or Little Snitch (commercial) show you what's calling out, which is how you notice a "cleaner" or "codec" phoning home.

Safari and Mail security settings

Safari, Settings, Security:

  • "Warn when visiting a fraudulent website": on

Safari, Settings, Websites, Notifications:

  • Untick "Allow websites to ask for permission to send notifications" and remove any site in the list you don't recognize. Most "your Mac is infected" scareware arrives as browser push notifications the victim agreed to once

Mail, Settings, Privacy:

  • "Hide IP Address": on. Senders can't tie the mail to your location or network
  • "Block All Remote Content": on, loading remote content per email only when you need it. This stops invisible tracking pixels and shrinks the attack surface of HTML mail

When to worry about Mac antivirus

Most Mac users do not need third-party antivirus. The exceptions:

  • You’re a high-value target (executive, journalist, activist)
  • You handle others’ files routinely (IT support, designers receiving from many clients)
  • You frequently install apps from outside the App Store and don’t vet them carefully
  • Compliance requires it (some corporate environments mandate AV regardless)

If you fit those, Malwarebytes is the usual consumer recommendation, and corporate environments normally push a managed EDR agent rather than consumer AV. ClamAV (free, open source) is fine for occasional on-demand scans of files you receive, not as always-on protection.

For everyone else: macOS’s built-in protections plus careful clicking habits cover 95%+ of real risk.

Zero-day risk

Apple ships fixes for actively exploited zero-days fast, often within days, and on macOS 13 and later some arrive as small background security patches that don't need a full OS update. Keep macOS current: System Settings, General, Software Update, turn on "Automatic updates" and make sure the "Security Responses and system files" option (the label varies slightly between versions) is ticked. The gap between a public vulnerability and your installed patch is your biggest exposure window.

A 30-minute security baseline

If you do nothing else from this list, do these:

  1. FileVault on
  2. Find My Mac on
  3. Strong unique password, “Require Immediately” on lock screen
  4. Two-factor on Apple ID and every account
  5. iCloud Passwords or 1Password for everything else
  6. Time Machine + an offsite backup
  7. Software updates set to automatic
  8. Audit Privacy & Security permissions (Camera, Mic, Screen Recording, Full Disk Access)
  9. Don’t click suspicious links

That covers the bulk of practical Mac security risk. The rest — VPNs, antivirus, advanced firewall rules — adds incremental protection at increasing cost in friction. Sweep over the list once a quarter, and you’ll be in a meaningfully better position than 90% of Mac users.