How-To: Verify that Malwarebytes for Mac hasn't been tampered with

Document created by parche (Employee) on Aug 22, 2017. Last modified by jyamada on Aug 24, 2017. Version 7.

We do not publish checksums of Malwarebytes for Mac on our website, for a couple of reasons. First, checksums are a poor method of verifying the integrity of an app. If you suppose that a hacker has replaced the app on a developer’s website with a hacked copy, then the checksum published on that same website could just as easily have been replaced.

 

Second, keeping checksums updated is a pain.

 

A code signature is a far better option. Code signatures can be validated independently, and are an important aspect of security on macOS. Both the Malwarebytes for Mac installer and the app are cryptographically signed.

 

Verifying the installer

 

To verify the installer for Malwarebytes 3.0 prior to installation, perform the following steps:

 

  • Open the Malwarebytes-3.x.y.zzz.dmg file that you downloaded from our website.
  • Open the Terminal app (found in the Utilities folder in the Applications folder).
  • Execute the following command in the Terminal:

        pkgutil --check-signature "/Volumes/Malwarebytes/Install Malwarebytes 3.pkg"

  • (Note that, if the installer is in a different location, you can insert the path to the installer by dragging the .pkg file onto the Terminal window.)

 

If the output of this command says that the package is invalid, it has been tampered with and should not be installed.

 

In addition, if the output shows anything other than Malwarebytes Corporation (GVZRY6KDKR) as the first entry in the certificate chain, then the installer has been tampered with and re-signed by someone else, and should not be installed.

 

Verifying the application

 

To verify that the application itself has not been modified, two different commands in the Terminal app will be required.

 

  • Open the Terminal app (found in the Utilities folder in the Applications folder).
  • Execute the following command in the Terminal:

        codesign -dvvv /Applications/Malwarebytes.app

  • Then execute the following command:

        spctl --assess /Applications/Malwarebytes.app

  • (Note that, if the application is in a different location, you can insert the path to the app by dragging it onto the Terminal window.)

 

The output from the first command should indicate that the authority is Malwarebytes Corporation (GVZRY6KDKR). The second command will only output anything if the application has been tampered with. If there is no output, the application’s code signature is valid. If there is any output, the app may have been modified, invalidating the code signature.
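
The installer and application checks above, combined into one script as an added example; it is not Malwarebytes' code. The function names and the embedded sample outputs are constructed for illustration, and the script assumes each tool exits non-zero when its check fails.

```shell
#!/bin/sh
# Added example, not Malwarebytes' own tooling. The expected signer is the one
# the article names; function names and sample outputs are constructed here.
EXPECTED_SIGNER='Malwarebytes Corporation (GVZRY6KDKR)'

# Constructed sample of `pkgutil --check-signature` output (fingerprints omitted).
SAMPLE_PKG_OUTPUT='Package "Install Malwarebytes 3.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Malwarebytes Corporation (GVZRY6KDKR)
    2. Developer ID Certification Authority
    3. Apple Root CA'

# Constructed sample of the signer lines in `codesign -dvvv` output.
SAMPLE_APP_OUTPUT='Authority=Developer ID Application: Malwarebytes Corporation (GVZRY6KDKR)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GVZRY6KDKR'

# First certificate-chain entry from pkgutil output on stdin.
pkg_leaf() { sed -n 's/^[[:space:]]*1\.[[:space:]]*//p' | head -n 1; }

# First Authority= line from codesign output on stdin.
app_leaf() { sed -n 's/^Authority=//p' | head -n 1; }

# Accept only a leaf that ends with the expected "Name (TeamID)". A substring
# match would also pass a certificate name that merely contains that text.
signer_ok() {
  case "$1" in
    "$EXPECTED_SIGNER"|*": $EXPECTED_SIGNER") return 0 ;;
    *) return 1 ;;
  esac
}

verify_pkg() {  # $1 = path to the installer .pkg
  out=$(pkgutil --check-signature "$1" 2>&1) || { echo "FAIL: invalid package signature"; return 1; }
  signer_ok "$(printf '%s\n' "$out" | pkg_leaf)" || { echo "FAIL: unexpected package signer"; return 1; }
}

verify_app() {  # $1 = path to the .app bundle
  out=$(codesign -dvvv "$1" 2>&1) || { echo "FAIL: no readable code signature"; return 1; }  # -d writes to stderr
  signer_ok "$(printf '%s\n' "$out" | app_leaf)" || { echo "FAIL: unexpected app signer"; return 1; }
  spctl --assess "$1" || { echo "FAIL: spctl rejected the app"; return 1; }
}

# On a Mac: sh verify.sh "<installer.pkg>" "<Malwarebytes.app>"
if [ $# -eq 2 ]; then verify_pkg "$1" && verify_app "$2" && echo "OK"; fi
```

Run it with the installer and application paths as its two arguments; with no arguments it only defines the functions.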
