Recently, I started seeing a persistent "Malware Blocked" alert on my Mac running macOS Sequoia. Every time I clicked "Done," the message would disappear momentarily, only to come back again with the exact same file name. I tried searching for the file to delete it manually but couldn’t find it anywhere on my system.
The error message says: Malware Blocked "app-name" was not opened because it contains malware. This action did not harm your Mac.
It appears that a lot of Mac users have experienced the same issue. In many cases, the alert is triggered by older or unsigned apps (like outdated versions of Citrix Receiver or Docker) that macOS now flags as potentially harmful. Sometimes the issue is caused by files carried over from old Time Machine backups, or from third-party antivirus software that’s not playing nicely with macOS’s built-in security features.
If you’re are also stuck in this frustrating loop like I was, here’s how to track down the problem, remove it, and stop the alert from popping up again.
This alert typically means macOS’s built-in security (XProtect, Gatekeeper, or MRT) has detected something suspicious — usually a background launch file linked to an outdated or unsigned app.
Common causes include:
- Old or unsigned apps, like legacy versions of Citrix Receiver, Docker, or Adobe tools.
- Files left behind after migrating from an older Mac or restoring from a Time Machine backup.
- Apps you thought you deleted but left behind helper files.
- Third-party antivirus software (like Norton) that doesn’t fully remove the threat — or adds its own noise.
How to remove persistent ‘Malware blocked’ notifications on your Mac
You’ll need to manually inspect three folders where launch agents and daemons are stored. These background helper files are often responsible for triggering the alert.
- Launch Finder
-
In the menu bar, click Go > Go to Folder…
-
Paste each of the following paths one at a time, and open them in separate Finder windows:
~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
Now you should have three Finder windows open — keep them on your Desktop for easy access.
When your Mac is new, these folders are typically empty or contain just a few Apple-created files. Everything else was added later — usually by third-party apps you installed.
Common Legitimate Names to Look For:
Most well-known and trustworthy apps will use clear, recognizable names in their background helper files. If the file name includes the name of the app or its developer, it’s usually safe. Here are some examples:
- Adobe (Acrobat, Creative Cloud, Photoshop)
- Amazon (Kindle, Amazon Music)
- Citrix (Receiver, Workspace)
- Dropbox
- Google (Chrome, Drive, GoogleSoftwareUpdate)
- Microsoft (Office, OneDrive, Teams)
- TeamViewer
- Zoom
- Spotify
- VMware
- Logitech (Logi Options, G HUB)
- Canon, Epson, HP (Printer/scanner utilities)
- Mozilla (Firefox, Thunderbird)
- Oracle (Java tools)
- Parallels (Virtual machines)
- Steam (Valve/Steam-related files)
- Backblaze, Carbonite (Backup software)
- 1Password, LastPass, Dashlane (Password managers)
- Malwarebytes (if installed by you)
- Rogue Amoeba (Audio tools like Loopback, Audio Hijack)
- Elgato, Corsair (Streaming or gaming hardware support)
These are typically safe to leave alone.
What Suspicious Files Look Like:
In contrast, suspicious or potentially malicious files often use:
- Random or jumbled characters (e.g.,
com.sys.jkApLeX64.plist) - Misspellings or slight name tweaks (e.g.,
Micros0ftUpdaterorGo0gleUpdate) - Generic-sounding names that give no clue what they belong to
If the file name matches what you saw in the "Malware Blocked" alert, or it just looks off, that’s a good candidate for removal.
For example:
Let us say that LaunchDaemons folder looks like this:
You should remove the red ones in the rectangle:
Remove Suspicious Files (Safely)
If you’re comfortable troubleshooting on your own, here’s how to proceed:
Start up your Mac in safe mode – Apple Support. Safe Mode prevents unnecessary and potentially harmful processes from launching.
While in Safe Mode:
- Go back to the three Finder windows you opened earlier.
- Drag any suspicious or unrecognized files to the Trash.
After restarting, check whether the malware alert still appears.
- If the alert stops, you’re done.
- If it returns, you may have missed a file or misidentified something as safe — go back and repeat the process.
Tip: If you accidentally removed a legitimate file, you can open the Trash, right-click it, and select Put Backto restore it.