FileMonitor is a free, open-source macOS security tool from Objective-See that watches every file-system event on your Mac in real time, showing you exactly which processes are creating, modifying, or deleting files the moment it happens.
What is FileMonitor?
FileMonitor is a real-time file-system surveillance utility built by Patrick Wardle of Objective-See — the same researcher behind BlockBlock, LuLu, and KnockKnock. It surfaces the raw stream of file events your operating system generates but normally hides: every create, write, rename, and delete attributed to the responsible process, its PID, and its code-signing status.
I run it whenever I install unfamiliar software or receive a suspicious attachment. Within seconds it becomes obvious whether an app is quietly writing a Launch Agent, touching your SSH keys, or scattering preference files across directories it has no business touching.
What does FileMonitor do best?
FileMonitor excels at catching covert persistence and data-exfiltration behavior that no conventional antivirus surfaces in a human-readable way. Where a consumer security suite gives you a binary thumbs-up or thumbs-down, FileMonitor gives you the raw evidence — the actual file path, the exact process name, and the signing chain — so you can make your own judgment.
- Live event stream: every file-system mutation scrolls in real time with timestamp, process name, PID, and full destination path.
- Code-signing context: each event is tagged with the originating process's signing status (signed by Apple, signed by a third-party developer, or unsigned), which instantly flags suspicious unsigned writers.
- Filter and search: you can narrow the torrent of events by process name or path prefix — essential when you only care about what one specific app is doing.
- JSON output: the companion CLI streams structured JSON, which means you can pipe FileMonitor straight into jq, into a log aggregator, or into your own automation scripts.
I've used it to confirm that a supposedly sandboxed utility was writing to ~/Library/Application Support under a disguised bundle ID — the kind of thing you'd never notice until you read the event log yourself.
Is FileMonitor free?
Yes — FileMonitor is completely free to download and use, with no subscription, no nag screens, and no feature tiers. Objective-See is a not-for-profit security research organisation; the tool is released as open source and accepts voluntary donations. There is no paid Pro version to upsell you to.
Who should use FileMonitor?
Security researchers, power users, and developers who want to understand what software is actually doing on their machines will get the most from FileMonitor. It is not a click-and-protect consumer tool — it produces a high-volume event stream that requires some macOS knowledge to interpret meaningfully.
That said, even a moderately technical Mac user can use it productively with a simple workflow: launch FileMonitor, install the suspect application, interact with it for two minutes, then stop the monitor and search the log for your home folder path. Anything writing to ~/Library/LaunchAgents or ~/.ssh without your knowledge has just introduced itself.
If you're looking for something more automated and less raw, Objective-See's own BlockBlock watches for persistence installations and alerts you interactively — a friendlier companion to FileMonitor's forensic depth.
How does FileMonitor compare to alternatives?
The closest comparable tools are fs_usage (Apple's built-in command-line utility) and Crescendo (another Objective-See product focused on process and network events). fs_usage is lower-level and harder to filter; Crescendo adds process-launch and network dimensions alongside file events. For pure file-system focus, FileMonitor's GUI plus JSON CLI combination is uniquely practical.
Commercial EDR platforms like Jamf Protect or CrowdStrike Falcon do capture file events, but they're enterprise subscription products that abstract the raw data away. FileMonitor puts the unfiltered stream directly in front of you — which is exactly what you want when you need to understand, not just be told, what happened.
What are the best FileMonitor alternatives?
For broad macOS behavioural visibility, Crescendo (also free, also Objective-See) pairs naturally with FileMonitor by adding process and network telemetry. fs_usage and opensnoop cover similar ground from the Terminal for users comfortable with BSD-style tools. Instruments (part of Xcode) includes a File Activity template useful for developer profiling, though it's heavier and less suited to security investigations.