I use Pi Hole, which is mostly intended as an ad blocker DNS server. It's an open source project that maintains a list of domains that you would be better off not seeing. For those domains, it returns '0.0.0.0' for the IP address.
For some vectors, this can be surprisingly effective. But it won't save you from malware that's already on your machines; if the bad guys can run anything at all on your computers, they can run their own DNS servers.
The default Pi Hole setup is pretty good.
You can add more lists, if you wish. I know of one that was highly rated some time ago... pre-covid, when I had some spare cycles to set this up.
For straight up "Is my Mac infected" scanning, I would use ClamAV.
But I actually don't run it all that often. Instead, I try to monitor activity, like network access, or writes to file system areas that might indicate weird behavior.
But -- Now that my kid is heavy into macOS usage, and relatively inexperienced regarding possible malware vectors, I can't rely on runtime observation. I've installed a DNS block list for malware sites, log our net traffic, and periodically scan with ClamAV.
For my own box, I try to keep things simple and learn how the system normally behaves, in the hope that I might notice if something weird is going on. I realize this is not an adequate solution.
I use Little Snitch for real-time monitoring of network activity; it can get distracting but it's a good way to see how much a process or application likes to phone home.
I used BlockBlock for a while. It pops up an alert when software tries to install itself into places that might run without your knowledge. LaunchAgents and system extensions. I don't recall ever seeing actual malware with this tool.
The author runs a Mac Security conference that seems to generate good work among the attendees, those who track Mac security best practices. Sysadmins and researchers. I have not attended, so my endorsement is perhaps not useful... Back in the 20th Century, I built and ran a business Mac network with hundreds of nodes, which was considered pretty big at the time. Focused conferences and workshops were amazing in getting an idea on how much I needed to learn.
I use LuLu and find it great. It’s more dumbed down than Little Snitch without hiding too much. And it’s free to the extent that the author deserves a donation.
Little Snitch-like firewalls are nice, yet I think they can give a false sense of security, since it takes too much mental effort and discipline, and it is simply annoying to approve each rule.
I disagree. Security and privacy require effort. The revolutionary interface of Little Snitch has given a clean view of my system's outbound connections.
The existence of this software is the core reason for me and my team to look at alternatives to Mac OS and finally, after the CSAM fiasco, to switch 90 percent of our workflow to Linux. We still use some Apple computers, but we isolated them from the network.
https://pi-hole.net