How to Remove Suspicious Programs From a Work Laptop
If you suspect unknown software is running on your company device, the safest response is to act methodically, not aggressively.
This guide explains how to remove suspicious programs from a work laptop while protecting corporate data, preserving evidence, and following common IT security practices.
What counts as a suspicious program?
Suspicious software is not always obviously malicious.
On a managed Windows or macOS laptop, it can include applications you did not install, browser add-ons with unusual permissions, remote access tools, keyloggers, adware, or software that requests excessive privileges.
- Programs with unfamiliar names or vague publishers
- Applications that launch at startup without a clear reason
- Software that disables security tools or changes firewall settings
- Browser extensions that track activity or redirect searches
- Remote admin utilities you do not recognize
In a work environment, these signs can indicate malware, unauthorized software, or a legitimate business app installed outside normal IT procedures.
Before you remove anything
On a work laptop, the first step is to reduce risk.
Deleting software too quickly can disrupt company applications, remove evidence needed for incident response, or trigger device management alerts.
- Disconnect from Wi-Fi and Ethernet if you suspect active compromise.
- Do not log into sensitive systems until the device is checked.
- Take screenshots of suspicious app names, file paths, and pop-ups.
- Note when the issue started and what changed before it appeared.
- Alert your IT help desk, security team, or manager if company policy requires reporting.
If your organization uses Microsoft Intune, Jamf Pro, VMware Workspace ONE, or another endpoint management platform, IT may prefer to handle removal centrally.
How to identify suspicious programs on Windows and macOS
A careful review helps distinguish unwanted software from approved tools.
Start by checking installed applications, startup items, browser extensions, and running processes.
On Windows
- Open Settings > Apps > Installed apps to review recent installations.
- Check Task Manager > Startup apps for unknown entries.
- Review Control Panel > Programs and Features if needed for older software.
- Inspect browser extensions in Chrome, Edge, and Firefox.
- Use Windows Security to scan for threats and reputation-based detections.
On macOS
- Review Applications and recent downloads in Finder.
- Check System Settings > General > Login Items for startup software.
- Inspect Safari, Chrome, or Firefox extensions.
- Look for device management profiles in System Settings if your organization uses them.
- Use XProtect, Gatekeeper, and a trusted security scan if your IT team allows it.
Pay attention to publisher names, file locations, and whether the software is tied to a known vendor such as Microsoft, Adobe, Google, Zoom, Cisco, CrowdStrike, SentinelOne, or Okta.
How to remove suspicious programs from a work laptop safely
The safest removal process depends on whether the program is a normal app, a browser extension, or something that may be malicious.
If you are unsure, involve IT before proceeding.
1. Uninstall the software through the operating system
Use the built-in uninstall process first.
On Windows, remove the app from Settings or Control Panel.
On macOS, remove the app from Applications if it is clearly identified as a normal application, then empty the Trash if policy permits.
Do not manually delete random files from system folders unless instructed by IT.
Some programs spread across multiple directories and registry keys, and partial deletion can leave behind active components.
2. Remove suspicious browser extensions
Browser extensions are a common source of tracking, redirects, and credential theft.
Open your browser’s extension manager and remove anything unfamiliar, especially extensions that:
- Claim access to all websites
- Read and change browsing data
- Changed your search engine or homepage
- Installed without your approval
After removal, reset browser settings if your IT team recommends it.
3. Check startup entries and scheduled tasks
Malware often persists by launching at startup.
Review startup items, scheduled tasks, launch agents, and login items for unknown entries.
On Windows, Task Scheduler can reveal auto-start behavior; on macOS, LaunchAgents and Login Items can do the same.
If an item is tied to a known enterprise tool, verify it with IT before removing it.
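The Windows side of this review, as an added example that is not part of the original guide: a read-only PowerShell inventory of startup entries and scheduled tasks, recording each executable's signature status, publisher, and SHA-256 in a CSV that can be handed to IT. The report path, column names, and helper function names are assumptions; the script removes and changes nothing.

```powershell
# Added example: read-only inventory of auto-start entries for an IT report.
# Nothing is deleted or modified. Report path and helper names are assumptions.
$report = Join-Path $env:USERPROFILE 'autostart-inventory.csv'

function Get-ExePath([string]$Command) {
    # Extract the executable from a command line like: "C:\App\app.exe" /background
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"')    { return $Matches[1] }
    if ($cmd -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function New-Entry([string]$Source, [string]$Name, [string]$Command) {
    $path = Get-ExePath $Command
    $sig = $null; $hash = ''
    # Only inspect files that resolve to a real path; bare names stay unresolved
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Source    = $Source
        Name      = $Name
        Command   = $Command
        Path      = $path
        Signature = if ($sig) { "$($sig.Status)" } else { 'NotResolved' }
        Publisher = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = $hash
    }
}

$entries = @(
    # Entries from Run registry keys and Startup folders
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        New-Entry "Startup: $($_.Location)" $_.Name $_.Command
    }
    # Scheduled tasks whose action launches a program
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $task.Actions | Where-Object { $_.Execute } | ForEach-Object {
            $cmd = '"{0}" {1}' -f $_.Execute.Trim('"'), $_.Arguments
            New-Entry "Task: $($task.State)" ($task.TaskPath + $task.TaskName) $cmd
        }
    }
)

$entries | Export-Csv -Path $report -NoTypeInformation -Encoding UTF8
# On screen, list only entries without a valid signature or with an unresolved path
$entries | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Source, Name, Path, Signature -AutoSize
```

An unsigned or unresolved entry is a reason to ask IT about it, not proof of malware; many legitimate in-house tools are unsigned.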
4. Run an approved security scan
Use the organization’s endpoint protection software or an approved antivirus scan to detect malicious files, suspicious processes, and persistence mechanisms.
Many modern tools use behavior detection, cloud reputation services, and threat intelligence to identify potentially unwanted programs, trojans, and spyware.
If your company uses Microsoft Defender for Endpoint, Sophos, Bitdefender, Trend Micro, or a similar product, let it complete a full scan before making further changes.
5. Quarantine or isolate the device if needed
If you find evidence of malware, ransomware, or unauthorized remote access, isolate the laptop from corporate networks and notify security immediately.
In many organizations, endpoint detection and response tools can quarantine the device automatically while analysts investigate.
When you should not try to remove it yourself
Some situations require professional handling.
Self-removal is risky if the program appears tied to credential theft, lateral movement, encryption, or persistence at the system level.
- The laptop shows signs of ransomware
- You see unknown remote desktop or screen-sharing tools
- Security software is disabled and cannot be re-enabled
- Your browser or email account has unexplained sign-ins
- The device is managed by a corporate mobile device management system
In these cases, the safest way to deal with suspicious programs on a work laptop is to preserve evidence and let IT or security professionals investigate.
What to tell IT support
Clear reporting helps your security team act faster.
Provide concise details so they can assess the problem and determine whether it affects one device or the broader network.
- The exact program name, if visible
- Where you found it: apps list, startup items, browser extensions, or Task Manager
- Any warning messages, pop-ups, or unusual behavior
- Recent software installs, email attachments, or downloads
- Whether you used the device to access sensitive corporate systems
If possible, include screenshots and the approximate time the suspicious activity started.
How to reduce the chance of future infections
Removing suspicious software is only part of the response.
Preventing repeat incidents depends on strong account hygiene, endpoint controls, and safe browsing habits.
- Install software only from approved sources or software portals
- Keep the operating system and browser fully updated
- Use multi-factor authentication on work accounts
- Avoid clicking unexpected invoice, delivery, or HR attachments
- Review browser extensions regularly and remove unused ones
- Lock the screen when away from the laptop
- Follow your company’s policies for shadow IT and BYOD tools
Organizations often combine user training with managed detection, DNS filtering, email security, and application allowlisting to reduce exposure to unwanted programs.
Signs the removal worked
After cleanup and a security scan, the device should behave normally.
Common indicators of successful removal include:
- No unknown startup prompts after reboot
- No browser redirects or homepage changes
- No unexplained network activity or pop-ups
- Security software remains active
- Approved applications open without error
If any suspicious behavior returns, treat it as an unresolved security issue and escalate to IT again.