KnockKnock found many applications, should I be worried?
No. KnockKnock simply enumerates items that are automatically started, whether during startup, during login, or during another application's launch (e.g. browser extensions). Although Apple-signed items are filtered out by default, many legitimate 3rd-party items will likely be shown. Of course, the goal is that KnockKnock will also display any persistently installed malware.
Ok, so how do I determine if something is malware?
By design, KnockKnock itself doesn't try to determine whether something is malware. However, since VirusTotal is fully integrated into KnockKnock, known malware will be detected (and highlighted in red). The remaining items that are not flagged can be manually examined. Perhaps Google the hash of the file, run strings on it, or, if you are really concerned about a specific item, email me at firstname.lastname@example.org and attach the file :)
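The manual check suggested above (look up the file's hash, then read its strings) can be scripted. This is an added example, not part of KnockKnock or of the original page; the pattern list, the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import re
import sys

MIN_LEN = 4  # shortest run reported, the default of strings(1)
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Constructed, non-exhaustive patterns that deserve a second look in an auto-started item.
INTERESTING = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "launch_path": re.compile(r"/Library/Launch(?:Agents|Daemons)/[^\s\"']+"),
    "shell": re.compile(r"/bin/(?:ba|z)?sh\b"),
}

def file_hashes(data):
    """Hashes to search for; both are computed as the page does not name the algorithm."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def extract_strings(data):
    """Printable ASCII runs of MIN_LEN or more bytes, in file order."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def triage(data):
    """Return the hashes plus de-duplicated pattern hits found in the strings."""
    hits = {name: [] for name in INTERESTING}
    for s in extract_strings(data):
        for name, pattern in INTERESTING.items():
            for match in pattern.findall(s):
                if match not in hits[name]:
                    hits[name].append(match)
    return {"hashes": file_hashes(data), "hits": hits}

# Constructed sample bytes standing in for a binary (not a real file).
SAMPLE = (b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" b"\x00com.example.updater\x00"
          b"http://updates.example.invalid/check\x00"
          b"\x01\x02/Library/LaunchAgents/com.example.updater.plist\x00"
          b"ab\x00" b"/bin/sh\x00")

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(data)
    for algo, digest in report["hashes"].items():
        print(f"{algo}: {digest}")
    for name, found in report["hits"].items():
        for item in found:
            print(f"[{name}] {item}")
```

Pass the path of an item KnockKnock lists as the first argument; a hit is a reason to look closer, not a verdict, since legitimate updaters contain the same kinds of strings.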
When I run KnockKnock, why does it ask to access the keychain?
Recent versions of Safari store their list of installed extensions in the keychain (specifically in an item named 'Safari Extensions List'). To enumerate installed Safari extensions, KnockKnock queries this (and only this) item in the keychain. Clicking 'Allow' or 'Always Allow' will allow KnockKnock to list installed extensions. Clicking the 'Deny' button will block KnockKnock from accessing the keychain, and thus prevent it from listing the installed Safari extensions.
Why does KnockKnock try to access the network?
When KnockKnock is started, it connects to Objective-See.com to check if there is a new version of the product. Specifically, it reads the file products.json, which contains the latest version number of KnockKnock. No user or product information is collected or transmitted.
KnockKnock may generate network traffic related to its integration with VirusTotal. As described above, when a user clicks the 'virus total' button in the alert window, this will generate a request which contains the file's path, name, and hash. Note that the automated version checking can be disabled via the 'disable update checks' option in KnockKnock's preferences.
Finally, KnockKnock also utilizes Sentry.io for crash detection, which may generate network traffic related to crash reporting.