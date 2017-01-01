Q:
KnockKnock found many applications, should I be worried?
A:
No. KnockKnock simply enumerates items that are automatically started; either during startup, during login, or during another application's launch (e.g. browser extensions). Although signed-Apple items are filtered out by default, many legitimate 3rd-party items will likely be shown. Of course, the goal is that KnockKnock will also display any persistently installed malware.
Q:
Ok, so how do I determine if something is malware?
A:
By design KnockKnock itself doesn't try to determine if something is malware or not. However, since VirusTotal is fully integrated into KnockKnock, known malware will be detected (and highlighted in red). The remaining items that are not flagged can be manually examined. Perhaps google the hash of the file, run strings on it, or if you are really concerned about a specific item, email me at patrick@objective-see.com
and attach the file :)
Q:
When I run KnockKnock, why does it ask to access the keychain?
A:
Recent versions of Safari store their list of installed extensions in the keychain (specifically in an item named 'Safari Extensions List'). To enumerate installed Safari extensions, KnockKnock queries this (and only this) item in the keychain. Clicking 'Allow' or 'Always Allow' will allow KnockKnock to list installed extensions. Clicking the 'Deny' button will block KnockKnock from accessing the keychain, and thus prevent it from listing the installed Safari extensions.
Q:
Why does KnockKnock try to access the network?
A:
In order to detect known malware, KnockKnock is integrated with the online malware detection service VirusTotal
. Specifically, hashes of items that are found by KnockKnock, are automatically and securely sent to VirusTotal to determine if they are associated with known malware. A user can also manually resubmit or rescan a file, which will generate outgoing connections to VirusTotal as well. VirusTotal is the only network endpoint that KnockKnock talks to; it has no other networking logic. If you prefer, you can disable VirusTotal integration (via the Preferences popup). Once disabled (until re-enabled), KnockKnock will not attempt any network connections or generate any network traffic.