back to article Knock Knock tool makes a joke of Mac AV

Security research and development bod Patrick Wardle has released a tool to reveal executables that automatically boot in Mac OS X. The Knock Knock tool was open source and built on an extensible framework to encourage the community to evolve the platform. Wardle, of consultancy Synack, said he designed the tool because he …

  1. Henry Wertz 1 Gold badge


    This is clever, and should be pretty effective. After all, (this is true in Windows and Linux as well), if there's some "naughty" executable on there, but it never actually gets executed... it's basically a bit of data taking up space. Knowing about what gets loaded up on boot is the first line of defense against malware on any system.

  2. Shane8


    What about this MacOS that keeps loading up automatically, will it get rid of this and replace with my favourite Linux distro?

  3. Frankee Llonnygog

    Re: your favourite distro?


  4. AMBxx Silver badge

    Re: hmmmm

    No Linux or MacOS here, but have an upvote to take away the pain of all those down votes.

    People get so worked up about their Apple toys.

  5. sabroni Silver badge
    Thumb Up


    Can I wipe it and put a PROPER Linux on there?

  6. Pookietoo

    Re: FTFY

    It's not Linux, it's BSD.

  7. Cliff


    Likewise, have an upvote to take away the pain.

    They really do, don't they? Even you being meta and impartial gets a downvote lobby also. In fact I'll bet this post, several removed gets downvotes for agreeing that people downvote oversensitively, simultaneously vanishing into a recursive loop and proving your point...

  8. Frankee Llonnygog

    Re: @AMBxx

    "Apple toys" counts as impartial?

  9. sabroni Silver badge

    @Cliff: They really do, don't they?

    Not me. What gets up my goat is the constant posting by some on here that you can make any device better by wiping it and putting your favourite Linux distro on it.

    We get it! A load of people on here like Linux. Now change the fucking record.....

  10. gnasher729 Silver badge

    Re: hmmmm

    If you own a Mac, feel free to install Linux on it if you like. Nobody is stopping you.

  11. Wzrd1

    Re: FTFY

    Sorry, as one that uses Linux to death, Windows when forced and all...

    I'll stick with my MacBook Pro, due to its hardware capabilities.

    *Each* OS has its strengths and weaknesses, depending upon usage.

    Windows is, essentially, king, due to ease of use/misuse by the average village idiot and regrettably, all to often maintained by other village idiots.

    *BSD is nice, but it is a lot stodgy in admitting to new interfaces/technology. As in taking two years to admit a beta USB system and three years to get the damned thing to actually work properly.

    Linux is nice, if you like rough edges. I use it daily at home and frequently at work.

    Linux is nice, but it's unpolished in may areas, when compared on a desktop level with Windows or OS X.

    From that standpoint, I've eliminated all Windows desktops at home. I still maintain a Windows server, due to certain commonalities issues.

    All desktops are Linux, my singular exception is this MacBook Pro, where I am typing from now.

    Now, from a security standpoint, I condemn all.

    Linux for partially adopting SELinux, *BSD for not bothering to seek NSA input in a far more merciful time, Microsoft was totally out of that program. Said program was to teach how to build a Trusted Operating System.

    Still leaving Solaris, in certain special configurations, as the *only* trusted operating system for the US.

  12. Dan 55 Silver badge

    It works, I used it and I found some malware

    It was the Google Updater. I don't know how it got on the computer but I've wiped it.

  13. Anonymous Coward
    Anonymous Coward

    Re: It works, I used it and I found some malware

    The Google updater comes in with various products. Ironically, the most nefarious hookup was a supposedly secure chrome based browser which installed a covertly mounted drive which only showed up in disk utility and which set up various services to re-install itself from there.

    It got in because I just upgraded hardware as well as OS, and the "Hands Off!" license didn't work in the new machine (HO does not just firewall code from the network, it can also bar access to the hard disk). Grr.

    There are advantages coming from the world of Windows - I don't trust anything. So far, it's certainly less work to keep things safe on a Mac, but it still requires paying attention.

  14. Unicornpiss Silver badge
    Thumb Up

    Malware detection

    I have to admit I've found and cleaned more malware (on Windows) with Sysinternals Autoruns than with any anti-malware scanning product. I'm surprised nothing like this existed for Macs before.

  15. Anonymous Coward
    Anonymous Coward

    Re: Malware detection

    sssshhhhhh don't tell everyone :o)

  16. This post has been deleted by its author

  17. bytejunkie

    good idea

    i have two macs, i'll be running this.

    another point - i have a problem currently with an email client that isn't configurable for what folders it can download. its downloading a bunch of javascript malware that on windows would be an issue but on a mac is just flagged by avast (but not sophos - beware of sophos mac users)

    thats bad design of software.

  18. sabroni Silver badge

    Re: its downloading a bunch of javascript malware that on windows would be an issue

    Why? What's going to execute them on Windows? Isn't your email client the thing that'll parse these scripts? Doesn't the mac client have the same capabilities? (Genuine technical question everyone, so can we skip the OS flames if at all possible? When I double click a .js file in windows it opens in notepad...)

  19. bytejunkie

    Re: its downloading a bunch of javascript malware that on windows would be an issue

    interesting point.

    the way i was thinking about it was, its only executed if i go into junk and ask it to display that message. then the js file will be opened and run, since its an html capable email client. and i never go into junk. so not a massive issue. i think my windows vms are sufficiently ringfenced.

    but the big issue is usability. my screen is filled with warnings. im not sure its a good idea to store malware even if you can't execute it. and do i really want to be backing up malware onto the time machine backups on my nas only for the AV on my nas to find them as virus infections? not really.

    the small issue is why is avast detecting js malware when gmail isnt.

  20. AMBxx Silver badge

    Re: good idea

    If you email client is running javascript attachments, you're doing something wrong.

    Surely not happened in 15 years?

  21. Anonymous Coward
    Anonymous Coward

    Re: good idea

    i have two macs, i'll be running this.

    I'm going to wait. 50% of so-called "security" tools (especially the free ones) are in reality anything but. That's not to say this is not kosher, but I tend to do a lot more checking before I install anything.

  22. Steven Raith

    Re: good idea

    50% of the security tools don't come with a half hour explanation of why they were built, and how they work.

    Good grief, I'm not sure if you're being deliberately obtuse or you're just a bit dim.

    Steven R

  23. Anonymous Coward
    Anonymous Coward

    Re: good idea

    50% of the security tools don't come with a half hour explanation of why they were built, and how they work.

    Good grief, I'm not sure if you're being deliberately obtuse or you're just a bit dim.

    My background is in the more "interesting" sides of security. If you consider a half hour plausible explanation sufficient validation to consider something safe you will probably also happily answer those spams that tell you there is a problem with your bank account as it all looks kosher - ditto for the other downvoters.

    By way of illustration, see Whitehatsec aviator. That thing (or something that somehow managed to replace what was supposed to be there) manages to create a hidden, persistent mount which only shows up in Disk Utility, and which throws all sorts of hooks into the OS to re-install itself if you delete parts of it, it takes quite a bit of work to eradicate it (and there's hoping it hasn't dragged anything else in while it kept the cat flap open). That was reviewed in Tom's Hardware as an excellent product, but it turned out to be malware.

    Macs are reasonably easy to keep clean, provided you avoid installing stuff you haven't checked out from all possible angles. A fancy and plausible explanation may seem like a recommendation, but there are enough people who can cook up a plausible text but for less benign purposes. All a trojan needs is for you to run it, and Macs too seem to have this weird need to install everything at system level, which gets people far too used to granting admin rights..

  24. cd

    AC, good idea to be cautious. Also, if you want a GUI, etrecheck will make you a nice list as well. Not sure if ti gets the same things, but I have found some mouldering daemons with it.

  25. Anonymous Coward
    Anonymous Coward

    Knock Knock!

    Who's there?


    Tim who?

  26. DougS Silver badge

    What's the definition of "malware?"

    He seems to be assuming anything that autoruns at startup but wasn't signed by Apple is malware. I'm sure a lot of applications install their own stuff, and I even have some of it on my Linux desktop - VMware starts up several processes automatically!

    What if you install Photoshop and there's an Adobe process that runs on OS X at startup (I don't know if there is, just using as an example) If it just checks for updates, is it OK? What if it downloads the updates without asking, possibly taking up all your drive space if you were short? What if it has a bug in it where it deletes a failed download and re-downloads it over and over again so when you have a full drive it soaks your network bandwidth? What if it has a bug where it hits a spin loop and consumes 100% CPU? What if it uploads the MAC address of your computer back to Adobe? What if it records keystrokes during while you're running Photoshop, to help engineers fix bugs and improve the GUI? What if it has a bug where it keeps recording keystrokes after you're done, and uploads passwords to Adobe? What if that isn't a bug, but a backdoor some engineer put in on his last week of work hoping to tank the company when it became public?

    Everyone has a different point in the above where they'd say it crosses the line into malware, but claiming anything related to something a user knowingly installed is "malware" conflates it with true malware, which is something you never intended to install or didn't install but it happened through a remote/web exploit.

  27. Keven E.

    Define the definition of is.

    "...true malware, which is something you never intended to install or didn't install but it happened through a remote/web exploit."

    Don't we need a coupla two tree more parameters for this definition, cuz with just *those it seems quite equatable to a "virus"?

    I challenge that the *only difference is that a virus just spreads without you/your machine *doing anything...

    ... like I just did by opening Pandora's box (snicker).

  28. ashdav

    Re: Define the definition of is.

    @ Keven E.

    Please learn to spell and use punctuation correctly.

  29. Keven E.

    I'll order a round for the bar

    It's all about pronunciation.

    How is one s'posed to spell punctuation, ashdav?

  30. sabroni Silver badge

    Re: Don't we need a coupla two tree more parameters for this definition

    I'd rather see that than 'No overload for method takes 1 argument'....

  31. RegKees


    Interesting stuff. Although if all true, you have to wonder why this isn't being abused more, given how prevalent Macs have become, and how many people love to be hating on them. Anyway, if he creates a slick gui for this he'll be able to sell it, I'm sure. Hype it up, say it elevates Macs to insane levels of security. Should work, though he might have trouble getting it approved at the app store...

    Somebody does need to tell this guy the OS is actually called '10' though (you know, the roman number, not x)

    Slightly embarrassing, to not get the name of your topic right ;-)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018