Mar 18, 2013 5:52 PM (in response to baltwo)
I just went back in and checked "Automatically install...." As soon as I did that, within a half second, Little Snitch came up with "crsud wants to connect."
It seems Xprotect and the new crsud are wrapped up together, since that's in the original location for allowing XProtect updates.
Wonder if this is still working in 10.6 to force XProtect to update now.
sudo launchctl start com.apple.xprotectupdater
Mar 18, 2013 6:20 PM (in response to WZZZ)
>>Wonder if this is still working...
try it eh
I said earlier, not sure what ML has for the same purpose; of course it has a 'system data files & security updates' option in the SU pref pane, similar to the 'automatically install...' I haven't noticed what flags them yet, presumably something in the catalog or the pkm's.
I think it's a good thing overall: eg non-admin user, yet 'critical' updates come in w/o interaction, and it can be disabled if you wish. There are seemingly Flashback & maybe other such still around, due to no updates.
Mar 18, 2013 6:28 PM (in response to andyBall_uk)
I did just try it. (Figured I should eat my own dog food.) Looked through the logs and didn't see the usual "placeholder" message (screenshot below) that appears when the XProtectUpdater automatically connects but doesn't get an update. I'd never used the force update commands before, so don't know if that same message is to be expected when it's done that way.
Mar 19, 2013 8:18 AM (in response to WZZZ)
And looking at /private/var/db/install/crsud.plist I'm seeing that the last time it updated was last night after I checked "Automatically install..." and then allowed crsud to connect. Nothing thereafter.
(In Snow, but it's very likely because I'm not doing this correctly, I'm not finding any of the results you found, Andy, for test .pkg. Just /private/var/db/receipts/com.apple.pkg.SecUpdBase2013-001Test.plist, which doesn't contain any of what you are showing.)
This is the crsud.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
Message was edited by: WZZZ
Mar 19, 2013 8:36 AM (in response to billcole)
So why keep using Little Snitch at all?
There is nothing protecting curl from malicious or surreptitious use and it is a very flexible and powerful tool. It is common practice for software that seeks to operate without being noticed to use common tools (e.g. curl, ssh, etc.) to do things like network access which are often watched, so as to look more like routine activity.
Little Snitch resides in root and looks for suspicious outgoing network behavior, thus any malware attacking the machine that wants to go unnoticed when it calls home needs to gain access to root to disable Little Snitch.
So LS is protecting users who normally reside in Admin or (better) Standard User, which are lower permission levels, from unseen malware. It won't protect against someone installing a Trojan with their Admin password, obviously.
crsud and curl are root level processes, and Little Snitch flags crsud because it's a new process; it was installed in the last software update, thus LS doesn't automatically allow it in the default settings, as it hasn't seen it before.
curl is flagged because it can be easily called, so if one isn't running a program and curl wants to connect, it alerts the user that something fishy is going on.
LS will obviously get an update that will allow the new crsud and check the process that calls curl for legitimacy, thus allowing that by default as it's from Apple.
LS has protected many from the Flashback malware, as if it saw LS it just deleted itself, knowing it couldn't download the main payload without alerting seasoned users.
So it's an extremely useful security tool, especially if it catches some malware where the writer doesn't plan on users having it, thus alerting seasoned users that the platform is under attack.
For those malware writers that know we run LS, it forces them to seek root access which isn't as easy to accomplish.
Sure, a browser flaw can upload all a user's files or attempt to do things at a lower permissions level; the new LS 3 has an activity window now that shows all the connections and the activity of those programs/processes that are allowed through or attempting connections. So it can flag stuff that's going on when the user isn't doing anything, or that seems like overload for what they are doing. For instance, ASC is uploading the unposted comments on this forum so in case something happens you can recover your post in case of a glitch.
The object of LS is to keep the user aware of what's going out (and even into) their machine via the network connections.
Mar 19, 2013 9:55 PM (in response to WZZZ)
I just force ran the XProtect updater again, which I'm seeing in the logs, but nothing at all about actually connecting.
I should have mentioned this when you first brought it up, but back when XProtect first came out along with the Terminal command (and a small app) to force an update, there were a handful of individuals who lost their Login Keychains when they used it. Never figured out why and the numbers were small, but it did cause me to start telling people to only Toggle the preference to initiate an update. I even managed to get Macworld to retract their tip about it.
Now that the option seems to be gone for 10.6 users, I don't know what I should be recommending.
May 14, 2013 6:37 AM (in response to WZZZ)
And, if you haven't already done so, uncheck "Open 'safe' files after downloading" in Safari Preferences. Whether or not Apple keeps this list updated or not, this is an enormous security risk.
FYI: I personally have harped on this issue to Apple. They have at least acknowledged my complaint. I'm certain others have complained as well. I can say that at least the update to Safari 6.0.3 did NOT turn this checkbox ON again. I don't yet know if a clean install of Safari 6.0.3 still has it turned on by default.
If it helps: There have been no infections of Macs via this potential security hole, so far, of which I am aware.
Mar 20, 2013 3:00 AM (in response to Derek Currie)
Derek Currie wrote:
There have been no infections of Macs via this potential security hole, so far, of which I am aware.
IIRC, it was the original Flashback Trojan, which was downloaded as a FlashPlayer.pkg file, that started the concern over disabling this option. There may well have been others, even before that, but I'd have to go through the list to be certain.
Mar 20, 2013 5:29 AM (in response to MadMacs0)
I had it unchecked way before Flashback on principle; I wasn't going to trust whatever Apple thought 'safe' files were and also I don't like losing control over downloads. We saw what happened when that kind of user control was relinquished.
FWIW: output of strings /usr/libexec/crsud. You can clearly see here that it's involved with XProtect. No idea why I'm seeing these failures or errors, except that perhaps Apple hasn't finished the job yet.
Last login: Wed Mar 20 08:11:13 on ttys000
***********$ strings /usr/libexec/crsud
This tool must be run as root
crsud: Couldn't instantiate daemon
Error encountered - scheduling retry: %@
Error encountered - retries exhausted: %@
crsud service disabled - exiting now.
Preference set to force a scan
No lastScanDate in cache - will scan now
Will not scan - scan interval %d less than %d. Next scan in %d seconds.
Starting scan now...
Found updates to install
No updates found to install at this time
Sending request %@ %@
Found the following required updates: %@
Download catalog with URL: %@
EV cert checking disabled by preferences
Error parsing catalog: %@
No catalog found - done.
Error during download: %@
downloadCatalog returning with Dict:%@
Downloading package with URL: %@
Error downloading package: %@
Invalid product with key %@ found in catalog - cannot download and install product.
Package URL: %@, File Size: %ld, Digest: %@, Package ID: %@
Package Download Path is: %@
%s: Failed post-download size check for package "%s": expected %llu, got %llu
%s: Failed post-download digest check for package "%s": expected %s, got %s
Failed to register package %@ for %@ (returned trust level %d)
Invalid product download - file either does not exist or is a directory
Successfully verified package at path: %s
Invalid flat package %s
Untrusted request %s: %s
Error while downloading product :%@ - %@
Error callback while installing: %s
New install state: %s
Exception caught while downloading or installing product %@
Error encountered - product will be cleaned up
Exception caught in installProducts: %s
CriticalUpdates: Error attempting to create the preferences file - critical updates may fail
xProtect = %@, crsud = %@
Syncing up xprotect and codeginger preferences...
Error obtaining right to modify launch prefs: %@
Disabling crsud service - xprotect was found disabled...
Error attempting to enable crsud: %@
Canceling PA timeout
Scheduling PA timeout in %d seconds
Releasing power assertion: %@
No assertion exists while trying to release the assertion
Taking power assertion: %@
Could not create assertion - failed with status %d
setting cert validated for host %@ = %@
certValidatedForURL %@ = %@
isHostDisabledForEVCheck %@ = %@
Failed Software Update - trust evaluation failed in SecTrustEvaluate: %d
Failed Software Update - trust evaluation failed in SecTrustEvaluate with result: %d
Accepting valid EV Cert from host %@ with org name: %@
Failed Software Update - Refusing invalid certificate from host: %@
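The strings above show crsud doing two cheap integrity checks on each downloaded package before it trusts it: a size check against the catalog's declared file size, then a digest check against the catalog's declared digest ("Failed post-download size check ... expected %llu, got %llu" and "Failed post-download digest check ... expected %s, got %s"). The following is an added illustration of that pattern, not code from the thread or from Apple. Everything in it is constructed: the catalog entry, the package bytes, the package ID and URL, and the choice of SHA-256, since the strings do not reveal which hash crsud actually uses.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class CatalogEntry:
    """One product as a catalog would describe it.

    The fields mirror the values crsud logs ("Package URL: %@, File Size: %ld,
    Digest: %@, Package ID: %@"). The digest algorithm is an assumption made
    for this example; the strings on the page do not name the hash used.
    """
    package_id: str
    url: str
    size: int
    digest: str          # lowercase hex digest declared by the catalog
    algorithm: str = "sha256"


def catalog_entry_for(package_id, url, data, algorithm="sha256"):
    """Build a CatalogEntry describing `data` (used only to construct sample input)."""
    return CatalogEntry(package_id, url, len(data),
                        hashlib.new(algorithm, data).hexdigest(), algorithm)


def verify_download(entry, data):
    """Apply the two post-download checks, cheapest first.

    Returns (ok, message). The messages follow the wording visible in the
    crsud binary so they read like the log lines an admin would see.
    """
    # 1. Size check: cheap, catches truncated or padded downloads.
    if len(data) != entry.size:
        return False, ('Failed post-download size check for package "%s": '
                       'expected %d, got %d' % (entry.package_id, entry.size, len(data)))

    # 2. Digest check: catches same-size tampering the size check cannot see.
    #    compare_digest avoids leaking the position of the first mismatch.
    actual = hashlib.new(entry.algorithm, data).hexdigest()
    if not hmac.compare_digest(actual, entry.digest.lower()):
        return False, ('Failed post-download digest check for package "%s": '
                       'expected %s, got %s' % (entry.package_id, entry.digest, actual))

    return True, "Successfully verified package %s" % entry.package_id


# --- constructed sample data; not real Apple catalog content or a real package ---
GOOD_PKG = b"constructed flat package body " * 4
ENTRY = catalog_entry_for("com.example.SecUpdTest",
                          "https://updates.example.invalid/test.pkg", GOOD_PKG)

TRUNCATED_PKG = GOOD_PKG[:-7]                                # wrong size
TAMPERED_PKG = GOOD_PKG[:-1] + bytes([GOOD_PKG[-1] ^ 0x01])  # same size, one bit flipped


def run_checks():
    """Return the verdict for each sample so the behaviour can be inspected."""
    return {
        "good": verify_download(ENTRY, GOOD_PKG),
        "truncated": verify_download(ENTRY, TRUNCATED_PKG),
        "tampered": verify_download(ENTRY, TAMPERED_PKG),
    }


if __name__ == "__main__":
    for name, (ok, msg) in run_checks().items():
        print("%-9s %s  %s" % (name, "OK  " if ok else "FAIL", msg))
```

The ordering matters for the reasons the strings suggest: the size comparison rejects an interrupted or padded download before any hashing is done, while the digest comparison is what actually catches a package that has been altered in transit or substituted with one of the same length. Neither check says anything about who published the catalog; that is the job of the separate EV certificate evaluation the other strings refer to.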
Mar 21, 2013 2:14 PM (in response to andyBall_uk)
Just tried toggling off/on: nothing. Although it did run, or at least Little Snitch asked to allow and I allowed earlier today. Whether that means it actually ran anything, I have no idea, since the logs show nothing.
Mar 21, 2013 6:10 PM (in response to WZZZ)
No logs here either, except when it ran after reboot & the connection was offline, then on verifying a package & installing it; but crsud.plist will be modified with a last success entry, and root's Library/Caches/crsud/cache.db is altered too.
Mar 22, 2013 3:25 AM (in response to andyBall_uk)
I don't have that cache.db anywhere.
/private/var/db/install/crsud.plist, which you mentioned, appears to have been updated yesterday, presumably from when crsud asked to run.
Message was edited by: WZZZ