
"promotedcontentd"

Hi all,


Little Snitch caught this process (`/usr/libexec/promotedcontentd`) phoning home to strongbad.voiceopia.com on boot the other day. Pretty sketchy, given I had started nothing to that point, but it noted the process was signed by Apple. Upon further investigation, it's running on both of my systems.


The collective mind of the internet has to have some information regarding this process:


  1. What is this process? (simple guess: a program that fetches ads for the operating system... ?)
  2. Why do typical attempts to stop the process from running via launchctl fail? I get "unknown error: 150" on a `launchctl bootout` call, and `launchctl disable/stop` do not work as expected.
  3. Does removing this binary, and the associated plist file, have any larger fallout on the system that I should be aware of? (e.g. is the app store gonna still function after this if it can't talk to the local daemon?)


I've denied the binary all internet access via Little Snitch, but if the process is gonna dryrun itself in the background anyway, I'd like to stop it from running altogether to save on battery.

Posted on Feb 21, 2022 12:17 PM

Question marked as Best reply

Posted on Feb 21, 2022 1:08 PM

jklinect wrote:

> Little Snitch caught this process (`/usr/libexec/promotedcontentd`) phoning home to strongbad.voiceopia.com on boot the other day. Pretty sketchy, given I had started nothing to that point, but it noted the process was signed by Apple. Upon further investigation, it's running on both of my systems.

Little Snitch just does a reverse DNS lookup for an IP address and reports some name that was associated at some point. You can manually look up this name to get the IP address (52.6.160.3). And then look that up on ARIN to see who owns it. The answer is, surprise, surprise, "Amazon Technologies Inc." In other words, "the internet".


But none of that means anything. These servers, names, and IP addresses get passed around, cached, and re-used constantly. There is no way to tell if the IP address that Little Snitch found was associated with that domain name or the above IP address.

> 1. What is this process? (simple guess: a program that fetches ads for the operating system... ?)

You can run "strings" on it to find out all kinds of information. Your guess is pretty accurate. Apple provides an advertising network designed to protect people's privacy. It is part of the operating system. Is it malicious? Do you regularly see any pop-up ads? There is one company (Apple) trying to do advertising honestly and you are blocking them. I'm sure you're not blocking the other companies that are doing advertising dishonestly.

> 2. Why do typical attempts to stop the process from running via launchctl fail? I get "unknown error: 150" on a `launchctl bootout` call, and `launchctl disable/stop` do not work as expected.

It is part of the operating system, which is read-only.

> 3. Does removing this binary, and the associated plist file, have any larger fallout on the system that I should be aware of? (e.g. is the app store gonna still function after this if it can't talk to the local daemon?)

No way to tell. Depending on your computer, it might not even boot again.

> I've denied the binary all internet access via Little Snitch, but if the process is gonna dryrun itself in the background anyway, I'd like to stop it from running altogether to save on battery.

Did you detect some kind of heavy energy use from this process?


Here's the problem. Little Snitch is not doing you any favours. It is impossible to prevent apps from "phoning home". You could use an app like Little Snitch to interfere, but you aren't blocking anything malicious. You are simply interfering with the normal operation of the operating system.


If Apple, or any company for that matter, wanted to be sneaky and upload your personal information, why would they use a name like "strongbad.voiceopia.com" anyway? Why not "certificate-validation.apple.com"? Nobody's going to block that, are they?


But here is the problem. There is no way that you can tell the server isn't "certificate-validation.apple.com". As I mentioned above, these associations between domain names and IP addresses are not fixed or permanent. They could change at any minute. Big companies have hundreds or thousands of servers on Amazon. They spin new ones up in batches of hundreds and then shut them down when they are no longer needed. Some DNS server automatically links a name to an IP address and then changes it later. The next day, some other company does the exact same thing, with the exact same IP addresses, maybe even using the exact same computers. It's all on Amazon, after all. Little Snitch is doing a reverse name lookup, which simply isn't accurate.


Furthermore, there is no way to tell that promotedcontentd is actually doing this. The executable links to 16 different Apple frameworks. Any one of those could be responsible for making this network connection. The irony here is that it is likely that this specific request actually is validating some security certificate. By intercepting or blocking this request, you may be actually reducing your security. Maybe the Apple software actually is accessing "strongbad.voiceopia.com" merely to check the security certificate.


It is simply not possible for you to selectively identify and/or block internet traffic on your computer. It is absolutely impossible to look at a reverse DNS name and make some kind of judgement. All of this information is encrypted anyway. If any companies did want to track you, they can do it quite easily. You can't block it. All you are doing is interfering with the one company that is trying to help you - Apple.
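An added example, not part of the original posts: a forward-confirmed reverse DNS check that grades how much weight a hostname shown next to an IP address deserves. The record tables are constructed samples (only the strongbad.voiceopia.com / 52.6.160.3 pair is taken from the thread), and `classify`, `sample_ptr`, `sample_a`, `live_ptr` and `live_a` are hypothetical helper names.

```python
import socket

# Constructed sample records so the check runs offline.
SAMPLE_A = {
    "strongbad.voiceopia.com": {"52.6.160.3"},     # pair quoted in the thread
    "mail.example.net": {"192.0.2.10"},
    "old-tenant.example.org": {"203.0.113.99"},    # name now points elsewhere
}
SAMPLE_PTR = {
    "52.6.160.3": "host-52-6-160-3.cloud.example",  # constructed provider-style PTR
    "192.0.2.10": "mail.example.net",
    "198.51.100.7": "old-tenant.example.org",       # stale PTR from an earlier tenant
}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)

def sample_a(name):
    return SAMPLE_A.get(name, set())

def live_ptr(ip):
    """Real PTR lookup; returns None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_a(name):
    """Real forward lookup; returns the set of addresses the name resolves to."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def classify(ip, label=None, ptr=sample_ptr, a=sample_a):
    """Grade the PTR name of `ip`, and optionally a label a tool displayed for it."""
    ptr_name = ptr(ip)
    result = {"ip": ip, "ptr": ptr_name}
    if ptr_name is None:
        result["ptr_status"] = "no-ptr"
    elif ip in a(ptr_name):
        result["ptr_status"] = "forward-confirmed"  # PTR name resolves back to ip
    else:
        result["ptr_status"] = "unconfirmed"        # PTR name does not map back
    if label is not None:
        # Does the displayed label resolve to this address right now?
        result["label_resolves_to_ip"] = ip in a(label)
    return result
```

Passing `ptr=live_ptr, a=live_a` runs the same check against the system resolver; a result is a snapshot of DNS at the time of the query, not a statement about who operated the address when the connection was logged.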

Feb 21, 2022 12:39 PM in response to jklinect

It is a VoIP service which uses the internet vice a phone line.

Just because signed by Apple does not mean much.

Have you installed any internet security, VPN or similar?


Download and run this app so we can find more information about your installation.

https://etrecheck.com/upgrade

It shows what is launched and other information and is very useful in finding causes of problems. After you first launch the app make sure you check Enable full disk access in the box in lower left.


After running the app, use the app's feature to paste to clipboard. Then, to paste it in the text box for a reply in this forum, click on the additional text icon. This is because the normal reply text box limits how much you can type.

No personally identifiable information is contained in the app output. The app was written for a person who is a contributor to these Apple Support Communities.

Feb 21, 2022 2:07 PM in response to lllaass

Hi etresoft,


The detailed response is appreciated, thank you for your time in helping me understand the subject at hand. Will respond to some points, but I think this satisfies my curiosity itch:


> There is no way to tell if the IP address that Little Snitch found was associated with that domain name or the above IP address.


Reverse DNS inaccuracy aside, selecting/listing the wrong outgoing IP is an objective failure for part of the primary use case Little Snitch aims to satisfy. If it failed that, that would infer either (1) the operating system interfered with its ability to select the correct outgoing IP, or (2) it's poorly written and buggy enough to mis-function accordingly - both of which are disappointing conclusions to reach.


> No way to tell. Depending on your computer, it might not even boot again.


This was my concern, which is why further guidance on the subject was sought out before making knee-jerk reactions like removing the binary entirely.


> It is part of the operating system. Is it malicious? Do you regularly see any pop-up ads?


At the time of alert, the answers were inconclusive and no, respectively. I have Little Snitch on all my machines and this is the first time this process was flagged on any of them. Hence the reaching-out for help.


> Did you detect some kind of heavy energy use from this process?


If it's running, it's gonna use some volume of CPU cycles, no matter how minuscule that may be, that don't provide a benefit to my end experience if it's blocked. Why bother with it running if it's not gonna function right? (moot point, just wanted to explain the logic behind this)


> Here's the problem. Little Snitch is not doing you any favours.

> There is one company (Apple) trying to do advertising honestly and you are blocking them. I'm sure you're not blocking the other companies that are doing advertising dishonestly.


It's a process-by-process, connection-by-connection approach; the same vigilance/diligence applied here is uniform to all running processes. This one is just a gray area given the Apple affiliation. Not sure what to infer from "not doing you any favours" - to this point, Little Snitch has functioned as expected.


> If Apple, or any company for that matter, wanted to be sneaky and upload your personal information, why would they use a name like "strongbad.voiceopia.com" anyway? Why not "certificate-validation.apple.com"? Nobody's going to block that, are they?

> The executable links to 16 different Apple frameworks. Any one of those could be responsible for making this network connection.


More motivation behind the ask - if the daemon is functioning on behalf of another process (as some daemons typically do), I wanted to know which it was. Part of the "if-i-remove-it-what-stops-working" fallout.


> It is absolutely impossible to look at a reverse DNS name and make some kind of judgement.


In this era where a significant amount of the internet runs on AWS/Azure/GCP infrastructure, and IPs / domains are as ephemeral as you've noted, this might be sadly more true than I'd like to believe but notwithstanding - point made.


> It is simply not possible for you to selectively identify and/or block internet traffic on your computer ... [a]ll of this information is encrypted anyway. If any companies did want to track you, they can do it quite easily. You can't block it.


Point made. Blocking connection attempts only goes as far as effort; if a process really wants to "phone home" it can leverage its way around the block/out of the machine eventually.


Thank you, again, for your help/knowledge here, will unflag the process from the deny list accordingly.
