/usr/libexec/avconferenced --> Sending network requests to Beijing?

I'm running the Little Snitch network monitor and caught my MBP running Monterey sending requests to Beijing from the /usr/libexec/avconferenced process. Does anyone else find this suspicious?


Some forums claim that process is related to FaceTime and Sidecar but why would it be communicating with China?

Posted on Feb 23, 2022 9:59 PM

Question marked as Top-ranking reply

Posted on Feb 25, 2022 1:18 PM

From what I understand, Little Snitch only knows about IP addresses. Then it uses an inaccurate reverse DNS operation to give you a server name. What server name did it give you? In most cases, all servers are on some big content delivery network like Amazon Web Services. Your neighbourhood plumber's web site will be running right next to a Chinese school. If all Little Snitch has is an IP address, which name does it get? Nobody knows.


Feb 25, 2022 12:34 PM in response to pr3py

That /usr/libexec/avconferenced is installed by the operating system and your fellow users cannot tell why it would be sending requests (if it really is) to China. It also seems unusual that security researchers, eager for Apple cash, would allow this to go undetected. The macOS product team are the only ones that know the answer to your question and they do not participate in these public user-supported communities.


You might consider sending direct feedback to the macOS product team about this.

Feb 27, 2022 1:01 PM in response to pr3py

pr3py wrote:

The IP address that is reported by Little Snitch is 120.0.0.1, no server name is reported.

Are you sure about that? In theory, any number is theoretically as likely as any other random number. But internet IP addresses aren't random. For one thing, that is one digit away from 127.0.0.1, which is a shorthand for "localhost", your own computer. For another thing, any IP address ending in ".0.0.1" is highly unusual. That is usually the address of a low-level router, kind of like the "127.0.0.1".


If the Apple avconferenced software is contacting that server on purpose, it could be trying to determine if the computer in question is physically located in China. China is known for having some heavy-handed internet laws.


Otherwise, there are any number of possible explanations that have nothing whatsoever to do with Apple. It could be malware that is redirecting otherwise legitimate requests. Maybe ask Little Snitch about it. Probably the only thing anyone could know for certain is that avconferenced is not doing anything suspicious.

Feb 28, 2022 10:25 AM in response to pr3py

pr3py wrote:

I'm going to escalate this issue to Apple so that they can provide further clarification.

Apple isn't going to provide any information like that.


You don't "attract" malware, you "install" it. Various types of malware and scamware use all kinds of tricks to get people to install their software. Have you fallen for any of those? No way to tell.


There is lots of network activity that goes on in the background. I can assure you that Apple isn't uploading any of your sensitive information to China. Furthermore, these background processes could also be making network requests on behalf of 3rd party apps. It is just way too complicated internally to be able to figure this out.


If there isn't some legitimate, low-level networking or security reason for Apple to be connecting to that server, then the next most likely cause is some other software or hack that was meant to be "127.0.0.1" and was simply typed incorrectly. When I Google that IP address, the majority of results are exactly people who have mistyped "127.0.0.1".
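The address checks discussed in the replies above, as an added example that is not part of the original thread: it classifies a destination seen in a network monitor by routing scope and flags a public address that is one character away from 127.0.0.1. The function names and every sample pair except `/usr/libexec/avconferenced` and `120.0.0.1` are assumptions constructed for illustration; the check runs offline and does no reverse DNS or geolocation.

```python
import ipaddress

LOOPBACK = "127.0.0.1"

def scope(addr):
    """Return the routing scope of an IPv4/IPv6 address string."""
    ip = ipaddress.ip_address(addr)
    # Order matters: ipaddress also reports loopback and link-local
    # addresses as private, so test the narrower properties first.
    checks = [
        ("loopback", ip.is_loopback),
        ("unspecified", ip.is_unspecified),
        ("link-local", ip.is_link_local),
        ("multicast", ip.is_multicast),
        ("reserved", ip.is_reserved),
        ("private", ip.is_private),
        ("global", ip.is_global),
    ]
    return next((name for name, hit in checks if hit), "other")

def one_char_from_loopback(addr):
    """True if addr differs from 127.0.0.1 by one substituted character."""
    if len(addr) != len(LOOPBACK) or addr == LOOPBACK:
        return False
    return sum(a != b for a, b in zip(addr, LOOPBACK)) == 1

def triage(connections):
    """Annotate (process, destination) pairs seen in a network monitor."""
    findings = []
    for process, dest in connections:
        s = scope(dest)
        # Only a publicly routable address can be a "real" remote host
        # that is also a plausible mistyped localhost.
        typo = s == "global" and one_char_from_loopback(dest)
        findings.append({"process": process, "dest": dest,
                         "scope": s, "possible_localhost_typo": typo})
    return findings

# Constructed sample: only the first pair comes from the thread.
SAMPLE = [
    ("/usr/libexec/avconferenced", "120.0.0.1"),
    ("example-helper", "127.0.0.1"),
    ("example-helper", "192.168.1.1"),
    ("example-helper", "169.254.10.20"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A `possible_localhost_typo` flag is a prompt to look through local configuration (hosts file, proxy and app settings) for a mistyped localhost entry; it says nothing about what the remote host is.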

Mar 4, 2022 2:51 PM in response to pr3py

pr3py wrote:

On the topic of malware… can I ask which prevention/detection tool you recommend?


Start here:


Effective defenses against malware and other threats - Apple Community


The anti-malware business is too often a cesspool, to be blunt, what with poorly-designed and vulnerable products, with vendors that have sold personally-identified browsing and web purchase history, or with others that include a cryptocurrency miner, and “security” apps that are unstable or buggy or exploited.


For moderate and larger entities, end-point security can be useful, but that’s out of the range of what most end-user folks want to pay for and operate and deal with. Or manage. Or even need.


Oh, and all that is not how most folks are getting breached in recent years, too:


Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support


… or the folks are explicitly installing the rubbish apps. Does a deliberately-installed rubbish app really count as malware?


While far from perfect, Gatekeeper, XProtect, MRT, notarization, and the read-only file system do fairly well against most rubbish.


https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf


Feb 28, 2022 7:14 AM in response to etresoft

Thanks again for the response here. The address provided by Little Snitch is 120.0.0.1, not 127.0.0.1 (localhost).


I'm going to escalate this issue to Apple so that they can provide further clarification. This is happening on a brand new MBP, so I seriously doubt that I've had any time to attract any malware onto my machine. I'll close the loop on this thread if I am able to get Apple to supply a response. Otherwise I may simply block connections to that IP and see if FT continues to function.

Mar 4, 2022 8:15 AM in response to pr3py

pr3py wrote:

On the topic of malware… can I ask which prevention/detection tool you recommend?

macOS already includes functionality to protect the computer against malware. However, Apple always allows the user to override these protections. Malware gets installed by tricking the user into installing it. If you find yourself repeatedly being tricked into installing malware, then some kind of antivirus tool may be an effective way to protect your computer, not against malware, but against you.


I cannot recommend any specific tool. The "security" industry is rife with scams, low-quality software, and even malware. In this industry, companies are frequently bought and sold like regular people buy trinkets on eBay. Any product I might recommend could be transformed into a crypto-currency mining app overnight. I am not exaggerating here. Sorry.
