What is chronod, is it a part of Sonoma?

Hi! Former Apple dev here. Here's a brief on `chronod`: It's a LaunchAgent, not a LaunchDaemon, which means it's a per-user agent in macOS. It's specifically designed to manage widget-related tasks and is user-session dependent. To troubleshoot, I used several `launchctl` commands in Terminal to inspect and manage the `chronod` service. For those facing similar issues, here are the steps:

1. Check if chronod is Running:

launchctl print gui/501/com.apple.chronod

Replace `501` with your user ID (can be found with `id -u`). This command checks if `chronod` is active in your user session.

2. Restart chronod if Necessary:

launchctl kickstart -kp gui/501/com.apple.chronod

3. Ensure Network Access:

Make sure `chronod` has the necessary network access, especially if you're using a firewall or network monitoring tools.

It seems `chronod` plays a crucial role in widget functionality on macOS. My issues, in particular, were related to the Tesla widget. While a restart would have likely solved any issues related to this, I wanted to dive a bit deeper to help the next guy understand more about `chronod`. Hope this helps anyone struggling with widget issues!

That’s a longstanding bug in the add-on anti-malware you’re using, Norton.

That connection is an utterly benign part of macOS—widgets, specifically.

That add-on anti-malware haw been mis-flagging that for months, as has been acknowledged on the Norton website.

Remove Norton, use the built-in anti-malware, and that message will go away.

If you have concerns or issues with that add-on anti-malware, contact Norton support.

Add-on anti-malware tends to be noisy about non-issues, unfortunately.

Add-on anti-malware can also introduce security vulnerabilities as the designs of some has historically been hilariously bad, and too much of the add-on anti-malware has introduced privacy breaches. One of the better-known macOS anti-malware add-ons recently got what I’d consider a token 16 million dollar fine for reselling personally-identified browsing and web purchasing data, for instance. That other add-on “security” apps might also be selling that or other data would not surprise.

Blocking network connections can cause problems too, depending on what gets blocked.

I'm not a high-level person here, but my research indicates chronod is related to Widgets in macOS Sonoma. I got a popup from macOS firewall asking if I wanted to allow incoming connections to chronod. I found some Reddit posts that say it has to do with Widgets (apparently in iOS and macOS).

I checked the that chronod is properly signed by Apple, so it's certainly part of the system.

If the built-in macOS Firwall is active, you can check in System Settings > Network > Firewall > Options

and see if chronod is allowed to accept incoming connections. You could turn this off, but it might cause some Widgets not to work. Doesn't seem like a lot of risk to me though.

I’d expect false positives and connection notifications in add-on anti-malware are likely both inevitable and intentional, because this noise can effectively also serve as advertising for the product.

The bad news here is that chronod is part of macOS. Why is this bad news? Because this pop-up should never even show; the add-on security app should already recognize this daemon as part of macOS.

For assistance with third-party apps and particularly third-party add-on security apps, contact the third-party provider.

There have been previous cases with these add-on security apps where the app mis-detected and tried to delete parts of macOS itself. The built-in macOS anti-malware then detected and blocked these (erroneous) deletion attempts. The add-on security vendor eventually pushed out a fix for that false positive.

In this particular case, here is the Norton 360 work-around:

https://support.norton.com/sp/en/us/home/current/solutions/v20231108114911853

I would consider this chronod report to be a documented bug in this particular add-on security app.

I typically use the built-in anti-malware; Apple Gatekeeper, XProtect, and XProtect Remediator, absent some requirement for end-point security or similar. Why? One of the better-known add-on security apps was caught selling data, and I’d expect other add-ons might either be selling, or leaking.

The best procedure is to not use Norton at all. In fact Norton support has a document on how to resolve its false flagging. And yes, chronod is part of the chronocore framework of macOS Sonoma.

https://support.norton.com/sp/en/us/home/current/solutions/v20231108114911853

Best advice to be given is to stop using any anti-virus software. They are unnecessary and cause exactly the issue described here.

I want to endorse what @MrHoffman and @Ikrupp suggest: don't use 3rd party anti-virus on macOS.

Today's modern macOS and even Windows include powerful built-in anti-malware capabilities. Unless you are a high-profile target for bad-actors like government security services, or you frequent very sketchy websites, you don't need any 3rd party applications. If you must have one, Malwarebytes is probably the best option, and it's designed for most people (not tech experts).

Trying to make sense of what is happening on a modern computer, iPhone, or your network takes expertise and knowledge that most people simply don't have. In this case, Norton is showing you info that you have no way to understand and make an informed decision about--that's why many people ended up here. I suspect this is part of their marketing strategy. The best advice is "get rid of 3rd party AV, and just let macOS do it's thing."

And yes chrond is part of macOS; it can't be removed or stopped. If you block it, you are breaking macOS. It is possible for malware to pretend to be chrond, but this is VERY unlikely. But you can check the program's signature and verify it is signed by Apple.

Thanks for trying to clear up the confusion @MusicGenereDeleted.

The bottom line is: this is a macOS process; you can safely allow chrond connections in any firewall you're running on your Mac. You can dis-allow chrond, but it will likely break some functions related to widgets (and probably some other things).

wwwXpert wrote:

Do as jd2020 suggested.

Locate the file by clicking the "Details" next time the Norton alert appears.

Check and verify the file in question is signed by Apple.

If it is signed by Apple, you can permanently allow access.

If it is not, do not Allow access because it's most likely malware used to intercept browser credentials. Malicious programs often use common system program names to trick users into granting access.

Easier and more probably reliable to remove Norton, and use the built-in anti-malware.

removal of Norton means this unnecessary and distracting noise goes away, certainly.

Norton has been unnecessarily flagging this Apple app for months, based on postings.

It is an apple process, is not specific to Sonoma, in previous versions as well. It is not Chronod that is the issue. It is how the Norton firewall deals with requests from other machines to access to Chronod. Both the built-in firewall and the Norton firewall allow uninhibited access to Chronod by default.

Chronod is likely the time synchronizer. Different Apple products query each other all the time and, logically, all my Apple products on my network are setting their time off each other.

Chronod is marked wide open by default on both IOS/Mac OS firewalls and Norton's. The bug is that Norton keeps throwing access warning dialog boxes regarding an attempt to access Chronod from another machine with choices to allow or block access and if this is one-time or forever. It doesn't matter what options you choose and the dialog box will be back; sometimes immediately, sometimes not for a while. I can find no information suggesting Chronod is often used by bad actors. If you could post a link, I'd love to read about it. Currently Apple and Norton advise allowing access forever.

Do as jd2020 suggested.

Locate the file by clicking the "Details" next time the Norton alert appears.

Check and verify the file in question is signed by Apple.

If it is signed by Apple, you can permanently allow access.

If it is not, do not Allow access because it's most likely malware used to intercept browser credentials. Malicious programs often use common system program names to trick users into granting access.

L-R-G wrote:

I get this pop-up and would like to find out if it is some part of the latest OS-Sonoma.

https://discussions.apple.com/content/attachment/b4a0e41f-902d-4dd6-9328-abbae31924f5

If you are purposely running Norton....

Try uninstalling it and compare your results—Look for an in-app official uninstaller.

if in doubt search the developers website or contact their: Support/Help/FAQ/Known issues/compatibility/updates/uninstaller

Contact a third-party vendor - Apple Support

Contact a third-party vendor - Apple Support

Third party AntiVirus is not recommended— it typically does nothing but add issues to the macOS and competes directly with Apple’s own built in security:

macOS - Security - Apple macOS - Security - Apple

Apple Platform Security - Apple Apple Platform Security - Apple Support

ref: Recognize and avoid phishing messages, phony support calls, and other scams

Recognize and avoid phishing messages, phony ...

Don't "Allow" a program/daemon access unless you know with certitude exactly what it is. Err on the side of caution because you can always "Allow" permissions to a legitimate program after the fact which is much easier and less painful than canceling your credit card for fraud or filing a police report for identify theft.

Bad actors often create malicious programs that use legitimate and common program names to trick users into granting access. What's more difficult to fake are security signatures for legit publishers so programs such as Norton check and block programs that aren't signed. For instance "chronod" is often used by bad actors aka hackers to intercept browser data, e.g. credentials, while connected to a public wifi or hotel network that's outside of your corporate or home networks.

JM2C

Safe Computing

This is a bug. The permission box challenges the user. Permission is granted or not or anything . . . the permission box returns. The solution is to remove Norton 360. This is not acceptable.

This is likely a Norton Bug but it does require some investigation by Apple, if for no other reason than the "App Store" published this software and they usually do such a thorough job certifying the applications they allow in the App Store.

MusicGenreDeleted wrote:

This is a bug. The permission box challenges the user. Permission is granted or not or anything . . . the permission box returns. The solution is to remove Norton 360. This is not acceptable.

This is likely a Norton Bug but it does require some investigation by Apple, if for no other reason than the "App Store" published this software and they usually do such a thorough job certifying the applications they allow in the App Store.

Apple would disclaim any sort of thorough testing of any apps.

Apple usually tests for basic functions, and for use of permissible APIs.

As for Norton, they’ve seemingly known about this for some months, based on previous reports.

Being noisy is arguably a fundamental part of self-marketing of add-on security apps, too.