22 Replies Latest reply: Apr 12, 2012 5:35 PM by Chametzoo
  • WZZZ Level 6 (12,810 points)

    Before doing that, I'd  put Little Snitch on it to see if anything is making connections to the mothership.

    And stop them.

  • WZZZ Level 6 (12,810 points)
  • Chametzoo Level 1 (55 points)

    WZZZ: So, I've got Little Snitch working (for the next 3 hours of free trial).  What am I looking for??  Mike

  • WZZZ Level 6 (12,810 points)

    First, it can be renewed every three hours, but it's a must have application in general, so I'd buy it. Look for something like .rserv (there are others with a dot preceding the name or process) wanting to connect to some strange looking URL.


    See this thread for more like this.


  • Chametzoo Level 1 (55 points)

    WZZZ.... thanks.  This is all a bit technically beyond me.  Will Snitch block a nefarious communique?  I have gotten a few requests from Snitch to 'accept' or 'deny'.... but I have to say I don't really understand what it's asking me.  Mike

  • WZZZ Level 6 (12,810 points)

    Since right now the main purpose for you in using LS is you are looking for anything like .rserv wants to connect to (I made that up), if you see something like that just Deny. Little Snitch is based on Application and Process requests for outgoing connections. A lot of stuff, mostly legitimate, is usually going on behind your back. With LS you get to see what that is.


    Here's an excerpt from a thread in another forum where we were introducing Little Snitch to someone. (I could give you a screenshot of my ruleset, but I've modified the default one so much it would just be confusing.)


    In general, unless it's fairly obvious where it's coming from and it's needed, just deny first -- from experience, you develop a sense about when it sounds legitimate. Then, if something's broken, google the url in question, check with WOT (WOT, Web of Trust, can be added to a number of browsers) and if it looks OK, then go back and allow. Very often, if you deny, nothing gets broken and there's no reason to do any research, except out of curiosity. Often, I'll google first before deciding whether to allow or deny, and leave the pop-up hanging until I decide. When you are being prompted to allow or deny, you can "Show Details" to get more information....


    ...Just to add, if an application has no reason to be communicating out over the internet, like say TextEdit, which simply edits files on your local system and literally is incapable of opening documents residing on a server someplace on the internet, there's no reason to allow it to communicate to a server on the internet. If it's a program like Firefox, which needs to talk to web servers (port 80 and 443), then you allow that communication to happen. If it's an FTP (File Transfer Protocol) program, which needs to talk to an internet server over FTP in order for you to transfer files off that server onto your system, then you allow it to communicate over port... er... 21? 23? If it's a "free" game that doesn't support network play that for some mysterious reason is trying to talk to an IP address that doesn't resolve to a hostname, then you block it.


    For the most part it just requires you to sit back and think about things logically in that fashion, it's only when you get into cryptic stuff like destroying the App Store that it becomes mildly counter-intuitive and cryptic.


    And the prompts on Little Snitch are somewhat informative, in that they always do a reverse DNS lookup, which (normally) changes an unintuitive IP address into a fully qualified server name ( instead of, which makes it a lot easier to figure out what's talking to where.


    After a few days of firing up all your normal apps Little Snitch will literally be transparent, only prompting you when you add something new to your system....


    When Firefox goes to it talks to on port 80. Google then sends back information to your system so that you get the web page. When Firefox tries to make that initial connection to, Little Snitch will pop up a warning telling you that Firefox is trying to communicate with over port 80. Since you typically want to browse the web with a web browser, I typically choose the "allow port 80 communication with any server" option, instead of just allowing port 80 traffic with, because allowing connections to each server would get tedious fast, as every web site would result in a new popup. I don't mind if Firefox communicates with a web server over port 80 - that's its intended purpose.


    The same process occurs with Firefox and port 443 (https) connections. Firefox tries to connect to on port 443, which causes Little Snitch to pop up a warning letting you know a network connection attempt is being made, and you allow Firefox to communicate to any web server over port 443.


    Understand that Little Snitch remembers and manages connection attempts on an application, not system, level. If you fire up Safari and try to talk to a web site, it's going to pop up the same kind of connection messages because it's not Firefox. So basically each application gets its own set of connection filters that you choose to either allow or deny.


    Typically malware will attempt to connect to systems over nonstandard ports, like IRC, so after allowing port 80 & 443 if Firefox suddenly wants to talk to an IRC server you know something strange is going on.



    And here's something that might also be a bit helpful. -mac/448
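The rule logic described in the post above (a browser allowed on ports 80 and 443 to any server, rules kept per application rather than system-wide, a prompt whenever nothing matches, and the reverse-DNS and odd-port clues you weigh before answering) can be written out as a small simulation. This is an added illustration, not Little Snitch's own code and not from the thread; the Rule and Attempt classes, the ruleset, and the sample connection attempts (including the made-up ".rserv" name the thread itself invented) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    app: str               # application or process the rule belongs to
    port: Optional[int]    # None means "any port"
    host: Optional[str]    # None means "any server"
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Attempt:
    app: str   # process making the outgoing connection
    host: str  # reverse-DNS name, or the bare IP when no name resolved
    port: int


def is_bare_ip(host: str) -> bool:
    """True when reverse DNS gave no hostname and only an IP literal is shown."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def rule_matches(rule: Rule, attempt: Attempt) -> bool:
    # Rules are per application: a Firefox rule never applies to Safari.
    return (rule.app == attempt.app
            and rule.port in (None, attempt.port)
            and rule.host in (None, attempt.host))


def hints(rules: List[Rule], attempt: Attempt) -> List[str]:
    """Observations a user would weigh before answering an allow/deny prompt."""
    out = []
    if attempt.app.startswith("."):
        out.append("process name starts with a dot")
    if is_bare_ip(attempt.host):
        out.append("destination has no reverse-DNS name")
    # Ports this app has already been allowed on (explicit ports only).
    allowed_ports = {r.port for r in rules
                     if r.app == attempt.app and r.action == "allow" and r.port is not None}
    if allowed_ports and attempt.port not in allowed_ports:
        out.append(f"port {attempt.port} differs from ports already allowed for {attempt.app}")
    return out


def decide(rules: List[Rule], attempt: Attempt) -> Tuple[str, List[str]]:
    """First matching rule wins; with no match the user is prompted, as in the thread."""
    for rule in rules:
        if rule_matches(rule, attempt):
            return rule.action, []
    return "prompt", hints(rules, attempt)


def triage(rules: List[Rule], attempts: List[Attempt]):
    """Run every attempt through the ruleset; returns (app, host, port, decision, hints)."""
    return [(a.app, a.host, a.port, *decide(rules, a)) for a in attempts]


# Constructed ruleset: the "allow port 80/443 with any server" choice for the browser,
# and a blanket deny for an editor that has no reason to be online.
RULESET = [
    Rule("Firefox", 80, None, "allow"),
    Rule("Firefox", 443, None, "allow"),
    Rule("TextEdit", None, None, "deny"),
]

# Constructed connection attempts (documentation IPs, example.com names).
SAMPLE_ATTEMPTS = [
    Attempt("Firefox", "www.example.com", 80),
    Attempt("Firefox", "www.example.com", 443),
    Attempt("Safari", "www.example.com", 80),       # separate app, separate rules
    Attempt("TextEdit", "203.0.113.7", 80),
    Attempt("Firefox", "irc.example.net", 6667),    # browser on a non-web port
    Attempt(".rserv", "198.51.100.23", 8080),       # dotted name, bare IP
]

if __name__ == "__main__":
    for row in triage(RULESET, SAMPLE_ATTEMPTS):
        print(row)
```

Running it shows the two Firefox web connections allowed by rule, Safari prompting even for the same site because rules are per application, TextEdit denied outright, and the last two attempts prompting with the clues the post mentions attached.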

  • WZZZ Level 6 (12,810 points)

    A lot of stuff, mostly legitimate, is usually going on behind your back. With LS you get to see what that is

    I should have said "A lot of stuff, mostly legitimate, but often unnecessary...."

  • Chametzoo Level 1 (55 points)

    WZZZ... incredibly helpful, thanks!  Still no sign of Flashback.  I'll get Snitch on board permanently.... so far no odd connections reported or apps that shouldn't be talking on the internet, but I got my eye on it.
