You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

crsud process with security update 2013-001

I just installed the new security update, 2013-001, and Little Snitch detected a new process at startup, crsud, which wants to connect to Apple.


I would like to know what this does. My guess is that it checks for updates, perhaps to some security software. Anyone know?


It seems to me that when such a process is added, it is appropriate for Apple to explain itself in the update description, but I am old-fashioned about such things.


Greg

MBP 17" 2.33GHz, Mac OS X (10.5.1)

Posted on Mar 15, 2013 2:08 PM

Reply
168 replies

Mar 17, 2013 7:41 PM in response to ds store

ds store wrote:


Because Apple ... said they did install a anti-malware scanner.

But they have been saying that since MacDefender days and from the looks of the installer, it still has the same MRT elements that have always been there. It certainly sounds like the same thing that has been distributed with every Security and Java update over the past year that runs once and then deletes itself.

Mar 17, 2013 10:09 PM in response to WZZZ

crsud looks at

https://swscan.apple.com/content/catalogs/others/index-cr-lion-1.sucatalog.gz

(change lion for snowleopard)


and finds details of any 'critical' updates… for now, just a SecUpdBase2013-001Test.pkg

these are then downloaded & installed - in the case of this 'test' package, installing an invisible 2 byte payload at /var/.emptypayload

the test package also contains a post-install action, which looks at

https://swscan.apple.com/content/catalogs/others/index-mountainlionseed-1.sucatalog.gz

and searches for a particular 'part number' , downloading it if found… The one looked for by the test package does not exist currently.


So -looking at WZZZ's screenshot earlier - he's already had that test update silently installed - as did I, on first boot to Lion following the 2013-0001 update

Mar 18, 2013 5:30 AM in response to andyBall_uk

That's really impressive Andy. I wouldn't know how to begin to get in and find all that stuff and then examine it. Way above my pay grade. That's great information. Thanks. (Sometime, when you have nothing better to do, I'd love to know how you did that.)


This is interesting:


/private/var/.emptypayload


2 bytes with a created and modified of 5/29/12


I wonder how that arrived, since it pre-dates this current update by many months.


Message was edited by: WZZZ

Mar 18, 2013 7:59 AM in response to WZZZ

>>/private/var/.emptypayload

>>2 bytes with a created and modified of 5/29/12

>>I wonder how that arrived, since it pre-dates this current update by many months.


my check was in Lion, which apparently changed the modified date to last night, although the creation date is also May 2012 - either Snow does something slightly different (the test package from cr-snowleopard is the same one) or some other difference between the way it ran on our two systems.


It was there on your pre-update backup ? likely not, just un-modified during/after install.

Mar 18, 2013 2:07 PM in response to WZZZ

>Sometime, when you have nothing better to do, I'd love to know how you did that

a passing knowledge of software update & the catalog format / url's -

then strings command on crsud, as I suggested to you on the other side,

then did nothing about it since I figured you or ds would be all over it using Little Snitch.


saw your screeny showing the test pkg, but carelessly thought was a rename for testing.

noticed the crsud.plist for root was altered after Lion update, containing an entry mentioning the same test pkg as your screenshot... so I looked more closely at Strings output & found that for now, at least, there's a different URL for critical updates (previously checked the main catalog for 'critical' or anything likely-sounding)

Mar 18, 2013 3:14 PM in response to MadMacs0

MadMacs0 wrote:

curl is a common process for transferring data with URL syntax. I see it used by a number of routines with my setup and it has been permanently approved with port 80 for a very long time.

So why keep using Little Snitch at all?

There is nothing protecting curl from malicious or surreptitious use and it is a very flexible and powerful tool. It is common practice for software that seeks to operate without being noticed to use common tools (e.g. curl, ssh, etc.) to do things like network access which are often watched, so as to look more like routine activity.

Mar 18, 2013 4:26 PM in response to andyBall_uk

andyBall_uk wrote:


…is xprotect disabled on the 10.6.8 mac ?

Not as far as know. At least I've not disabled it. Do note that both Java and Flash Player are totally up to date.

re ML - we know there's no crsud, so perhaps no 'test' package either?. I'm not sure what's in place for ML to ensure critical updates.

I'm not aware of anything except XProtect, which doesn't do any updating, but turns those off. I never do autoupdates of anything, but do keep up to date and manually install all updates.

Mar 18, 2013 4:45 PM in response to baltwo

baltwo wrote:


FWIW, not seeing /var/.emptypayload in my SL or ML boot volumes, both with the latest updates installed. Strange stuff here.

Did you check the box for "Automatically install important security updates"? I realize that's not something you would normally do, but it didn't sound like you would get the test package installation unless it was.

Mar 18, 2013 5:52 PM in response to baltwo

I just went back in and checked "Automatically install...." As soon as I did that, within a half second, Little Sntich came up with crsud wants to connect."


It seems Xprotect and the new crsud are wrapped up together, since that's in the original location for allowing XProtect updates.


Wonder if this is still working in 10.6 to force XProtect to update now.


sudo /usr/libexec/XProtectUpdater


sudo launchctl start com.apple.xprotectupdater

crsud process with security update 2013-001

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.