Want to highlight a helpful answer? Upvote!

Did someone help you, or did an answer or User Tip resolve your issue? Upvote by selecting the upvote arrow. Your feedback helps others! Learn more about when to upvote >

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: SaltySailor
SaltySailor Author
User level: Level 1
0 points

crsud process with security update 2013-001

I just installed the new security update, 2013-001, and Little Snitch detected a new process at startup, crsud, which wants to connect to Apple.


I would like to know what this does. My guess is that it checks for updates, perhaps to some security software. Anyone know?


It seems to me that when such a process is added, it is appropriate for Apple to explain itself in the update description, but I am old-fashioned about such things.


Greg

MBP 17" 2.33GHz, Mac OS X (10.5.1)

Posted on Mar 15, 2013 2:08 PM

Reply
168 replies
User profile for user: ds store
ds store
User level: Level 7
30,695 points

Mar 15, 2013 6:12 PM in response to SaltySailor

Yes, it connects to certain Apple servers hosed on Akamai host servers that contain Apple updates in the past.


I suspect it's checking for updates for the malware removal that was installed with the latest update.



Malware removal

Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

Description: This update runs a malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.


https://support.apple.com/kb/HT5672

Reply
User profile for user: MadMacs0
MadMacs0
User level: Level 5
5,221 points

Mar 15, 2013 6:18 PM in response to SaltySailor

Most of thosee of us here can only speculate on what it does and those that might know aren't allowed to post an answer. If you are interested in getting some guesses, it would help to know a bit more about your situation.


Obviously you aren't running OS X 10.5.1 as your profile would indicate, so are you using Snow Leopard or Lion?


Did you install the Safari update at the same time? If so, then it might be a Sarari process.


How often does it try to connect to Apple?


What is the path to crsud? If you double-click on the Little Snitch rule it will show it right below the process name box. Or you should be able to find it using EasyFind, Find Any File or the Terminal app's locate command.

Reply
User profile for user: Derek Currie
Derek Currie
User level: Level 1
123 points

Mar 15, 2013 6:18 PM in response to SaltySailor

I found a similar concern over at a German 'MacUser' thread. Here is what I have figured out so far:


- crsud is an new UNIX executable installed ONLY with Apple Security Update 2013-001. It is NOT installed into OS X 10.8.3. It doesn't exist in 10.8.3.


- In updated 10.6.8 and 10.7.5 it is located at:

/usr/libexec/crsud


- It is dated December 12, 2012.


- The headers for the executable indicate a dependancy on Apple's security system, both Security.framework and SecurityFoundation.framework.


- The footer for the executable apparently includes an Apple security certificate.


That's all so far. I've asked some friends in Mac security for any further information they may have found.


:-Derek

Reply
User profile for user: Derek Currie
Derek Currie
User level: Level 1
123 points

Mar 15, 2013 7:12 PM in response to Derek Currie

A couple Mac security friends chimed in and suggest the following:

Startingcom.apple.softwareupdate.crsucrsud- Has to do with code signing and software update and trust evaluation in Lion. Mountain lion handles it different.

. . .

Code Signing and Software Update was exactly my guess after browsing through the executable’s text content. I was just trying to figure out which part of the update documentation applies, but that doesn’t seem to help.

Reply
User profile for user: ds store
ds store
User level: Level 7
30,695 points

Mar 16, 2013 8:36 AM in response to WZZZ

WZZZ wrote:


Next question awaiting some possible answer is what kind of data does curl send back to Apple here after crsud runs?


Likley your iPhone location data 😁


https://www.apple.com/pr/library/2011/04/27Apple-Q-A-on-Location-Data.html



If Apple wanted to spy, a simple EFI update and one wouldn't know diddly squat.


In fact I saw network traffic occuring over my Wifi while EFI was booting, so I know something is going on behind the scenes already.

Reply
User profile for user: Yeehat
Yeehat
User level: Level 1
49 points

Mar 17, 2013 5:22 AM in response to ApMaX

ApMaX wrote:


I have found that the Little Snitch crsud (/usr/libexec/crsud) warning message about connection attempts during login (outgoing connections to domain apple.com) goes away if


Apple - System Preferences - Security - General - Automatically install important security updates


is unchecked (turned OFF).


Are you on 10.6.8? I don't have this option. The only sort of similar one is Automatically update safe downloads list (and I suppose this one may pertain to crsud and curl).

Reply

crsud process with security update 2013-001

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up