Yes, it connects to certain Apple servers hosted on Akamai host servers that contain Apple updates in the past.
I suspect it's checking for updates for the malware removal that was installed with the latest update.
- Malware removal
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2
Description: This update runs a malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.
Most of those of us here can only speculate on what it does and those that might know aren't allowed to post an answer. If you are interested in getting some guesses, it would help to know a bit more about your situation.
Obviously you aren't running OS X 10.5.1 as your profile would indicate, so are you using Snow Leopard or Lion?
Did you install the Safari update at the same time? If so, then it might be a Safari process.
How often does it try to connect to Apple?
What is the path to crsud? If you double-click on the Little Snitch rule it will show it right below the process name box. Or you should be able to find it using EasyFind, Find Any File or the Terminal app's locate command.
I found a similar concern over at a German 'MacUser' thread. Here is what I have figured out so far:
- crsud is a new UNIX executable installed ONLY with Apple Security Update 2013-001. It is NOT installed into OS X 10.8.3. It doesn't exist in 10.8.3.
- In updated 10.6.8 and 10.7.5 it is located at:
- It is dated December 12, 2012.
- The headers for the executable indicate a dependency on Apple's security system, both Security.framework and SecurityFoundation.framework.
- The footer for the executable apparently includes an Apple security certificate.
That's all so far. I've asked some friends in Mac security for any further information they may have found.
Thanks all, esp Derek. It seems like it is something to allow permanent access. Still wish Apple would explain themselves, as a lot of us do take ownership of our computers and watch what is happening.
I didn't realize my profile had the old OS - now fixed. Still, this thread is in the Snow Leopard community...
A couple Mac security friends chimed in and suggest the following:
Startingcom.apple.softwareupdate.crsucrsud - Has to do with code signing and software update and trust evaluation in Lion. Mountain Lion handles it different. ... Code Signing and Software Update was exactly my guess after browsing through the executable’s text content. I was just trying to figure out which part of the update documentation applies, but that doesn’t seem to help.
Next question awaiting some possible answer is what kind of data does curl send back to Apple here after crsud runs?
Likely your iPhone location data.
If Apple wanted to spy, a simple EFI update and one wouldn't know diddly squat.
In fact I saw network traffic occurring over my Wifi while EFI was booting, so I know something is going on behind the scenes already.
I have found that the Little Snitch crsud (/usr/libexec/crsud) warning message about connection attempts during login (outgoing connections to domain apple.com) goes away if
Apple - System Preferences - Security - General - Automatically install important security updates
is unchecked (turned OFF).
Are you on 10.6.8? I don't have this option. The only sort of similar one is Automatically update safe downloads list (and I suppose this one may pertain to crsud and curl).