racoon "-D"? "secure.onavo.com"?

A .plist is just a preference file, not an app. It can't do anything by itself. The question is, what app is calling the UNIX command "racoon" to run?

As far as the -D option, it's not necessarily undocumented. Often, a lowercase and uppercase switch mean the same thing, they just don't note it.

It also appears to be a default part of Mountain Lion. The .plist file is in the /System/Library/LaunchDaemons/ folder so the OS reads it on each restart of the Mac. Part of the .plist tells the OS to RunAtLoad. What does it do? Got me, but I wouldn't worry about it. Apple must have it there for a reason.

Where does "secure.onavo.com" come in? Can't say. My guess would be it's tied to iTunes. However, the text for racoon says (in part) this about it:

The SPD (Security Policy Database) in the kernel usually triggers racoon.

So much more likely, it's probably tied to the new security measures in Mountain Lion. Still doesn't explain why it would be trying to talk to Onavo.

The domain "secure.onavo.com" is on a security blacklist:

IP Blacklist Check Status: Suspicious, Comment Spammer | IP-Tracker.org

and has been associated with rogue activity:

Probable Picscout or Image scanner

Someone from there tried to connect to your VPN server.

racoon is OS X's VPN client and it runs whenever a user establishes a VPN connection.

Onavo Extend and Onavo Count are iPhone only apps, which may establish a VPN connection to secure.onavo.com (from the phone). It looks like in your case you may have somehow installed the VPN configuration generated by one of the apps on your Mac, and therefore triggered the racoon process.

The blacklisting referred to is old and was a result of a mis-identification (notice the date).

Don't install Onavo. If you read their Terms they basically say they can do anything with the data that passes through their servers. What they are doing to "compress your data" is to redirect your request through their servers, collect the data, compress it and send it back to you. Not safe, and I stopped using it, and I warn everyone that uses it.

On your question, I cannot find com.apple.racoon in my Launch Daemons so I would search up on it and delete it.

That's what I would do, but it's your system and your choice, I am in no way responsible for damage to your system. Just needed to get that out there 😝

Hello,

I'm Galed and I'm the Head of Operations at Onavo. I'll try to explain some of the behaviours mentioned above although not all of them can be explained as they are not supposed to happen.

Racoon

Racoon is an open source VPN client/server, used by many operating systems and companies. Racoon is a built in VPN client used by iOS and this is the way Onavo creates a VPN connection from an iPhone to our servers. It is important to understand we do not install this process, it's there by default. Onavo sends as part of the installation flow of our apps a profile (known as mobileconfig) that only includes the configuration settings required to connect to our VPN servers.

The behaviour mentioned in this thread

The behaviour you mention here is something we do not understand because obviously our app is not supposed to be installed on Mac computers, we only support mobile devices. I can't really explain why you see a Racoon process trying to access our servers on your computer. Racoon is installed by default on all OS X operating systems, we did not install it there. The only explanation I can think of is either you, or someone else has installed our app on a simulator, or took the mobileconfig we generate for iPhone devices and ran it on a Mac. OS X is able to open and parse this mobileconfig and even try to initiate a Racoon connection - this is the only behaviour that may explain this.

Further investigation

@MrElvey - I will be happy to investigate this behaviour with you, if you wish to do that please send an email to our support team (support _AT_ onavo.com) and ask that the case will be sent to me (Galed).

For any other questions you can also feel free to contact our support team and they will be happy to assist.

Thank you,

Galed.

Good to hear from someone at Onavo with detailed info on their process.

Sure, but by the same token, an app can't do anything by itself; it needs an OS to run on. :-)

The difference though is a .plist really can't do anything by itself. It's a preference file, and that's it.

But I don't know what you mean by 'It'.

"It" refers to racoon. As Galed noted, it's installed by the OS itself. It's a UNIX command you can run in Terminal. If you want to get an idea of what it does, open Terminal and type in:

man racoon

"man" stands for "manual". A listing of what the app does and it's options are shown. There may be more than a page worth. When you're done reading, press x.

I think it's rare that options aren't case sensitive.

Not really. It's only necessary to make an option case sensitive when you're using the same letter to do two different things. All depends on who wrote the command, but I have often run across Terminal commands that don't give a hoot which way you enter an argument.

>>undocumented '-D'

It's not in the man page, but try an illegal option & you'll see :

usage: racoon [-BdDFvs46] [-a (port)] [-f (file)] [-l (file)] [-p (port)]

>> snip

-d: debug level, more -d will generate more debug message.

-D: started by LaunchD (implies daemon mode).

...