5 Replies Latest reply: Feb 27, 2015 6:15 AM by username121
Frank Nospam Level 2 (150 points)

After upgrading to Mavericks, I ran Activity Monitor and saw some new background daemons. The one that stood out to me was "Escrow Security Alert". Anyone know what this is? Its open files & ports list is:



/System/Library/PrivateFrameworks/CloudServices.framework/Versions/A/Resources/E scrowSecurityAlert.app/Contents/MacOS/EscrowSecurityAlert


/System/Library/ColorSync/Profiles/sRGB Profile.icc




/System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Resources/AppleKeyboardLayouts-L.d at

/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/Resources/SArtFile .bin






MacBook Pro (15-inch 2.4/2.2 GHz), OS Xi Spinal Tap (11)
  • tyler8541 Level 1 (10 points)

    I've taken a (very) brief look at the EscrowSecurityAlert application's code and it appears to sync your icloud keychain information. The whole process also looks like it might sync other settings with iCloud as well. If you open a finder window and press shift + Command + G and copy the path: /System/Library/PrivateFrameworks/CloudServices.framework/Versions/A/Resources/

    paste it into the open "Go to the folder:" field. Once there you can inspect items by right clicking them and selecting open with>change the "enable" pull down to "all applications"> select text edit> click open.


    ***IMPORTANT*** close without saving changes (you should not try to make any either).


    You will have to scroll a ways down to get to items that you can actually read. Once you have scrolled a ways down, you can see in plain text-ish what items are being sync'd and what the code is doing. Again I took a very brief look at this code, but I am fairly certain it is legitimate.


    source: I'm a former Mac Genius and current information security professional for a fortune 100 company.

  • Frank Nospam Level 2 (150 points)

    That's about what I figured.


    I'm not using iCloud Keychain, so I wish Mavericks would be smart enough to shut down unneeded parts (like this one).

  • VilleFromFinland Level 1 (0 points)



    Any ideas how to shut it down?


    In my point of view, this kind of parts raise internet security threat.

    I don't use iCloud but I use keychain and gmail, etc...


    Am I just being paranoid or stupid...

    Anyway, thanks in advance

  • andreasbeer1981 Level 1 (0 points)

    No, you're not. This should be perfectly fine as something like iCloud should be isolatable for exactly these security reasons, and giving the user a switch to toggle iCloud on and off should include _all_ processes that are only necessary for iCloud.


    Like I just kill "bird" and "cloudd", which were running all the time on Yosemite even though I don't use iCloud. I think this is yet another dark pattern used by Apple to sneak iCloud into everything. No wonder devices suddenly have undeletable U2-songs appearing.

  • username121 Level 1 (0 points)

    No need to shutdown EscrowSec:


    Below is what the code file looks like, simple routine IF THEN what to do with the Keys.

    Openssl has been depreciated for tis and custom cryptoLIBS.

    -------------------------------------------------------------------------------- -------------------------


    <?xml version="1.0" encoding="UTF-8"?>

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

    <plist version="1.0">







      <string>Create New Code</string>




      <string>A new security code must be created because of a change to iCloud Keychain servers.</string>


      <string>Create New iCloud Security Code</string>


      <string>iCloud Keychain</string>


      <string>Keychain Backup Alert</string>




      <string>Learn More</string>


      <string>Not Now</string>


      <string>Your security code was incorrectly entered too many times on one of your other devices and can no longer be used.</string>


      <string>Update Your iCloud Security Code</string>


      <string>Reset &amp; Turn Off Keychain</string>


      <string>All passwords in iCloud Keychain will be deleted, and iCloud Keychain will be turned off on all your devices.</string>


      <string>Reset and Turn Off iCloud Keychain?</string>




      <string>Update Security Code</string>


      <string>Your previous code was entered incorrectly too many times.</string>


      <string>A new iCloud Security Code must be created.</string>





    IF you want to kill a pid (process) do as the following:


    lsof (find the agonizing PID # next to the EscrowSec, i.e. 4251)

    lsof -n -i | grep 4251


    kill 4251

    ---------------------------Have a Nice Day------:-)-----------------