
What is rapportd? In /usr/libexec/rapportd After update to 10.13.2 Firewall asked about it

What is /usr/libexec/rapportd?

After update to 10.13.2 Firewall asked whether I want to allow network access.

Is it from apple?

If not, where does it come from? The only thing I found was that Trusteer has a tool named rapport but I did not install it (maybe in combination with another product but not that I am aware of).

OBS MacBook Pro (15-inch 2.4/2.2 GHz), macOS High Sierra (10.13.2)

Posted on Dec 7, 2017 2:00 AM

Question marked as Best reply

Posted on Feb 14, 2018 7:00 AM

Hello whstlblwr,

Yes. You are correct. There is a lot of confusion over this issue because there is a 3rd party security product called "Trusteer Rapport" that banks have been pushing on their customers for years. I'm not sure what Trusteer Rapport does, but it sure doesn't protect against adware. Here is a great example showing a truly scary amount of adware installed right alongside Trusteer Rapport: EtreCheck has detected infected adware, should I delete files?


Unfortunately, in macOS Sierra, Apple introduced a new background process and named it "rapportd". That was the source of the confusion in this thread. I've seen similar confusion in other threads.

41 replies
Dec 7, 2017 12:23 PM in response to tbhunderbird

This happens to me too. I don't think it is related to Trusteer nor IBM.


Examination of the /usr/libexec/rapportd (dated Dec 1, 2017 15:46) shows a '--version' option as:


Rapport daemon version 120.48


Makes use of the following classes:

  • com.apple.rapport
  • com.apple.rapportd
  • com.apple.notifyd.matching
  • com.apple.rapport.prefsChanged
  • com.apple.rapport.Client
  • com.apple.rapport.KeepAlive
  • com.apple.private.xpc.launchd.event-monitor


Appears to be an XPC-based network daemon with levels of -->multipeer<-- 'chatty'-ness and private/public flag.


Pattern 'rapportd' is found in the following files:

  • /usr/libexec/rapportd
  • /usr/sbin/systemstats <--- sounds legit
  • /usr/share/man/man8/rapportd.8


So, there is a MAN page: Executed 'man rapportd' and I get the following:


rapportd(8) BSD System Manager's Manual rapportd(8)


NAME

rapportd -- Rapport Daemon.


SYNOPSIS

Daemon providing support for the Rapport connectivity framework.


Use '/usr/libexec/rapportd -V' to get the version.


LOCATION

/usr/libexec/rapportd


December 7, 2017


Looks like this is directly related to the Mac OSX System Update that I performed on that man page's date timestamp.


But ZERO hit on Bing/Google/Search.Com on the search phrase "Rapport connectivity framework"

Dec 11, 2017 7:58 AM in response to GreenMamba

What is extremely disappointing of Apple Support is their unwillingness to explain in their Support Discussion groups, much less in their 10.13.2 Release Notes, what exactly this `rapportd` daemon does.


All we know from the threads and my experiences are these:

  • It is an undocumented 'Rapport Connectivity Framework' (RCF),
  • Port 49158/tcp
  • It is not power-friendly, wakes up the entire box too often
  • systemstat starts this rapportd daemon
  • RCF is a multi-client chatty protocol
  • iPhone and iPad make an effort to connect with iMac

Dec 7, 2017 1:44 PM in response to tbhunderbird

Also, Rapport Connectivity Framework (rapportd) daemon opens TCP port 49158, so your firewall should be blocking it until this daemon has been vetted, publicly and by Apple.


# lsof -i -P | grep -i rapport

rapportd 334 jdoe 3u IPv4 0xc1e2ffdef2ba45df 0t0 TCP *:49158 (LISTEN)

rapportd 334 jdoe 4u IPv6 0xc1e2ffdeed4f37b7 0t0 TCP *:49158 (LISTEN)


Internet Storm Center has little info on this port number:


TCP/UDP Port 49158 Activity - SANS Internet Storm Center
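
An added example, not part of any post in this thread: a shell script that lists TCP listeners from `lsof -i -P` output like the lines quoted above and, on macOS, checks each listening binary against the `anchor apple` code-signing requirement, which answers the "Is it from Apple?" question directly. The sample lines are constructed in the layout of the quoted output, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: which processes listen on TCP, and are their binaries Apple-signed?

# Constructed sample in `lsof -i -P` column layout, modelled on the post above
# (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME); the Safari line is invented.
SAMPLE='rapportd 334 jdoe 3u IPv4 0xc1e2ffdef2ba45df 0t0 TCP *:49158 (LISTEN)
rapportd 334 jdoe 4u IPv6 0xc1e2ffdeed4f37b7 0t0 TCP *:49158 (LISTEN)
Safari 812 jdoe 21u IPv4 0xc1e2ffdef2ba1111 0t0 TCP 192.168.1.5:50211->192.0.2.10:443 (ESTABLISHED)'

# listeners: lsof lines on stdin -> "command pid port scope", one line per
# (pid, port), so the IPv4 and IPv6 sockets of one daemon collapse together.
listeners() {
  awk '$8 == "TCP" && $NF == "(LISTEN)" {
    n = split($9, part, ":"); port = part[n]
    addr = substr($9, 1, length($9) - length(port) - 1)
    if (addr == "*") scope = "all-interfaces"
    else if (addr ~ /^(127\.|\[::1\]|localhost)/) scope = "loopback"
    else scope = addr
    key = $2 ":" port
    if (!(key in seen)) { seen[key] = 1; print $1, $2, port, scope }
  }'
}

# is_apple_signed: succeeds only if codesign validates the file against the
# "anchor apple" requirement, i.e. it is signed by Apple itself (macOS only).
is_apple_signed() {
  codesign --verify -R='anchor apple' "$1" 2>/dev/null
}

# report: live data on macOS, otherwise the constructed sample.
report() {
  if command -v codesign >/dev/null 2>&1 && command -v lsof >/dev/null 2>&1; then
    lsof -i -P -n | listeners | while read -r cmd pid port scope; do
      path=$(ps -p "$pid" -o comm=)   # on macOS this is the executable path
      if is_apple_signed "$path"; then verdict="apple-signed"; else verdict="NOT-apple-signed"; fi
      echo "$cmd pid=$pid port=$port scope=$scope path=$path $verdict"
    done
  else
    printf '%s\n' "$SAMPLE" | listeners
  fi
}

report
```

Without root, lsof lists only the current user's sockets; run the script with sudo to cover system daemons as well.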

Dec 9, 2017 11:34 AM in response to tbhunderbird

I don't know what it is but it is causing my iMac to wake up a lot. In terminal if you issue this command:


log show --style syslog | fgrep "Wake reason"


You may find lots of lines with "Wake reason: Enet.Service - Connection attempt with TCP from..." I found my Apple TV, iPad and iPhone were trying to connect. I found out the port they are trying to connect to is this command, '/usr/libexec/rapportd'.

Dec 10, 2017 6:02 PM in response to neliason

There are probably many ways to do it. I used Recovery Mode to pull up a terminal window. I then used Unix commands to go to where the file is stored (cd /Volumes/XXX/usr/libexec/ where XXX is the name of your boot disk) and moved the file up one level (mv rapportd ../rapportd). When you start up Mac OS, you will get log messages that launchd could not find the file, but I have not found any other problems. If you are not familiar with Unix, you should probably not try this way. Perhaps others can respond with a non-Unix way.

Dec 10, 2017 8:20 PM in response to tbhunderbird

Getting the same thing, already clean installed Sierra onto my Air, will be doing the same with my MacBook Pro .. High Sierra has been nothing but problems for me. I read Pat Wardle's blog quite often (responsible for many recent security updates). He has private bugs which are stunning to say the least. This "version" was rushed. Nothing makes sense and everything needs constant network connectivity. At least Sierra worked "well".


Personally I believe this rapportd "daemon" (I also viewed the man page) is for crypto currencies. High Sierra is junk. I can't wait until Huawei's next ZenBook is released.. I'll be moving over to a Linux system with one of their high end laptops. Never thought I'd say this, huge Apple fan boy too. iPad pro, air, probook, iPhone X, Airport Extreme 2TB, with express extenders and every imaginable accessories ..


RIP - Apple ... Steve Jobs would be so sad. problems and no innovation ...

Dec 14, 2017 1:48 PM in response to Frost Land

Yes cryptocurrency. Was used for banking via IBM in the past. I believe now it's part of Google Chrome and their effort to add Google Wallet with block chain options. I haven't reinstalled Chrome on my wiped Sierra and no rapportd. However my MacBook Pro is now running it, and it also asked me to update "Command Line Tools (MacOS High Sierra version 10.13) for Xcode", when I do not have Xcode on the MacBook Pro. After work that's being wiped as well. Sierra is going back on the Pro too.


Your iPhone tries to connect to macOS via this "rapportd" .. CONSTANTLY. And I do have banking info, etc. on my phone. And btw stop relying on Little Snitch. I used to use it until it became a bloated vulnerable piece of junk, try Pat's LuLu. Does the same thing as Little Snitch. Search LuLu firewall for macOS.

Dec 15, 2017 10:39 AM in response to DeimosL

No.


I'm just trying to the most logical conclusion. I did NOT install any packages and or repository which included the rapportd application. I did however have Google Chrome on my MacBook Air and MacBook Pro. Last night I did the old add bios/firmware pass so your machine is FORCED to do a clean reinstall back to its "out of the box OS". My pro is a bit older "late 2014" so I ended up with Mavericks! I had to upgrade to Yosemite but I think I'm staying there. it literally has every function Sierra has i.e airplay, handoff, and all of that other crap. Yet there is only ONE outgoing connection while idle. It's also secure. I read a lot about Yosemite last night and some people say it was the last "good" release. When Apple took their time and only released something once a year. I need to look into El Capitan, however it seems as though you don't get much added on the user end.


Like I said my Air is running Sierra, however that's due to the fact it's newer and I can't go back any farther unless I install from a USB. That may break my warranty though.


Cheers - Mamba / x0

Dec 21, 2017 1:51 PM in response to neliason

I would agree. On my laptop Little Snitch is completely ignoring rapportd (because it seems only on local network) and it was only the macOS Firewall that was asking.


And I suspect it was only asking because, being a naturally untrusting person where computer security is concerned, on my macOS Firewall I've unchecked the "Automatically allow built-in software to receive incoming connections" but I disallowed that so long ago I've no idea what the default setting is (but it might explain why so few are asking this question).
