Kudos0

Norton Firewall & Application Blocking: How do I know which are OK to approve?

After receiving notification from Comcast that I might have a bot on my machine, I installed the Comcast version of Norton Internet Security for the Mac. 

I enabled Application Blocking and have allowed all familiar apps that need Internet access. However, there are often notifications from things I do not recognize and have no idea if it's OK to approve them. I suspect they are necessary functions but would hate to say yes to enabling some bot activity.

How can I tell what is legit beyond familiar app names?  

For example: 

cupsd (located in /usr/sbin/cupsd)

ocspd (located in /usr/sbin/ocspd)

lots of other stuff in that same spot: racoon, krb5kdc, awacsd

Or this?

PubSubAgent.app which is found in:

/System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent

Replies

Kudos1 Stats

Re: Norton Firewall & Application Blocking: How do I know which are OK to approve?

There is no Mac virus that can be a "bot."  In fact, there is no Mac virus that can jump from machine to machine.  Therefore, Comcast is barking up a tree.  The only reason to have an AV on the Mac is to not infect Windows users with infected files that you may have received from someone else and pass on.

In fact, there is no Mac malware whatsoever that can install itself.  The only relatively minor concern is "OSX.Iservice / OSX.Iwork" trojan horse (early 2009) that some people got by downloading pirated copies of iWork '09 and installed. More info: http://www.symantec.com/connect/blogs/osxiservice-it-s-not-going-iwork-you 

If you're wondering about a specific process, Google it. 

For example, PubSubAgent is not a problem.  Apple says: “The PubSub agent syncs the RSS read/unread status of bookmarked RSS feeds between computers using Mac OS X 10.5 that are syncing bookmarks via .Mac Sync.”

I would ensure, if you are using a wireless router, that it is password protected and that you are using WPA encryption.  A neighbor may be using your bandwidth, and their machine is a compromised Windows machine.  If it is password protected, change the password to be safe.  I got a similar message from Comcast previously, and they were wrong.

If you want total control over what application "phones home," I recommend Little Snitch.

Kudos0

Re: Norton Firewall & Application Blocking: How do I know which are OK to approve?

Most of the things you don't know what they are, are Apple system functions and are code signed by Apple.

You can make sure they really are Apple system routines by using codesign (see man codesign).

e.g.

codesign -vv /usr/sbin/cupsd           # will check if the Apple signing is valid (object has not been changed).

codesign -vvd /usr/sbin/cupsd         # will print out details of the signing cert.

John Hansen, Sr. Principal Software Engineer, Macintosh Group
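A batch form of the codesign check described above, as an added example that is not part of John Hansen's post: it runs `codesign --verify` on each path named in a firewall prompt, then repeats the check with the `anchor apple` requirement so that a binary validly signed by someone other than Apple is reported separately. The `classify` and `report` function names and the `CODESIGN` override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Usage on macOS:
#   sh check_prompts.sh /usr/sbin/cupsd /usr/sbin/ocspd /usr/sbin/racoon
# CODESIGN is an assumed override hook so the logic can be exercised
# on a machine without the real codesign tool.
CODESIGN="${CODESIGN:-codesign}"

# Print one verdict word for a single path.
classify() {
    target=$1
    if [ ! -e "$target" ]; then
        echo "missing"
        return
    fi
    # Step 1: the signature must exist and the file must match it.
    if ! "$CODESIGN" --verify "$target" >/dev/null 2>&1; then
        echo "unsigned-or-modified"
        return
    fi
    # Step 2: the signing chain must end at Apple's own anchor.
    # -R=<text> adds a requirement that verification must also satisfy.
    if "$CODESIGN" --verify -R="anchor apple" "$target" >/dev/null 2>&1; then
        echo "apple"
    else
        # Validly signed, but not by Apple. Expected for third-party apps,
        # unexpected for anything under /usr/sbin or /System.
        echo "third-party"
    fi
}

# Print a verdict line for every path given.
report() {
    for p in "$@"; do
        printf '%-22s %s\n' "$(classify "$p")" "$p"
    done
}

if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

Anything reported as `unsigned-or-modified` in a system location is the case to look at before approving the prompt.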