Norton Firewall & Application Blocking: How do I know which are OK to approve?

kristenlc · January 5, 2011, 12:36am

After receiving notification from Comcast that I might have a bot on my machine, I installed the Comcast version of Norton Internet Security for the Mac.

I enabled Application Blocking and have allowed all familiar apps that need Internet access. However, there are often notifcations from things I do not recognize and have no idea if it's OK to approve them. I suspect they are necessary functions but would hate to say yes to enabling some bot activity.

How can I tell what is legit beyond familiar app names?

For example:

cupsd (located in /usr/sbin/cupsd)

oscpd (located in /usr/sbin/ocspd)

lots of other stuff in that same spot: racoon, krb5kdc, awacsd

Or this?

PubSubAgent.app which is found in:

/System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app/Contents/MacOS/PubSubAgent

jdh · January 12, 2011, 1:12am

Most of the things you don't know what they are, are Apple system functions and are code signed by Apple.

You can make sure they really are Apple system routines by using codesign ( see man codesign )

e.g.

codesign -vv /usr/sbin/cupsd //will check if the Apple signing is valid ( object has not been changed ).

codesign -vvd /usr/sbin/cupsd //will print out details of the signing cert.

kristenlc · January 5, 2011, 12:36am