"Who's there?" See what's persistently installed on your Mac!
Malware often installs itself persistently, to ensure it is automatically (re)executed each time a computer is restarted. KnockKnock uncovers persistently installed software in order to generically reveal such malware.
Frequently Asked Questions, and their answers, can be found here.
Running KnockKnock
To use KnockKnock, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive.
There is no need to install anything, and KnockKnock can be run from anywhere. (This also means there is nothing to uninstall, simple delete the application).
To run the application and begin a scan, simply double-click KnockKnock.app.
Launch KnockKnock by double-clicking
Note:
KnockKnock may prompt you to grant it "Full Disk Access".
This is optional, but will allow KnockKnock scan your entire computer.
You can grant KnockKnock this access, via the System Settings app. In the Privacy & Security pane, click on Full Disk Access, then scroll down until you see KnockKnock. Then simply toggle the button, to grant it access:
Granting KnockKnock full disk access
If you don't see KnockKnock in this list, you can click the '+' sign and add it by browsing to its location on disk.
Press the 'Start Scan' button begin a scan. During the scan, KnockKnock will enumerate known locations where persistent software or malware may be installed.
Note:
By design, KnockKnock simply lists persistently installed software. Although by default signed-Apple binaries are filtered out, legitimate 3rd-party software will be displayed!
Thus just because something display in KnockKnock, does not mean it is malware!
The left-handle table contains the categories of persistent software that KnockKnock scans. Each row contains the name and brief description of the category, and the number of detected items.
On the left, you'll find categories of persistent items
Clicking on any of the categories will display the items for that category in the right-hand items' table.
Each row in this table contains the name of the detected item, an icon indicating whether it belongs to Apple, , or a 3rd-party (but still signed) , or is unsigned , its full path, and then various informational and actionable buttons. These buttons provide information about item's VirusTotal (anti-virus) scan results, general information about the file, and the ability to view the item in Finder:
A benign persistent item (LuLu, signed by Objective-See) A malicious persistent item (DazzleSpy, unsigned)
Note:
Though this is covered in more details in the FAQs, generally speaking items that are signed by Apple proper () are safe to ignore.
One exception is that malware may persists scripts via Apple interpreter's (such as bash or Python). Any interpreter that is persisted should be closely examined.
If the item is an executable binary, KnockKnock automatically queries VirusTotal with a hash of the binary in order to retrieve any information. While VirusTotal is being queried, this button displays '■ ■ ■'. Once the query is complete, the title of the button is automatically updated with either the detection ratio, or a '?' if the binary is not known to VirusTotal.
Interpreting VirusTotal results
Note:
In the UI, a '?' is shown for items that are unrecognized or unknown to VirusTotal. This most often happens for new items that simply have not yet been submitted to VirusTotal ...though, yes it could also be (new) malware.
If you click on the '?', you can submit the item to VirusTotal. Moreover, at the end of the scan KnockKnock will display the total number of unknown items, as well as provide the option to submit them all to VirusTotal for analysis:
Upon scan completion, all unknown items can be submitted to VirusTotal
With the query complete, the button can be clicked to reveal a popup containing VirusTotal-specific information about the file. If the file is unknown, clicking the 'Submit?' button will submit the file for analysis. Known files contain a link to the full analysis report and a 'Rescan?' button that will rescan the file:
Clicking on the 'Virus Total' button, information from VirusTotal
If known malware is detected, the item's name and VirusTotal button will be highlighted in red. Moreover, the name of the category will be similarly highlighted:
The 'info' button will display detailed information about the item, including its hash, size, property list (if applicable), and signed status:
Clicking on the 'info' button, reveals more details about the item
If the item is persisted via a property list, one can click on this to view it's contents:
View the content's of a persistent item's property list
Back to the main window, clicking on the final button ('show') in the item's row, will reveal the item in a Finder window.
Configuring KnockKnock
To control or influence the execution of KnockKnock, click the 'Settings' icon found at the bottom left of the window:
KnockKnock's settings can be opened by clicking on the "Settings" button
This will display KnockKnock's setting's window (note, this Window is also displayed via the 'Settings' menu item):
KnockKnock's settings
'Include macOS/known items':
Display everything it finds (by default it filters out signed Apple &amP; white-listed items).
'Disable automatic update check':
When KnockKnock is launched, disable the automatic check for new versions.
'Disable VirusTotal integration':
Do not query VirusTotal with the hashes of persistent items.
Next to the settings icon, is the save icon. Click this to save KnockKnock's findings (as JSON):
Saving Scan Results
Next to the save icon, is a the compare scan icon. Click this to compare a previous scan, with the current scan.
Comparing two scans. Note the addition of (benign) browser extension, and the removal of a (benign) login item.
Note:
The option to compare a scan, is only available about a current scan has been completed.
Currently, the compare logic only detects added, or removed items. Not items that have been modified in place.
KnockKnock's Commandline Interface
KnockKnock can be run via the commandline. There are various benefits to this, including the ability to programmatically deploy and execute KnockKnock (perhaps on a regularly scheduled interval). Via the CLI, KnockKnock can also be executed with elevated privileges (i.e. sudo), which will ensure that KnockKnock will perform a more comprehensive scan of items for all users!
Note:
To run KnockKnock via the commandline, first open a terminal (e.g. /System/Applications/Utilities/Terminal.app).
Then, execute KnockKnock, making sure to specify the full path to the KnockKnock binary within its application bundle!
Pass the -h or -help to display information about the self-explanatory commandline options:
$ ./KnockKnock.app/Contents/MacOS/KnockKnock -h
KNOCKNOCK USAGE:
-h or -help display this usage info
-whosthere perform command line scan
-verbose display detailed output
-pretty final output is 'pretty-printed'
-apple include apple/system items
-skipVT do not query VirusTotal with item hashes
Here's an example, where we perform scan making use of the -verbose flag:
$ ./KnockKnock.app/Contents/MacOS/KnockKnock -whosthere -verbose
Starting scan...
AUTHORIZATION PLUGINS
now scanning...
found 12 Authorization Plugins
scanning via VirusTotal
BROWSER EXTENSIONS
now scanning...
found 3 Browser Extensions
scanning via VirusTotal
...
Scan completed in 00 minutes, 27 seconds
RESULTS:
87 persistent items
0 flagged items
Note:
To capture the output, simply pipe it to a file out of your choice:
Q: KnockKnock found many applications, should I be worried?
A: No. KnockKnock simply enumerates items that are automatically started; either during startup, during login, or during another application's launch (e.g. browser extensions). Although signed-Apple items are filtered out by default, many legitimate 3rd-party items will likely be shown. Of course, the goal is that KnockKnock will also display any persistently installed malware.
Q: Ok, so how do I determine if something is malware?
A: By design KnockKnock itself doesn't try to determine if something is malware or not. However, since VirusTotal is fully integrated into KnockKnock, known malware will be detected (and highlighted in red). The remaining items that are not flagged can be manually examined. Perhaps google the hash of the file, run strings on it, or if you are really concerned about a specific item, email me at contact@objective-see.com and attach the file :)
Q: When I run KnockKnock, why does it ask to access my downloads/desktop/calendar folder, etc?
A: As part of its enumerations, KnockKnock scans running processes and their dependencies. If a process has an item loaded from these locations, when KnockKnock scans it, it may generate an OS alert.
Q: Why does KnockKnock try to access the network?
A: When KnockKnock is started, it connects to Objective-See.com to check if there is a new version of the product. Specifically, it reads the file products.json, which contains the latest version number of KnockKnock. No user or product information is collected nor transmitted.
KnockKnock may generate network traffic related to its integration with VirusTotal. As described above, when a user clicks on 'virus total' in the alert window, this will send generate a request which contains the file's path, name, and hash. Note that the automated version checking can be disabled via the 'disable update checks' option in KnockKnock's settings.
Supported OS: macOS 10.11+
Current version: 2.5.0 (change log)
Zip's SHA-1: 5D4C9E9AE4211AA9D8AF99828ACBD49231477735
Source Code: KnockKnock
, or a 3rd-party (but still signed) 
, or is unsigned 
, its full path, and then various informational and actionable buttons. These buttons provide information about item's VirusTotal (anti-virus) scan results, general information about the file, and the ability to view the item in Finder:
