Following my recent near miss, I thought it might be helpful to explain the current range of security tools available free from Objective-See, so that you know what to keep ready, and what to reach for in such emergencies.
Looking for trouble
KnockKnock helps you locate persistent components which might be installed by malware. These might be present to enable further intrusion or damage, and are typical of systems which have been taken over for use in a ‘botnet’.
Run this if you suspect that malware has already been installed. It scans the likely persistence points, such as kernel extensions and other items which run at startup or periodically thereafter, and checks each against the VirusTotal online database to establish whether it is likely to be malicious.
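As an illustration of what a KnockKnock-style persistence scan does, here is an added example (not Objective-See's code, and not from the original post) that enumerates the standard launchd job locations, parses each property list, works out which executable the job runs, and records its SHA-256 so it can be looked up by hash. The root directory is a parameter so the scan can be pointed at a mounted volume, or at the small constructed tree the helper below builds; the `com.example.*` labels and paths are constructed sample data, not real malware indicators.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

# Standard launchd persistence locations, relative to the filesystem root.
# Per-user agents under Users/*/Library/LaunchAgents are added by glob below.
LAUNCHD_DIRS = [
    "Library/LaunchAgents",
    "Library/LaunchDaemons",
    "System/Library/LaunchAgents",
    "System/Library/LaunchDaemons",
]


def sha256_of(path):
    """Return the hex SHA-256 of a file, or None if it cannot be read."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def program_of(plist):
    """Binary a launchd job runs: Program takes precedence over ProgramArguments[0]."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def scan_persistence(root):
    """Enumerate launchd jobs under `root` and hash the executables they point at."""
    root = Path(root)
    dirs = [root / rel for rel in LAUNCHD_DIRS]
    dirs += sorted(root.glob("Users/*/Library/LaunchAgents"))
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for plist_path in sorted(d.glob("*.plist")):
            try:
                with open(plist_path, "rb") as f:
                    plist = plistlib.load(f)
            except Exception:
                # A plist launchd cannot parse is itself worth a look.
                findings.append({"plist": str(plist_path), "error": "unparseable"})
                continue
            program = program_of(plist)
            # Program paths are absolute on the scanned system; re-root them here.
            exe = root / program.lstrip("/") if program else None
            findings.append({
                "plist": str(plist_path),
                "label": plist.get("Label"),
                "program": program,
                "runs_at_load": bool(plist.get("RunAtLoad", False)),
                "sha256": sha256_of(exe) if exe else None,
                # A job whose binary is gone is a classic leftover of removed malware.
                "missing": bool(program) and not (exe and exe.exists()),
            })
    return findings


def build_demo_tree():
    """Build a throwaway tree with two constructed launchd jobs for a dry run."""
    root = Path(tempfile.mkdtemp())
    exe = root / "usr/local/bin/updater"
    exe.parent.mkdir(parents=True)
    exe.write_bytes(b"#!/bin/sh\necho constructed sample\n")
    agents = root / "Library/LaunchAgents"
    agents.mkdir(parents=True)
    with open(agents / "com.example.updater.plist", "wb") as f:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/usr/local/bin/updater", "--quiet"],
                       "RunAtLoad": True}, f)
    daemons = root / "Library/LaunchDaemons"
    daemons.mkdir(parents=True)
    with open(daemons / "com.example.ghost.plist", "wb") as f:
        plistlib.dump({"Label": "com.example.ghost", "Program": "/tmp/gone"}, f)
    return root


if __name__ == "__main__":
    for rec in scan_persistence(build_demo_tree()):
        print(rec)
```

Run against a real system with `scan_persistence("/")`; the hash column is what you would submit to VirusTotal, and a `missing` job or an unparseable plist is worth investigating even before any lookup.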
KextViewr is similar to KnockKnock, but only checks kernel extensions (KEXTs). It looks these up using VirusTotal’s online database, to give you an assessment of whether they are likely to be malicious. Although thorough and useful, you will probably find KnockKnock the better all-rounder.
TaskExplorer examines only the tasks/processes which are currently running on your Mac, screening them for signs that they might be malicious. Again it links to the VirusTotal database to provide an assessment of the likelihood of their being malicious.
Tasks are probed in full: many load dynamic libraries (dylibs) which can be a way of malware getting run on your Mac; TaskExplorer examines loaded dylibs and checks them out too. It also examines the files open, and network connections, for each task, which again can reveal any malicious activity.
I ran this immediately after I saw suspicious activity on my Mac (a euphemism if ever I wrote one!) to see if anything nasty was running at the time, as a result of a compromise or intrusion.
Tasks which are not running at the time, such as those which only run periodically, will not be inspected by TaskExplorer until they run, so it does not provide as extensive coverage as KnockKnock, for example. It is great for that moment of near-panic, though.
Keeping out of trouble
BlockBlock is intended to protect your Mac by detecting the installation of persistent software components. It is an excellent way of protecting before anything nasty might get onto your Mac, but not after that has already happened.
Ostiarius is a tool for El Capitan which blocks any unsigned (and therefore suspect) code from being run. It is thus a protective tool which aims to close a vulnerability in OS X’s Gatekeeper security mechanism. You need to install it before any attack to obtain its protection.
Dylib Hijack Scanner (DHS) is designed to check your Mac for apps which could be hijacked by malicious dylibs, or have already been hijacked. This is a fairly specific vulnerability, but still a useful tool to have available.
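To make the vulnerability DHS looks for concrete, here is an added example (not Objective-See's code, and not from the original post) of the kind of check such a scanner performs: it walks the load commands of a 64-bit Mach-O file and flags the two import patterns that can be satisfied by a library planted where the loader looks first, namely weak dylib imports (`LC_LOAD_WEAK_DYLIB`, which the loader silently skips if the library is absent) and `@rpath`-relative imports (`LC_LOAD_DYLIB` resolved through the binary's `LC_RPATH` search list). The load-command constants are the real values from mach-o/loader.h; the sample binary is constructed in memory by `build_demo_binary`, and its library names are assumptions for the demonstration rather than real products.

```python
import struct

# Values from mach-o/loader.h (64-bit little-endian Mach-O).
MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_RPATH = 0x1C | LC_REQ_DYLD
HEADER_SIZE = 32  # mach_header_64


def parse_load_commands(data):
    """Yield (cmd, raw_command_bytes) for each load command in a Mach-O 64 image."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize


def lc_string(cmd_bytes, str_off):
    """Decode the NUL-terminated string an lc_str offset points at (offset is from command start)."""
    end = cmd_bytes.index(b"\x00", str_off)
    return cmd_bytes[str_off:end].decode()


def hijack_candidates(data):
    """Return the rpath list and the imports a dylib-hijack scan would flag."""
    rpaths, findings = [], []
    for cmd, body in parse_load_commands(data):
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # struct dylib starts at offset 8: name (lc_str), timestamp, versions.
            name = lc_string(body, struct.unpack_from("<I", body, 8)[0])
            if cmd == LC_LOAD_WEAK_DYLIB:
                findings.append(("weak", name))
            elif name.startswith("@rpath/"):
                findings.append(("rpath", name))
        elif cmd == LC_RPATH:
            rpaths.append(lc_string(body, struct.unpack_from("<I", body, 8)[0]))
    return {"rpaths": rpaths, "findings": findings}


def _dylib_cmd(cmd, name):
    """Encode an LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB command (name string at offset 24)."""
    s = name.encode() + b"\x00"
    body = struct.pack("<4I", 24, 2, 0x10000, 0x10000) + s
    size = 8 + len(body)
    pad = (-size) % 8
    return struct.pack("<2I", cmd, size + pad) + body + b"\x00" * pad


def _rpath_cmd(path):
    """Encode an LC_RPATH command (path string at offset 12)."""
    s = path.encode() + b"\x00"
    body = struct.pack("<I", 12) + s
    size = 8 + len(body)
    pad = (-size) % 8
    return struct.pack("<2I", LC_RPATH, size + pad) + body + b"\x00" * pad


def build_demo_binary():
    """Construct a minimal Mach-O 64 header plus load commands (no code), for the dry run."""
    cmds = b"".join([
        _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),       # absolute: not flagged
        _dylib_cmd(LC_LOAD_WEAK_DYLIB, "/usr/lib/libOptional.dylib"),  # constructed name
        _rpath_cmd("@executable_path/../Frameworks"),
        _dylib_cmd(LC_LOAD_DYLIB, "@rpath/Helper.dylib"),              # constructed name
    ])
    # cputype 0x01000007 = x86_64, filetype 2 = MH_EXECUTE, 4 load commands.
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 4, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    print(hijack_candidates(build_demo_binary()))
```

On a real system you would feed `hijack_candidates` the bytes of each application's main executable (fat binaries need the matching slice extracted first, which this example does not do) and then confirm, for each flagged import, whether the library exists at every search location ahead of the one actually used. A flagged entry is a candidate, not a confirmed hijack.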
Lockdown is a security audit system for El Capitan, which tells you how well secured your installation is, and allows you to consider adjusting that. It is not intended to cripple your Mac, but as an intelligent guide to how you can improve its security.
Knowing about trouble
Patrick Wardle also runs a high-quality, low-volume blog about OS X security.
Thank you, Patrick, for developing these invaluable tools and for providing them free.