Little Snitch 6 Help

Warnings

Little Snitch’s primary objective is to monitor processes for internet connections and let the user decide whether to allow or deny them. However, Little Snitch sometimes notices that something is fishy about a program. In this case it wants to let you, the user, know what it has found.

App Translocation warning

This warning is a hint only. It informs you that permanent rules for this process might not work.

App Translocation is a security mechanism Apple introduced with macOS 10.12 (Sierra). If an application has not been “properly installed”, the operating system maps it to a random path before launching, usually somewhere in /private/var/folders/. This path randomization prevents the loading of resources shipped alongside the application, a mechanism often used by malware. “Properly installed” means that the application must be started from a code-signed disk image or that it must have been copied to a new location in Finder.

Why is this important to Little Snitch? Since Little Snitch rules might refer to processes by their file system path (if there is no code ID), rules created for one instance of the application may not work the next time it is launched from a different random path. Luckily, the problem can easily be fixed by moving the application to another location in Finder (and optionally back to its original position, if you prefer to have it there).

Internationalized domain name warning

This warning is a hint only. It informs you that the displayed domain may be a look-alike.

Internationalized domain names may contain any Unicode character. However, the Unicode character set contains many very similar-looking characters. Using these characters, an attacker can construct a domain which is visually indistinguishable from a popular domain in Latin characters (“IDN homograph attack”). Consider the domain “applе.com”. Would you have noticed that the “е” is a Cyrillic letter? Little Snitch adds a hint when it detects an internationalized domain name, printing its Punycode representation for detailed analysis.
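
As an added illustration (not Little Snitch's own code), the following Python sketch converts a hostname between its Unicode and Punycode forms, which is the representation the hint above exposes. It goes one step further and flags labels that mix scripts; that check and the names `inspect_hostname` and `label_scripts` are assumptions of this example.

```python
import unicodedata

ACE_PREFIX = "xn--"  # prefix that marks a Punycode-encoded (IDN) label

def label_scripts(label):
    """Scripts of the letters in a label, taken from the first word of each
    Unicode character name (a rough heuristic, not the Unicode Script property)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def inspect_hostname(host):
    """Return IDN facts for a hostname given in Unicode or Punycode form."""
    unicode_labels, ascii_labels = [], []
    for label in host.rstrip(".").lower().split("."):
        if label.startswith(ACE_PREFIX):
            # Already Punycode: decode it to see the characters a user is shown.
            uni = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
            ace = label
        elif label.isascii():
            uni = ace = label
        else:
            # Normalize first so compatibility forms collapse before encoding.
            uni = unicodedata.normalize("NFKC", label)
            ace = uni if uni.isascii() else (
                ACE_PREFIX + uni.encode("punycode").decode("ascii"))
        unicode_labels.append(uni)
        ascii_labels.append(ace)
    return {
        "is_idn": any(a.startswith(ACE_PREFIX) for a in ascii_labels),
        "unicode": ".".join(unicode_labels),
        "punycode": ".".join(ascii_labels),
        # Mixed-script labels are the typical shape of a homograph; scripts
        # that are legitimately combined in some languages will also match.
        "mixed_script_labels": [l for l in unicode_labels
                                if len(label_scripts(l)) > 1],
    }

if __name__ == "__main__":
    # Constructed samples: the page's look-alike (Cyrillic U+0435 written as
    # an escape so it is visible), its Punycode form, and the plain ASCII name.
    for sample in ("appl\u0435.com", "xn--appl-y4d.com", "apple.com"):
        print(sample, inspect_hostname(sample))
```
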

Suspicious program warning

This warning is a hint only. It informs you that the process may not be trustworthy.

Almost all programs come with a valid code signature from Apple or from a registered developer these days. When Little Snitch finds a program without a code signature, or one signed using a certificate not issued by Apple, it warns you in the connection alert. The following cases lead to a warning:

Program modification warning

This warning is not just a hint, it requires that you make a decision.

Before Little Snitch applies an Allow-rule, it checks the identity of the program. If this check fails and the identity has changed or cannot be confirmed, it shows an alert with a warning. There are several types of identity check, each with several possible error conditions. This results in a big matrix of possible error messages. All these messages explain how the check was made, what was expected and how the program failed to meet the requirements.

Whatever the message of the warning is, there are usually three options on how to proceed:

  1. Deny this and every future network connection of the program. When you choose this option, an extra-high priority rule is created which denies all network connections. While the program is detached from the network, you have time to research the issue. If you later decide that the modification was OK and you want to allow connections again, open Little Snitch Configuration, search for the program and double-click the extra-high priority Deny-rule. Little Snitch now gives you the option to update the identity check and remove the extra-high priority Deny-rule.
  2. Accept the change, apply the rule and update the identity check to match the current version of the program. This option is only available if an identity check can be made for the currently running process. Choose this option if you know that the modification was legitimate.
  3. Disable identity checks altogether. If you frequently update a program without a code signature, it may be inconvenient to update the identity check for every new version. Or if the program always loads an unsigned library and the code signature becomes invalid, you may decide to disable identity checks and accept the additional risk.

© 2016-2024 by Objective Development Software GmbH