Knock Knock, me again!

29. April 2015 Security 1

Last October I wrote an article about Knock Knock, a tool that checks the common hiding places of malware. You can read that article here. Overall a good tool, but it was command line only. Immediately after writing the article I was asked, both in the comments and via email, to do a follow-up piece with instructions on how to use it. I said I would but never got around to it. The article ended with me saying the following: “If the developer keeps working on this tool, possibly give it a GUI and make it run on a Mac all the time, this would be a great way to keep an eye on your system.”

Today I received an email from the Knock Knock creator, Patrick Wardle, to say that he had done just that. Knock Knock now has a neat user interface which will make it a lot easier and more fun (for nerds like me anyway) to use. On top of that he integrated VirusTotal, so you can see whether a particular file is flagged as malware. VirusTotal is not foolproof and may not show a detection for everything, but it can certainly give a good indication as to whether a file should be investigated further.

Let’s take it for a spin and see what we got!
If you prefer to explore for yourself, download Knock Knock here.

The application is a very light 1.5 MB and the UI is very clean. I tested the app on my main system first (OS X 10.10.3). Simply clicking the “Start Scan” button immediately resulted in a permission request dialog asking whether Knock Knock could access confidential information from the Safari Extensions List. I allowed it once, then did another scan and denied the access. Allow or deny, the scan still shows you results for browser extensions; the only difference is that Safari results are omitted if you deny the access. I believe you can safely allow this access. Knock Knock only attempted to make one connection to a remote server during and after the scan, to a Google-hosted address for the VirusTotal results. The connection to “ghs-svc-https-c46.ghs-ssl.googlehosted.com” was blocked by my Little Snitch, so initially I did not get any VirusTotal results. If you block any and all Google-related connections, Knock Knock still functions; you just miss out on the VirusTotal results, which could help you if you are new at this.

Knock Knock showed me a little over 30 results, which were all clean. This list may seem small, but that is because Knock Knock omits OS and known items by default. If you want the full list, every kernel extension and login item included, click the gear and check “show os/known items”, then run the scan again. If you do not want to confuse yourself, stick with the default settings. In the preferences you can also disable the VirusTotal integration and enable the app to save the results for you. If enabled, there will be a “kkFindings.txt” in your Downloads folder after a scan. Make sure you rename that text file if you want to keep the results, as Knock Knock will overwrite the same file with the next scan’s results. A little colored lock icon also shows whether a found file is signed or unsigned, which can be helpful.

Everything looks and works well on a clean system. No abnormal CPU or memory usage, no hangs or freezes. Let’s see how it handles an infected OS.

Thanks to the VirusTotal integration it’s very obvious if something is detected. Knock Knock marks the category that has potentially infected items in bright red, and the individual suspect files show their VirusTotal score in red as well. As mentioned before, VirusTotal is not foolproof, so as expected a lot of files were not flagged as malware. To be clear, Knock Knock showed them all; VirusTotal just didn’t flag them. The files that you want gone can easily be located with the “show” icon, which takes you to that file’s location in the Finder.
I did notice that on the infected system (OS X 10.9.5) Knock Knock did not prompt me for access to Safari extensions, and no Safari extensions were listed in the scan results even though Safari was heavily infected with all kinds of malware. It did find Chrome and Firefox extensions. Even with this small issue, I still recommend at least trying Knock Knock 1.0.0. Keep it on your system if you like it or find it helpful and, just like AdwareMedic, run it periodically to see if anything shows up that raises red flags.
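A small helper for the periodic-scan routine described above, added here as an example and not part of Knock Knock itself: it archives each kkFindings.txt under a dated name before the next scan overwrites it and lists the entries that were not in the previous scan, so a new login item or kernel extension stands out. It assumes kkFindings.txt holds one finding per line (the page does not describe the format), and the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not part of Knock Knock itself. Knock Knock overwrites
# ~/Downloads/kkFindings.txt on every scan, so this keeps a dated copy of
# each results file and reports entries that were absent from the previous
# scan. Assumption: kkFindings.txt is plain text with one finding per line;
# the real layout is not described here, and the sample lines are constructed.

# Copy a findings file into an archive directory under a timestamped name
# and print the path of the copy.
kk_archive() {
    src="$1"; dir="$2"
    mkdir -p "$dir"
    dest="$dir/kkFindings-$(date +%Y%m%d-%H%M%S).txt"
    cp "$src" "$dest" && printf '%s\n' "$dest"
}

# Print lines of the current findings that do not appear in the baseline.
# Whole-line, fixed-string matching; a missing or empty baseline means every
# entry is new (this also sidesteps grep's behaviour with an empty -f file).
kk_new_findings() {
    baseline="$1"; current="$2"
    if [ ! -s "$baseline" ]; then
        cat "$current"
    else
        grep -vxF -f "$baseline" "$current" || true
    fi
}

# Number of new entries, so a periodic job can alert only when it is above 0.
kk_new_count() {
    kk_new_findings "$1" "$2" | grep -c . || true
}

# Demo on constructed data: the previous scan's baseline and a current scan
# that gained one unsigned login item. Prints the new entry.
kk_demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'Launch Daemons: /Library/LaunchDaemons/com.example.updater.plist (signed)' \
        'Browser Extensions: Chrome: Example Extension (VT 0/50)' > "$tmp/baseline.txt"
    printf '%s\n' \
        'Launch Daemons: /Library/LaunchDaemons/com.example.updater.plist (signed)' \
        'Login Items: /Users/me/Library/Helper.app (unsigned)' \
        'Browser Extensions: Chrome: Example Extension (VT 0/50)' > "$tmp/current.txt"
    kk_archive "$tmp/current.txt" "$tmp/archive" >/dev/null
    kk_new_findings "$tmp/baseline.txt" "$tmp/current.txt"
    rm -rf "$tmp"
}
```

Run `kk_demo` to see the single new entry; in day-to-day use, point kk_new_findings at the most recent archived copy and the fresh ~/Downloads/kkFindings.txt.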

Knock Knock is not an all-in-one security solution; such solutions do not exist. As mentioned before, the best security comes in layers, and Knock Knock is certainly one of many layers worth having.

UPDATE: Patrick sent me an email today where he told me the issue with Safari extensions on older systems was resolved. Knock Knock 1.2.2 can be downloaded at the link below.

Previous writeup on Knock Knock.
Knock Knock download and basic instructions.
Also mentioned: AdwareMedic
Also mentioned: Little Snitch


1 thought on “Knock Knock, me again!”

    Tom on April 25, 2015

    Thanks for posting this; I totally forgot about Knock Knock because I don’t want to learn how to run it since I am a GUI guy. I also noticed the developer of this program has impeccable credentials and has a couple of other programs to help out us people who want to keep our OS X computers clean. My thanks to Patrick for all your work and also Jay for having this site too.
