I monitor all my traffic using Little Snitch. Recently, I've noticed strange IP addresses making connections to the "mach_kernel" process. Most of these IP addresses seem to originate from other programs (for example, I might see a Google address connected to mach_kernel when I'm browsing Gmail via my browser).
Is my Mac infected? The main concern here is that I have a virus which is MitMing traffic of other programs on my box. How can I tell if this is the case?
Best Answer
I have asked the Little Snitch development team at obdev about this issue. Here is the response:
"the tables in Little Snitch Network Monitor cache got mixed somehow"? Seriously?
It does indeed seem to happen after my machine has been running for days or weeks without reboot. And a reboot will fix it temporarily. It is possible that this is simply a bug in Little Snitch.
However, I find it dubious that traffic routed over mach_kernel "cannot be treated the same way as other processes". I am not informed about how Little Snitch is architected. It may not be able to run in kernel space (ring 0), but I find it terribly convenient in today's climate of mass government spying that the OS X kernel can simply take over and get around Little Snitch. I believe iptables would have no such trouble in blocking traffic, but it is most certainly of a different architecture and user model altogether.

See here for additional reference: https://security.stackexchange.com/questions/58815/do-firewalls-always-run-in-userspace
Switching to FOSS/Linux is looking more and more like the path to be on.
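One concrete way to do the check the question asks for ("how can I tell if this is the case?"), written here as an added example that is not part of the question or the answer above: compare the per-connection process attributions shown by the network monitor with the output of `lsof -i -nP`, which lists every socket owned by a user-space process together with that process's name. A connection the monitor attributes to mach_kernel but which lsof shows as owned by, say, a browser is a stale attribution (the cache mixing the answer describes), whereas one with no user-space owner at all deserves a closer look. The monitor rows and the lsof output below are constructed sample data; the verdict labels and the `cross_check` function are this example's own, not Little Snitch's.

```python
"""Cross-check a network monitor's per-connection process attributions
against `lsof -i -nP`. All sample data in this file is constructed."""
import re
from dataclasses import dataclass

# One data line of `lsof -i -nP` output. The COMMAND column may contain
# spaces, so it is matched non-greedily up to the numeric PID column.
LSOF_LINE = re.compile(
    r"^(?P<cmd>.+?)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+"
    r"(?P<type>IPv[46])\s+(?P<dev>\S+)\s+(?P<size>\S+)\s+(?P<node>TCP|UDP)\s+"
    r"(?P<name>.+)$"
)
# NAME column of a connected socket: local->remote, optional "(STATE)".
CONN_NAME = re.compile(r"^(?P<local>\S+)->(?P<remote>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?$")


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int


def parse_endpoint(text):
    """Split 'host:port'; lsof prints IPv6 hosts in brackets ([::1]:631)."""
    host, _, port = text.rpartition(":")
    return Endpoint(host.strip("[]"), int(port))


def parse_lsof(output):
    """Map each connected (local, remote) pair to the owning COMMAND name."""
    owners = {}
    for line in output.splitlines():
        m = LSOF_LINE.match(line)
        if not m:
            continue  # header line or something we do not understand
        n = CONN_NAME.match(m["name"])
        if not n:
            continue  # listening socket: no remote peer to compare against
        owners[(parse_endpoint(n["local"]), parse_endpoint(n["remote"]))] = m["cmd"]
    return owners


def classify(attributed, owner):
    """Compare the monitor's process name with lsof's owner for one connection.
    lsof truncates COMMAND to 9 characters unless run with `+c 0`, so the
    names are compared by prefix rather than for equality."""
    if owner is None:
        return "no-userspace-owner"   # nothing in user space holds this socket
    if attributed == "mach_kernel":
        return "stale-attribution"    # a user-space process owns it after all
    if attributed.startswith(owner) or owner.startswith(attributed):
        return "consistent"
    return "mismatch"                 # attributed to one process, owned by another


def cross_check(monitor_rows, lsof_output):
    """Return (process, local, remote, verdict) for each monitor row."""
    owners = parse_lsof(lsof_output)
    results = []
    for row in monitor_rows:
        key = (parse_endpoint(row["local"]), parse_endpoint(row["remote"]))
        verdict = classify(row["process"], owners.get(key))
        results.append((row["process"], row["local"], row["remote"], verdict))
    return results


# Constructed `lsof -i -nP` output; addresses are from documentation ranges.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Google Ch  1234 alice   45u  IPv4 0x1a2b3c4d5e6f7a8b      0t0  TCP 192.168.1.10:52314->198.51.100.14:443 (ESTABLISHED)
Mail       2210 alice   12u  IPv4 0x1a2b3c4d5e6f7a8c      0t0  TCP 192.168.1.10:52401->192.0.2.10:993 (ESTABLISHED)
curl       3301 alice    5u  IPv4 0x1a2b3c4d5e6f7a8d      0t0  TCP 192.168.1.10:52420->198.51.100.34:443 (ESTABLISHED)
sshd        410  root    3u  IPv6 0x1a2b3c4d5e6f7a8e      0t0  TCP *:22 (LISTEN)
"""

# Constructed rows in the shape a network monitor's connection list might be
# exported: the process it blames, plus the local and remote endpoints.
SAMPLE_MONITOR = [
    {"process": "mach_kernel", "local": "192.168.1.10:52314", "remote": "198.51.100.14:443"},
    {"process": "mach_kernel", "local": "192.168.1.10:52390", "remote": "203.0.113.7:8443"},
    {"process": "Mail", "local": "192.168.1.10:52401", "remote": "192.0.2.10:993"},
    {"process": "Safari", "local": "192.168.1.10:52420", "remote": "198.51.100.34:443"},
]

if __name__ == "__main__":
    for process, local, remote, verdict in cross_check(SAMPLE_MONITOR, SAMPLE_LSOF):
        print(f"{verdict:20} {process:12} {local} -> {remote}")
```

On a live system, feed `cross_check` the real `lsof -i -nP` text (run it as root so sockets of every user are listed, and add `+c 0` to get untruncated command names) and rows exported from the monitor at the same moment, since short-lived connections will otherwise appear in one list but not the other. Keep in mind what lsof cannot see: a socket genuinely opened by kernel code has no file descriptor in any process, so "no-userspace-owner" is a prompt to investigate (which kernel extensions are loaded, whether the attribution disappears after the reboot the answer mentions), not evidence of compromise on its own.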