If you love trying out new applications, then it’s easy to lose track of the programs that launch automatically, every single time you boot up your Mac.
Having a tonne of programs running in the background is bad news for performance, so identifying apps that don’t need to launch at startup is one of the easiest ways to boost your Mac’s performance – and it can even help you identify potential malware!
The majority of malware executes automatically as soon as you log into your user account, so reviewing the software that launches at startup can help you zero in on any malicious software that’s found its way onto your Mac.
While your Mac’s System Preferences does list the applications that launch at startup, it isn’t just applications that you need to worry about! In this article, we’re going to dig a bit deeper and uncover everything that launches every single time you boot up your Mac, including scripts, cron jobs, kernel extensions and browser extensions.
KnockKnock is an application that scans locations where persistent software and malware are commonly installed. It then displays detailed information about every item it discovers in these locations that is set to launch at startup. Armed with this data, you can decide whether an item really does need to launch automatically, and whether it may actually be malware.
Note that by default, KnockKnock filters out signed Apple and white-listed items, so these won’t appear in your KnockKnock results.
To perform a scan:
- Head over to the Objective-See website and download the latest version of KnockKnock. Although you can download KnockKnock for free, if you find this app useful then you should consider donating to the developer.
- Unzip and launch KnockKnock.
- Click ‘Start Scan.’
- After a few moments, KnockKnock will return your results, broken down into sections.
Work your way through these sections, and you’ll see the following information for each item that KnockKnock has detected:
- The item’s name.
- A colour-coded lock. Green means that this item is signed by Apple; black means it’s signed by a third party; and an orange, open lock indicates that this item is unsigned.
- The full file path. You can jump straight to this location in a new Finder window, by clicking the ‘Show’ button.
- A ‘VirusTotal’ score. VirusTotal is an online malware detection service that provides aggregated data based on the output of various antivirus engines, website scanners, URL and file analysis tools, plus user contributions such as comments and votes. If the item is associated with known malware, then both its name and VirusTotal score will be highlighted red.
To view even more information about the item, click its accompanying ‘info’ button, which launches a popup containing the following information:
- Hash. This is a string of characters that uniquely identifies this file. Some developers and organisations publish an official list of hashes for their software. Modifying a file in any way will change its hash, so you can check whether a file has become corrupted or been maliciously tampered with by comparing its hash to the list of official hashes. For example, if you downloaded some software from a third party website, and the third party modified the software to include adware, then its hash will not match the one on the official list.
- Size. How much space this item is taking up.
- Time. When this item was created, and when it was modified last.
- List. Wherever possible, KnockKnock will display an item’s plist, which is a text or binary document containing the item’s properties and settings.
- Signed. Whether the application is signed and, if available, the individual or organisation that the certificate is associated with. Note that an application being unsigned doesn’t automatically mean it’s untrustworthy.
When reviewing your results, just be aware that KnockKnock will list all items that are set to launch at startup, except for signed Apple and white-listed items. It’s highly likely that your KnockKnock results will include lots of legitimate software that should be launching at startup, so don’t panic if KnockKnock returns a long list of software!
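To make the plist and hash fields above concrete, here is an added example (not KnockKnock's own code) that reads launchd plists, resolves the program each one starts, and compares its SHA-256 to a reference hash. It assumes the standard launchd directories, which are only a subset of what KnockKnock scans, and a hypothetical `known_good` map that you build yourself from a vendor's published hashes.

```python
import hashlib
import plistlib
from pathlib import Path

# Standard launchd directories (assumption: KnockKnock scans more than these).
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]

def sha256_of(path):
    """Return the SHA-256 hex digest of a file, or None if it cannot be read."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None

def scan_launch_items(dirs=LAUNCH_DIRS, known_good=None):
    """List launchd items; known_good is a hypothetical {Label: sha256} map."""
    known_good = known_good or {}
    items = []
    for d in dirs:
        for plist_path in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                with open(plist_path, "rb") as f:
                    job = plistlib.load(f)  # handles XML and binary plists
                if not isinstance(job, dict):
                    raise ValueError("plist root is not a dictionary")
            except Exception:  # malformed or unreadable plist
                items.append({"plist": str(plist_path), "status": "unreadable"})
                continue
            args = job.get("ProgramArguments") or []
            program = job.get("Program") or (args[0] if args else None)
            digest = sha256_of(program) if isinstance(program, str) else None
            expected = known_good.get(job.get("Label"))
            if digest is None:  # no program named, or the file is gone
                status = "missing-binary"
            elif expected is None:
                status = "no-reference-hash"
            else:
                status = "match" if digest == expected else "MISMATCH"
            items.append({"plist": str(plist_path), "label": job.get("Label"),
                          "program": program, "run_at_load": bool(job.get("RunAtLoad")),
                          "sha256": digest, "status": status})
    return items

if __name__ == "__main__":
    print(*scan_launch_items(), sep="\n")
```

A `MISMATCH` means the file on disk differs from the reference you supplied, which can also happen after a legitimate update, so check the installed version against the vendor's list before drawing conclusions.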