KnockKnock

Application Type: System Security, Malware Detection Tool
Supported Systems: macOS 10.15 and above
Latest Version: 4.0.3
License: Free, Open Source
Developer: Objective-See

Overview

KnockKnock (meaning "Knock knock, who’s there?") is a free, open-source security tool developed by the renowned Mac security research organization Objective-See. Its core function is to scan and list all software persistently installed on your Mac, helping users and professionals identify potentially malicious software.

Malware typically leverages various "persistence" mechanisms to "anchor" itself into the system, ensuring it automatically (re)launches every time the computer restarts. KnockKnock was designed specifically to systematically reveal such persistence-based threats in a general-purpose manner.

Core Features and Highlights

1. Comprehensive and In-Depth Persistence Scanning

• System-Level Enumeration: Scans dozens of known macOS persistence locations, including:
  • Login items and startup items
  • Launch Daemons/Agents
  • Browser extensions and plugins
  • Scheduled tasks (cron jobs, emond)
  • Kernel extensions, system daemons, network extensions
  • Advanced items like reboot event monitors
• Categorized Display: All detected persistence items are clearly grouped by type, enabling users to easily view and manage them.

2. Detailed Contextual Information

• For each detected item, KnockKnock displays not only its name and path, but also:
  • Code Signing Status: Clearly identified via icons—whether signed by Apple, a third-party developer, or unsigned.
  • File Hashes (SHA-1/SHA-256)
  • Bundle Information (if an application)
  • First/Last Execution Time
• One-Click Search: Enables quick lookup of filenames or hashes on online platforms like VirusTotal for further analysis.

3. Integrated VirusTotal Check

• Users can (optionally) configure their own VirusTotal API key.
• Once configured, KnockKnock automatically queries the VirusTotal database to quickly identify known malware samples, providing strong reference for judgment.

4. User-Friendly and Non-Intrusive

• No Installation Required: The app is a standalone .app file; unzip the downloaded ZIP and run it directly from any location. Uninstallation is as simple as deleting the app file.
• Guided Initial Setup: Clearly guides users to grant “Full Disk Access” (required for deep scanning) and offers initial configuration options.
• Neutral Results: The tool does not automatically label an item as "malicious"; instead, it objectively lists all persistence items, leaving judgment to the user. By default, it filters out signed Apple binaries to reduce noise.

5. High Transparency and Trustworthiness

• Fully Open Source: Its source code is publicly available on GitHub, allowing anyone to review its logic and ensure it contains no malicious behavior.
• Developed by Objective-See: Created by industry-leading macOS malware researcher Patrick Wardle and his team, with a strong reputation for credibility.

Key Advantages

1. Proactive Defense: Helps users detect malware’s “footprints” before full system compromise, enabling proactive defense rather than reactive cleanup.
2. Deep Discovery: Can uncover threats hidden via complex or novel persistence techniques that traditional antivirus software may overlook.
3. System Monitoring: Ideal for system administrators and advanced users as a system monitoring tool to clearly understand all auto-starting programs and detect “silent” software installations.
4. Education & Research: An excellent educational tool that visually illustrates macOS persistence mechanisms, making it a valuable resource for learning macOS security.
5. Free and Open: Completely free and open source, with no feature limitations or usage barriers.

Quick Usage Guide

1. Download and Run: Download the ZIP file from the official website, extract KnockKnock.app, and double-click to launch.
2. Grant Permissions: On first launch, grant “Full Disk Access” in System Settings → Privacy & Security → Full Disk Access.
3. Initial Configuration: Choose scanning preferences (e.g., ignore Apple items, integrate VirusTotal) in the setup interface.
4. Start Scan: Click “Start Scan” and wait for results to be displayed.

Important Notes

• Exercise Caution: KnockKnock lists all persistence items, including many legitimate third-party applications. The presence of an item in the list does not mean it is malware. Users should judge based on path, signature, developer information, and VirusTotal reports.
• Advanced Tool: While the interface is user-friendly, interpreting results requires some macOS knowledge. For uncertain items, search the name first before taking action—avoid deleting critical system files.

Conclusion

KnockKnock is an essential auxiliary tool in the macOS security landscape. With its simple and efficient approach, it sheds light on the hidden persistence layer of the system, serving as a powerful ally for Mac users, IT administrators, and security researchers in maintaining system integrity and detecting unknown threats. Its open-source, free nature brings professional-grade security capabilities to every user.