The Configuration Window
When you load up Little Snitch for the first time, you will see that there are already a lot of rules created for you. Most of these rules have a lock on them, and are required for normal system operation. While you can disable them, you cannot (and should not) delete them.
Enjoy a completely redesigned Network Monitor with a world map for visualizing network connections based on their geographic location, a new, improved Silent Mode, an option to minimize the connection alert to defer decisions about pending connections, improved hostname based filtering accuracy using Deep Packet Inspection, and much more.
Overview
- Overall modernized design of all user interface components.
- Completely redesigned Network Monitor with map view for visualizing worldwide network connections based on their geographic location.
- Improved Research Assistant, now also accessible from Network Monitor and Little Snitch Configuration.
- New, redesigned Silent Mode. As an alternative to confirming lots of individual connection alerts it’s now possible to create and change rules with a single click right from within the Network Monitor.
- The connection alert can be minimized to defer the decision whether to allow or deny a connection.
- Improved DNS name based traffic filtering using Deep Packet Inspection.
- Code signature secured filter rules to prevent processes without a valid code signature from accessing the Internet.
- Improved working with profiles.
- Automatic Silent Mode Switching when switching to a different profile.
- Priority Rules for more fine grained control over the precedence of rules.
- Rule groups covering common macOS and iCloud services.
- Touch Bar Support.
Details
Completely redesigned Network Monitor
- The new map view in Network Monitor shows realtime information about all current and past network connections and their geographic location. It provides powerful filtering and selection options helping to assess particular connections based on the server’s location.
- It’s now also possible to create and change rules with a single click right from within the Network Monitor. This is especially useful in conjunction with the new Silent Mode. You may run Silent Mode for a while, then later create rules for connections that occurred during that time (those connections are displayed with a blue Allow/Deny button).
- An application’s connections shown in the connection list are now displayed grouped by domain, making it easier to create rules that match an entire domain instead of just a single host. But it’s still possible to drill down to the host-level of each connection.
- The connection information is persisted across restarts of the application (i.e. logout/login or restarting the computer).
- While the Network Monitor window is open, the app has a Dock icon and it’s shown in the Command-Tab app switcher of macOS.
- A new “Since Timestamp” filter lets you temporarily clear the connection list and show only connections that occurred after the filter was turned on. The filter can be activated by choosing “Since Timestamp” from the filter menu in the search field, or by pressing Command-K.
- You can choose between a light and a dark appearance of the Network Monitor window. The desired appearance can be selected in the View > Appearance menu in the menu bar.
Extended Research Assistant
The Research Assistant is now also accessible from Network Monitor and from Little Snitch Configuration.
Third party developers can now bundle their apps with an Internet Access Policy file containing descriptions of all network connections that are possibly triggered by their app. Little Snitch will then display that information to users, helping them in their decision how to handle a particular connection. A description of the policy file format will be provided soon.
Redesigned Silent Mode
The new Silent Mode is now tightly integrated with the Network Monitor. It can be used as an alternative to regular connection alerts, which some users may find too intrusive, especially after a fresh installation of Little Snitch with very few filter rules in place, causing connection alerts to appear quite often.
A recommended strategy for new users is to run Little Snitch in Silent Mode for a few days, allowing all connections (same as they did before, when Little Snitch wasn’t yet installed). After that time, all the connections that would have caused a connection alert are now listed in Network Monitor. They are marked with a blue Allow/Deny button. You can then quickly review all these connections, and create a set of rules that perfectly matches your needs based on the applications you use and the connections they make.
When Silent Mode is active, a user notification is shown when a connection is silently allowed or denied (only once per application). If you prefer completely silent operation, you can turn off these notifications in System Preferences > Notifications > Little Snitch Network Monitor.
Improved connection alert
- In Little Snitch Preferences > Connection Alert you can now choose the options that shall be preselected when a new connection alert is shown.
- It’s now possible to choose if the created rule shall be effective in the current profile or in all profiles.
- The details section now shows code signature information for the connecting process.
- The connection alert now offers an “Only local network” option if a connection attempt was made to an address in the local network.
Minimizing the connection alert
Another way of dealing with unwanted interruptions caused by a connection alert is the new ability to minimize the alert window. Instead of confirming a connection alert immediately, you can minimize it into a small overlay window and postpone the decision whether to allow or deny the connection.
The context menu of a minimized connection alert offers a “Keep minimized” option. Subsequent connection attempts will then also be collected in the minimized overlay window. A counter shows the number of pending connection attempts.
Once you are in the mood for dealing with these requests you can click on the overlay to reopen the connection alert.
Alternatively you can right click the minimized connection alert to reopen the alert for a particular connection attempt (in case there’s more than one) or to open the Network Monitor for handling all pending connections there instead.
The Network Monitor shows such pending connections with yellow, pulsating Allow/Deny buttons, indicating that these connections are actually stalled, waiting for you to make a decision.
Improved DNS name based traffic filtering
The network filter now performs Deep Packet Inspection instead of the previous IP address based filtering. This results in much more precise filter matching, especially in those cases where one and the same IP address is possibly associated with multiple hostnames (e.g. google.com vs. googleanalytics.com).
Code signature secured filter rules
The code signature of the connecting processes is now taken into account. If a rule was created for a process with a valid code signature, that rule will no longer match if the signature changes or becomes invalid. This prevents malicious software from hijacking existing rules.
Each rule now provides a “Requires valid code signature” option in the rule editor sheet in Little Snitch Configuration. This option is turned on by default.
When the code signature of a connecting process is invalid, the connection alert now offers additional options for dealing with this situation. In that case the automatic confirmation of the connection alert is suppressed. Here are a few examples of possible scenarios:
- The connecting process does not have a code signature at all.
- The connecting process has a code signature by its developer, but it was modified either on disk or in memory.
- A process tries to establish a connection that’s covered by an existing rule, but the code signature of the running process does not match what the rule requires.
Depending on the severity of the issue, the connection alert only shows a warning but lets you create rules as usual, or it shows a detailed description of what is going on, explains what you can do about it and only lets you create a new rule – or modify existing rules, if appropriate – after an additional confirmation.
Creating and inspecting rules in Little Snitch Configuration is also improved in regard to code signature. The info sidebar shows whether a rule requires a valid code signature and a new suggestions filter lists all rules that could require a code signature from their processes but currently don’t.
Improved working with profiles
The connection alert now provides an option to specify whether a rule shall be created in the current profile or if it shall be effective in all profiles.
The new Automatic Silent Mode Switching option (configurable in Little Snitch Configuration) now lets you associate a profile with a particular Silent Mode. Whenever the profile gets activated, the corresponding Silent Mode Switching is performed.
For example, you might create a “Presentation” profile (for being used while making a Keynote presentation) that automatically turns on Silent Mode in order to prevent connection alerts from appearing during the presentation.
Improved UI for managing profiles in Little Snitch Configuration. Profiles are now created and edited in a modal editor sheet. In this sheet you can assign networks for Automatic Profile Switching, configure Silent Mode Switching, rename and activate the profile.
Priority Rules
In Little Snitch 3, the priority of a rule was implicitly raised when the rule was moved to a profile.
In Little Snitch 4 a rule’s priority can now be defined separately for each individual rule, independent from its profile.
The priority of a rule can be changed in Little Snitch Configuration by choosing Increase/Decrease Priority from the rule’s contextual menu. Rules with increased priority are indicated with bold text.
As a general rule of thumb it’s recommended to use priority rules only sparingly, in those cases where it’s absolutely necessary in order to make a rule win against other competing rules.
In most cases, the automatic precedence ordering of rules (where more specific rules take precedence over more general ones) is sufficient for achieving the desired rule matching behavior — for example, if you have a more general rule that allows all connections to an entire domain, and another, more specific rule, that denies connections to a particular host within that domain.
An existing ruleset from Little Snitch 3 will be automatically converted. Rules that are associated with a profile (which had an implicitly raised priority before) will get the new high priority option set automatically, but only in those cases where that’s actually necessary.
- Automatic ruleset analysis detects rules whose priority has been unnecessarily increased. This helps to determine whether a rule’s priority actually has an effect on its overall precedence in relation to other rules, in other words, whether raising its priority is necessary at all.
- Rules with an unnecessary priority are marked with a blue or gray exclamation mark triangle. The blue triangle indicates that the priority is completely unnecessary and can be removed. The gray triangle indicates that the priority will become unnecessary as soon as the unnecessary priority of other rules has been removed.
- When a priority rule is selected, rules that are affected by the priority of this rule are marked with a light blue background color. If no such affected rule exists, the priority of this rule is unnecessary and the rule is marked with a blue triangle.
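The precedence and priority analysis described above can be reproduced on a small rule set. The following Python model is an added example, not Little Snitch's own code or algorithm: the ranking order, the tie-break, the probe hosts and all names are assumptions of this sketch, and the rules are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    target: str               # host name, or domain name if is_domain
    is_domain: bool = False
    priority: bool = False    # models the "increased priority" flag

    def matches(self, host: str) -> bool:
        if self.is_domain:
            return host == self.target or host.endswith("." + self.target)
        return host == self.target

    def rank(self):
        # Assumed ordering: priority first, then host over domain,
        # then the longer (deeper) name. Ties go to the earlier rule.
        return (self.priority, not self.is_domain, len(self.target))

def decide(rules: List[Rule], host: str) -> Optional[str]:
    hits = [r for r in rules if r.matches(host)]
    return max(hits, key=Rule.rank).action if hits else None

def decisions(rules: List[Rule]) -> Dict[str, Optional[str]]:
    # Probe every rule target plus one otherwise unnamed host per domain.
    probes = {r.target for r in rules}
    probes |= {"probe." + r.target for r in rules if r.is_domain}
    return {h: decide(rules, h) for h in probes}

def drop_priority(rules: List[Rule], i: int) -> List[Rule]:
    return [replace(r, priority=False) if j == i else r for j, r in enumerate(rules)]

def audit(rules: List[Rule]) -> Dict[int, str]:
    """Label each priority rule (by index) 'blue', 'gray' or 'needed'."""
    base = decisions(rules)
    prio = [i for i, r in enumerate(rules) if r.priority]
    # blue: removing this priority alone changes no decision
    blue = [i for i in prio if decisions(drop_priority(rules, i)) == base]
    cleaned = rules
    for i in blue:            # strip blue priorities while decisions stay equal
        candidate = drop_priority(cleaned, i)
        if decisions(candidate) == base:
            cleaned = candidate
    labels = {}
    for i in prio:
        if i in blue:
            labels[i] = "blue"
        elif decisions(drop_priority(cleaned, i)) == base:
            labels[i] = "gray"    # unnecessary once the blue ones are gone
        else:
            labels[i] = "needed"
    return labels

# Constructed rule set for one process (not from a real configuration)
RULES = [
    Rule("allow", "example.com", is_domain=True, priority=True),
    Rule("deny", "ads.example.com", priority=True),
    Rule("deny", "tracker.example", is_domain=True, priority=True),
    Rule("allow", "cdn.tracker.example"),
]
```

Here `audit(RULES)` labels the domain-wide allow as blue, the host-level deny as gray (it only needs its priority to beat the blue rule), and the tracker deny as needed because it overrides a more specific allow.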
Rule Groups
To avoid vast numbers of connection alerts from appearing when using common macOS and iCloud services, Little Snitch now provides preconfigured rule groups for these usage areas. They can be turned on in the sidebar of Little Snitch Configuration. The rules in these groups will be kept up to date with future updates of Little Snitch.
Alerts you about outgoing network connections for your Mac
What's new in this version:
Improved detection of program modification:
- Little Snitch has a security mechanism that ensures rules are only applied to programs for which they were originally created. This is to prevent malware from hijacking existing rules for legitimate programs. To do that, Little Snitch must be able to detect whether a program was modified. How Little Snitch does that changes with this version
- Previous versions required a program to have a valid code signature in order to be able to detect illegitimate modifications later on. Programs without a code signature could not be validated and Little Snitch warned accordingly. The focus was therefore on a program’s code signature
- Beginning with version 4.3, Little Snitch can always check whether a program has been tampered with, even if it’s not code signed at all. The focus is now on checking for modifications with the best means available. That is usually still the code signature but for programs that are not code signed, Little Snitch now computes a secure hash over the program’s executable. (There’s still a warning if a process is not signed, but only to inform you about a possible anomaly)
- This change leads to a different terminology. When editing a rule, Little Snitch Configuration no longer shows a checkbox titled “requires valid code signature” but instead one that is titled “check process identity” (or if the rule is for any process: “apply to trusted processes only”)
- Instead of a “code signature mismatch”, Little Snitch’s connection alert now informs that “the program has been modified”
- In cases where Little Snitch detects such a modification, it now also better explains the possible underlying cause and the potential consequences
- For more information see the chapter Code identity checks in the online help
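The identity check described above, and the rule pinning from “Code signature secured filter rules”, can be modelled as follows. This Python sketch is an added example, not Little Snitch's own code: SHA-256 as the hash, the `signer` parameter standing in for the operating system's code signature verification, and all names and sample bytes are assumptions.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Identity:
    kind: str    # "signature" or "hash"
    value: str   # signer identifier, or hex digest of the executable file

def current_identity(path: str, signer: Optional[str]) -> Identity:
    """signer stands in for the OS code signature check: the signer's
    identifier if the signature is valid, None if the program is unsigned,
    modified, or signed with a revoked certificate."""
    if signer is not None:
        return Identity("signature", signer)
    digest = hashlib.sha256()    # SHA-256 is an assumption of this sketch
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return Identity("hash", digest.hexdigest())

@dataclass
class Rule:
    path: str
    action: str                  # "allow" or "deny"
    pinned: Optional[Identity]   # None models a rule with the identity check off

def evaluate(rule: Rule, path: str, signer: Optional[str] = None) -> str:
    """Return the rule's action, "no-match", or "modified" when the program
    no longer has the identity the rule was created for."""
    if path != rule.path:
        return "no-match"
    if rule.pinned is None:
        return rule.action       # any binary at this path inherits the rule
    if current_identity(path, signer) == rule.pinned:
        return rule.action
    return "modified"            # rule must not apply; raise an alert instead

def demo() -> dict:
    """Constructed scenario: rules exist for a program whose file is then replaced."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"original program bytes (constructed sample)")
        os.close(fd)
        checked = Rule(path, "allow", current_identity(path, None))
        unchecked = Rule(path, "allow", None)
        signed = Rule(path, "allow", Identity("signature", "EXAMPLETEAM"))
        out = {"before": evaluate(checked, path)}
        with open(path, "wb") as f:     # simulate a modification on disk
            f.write(b"replaced program bytes (constructed sample)")
        out["after_checked"] = evaluate(checked, path)
        out["after_unchecked"] = evaluate(unchecked, path)
        out["signed_ok"] = evaluate(signed, path, signer="EXAMPLETEAM")
        out["signature_lost"] = evaluate(signed, path, signer=None)
        return out
    finally:
        os.remove(path)
```

Only the rule without an identity check keeps allowing the replaced file, which is the rule hijacking case the check exists to prevent.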
Configuration File Compatibility:
- This version uses a new format with speed and size improvements for the configuration file in which the current rule set and the preferences are stored. This new file format is not compatible with older versions of Little Snitch, though. When updating to Little Snitch 4.3, the old configuration file is left untouched in case you want to downgrade to a previous version of Little Snitch. All changes made in Little Snitch 4.3 or later are not included in the old file, of course. Note that backup files created using File > Create Backup… in Little Snitch Configuration use the old file format and are therefore backward-compatible with previous versions of Little Snitch
Improved Support for macOS Mojave:
- Improved appearance in Dark Mode
- Fixed backup restore from Time Machine not working in Little Snitch Configuration due to the new “Full Disk Access” security mechanism
- Fixed creating Diagnostics Reports for non-admin users (on macOS High Sierra and later). When you contact our tech support, we sometimes ask you to create these reports
Performance Improvements:
- Improved overall performance for large rule sets
- Reduced CPU load of Little Snitch Daemon during DNS lookups
- Reduced CPU load of Network Monitor while inactive
- Improved performance of rule sorting in Little Snitch Configuration, which leads to better overall performance
- Fixed Little Snitch Daemon hanging while updating a rule group subscription that contains many rules
- Fixed a memory leak that occurred when closing a snapshot window in Network Monitor
Internet Access Policy:
- Fixed an issue causing an app’s Internet Access Policy to not be shown if that app was running in App Translocation
- Fixed clickable links not working in the “Deny Consequences” popover when creating rules in connection alert or Network Monitor
- Internet Access Policy file: Fixed large values for a connection’s “Port” being rejected
Process Identity and Code Signature Check Improvements:
- Added support for detecting revoked code signing certificates when checking a process’ code signature. The connection alert and Network Monitor now treat such processes like processes without a valid code signature and show relevant information. Also, rules created will use an appropriate identity check (based on the executable’s checksum, not based on the code signature)
- When showing a connection alert for a process that has no valid code signature, Little Snitch now tries to find out if loading a shared library may have caused the issue with the code signature. If so, this is pointed out in the connection alert
- Fixed handling of app updates while the app is still running: Previous versions of Little Snitch would complain that the code signature could not be checked if the running app was replaced on disk, e.g. during an update
- Fixed an issue where connection alerts would erroneously contain a warning that an application’s code signing certificate was unacceptable. This mainly happened when a process’ first connection was an incoming connection
Improved Handling of Connection Denials and Override Rules:
- Improved handling of override deny-rules that were created as a consequence of a suspicious program modification (“Connection Denials”). In Network Monitor, these rules are now marked with a dedicated symbol. Clicking that symbol lets you remove that override rule, if the modification is confirmed to be legitimate
- Changed override deny-rules created for failed code identity checks to not be editable or deletable. Instead, double-clicking such a rule allows you to fix the underlying issue, which then automatically deletes the override rule
UI and UX Improvements:
- Automatically combine rules: For improved handling of large rule sets with many similar rules that only differ in host or domain names. This is common when subscribing to blocklists, which may contain thousands of similar, individual rules denying connections to various servers. The new “Automatically combine rules” option in Little Snitch Configuration (on by default) now combines such similar rules into a single row, making it much easier to keep track of large lists of rules
- Improved appearance when Accessibility option 'Increase contrast' is active
- Improved floating window mode in Network Monitor
- When choosing File > Restore from Backup in Little Snitch Configuration, the list showing possible backup files now includes backups that Little Snitch created automatically
- Improved the map shown in the “Known Networks” window in Little Snitch Configuration
- Improved the legibility of traffic rates in the status menu on Retina displays
- Fixed data rates shown in Network Monitor to match the values shown in the status menu
- Fixed the “Duration” setting in Preferences > Alert > Preselected Options not being respected
- Fixed an issue with “undo” when unsubscribing from a rule group or when deleting a profile
- Fixed an issue in Little Snitch Configuration where the “Turn into global rule” action did not work
- Fixed an issue where an error that occurred in the course of a previous rule group subscription update was still displayed, even though the problem no longer existed
Other Improvements and Bug Fixes:
- Increased the maximum number of host names allowed in a rule group subscription to 200.000
- Fixed an issue causing XPC services inside bundled frameworks to not be recognized as XPC. This resulted in connection alerts being shown for the XPC services themselves instead of for the app the service belongs to
- Fixed an issue causing Time Machine backups to Samba servers to stop working under some circumstances
- Fixed an issue related to VPN connections with Split DNS configuration that caused only the server’s IP address to be displayed instead of its hostname
- Reduced the snap length in PCAP files, allowing them to be analyzed not only with Wireshark but also with “tcpdump”