
Torquemada

macrumors member
Original poster
May 8, 2011
49
16
United Kingdom
My Mac Studio has finally arrived, and like a lot of people, I use Little Snitch. Had to upgrade to version 5, as my previous Mac was only on Catalina.

On my previous Mac I also used Sophos as an Anti-Virus app, but I've heard this has conflicts with the newer version of Little Snitch.

Can anyone recommend some (free) AV software that works with Little Snitch?

Please don't bother saying that AV software is not needed on Macs, I'd rather have it, and not need it, than need it, and not have it.
 
There is one fixable issue on boot when Sophos keeps requiring approval of Little Snitch Rules even though you approved the rules on the last boot.

From Sophos support:

Sophos uses processes called “Sophos[…].bundle” which install themselves as a new user on the system (user: “_sophos”).
You can see this when you press the D key in a Little Snitch Connection Alert. This will show you the ID for the user "_sophos".

Rules in Little Snitch can have different kinds of process owners
— the current user “Me” for all processes running for the current active user

— “System” for all system processes running as “root” or other system users (those marked with a gear wheel icon)

— all users respectively “Anyone”—such rules are valid for every user on the system (system and all user processes)

To be able to set up the last-mentioned “Anyone” rules, “Allow Global Rule Editing” has to be enabled in the “Little Snitch Preferences > Security” settings. There are also rule categories for “Global Rules” and “System Rules” in the Little Snitch app window to give an overview for such rules.

The “_sophos” user is set up with a user identifier above 500 which is usually not used for such processes (see e.g. https://en.wikipedia.org/wiki/User_identifier#Reserved_ranges).

This is why you cannot create a permanent rule (“Forever”) from that connection alert since it is not made by a system or active user process, but by a different user (“_sophos”) instead.

In order to access the rules for the user “_sophos”, they have to be made available to all users:

— Enable “Little Snitch Preferences > Security > Allow Global Rule Editing”.

— Open Little Snitch app as the user “_sophos” via the following Terminal command:

sudo -u _sophos /Applications/Little\ Snitch.app/Contents/MacOS/Little\ Snitch

(Open /Applications/Utilities/Terminal.app and paste the previous line into it, then hit Return and confirm. If there are error messages in the terminal, you can safely ignore them.)

— After typing your admin password, you should be able to see the Little Snitch app window with the rules for the user “_sophos”.

— Edit those rules to “Owner: Anyone” in order to make them global and set them to your needs.
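
To see which accounts on a Mac fall into the UID range described above, the following added example (not part of the posts or of Sophos's instructions) filters `dscl . -list /Users UniqueID` output for underscore-prefixed service accounts with a UID above 500. The function names and the sample listing, including the UID shown for `_sophos`, are constructed for illustration.

```shell
#!/bin/sh
# Added example: list service accounts (names starting with "_") whose UID
# is above 500, the range the post says is unusual for such processes.

# Constructed sample of `dscl . -list /Users UniqueID` output. The UIDs are
# illustrative and were not read from a real system.
SAMPLE_USERS='_www                     70
_spotlight               89
_sophos                  502
alice                    501
nobody                   -2
root                     0'

# Reads "name uid" lines on stdin and prints "name uid" for every
# underscore-prefixed account with a numeric UID greater than 500.
# Negative UIDs (such as nobody) fail the numeric match and are skipped.
service_accounts_above_500() {
    awk '$1 ~ /^_/ && $2 ~ /^[0-9]+$/ && $2 + 0 > 500 { print $1, $2 }'
}

# Use the live directory listing on macOS; fall back to the constructed
# sample on systems without dscl so the script still runs.
list_users() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -list /Users UniqueID
    else
        printf '%s\n' "$SAMPLE_USERS"
    fi
}

list_users | service_accounts_above_500
```

Any account this prints is neither a low-UID system account nor the logged-in user, which is the situation the post describes for “_sophos”.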
 