
unrigestered

Suspended
Original poster
Jun 17, 2022
I'm asking since I was planning to install Nmap, downloaded from this link https://nmap.org/download.html#macosx, on my system, which to my knowledge should consist more or less of some binaries and maybe some accompanying libraries, but a scan on VirusTotal, while finding no security concerns, is showing a ******** of weird stuff under "Behavior", with some "highlights" like changes to csrutil settings and the creation of Launch Agents and Daemons?

This can't be right, right?

Examining the nmap pkg and the BOM file only shows some bin and share folders being affected.
 
In my opinion, you should disregard the OS X Sandbox results.
Compare the Behavior tab for the nmap-7.93.dmg with the one for the contained nmap-7.93.mpkg:
https://www.virustotal.com/gui/file...8a9e9b3c83edad2193054b31a203a410270c/behavior
https://www.virustotal.com/gui/file...46d3e98cae52870a85caa0bd1893d5af4964/behavior
Launch Agent appears only on the dmg.
If you examine nmap-7.93.mpkg with Suspicious Package (https://www.mothersruin.com/software/SuspiciousPackage/) you can see what is being installed and where.
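The same "what does this package actually write, and where" check can be done with macOS's own tools: `pkgutil --expand-full` unpacks the package and `lsbom` lists its Bill of Materials. The script below is an added example, not code from this thread, from Suspicious Package or from the Nmap project; it assumes a tab-separated listing of the form `path<TAB>octal mode<TAB>user<TAB>group` (what `lsbom -p fmUG <Bom>` prints, but verify the column order on your own machine) and flags payload entries that land in persistence locations (LaunchAgents, LaunchDaemons, periodic, sudoers.d), carry setuid/setgid bits, are world-writable, or fall outside the prefix you expect the package to use. The sample listing is constructed: the `helper`, `LaunchDaemons` and `scratch` lines are made up to exercise each check and are not part of the real nmap package.

```python
"""Audit an lsbom-style payload listing of a macOS installer package.

Added example (not from the thread or the Nmap project). Expects lines of
"path<TAB>octal-mode<TAB>user<TAB>group", which is the output format of
`lsbom -p fmUG Bom` after `pkgutil --expand-full pkg.mpkg outdir`
(assumption: confirm the column order locally before relying on it).
"""
import re
import stat
from collections import Counter

# Paths that create persistence or alter privileged configuration. Any payload
# entry matching one of these deserves a close look before installing.
PERSISTENCE_PATTERNS = [re.compile(p) for p in (
    r"^\./Library/(LaunchAgents|LaunchDaemons|StartupItems)/",
    r"^\./Users/[^/]+/Library/LaunchAgents/",
    r"^\./private/etc/(periodic|sudoers\.d|paths\.d)/",
)]

# Constructed sample listing: the first entries mirror what a tool like nmap
# installs under /usr/local; the last three are invented to trigger findings.
SAMPLE_LISTING = "\n".join("\t".join(row) for row in (
    (".", "40755", "root", "wheel"),
    ("./usr", "40755", "root", "wheel"),
    ("./usr/local", "40755", "root", "wheel"),
    ("./usr/local/bin", "40755", "root", "wheel"),
    ("./usr/local/bin/nmap", "100755", "root", "wheel"),
    ("./usr/local/share", "40755", "root", "wheel"),
    ("./usr/local/share/nmap", "40755", "root", "wheel"),
    ("./usr/local/share/nmap/nmap-services", "100644", "root", "wheel"),
    ("./usr/local/bin/helper", "104755", "root", "wheel"),          # constructed: setuid
    ("./Library/LaunchDaemons/com.example.updater.plist", "100644", "root", "wheel"),  # constructed
    ("./private/tmp/scratch", "100666", "root", "wheel"),           # constructed: world-writable
))


def parse_listing(text):
    """Yield (path, mode_int, user, group) for each non-empty listing line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"unexpected listing line: {line!r}")
        path, mode, user, group = parts
        yield path, int(mode, 8), user, group


def audit_listing(text, expected_prefixes=("./usr/local/",)):
    """Return (counts, findings).

    counts    - Counter with the number of directories and files in the payload
    findings  - list of (reason, path) tuples, one per check that fired
    """
    counts = Counter()
    findings = []
    for path, mode, _user, _group in parse_listing(text):
        if stat.S_ISDIR(mode):
            counts["dirs"] += 1
            continue
        counts["files"] += 1
        if any(p.search(path) for p in PERSISTENCE_PATTERNS):
            findings.append(("persistence", path))
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(("setuid_or_setgid", path))
        if mode & stat.S_IWOTH:
            findings.append(("world_writable", path))
        if not path.startswith(expected_prefixes):
            findings.append(("outside_expected_prefix", path))
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit_listing(SAMPLE_LISTING)
    print(f"{counts['dirs']} directories, {counts['files']} files")
    for reason, path in findings:
        print(f"{reason:24s} {path}")
```

Run it against a real listing with `lsbom -p fmUG Expanded.pkg/Bom | python3 audit.py` after swapping the sample for `sys.stdin.read()`; a clean payload for a command-line tool should yield no findings at all, while a package that drops anything under LaunchDaemons is exactly the case the VirusTotal "Behavior" tab was hinting at.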
 
thanks!

Launch Agent appears only on the dmg.
Yes, I've noticed that too; I was just wondering wtf this thing would need persistence for, if that analysis was right at least?

Regarding Suspicious Package, I had already downloaded it (as it had been mentioned on Objective-See! 🤘) but have not installed it yet, as I thought I could mostly get by with macOS's native utilities and only install stuff when really needed.

Nmap isn't truly vital either; I just hadn't found a native solution to check the port behavior of my router yet, as the maker simply claims that it's impossible to penetrate from the outside, since all ports that are not in use are closed by default.
 
Oh, I see.

I thought Nmap was some kind of de facto standard "everybody" was using?

What do you use for port scanning then, or isn't that of too much importance anyway?
 
I have a question again:
I now have Suspicious Package installed by dragging and dropping its folder into my Applications directory.

I hadn't done so before because I've seen that Finder will get the right-click option to “Open with Suspicious Package”, and I generally prefer not to use apps that root too deeply into a system if possible.

But how is that permanent connection Finder -> “Open with Suspicious Package” established when all that I (think I) have done is move one folder?
OK, not sure anymore, but I think I've launched that app, so that must have created this.

There surely must be some (Finder) PLISTs involved or something, but I couldn't find that link at the moment.

Edit: I think I've found it inside com.apple.finder.plist while browsing manually for such a file.

Strangely, Finder's search function for recently changed (system) files hadn't listed it.
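The "Open With" entries Finder offers come from LaunchServices: when an app bundle is registered (typically the first time it is launched or copied into /Applications), LaunchServices reads the `CFBundleDocumentTypes` array in the bundle's `Info.plist` and records which file extensions and UTIs the app claims. The script below is an added example, not code from this thread or from Suspicious Package; it parses an `Info.plist` with the standard-library `plistlib` and lists those claims so you can see, before launching an app, which file types it will attach itself to. The plist is constructed for a hypothetical app (`com.example.pkgviewer`) and is not Suspicious Package's real `Info.plist`; the UTI `com.example.bom` is likewise made up.

```python
"""List the document types an app bundle will claim once LaunchServices registers it.

Added example; the Info.plist below is constructed for a hypothetical app and
is not the real plist of any shipping application.
"""
import plistlib

# Constructed Info.plist for a hypothetical viewer app. The keys
# (CFBundleDocumentTypes, CFBundleTypeExtensions, LSItemContentTypes, ...)
# are the real ones Apple defines; the values are invented.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.pkgviewer",
    "CFBundleName": "ExamplePkgViewer",
    "CFBundleDocumentTypes": [
        {
            "CFBundleTypeName": "Installer package",
            "CFBundleTypeRole": "Viewer",
            "LSHandlerRank": "Alternate",
            "CFBundleTypeExtensions": ["pkg", "mpkg"],
        },
        {
            "CFBundleTypeName": "Bill of materials",
            "CFBundleTypeRole": "Viewer",
            "LSHandlerRank": "Default",
            "CFBundleTypeExtensions": ["bom"],
            "LSItemContentTypes": ["com.example.bom"],   # constructed UTI
        },
    ],
})


def claimed_document_types(plist_bytes):
    """Return one dict per CFBundleDocumentTypes entry: name, role, rank, extensions, utis."""
    info = plistlib.loads(plist_bytes)
    claims = []
    for entry in info.get("CFBundleDocumentTypes", []):
        claims.append({
            "name": entry.get("CFBundleTypeName", "<unnamed>"),
            "role": entry.get("CFBundleTypeRole", "None"),
            "rank": entry.get("LSHandlerRank", "(unspecified)"),
            # Extensions are matched case-insensitively by LaunchServices.
            "extensions": [e.lower() for e in entry.get("CFBundleTypeExtensions", [])],
            "utis": list(entry.get("LSItemContentTypes", [])),
        })
    return claims


def extensions_claimed(plist_bytes):
    """Sorted, de-duplicated list of every extension the bundle claims."""
    exts = set()
    for claim in claimed_document_types(plist_bytes):
        exts.update(claim["extensions"])
    return sorted(exts)


def claims_file(plist_bytes, filename):
    """True if the bundle claims the file's extension (UTI matching is not modelled here)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return any(ext in c["extensions"] for c in claimed_document_types(plist_bytes))


if __name__ == "__main__":
    # On a real system read the plist from the bundle, e.g.
    # open("/Applications/SomeApp.app/Contents/Info.plist", "rb").read()
    for c in claimed_document_types(SAMPLE_INFO_PLIST):
        print(f"{c['name']!r}: role={c['role']} rank={c['rank']} "
              f"ext={c['extensions']} utis={c['utis']}")
```

To see what LaunchServices has actually recorded on your Mac (which is where the Finder association lives, rather than in any one Finder plist), dump its database with `/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump` and search the output for the app's bundle identifier; the same tool's `-u` option unregisters a bundle you no longer want offered in "Open With".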
 