If you're a Mac power user, you probably install a lot of software, only to delete it later. But how many of those applications, drivers, and customizations tools are still trying to do things when your Mac starts up?
If you're like me, you have no idea, which is why it's good that KnockKnock exists. This free program gives you an overview of all persistent software on your Mac, basically everything that starts up when your Mac does. The information goes well beyond what you can see in System Preferences, and is presented clearly in a single user interface. It's useful for spotting malware, and also for doing some spring cleaning.
KnockKnock is from Objective See, a trusted member of the macOS security community behind a variety of security tools, including one we recommended for finding out when your Mac's camera is active. Installing is simple: just download the ZIP file, click it to unzip it, and then drag the icon to your Applications folder.
Launch KnockKnock and you'll see a simple user interface. Click the "Start Scan" button to begin.
You will be asked for your password.
The scan itself shouldn't take more than a minute or two.
When the scan is done, you can start browsing the results, which are broken down into sections.
For example, there's the macOS extensions section, which includes tools that give applications the ability to integrate with Finder, Notifications Center, and more. You'll see the name of the extension and its location in your file system, alongside information from VirusTotal.
This means that, at a glance, you'll know what something is, where it lives on your computer, and if it's likely to be malware. You'll also see buttons for pulling up more information, and opening a Finder window to the file's location.
It's a lot more information than you get from System Preferences, and you can use this same approach to see your macOS login items.
But we're just getting started. What really makes KnockKnock useful are the more advanced categories, like "Kernel Extensions."
Kernel extensions are software that interfaces with the operating system at the kernel level, and it's not a good idea to leave anything here unless it's necessary.
The locks beside the listings are important to note. To quickly break things down:
- A green lock means something is signed by Apple itself. You'll only see these if you specifically include OS items in the preferences.
- A black closed lock means something is third party, but properly signed.
- An orange open lock means something is unsigned.
For example, in the above screenshot, you can see that my Wireless360Controller extension (an XBox 360 driver) is unsigned, meaning I probably shouldn't keep it around. Happily I can locate the driver in the Finder and delete the kernel extension.
It goes without saying that deleting kernel extensions isn't a good idea if you don't know what you're doing, because you could break things. But for informed Mac power users, KnockKnock gives you a way to check what your Mac is running at boot.
This is a great tool for anyone who wants to learn more about the software running on their Mac, and also gives you one more way to stay on top of the growing Mac malware threat.