Release Notes

macOS Catalina compatibility

• Some of the system apps previously found in /Applications have moved to /System/Applications. This version updates your Little Snitch rules accordingly. Please upgrade Little Snitch first, then macOS. If you have upgraded to Catalina already you can either manually change the existing rules in Little Snitch Configuration, or you can create new rules as Little Snitch notifies you about them.
• The animation that’s shown when turning on the “Keep above other windows” option in Network Monitor has been changed so that it no longer requires to record the computer’s screen (which caused a privacy warning on macOS Catalina).
• It’s now possible to restore backups that are located in a privacy protected folder such as Documents, Desktop or Downloads on macOS Catalina.

Improvements

• Little Snitch warns about potential consequences when you deny a connection and Little Snitch knows the purpose of the connection. Since this warning may be annoying, it can now be disabled on a per-application basis.
• Added support for additional remote endpoint types in the Internet Access Policy. The IAP can now contain information about Berkeley Packet Filter access and connections to the local network.
• It’s now possible to simply delete “Code Signature Issue Override Rules” in Little Snitch Configuration. Fixing the underlying issue is still possible in the context menu or by double-clicking the rule.
• Various user interface fixes and improvements.

Bug Fixes

• Fixed: Clicking a column header in the rules list in Little Snitch Configuration didn’t sort the list.
• Fixed a rare kernel panic which could occur when the system runs out of memory.

This version is a hot fix for version 4.4.1, which was released earlier today.

It turned out that the fix for a rare kernel panic introduced a new bug which also triggered a kernel panic. Sorry for the rapid succession of releases and the resulting system restarts!

If you have missed 4.4.1: Please don't overlook the security content of this release!

Security

Version 4.4.0 fixed a vulnerability which allowed privilege escalation to root for any local user. However, in some situations computers were still vulnerable after the upgrade. This version addresses the remaining issue. Please upgrade before details of the vulnerability are published!

This vulnerability has been assigned the number CVE-2019-13014. More information will be made available later.

Little Snitch version 3 is not affected.

Changed Behavior

When Little Snitch detects possibly malicious program modifications in Silent Mode, it now shows its findings immediately in an alert. Previously, the modified program was denied network access silently.

Bug Fixes

• Fixed a rare kernel panic which is related to network file systems.
• Fixed a rare problem where Little Snitch could break DNS lookups.
• Minor GUI and wording changes.

Security

This version fixes a vulnerability which allows privilege escalation to root for any local user. Please upgrade before details of the vulnerability are published!

The vulnerability has been assigned the number CVE-2019-13013. More information will be made available later, when most users have upgraded to the latest version.

Little Snitch version 3 is not affected.

New Features

• Added compatibility with macOS Catalina (10.15).
• Little Snitch now monitors access to Berkeley Packet Filter devices. You can create rules to allow or deny access to these devices for particular applications.

Improvements

• Improved display of information retrieved from an app’s Internet Access Policy.
• Single file executables can now have an Internet Access Policy in their embedded Info.plist file.
• Internet Access Policies from embedded frameworks and apps are now merged with the main application's Internet Access Policy.
• Improved identity check for apps that are signed with a Mac Developer certificate and currently debugged in Xcode.

Bug Fixes

• Fixed an issue causing a message about a checksum failure to be wrongly shown for processes that fork multiple instances (for example a local http-Server).
• Fixed an issue causing the creation of Diagnostics Reports to fail under rare circumstances.
• Fixed an issue which caused Little Snitch to put a high load on one CPU under rare circumstances.

Other

• Numerous user interface fixes and improvements.

Improvements

• Improved performance of Little Snitch Configuration when “combine rules” is enabled.
• Added support for Touch ID to enable/disable rule and profile editing when clicking the lock button in Little Snitch Configuration’s toolbar.
• Process paths are now treated as being case-sensitive, even on case-insensitive file systems. This resolves an issue where rules created manually using Little Snitch Configuration would not match if the entered path didn’t match the actual path exactly. Such rules are now also marked as invalid and can be found in the “Invalid Rules” filter in the left sidebar.
• Code modification alerts can now be minimized, just like regular connection alerts.
• Improved detection of processes whose code signature got invalid because the corresponding code signing certificate was revoked.
• Improved layout of rule group subscription editor.
• Added sharing options for rule group subscriptions. In the left sidebar, Control-click a rule group and select “Share”, or use the share button in the rule group subscription editor to share the rule group with others.
• Added support for WireGuard VPN.
• Added a factory rule for connections from syspolicyd to api.apple-cloudkit.com.
• Rules whose process paths contain symbolic links are now marked as invalid because they can never match.
• Various improvements to Subscribed Rules Inspector.

Bug Fixes

• Fixed an issue where Little Snitch could break DNS lookups for all programs. This bug first occurred in version 4.3.
• Fixed an issue causing the connection alert to create a rule only for the app itself, ignoring the via-process, if the via-process was a Java process.
• Fixed an issue with ask-rules causing the connection alert to create rules that were less specific than the ask-rule that caused the alert to be shown in the first place, leading to repeated alerts.
• Fixed an issue causing Little Snitch to deactivate Silent Mode and switch to Alert Mode unintentionally.
• Fixed an issue in Little Snitch Configuration where dragging of rules didn’t work correctly when “combine rules” was enabled.
• Fixed an issue in Network Monitor where traffic captures were incomplete.
• Fixed a few issues with the network traffic meters in the menu bar.
• Fixed an issue causing the buttons for toggling the map and the inspector in Network Monitor to be not clickable under certain circumstances.
• Fixed an issue causing traffic captures not being stopped when Network Monitor was disabled in preferences while traffic was being captured.
• Fixed a possible crash on OS X 10.11.

Other

• Numerous user interface fixes and improvements.

Fixed a crash of Little Snitch Daemon when updating from Little Snitch 3 directly to Little Snitch 4.3.

This release contains changes in the following areas:

• Improved detection of program modification
• Configuration File Compatibility
• Improved Support for macOS Mojave
• Performance Improvements
• Internet Access Policy
• Process Identity and Code Signature Check Improvements
• Improved Handling of Connection Denials and Override Rules
• UI and UX Improvements
• Other Improvements and Bug Fixes

Improved detection of program modification

Little Snitch has a security mechanism that ensures rules are only applied to programs for which they were originally created. This is to prevent malware from hijacking existing rules for legitimate programs. To do that, Little Snitch must be able to detect whether a program was modified. How Little Snitch does that changes with this version.

Previous versions required a program to have a valid code signature in order to be able to detect illegitimate modifications later on. Programs without a code signature could not be validated and Little Snitch warned accordingly. The focus was therefore on a program’s code signature.

Beginning with version 4.3, Little Snitch can always check whether a program has been tampered with, even if it’s not code signed at all. The focus is now on checking for modifications with the best means available. That is usually still the code signature but for programs that are not code signed, Little Snitch now computes a secure hash over the program’s executable. (There’s still a warning if a process is not signed, but only to inform you about a possible anomaly.)

This change leads to a different terminology. When editing a rule, Little Snitch Configuration no longer shows a checkbox titled “requires valid code signature” but instead one that is titled “check process identity” (or if the rule is for any process: “apply to trusted processes only”).

Instead of a “code signature mismatch”, Little Snitch’s connection alert now informs that “the program has been modified”.

In cases where Little Snitch detects such a modification, it now also better explains the possible underlying cause and the potential consequences.

For more information see the chapter Code identity checks in the online help.

Configuration File Compatibility

This version uses a new format with speed and size improvements for the configuration file in which the current rule set and the preferences are stored. This new file format is not compatible with older versions of Little Snitch, though. When updating to Little Snitch 4.3, the old configuration file is left untouched in case you want to downgrade to a previous version of Little Snitch. All changes made in Little Snitch 4.3 or later are not included in the old file, of course. Note that backup files created using File > Create Backup… in Little Snitch Configuration use the old file format and are therefore backward-compatible with previous versions of Little Snitch.

Improved Support for macOS Mojave

• Improved appearance in Dark Mode.
• Fixed backup restore from Time Machine not working in Little Snitch Configuration due to the new “Full Disk Access” security mechanism.
• Fixed creating Diagnostics Reports for non-admin users (on macOS High Sierra and later). When you contact our tech support, we sometimes ask you to create these reports.

Performance Improvements

• Improved overall performance for large rule sets.
• Reduced CPU load of Little Snitch Daemon during DNS lookups.
• Reduced CPU load of Network Monitor while inactive.
• Improved performance of rule sorting in Little Snitch Configuration, which leads to better overall performance.
• Fixed Little Snitch Daemon hanging while updating a rule group subscription that contains many rules.
• Fixed a memory leak that occurred when closing a snapshot window in Network Monitor.

Internet Access Policy

• Fixed an issue causing an app’s Internet Access Policy not being shown if that app was running in App Translocation.
• Fixed clickable links not working in the “Deny Consequences” popover when creating rules in connection alert or Network Monitor.
• Internet Access Policy file: Fixed large values for a connection’s “Port” being rejected.

Process Identity and Code Signature Check Improvements

• Added support for detecting revoked code signing certificates when checking a process’ code signature. The connection alert and Network Monitor now treat such processes like processes without a valid code signature and show relevant information. Also, rules created will use an appropriate identity check (based on the executable’s checksum, not based on the code signature).
• When showing a connection alert for a process that has no valid code signature, Little Snitch now tries to find out if loading a shared library may have caused the issue with the code signature. If so, this is pointed out in the connection alert.
• Fixed handling of app updates while the app is still running: Previous versions of Little Snitch would complain that the code signature could not be checked if the running app was replaced on disk, e.g. during an update.
• Fixed an issue where connection alerts would erroneously contain a warning that an application’s code signing certificate was unacceptable. This mainly happened when a process’ first connection was an incoming connection.

Improved Handling of Connection Denials and Override Rules

• Improved handling of override deny-rules that were created as a consequence of a suspicious program modification (“Connection Denials”). In Network Monitor, these rules are now marked with a dedicated symbol. Clicking that symbol allows to remove that override rule, if the modification is confirmed to be legitimate.
• Changed override deny-rules created for failed code identity checks to not be editable or deletable. Instead, double-clicking such a rule allows you to fix the underlying issue, which then automatically deletes the override rule.

UI and UX Improvements

• Automatically combine rules: For improved handling of large rule sets with many similar rules that only differ in host or domain names. This is common when subscribing to blocklists, which may contain thousands of similar, individual rules denying connections to various servers. The new “Automatically combine rules” option in Little Snitch Configuration (on by default) now combines such similar rules into a single row, making it much easier to keep track of large lists of rules.
• Improved appearance when Accessibility option "Increase contrast" is active.
• Improved floating window mode in Network Monitor.
• When choosing File > Restore from Backup in Little Snitch Configuration, the list showing possible backup files now includes backups that Little Snitch created automatically.
• Improved the map shown in the “Known Networks” window in Little Snitch Configuration.
• Improved the legibility of traffic rates in the status menu on Retina displays.
• Fixed data rates shown in Network Monitor to match the values shown in the status menu.
• Fixed the “Duration” setting in Preferences > Alert > Preselected Options not being respected.
• Fixed an issue with “undo” when unsubscribing from a rule group or when deleting a profile.
• Fixed an issue in Little Snitch Configuration where the “Turn into global rule” action did not work.
• Fixed an issue where an error that occurred in the course of a previous rule group subscription update was still displayed, even though the problem no longer existed.

Other Improvements and Bug Fixes

• Increased the maximum number of host names allowed in a rule group subscription to 200.000.
• Fixed an issue causing XPC services inside bundled frameworks to not be recognized as XPC. This resulted in connection alerts to be shown for the XPC services themselves instead of for the app the service belongs to.
• Fixed an issue causing Time Machine backups to Samba servers to stop working under some circumstances.
• Fixed an issue related to VPN connections with Split DNS configuration that caused only the server’s IP address to be displayed instead of its hostname.
• Reduced the snap length in PCAP files, allowing them to be analyzed not only with Wireshark but also with “tcpdump”.

Bug Fixes

• This version fixes an issue that could cause a delay during system startup on macOS Mojave under some circumstances.

Bug Fixes

• Fixed an issue where an app’s Internet Access Policy failed to load if the app is not localized into multiple languages.
• Fixed a possible spontaneous crash of various components.
• Fixed a bug where the selected profile was not drawn correctly in the connection alert.
• Fixed an issue where checking for updates of subscribed rule groups would send a truncated value for the If-Modified-Since HTTP header.

Improvements

Improved handling of processes without code signature in Silent Mode. When there was a matching allow-rule for “Any Process” requiring a valid code signature, Little Snitch considered the unsigned process as case of likely tampering and inserted a high priority deny-rule. We now just skip the matching rule and act according to Silent Mode (allow or deny).

If the matching rule requires a particular code signature (from a particular developer), we still consider it as case of likely tampering and add a high priority deny rule. The process has been seen with a valid code signature before, so the code signature must have been removed.

Bug Fixes

• Fixed: The status of rule groups “macOS Services” and “iCloud Services” was not preserved across restarts.
• Fixed a rare crash occurring during concurrent data model updates.
• Fixed an issue where the connection alert could unexpectedly switch to another connection attempt without user interaction.
• Restoring to factory defaults now also removes rule group subscriptions.
• Fixed some UI drawing issues.
• Fixed an issue where the rule group subscription dialog could not be moved on the screen.
• Fixed an issue causing random crashes of the connection alert or the Network Monitor.
• Fixed a bug causing a hang during login under some rare circumstances.

Improvements

• Improved support for Dark Mode in macOS Mojave.
• Added back the ability to use the dark appearance of Little Snitch Network Monitor on older system versions (macOS High Sierra and earlier).

Bug Fixes

• Fixed an issue that caused an alert to be shown for an invalid code signature for the App Store on macOS Mojave for some users. There was a bug that prevented Little Snitch from automatically updating the code signature of existing rules when appropriate. See the Little Snitch help chapter Applications that change their bundle identifier in an update for details about this mechanism.
• Fixed a bug where duplicating a rule in a subscribed rule group would create the duplicate rule in that rule group. The new rule would then be a protected rule that could neither be deleted, nor edited.
• Fixed rule group tags not being shown in “Effective in all profiles”.

New Features

• Compatibility with macOS Mojave (10.14).
• Support for Dark Mode on macOS Mojave.

Private Connections

It’s now possible to declare certain types of connections as “private”. The host and domain name information of such connections is then no longer displayed in Network Monitor. Instead, these connections will be summarized in a single “Private Connections” entry, showing only some total summary information.

You can declare connections as private either in Little Snitch Configuration or in Network Monitor. In Little Snitch Configuration, create a new rule and choose “Private” as the rule’s action (instead of Allow or Deny). In Network Monitor, right-click a process and choose “Make Connections Private”.

You can use this as a privacy measure, e.g. by creating a “Private Browsing” profile that contains a rule declaring all Safari connections as private. Note that creating such a rule does not affect previous connections that are already shown in Network Monitor. To remove previous connections, right-click them in Network Monitor and choose “Remove from List”.

Improvements

• Improved performance of code signature checks when the code signature is checked for the same application multiple times.
• Improved compatibility with NFS server process.
• Improved handling of localized Internet Access Policy of third party apps.
• Added Internet Access Policy for “syspolicyd”.

Improvements

• Improved performance of launching Little Snitch components with large rule sets.
• A connection alert will now point out if it is shown due to a contradiction between two rules about whether a connection should be allowed or denied. This can happen when Little Snitch cannot determine the hostname for a connection and therefore only has an IP address available. Then, if there are two rules with contradictory actions that match that IP address (e.g. allow connections to foo.example.com and deny connections to bar.example.com, both hostnames resolve to the same IP address), Little Snitch shows a connection alert asking what should be done.

Bug Fixes

• Fixed an issue where Little Snitch Agent could crash after wake from sleep.
• Fixed rules not becoming active and operation mode not being switched when deactivating a profile. Activating a profile or switching from one profile to another worked, though.
• Fixed an issue where the connection alert showed an internal error when a running application was replaced on disk without restarting afterwards. This can happen for apps that update themselves while running.
• Fixed an issue where no connection alerts were shown for connections established by the kernel itself.
• Fixed issues with Java apps that would cause problems with code signature checks and incorrect app icons and process paths to be shown.
• Fixed an issue in Little Snitch Configuration’s rule inspector where selecting “Any Port” or “Any Protocol” from the drop down menu did not work.
• Corrected the number of ticks for the “Capacity” slider in the preferences for Little Snitch Network Monitor.

Bug Fixes & Improvements

• Fixed a memory leak in the Little Snitch kernel extension that could amount to high kernel memory usage.
• Fixed an issue that could occur when writing files to NFS network shares (“nfs send error 89” would appear in the system log).

Bug Fixes & Improvements

• Renamed status menu item from “Litte Snitch Configuration” to “Little Snitch Rules”.
• Fixed an issue that could cause the system to hang for a while when reading a version 4.0.x configuration file in version 4.1.
• Connection Alert: Fixed an issue causing the update of a rule’s code signature information to fail under some circumstances, leading to repeated “code signature mismatch” warnings.
• Little Snitch Configuration: Editing a rule’s “Require valid code signature” setting now better handles the case when an exutable’s code signature on disk no longer satisfies the code signature requirement of the rule.

Rule Group Subscriptions

Rule Groups are sets of rules that anyone can create and publish on their web server for others to subscribe to. Whenever changes to the rules are made by the publisher, subscribers receive these changes.

This is useful for providing automatically updating blocklists, distributing a common set of rules to multiple computers in a corporate network, or for app developers who want to provide a set of rules to their customers to make it work seamlessly with Little Snitch.

To let you test this feature we provide an example rule group. To subscribe to this group, open Little Snitch Configuration, choose New Rule Group Subscription from the File menu, and enter the following URL:

https://obdev.at/resources/littlesnitch/blocklist-example.lsrules

You can find more information about subscribing and publishing in the documentation chapter Rule group subscriptions.

Other New Features and Improvements

• Improved display of inactive rules in Little Snitch Configuration. If a rule is inactive for whatever reason — either if it’s not enabled, if it’s part of a profile that’s currently not activated, if it’s in a rule group that’s currently not activated, or if the entire network filter is turned off — the rule is now consistently displayed with a gray text color.
• Focus Mode: Little Snitch Configuration has a new mode that allows you to focus on a specific subset of rules. Selecting one or more rules and then choosing Focus on Selected Rules or Focus on Rules Affecting Selection from the View menu will focus on just the rules you want to see, while leaving the search field free for further filtering. Focus Mode is also used for revealing matching rules from the connection alert or Network Monitor (e.g. by right-clicking a connection and choosing Show Corresponding Rules).
• The rule groups “iCloud Services” and “macOS Services” (previously named “Managed Rules”) can now be activated and deactivated using a checkbox next to their name in Little Snitch Configuration’s left sidebar (previously, these checkboxes could be found in the preferences window). This allows you to see what rules these sets contain before activating them.
• Profiles can now be activated and deactivated in Little Snitch Configuration’s left sidebar using a checkbox next to the profile.
• The special “Code Signature Issue Override Rules” that Little Snitch creates under certain circumstances can now be edited in Little Snitch Configuration just like normal rules. This should make it less confusing to deal with situations where an application is reported to have no valid code signature. See Code signature issues > Special Code Signature Issue Override Rules for more details.
• Connection alerts for applications that have an issue with their code signature now include direct links to the relevant section of the online documentation. The relevant chapter Code signature issues has been extended to provide much more details and examples for how Little Snitch behaves when an application without a valid code signature tries to establish a connection.
• Added support for the current version of the QUIC protocol. This fixes an issue with connections from Google Chrome, where the connection alert only showed the IP address instead of the hostname under some circumstances.
• In addition to checking that an application’s code signature is valid, Little Snitch now also checks the code signing certificate that was used to create the signature. Only certificates that were issued by Apple are currently accepted.
• Improved Little Snitch Installer to prevent malicious software from hijacking the installation procedure. Credit to Patrick Wardle (Digita Security LLC) for discovering this possibility.
• Many more minor improvements.

Bug Fixes

• Fixed CVE-2018-10470: Fixed an issue where some components of Little Snitch would only verify the code signature of the 64 bit slice of a fat binary when performing a code signature check, ignoring the 32 bit slice. With a maliciously crafted binary, this could lead to Little Snitch Configuration and Network Monitor to show that the code signature was valid, while the running process could have a non-valid code signature. Note that this did not affect what connections were allowed or denied. Credit to Josh Pitts (Okta, Inc.) for discovering this issue. For more details, read Josh’s blog post.
• Fixed an issue where a connection alert could sometimes be shown despite an existing rule that allowed the connection. We observed this mainly with Google Chrome.
• Fixed an issue in “Silent Mode – Deny Connections” where incoming TPC connections would sometimes be denied despite an existing rule that allowed the connection.
• Fixed issues with Automatic Profile Switching when joining a new, yet unknown network.
• Fixed an issue in the connection alert in conjunction with terminated processes when the “Confirm connection alert automatically” preferences option was turned on.
• Fixed an issue causing VPN connections to be wrongly considered as local network connections due to an incorrect netmask of the P2P interface set by the IPSec client of macOS.
• Fixed an issue causing the connection alert to repeatedly switch between different, pending connection attempts.
• Fixed multiple issues that could lead to a Code Signature Alert showing an internal error. These alerts should be gone now for universal apps running in 32-bit mode and for Java apps.
• Fixed an issue where a connection alert could disappear when the connecting process terminates.
• Many more minor bug fixes.

Improvements

• Made Silent Mode actually silent again. Starting in Little Snitch 4.0.5, processes with certain code signature issues caused connection alerts to appear even during Silent Mode. These appeared in more situations than we originally intended, though, so we redesigned how this works. Now, no connection alerts will appear during Silent Mode (as it was before Little Snitch 4.0.5), but you may see a notification in the top-right corner of the screen about connections being denied due to code signature issues.

Bug Fixes

• Improved reliability when handling responses to DNS requests delivered via TCP instead of UDP. Credit to Samuel Williams of the RubyDNS project for discovering this issue.
• When changing the active profile using Little Snitch’s menu bar item while a connection alert was shown, the active profile’s name was not updated in the connection alert’s profile picker. This works as expected now. Note that the correct profile was used when creating a rule – just the name in the profile picker was not updated.
• Fixed an issue that could cause connection alerts to appear that would show no host or domain names, but IP addresses. This could sometimes happen relatively early after starting the computer for a very small number of users.

Internet Access Policy

• Little Snitch is now smarter in figuring out what information in your app’s IAP is relevant for a particular connection. This results in more concise and more relevant information being shown to the user. This new behavior is documented here.
• You can now specify that a connection description should match if and only if the user selects a connection for a whole domain or “any connection”. You can find the documentation for this here.
• Links in Markdown syntax now render correctly and show the linked URL as their tooltip.

Bug Fixes

• Fixed a kernel panic introduced in Little Snitch 4.0.4 that would occur when a single process established more than two billion outgoing connections.
• Fixed multiple issues causing a connection alert indicating an internal error related to a code signature mismatch from being shown.
• Fixed an issue where scrolling in Little Snitch Network Monitor’s inspector would not work.
• Fixed incorrect sorting of Time Machine Backups in Little Snitch Configuration’s “Import from Backup…” sheet.

Improvements

• The connection alert now points out if a connection is to or from the local network and offers a new option to create a rule for “Only local network”. Creating such a rule was possible in Little Snitch Configuration, but now you can do this in the connection alert, too.
• For hostnames that end in .local, the connection alert will now create host rules, not domain rules. These rules worked as intended, but it makes more sense to create host rules instead.
• A connection alert informing about a code signature mismatch is now shown even if Silent Mode is active. This is to prevent processes with an invalid code signature from communicating even in Silent Mode.
• If an app changes its bundle identifier in an update, Little Snitch will update any existing rules for that app if the new version is located at the same path and is signed by the same developer. Previously, a connection alert indicating a code signature mismatch was shown.
• Improved a button label in connection alert in case of a code signature mismatch to avoid possible confusion. Previously, it read “Require New Code Signature…” and now it’s “Accept New Code Signature…”.
• Improved alert when macOS blocks Little Snitch’s kernel extension from being loaded. In addition to opening the “Security & Privacy” preferences panel, it also switches to the “General” tab, where it must be allowed.
• Prevented multiple notifications about incoming connections from the local network to processes without a code signature being shown. Details: In earlier versions, if “Ignore code signature for local network connections” was enabled (in Little Snitch Configuration > Preferences > Security), an allow rule for only the specific IP address of the connecting peer was created and a notification was shown each time this happened. With this change, an allow rule for any incoming connection for the local network will be created and only a single notification will be shown. Note that this does not change what connections are accepted, only how many notifications are shown.
• Improved performance when duplicating a large number of rules in Little Snitch Configuration.
• Double-clicking an unapproved rule in Little Snitch Configuration to show the rule inspector now only approves the rule if the inspector is closed with the “OK” button, not with the “Cancel” button.
• Fixed Little Snitch Network Monitor sometimes showing incorrect hostnames for incoming UDP data. Note that only the names shown were incorrect – the network filter and rules were not affected by this.

Internet Access Policy

• Developers can now specify their name that will be shown to users as the source of the IAP information. Previous versions of Little Snitch used the name as defined in the code signing certificate, but this does not work for apps downloaded from the App Store. See the specification of keys for details.
• If the developer’s name is read from the app’s code signing certificate, Little Snitch now shows the name without the country. For example, it’s now “Objective Development”, not “Objective Development, AT”.
• Added support for Internet Access Policy files written in JSON format (in addition to the Property List format). See section File format for more information.
• Added support for Internet Access Policy files embedded in XPC services. See the section Support for XPC services in the developer documentation for details.
• Fixed an issue where developers testing the Internet Access Policy in their apps would not see up-to-date information in Little Snitch, specifically in localizations. Cache invalidation is hard.

Internet Access Policy

In Little Snitch 4 we’ve introduced a new Internet Access Policy (IAP) standard, allowing third party app developers to bundle a policy file with their application containing information about the Internet connections their program is about to establish.

This gives developers the opportunity to describe the purpose of these connections, why they are necessary and why it’s recommended or necessary to allow them.

With Little Snitch 4.0.4 we’ve extended the policy format to allow providing dedicated information about potential consequences when denying a particular connection.

Whenever you choose to deny a connection via Little Snitch — either in the connection alert or in Network Monitor — we now display that information helping you to make a better informed decision.

IAP Improvements

• Little Snitch now includes Internet Access Policies for several Apple processes shipped with macOS.
• Fixed an issue with localized IAP files.
• Added support for Markdown-style links.

Network Monitor

• Blocked connections are now indicated in the map with a red flashing connection line.
• Significantly improved performance when handling large amounts of connects.
• Improved performance in case of large file downloads.
• New action: “Show Recently Used Rule(s)”. Accessible by holding down the Option key while right-clicking a line in the list.
• Fixed an issue causing heavy flickering of the map during zooming or panning on macOS 10.13 High Sierra.
• Fixed locations on Little Snitch Network Monitor’s map being drawn too large on macOS 10.13.
• Fixed: The menu bar did not respond immediately after opening the Network Monitor window.
• Fixed: Network Monitor no longer flashes connection lines that are currently invisible due to filtering.
• The data rate display in the inspector pane now respects the Bits/s vs. Bytes/s user preference.
• The experimental “Handle Connection Attempts in Monitor” preferences option has been removed.

Code Signature Check Improvements

• Fixed an issue that could incorrectly lead to a connection alert indicating a code signature mismatch between a running process and an existing rule.
• Fixed an incorrect message “Incoming Connection Denied due to invalid code signature” being shown, usually for the process netbiosd.
• Improved a confusing code signature mismatch message in connection alert when the bundle identifier of the connecting app changed.
• When a rule is created using the connection alert’s “Deny Any Connection” button (only shown in case of a code signature mismatch or an invalid code signature), that rule is now permanent instead of “Until Quit”.
• Fixed an issue where a deny rule labelled “override due to code signature issue” could inadvertently be turned into a permanent allow rule.
• Fixed an issue where the connection alert would show that an XPC process’ parent app had no code signature. This would happen when the parent app was already terminated at the time when the XPC process tried to establish a connection.

General

• Improved handling and presentation of code signature issues.
• Improved help text of rule suggestions covering multiple connection attempts.
• Improved handling of incoming ssh connections.
• Improved handling of denied incoming connections.
• Improved display of connection alerts on small displays.
• Improved creation of diagnostics reports.
• Improved protection against malware attempting to modify Little Snitch.
• Improved reliability of showing connection alerts in cases where a process only opens a connection, but never actually sends or receives any data.
• For improved privacy the Little Snitch configuration file is now saved in an encrypted format.
• Fixed a vulnerability where the process name in Little Snitch Configuration’s rule inspector could be constructed to execute as a shell command. Security impact: If users follow malicious instructions, they can enter a text string in Little Snitch Configuration which is unexpectedly executed in a shell under the user’s privileges. Not exploitable from remote or by local processes.
• Added a preference option allowing to choose whether OpenVPN remote servers should be distinguished or not.
• Added “Port 22 (SSH)” to the port popup list in the rule editor of Little Snitch Configuration.
• Due to a bug in macOS, applications may hang for a while when they attempt to show animated graphics. Little Snitch detects when important components stop responding and used to generate diagnostics info. Since this further slowed down the machine, we no longer generate these diagnostics and simply restart the affected component.
• Fixed a rare kernel panic.
• Fixed an issue when choosing the “Once” option in the connection alert.
• Fixed an issue related to handling connections via VPN.
• Fixed a rare crash of Little Snitch Network Monitor that could occur when an app would use a network socket in an unusual, but still correct way. This could happen when using the PS4 Remote Play app.
• Fixed a kernel panic by making Little Snitch’s kernel extension more robust when other third party kernel extensions overwrite memory that belongs to Little Snitch.
• Fixed outdated message in installer log when boot cache update failed due to a full Recovery HD.
• Improved detection of which app uses an XPC helper.
• Fixed some unexpected but harmless messages from the kernel in the system log that would occur only on MacBook Pro with TouchBar.
• Several other bug fixes and improvements.

Privacy Note

For improved privacy the Little Snitch configuration file is now stored in an encrypted format. When switching to the encrypted format, a backup of the old, unencrypted configuration file is made. If you prefer to have only encrypted configuration files stored on disk, we recommend to remove any unencrypted backup files. Their filename contains a date and timestamp, and they are located in the following folders:

/Library/Application Support/Objective Development/Little Snitch/
~/Library/Application Support/Little Snitch/

To open these folders you can use Finder’s Go to Folder… command (⇧⌘G).

Downgrading Note

Since this version stores all configuration files in encrypted format, previous versions cannot read them. If you downgrade, all your rules and preferences are lost. In order to prevent data loss, this version makes a backup of your configuration at /Library/Application Support/Objetive Development/Little Snitch/configuration_<dateandtime>.xpl before encrypting. Previous versions can restore from this backup via Little Snitch Configuration > Rules > Import from Backup….

Alternatively, you can make a backup of your configuration even in the new version (via Little Snitch Configuration > Rules > Backup…) and restore it after downgrading. Backups are not encrypted in order to keep them backward-compatible.

Network Monitor

• Added preferences option for showing data rates either in Bytes/s or Bits/s.
• More prominent indication if a filter is currently active.
• Added support for full screen mode.

Notifications

• Improved “Simulated Input Ignored” notification.
• Fixed: Notifications weren’t shown under some circumstances.
• Fixed: Silent Mode Notifications are no longer shown when the Network Filter is turned off.

Little Snitch Configuration

• Improved keyboard control in rule editor.
• Fixed broken help links in the right sidebar of the rules window.

General Improvements

• Improved installation procedure on High Sierra.
• Improved code signature checking.
• Improved Deep Packet Inspection.
• Improved Touch Bar support.
• Improved support for “lftp”.
• Improved support for Viscosity OpenVPN client.
• Improved support for FTP and MySQL.
• Fixed an issue when creating via-rules in the connection alert, when the main-process and the via-process are from different users.
• Various bug fixes and performance improvements.
• Overall improved stability.

General Improvements

• Simplified upgrade procedure for owners of Little Snitch 3.
• Improved demo mode indication.
• Fixed a bug that caused the Little Snitch Configuration to freeze.
• Many minor bug fixes.

Menu Bar Icon

• Added demo mode indication.

General Improvements

• Improved Touch Bar support.
• Improved handling of FTP connections.
• Improved upgrade from version 3 to preserve an active Silent Deny Mode.
• Domains and search-domains that are explicitly configured in macOS System Preferences > Network Preferences > Advanced > DNS are now considered.
• Fixed some spelling errors, improved wording and localization.
• Fixed a crash of Little Snitch Agent when turning off the Network Monitor while Silent Mode was active.
• Fixed an issue when creating a new rule or profile in Little Snitch Configuration while the Known Networks window was open.
• Fixed a possible kernel panic.
• Many minor bug fixes.

Connection Alert

• The connection alert now shows a warning when the connecting application is affected by Gatekeeper Path Randomization (which indicates that the app was not correctly installed).
• The alert now also shows a plain text representation of internationalized domain names containing special characters which require encoding. This makes it possible to identify homograph domain name attacks.
• It’s now possible to get the port and protocol specific option preselected in the connection alert (See Little Snitch Configuration > Preferences > Alert).
• The connection alert now allows to create rules for an entire Content Delivery Network domain.
• Fixed the ordering of minimized alerts: When maximizing the alert, the last minimized alert is opened first.

Menu Bar Icon

• Improved indication of active silent mode in menu bar.
• The menu bar icon is now always shown while “Silent Mode — Deny Connections” is active, regardless of the “Show status in menu bar” preference option.

Network Monitor

• Added preferences option to show the Network Monitor when the mouse hovers the menu bar icon.
• Added “Help” menu item.
• Improved Top Countries summary statistics in Connection Inspector.
• Fixed a bug where Network Monitor became unresponsive when Little Snitch Daemon crashed.
• Fixed an issue causing Network Monitor to start with an empty list instead of showing the stored previous connections.

Connection Alert

• Fixed a bug where the profile selection button was not shown although a profile was currently selected.

Little Snitch Configuration

• Fixed a bug where a warning about changing a code signature requirement was erroneously displayed when editing a rule.

Network Monitor

• Fixed a bug where the Summary Connection Inspector displayed a duplicate line in the top countries statistics.

Other Improvements

• Fixed spelling errors and localization.
• Removed unused files from distribution.

Connection Alert

• Added a preference setting for getting the active profile preselected in the connection alert.

Network Monitor

• Fixed a bug causing Rule Management Buttons in Network Monitor to show a wrong allow/deny status.
• Fixed a bug where a traffic dump caused false incoming connection indications for all connections that occurred during the dump.
• Fixed a hang of several seconds when stopping the traffic dump.

Other Improvements and Bug Fixes

• The “numeric traffic rate” display in the menu bar item now uses the system font.
• Rules for iOS Simulator apps can now require a valid code signature.
• Fixed a crash of Little Snitch Daemon when using the “Search for an Older Mac” option in AirDrop.
• Fixed an issue with domain names containing Unicode characters whose code point is greater than 65535. This bug affected some domains containing emoji.
• Added missing localizations.
• Improved wordings.

Compatibility with macOS High Sierra

• This version is compatible with the beta version of macOS High Sierra 10.13.
• During the Installation of Little Snitch on macOS High Sierra you may see a message: “System Extension Blocked”. This is a new security mechanism in High Sierra, requiring you to explicitly allow the installation of a third party system extension. To complete the installation of Little Snitch you have to allow loading the extension in System Preferences > Security & Privacy > General.
• There’s a known issue in the map view of Network Monitor causing connection endpoints to be shown twice.

Network Monitor

• Fixed a possible crash when zooming to a particular map region in the course of clicking a connection in the list.
• Added further time interval filter options for showing only connections from the last week or the last 30 days.
• The properties shown in the Summary Inspector (denied, unconfirmed, incoming) now correctly correlate to the corresponding filter options.
• Improved pinch-zooming in map: The zooming no longer stops when clusters are expanded into their sites.
• Updated GeoIP database. Network Monitor should now know more locations for IP addresses.

Other Improvements

• Improved texts describing code signature issues.
• Many minor bug fixes and improvements.

Network Monitor

• A status line below the connection list now indicates when only a selection of connections is currently displayed, and it provides a quick way to clear that selection.

Little Snitch Configuration

• The rule editor now warns if an IP address is entered although the input of a host or domain name is expected.
• Automatic software update checks are now always enabled in beta versions.

Other Bug Fixes and Improvements

• Fixed a possible odd behavior if a rule refers to many IP address ranges or host names.
• Fixed an issue were some hosts were not displayed by name, but by IP address only.
• Improved updates of code signature information in rule set.
• Other minor bug fixes.

Network Monitor

• Fixed a possible crash of Network Monitor when selected connections span a broad geographic region on the map.
• Appearance changes (light/dark) are now applied to all windows.
• The context menu now also works for a multiple selection of connections.
• The connection context menu now contains rule editing options. Pressing the Option key allows to create a rule in the current profile.
• Improved undo description for undo/redo of rule manipulation operations.

Little Snitch Configuration

• Fixed: When editing a multiple selection, code signature requirements are no longer removed from edited rules.

First Impression

• Fixed a possible crash of the initial Welcome Window. This crash could prevent Little Snitch Configuration from starting altogether.
• The Network Monitor demo period has been reset to give users upgrading from Little Snitch 3 a chance to try the new version for another month.
• If the Network Monitor demo period has expired and the user turns on Silent Mode, we now show an appropriate message, but no longer ask for starting Network Monitor.

Other Bug Fixes and Improvements

• After confirming a connection alert the keyboard focus is now given back to the previous application. This is the traditional behavior, but was broken due to code refactoring.
• Fixed a crash of Little Snitch Helper when stepping through the connection list in Network Monitor, which triggered lots of code signature checks if the “Code Signature” section was open in the Inspector pane.
• Improved handling of code signature requirements for Apple processes.
• UI graphics and animation improvements.
• Other minor bug fixes.

Network Monitor

• The rule management buttons now always indicate the existence of matching rules. If there’s an exact match for this kind of connections, the buttons are red or green. Otherwise, if the rule matches a subset or superset of connections, the match is indicated in gray.
• The search field has been moved to the top of the window and it now contains a filter menu providing access to various filter options.
• Removed menu button from the window toolbar. The options contained in this menu are now accessible from the main menu and from the filter menu in the search field.
• Significantly improved performance when opening the Network Monitor window.
• “Show Corresponding Rules” in context menu should now work in all cases, no longer reporting that the corresponding rules don’t exist anymore.
• The map now indicates connections that are covered by deny-rules with a red connection line color.
• The map now automatically zooms to the connections that are selected in the list.

Welcome Window

• The initial Welcome Window (which is shown automatically after the first installation) is now kept on top of other windows.
• Connection alerts that occur while the initial Welcome Window is shown are now minimized so they don’t interfere with the initial setup.

General

• Fixed a bug where connections from VirtualBox guest were shown with IP address only.
• Fixed some layout issues on OS X 10.11.
• Fixed an issue with connection alerts for Java applications. The alert always complained about code signature issues.
• Fixed a bug which prevented some web sites from loading when deny-rules blocked some content.
• Many more bug fixes and minor improvements.