The Research Assistant is now also accessible from Network Monitor and from Little Snitch Configuration.
Third party developers can now bundle their apps with an Internet Access Policy file containing descriptions of all network connections that are possibly triggered by their app. Little Snitch will then display that information to users, helping them in their decision how to handle a particular connection. A description of the policy file format will be provided soon.
The new Silent Mode is now tightly integrated with the Network Monitor. It can be used as an alternative to regular connection alerts, which some users may find too intrusive, especially after a fresh installation of Little Snitch with very few filter rules in place, causing connection alerts to appear quite often.
A recommended strategy for new users is to run Little Snitch in Silent Mode for a few days, allowing all connections (same as they did before, when Little Snitch wasn’t yet installed). After that time, all the connections that would have caused a connection alert are now listed in Network Monitor. They are marked with a blue Allow/Deny button. You can then quickly review all these connections, and create a set of rules that perfectly matches your needs based on the applications you use and the connections they make.
When Silent Mode is active, a user notification is shown when a connection got silently allowed or denied (only once per application). If you prefer completely silent operation, you can turn off these notifications in System Preferences > Notifications > Little Snitch Network Monitor.
Another way of dealing with unwanted interruptions caused by a connection alert is the new ability to minimize the alert window. Instead of confirming a connection alert immediately, you can minimize it into a small overlay window and postpone the decision whether to allow or deny the connection.
The context menu of a minimized connection alert offers a “Keep minimized” option. Subsequent connection attempts will then also be collected in the minimized overlay window. A counter shows the number of pending connection attempts.
Once you are in the mood for dealing with these requests you can click on the overlay to reopen the connection alert.
Alternatively you can right click the minimized connection alert to reopen the alert for a particular connection attempt (in case there’s more than one) or to open the Network Monitor for handling all pending connections there instead.
The Network Monitor shows such pending connections with yellow, pulsating Allow/Deny buttons, indicating that these connections are actually stalled, waiting for you to make a decision.
The network filter now performs Deep Packet Inspection instead of the previous IP address based filtering. This results in much more precise filter matching, especially in those cases where one and the same IP address is possibly associated with multiple hostnames (e.g. google.com vs. googleanalytics.com)
The code signature of the connecting processes is now taken into account. If a rule was created for a process with a valid code signature, that rule will no longer match if the signature changes or becomes invalid. This prevents malicious software from hijacking existing rules.
Each rule now provides a “Requires valid code signature” option in the rule editor sheet in Little Snitch Configuration. This option is turned on by default.
When the code signature of a connecting process is invalid, the connection alert now offers additional options for dealing with this situation. In that case the automatic confirmation of the connection alert is suppressed. Here are a few examples of possible scenarios:
Depending on the severity of the issue, the connection alert only shows a warning but lets you create rules as usual, or it shows a detailed description of what is going on, explains what you can do about it and only lets you create a new rule – or modify existing rules, if appropriate – after an additional confirmation.
Creating and inspecting rules in Little Snitch Configuration is also improved in regard to code signature. The info sidebar shows whether a rule requires a valid code signature and a new suggestions filter lists all rules that could require a code signature from their processes but currently don’t.
The connection alert now provides an option to specify whether a rule shall be created in the current profile or if it shall be effective in all profiles.
The new Automatic Silent Mode Switching option (configurable in Little Snitch Configuration) now lets you associate a profile with a particular Silent Mode. Whenever the profile gets activated, the corresponding Silent Mode Switching is performed.
For example, you might create a “Presentation” profile (for being used while making a Keynote presentation) that automatically turns on Silent Mode in order to prevent connection alerts from appearing during the presentation.
Improved UI for managing profiles in Little Snitch Configuration. Profiles are now created and edited in a modal editor sheet. In this sheet you can assign networks for Automatic Profile Switching, configure Silent Mode Switching, rename and activate the profile.
In Little Snitch 3, the priority of a rule was implicitly raised when the rule was moved to a profile.
In Little Snitch 4 a rule’s priority can now be defined separately for each individual rule, independent from its profile.
The priority of a rule can be changed in Little Snitch Configuration by choosing Increase/Decrease Priority from the rule’s contextual menu. Rules with increased priority are indicated with bold text.
As a general rule of thumb it’s recommended to use priority rules only sparingly, in those cases where it’s absolutely necessary in order to make a rule win against other competing rules.
In most cases, the automatic precedence ordering of rules (where more specific rules take precedence over more general ones) is sufficient for achieving the desired rule matching behavior — for example, if you have a more general rule that allows all connections to an entire domain, and another, more specific rule, that denies connections to a particular host within that domain.
An existing ruleset from Little Snitch 3 will be automatically converted. Rules that are associated with a profile (which had an implicitly raised priority before) will get the new high priority option set automatically, but only in those cases where that’s actually necessary.
To avoid a vast numbers of connection alerts from appearing when using common macOS and iCloud services, Little Snitch now provides preconfigured rulesets for these usage areas. They can be turned on in Little Snitch Configuration > General. These rules will we be kept up to date with future updates of Little Snitch.