Q&A: MacFixIt Answers

MacFixIt Answers is a feature in which we answer questions e-mailed in by our readers. This week we answer questions on the MRT process in the latest security update for OS X, odd and cryptic-looking names in an application firewall list, and whether Apple's security efforts against the MacDefender malware are for OS X 10.6 only. We continually answer e-mail questions, and though we present a few answers here, we welcome alternative approaches and views from readers and encourage you to post your suggestions in the comments.

Question: Cannot find MRT process after applying security update
MacFixIt reader "Niel" asks in response to today's article on performance issues after the latest OS X security update:

I have a MacBook Pro running 10.6.7 and have installed Security Update 2011-003. Software Update shows the update was installed. I have found no evidence that the MRT tool exists on my mac. I have used the terminal to run "sudo launchctl start com.apple.mrt" and receive the following: "launchctl start error: No such process." What might have gone wrong and how might I get MRT to protect my system?

Answer:
Is the program causing high CPU usage on your system? If not then there is nothing to worry about. After a successful installation the MRT tool will run and then delete itself, so if you do not see the tool or its components after updating then it has run as expected.

Question: Odd and cryptic entries appearing in the system firewall
MacFixIt reader "AK" asks:

In SystemPreferences>Security>Firewall>Advanced we can allow or block incoming connections to applications. This is fine and transparent as long as they are known applications. However, besides those, there are also (system related?) apps that I don't know and that have cryptic names: cupsd, Java, Java Preferences, JavaApplicationStub, krb5kdc, etc.

Can someone explain which of these cryptic apps should be allowed incoming connections and which not for an optimum balance of security and versatility of OSX? I run OS 10.6.7.

Answer:
These applications should not be showing up in the Firewall. They are system services for functions like printing and authentication management, which should be running behind the scenes as "essential services" for OS X. If they are appearing in the firewall it usually means your firewall settings have become corrupted and the firewall is no longer distinguishing between these essential services and standard user applications (after all, these services are programs just like user applications). Sometimes this can happen after caches are cleared or otherwise tampered with, when the OS is restored from backup or reinstalled, or if the system experiences a major crash or power outage. It can also happen if there are hardware changes to the system such as a new add-in card or upgrade of some kind.

To clear this problem and prevent these system applications from popping up again, remove the firewall preferences file and have the firewall rebuild its list of items. To do this, go to the /Macintosh HD/Library/Preferences/ folder and remove the file called "com.apple.alf.plist." Then restart the computer; the firewall should now work properly. Check the firewall to make sure it is set according to your preferences, and you should then start seeing the system ask for firewall access for various applications again (though this should happen only once per new application).

Question: MacDefender security update for OS X 10.6 only?
MacFixIt reader "Jerry" asks:

It is unclear to my User's Group whether the Apple update to combat malware is for OS 10.6.x only or whether it covers other versions. Also, we wonder if the malware is seeking to install on older OS versions as well as 10.6.x? Any clarification?

Answer:
The security update is for Apple's XProtect malware detection technology. This was introduced in OS X 10.6 so users of OS X 10.4 and 10.5 will not benefit from the update (and will not be able to install it). Users of OS X 10.4 and 10.5 will need to use a third-party scanner to detect the malware or use a manual method for removing the malware.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.