![what is kext utility what is kext utility](https://mac-cdn.softpedia.com/screenshots/Easy-Kext-Installer_1.png)
KextViewr is a utility with a simple goal: display all currently loaded kexts. While Apple's command-line tool 'kextstat' can provide similar information, it is (IMHO) somewhat lacking. For example, it does not provide file paths for loaded kernel extensions, or whether or not the kext is signed. On the other hand, KextViewr provides a myriad of information about each loaded kext, including:

- Displays the full path to the kext's on-disk file image.
- Shows whether the kext is signed or unsigned, and if signed, by whom.
- Provides invaluable information about persistent files and can automatically detect known malware.

To use KextViewr, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive.

To run the application and view all loaded kernel extensions, simply double click on 'KextViewr.app'. KextViewr will query the OS to display all loaded kernel extensions. By design, all kexts, including those signed by Apple, are displayed. However, the display can be filtered (as described below).

Each row in the table contains a variety of information about a single loaded kernel extension. First, an icon indicates whether the kext belongs to Apple, or a 3rd-party (but still signed), or is unsigned. Following this, the kext's name, bundle id and full path are displayed, and then various informational and actionable buttons. These buttons provide information about the item's VirusTotal (anti-virus) scan results, general information about the file, and the ability to view the item in Finder.

For each kernel extension, KextViewr automatically queries VirusTotal with a hash of the binary in order to retrieve any information. While VirusTotal is being queried, this button displays '■ ■ ■'. Once the query is complete, the title of the button is automatically updated with either the detection ratio, or a '?' if the binary is not known to VirusTotal. With the query complete, the button can be clicked to reveal a popup containing VirusTotal-specific information about the file. If the file is unknown, clicking the 'submit?' button will submit the file for analysis. Known files contain a link to the full analysis report and a 'rescan?' button that will rescan the file. If known malware is detected, both the kext's name and VirusTotal button will be highlighted in red.

The 'info' button will display detailed information about the item, including its hash, size, timing information, and signed status. Clicking on the final button ('show') in the item's row will show the item in a Finder window.

The displayed kernel extensions can be filtered using the 'Filter Kexts' search box, found at the top right corner of the app. Simply begin typing to filter all tasks based on their names, paths, etc. For example, typing 'BSD' will show only kexts that contain 'BSD' in their name or path. KextViewr also contains special 'hash-tag' filters that can filter kexts based on concepts such as 'all non-Apple (3rd-party) kexts' or 'all unsigned kexts'. The list of currently supported 'hash-tag' filters is:

- Only display kexts that belong to the OS (e.g. signed solely by Apple proper)

![what is kext utility what is kext utility](https://www.maketecheasier.com/assets/uploads/2021/08/mac-remove-kext-terminal.png)

At the bottom of KextViewr's window are several buttons. The first, when clicked, will refresh, or reload, the list of loaded kexts. The second will save KextViewr's results as JSON. On the right-hand side, unchecking 'Show OS Kexts' will hide all Apple-signed kernel extensions, leaving only 3rd-party ones visible.

As with any security tool, it is important to understand the tool's limitations. In order to get information about loaded kernel extensions, one must possess the .get-kext-info entitlement. Since it is not possible for 3rd-party applications to obtain this entitlement, KextViewr simply makes use of the OS X utility kextstat, which has the required entitlement:

```
$ codesign --display --entitlements - /usr/sbin/kextstat
```

![what is kext utility what is kext utility](https://i.imgur.com/4h6M2oS.png)

Since KextViewr leverages the capabilities of kextstat, if a kernel extension is not shown by (or is actively hiding from) kextstat, such a kext will also not be shown by KextViewr. In other words, don't expect KextViewr to reveal the presence of advanced OS X rootkit kexts!

Q: Why does KextViewr access the network?

A: In order to detect known malware, KextViewr is integrated with the online malware detection service VirusTotal. Specifically, hashes of kexts that are enumerated by KextViewr are automatically and securely sent to VirusTotal to determine if they are associated with known malware. A user can also manually resubmit or rescan a file, which will generate outgoing connections to VirusTotal as well.