What’s new in Little Snitch 4

Enjoy a completely redesigned Network Monitor with a world map for visualizing network connections based on their geographic location, a new, improved Silent Mode, an option to minimize the connection alert to defer decisions about pending connections, improved hostname based filtering accuracy using Deep Packet Inspection, and much more.

Overview

Overall modernized design of all user interface components.

Completely redesigned Network Monitor with map view for visualizing worldwide network connections based on their geographic location.

Improved Research Assistant, now also accessible from Network Monitor and Little Snitch Configuration.

New, redesigned Silent Mode. As an alternative to confirming lots of individual connection alerts it’s now possible to create and change rules with a single click right from within the Network Monitor.

The connection alert can be minimized to defer the decision whether to allow or deny a connection.

Improved DNS name based traffic filtering using Deep Packet Inspection.

Code signature secured filter rules to prevent processes without a valid code signature from accessing the Internet.

Improved working with profiles.

Automatic Silent Mode Switching when switching to a different profile.

Priority Rules for more fine grained control over the precedence of rules.

Rule groups covering common macOS and iCloud services.

Touch Bar Support.

Details

Completely redesigned Network Monitor

The new map view in Network Monitor shows real-time information about all current and past network connections and their geographic location. It provides powerful filtering and selection options that help you assess particular connections based on the server’s location.

It’s now also possible to create and change rules with a single click right from within the Network Monitor. This is especially useful in conjunction with the new Silent Mode. You may run Silent Mode for a while, then later create rules for connections that occurred during that time (those connections are displayed with a blue Allow/Deny button).

An application’s connections shown in the connection list are now displayed grouped by domain, making it easier to create rules that match an entire domain instead of just a single host. But it’s still possible to drill down to the host-level of each connection.

The connection information is persisted across restarts of the application (i.e. logout/login or restarting the computer).

While the Network Monitor window is open, the app has a Dock icon and it’s shown in the Command-Tab app switcher of macOS.

A new “Since Timestamp” filter lets you temporarily clear the connection list and show only connections that occurred after the filter was turned on. The filter can be activated by choosing “Since Timestamp” from the filter menu in the search field, or by pressing Command-K.

You can choose between a light and a dark appearance of the Network Monitor window. The desired appearance can be selected in the View > Appearance menu in the menu bar.

Extended Research Assistant

The Research Assistant is now also accessible from Network Monitor and from Little Snitch Configuration.

Third party developers can now bundle their apps with an Internet Access Policy file containing descriptions of all network connections that may be triggered by their app. Little Snitch will then display that information to users, helping them decide how to handle a particular connection. A description of the policy file format will be provided soon.

Redesigned Silent Mode

The new Silent Mode is now tightly integrated with the Network Monitor. It can be used as an alternative to regular connection alerts, which some users may find too intrusive, especially after a fresh installation of Little Snitch with very few filter rules in place, causing connection alerts to appear quite often.

A recommended strategy for new users is to run Little Snitch in Silent Mode for a few days, allowing all connections (same as they did before, when Little Snitch wasn’t yet installed). After that time, all the connections that would have caused a connection alert are now listed in Network Monitor. They are marked with a blue Allow/Deny button. You can then quickly review all these connections, and create a set of rules that perfectly matches your needs based on the applications you use and the connections they make.

When Silent Mode is active, a user notification is shown when a connection was silently allowed or denied (only once per application). If you prefer completely silent operation, you can turn off these notifications in System Preferences > Notifications > Little Snitch Network Monitor.

Improved connection alert

In Little Snitch Preferences > Connection Alert you can now choose the options that shall be preselected when a new connection alert is shown.

It’s now possible to choose if the created rule shall be effective in the current profile or in all profiles.

The details section now shows code signature information for the connecting process.

The connection alert now offers an “Only local network” option if a connection attempt was made to an address in the local network.

Minimizing the connection alert

Another way of dealing with unwanted interruptions caused by a connection alert is the new ability to minimize the alert window. Instead of confirming a connection alert immediately, you can minimize it into a small overlay window and postpone the decision whether to allow or deny the connection.

The context menu of a minimized connection alert offers a “Keep minimized” option. Subsequent connection attempts will then also be collected in the minimized overlay window. A counter shows the number of pending connection attempts.

Once you are in the mood for dealing with these requests you can click on the overlay to reopen the connection alert.

Alternatively you can right click the minimized connection alert to reopen the alert for a particular connection attempt (in case there’s more than one) or to open the Network Monitor for handling all pending connections there instead.

The Network Monitor shows such pending connections with yellow, pulsating Allow/Deny buttons, indicating that these connections are actually stalled, waiting for you to make a decision.

Improved DNS name based traffic filtering

The network filter now performs Deep Packet Inspection instead of the previous IP address based filtering. This results in much more precise filter matching, especially in those cases where one and the same IP address may be associated with multiple hostnames (e.g. google.com vs. googleanalytics.com).
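To illustrate why hostname-level inspection is more precise than address-based filtering, here is an added Python example (not code from Little Snitch or its developer): it builds a minimal TLS ClientHello carrying a Server Name Indication, extracts the hostname from it with a bounds-checked parser, and compares an address-only decision with a hostname-aware one for two hostnames that share a single address. Reading the SNI is one form of deep packet inspection that yields a hostname; the hostnames, the shared address 203.0.113.10 and the deny list are constructed, and the whole thing is an illustration of the principle, not a description of Little Snitch’s internals.

```python
import struct
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    This is constructed test input: one cipher suite, fixed 'random' bytes,
    no session ID, and a single server_name extension.
    """
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
    sni_ext = struct.pack("!H", len(entry)) + entry               # ServerNameList
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32                            # client_version, random
            + b"\x00"                                             # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                  # one cipher suite
            + b"\x01\x00"                                         # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None.

    Every length field is bounds-checked so truncated or non-TLS input
    yields None instead of an exception.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                   # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0:   # server_name, host_name
            name_len = struct.unpack("!H", data[3:5])[0]
            name = data[5:5 + name_len]
            if len(name) == name_len:
                return name.decode("ascii", "replace")
    return None


# Constructed sample: two hostnames served from one address, one of them unwanted
DNS = {"www.example.com": "203.0.113.10", "analytics.example.net": "203.0.113.10"}
DENIED_HOSTS = {"analytics.example.net"}


def address_based_decision(dst_ip: str) -> str:
    """Address-only filter: must block the shared address to block the unwanted host."""
    blocked = {DNS[h] for h in DENIED_HOSTS}
    return "deny" if dst_ip in blocked else "allow"


def hostname_based_decision(dst_ip: str, first_packet: bytes) -> str:
    """Hostname-aware filter: decides on the SNI, falling back to the address."""
    host = extract_sni(first_packet)
    if host is None:
        return address_based_decision(dst_ip)
    return "deny" if host in DENIED_HOSTS else "allow"


if __name__ == "__main__":
    ip = DNS["www.example.com"]
    print(address_based_decision(ip))                                          # deny (collateral)
    print(hostname_based_decision(ip, build_client_hello("www.example.com")))  # allow
```

The address-only filter has to block 203.0.113.10 to stop analytics.example.net, which also blocks www.example.com; the hostname-aware filter tells the two apart and only falls back to the address when no hostname is visible in the first packet.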

Code signature secured filter rules

The code signature of the connecting processes is now taken into account. If a rule was created for a process with a valid code signature, that rule will no longer match if the signature changes or becomes invalid. This prevents malicious software from hijacking existing rules.

Each rule now provides a “Requires valid code signature” option in the rule editor sheet in Little Snitch Configuration. This option is turned on by default.

When the code signature of a connecting process is invalid, the connection alert now offers additional options for dealing with this situation. In that case the automatic confirmation of the connection alert is suppressed. Here are a few examples of possible scenarios:

The connecting process does not have a code signature at all.

The connecting process has a code signature by its developer, but it was modified either on disk or in memory.

A process tries to establish a connection that’s covered by an existing rule, but the code signature of the running process does not match what the rule requires.

Depending on the severity of the issue, the connection alert only shows a warning but lets you create rules as usual, or it shows a detailed description of what is going on, explains what you can do about it and only lets you create a new rule – or modify existing rules, if appropriate – after an additional confirmation.
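As an added example (not Little Snitch’s own code), the following Python models a rule that records the signer of the connecting process when it is created and refuses to match when the running process has no signature, an invalid one, or a different signer, which are the three scenarios listed above; in each of those cases the outcome is an alert rather than a silent match. The application path, the signer identifiers TEAMID-EXAMPLE and TEAMID-OTHER and the hostname are constructed placeholders, and the Signature record stands in for whatever the operating system’s code-signature verification would report.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Signature:
    signer: str   # signing identity, e.g. a team identifier (constructed values below)
    valid: bool   # whether the signature verified against the code on disk and in memory


@dataclass(frozen=True)
class Process:
    path: str
    signature: Optional[Signature]   # None for an unsigned process


@dataclass(frozen=True)
class Rule:
    process_path: str
    host: str
    action: str                        # "allow" or "deny"
    requires_valid_signature: bool     # the "Requires valid code signature" option
    signer: Optional[str]              # signer recorded when the rule was created


def create_rule(process: Process, host: str, action: str) -> Rule:
    """Bind a new rule to the signer of the process it was created for.

    A process without a valid signature cannot be bound, so the option is off
    for such rules (an assumption about how the binding could be stored).
    """
    sig = process.signature
    if sig is not None and sig.valid:
        return Rule(process.path, host, action, True, sig.signer)
    return Rule(process.path, host, action, False, None)


def evaluate(rule: Rule, process: Process, host: str) -> Tuple[str, str]:
    """Return (outcome, reason); outcome is the rule's action or 'alert'."""
    if process.path != rule.process_path or host != rule.host:
        return "alert", "no matching rule"
    if not rule.requires_valid_signature:
        return rule.action, "rule does not require a code signature"
    sig = process.signature
    if sig is None:
        return "alert", "process has no code signature"
    if not sig.valid:
        return "alert", "code signature is invalid (modified on disk or in memory)"
    if sig.signer != rule.signer:
        return "alert", "signer %r does not match the rule's %r" % (sig.signer, rule.signer)
    return rule.action, "valid code signature matches the rule"


# Constructed sample processes sharing one path (placeholder identifiers)
APP = "/Applications/Example.app/Contents/MacOS/Example"
HOST = "api.example.com"
GENUINE = Process(APP, Signature("TEAMID-EXAMPLE", True))
UNSIGNED = Process(APP, None)
TAMPERED = Process(APP, Signature("TEAMID-EXAMPLE", False))
IMPOSTOR = Process(APP, Signature("TEAMID-OTHER", True))
RULE = create_rule(GENUINE, HOST, "allow")

if __name__ == "__main__":
    for p in (GENUINE, UNSIGNED, TAMPERED, IMPOSTOR):
        print(evaluate(RULE, p, HOST))
```

Only the genuine process gets the rule’s allow; a binary at the same path that is unsigned, modified, or signed by someone else falls through to an alert, which is what keeps an existing rule from being reused by a replaced executable.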

Creating and inspecting rules in Little Snitch Configuration is also improved in regard to code signature. The info sidebar shows whether a rule requires a valid code signature and a new suggestions filter lists all rules that could require a code signature from their processes but currently don’t.

Improved working with profiles

The connection alert now provides an option to specify whether a rule shall be created in the current profile or if it shall be effective in all profiles.

The new Automatic Silent Mode Switching option (configurable in Little Snitch Configuration) now lets you associate a profile with a particular Silent Mode. Whenever the profile gets activated, the corresponding Silent Mode switch is performed.

For example, you might create a “Presentation” profile (for use while giving a Keynote presentation) that automatically turns on Silent Mode in order to prevent connection alerts from appearing during the presentation.

Improved UI for managing profiles in Little Snitch Configuration. Profiles are now created and edited in a modal editor sheet. In this sheet you can assign networks for Automatic Profile Switching, configure Silent Mode Switching, rename and activate the profile.

Priority Rules

In Little Snitch 3, the priority of a rule was implicitly raised when the rule was moved to a profile.

In Little Snitch 4 a rule’s priority can now be defined separately for each individual rule, independent from its profile.

The priority of a rule can be changed in Little Snitch Configuration by choosing Increase/Decrease Priority from the rule’s contextual menu. Rules with increased priority are indicated with bold text.

As a general rule of thumb it’s recommended to use priority rules only sparingly, in those cases where it’s absolutely necessary in order to make a rule win against other competing rules.

In most cases, the automatic precedence ordering of rules (where more specific rules take precedence over more general ones) is sufficient for achieving the desired rule matching behavior — for example, if you have a more general rule that allows all connections to an entire domain, and another, more specific rule, that denies connections to a particular host within that domain.

An existing ruleset from Little Snitch 3 will be automatically converted. Rules that are associated with a profile (which had an implicitly raised priority before) will get the new high priority option set automatically, but only in those cases where that’s actually necessary.

Automatic ruleset analysis detects rules whose priority has been unnecessarily increased. This helps to figure out whether a rule’s priority actually has an effect on its overall precedence in relation to other rules — in other words, whether raising its priority is necessary at all.

Rules with an unnecessary priority are marked with a blue or gray exclamation mark triangle. The blue triangle indicates that the priority is completely unnecessary and can be removed. The gray triangle indicates that the priority will become unnecessary as soon as the unnecessary priority of other rules has been removed.

When a priority rule is selected, rules that are affected by the priority of this rule are marked with a light blue background color. If no such affected rule exists, the priority of this rule is unnecessary and the rule is marked with a blue triangle.
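The following Python is an added example (not Little Snitch’s own code) that models the precedence described in this section: a matching rule wins by its priority flag first and by specificity second (exact host over domain over any host), and a rule’s priority is unnecessary if no overlapping rule’s precedence relative to it changes when the flag is taken away. The analysis is repeated after dropping the priorities found unnecessary, which reproduces the blue and gray marking described above. The rule set, application names and domains are constructed, and the ordering and overlap definitions are an assumption about how such an analysis could work, not a description of Little Snitch’s algorithm.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Specificity of a host pattern: more specific patterns take precedence
SPEC = {"any": 0, "domain": 1, "host": 2}

@dataclass(frozen=True)
class Rule:
    name: str
    process: str            # application name, or "any"
    kind: str               # "any", "domain" (host plus all subdomains) or "host"
    value: str              # domain or host name; "" for kind "any"
    action: str             # "allow" or "deny"
    priority: bool = False  # the per-rule priority flag

def host_matches(rule: Rule, host: str) -> bool:
    if rule.kind == "any":
        return True
    if rule.kind == "host":
        return host == rule.value
    return host == rule.value or host.endswith("." + rule.value)

def matches(rule: Rule, process: str, host: str) -> bool:
    return rule.process in ("any", process) and host_matches(rule, host)

def rank(rule: Rule, priority: Optional[bool] = None) -> tuple:
    """Precedence key: priority flag first, then specificity."""
    p = rule.priority if priority is None else priority
    return (int(p), SPEC[rule.kind])

def decide(rules: List[Rule], process: str, host: str) -> str:
    """Action of the highest-ranked matching rule, or 'alert' if none matches."""
    candidates = [r for r in rules if matches(r, process, host)]
    return max(candidates, key=rank).action if candidates else "alert"

def host_covers(a: Rule, b: Rule) -> bool:
    """True if every host matched by pattern b is also matched by pattern a."""
    if a.kind == "any":
        return True
    if b.kind == "any":
        return False
    if a.kind == "domain":
        return host_matches(a, b.value)
    return b.kind == "host" and b.value == a.value

def overlap(a: Rule, b: Rule) -> bool:
    """True if some connection could match both rules."""
    procs = "any" in (a.process, b.process) or a.process == b.process
    return procs and (host_covers(a, b) or host_covers(b, a))

def affected_by(a: Rule, rules: List[Rule], removed: Set[str]) -> List[str]:
    """Names of overlapping rules that a beats only because of a's priority flag."""
    out = []
    for b in rules:
        if b is a or not overlap(a, b):
            continue
        b_prio = b.priority and b.name not in removed
        with_flag = rank(a, True) > rank(b, b_prio)
        without_flag = rank(a, False) > rank(b, b_prio)
        if with_flag and not without_flag:
            out.append(b.name)
    return out

def analyze_priorities(rules: List[Rule]) -> Dict[str, str]:
    """Map rule names with an unnecessary priority to 'blue' or 'gray'.

    'blue': nothing depends on this priority, it can be removed outright.
    'gray': becomes unnecessary once the blue (unnecessary) priorities are gone.
    """
    marks: Dict[str, str] = {}
    removed: Set[str] = set()
    round_no = 0
    while True:
        newly = [r.name for r in rules
                 if r.priority and r.name not in removed
                 and not affected_by(r, rules, removed)]
        if not newly:
            return marks
        for name in newly:
            marks[name] = "blue" if round_no == 0 else "gray"
        removed.update(newly)
        round_no += 1

# Constructed rule set (application names and domains are made up)
RULES = [
    Rule("R1", "Safari", "domain", "apple.com", "allow", priority=True),
    Rule("R2", "Safari", "host", "metrics.apple.com", "deny"),
    Rule("R3", "any", "domain", "tracker.example", "deny", priority=True),
    Rule("R4", "Mail", "domain", "example.net", "allow", priority=True),
    Rule("R5", "Mail", "host", "smtp.example.net", "deny", priority=True),
]

if __name__ == "__main__":
    print(decide(RULES, "Safari", "metrics.apple.com"))  # allow: R1's priority beats the more specific R2
    print(analyze_priorities(RULES))                     # {'R3': 'blue', 'R4': 'blue', 'R5': 'gray'}
```

R1’s priority is necessary because it changes the outcome against the more specific R2 (and would be the light blue affected rule when R1 is selected); R3 overlaps nothing and R4 loses to the more specific R5 regardless of its flag, so both are blue; R5’s priority only matters while R4 still carries its unnecessary one, so it is reported gray.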

Rule Groups

To avoid a vast number of connection alerts from appearing when using common macOS and iCloud services, Little Snitch now provides preconfigured rule groups for these usage areas. They can be turned on in the sidebar of Little Snitch Configuration. The rules in these groups will be kept up to date with future updates of Little Snitch.