ksurl – make yourself at home, take whatever you want…

SubterfugeThe other day I invited some friends round. I cooked them a nice meal and we enjoyed drinks and a movie, then as the hour became late we said our goodbyes promising to catch up again soon. I didn’t realize quite how soon though…  The following day I was working at home as I usually do, when I heard a noise downstairs. On investigating I found that my new friends had let themselves in, were helping themselves to my snacks and were watching a movie on my TV, using my electricity and generally making themselves at home.

Now you might think this is a bit off. It’s one thing to invite your friends round when you’re ready to entertain and give your house over to them, but it’s another thing entirely if they abuse that trust and without so much as a “Please may I…” they just do as they please with your place. Well if like me you’ve tried Google Chrome, then you’ve got these same friends as well!

You see a while ago I installed Google Chrome after reading how quick it is, and how it makes Firefox (my current browser of choice) look Google Chromelike some lardy pizza shop owner. Indeed Chrome does feel quite sprightly, and I must say I do like the Speed Dial extension, which looks far superior to its Firefox counterpart. However what I didn’t realize when I installed Chrome, and which is probably buried in the small print somewhere, is that Chrome will run a process on my Mac even when Chrome itself isn’t even running. It’s called KSURL and at least four times a day it will attempt to call home, presumably to see if there’s a new version of Chrome or some other Google component that needs updating.

In fact, had it not been for Little Snitch blowing the whistle on ksurl, I would never even have known that it was running and helping itself to my Mac’s CPU and memory resources. You see up popped a warning that process ‘ksurl’ was trying to connect to a Google web address (cache.pack.google.com), but looking in Activity Monitor there was nothing, not even when I chose to view all processes rather than just my own. So, even though Chrome isn’t even running, some process has been spawned by installing Chrome, that periodically runs and calls home to see if there’s an update. Ok, the resources used by this process are probably tiny, but that’s not the point. It’s the fact that the authors of Google Chrome decided to let it behave like this – basically to run on your Mac without your knowledge or permission.

Little SnitchNow I’ve got quite a few applications on my Mac that check for updates and the accepted way seems to be a preferences setting that says ‘Automatically check for updates on start-up, or daily, or whatever’. Basically when you run the app then with your permission the first thing it does is to check to see if there’s a newer version of itself. Why isn’t that good enough for Google Chrome? Why do they have to be sneaky about it? Sure there’s a, ‘Update now’ button on the About Chrome dialogue, but if Chrome is constantly checking for updates in the background, then what’s the point? Imagine if every single app you installed on your Mac took the same approach – you could have potentially hundreds of background processes always running, always calling home, always consuming your precious resources.

Now it just remains for me to find the process that triggers these ‘ksurl’ warnings in Little Snitch, so that I can kill it off.

33 Responses

  1. Are you sure it’s not a cron job or something?

    • I did have a look (using the crontab terminal command) but there’s nothing there for ksurl. Whatever it is, it’s very sneaky.

  2. I noticed the same thing. As I’m on terrible satellite internet, I have to watch my data usage, so I had to Google to find out what it was. ksurl is a form of curl, apparently. A UNIX command to download something (a URL).

  3. Thanks for shedding light on KSURL. I deny it access each time Little Snitch sounds the warning.

    There are more such parasites “phoning home” and they all need to be smoked out and dealt with. It’s a form of spyware.

  4. Thanks for the info. I denied ksurl access via Little Snitch permanently. The request I’ve been getting is for dl.google.com. Lets see if anything blows up on my MB P…

    • Thanks for writing about this Robin, I didn’t knwo what the hell was going on w/ ksurl, my little snitch install was going crazy. Fernando, you are a godsend! I was about to throw my laptop out the window!

  5. I googled for ksurl and found your site. Little Snitch didn’t tell me about it. Intego VirusBarrier did.

  6. ksurl is a temporary function each time it happens. so if you try blocking with Little Snitch, that blocking rule won’t apply to the next time when a new ksurl pops up again.

    you can edit a .plist file to change the intervals when ksurl does anything to 0 to prevent ksurl from trying to update.

    go to ~/Library/Preferences and look for the file:


    edit that file with Property List Editor and change checkInterval to 0

    • I don’t even have the “com.google.Keystone.Agent.plist” but am having the same problem…

  7. @dude- your ‘fix’ worked, thanks!

  8. There’s absolutely nothing “very sneaky” going on here. Google Software Update seems to be run as a personal launch agent, through ~/LaunchAgents/com.google.Keystone.Agent.plist, when you log into a GUI session. Apple replaced cron (and a bunch of other stuff) with launchd and launch agents, so any “well-coded” OS X software would use those instead of the older methods of running programs automatically.

    I admit it’s somewhat rude to not make disabling this an user-visible option that’s given on first run like Sparkle does it, but you /do/ get the option to not send a usage profile when you download the browser.

    Considering that browsers are such an attractive attack vector for malware, for the regular user I’d argue it’s better they be kept up-to-date, always, as opposed to conserving the minute amount of “precious resources” a HTTP hit takes. Any full-fledged computer bought within the past few years has such ludicrous amounts of CPU resources that I doubt even every single app running a reasonably well programmed call-home process *all the time* would make a dent.

    • You make a good point, and I wouldn’t argue with the fact that an up-to-date browser will reduce your security exposure, nor would I argue that modern PCs/Macs have way more processing power and RAM that is probably necessary for most people.

      However, we’re now in danger of saying that software authors can have free-reign to use that ‘excess’ as they see fit, and isn’t this how we ended up in this boat of needing ever more powerful machines to do basically the same tasks we did years ago? Like the old adage of work expanding to fill the time available, in computing terms this becomes background processes expanding to take the resources available. Besides, the most susceptible component of all is the OS, and if Microsoft themselves can see fit to allow users to configure how updates to their OS are delivered, then surely other companies such as Google and Adobe could also extend the same courtesy.

      I have no issue with software presenting it’s update mechanism as a configurable option with the default being to auto-update, and if they’re transparent and say we’ll install a background agent that runs independently of the software if you’ll let us, that’s fine too. They can even pop up dire warnings about security threats if I have the temerity to un-check the auto-update/agent option – I can live with that. But to fail to communicate any of this to the end-user is just the thin end of the wedge IMHO.

    • I agree with Robin here and also want to point out the importance of always letting the user choose when to download and update.

      If I run my laptop with a mobile broadband internet connection (especially if it’s through a smart phone) I might pay per MB and don’t want to download a 50 MB update. Even worse if I at the same time happen to be abroad. I live in Sweden and if I got to Croatia for example the cost per downloaded MB is more than 10$ with my current plan.

      • Whilst you make valid points David, there absolutely IS something very sneeky going on here. Sneeky being “without your knowledge and consent”. What it’s doing being reasonable or helpful wouldn’t make a blind bit of difference

  9. thanks @dude for the tip.

    here is the evil little part of that agreement everyone just clicks by in a second:

    11. Software updates

    11.1 The Software which you use may automatically download and install updates from time to time from Google. These updates are designed to improve, enhance and further develop the Services and may take the form of bug fixes, enhanced functions, new software modules and completely new versions. You agree to receive such updates (and permit Google to deliver these to you) as part of your use of the Services.

  10. Okay, I understand both sides of the argument here. Assuming one has installed google software, they must have agreed to the 11.1 clause, right?

    I’m not too great with this kind of thing. I run Little Snitch and I deny every time I get the ksurl (nobody) alert. I haven’t tried the Dude’s method yet, and maybe that would make it stop.

    But one thing is not clear to me, and it strikes me as somewhat frightening: I have not installed any google software on my mac. Not Earth, not Chrome, nothing whatsoever. And yet, that ksurl is reporting to google. Exactly what is it saying when it calls home? It can’t be checking for updates…updates for what? To me, it just seems like data collection. Probably web activity for consumer research, which I am not cool with sharing.

    • @Mediocre: Same here. no chrome, no earth…. I have google apps on my iphone. That’s about it.

      @Dude: Thanks!

      Just the sound of it “ksurl (nobody)” is shady. It was calling out 2ce every hour or so… that’s just wrong.

  11. The Chrome browser is under constant development, and as a result is being constantly updated. This built-in automated update checking is what’s responsible for keeping the browser up-to-date, which not only ensures that exploits and bugs are patched frequently, but also that new features are automatically rolled out to end-users.

    Check out the Chrome browser share graph in this article to see how successful the auto-update feature is:


    Why do I care? Because I’m a web developer. Knowing that Chrome automatically updates itself, unlike any other browser, I and other web developers no longer need to test our code against older versions of Chrome, and as such, don’t actively support older versions of the browser (unlike IE and Firefox, where we have to support every separate, discrete major version).

    Sure, you can disable the phoning home and automatic updates, but you’re really doing yourself a disservice because your browser will be missing out on key bug fixes and functionality updates. Believe me, they roll out new versions of Chrome far more frequently than you’re going to feel like manually updating it.

    Just my $0.02.

  12. @ Ben: I understand that you care because it makes development easier. I work in web development as well. But that line of thinking is seriously flawed; we can’t simply foist something on the population because it makes our jobs easier. Especially if it makes other people’s lives more difficult. Software is supposed to improve lives, not make them more annoying. Ksurl certainly makes peoples lives more annoying (mine included). Twice an hour? Really? They need to update it 48 times/day? How ’bout once/week – surely that’s enough.

    So… does anybody know if I can easily update Chrome AFTER I kill the ksurl call?

  13. “We can’t simply foist something on the population because it makes our jobs easier. Especially if it makes other people’s lives more difficult.”

    Developers can do that and do so, all the time. You sacrifice CPU cycles to be able to use a scripting language, you sacrifice memory to be able to use a garbage collector, you sacrifice wider OS support to be able to add bells and whistles, and I could go on and on. The problem you have is that a) the Chrome team drew the line in a way that includes a personal pain point; b) to gain something you don’t value; and c) is still something you’d like to use over the competition.

    I can’t agree that every software developer has an obligation to fulfill every wish of every user.

    “So… does anybody know if I can easily update Chrome AFTER I kill the ksurl call?”

    I just downloaded the DMG of Chrome’s dev channel which is updated very frequently, and the download has the latest version; so downloading the new version by hand when http://googlechromereleases.blogspot.com/ has an announcement should work.

  14. I realize this issue has already been solved, but in case you were wondering, Google has a help page that explains the same at http://www.google.com/support/installer/bin/answer.py?hl=en&answer=147176

  15. Yeah, but even with the nice FAQ these (nobody) sneaky buggers took out the piece of code where peeps could make the change. Looking now at the com.google.Keystone.Agent.plist has nomore the snippet “checkinterval” they CHANGED the code in a way that just so happens to get rid of this solution.

  16. I don’t think it’s particularly sneaky (even though it sounds really sinister) but it is truly annoying that I get Little Snitch warning constantly for this process. Nearly all of my software checks regularly for updates. Why is Google’s process so different and so incompatible?

  17. Great analogy but I think you are perhaps being too kind. To me it’s more like coming home to find your friends have let themselves in and are painting the walls without first asking if it’s OK. So yes they could argue they can anticipate what you want and painting a room for you is a nice thing to do, but real friends would simply never do such a thing without asking first.

  18. Google, Google… Oh yes, the company that does no evil, whilst running around with street view scavenging people’s networks. Well, if one is going to live in a police state, one must become inured to this sort of thing.

  19. I uninstalled every Google app and that was the only way I could get rid of the Little Snitch pop ups every hour. Now it’s back… not sure what program is responsible but I have no “.plist” files to edit anywhere.

    The thing that really sucks, is that as mentioned earlier, there is no way to set any rules around this sort of call home because it keeps changing it’s name and the address that it’s going out to.

    This seems like an attempt to frustrate smart users to the point of dumping firewalls.

  20. I haven’t installed Chrome and I get these ksurl things. 😦

  21. The bad thing is that these ksurl processes use a different full path for the executable. This makes it impossible to permanently disable (or enable) their access in HandsOff firewall (not sure about LittleSnitch).

  22. Execute this command from your terminal to add the check interval option to the plist file mentioned. Ignore the inverted commas.

    “defaults write com.google.Keystone.Agent checkInterval 0”

Leave a Reply to No way Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: