Every few hours now, "Hands Off!" warns me about the following:

ksfetch wants to resolve dl.google.com

This is Google Software Update, asking permission for ksfetch to check for/retrieve updates for installed Google products.

But every time ksfetch starts, it starts from a random directory somewhere in /private/tmp - there's no way "Hands Off!" (or any other "application firewall") to create a path-based rule without being too broad. I.e. if we allowed /private/tmp/*/ksfetch, we could just allow everything - not a good idea.

Our best bet would be to change the frequency for updates to be checked, e.g. every two days:

  defaults write com.google.Keystone.Agent checkInterval 172800

Now the screen pops up only every other day, much better than every few hours :-)