Incoming connection from docker.backend

Hi All,

I'm running Docker on macOS and have Norton Antivirus, which flagged an incoming connection:

File path: /Applications/Docker.app/Contents/MacOS/com.docker.backend
User: js (501)
IP Address: 216.245.177.193
Direction incoming
UDP Port: 0

Is this a security concern? Please find attached the screenshot.

Appreciate the support

com.docker.backend is needed by Docker Desktop, and Norton Antivirus likely flags it because of what it is for and because users normally don’t run such applications on their machine. I don’t know how its parameters could be listed officially, but when I already have Docker Desktop running and use the non-existent -h flag, I get this:

/Applications/Docker.app/Contents/MacOS/com.docker.backend -h

Output:

[2025-08-03T14:21:31.395355000Z][com.docker.backend] running monitor
[2025-08-03T14:21:31.445088000Z][com.docker.backend] running services
[2025-08-03T14:21:31.444540000Z][com.docker.backend] running fork/exec server
Usage:
  -accept-license
    	accept license
  -add-host-docker-internal-registry
    	register host.docker.internal:5000 as insecure registry mirror when creating daemon configuration
  -analytics-port int
    	analytics port
  -autostart
    	indicate that app has been started at login
  -engine string
    	override settings to select the local engine type (can be HyperV, WSL2, WindowsContainers)
  -telemetry
    	turn on system telemetry export
  -telemetry-endpoint string
    	OTLP/HTTP endpoint for system telemetry upload (default "https://desktop.observability-stage.docker.com")
  -unattended
    	unattended mode for the CI
  -with-frontend
    	starts electron manager (default true)
[14:21:31.446462000Z][main                  ][W] failed to parse args:flag: help requested
[14:21:31.446490000Z][main                  ][W] system telemetry disabled, custom otlp endpoint "https://desktop.observability-stage.docker.com" will be ignored
[14:21:31.488794000Z][main                  ] backend server is already running

When Docker Desktop is not running, it starts Docker Desktop even with the invalid argument. When you list the processes on a macOS where Docker Desktop is running, you see it runs “com.docker.backend services” and “com.docker.backend fork” too, and there is also “monitor” in the previous output. I assume monitoring could be considered suspicious, and it also has a telemetry endpoint, but I don’t know what incoming connections you could expect. I will try to learn more about it.

update:

That process is also mentioned in the documentation: https://docs.docker.com/security/faqs/networking-and-vms/

All host networking is performed using normal TCP/IP sockets from the com.docker.vpnkit.exe and com.docker.backend.exe processes. For more information see How Docker Desktop networking works under the hood.

I haven’t read the whole post yet about Docker Desktop Networking.
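
One way to check what the replies above describe, as an added example that is not from the thread or from Docker: confirm that the binary at the flagged path carries a valid code signature, and list any sockets that com.docker.* processes hold to the flagged address. The function names and the sample lsof rows are constructed for illustration; the path and IP address are the ones in the alert.

```shell
#!/bin/sh
# Added example, not from the thread: triage a firewall alert naming com.docker.backend.
BACKEND="/Applications/Docker.app/Contents/MacOS/com.docker.backend"  # path shown in the alert

# Constructed sample of `lsof -nP -i` output, used when the script is not run on a Mac.
SAMPLE_LSOF='COMMAND    PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
com.docke 1234   js 45u  IPv4 0x1a2b      0t0  TCP 192.0.2.10:52344->216.245.177.193:443 (ESTABLISHED)
com.docke 1234   js 46u  IPv4 0x1a2c      0t0  UDP *:5353
Safari    2222   js 12u  IPv4 0x1a2d      0t0  TCP 192.0.2.10:52345->216.245.177.193:443 (ESTABLISHED)
com.docke 1234   js 47u  IPv4 0x1a2e      0t0  TCP 192.0.2.10:52346->16.245.177.19:443 (ESTABLISHED)'

# Read `lsof -nP -i` output on stdin; print "PID PROTO NAME" for sockets owned by
# com.docker.* whose local or remote address is exactly $1.
# lsof truncates COMMAND to 9 characters by default, hence the "com.docke" prefix.
sockets_for_ip() {
    awk -v ip="$1" '
        NR > 1 && $1 ~ /^com\.docke/ {
            n = split($9, ends, "->")
            for (i = 1; i <= n; i++) {
                addr = ends[i]
                sub(/:[^:]*$/, "", addr)        # drop the :port suffix
                if (addr == ip) { print $2, $8, $9; break }
            }
        }'
}

# Read `codesign -dv --verbose=2` output on stdin; print the signing Team ID.
team_id() {
    sed -n 's/^TeamIdentifier=//p'
}

if [ -x "$BACKEND" ] && [ -n "${1:-}" ]; then
    # Live check on a Mac: pass the flagged IP address as the first argument.
    codesign --verify --strict "$BACKEND" && echo "signature valid"
    echo "Team ID: $(codesign -dv --verbose=2 "$BACKEND" 2>&1 | team_id)"
    lsof -nP -i | sockets_for_ip "$1"
else
    # Offline demonstration over the constructed sample.
    printf '%s\n' "$SAMPLE_LSOF" | sockets_for_ip 216.245.177.193
fi
```

An unconnected UDP socket is listed by lsof as `*:port` with no peer, so a single inbound datagram like the one in the alert will not necessarily appear with its remote address; compare the printed Team ID with the one on a Docker Desktop installer you downloaded from Docker yourself.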