OS X file guard tool in alpha A new OS X utility called FlockFlock that monitors file-system accesses for malicious activity is available as an alpha release for experienced developers to test. Written by computer forensics expert Jonathan Zdziarski, the open-source software hopes to thwart "ransomware, spyware or other malicious programs that might …
I had commented here:
http://forums.theregister.co.uk/forum/1/2016/04/20/mac_ransomware_detection/
that that earlier effort seemed a little half-arsed to me because it did not watch the Applications filesystem (and got downvoted for that, thank you!) and could not be configured to do so.
This approach sounds a little more holistic to me. I'll give it a try once it's in beta.
Wouldn't messing with the Applications filesystem require root? Not that there aren't privilege escalation exploits possible, but that at least raises the bar for the attack to be successful.
There are other ways than watching Applications (and don't forgot the OS binaries) like a hawk, like supporting more fine grained privileges so that "root" isn't all powerful and can't write to those filesystems except in very special circumstances - i.e. a power only available to the software install/patching system.
"Wouldn't messing with the Applications filesystem require root?"
Not for user-installed applications; those are usually not system-level protected. Which is why a ransomware application could merrily encrypt a bit of anti-ransomware--which would reside in the Applications filesystem--without that very anti-ransomware noticing itself being encrypted, if the Applications filesystem is not being watched.
Fine-graining is all very nice with the permissions, but root needs to be root (in case of a seriously banged-up system, you need to have an account capable of fixing it. Trust me on that. Been there.) I'm all for more dexterous permissions, but that's hardly likely to happen in a consumer OS. Granted, the system-level filesystems on MacOS are safeguarded relatively well (compared to certain other players), but the problem remains that the Applications filesystem has mixed permissions depending on who installed what, so remains vulnerable with most user-installed apps being part of Userland.
Yes, I know I'm borderline paranoid. Which I figure is a good thing if you're a sysadmin.
I expect you know this, but use an admin user just to install (okay, copy) software to the /Applications directory and a standard user to run them.
If a standard user copies software to their own ~/Applications then it can get completely owned, just like documents in their home directory. There's not much you can do about that apart from using a monitoring programs like this which hopefully doesn't make daily use too terrible.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
