DeepGuard can be bypassed via shell commands
Hi, I'm using macOS Big Sur now, but this problem also exists on Catalina.
Details:
I set up an observe rule for the folder '~/test'; apps that try to access it trigger a DeepGuard dialog. However, when I '$ cd ~/test' and then run commands like $ rm, $ mv, $ touch in the folder, they all succeed without any faults, and I get 0 DeepGuard dialogs.
Expected behaviour:
Shell commands that try to access protected folders should also trigger a DeepGuard dialog.
Accepted Answer
-
Hi,
Which ruleset do you use? Apple-signed processes are excepted from DeepGuard rules unless you use the "Strict" ruleset, and yes, this includes the shell executables. This is by design and necessary due to the inherent complexities involved in assessing shell script behaviour.
If you want more fine-grained control, you need to switch to the "Strict" ruleset in the DeepGuard Configuration app. You should then be able to restrict access by shell processes as well.
Furthermore, there seems to be a bug in that decisions made while a previous ruleset was in use are cached, and that rules are only applied to new processes, not to old processes for which DeepGuard has already made a verdict. We're working on fixing these issues. In the meantime, you can force-reload the current DeepGuard policy by pressing ⌘R in the DeepGuard Configuration app, and test by opening a new Terminal window.
Hope this helps!
We're constantly evolving DeepGuard and it's really helpful to hear your feedback in this matter.
-- Rasmus, F-Secure R&D, Mac Team
Rasmus Sten
F-Secure Technology, Mac Team
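A small harness for repeating the reporter's test under each ruleset, as an added example that is not code from this thread or from F-Secure. It runs the same Apple-signed tools (touch, mv, rm) inside a folder and checks the effect on disk rather than trusting exit status, so one run under "Classic" and one under "Strict" (after ⌘R and a fresh Terminal) can be compared. It assumes `codesign -dvv` prints the line `Authority=Software Signing` for Apple platform binaries, which is how it labels a binary as Apple-signed; the "dg-probe" file name is my own. Note that `cd` is a shell builtin, so the process DeepGuard sees for it is the shell itself (e.g. /bin/zsh), not a separate executable.

```shell
#!/bin/sh
# Added example (not from the F-Secure post): probe a DeepGuard-protected
# folder with Apple-signed tools and record which operations really happened.
# Usage: sh dg-probe.sh ~/test

# Print "apple", "other" or "unknown" for the signer of a binary.
# On macOS, `codesign -dvv` (output on stderr) prints "Authority=Software
# Signing" for Apple platform binaries such as /bin/rm. On hosts without
# codesign the answer is "unknown".
signer_of() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    if codesign -dvv "$1" 2>&1 | grep -q '^Authority=Software Signing$'; then
        echo apple
    else
        echo other
    fi
}

# On-disk probes used to confirm an operation's effect.
exists() { [ -f "$1" ]; }
gone()   { [ ! -e "$1" ]; }

# check_op LABEL PROBE PATH CMD...: run CMD, then verify PROBE on PATH.
# Prints "LABEL ok" or "LABEL blocked". Verifying on disk matters because a
# denied operation may still exit 0 from some tools.
check_op() {
    label=$1; probe=$2; path=$3; shift 3
    if "$@" 2>/dev/null && "$probe" "$path"; then
        echo "$label ok"
    else
        echo "$label blocked"
    fi
}

# Exercise a directory with touch, mv and rm. Each step sets up its own
# input so that one denial does not hide the result of the next step.
probe_dir() {
    dir=$1
    f="$dir/dg-probe.$$"
    check_op touch exists "$f" touch "$f"
    # If touch was denied, let the shell itself create the file for mv.
    [ -f "$f" ] || : > "$f" 2>/dev/null
    check_op mv exists "$f.moved" mv "$f" "$f.moved"
    target="$f.moved"; [ -f "$target" ] || target="$f"
    if [ -f "$target" ]; then
        check_op rm gone "$target" rm "$target"
    else
        echo "rm skipped"
    fi
    rm -f "$f" "$f.moved" 2>/dev/null
}

# Number of operations reported as blocked in DIR (0 on an unprotected dir).
blocked_count() {
    probe_dir "$1" | awk '/ blocked$/ { n++ } END { print n + 0 }'
}

if [ -n "$1" ]; then
    for tool in touch mv rm; do
        bin=$(command -v "$tool")
        echo "$tool -> $bin (signer: $(signer_of "$bin"))"
    done
    sh_bin=${SHELL:-/bin/sh}
    echo "shell -> $sh_bin (signer: $(signer_of "$sh_bin")); cd is a builtin of this process"
    probe_dir "$1"
    echo "blocked operations: $(blocked_count "$1")"
fi
```

Run it once per ruleset and diff the two outputs; under "Classic" every line should read `ok` for Apple-signed tools, which is the behaviour the answer describes, and a `blocked` line under "Strict" confirms the rule now reaches shell-spawned processes.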
Answers
-
Hi pajp, thanks for your detailed answer. Currently I'm using "Classic" mode.
I have done some tests under "Strict" mode, and I did find some shell commands are still excepted from DeepGuard: cd/ls/mv/cp... Are ALL commands under "/bin" excepted from DG, and is this by design too?
Have a nice weekend :)