WeChat can bypass DeepGuard
It can be reproduced with the following steps:
- Set a deny rule for WeChat that prevents it from accessing the folder "foo"
- In WeChat, select a file in the folder "foo" and send it
- Although DeepGuard triggers an "Access Blocked" notification, the file is sent successfully anyway. That means WeChat can access the folder "foo" and the deny rule doesn't work.
Here is the screenshot:
But Hands Off! can block WeChat's file access correctly:
Accepted Answer
-
Hey, @66f2e490!
We have identified the issue and fixed it. We are currently validating the fix internally and will include it in the next FS Protection release. We will keep you posted on it. You will also see a new post for the new release in this thread: https://community.f-secure.com/en/discussion/123065/fs-protection-for-mac-17-9-releases#latest
Best regards, Arthur
F-Secure Technology, Mac Team
Answers
-
Hi, @66f2e490!
Thanks for your report. That indeed sounds like an inconsistent behavior. We will check this from our side.
Could you please share which DeepGuard ruleset you currently have in use? The current rules are shown in the DeepGuard Configuration app (it can be accessed from the FS Protection preference pane in the System Preferences app, or by holding down the Alt key, opening the FS Protection menubar icon and selecting "Configure DeepGuard" from the list). The current ruleset is mentioned in the upper-right corner.
If the "Default" ruleset is in use, then the F-Secure-provided whitelist could be in effect, as I see that WeChat's developer team identifier is marked as trusted. There are alternative rulesets ("Classic" and "Strict") which do not include the F-Secure-provided whitelist, which could help to achieve the behavior that you are interested in.
Could you please try to switch to an alternate ruleset (if you haven't already) and let me know if you can still see the same behavior? After you switch the ruleset, close the DeepGuard Configuration app to apply the changes.
Best regards, Arthur
F-Secure Mac R&D Team
-
Ok, thanks for sharing that!
I indeed can reproduce this behavior on my Mac with Strict mode enabled for DeepGuard. We will take a closer look at the behavior with the team and will assess this issue. Hopefully, we will be able to include the fix in the upcoming release of FS Protection if we decide that this cannot wait. We will let you know as soon as the release with the fix for this issue is pushed out. Thanks for reporting this to us!
Best regards and have a nice day too.
Arthur