WeChat can bypass DeepGuard

It can be reappeared in following steps:

  1. set a deny rule for WeChat, prevents it from accessing the Folder "foo"
  2. In WeChat, select a file in Folder "foo" and sent it
  3. Although DeepGuard triggers a "Access Blocked" notification, the file has been sent successfully anyway. That means WeChat can access the Folder "foo" and the deny rule doesn't work.

Here is the screenshot:


But Hands Off! can block WeChat's file access correctly:



Best Answer

Answers

  • ArthurValArthurVal Posts: 51 F-Secure Employee

    Hi, @66f2e490!

    Thanks for your report. That indeed sounds like an inconsistent behavior. We will check this from our side.

    Could you please share which DeepGuard ruleset do you currently have in use? The current rules is shown in DeepGuard Configuration app (can be accessed from the FS Protection preference pane in System Preferences app or by holding down Alt key and opening the FS Protection's menubar icon and selecting "Configure DeepGuard" from the list). The current ruleset is mentioned in the upper-right corner.

    If the "Default" ruleset is in use, then F-Secure provided whitelist could be in effect as I see that WeChat's developer team identifier is marked as trusted. There are alternative rulesets ("Classic" and "Strict") which do not include the F-Secure provided whitelist which could help to achieve the behavior that you are interested in.

    Could you please try to switch to an alternate ruleset (if you don't already) and let me know if you can still see the same behavior? After you switch the ruleset, close the DeepGuard Configuration app to apply changes.

    Best regards, Arthur

    F-Secure Mac R&D Team


  • 66f2e49066f2e490 Posts: 7 New Member

    Hi @ArthurVal,

    Thanks for your quick answer! I checked w/ the DeepGuard settings, it's under "Strict" mode ( because I want to also control shells' file access).

    And I tested w/ Big Sur (Beta 10) and macOS 10.15.7, this issue still exists.

    Best regards & have a nice day.

    ArthurVal
  • ArthurValArthurVal Posts: 51 F-Secure Employee

    Ok, thanks for sharing that!

    I indeed can reproduce this behavior on my Mac with Strict mode enabled for DeepGuard. We will take a closer look at the behavior with the team and will assess this issue. Hopefully, we will able to include the fix to the upcoming release of FS Protection if we decide that this cannot wait. We will let you know as soon as the release with the fix for this issue is pushed out. Thanks for reporting this to us!

    Best regards and have a nice day too.

    Arthur


    Ukko
  • 66f2e49066f2e490 Posts: 7 New Member

    Hi ArthurVal,

    It's really a good news! Can't wait for the new release!

    Thanks for your team's hardworking and have a nice day.

    Best regards.

Sign In or Register to comment.