About Deepguard's self protection

Hi dev team,

good day. Deepguard can deny FS-activists initiated by root, however any process gains root privilege can bypass DG easily by running $launchctl unload -w command.

Does DG have a mechanism to defend such attack from root? Thanks in advance.

Best regards.

Accepted Answer

  • ArthurVal
    ArthurVal Posts: 265 F-Secure Product Expert
    Answer ✓

    Hello!

    I believe that this is one of features that we plan to add in one of future releases. It has not been scheduled to any particular release but we would like to have self protection in DeepGuard at some point so that even root level attacks could be prevented.

    We still have self protection when DeepGuard is running on 10.14 with a kernel extension in place. But unfortunately, we had to re-implement certain areas of DeepGuard with kext deprecation on recent macOS releases and DeepGuard self-protection feature has not been yet ported/implemented in the kext-less FS Protection versions (10.15+).

    Best regards, Arthur

    Best regards, Arthur

    F-Secure Technology, Mac Team

Answers

  • 66f2e490
    66f2e490 Posts: 56 Contributor

    Hi @ArthurVal ,

    Thanks for your detailed reply. Maybe in the future DeepGuard's daemon can be implemented as system extension, as least nowadays the system extensions can't be uninstalled directly when SIP is on.

    Best regards.

  • ArthurVal
    ArthurVal Posts: 265 F-Secure Product Expert

    Hi,

    The system extension approach has been considered when we were making pre-studies of Endpoint Security API framework integration. But unfortunately in its current state it's not user friendly enough for an average customer as it requires a separate Full Disk Access permission to be granted to the system extension bundle. We did not want to complicate the current situation in which we already require granting FDA for the main app bundle.

    This concern was raised to Apple on several occasions but unfortunately it was addressed in time when we needed to complete the transition. But who knows, if Apple makes it more user friendly by our standards, we might reconsider system extension approach. :)

    Our current plan is to expand the approach that we with for self-preservation of DeepGuard kernel extension for the entire FS Protection/SAFE product. So that in addition to DeepGuard, all other vital product components are protected as much as possible.

    BR, Arthur

    Best regards, Arthur

    F-Secure Technology, Mac Team

  • 66f2e490
    66f2e490 Posts: 56 Contributor

    Hi,

    Yes, I believe that FS Protection/SAFE is safe for running under a standard user account, which can't run sudo and give the malicious apps root access. However a lot of mac users are using admin account in their daily life.

    Personally I'm happy to see kext will be used again to defend attacks from root, which literally makes these product more secure.

    Best regards.

Feedback on New Design