A confusion about DeepGuard's policy

66f2e490 Posts: 47 Contributor

Hi dev team,

Good day. I set a rule watch prefix "/System/Applications/" "any" wc in strict mode.

Expected behaviour:

A DeepGuard dialog appears when any process tries to modify the "/System/Applications/" folder.

What actually happened:

A DeepGuard dialog appears when any process tries to modify the "/Applications/" folder.


I think these two folders are not linked technically; we can confirm that with the ls command. It seems like DeepGuard treats them as the same folder. Is it a bug or a feature by design?


Best regards.

Accepted Answer

  • ArthurVal Posts: 244 F-Secure Employee
    Answer ✓

    Hello!

    Thanks for the report! As far as I can see, this is indeed not an accident. So at least DeepGuard is working as designed. The original intention of this combination of /Applications and /System/Applications was to remove confusion for users who would like to monitor applications from /Applications.

    When you select /Applications from the system open dialog, it shows you applications both from /Applications and /System/Applications, thus giving the user the impression that there is only one combined Applications directory on the system. Though, as you've correctly pointed out, there are indeed two completely separate directories for system default and user installed applications.

    So this behavior is intentional and does not reveal unexpected bugs. Though of course I think it's possible to tweak it and give more granular control in case monitoring of one of those specific directories is required.

    We will discuss this topic with the team and will create an item in our backlog. That said, unfortunately I cannot give any estimates on when such functionality will become available, as it needs to go through planning and prioritization. But this will definitely be discussed in one of the planning sessions.

    Best regards, Arthur

    Mac R&D Team