DeepGuard keeps asking for mount events

Hi Dev team,
Good day. After upgrading to version 3.0.48998 (48998), DG keeps asking about mount events. The problem is that I don't have any "watch" rule for mount events. Changing the mode from "Strict" to "Default" or "Classic" does NOT help.
The version I used before this was 18.4, and I didn't encounter this problem.
Currently I'm using this rule to mute all mount events:
allow prefix "/" "any" m
System environment: macOS 13.2.1 (22D68)
Best regards.
Answers
Hi, @66f2e490!
Took a look at the diagnostics shared previously. Found some evidence of DeepGuard trying to show a prompt for a mount operation. But unfortunately, most of the decision making logs are debug level which are not stored/available for collection by our Support Tool by default.
In my own testing, I could reproduce the behavior in the Strict mode of DeepGuard as it sets a very low level of trust to system activity in general. But other rulesets did not cause prompts for mount activity.
One thing came to mind since you mentioned that this behavior started happening after a product update. For quite a while we had mount support on the DeepGuard side disabled due to issues on Apple's side with how the system treats user "deny" actions. We have been in contact with Apple and they fixed a few reported use case scenarios. Following that, we re-enabled support for mount operations on the DeepGuard side. That could explain why the behaviour was not observed previously, as this type of operation was not intercepted by DeepGuard.
If the issue is still occurring on your Mac, I would suggest enabling debug level logs, reproducing the issue again and collecting an fsdiag capture once more. Hopefully that will reveal the situation in more detail.
One note worth mentioning. I've noticed an unexpected configuration of our product captured in fsdiag. Only a limited number of crucial services are running. This adds entropy to core functionality services like DeepGuard. This is something to keep in mind, as we usually focus on the default configuration of the product during development & testing, taking into account that some features like DeepGuard allow customization such as alternate rulesets.
The tune up that DeepGuard performs when the ruleset is changed takes into account graceful disabling of unused services.
Those customization options which are offered by the product are of course covered in our testing. But, for example, disabling or removing product helper processes with the help of external tools is generally advised against, as we cannot guarantee the level of quality in this case.
Best regards, Arthur
Mac R&D Team