DeepGuard keeps asking for mount events

Hi Dev team,

Good day. After upgrading to version 3.0.48998 (48998), DG keeps asking for mount events. The problem here is that I don't have any "watch" rule for mount events. Changing mode from "Strict" to "Default" or "Classic" does NOT help.

The version I used before this was 18.4, and I didn't encounter this problem.

Currently I'm using this rule to mute all mount events:

allow prefix "/" "any" m


System environment: macOS 13.2.1 (22D68)


Best regards.

Answers

  • ArthurVal
    ArthurVal Posts: 196 F-Secure Employee

    Hi, @66f2e490!

    Could you please run Support Tool and submit fsdiag.tar.gz file on beta.f-secure.com?

    We can then take a closer look to diagnose this behaviour. Thanks.

    Best regards, Arthur

    Mac R&D Team

  • 66f2e490
    66f2e490 Posts: 42 Contributor
    edited July 29
  • ArthurVal
    ArthurVal Posts: 196 F-Secure Employee

    Thanks!

    We will take a look and will get back to you as soon as we learn more about the root cause behind this behaviour.

    Best regards, Arthur

    Mac R&D Team

  • ArthurVal
    ArthurVal Posts: 196 F-Secure Employee

    Hi, @66f2e490!

    Took a look at the diagnostics shared previously. Found some evidence of DeepGuard trying to show a prompt for a mount operation. But unfortunately, most of the decision-making logs are at debug level, which are not stored/available for collection by our Support Tool by default.

    In my own testing, I could reproduce the behavior in the Strict mode of DeepGuard as it sets a very low level of trust to system activity in general. But other rulesets did not cause prompts for mount activity.

    One thing came to mind since you mentioned that this behavior started happening after a product update. For quite a while we did have mount support on the DeepGuard side disabled due to issues on Apple's side with how the system treats user "deny" actions. We have been in contact with Apple and they fixed a few reported use case scenarios. Following that, we re-enabled support for mount operations on the DeepGuard side. So that could explain why the behaviour was not observed previously, as this type of operation was not intercepted by DeepGuard.

    If the issue is still occurring on your Mac, I would suggest enabling debug level logs to reproduce the issue again and collect fsdiag capture once more. Hopefully that will reveal the situation in more detail.

    One note worth mentioning. I've noticed an unexpected configuration of our product captured in fsdiag. There is only a limited number of crucial services running. This adds entropy to the core functionality services like DeepGuard. This is something to keep in mind, as we usually focus on the default configuration of the product during development & testing, taking into account that some features like DeepGuard allow customization such as alternate rulesets.

    The tune-up that DeepGuard performs when the ruleset is changed takes into account graceful disabling of unused services.

    Those customization options which are offered by the product are of course covered in our testing. But, for example, disabling or removal of product helper processes done with the help of external tools is generally advised against, as we cannot guarantee the same level of quality in this case.

    Best regards, Arthur

    Mac R&D Team
