[DeepGuard] Issue with specific rules not working
Hi dev team,
Good day. I'm trying to customise my own rules for DeepGuard.
Specifically, I have configured the following rules:
deny prefix "/Library/F-Secure/" "any" wc
allow prefix "/Applications/F-Secure/" "any" wc "t" "APPLE_PF_BINARY"
(the latter one is just for testing)
As per my understanding, these rules should enforce the following behavior:
- No program, regardless of its signature, should be allowed to modify or create files under /Library/F-Secure/
- Only programs with the APPLE_PF_BINARY signature should be allowed to modify or create files under the /Applications/F-Secure/ directory
However, I have observed that programs with the APPLE_PF_BINARY signature are still able to modify and edit files within the /Library/F-Secure/ directory, effectively bypassing the deny rule. It appears that the deny rule is not being enforced as expected in this scenario.
Additionally, I noticed that the same APPLE_PF_BINARY-signed programs can modify critical folders such as /Library/LaunchDaemons/ without triggering the expected DeepGuard prompts.
If I want to create an allow/deny rule based on signatures (without relying on file paths), how should I write it? Given that users can launch programs from any location, it’s crucial for me to enforce restrictions based solely on the signature.
Thank you for your time. I look forward to your response.
Best regards
Answers
-
Hello @66f2e490
We would be happy to give you a more detailed answer, but we need additional information from you. First of all, what base ruleset are you using? In the Classic and Standard rulesets, APPLE_PF_BINARY processes are always whitelisted. Only the strict ruleset allows for denying platform binaries.
Furthermore, it is currently not possible to write a rule based only on signatures. The base matching criteria are paths (most specific path has precedence) and code signature information is a constraint that can be applied on top of that. (With the exception of "allow any" rules which can whitelist a team ID).
So please write what base ruleset you use.
Thank you.
Pawel
-
Hi @PawełP
I'm running DeepGuard under "strict" mode now. The "APPLE_PF_BINARY" here is just an example or placeholder; changing it to any other software's signature still causes the same situation.
"With the exception of "allow any" rules which can whitelist a team ID"
I also tried this with the "t" flag, just like the template one. But basically this bypasses all other rules; it just lets the exec with that team ID do whatever it wants.
So I tried creating the following rule based on team ID, and so far it seems to be working well. However, I'm not sure if this is the proper way to do it.
allow suffix ".xls" "/ via any" rw "" "UBF8T346G9" ; Microsoft
allow suffix ".xlsm" "/ via any" rw "" "UBF8T346G9" ; Microsoft
allow suffix ".xlsx" "/ via any" rw "" "UBF8T346G9" ; Microsoft
Best regards
-
Today I found that "With the exception of "allow any" rules which can whitelist a team ID" is not 100% true.
allow suffix ".mp4" "any" rw "t" "67CQ77V27R" ; IINA
allow suffix ".mp4" "any" rw "t" "46F6T3M669" ; LosslessCut
For example, here I allow IINA and Lossless Cut to access .mp4 files; theoretically DeepGuard will only allow these 2 apps to read/write .mp4 files. But the reality is that even if I drag-n-drop an mp4 file into Excel or any other app, it WON'T trigger any DeepGuard pop-up.
So the “allow any” rule doesn’t seem to whitelist the TeamID but rather whitelists the target path (such as an mp4 file in this case).