Is xfence now able to monitor changes made to inode?

Hi F-Secure dev team, thanks for making such a great app. However, I found some issues related to the command "mv".

Here are the steps:

  1. Switch to "strict mode" and set a watch rule for folder "foo"
  2. Use the command "mv" to move files inside folder "foo" to $TMPDIR (located under /private/var/folders/, which is not included in xfence's watch list)
  3. Result: files are moved without a dialog

I think the root cause is that mv makes changes to the inode instead of the file data, and if the "DEST" isn't watched by xfence, then this could happen.

BR.

Accepted Answer

  • ArthurVal
    ArthurVal Posts: 233 F-Secure Employee
    Answer ✓

    Hello!

    A small update. We've identified the root cause of this behavior.

    We do indeed have support for handling this operating system event type on the DeepGuard (XFENCE) side. However, due to a bug on the implementation side, only the target location is currently evaluated (in this case the temporary directory, which is not included in monitoring). We are now adding evaluation of the source that is being manipulated in this case and validating the fix internally. It will be included in the next FS Protection release.

    We appreciate you reporting the issue to us and helping us improve the quality of the feature and making it more secure!

    Best regards, Arthur

    R&D Team

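The difference between the destination-only evaluation described in the accepted answer and an evaluation that also covers the source can be modelled in a few lines. This is an added example, not F-Secure's code: the watch list, paths, function names and the "prompt"/"allow" verdicts are all assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Constructed watch list and rename events; every path here is illustrative.
WATCHED = [PurePosixPath("/Users/alice/foo")]
TMP = "/private/var/folders/zz/constructed/T"
EVENTS = [
    ("/Users/alice/foo/report.txt", TMP + "/report.txt"),       # out of the watched folder
    ("/Users/alice/foo/../foo/notes.txt", TMP + "/notes.txt"),  # same, unnormalised source
    (TMP + "/new.txt", "/Users/alice/foo/new.txt"),             # into the watched folder
    ("/Users/alice/foobar/a.txt", TMP + "/a.txt"),              # sibling sharing a prefix
]


def canonical(path: str) -> PurePosixPath:
    """Lexically normalise an absolute path; assumes symlinks are already resolved."""
    if not path.startswith("/"):
        raise ValueError("rename events are expected to carry absolute paths")
    parts = []
    for part in PurePosixPath(path).parts[1:]:
        if part == "..":
            if parts:
                parts.pop()
        else:
            parts.append(part)
    return PurePosixPath("/", *parts)


def is_watched(path: str) -> bool:
    """True if path is a watched folder or lies beneath one, by whole components."""
    p = canonical(path)
    return any(p == w or w in p.parents for w in WATCHED)


def decide_destination_only(src: str, dst: str) -> str:
    """Model of the reported behaviour: only the target location is evaluated."""
    return "prompt" if is_watched(dst) else "allow"


def decide_source_and_destination(src: str, dst: str) -> str:
    """Model of the described fix: the source being manipulated is evaluated too."""
    return "prompt" if is_watched(src) or is_watched(dst) else "allow"


def missed_by_destination_only(events):
    """Events the destination-only check allows but the two-sided check prompts on."""
    return [e for e in events
            if decide_destination_only(*e) == "allow"
            and decide_source_and_destination(*e) == "prompt"]


if __name__ == "__main__":
    for src, dst in missed_by_destination_only(EVENTS):
        print(f"regression case: mv {src} -> {dst}")
```

The events returned by `missed_by_destination_only` are the cases worth keeping as regression tests for any rule engine that handles rename events.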

Answers

  • ArthurVal
    ArthurVal Posts: 233 F-Secure Employee

    Hello!

    Thanks for the report! We will investigate it and will get back to you as soon as we have any results to share.

    Best regards, Arthur

    Mac R&D Team


  • 66f2e490
    66f2e490 Posts: 45 Contributor

    Hello!

    Many many thanks ❤️ . Can't wait to try it out!

    Best regards.

  • 66f2e490
    66f2e490 Posts: 45 Contributor

    Hi ArthurVal,

    Sorry to bother you, may I ask when the next beta of FS Protection will be released?

    Good day & best regards!

  • ArthurVal
    ArthurVal Posts: 233 F-Secure Employee

    Hi!

    Unfortunately, I cannot share any specific date as it has not been decided yet. But I'm hoping that it will happen in a week or two. We are currently verifying a couple of release blockers and if everything checks out, we will proceed with the release.

    BR, Arthur

    Best regards, Arthur

    Mac R&D Team