Does DeepGuard's code-signing check impact the system's performance?


Hi dev team,

Nice day. I noticed that in paranoid.rc almost all policies require DeepGuard to check the teamID "APPLE_PF_BINARY" of Apple's binary files, which xfence.rc and xfence_classic.rc don't.


So the question is, does this code signing check impact the system performance? Several months ago I made some tests (see policies below) under strict mode, which makes the system super laggy: opening a new zsh window even requires 14 seconds.

Below are the policies added in paranoid.rc:

allow prefix "~/" "/System/Library/CoreServices/" rwc "" "APPLE_PF_BINARY"

allow prefix "~/" "/System/Library/PrivateFrameworks/" rwc "" "APPLE_PF_BINARY"

......

allow prefix "~/" "/usr/libexec/ via any" rwc "" "APPLE_PF_BINARY"


Below is the screenshot of opening a new zsh window:

Thanks in advance and have a nice day!

Accepted Answer

  • ArthurVal
    ArthurVal Posts: 236 F-Secure Employee
    Answer ✓

    Hello, @66f2e490 !

    Thanks for reaching out.

    Yes, indeed the Strict ruleset (a.k.a. "Paranoid" mode) validates more system process activity compared to the Classic and Default rulesets, which involves more operations occurring on DeepGuard's side.

    That, of course, should not result in performance degradation to the point of freezing, stalling and other unwanted behavior.

    I've noticed that you've mentioned that these tests were performed several months ago. Did you have a chance to check if the situation improved with latest FS Protection releases?

    The reason why I'm asking this is because we've implemented a couple of bug fixes in the recent releases which were focused on performance while DeepGuard is operating in strict mode. So my hope is that it should have fixed the issue you were facing.

    So I'd suggest checking this situation with the most recent FS Protection release which should be of version 17.11 (37333). I believe the latest release should include the fix that I am referring to. If you are still facing similar issues with the latest release, do not hesitate and get back to us on that. We'd love to check out if further adjustments are needed for Strict mode to operate properly.

    Cheers!

    Best regards, Arthur

    FS Protection Mac R&D Team


Answers

  • 66f2e490
    66f2e490 Posts: 45 Contributor

    Thanks! This bug seems to be fixed in the newest release. trustd no longer takes too much CPU.

    Nice day and best regards.