Comments
-
Hi @ArthurVal, thanks for your quick reply! Another UI issue I found (after updating to 18.2 (41864)) is that the LaunchAgent app doesn't obey the system's language settings. The language was set to EN, and it worked in previous versions. But in this version 18.2 (41864), the LaunchAgent app ignores it and still shows German. Best…
-
Hi @ArthurVal, thanks for your reply.
allow path "any" "/System/Library/CoreServices/Finder.app/" r "" "APPLE_PF_BINARY"
allow prefix "~/" "/System/Library/CoreServices/Finder.app/" rwc "" "APPLE_PF_BINARY"
Both of these policies contain allow decisions for Finder's filesystem read actions. Since "~/" has a longer path than…
-
Hi @ArthurVal, after reloading the rules, DG will still stop Finder from accessing files in ~/Desktop. Now I think watching special folders under "~/" may not be a good idea; it increases the complexity of maintaining the rules. So I changed the rules back to
watch prefix "~/" "any" rw
and everything works well now. Thanks…
-
Using $grep I can confirm these policies are stored on disk. Best regards!
-
Hi @ArthurVal, thanks for the detailed answer. These three policies are added to the file "/Library/Application\ Support/XFENCE/paranoid.rc". I manually changed the default DeepGuard configuration files; that's why the local.xfence.rc file doesn't seem to contain the related policies. Btw, I just tried adding these three policies…
-
So basically the problem is: I gave Finder the rights to read anything, but DeepGuard will still stop Finder and wait for my approval. See the picture below: Best regards & good day.
-
Hi @ArthurVal, thanks for your quick answer. I just tried again and can reproduce this problem. The system is Monterey (21A559), and DeepGuard is in strict mode. Debug mode is enabled and the log files have been uploaded. Case ID is #SAFE_BUG-03506. Best regards
-
Good day. I think ES_EVENT_TYPE_AUTH_SIGNAL could be used to prevent being unloaded by launchd. Ref: developer.apple.com/forums/thread/681063 Best regards.
-
Hi, or can we use the "signatureID/signingID" as a condition to audit launchctl's launch? No matter where the command is located, its "signatureID/signingID" should be the same. Best regards.
-
Hi @pajp, thanks for your answer! Indeed you're right; it looks like every app will access /dev/dtracehelper. I always worry unnecessarily that some processes w/ root access would $launchctl unload -w /L/LaunchDaemons/com.f-secure... DG can stop unauthorized root processes from accessing my files, but can't stop them from using…
-
The reason I want to watch "/dev/dtracehelper" instead of "/bin/launchctl" is that the following rule can be easily bypassed: just put $launchctl outside of "/bin/". Any good ideas?
RULE: watch "/bin/launchctl" "any" rx
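The two comments above (the path-anchored `watch "/bin/launchctl"` rule that a relocated copy of launchctl evades, and the suggestion to key on the signing ID instead) can be made concrete with a small model. This is an added example, not code from the thread, from XFENCE or from F-Secure's DeepGuard, and it does not reproduce their rule engine. The event fields mirror what an EndpointSecurity client receives in `es_process_t` (`signing_id`, `is_platform_binary`); the events themselves are constructed by hand, and the launchctl signing identifier `com.apple.xpc.launchctl` is an assumption to be confirmed with `codesign -dv --verbose=4 /bin/launchctl`. The example also carries the caveat a practitioner needs: a signing ID alone is not an identity, because an ad-hoc signature can claim any identifier, so the rule must also require a platform (Apple-signed) binary.

```python
"""Path-anchored rule vs signing-ID rule for a relocated launchctl.

Constructed example; not XFENCE/DeepGuard code. Events are hand-built and
the launchctl signing identifier below is an assumed value.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class ExecEvent:
    # Modelled on the fields an EndpointSecurity client sees in es_process_t.
    # Values are constructed for this example, not captured from a real host.
    path: str
    signing_id: str
    is_platform_binary: bool


Rule = Callable[[ExecEvent], bool]


def path_rule(target: str) -> Rule:
    """Equivalent of `watch "/bin/launchctl" "any" rx`: matches on location only.

    Matches the exact path or anything under it; a copy of the binary placed
    elsewhere is invisible to this rule."""
    prefix = target.rstrip("/") + "/"
    return lambda ev: ev.path == target or ev.path.startswith(prefix)


def signing_id_rule(signing_id: str, require_platform: bool = True) -> Rule:
    """Matches on code identity rather than location.

    require_platform matters: an attacker can ad-hoc sign any binary with
    whatever signing identifier they like, so the identifier is only
    meaningful together with a valid Apple (platform) signature."""
    def match(ev: ExecEvent) -> bool:
        if ev.signing_id != signing_id:
            return False
        return ev.is_platform_binary if require_platform else True
    return match


def evaluate(rules: Iterable[Rule], events: Iterable[ExecEvent]) -> List[str]:
    """Return the paths of events that at least one rule would catch."""
    rules = list(rules)
    return [ev.path for ev in events if any(rule(ev) for rule in rules)]


# Assumed signing identifier of Apple's launchctl; check with codesign -dv.
LAUNCHCTL_SIGNING_ID = "com.apple.xpc.launchctl"

# Constructed exec events (not a real capture):
EVENTS = [
    ExecEvent("/bin/launchctl", LAUNCHCTL_SIGNING_ID, True),
    # Apple's launchctl copied to /tmp; assumed to keep its valid Apple
    # signature, so it is still a platform binary but no longer under /bin/.
    ExecEvent("/tmp/launchctl", LAUNCHCTL_SIGNING_ID, True),
    # Attacker-built, ad-hoc signed impostor claiming the same signing ID.
    ExecEvent("/tmp/fake", LAUNCHCTL_SIGNING_ID, False),
    ExecEvent("/bin/ls", "com.apple.ls", True),
]


def path_matches() -> List[str]:
    """What the original path-based rule catches: only the /bin/ copy."""
    return evaluate([path_rule("/bin/launchctl")], EVENTS)


def signing_id_matches() -> List[str]:
    """Signing ID plus platform check: both genuine copies, not the impostor."""
    return evaluate([signing_id_rule(LAUNCHCTL_SIGNING_ID)], EVENTS)


def naive_signing_id_matches() -> List[str]:
    """Signing ID alone: also fires on the ad-hoc signed impostor (false positive
    here, and in an allow rule it would be a bypass)."""
    return evaluate([signing_id_rule(LAUNCHCTL_SIGNING_ID, require_platform=False)], EVENTS)


if __name__ == "__main__":
    print("path rule      :", path_matches())
    print("signing-id rule:", signing_id_matches())
    print("naive signing  :", naive_signing_id_matches())
```

The relocated copy shows why a location-based rule is weak for a system tool: the path changes, the code identity does not. The impostor event shows the opposite failure, which becomes dangerous when the signing ID is used in an allow rule rather than a watch rule: without the platform-binary requirement, anything that claims the identifier inherits the allowance.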
-
Hi, yes, I believe that FS Protection/SAFE is safe when running under a standard user account, which can't run sudo and give malicious apps root access. However, a lot of Mac users use an admin account in their daily life. Personally I'm happy to see the kext being used again to defend against attacks from root, which literally…
-
Hi @ArthurVal, thanks for your detailed reply. Maybe in the future DeepGuard's daemon can be implemented as a system extension; at least nowadays system extensions can't be uninstalled directly when SIP is on. Best regards.
-
Thanks! This bug seems to be fixed in the newest release. trustd no longer takes too much CPU. Nice day and best regards.
-
Hi ArthurVal, sorry to bother you, but may I ask when the next beta of FS Protection will be released? Good day & best regards!
-
Hello! Many many thanks ❤️ . Can't wait to try it out! Best regards.
-
Hi ArthurVal, it's really good news! Can't wait for the new release! Thanks for your team's hard work and have a nice day. Best regards.
-
Hi @ArthurVal, thanks for your quick answer! I checked the DeepGuard settings; it's in "Strict" mode (because I want to also control shells' file access). And I tested w/ Big Sur (Beta 10) and macOS 10.15.7; this issue still exists. Best regards & have a nice day.
-
Hi ArthurVal, is it possible that a wrong installer was put on 'My Fs Protection'? Because once I downloaded and installed it, I was informed the installer is "F-Secure Anti-Virus" instead of "fs protection for Mac". Best regards.
-
Hi pajp, thanks for your detailed answer. Currently I'm using "Classic" mode. I have done some tests under "Strict" mode, and I did find that some shell commands are still excepted from DeepGuard: cd/ls/mv/cp... Are ALL commands under "/bin" excepted from DG, and is this by design too? Have a nice weekend :)