BlockBlock



Ervins, thanks for your review and for alerting us to the seemingly useful, and possibly great, security apps at the developer's site‼️ After I test them (there are 10 programs), I will review them here.
In reading his notes and 'readme' files for each app, Patrick conveys a real concern with security; not like some who hype their products as ‘the last word’ in Mac security. This developer points out what he sees as both strengths AND weaknesses with his apps –– and his desire to improve them all as he moves forward. Very impressive array of programs and extremely detailed info on all of his apps.
“OS X malware and security has been a personal passion for many years. However the more I learned about this topic, the more insecure I felt. Malware for OS X is trivial to write and unfortunately has become ever more pervasive. And, using attacks such as dylib hijacking, attackers can easily bypass all current OS X security products.
As an avid Mac user, this worried me, so I decided to do something about it. Initially, this was for somewhat 'selfish' reasons; I simply wanted to write OS X security tools to secure my Mac. But then I thought, 'hey, sharing is caring, I should make my tools publicly available, free of charge.' This is the idea that drives the website.”
Patrick Wardle
Not to be missed, is his site’s Blog, where you will find an amazing trove of Mac security information, resources and a detailed overview of the ‘Mac malware’ culture we now find ourselves confronted with.
And as you pointed out –– he has a big heart when it comes to pricing :-)
He very quietly points out (at the very bottom of his site pages) that donations are welcome; but nothing is ‘crippled’.
Nice find.
Annie


Malware installs itself persistently, to ensure it's automatically (re)executed.
BlockBlock continually monitors common persistence locations and displays an alert whenever a persistent component is added to the OS.
Compatibility: OS X 10.15+
Current version: 1.0.0 beta (change log)
Zip's SHA-1:



BlockBlock is currently still a beta product. This version isn't as fully tested as Objective-See's other software, and thus may contain bugs. If you find any issues while using this beta, please submit an issue here!
Also I'm still working on porting over all plugins for the myriad of persistence types. For now, this version only detects launch agent/daemon persistence. ...more persistence detections will be added soon!

To install BlockBlock, simply download it, run 'BlockBlock Installer.app', and press the 'Install' button:
Because BlockBlock utilizes Apple's new Endpoint Security Framework (to monitor for persistence), it requires system privileges. As such, during installation the OS will display an authorization prompt:
Another prerequisite, imposed by Apple, of using the Endpoint Security Framework is 'Full Disk Access'. The first time you install BlockBlock, it will instruct you how to manually give BlockBlock such disk access.
In short:
  • Click the Open System Preference button

  • Click the 🔒 icon (bottom left of the System Preferences app) and re-authenticate.

  • In the 'Full Disk Access' table, select the check box next to BlockBlock.

Uninstalling BlockBlock

To uninstall BlockBlock, simply re-run the 'BlockBlock Installer.app'. Click 'Uninstall' to completely remove BlockBlock:
Once installed, BlockBlock will begin running and will be automatically started any time your computer is restarted, thus providing continual protection. If anything installs a persistent piece of software, BlockBlock aims to detect this and will display an informative alert:
The alert contains information such as:
  • The process responsible for the action:
    The alert contains the process name, pid, path, and arguments. There are also clickable elements on the alert to show the process's code signing information, VirusTotal detections, and process ancestry.

  • The persistent item that was installed: The alert shows both the file that was modified to achieve persistence, and the persistent item that was added.

If the process and the persisted item are trusted, simply click 'Allow'. If not, click 'Block'. Both actions will create a rule to remember your selection (unless you select 'temporarily'). If you decide to block an item, BlockBlock will remove the item from the file system, blocking the persistence.
The 'rule scope' option allows you to specify how the rule is applied. Via the drop down, you can decide if the rule should match any combo of the process, the persistence file, and the persistence item.
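The following is an added example, not BlockBlock's own code: it reads a launch agent/daemon plist to separate the modified file from the persisted item, then applies scoped allow/block rules. The sample plist, the paths, the rule layout and the first-match-wins behaviour are all assumptions made for illustration.

```python
import plistlib

# Constructed sample launch agent plist (illustrative only, not a real sample).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.updater/helper</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

def persistence_event(process_path, plist_path, plist_bytes):
    """Describe an event the way the alert does: process, modified file, persisted item."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        job = {}  # malformed plist: still report the file, item stays unknown
    if not isinstance(job, dict):
        job = {}
    args = job.get("ProgramArguments")
    # launchd executes 'Program' if present, otherwise ProgramArguments[0].
    item = job.get("Program") or (args[0] if isinstance(args, list) and args else None)
    return {"process": process_path, "file": plist_path, "item": item}

def decide(event, rules):
    """Return the action of the first rule whose scoped fields all match, else 'ask'.

    Rule layout is hypothetical: {'action': 'allow'|'block', 'match': {field: value}}.
    Fields left out of 'match' are outside the rule's scope and match anything.
    """
    for rule in rules:
        scope = rule.get("match") or {}
        if scope and all(event.get(k) == v for k, v in scope.items()):
            return rule["action"]
    return "ask"  # no remembered decision: the user would be prompted

if __name__ == "__main__":
    ev = persistence_event("/usr/bin/python3",
                           "/Users/alice/Library/LaunchAgents/com.example.updater.plist",
                           SAMPLE_PLIST)
    rules = [{"action": "block", "match": {"item": "/Users/Shared/.updater/helper"}}]
    print(ev, decide(ev, rules))
```

A rule scoped only to the persisted item keeps matching when a different process or plist name is used to install the same binary, while a rule scoped to all three fields applies only to that exact combination.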
Using BlockBlock (Rules)


Persistence events are either allowed or blocked based on user input, which is then turned into BlockBlock's rules. To open the rules window, click on 'Rules' in BlockBlock's status bar menu:



The 'rules' window displays these rules, and also allows one to manually delete rules:


BlockBlock can be configured via its preferences pane. To open this pane, click on 'Preferences' in BlockBlock's status bar menu:


There are preference options to control various aspects of BlockBlock, including its alerting mode and icon mode, and to disable automatic update checks:
