
'Notify-only' Mode

Open arubdesu opened this issue 7 years ago • 6 comments

I certainly don't want to be asking for a million knobs, but would a 'just nag' mode be acceptable? While in a limited testing deployment I feel like I'd rather folks freak out and tell us about a message they receive (after being stopped the first time) and I'll see the log entry, rather than automatically BLOCK them from running the binary.

arubdesu avatar Oct 13 '16 20:10 arubdesu

I second this. In Germany we may run into issues tracking all the data for clients without extra permission. So far we only use Santa where we have a dedicated agreement in place; this limits the scope we'd love to use Santa for.

headmin avatar Oct 14 '16 05:10 headmin

I second this too. Would be useful in our environment, as we are supporting researchers who run all kinds of small and self-compiled binaries (e.g. in physics-related areas).

apettinen avatar Oct 14 '16 13:10 apettinen

Proactively addressing a counter-point - I see how this could cause blind 'click to make it go away' alert fatigue-type reactions from customers, but the whole purpose for me, implementation-wise, is that it should be a RARE occurrence since I've whitelisted all the non-malware stuff. And, if coupled with a log watcher that sends DENY notifications, when I come back to remediate customers may be able to associate the message they saw with the assistance I'm now providing. It turns into 'that was a helpful alert trying to protect me, I'll pay attention in the future', with the added benefit of only briefly ever interrupting their usage of software.

arubdesu avatar Oct 14 '16 13:10 arubdesu

Not opposed to this feature, low down on priorities though. Pull requests welcome 🛩

tburgin avatar Oct 24 '16 16:10 tburgin

Going through the backlog here. To rephrase: is the request here to have a mode where you pop up a dialog to the user and ask "do you want to allow this?"

pmarkowsky avatar Apr 27 '22 21:04 pmarkowsky

Yes, with the difference from Windows-alike UAC prompts being that there probably shouldn't be auth mentioned in the alert or directly involved, just a one-time friendly speedbump notice. The decision may therefore also want to be cached by default (until a rule specifies handling behavior) in the same way that block actions can be told to snooze their prompts.

arubdesu avatar Apr 27 '22 23:04 arubdesu