
Blocking execution of files based on quarantine_url

Open PickmanSec opened this issue 6 years ago • 4 comments

I would like to be able to add a rule to the conf that would block or allow files downloaded from specific domains. This could help with some types of malware.

PickmanSec avatar Sep 22 '17 17:09 PickmanSec

The quarantine extended attribute can be deleted or modified by any user with write access to the file.

So, technical feasibility aside, I'm not sure what actual security would be gained.

ccaviness avatar Sep 22 '17 19:09 ccaviness

I think the idea is that most malware and users do not attempt to affect this metadata (sure, security through obscurity, but if someone is using xattrs to modify that attribute I want to know about that anyway). The types of malware that would be blocked by this are malware downloading stagers and then executing them; this would probably only work in pretty locked down environments.

Another thing I would like to do is block binaries downloaded from websites that typically bundle adware/PUA.

But I think that having options for blocking would be useful especially if you run lockdown mode and want to blanket approve binaries downloaded from specific internal websites for execution.

PickmanSec avatar Sep 26 '17 22:09 PickmanSec

I think this is an interesting idea and can see why it could be useful, the main problem I have is the feasibility, particularly due to performance. Let me mull it over.

russellhancox avatar Sep 28 '17 10:09 russellhancox

Circling around (after all this time), I can still see why this would be useful but my concerns about performance haven't diminished (looking things up in the quarantine DBs has always been best-effort and not in the critical performance path). However, this is a feature that could easily be put behind a configuration flag so that the check is only done if the flag is enabled.

Unfortunately we don't have time to work on this right now, so I'll document what needs to be done in case we can in the future or someone else wants to tackle it; we'd be happy to review pull requests.

Required Changes:

  1. Add said flag (EnableQuarantineURLBlacklisting)
  2. Add a new rule type (like QUARANTINE_URL) to SNTCommonEnums.h
  3. Add support for the new rule type in SNTRuleTable.m (see below). This would involve extending the ruleForBinarySHA256:certificateSHA256 method to add a third parameter for the quarantine URL and handling the queries properly.
  4. Add handling of the rule type in SNTPolicyProcessor - this is where the flag would be used, where the call to lookup rules happens, the quarantine URL parameter will only be sent if the flag is true.
  5. Add handling of the rule type to santactl/rule and santactl/sync.

SNTRuleTable

The current code for looking up rules is relatively simple, because all the rules can be looked up as exact matches. This change would necessitate having fuzzy rules, otherwise the feature is a bit useless. Regexes are probably too expensive, but LIKE queries could work quite well:

SELECT * FROM rules WHERE 'the-full-quarantine-url-here' LIKE shasum

So the rules as added could include SQL wildcards, like %somebaddomain.com/%.

russellhancox avatar May 18 '18 16:05 russellhancox
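The LIKE-based lookup sketched in the comment above, as an added Python/SQLite example that is not code from the Santa project: the table schema, the QUARANTINE_URL type string and the sample rules are assumptions constructed for the demonstration. It also shows the caveat that an unanchored pattern such as %internal.example/% matches any URL that merely contains that substring, so allow rules should be anchored to the scheme and host.

```python
import sqlite3

# Assumed, simplified schema. The real SNTRuleTable has more columns; the
# point here is that a QUARANTINE_URL rule stores its LIKE pattern in the
# same 'shasum' column that binary rules use for their exact-match hash.
SCHEMA = """
CREATE TABLE rules (
    shasum TEXT NOT NULL,
    state  TEXT NOT NULL,  -- 'ALLOW' or 'BLOCK'
    type   TEXT NOT NULL   -- 'BINARY', 'CERTIFICATE' or 'QUARANTINE_URL'
);
"""

# Constructed sample rules (hypothetical values, not real Santa rules).
SAMPLE_RULES = [
    ("a" * 64, "ALLOW", "BINARY"),                       # exact-match hash
    ("%somebaddomain.com/%", "BLOCK", "QUARANTINE_URL"),  # block pattern
    ("%internal.example/%", "ALLOW", "QUARANTINE_URL"),   # unanchored allow
]


def open_rule_db(rules=SAMPLE_RULES):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO rules VALUES (?, ?, ?)", rules)
    return conn


def rule_for(conn, sha256, quarantine_url=None, enable_quarantine_url=False):
    """Return (state, type) of the first matching rule, or None.

    Binary rules are exact matches and take precedence. The quarantine URL
    is only consulted when the configuration flag is on, mirroring the
    proposal that the extra lookup lives behind a flag.
    """
    row = conn.execute(
        "SELECT state, type FROM rules WHERE type = 'BINARY' AND shasum = ?",
        (sha256,),
    ).fetchone()
    if row:
        return row
    if enable_quarantine_url and quarantine_url:
        # The URL is the LIKE subject and the stored rule is the pattern, so
        # '%' or '_' characters inside the URL itself are literal, not wild.
        row = conn.execute(
            "SELECT state, type FROM rules "
            "WHERE type = 'QUARANTINE_URL' AND ? LIKE shasum",
            (quarantine_url,),
        ).fetchone()
    return row


def pattern_matches(pattern, url):
    """Evaluate one rule pattern against a URL exactly as the lookup does."""
    return sqlite3.connect(":memory:").execute(
        "SELECT ? LIKE ?", (url, pattern)).fetchone()[0] == 1
```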

Due to changes in macOS I don't believe this is possible any longer. Given that constraint I'm going to close this issue.

Please feel free to reopen.

pmarkowsky avatar Aug 15 '23 19:08 pmarkowsky