
`mobileassetd` and macOS Ventura Beta

Open chrisspiegl opened this issue 1 year ago • 1 comments

Hi Team,

I just upgraded to the Ventura Beta and got a ton of BlockBlock alerts.

I am now wondering if this is expected? Or simply new behavior? I am not exactly sure how to deal with this wall of alerts.

All of them are from the process mobileassetd and they pertain to all kinds of different kext files (two examples):

/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/9420AD96-B032-45A3-B477-1B8561329D76-429-000000B53E3181D5/AssetData/payloadv2/patches/System/Library/Extensions/IOFireWireSBP2.kext
/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/9420AD96-B032-45A3-B477-1B8561329D76-429-000000B53E3181D5/AssetData/payloadv2/patches/System/Library/Extensions/AppleConvergedIPCOLYBTControl.kext

Any help would be very welcome. Thank you.

chrisspiegl avatar Sep 10 '22 09:09 chrisspiegl

This has been happening for a few months to me as well. Not very often but once it happens it's a true pain in the ass. As the paths suggest it's Mac updating kexts. @objective-see Is there a way to whitelist the "mobileassetd" process? Clicking allow on all its pop-ups does not fix it.

MMMXXXZZZ avatar Sep 11 '22 17:09 MMMXXXZZZ

Ditto. May be due to the new Ventura Rapid Security Response update process that patches the OS while it's still running?

jguerin avatar Oct 04 '22 23:10 jguerin

I am getting the error on Ventura stable:

Screenshot 2022-11-09 at 3 44 16 PM

It spooked me as I really didn't want a random kernel extension being installed in the middle of the workday but @jguerin's note regarding rapid security response gave me the confidence to approve it on a process basis.

kylehotchkiss avatar Nov 09 '22 23:11 kylehotchkiss

I want to note that I am not a MacOS security expert and was just guessing. However, I've had to disable BlockBlock whenever I take a MacOS update due to the overwhelming number of windows.

jguerin avatar Nov 10 '22 00:11 jguerin

same here with OSX 13.01 Update

Flashget avatar Nov 10 '22 09:11 Flashget

Thanks for the bug report! ...updated the "kext"-matching regex to:

^(\/System|)\/Library\/Extensions\/[^\/]+\.(?i)kext$

It should now only match *.kexts in /System/Library/Extensions/ or /Library/Extensions (the /[^\/] prevents sub-directory matching).

Matches: image

No (longer) matches: image

objective-see avatar Nov 10 '22 20:11 objective-see
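
The effect of the updated pattern on the alert paths from this thread, as an added example (not BlockBlock's own code). Python's `re` rejects a `(?i)` flag in mid-pattern, so it is written here as the scoped group `(?i:kext)`; the helper names and every path marked "constructed" are assumptions made for the illustration.

```python
import re

# Pattern from the comment above, adapted for Python: `(?i)kext` becomes the
# scoped group `(?i:kext)`, so only the extension is case-insensitive.
KEXT_RE = re.compile(r"^(\/System|)\/Library\/Extensions\/[^\/]+\.(?i:kext)$")

# Staging prefix copied from the two alert paths reported in the issue.
STAGED = (
    "/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/"
    "9420AD96-B032-45A3-B477-1B8561329D76-429-000000B53E3181D5/"
    "AssetData/payloadv2/patches/System/Library/Extensions/"
)

SAMPLES = [
    # Top-level bundles in the two monitored directories (constructed paths).
    "/System/Library/Extensions/IOFireWireSBP2.kext",
    "/Library/Extensions/Example.kext",
    "/Library/Extensions/Example.KEXT",
    # The two update-staging paths quoted in the issue.
    STAGED + "IOFireWireSBP2.kext",
    STAGED + "AppleConvergedIPCOLYBTControl.kext",
    # Constructed: file inside a bundle, nested directory, other root.
    "/Library/Extensions/Example.kext/Contents/Info.plist",
    "/Library/Extensions/Sub/Example.kext",
    "/Users/test/Library/Extensions/Example.kext",
]


def is_kext_install(path: str) -> bool:
    """True when the path is a *.kext placed directly in a monitored directory."""
    return KEXT_RE.search(path) is not None


def triage(paths):
    """Split paths into those the pattern would flag and those it skips."""
    flagged = [p for p in paths if is_kext_install(p)]
    skipped = [p for p in paths if not is_kext_install(p)]
    return flagged, skipped


if __name__ == "__main__":
    flagged, skipped = triage(SAMPLES)
    for p in flagged:
        print("MATCH   ", p)
    for p in skipped:
        print("no match", p)
```
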

Thank you! Looking forward to the update - do you have a rough idea of when you'll issue a new build?

jguerin avatar Nov 10 '22 21:11 jguerin

> Thank you! Looking forward to the update - do you have a rough idea of when you'll issue a new build?

Just released v2.1.5 ☺️

I'll keep this issue open for a few more days, but please lmk if it's still an issue/insufficient fix.

objective-see avatar Nov 11 '22 05:11 objective-see

Closing, as this has now been fixed in v2.1.5 (See: https://github.com/objective-see/BlockBlock/commit/ed7d7b653f609b783a3ac6b482a3845a20da03a6)

objective-see avatar Nov 11 '22 19:11 objective-see

Updated to v2.1.5, will need to wait until the next MacOS update to confirm the fix.

jguerin avatar Nov 13 '22 01:11 jguerin

Actually, just took an update on my other MacOS partition with the new build and no more prompts for kexts 👍🏼

jguerin avatar Nov 13 '22 02:11 jguerin