objective-see / BlockBlock

BlockBlock provides continual protection by monitoring persistence locations.
GNU General Public License v3.0

BlockBlock is not active popup; Even on uninstall #15

Closed cgarrovillo closed 3 years ago

cgarrovillo commented 3 years ago

Not so sure how to debug this so I'm posting here.

BlockBlock shows that it's not active every startup, even after installing and even if it is active. There are no logs that show either in Console.app.

objective-see commented 3 years ago

Thanks for the bug report!

A few ideas to help resolve this:

  1. Can you check if the BlockBlock daemon is running (either via Activity Monitor with View->All Processes checked):

Or via the terminal,

$ ps aux | grep -i BlockBlock

root     /Library/Objective-See/BlockBlock/BlockBlock.app/Contents/MacOS/BlockBlock
patrick  /Applications/BlockBlock Helper.app/Contents/MacOS/BlockBlock Helper
  2. Confirm that the BlockBlock item in System Prefs/Full Disk Access points to /Library/Objective-See/BlockBlock/BlockBlock.app/ (right click on it, then, "Show In Finder")

...if it does not, manually remove it, then manually add it (click '+' then /Library/Objective-See/BlockBlock/BlockBlock.app/)

cgarrovillo commented 3 years ago

Okay so it looks like the daemon didn't run at all.

christian 1365 0.0 0.6 9043872 98800 ?? Ss 11:50pm 0:20.56 /Applications/Visual Studio Code.app/Contents/MacOS/Electron /Users/christian/GitHub/BlockBlock

christian 496 0.0 0.2 4983212 26704 ?? S 11:50pm 0:00.57 /Applications/BlockBlock Helper.app/Contents/MacOS/BlockBlock Helper

This was taken right after a restart and opening up VSCode. Doing a sudo launchctl list | grep objective also yielded nada

158 0 com.objective-see.ransomwhere

What's weird is after many uninstall -> AppCleaner -> clean shutdown -> install cycles the FDA in System Preferences would be prefilled with the checkbox ticked already. (disappears on uninstall and reappears instantly ticked on re-install) After executing the line pkill -HUP -u root -f tccd that issue seems to disappear, as I had to manually add the app, but it's still broken.

cgarrovillo commented 3 years ago

One more thing I want to add, it looks like my preferences are also not being respected anymore:


and I saw in the code that there are checks regarding FDA referencing preferences.plist

Not sure if you can deduce anything out of these issues haha but figured it's a step

objective-see commented 3 years ago

No running daemon would result in both the FDA alert and the issue with the preferences.

The daemon is started via /Library/LaunchDaemons/com.objective-see.blockblock.plist ...so can you confirm that file exists?

And what happens if you manually start it? sudo launchctl load /Library/LaunchDaemons/com.objective-see.blockblock.plist

Issues/errors would be logged (visible in Console.app, filtering on BlockBlock)

...a full uninstall/re-install of BB might also fix this?

cgarrovillo commented 3 years ago

Solved. The daemon was disabled and forcefully loaded by the -w flag.

sudo launchctl load -w /Library/LaunchDaemons/com.objective-see.blockblock.plist

Weird that this persisted throughout restarts, clean install/uninstalls. The man page says the state is stored elsewhere on disk. No idea where?

I also think this might've been because I started disabling random stuff using KnockKnock.
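
An added example, not part of the original thread or the BlockBlock project: a shell script that runs the triage the thread walks through (is the daemon loaded, does the launchd plist exist, is the label disabled in launchd's override state). The function names and sample outputs are constructed; it assumes `launchctl print-disabled system`, which prints `=> true` on older macOS and `=> disabled` on newer releases.

```shell
#!/bin/sh
# Added example: triage why a launch daemon is not running.
# Function names and the sample outputs below are constructed for illustration.
LABEL="com.objective-see.blockblock"
PLIST="/Library/LaunchDaemons/$LABEL.plist"

# is_loaded LABEL: reads `launchctl list` output (PID Status Label) on stdin.
is_loaded() {
    awk -v want="$1" '$3 == want { found = 1 } END { exit !found }'
}

# is_disabled LABEL: reads `launchctl print-disabled system` output on stdin.
# Older macOS prints `"label" => true`, newer releases print `"label" => disabled`.
is_disabled() {
    awk -v want="$1" '{ gsub(/"/, "", $1) }
        $1 == want && $2 == "=>" { state = $3 }
        END { exit !(state == "true" || state == "disabled") }'
}

# diagnose LABEL LIST_OUTPUT DISABLED_OUTPUT PLIST_PRESENT(yes|no)
diagnose() {
    if printf '%s\n' "$2" | is_loaded "$1"; then
        echo "loaded"
    elif [ "$4" != yes ]; then
        echo "plist-missing"            # nothing for launchd to start
    elif printf '%s\n' "$3" | is_disabled "$1"; then
        echo "disabled-override"        # the case fixed with `launchctl load -w`
    else
        echo "not-loaded"               # try a manual load and read Console.app
    fi
}

# Constructed sample output modelled on the thread, not captured from a real host.
SAMPLE_LIST='PID Status Label
158 0 com.objective-see.ransomwhere'
SAMPLE_DISABLED='disabled services = {
    "com.objective-see.blockblock" => true
}'

if command -v launchctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    present=no
    if [ -f "$PLIST" ]; then present=yes; fi
    diagnose "$LABEL" "$(launchctl list)" "$(launchctl print-disabled system)" "$present"
else
    # Not root on macOS: run against the constructed sample instead.
    diagnose "$LABEL" "$SAMPLE_LIST" "$SAMPLE_DISABLED" yes
fi
```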