Open Spl01ter opened 3 years ago
@Spl01ter have you possibly checked to see if this is still the case with 2.0.3?
It is still the case
I am now testing with https://github.com/RPwnage/EggShell-Community-Fork
Will clarify, but this is by design.
macOS delivers events (such as file events) via the Endpoint Security Framework.
BlockBlock subscribes to the ES_EVENT_TYPE_NOTIFY_WRITE event which (as you have noted) is delivered after the event: it's a notification event. While there are ES_EVENT_TYPE_AUTH* events (that are delivered before the event occurs), there is no ES_EVENT_TYPE_AUTH_WRITE, and BlockBlock needs a write event so we can examine what was added.
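To make the notify-only behaviour described above concrete, here is an added illustration (not BlockBlock's own code) of an Endpoint Security client that subscribes to ES_EVENT_TYPE_NOTIFY_WRITE; the LaunchAgents/LaunchDaemons path filter is an assumption for the example, and the client needs the com.apple.developer.endpoint-security.client entitlement and root to run.

```objective-c
// es_write_monitor.m: added example, not code from BlockBlock.
// Build (assumed): clang -fobjc-arc -framework Foundation -lEndpointSecurity -lbsm \
//                  es_write_monitor.m -o es_write_monitor
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <bsm/libbsm.h>

// es_string_token_t is not NUL-terminated, so copy it by length.
static NSString *tokenToString(es_string_token_t tok) {
    NSString *s = [[NSString alloc] initWithBytes:tok.data
                                           length:tok.length
                                         encoding:NSUTF8StringEncoding];
    return s ?: @"";
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
        if (msg->event_type != ES_EVENT_TYPE_NOTIFY_WRITE) return;
        // A NOTIFY event has no es_respond_* obligation: by the time this block
        // runs the write has already happened, which is why a monitor built on
        // it can only report after the fact (there is no ES_EVENT_TYPE_AUTH_WRITE).
        NSString *target = tokenToString(msg->event.write.target->path);
        NSString *writer = tokenToString(msg->process->executable->path);
        pid_t pid = audit_token_to_pid(msg->process->audit_token);
        // Assumed watch list for the example: common persistence directories.
        if ([target containsString:@"/LaunchAgents/"] ||
            [target containsString:@"/LaunchDaemons/"]) {
            NSLog(@"post-hoc write notification: %@ (pid %d) -> %@", writer, pid, target);
        }
    });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %d\n", (int)res);
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_WRITE };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        es_delete_client(client);
        return 1;
    }
    dispatch_main();  // keep the process alive; events arrive on the handler block
}
```

Because the handler receives only notifications, anything the writing process did between the write and the notification (such as loading the written script) has already occurred, which is the window the issue reports.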
When malware installs persistence (tested with https://github.com/neoneggplant/EggShell), the script is loaded into memory before detection and blocking. It is persistent as long as the user does not reboot.