objective-see / BlockBlock

BlockBlock provides continual protection by monitoring persistence locations.
GNU General Public License v3.0
619 stars 38 forks

Duplicate rules for TeamsUpdaterDaemon #48

Open jguerin opened 1 year ago

jguerin commented 1 year ago

This issue might be unique to me, as I'm dogfooding Teams, but I'm getting tons of duplicate rules for the same TeamsUpdaterDaemon in BlockBlock:

image

This might be due to the plist constantly being modified - is this causing BlockBlock to see it as a new item? Given that it's the same plist, shouldn't it just go through the existing allow rule?

apfrod commented 1 year ago

I am seeing the same issue but for bash (com.apple.bash) file: /Library/LaunchAgents/com.kaseya.update.plist

objective-see commented 1 year ago

@jguerin / @apfrod can you post a copy of the plists?

The issue is BlockBlock isn't able (for some reason) to pull out the item that is being persisted (from the plist) ...hence shows "item: not specified" ...hence creates multiple rules.

Seeing the plists would help track down why this is this case! Thanks!

jguerin commented 1 year ago

Here's what's in the TeamsUpdater plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.microsoft.teams.TeamsUpdaterDaemon</string>
    <key>MachServices</key>
    <dict>
        <key>com.microsoft.teams.TeamsUpdaterDaemon</key>
        <true/>
    </dict>
    <key>Program</key>
    <string>/Applications/Microsoft Teams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/TeamsUpdaterDaemon</string>
</dict>
</plist>

Let me know if you need an actual copy of it.

apfrod commented 1 year ago

Sorry, my plist seems to no longer be there. But here is /Library/LaunchAgents/com.kaseya.kusrtsk.plist from the same vendor:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.kaseya.KUsrTsk</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/KUsrTsk.app/Contents/MacOS/KUsrTsk</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
</dict>
</plist>
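objective-see's diagnosis above is that the rule ends up keyed on "item: not specified" because the persisted executable was not pulled out of the plist, so every modification looks like a new item. The following is an added example, not BlockBlock's own code: a small launchd-plist extractor that handles both a `Program` string (the Teams plist) and a `ProgramArguments` array (the Kaseya plist), and shows that a rule keyed on the recovered item collapses repeated writes of the same plist into one rule. The plist copies and the file path are constructed from the thread.

```python
import plistlib

# Constructed from the plists posted in this thread (DOCTYPE omitted; plistlib does not need it).
TEAMS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.microsoft.teams.TeamsUpdaterDaemon</string>
<key>MachServices</key><dict><key>com.microsoft.teams.TeamsUpdaterDaemon</key><true/></dict>
<key>Program</key><string>/Applications/Microsoft Teams.app/Contents/TeamsUpdaterDaemon.xpc/Contents/MacOS/TeamsUpdaterDaemon</string>
</dict></plist>"""

KASEYA_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.kaseya.KUsrTsk</string>
<key>ProgramArguments</key><array><string>/Applications/KUsrTsk.app/Contents/MacOS/KUsrTsk</string></array>
<key>RunAtLoad</key><true/>
<key>LimitLoadToSessionType</key><string>Aqua</string>
</dict></plist>"""


def persisted_item(plist_bytes):
    """Return (label, executable) for a launchd plist, or None if no executable is found.

    launchd takes the executable either from a `Program` string or from the first
    element of a `ProgramArguments` array; an extractor that only checks one of the
    two forms reports "not specified" for the other and cannot match an existing rule.
    """
    info = plistlib.loads(plist_bytes)
    label = info.get("Label")
    program = info.get("Program")
    if program is None:
        args = info.get("ProgramArguments")
        if isinstance(args, list) and args:
            program = args[0]
    if not isinstance(label, str) or not isinstance(program, str):
        return None
    return label, program


def distinct_rules(events):
    """Given (plist_path, plist_bytes) write events, return the set of rule keys.

    Keying on (path, label, executable) means repeated rewrites of the same plist
    by the same program produce one rule instead of one per write.
    """
    rules = set()
    for path, data in events:
        item = persisted_item(data)
        if item is not None:
            rules.add((path, *item))
    return rules
```

A plist whose executable cannot be recovered is deliberately left out of the rule set rather than keyed on a placeholder, since a placeholder key is what produces the duplicates described above.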