objective-see / BlockBlock

BlockBlock provides continual protection by monitoring persistence locations.
GNU General Public License v3.0

`mobileassetd` and macOS Ventura Beta #52

Closed chrisspiegl closed 1 year ago

chrisspiegl commented 1 year ago

Hi Team,

I just upgraded to the Ventura Beta and got a ton of BlockBlock alerts.

I am now wondering if this is expected? Or simply new behavior? I am not exactly sure how to deal with this wall of alerts.

All of them are from the process mobileassetd and they pertain to all kinds of different kext files (two examples):

/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/9420AD96-B032-45A3-B477-1B8561329D76-429-000000B53E3181D5/AssetData/payloadv2/patches/System/Library/Extensions/IOFireWireSBP2.kext
/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/9420AD96-B032-45A3-B477-1B8561329D76-429-000000B53E3181D5/AssetData/payloadv2/patches/System/Library/Extensions/AppleConvergedIPCOLYBTControl.kext
(screenshot attached: Capture 2022-09-10 at 11 23 25)

Any help would be very welcome. Thank you.

MMMXXXZZZ commented 1 year ago

This has been happening for a few months to me as well. Not very often but once it happens it's a true pain in the ass. As the paths suggest it's Mac updating kexts. @objective-see Is there a way to whitelist the "mobileassetd" process? Clicking allow on all its pop-ups does not fix it.

jguerin commented 1 year ago

Ditto. May be due to the new Ventura Rapid Security Response update process that patches the OS while it's still running?

kylehotchkiss commented 1 year ago

I am getting the error on Ventura stable:

(screenshot attached: Screenshot 2022-11-09 at 3 44 16 PM)

It spooked me as I really didn't want a random kernel extension being installed in the middle of the workday but @jguerin's note regarding rapid security response gave me the confidence to approve it on a process basis.

jguerin commented 1 year ago

I want to note that I am not a MacOS security expert and was just guessing. However, I've had to disable BlockBlock whenever I take a MacOS update due to the overwhelming number of windows.

Flashget commented 1 year ago

same here with OSX 13.01 Update

objective-see commented 1 year ago

Thanks for the bug report! ...updated the "kext"-matching regex to:

^(\/System|)\/Library\/Extensions\/[^\/]+\.(?i)kext$

Now it should only match *.kexts in /System/Library/Extensions/ or /Library/Extensions (the /[^\/] prevents sub-directory matching).

Matches: (screenshot)

No (longer) matches: (screenshot)
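
To see exactly which paths the updated pattern does and does not flag, here is an added example (not BlockBlock's own code) that applies the regex above, copied verbatim, to the two `mobileassetd` staging paths from the report plus a few constructed paths. Go's RE2 engine accepts the mid-pattern `(?i)` flag the same way ICU does, so the string needs no translation; `IsTopLevelKext` and the sample list are assumptions made for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// KextPattern is the updated BlockBlock regex from the comment above, unchanged.
// It matches a .kext bundle sitting directly inside /System/Library/Extensions
// or /Library/Extensions. The [^\/]+ segment forbids a slash in the bundle
// name, so anything nested deeper (such as the MobileAsset staging tree under
// /System/Library/AssetsV2/...) falls through. The (?i) makes only the
// trailing "kext" case-insensitive.
var KextPattern = regexp.MustCompile(`^(\/System|)\/Library\/Extensions\/[^\/]+\.(?i)kext$`)

// IsTopLevelKext reports whether the updated pattern would flag path.
// (Hypothetical helper name; BlockBlock's own matching code is not shown here.)
func IsTopLevelKext(path string) bool {
	return KextPattern.MatchString(path)
}

// samplePaths: the first two are the mobileassetd paths from the report,
// the remaining entries are constructed for this example.
var samplePaths = []string{
	"/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/9420AD96-B032-45A3-B477-1B8561329D76-429-000000B53E3181D5/AssetData/payloadv2/patches/System/Library/Extensions/IOFireWireSBP2.kext",
	"/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/9420AD96-B032-45A3-B477-1B8561329D76-429-000000B53E3181D5/AssetData/payloadv2/patches/System/Library/Extensions/AppleConvergedIPCOLYBTControl.kext",
	"/System/Library/Extensions/IOFireWireSBP2.kext",        // constructed: should match
	"/Library/Extensions/ExampleDriver.KEXT",                // constructed: should match (case-insensitive suffix)
	"/Library/Extensions/Vendor/ExampleDriver.kext",         // constructed: sub-directory, should not match
	"/Library/Extensions/ExampleDriver.kext/Contents/Info.plist", // constructed: file inside a bundle, should not match
	"/Users/someone/Library/Extensions/ExampleDriver.kext",  // constructed: not anchored at /, should not match
}

func main() {
	for _, p := range samplePaths {
		fmt.Printf("%-5t %s\n", IsTopLevelKext(p), p)
	}
}
```

Note that the pattern is anchored on the bundle path itself: a write to a file inside an existing bundle's `Contents` directory does not match this expression, so a monitor using it relies on the bundle-level event rather than on edits beneath it.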

jguerin commented 1 year ago

Thank you! Looking forward to the update - do you have a rough idea of when you'll issue a new build?

objective-see commented 1 year ago

> Thank you! Looking forward to the update - do you have a rough idea of when you'll issue a new build?

Just released v2.1.5 ☺️

I'll keep this issue open for a few more days, but please lmk if it's still an issue/insufficient fix.

objective-see commented 1 year ago

Closing, as this has now been fixed in v2.1.5 (See: https://github.com/objective-see/BlockBlock/commit/ed7d7b653f609b783a3ac6b482a3845a20da03a6)

jguerin commented 1 year ago

Updated to v2.1.5, will need to wait until the next MacOS update to confirm the fix.

jguerin commented 1 year ago

Actually, just took an update on my other MacOS partition with the new build and no more prompts for kexts 👍🏼