BlockBlock




Malware installs itself persistently, to ensure it's automatically (re)executed.
BlockBlock continually monitors common persistence locations and displays an alert whenever a persistent component is added to the OS.
Compatibility: OS X 10.15+
Current version: 1.0.0 beta (change log)
Zip's SHA-1:


BlockBlock is currently still a beta product. This version isn't as fully tested as Objective-See's other software, and thus may contain bugs. If you find any issues while using this beta, please submit an issue here!
Also, I'm still working on porting over all the plugins for the myriad persistence types. For now, this version only detects launch agent/daemon persistence. More persistence detections will be added soon!

To install BlockBlock, simply download it, run 'BlockBlock Installer.app', and press the 'Install' button:
Because BlockBlock utilizes Apple's new Endpoint Security Framework (to monitor for persistence), it requires system privileges. As such, during installation the OS will display an authorization prompt:
Another prerequisite of using the Endpoint Security Framework (a requirement imposed by Apple) is 'Full Disk Access'. The first time you install BlockBlock, it will instruct you how to manually give BlockBlock such disk access.
In short:
  • Click the 'Open System Preferences' button.

  • Click the 🔒 icon (bottom left of the System Preferences app) and re-authenticate.

  • In the 'Full Disk Access' table, select the check box next to BlockBlock.


Uninstalling BlockBlock

To uninstall BlockBlock, simply re-run the 'BlockBlock Installer.app'. Click 'Uninstall' to completely remove BlockBlock:
Once installed, BlockBlock will begin running and will be automatically started any time your computer is restarted, thus providing continual protection. If anything installs a persistent piece of software, BlockBlock aims to detect this and will display an informative alert:


The alert contains information such as:
  • The process responsible for the action:
    The alert contains the process name, pid, path, and arguments. There are also clickable elements on the alert to show the process's code signing information, VirusTotal detections, and process ancestry.

  • The persistent item that was installed: The alert shows both the file that was modified to achieve persistence, and the persistent item that was added.
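For launch agent/daemon persistence, the "file" is a launchd property list and the "persistent item" is the executable that plist launches. The following Python script is an added example, not BlockBlock's code (BlockBlock uses the Endpoint Security Framework rather than polling): it snapshots the standard launchd directories and reports any plist that was added or changed, together with the item it runs. The function names, directory list and snapshot-diff approach are assumptions made for illustration.

```python
import plistlib
from pathlib import Path

# Standard launchd locations: per-user agents, system-wide agents, daemons.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents",
               "/Library/LaunchDaemons"]
_ABSENT = object()  # sentinel: path did not exist in the earlier snapshot

def persistent_item(plist_bytes):
    """Return (executable, auto_start) for a launchd plist, or None if unparseable."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return None  # malformed plist: still worth reporting as a change
    if not isinstance(job, dict):
        return None
    args = job.get("ProgramArguments") or []
    exe = job.get("Program") or (args[0] if args else None)
    # RunAtLoad / KeepAlive are the keys that make launchd start the job itself.
    auto = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    return exe, auto

def snapshot(dirs=LAUNCH_DIRS):
    """Map each plist path in the given directories to its persistent item."""
    items = {}
    for d in dirs:
        base = Path(d).expanduser()
        if not base.is_dir():
            continue
        for p in sorted(base.glob("*.plist")):
            try:
                items[str(p)] = persistent_item(p.read_bytes())
            except OSError:
                items[str(p)] = None  # unreadable, e.g. insufficient access
    return items

def added_or_changed(before, after):
    """Return plists that are new, or whose persistent item differs, in `after`."""
    return {path: item for path, item in after.items()
            if before.get(path, _ABSENT) != item}

if __name__ == "__main__":
    for path, item in snapshot().items():
        print(path, "->", item)
```

Taking one snapshot as a baseline and diffing later snapshots against it gives the same two data points the alert shows: the modified file and the item it persists.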

If the process and the persisted item are trusted, simply click 'Allow'. If not, click 'Block'. Both actions will create a rule to remember your selection (unless you select 'temporarily'). If you decide to block an item, BlockBlock will remove the item from the file system, blocking the persistence.
The 'rule scope' option allows you to specify how the rule is applied. Via the drop-down, you can decide if the rule should match any combination of the process, the persistence file, and the persistence item.
Using BlockBlock (Rules)

Persistence events are either allowed or blocked based on user input, which is then turned into BlockBlock's rules. To open the rules window, click on 'Rules' in BlockBlock's status bar menu:
The 'rules' window displays these rules and allows one to manually delete them:
BlockBlock can be configured via its preferences pane. To open this pane, click on 'Preferences' in BlockBlock's status bar menu:



There are preference options to control various aspects of BlockBlock, including its alerting mode, icon mode, and whether automatic update checks are disabled: