Detect and thwart file copy operations using a security extension.

For a security product, I wonder if a security extension has the capability to catch a file during a copy operation (I guess it's composed of multiple basic ops like file read and file write).

I'd like to store the file in some quarantine temporarily (let's say when someone copies a file from an external file system like a USB/network location) and copy it back once the file has been properly scanned.

So far, I've used the authorization capabilities of the security extension. I wonder if there's also an option to change the target location of a file being copied?

Thanks.

Replies

I guess it's composed of multiple basic ops like file read and file write

That’s correct. If your goal is to block Finder copies specifically, it’s very hard for an ES client to infer that operation based on the low-level operations it sees. I talk about this in some detail in Inferring High-Level Semantics from Low-Level Operations.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for your quick reply, Quinn. I see that in your post you specifically refer to one of the use cases I'm trying to implement, which is to catch file copying (either from Finder or from Terminal using cp) to a remote file storage device. Perhaps you can give me some guidelines for how to approach this issue? Does ES have a high-level interface for file copying? Perhaps I should use DriverKit to catch the data being copied and block it until scanned...

Perhaps you can give me some guidelines for how to approach this issue?

No, sorry. The whole point of that post is to explain the limits of my help in scenarios like this. In the absence of ES supporting a high-level authorise-file-copy operation, you have to infer that from lower-level operations, and the heuristics you use for this inference are your concern.

Perhaps I should use DriverKit to catch the data being copied and block it

Going lower in the stack only makes these problems worse.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
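The inference Quinn describes above (ES has no authorise-file-copy event, so a client has to correlate the low-level open/close events itself) as an added example, not code from this thread, from Apple, or from any shipping product. It is a Python simulation of one possible heuristic run over a constructed event stream: the Event fields mirror what an ES client receives on ES_EVENT_TYPE_NOTIFY_OPEN, NOTIFY_CLOSE and NOTIFY_EXIT, but nothing here calls the real API (a production client is a native system extension written against the C API). The "/Volumes/ means external" rule, the equal-size rule and the sample process IDs and paths are all assumptions. It covers both directions raised in the thread: a copy in from a USB volume and a copy out to network storage.

```python
"""Inferring a file copy from low-level Endpoint Security-style events.

Added example, not code from the thread or from Apple. The events are
constructed by hand to mirror the fields an ES client sees on
ES_EVENT_TYPE_NOTIFY_OPEN / NOTIFY_CLOSE / NOTIFY_EXIT; nothing here talks
to a real es_client, and every rule below is a heuristic we chose, not
something ES provides.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

EXTERNAL_PREFIX = "/Volumes/"   # assumption: USB/network mounts appear here


@dataclass(frozen=True)
class Event:
    pid: int
    kind: str                # "OPEN", "CLOSE" or "EXIT"
    path: str = ""
    size: int = 0            # st_size from the event's es_file_t stat data
    writable: bool = False   # OPEN: file opened with write access
    modified: bool = False   # CLOSE: es_event_close_t.modified


def is_external(path: str) -> bool:
    """Assumed volume classification: anything under /Volumes/ is external."""
    return path.startswith(EXTERNAL_PREFIX)


class CopyInferrer:
    """Per-process correlation of opens and closes into "probable copy" verdicts.

    Heuristic (ours, not an ES feature): a process that opened file A read-only
    and later closes a modified file B of exactly the same size, where A and B
    are on different sides of the external/internal boundary, has most likely
    copied A to B.
    """

    def __init__(self) -> None:
        self._sources: Dict[int, Dict[str, int]] = defaultdict(dict)  # pid -> {src path: size}
        self._targets: Dict[int, Set[str]] = defaultdict(set)         # pid -> {paths opened for write}
        self.copies: List[Tuple[int, str, str]] = []                  # (pid, src, dst)

    def handle(self, ev: Event) -> None:
        if ev.kind == "EXIT":
            # Correlation state only makes sense for the lifetime of the process.
            self._sources.pop(ev.pid, None)
            self._targets.pop(ev.pid, None)
        elif ev.kind == "OPEN":
            if ev.writable:
                self._targets[ev.pid].add(ev.path)
            else:
                self._sources[ev.pid][ev.path] = ev.size
        elif ev.kind == "CLOSE":
            if ev.modified and ev.path in self._targets[ev.pid]:
                self._targets[ev.pid].discard(ev.path)
                for src, size in self._sources[ev.pid].items():
                    if size == ev.size and is_external(src) != is_external(ev.path):
                        self.copies.append((ev.pid, src, ev.path))
                        break


def infer_copies(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Run the heuristic over an ordered event stream and return the verdicts."""
    inferrer = CopyInferrer()
    for ev in events:
        inferrer.handle(ev)
    return inferrer.copies


# Constructed sample stream (not captured from a real system):
#   pid 501 behaves like `cp /Volumes/USB/report.pdf ~/Downloads/`
#   pid 502 reads an external file but writes an unrelated log
#   pid 503 writes a local file without reading anything
#   pid 504 copies a local document out to a network share
#   pid 505 copies one local file to another local file (no boundary crossed)
SAMPLE_EVENTS = [
    Event(501, "OPEN", "/Volumes/USB/report.pdf", size=4096),
    Event(501, "OPEN", "/Users/me/Downloads/report.pdf", writable=True),
    Event(501, "CLOSE", "/Users/me/Downloads/report.pdf", size=4096, modified=True),
    Event(501, "CLOSE", "/Volumes/USB/report.pdf", size=4096),
    Event(501, "EXIT"),
    Event(502, "OPEN", "/Volumes/USB/notes.txt", size=120),
    Event(502, "OPEN", "/Users/me/Library/Logs/app.log", writable=True),
    Event(502, "CLOSE", "/Users/me/Library/Logs/app.log", size=9000, modified=True),
    Event(503, "OPEN", "/Users/me/scratch.txt", writable=True),
    Event(503, "CLOSE", "/Users/me/scratch.txt", size=4096, modified=True),
    Event(504, "OPEN", "/Users/me/secret.docx", size=2048),
    Event(504, "OPEN", "/Volumes/share/secret.docx", writable=True),
    Event(504, "CLOSE", "/Volumes/share/secret.docx", size=2048, modified=True),
    Event(505, "OPEN", "/Users/me/a.bin", size=10),
    Event(505, "OPEN", "/Users/me/b.bin", writable=True),
    Event(505, "CLOSE", "/Users/me/b.bin", size=10, modified=True),
]

if __name__ == "__main__":
    for pid, src, dst in infer_copies(SAMPLE_EVENTS):
        print(f"pid {pid}: probable copy {src} -> {dst}")
```

Two caveats a practitioner would want before building on this. First, the verdict is only available once the destination is closed, by which point the bytes are already on disk, so this shape of heuristic can detect and quarantine after the fact but cannot feed an AUTH decision that blocks the write; anything stricter has to guess at open or write time with even less information, which is exactly the difficulty Quinn's post describes. Second, the equal-size rule is coarse: a process that reads one file and writes a different file of the same length trips it, and a copy within a single APFS volume may go through clonefile(2), which never opens the destination for writing and is reported by ES as a separate clone event rather than the open/close pair this code expects.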