
Cisco Secure Endpoint detects SupportApp as trying to evade Gatekeeper #136

Closed
d3xbot opened this issue Jul 20, 2023 · 2 comments

Comments


d3xbot commented Jul 20, 2023

When distributing the Support App, Cisco Secure Endpoint shows the following detection:

Description:

A quarantine flag is read by Gatekeeper, the security feature on macOS, to restrict execution when this file attribute is set. An attempt to remove this flag has been observed, which is unusual, and warrants further investigation. This technique can be used by malicious actors to bypass Gatekeeper protection.

File path:

file:///usr/bin/xattr

Command Line Arguments:

xattr -d -r com.apple.quarantine /Applications/Support.app

Plist file (added .txt to enable uploading to GitHub)
supportconfig.plist.txt
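The detection quoted above fires on a command line, so the check an analyst wants is one that runs over process-execution telemetry and recognises the ways `xattr` can strip `com.apple.quarantine`, not only the literal `-d -r` form. The following is an added example written for this page; it is not code from the SupportApp project, from Cisco, or from anyone in this thread. The record format (uid, tab, command line) and the sample records are constructed for the example; `quarantine_removal` and `scan_records` are names chosen here.

```python
"""Flag command lines that strip the macOS quarantine attribute.

Gatekeeper consults the com.apple.quarantine extended attribute before
letting a downloaded file run, so removing that attribute is the classic
way to sidestep it. This scans EDR-style process records for xattr
invocations that delete the attribute, including bundled short flags
(-rd) and -c, which clears every extended attribute at once.
"""
import shlex
from typing import List, Optional, Tuple

QUARANTINE_ATTR = "com.apple.quarantine"

# Constructed sample telemetry: "<uid>\t<command line>". Not real logs.
SAMPLE_RECORDS = [
    "501\t/usr/bin/xattr -d -r com.apple.quarantine /Applications/Support.app",
    "501\t/usr/bin/xattr -l /Applications/Support.app",
    "0\txattr -rd com.apple.quarantine /Applications/Support.app",
    "501\txattr -p com.apple.quarantine /Users/demo/Downloads/tool.zip",
    "501\txattr -c /Users/demo/Downloads/tool.app",
    "501\t/bin/ls -la /Applications",
]


def quarantine_removal(cmdline: str) -> Optional[str]:
    """Return a reason string if cmdline removes com.apple.quarantine, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        # Unbalanced quotes: not parseable as a shell command line.
        return None
    if not argv:
        return None
    # Accept both a bare "xattr" and a full path such as /usr/bin/xattr.
    if argv[0].rsplit("/", 1)[-1] != "xattr":
        return None

    delete = clear = False
    positional: List[str] = []
    for tok in argv[1:]:
        if tok.startswith("-") and len(tok) > 1 and not tok.startswith("--"):
            # xattr accepts bundled short flags, e.g. "-rd" == "-r -d".
            flags = set(tok[1:])
            delete = delete or "d" in flags
            clear = clear or "c" in flags
        else:
            positional.append(tok)

    if clear:
        # -c takes no attribute name: every xattr on the target goes,
        # quarantine included, so it must be flagged too.
        return "xattr -c clears all extended attributes on " + ", ".join(positional)
    # With -d the first positional argument is the attribute name,
    # the rest are the target paths.
    if delete and positional and positional[0] == QUARANTINE_ATTR:
        targets = ", ".join(positional[1:]) or "<no path>"
        return f"xattr -d {QUARANTINE_ATTR} on {targets}"
    # -l, -p, -w and deletions of other attributes are benign here.
    return None


def scan_records(records: List[str]) -> List[Tuple[str, str, str]]:
    """Return (uid, cmdline, reason) for every record that strips quarantine."""
    hits = []
    for rec in records:
        uid, _, cmdline = rec.partition("\t")
        reason = quarantine_removal(cmdline)
        if reason:
            hits.append((uid, cmdline, reason))
    return hits


if __name__ == "__main__":
    for uid, cmdline, reason in scan_records(SAMPLE_RECORDS):
        print(f"uid={uid}: {reason}\n    {cmdline}")
```

Treating `-c` as a hit matters because a reviewer of the postinstall script in this issue could replace `-d com.apple.quarantine` with `-c` and keep the same effect while slipping past a pattern that only matches the attribute name. For a properly signed and notarized app, stripping the attribute is unnecessary in the first place: Gatekeeper lets notarized software run with the flag still set.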

@kevinmcox

Probably Line 29 in the package postinstall script.

https://github.com/root3nl/SupportApp/blob/master/pkgbuild/scripts/postinstall#L28-L29

@jordywitteman (Contributor)

The specific action in the postinstall script was removed a while ago and this should be resolved.
