
BlockBlock 2.2.2

Monitors common persistence locations and alerts whenever a persistent component is added

Category: Utilities
Price: Free
Popularity: Medium
Version String: 2.2.2
Release Date: 2024-03-22
Architecture: Intel & AppleSilicon(ARM)
Minimum OS: macOS 10.15
Vendor Name: Objective-See, LLC
Homepage: objective-see.org

Version History 2.2.2

You can find release notes for this version here: [github.com]

Description:

Malware installs itself persistently to ensure it's automatically (re)executed.

BlockBlock monitors common persistence locations and alerts whenever a persistent component is added.


Using BlockBlock (Alerts)

Once installed, BlockBlock will begin running and will be automatically started any time your computer is restarted, thus providing continual protection. If anything installs a persistent piece of software, BlockBlock aims to detect this and will display an informative alert.

The alert contains information such as:

▪ The process responsible for the action: The alert contains the process name, pid, path, and arguments. There are also clickable elements on the alert to show the process's code signing information, VirusTotal detections, and process ancestry.

▪ The persistent item that was installed: The alert shows both the file that was modified to achieve persistence as well as the persistent item that was added.

If the process and the persisted item are trusted, simply click 'Allow'. If not, click 'Block'. Both actions will create a rule to remember your selection (unless you selected the 'temporarily' checkbox). If you decide to block an item, BlockBlock will remove the item from the file system, blocking the persistence.

The 'rule scope' option allows you to specify how the rule is applied. Via the drop-down, you can decide whether the rule should match any combination of the process, the persistence file, and the persistence item.

All alert responses are logged to: /Library/Objective-See/BlockBlock/BlockBlock.log.


Using BlockBlock (Rules)

Persistence events are either allowed or blocked, based on user input, and those decisions are then turned into BlockBlock's rules. To open the rules window, click on 'Rules' in BlockBlock's status bar menu.

The rules window displays these rules and also allows you to manually delete rules.


Using BlockBlock (Preferences)

BlockBlock can be configured via its preferences pane. To open this pane, click on 'Preferences' in BlockBlock's status bar menu.

There are preference options to control various aspects of BlockBlock including its alerting mode, icon mode, and to disable automatic update checks.


Does an alert mean I've been infected?
Not necessarily! By design, BlockBlock strives to alert you any time it detects that a persistent component has been added to the system. There are many legitimate reasons why something benign would be persisted. For example, BlockBlock persistently installs itself so it can provide continual protection!

Of course, malware persists as well. As such, you should closely examine and understand any alert, especially before approving it!