How reliable and trustworthy are the Objective-See Security tools (KnockKnock (UI), Dynamic Hijack Scanner and BlockBlock)?

apple.stackexchange https://apple.stackexchange.com/questions/282131

Question

DHS found an issue (screenshot). Is this a false positive? Anybody else with the same message?

I installed BlockBlock. What do you think about it? Do you trust those Security tools?

BlockBlock (beta)

BlockBlock provides continual protection by monitoring persistence locations. Any new persistent component will trigger a BlockBlock alert, allowing malicious items be blocked.

URL: Free OS X Security Tools


Solution

If you look at the code in the git repos, the author of a lot of the code is Patrick Wardle who appears to be a principal security researcher for Jamf. Seems pretty trustworthy.

OTHER TIPS

I use many of their tools and this is probably not a false positive. The only currently known false positives stated on their Dynamic Hijack Scanner webpage (at the bottom) are Microsoft Messenger (mbukernel) and Microsoft Messenger Daemon (mbuinstrument).

About your scan results, I also have BitTorrent Sync installed on my Mac and I get the same message (tested on 2 other Macs). If I do a full system scan with DHS, I get many other applications that have the rpath vulnerability and the weak vulnerability, including iMovie and many Xcode tools. Please note that this is not something to be too worried about, as none of your Applications are "Hijacked" and dylib hijacking is quite a newly discovered vulnerability in OS X, and therefore you're probably not going to see any in-the-wild attacks yet. If you are of the more technical sort, you can read their slides presented on this at CanSecWest here and the technical paper here.

I do trust the tools from this company and the person behind this (Patrick Wardle) is clearly stated on their About page. He has published more of his OS X research papers that are available at the bottom of that webpage. He has also done many presentations at security conferences including DefCon, and is the Director of R&D at Synack.

KnockKnock is a tool that scans for persistently installed items on your Mac, including Kernel Extensions, Launch Items, and Login Items and lists them on the screen.

Lastly, BlockBlock is simply a tool that watches for anything that becomes persistently installed (executed every time your Mac boots up), such as malware - the tool is still in beta as of this writing.

At the end, they are all great Mac security tools to check up your Mac :).
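The "rpath vulnerability" and "weak vulnerability" findings mentioned above come from a binary's Mach-O load commands. As an added example (not Objective-See's code), the Python below parses those commands from a constructed minimal 64-bit Mach-O and reports the two candidate conditions; checking whether the named dylibs actually exist on disk, which the real scanner does, is left out.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH = 0x0C, 0x80000018, 0x8000001C

def load_commands(data):
    """Yield (cmd, raw command bytes) from a little-endian 64-bit Mach-O."""
    magic, ncmds = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 16)[0]
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize
def _lc_str(blob):
    """Resolve the lc_str at offset 8 (rpath_command and dylib_command both keep it there)."""
    start = struct.unpack_from("<I", blob, 8)[0]
    return blob[start:blob.index(b"\0", start)].decode()
def audit_dylib_loading(data):
    """Collect the load-command facts behind DHS's 'rpath' and 'weak' findings."""
    rpaths, weak, via_rpath = [], [], []
    for cmd, blob in load_commands(data):
        if cmd == LC_RPATH:
            rpaths.append(_lc_str(blob))
        elif cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name = _lc_str(blob)
            weak += [name] if cmd == LC_LOAD_WEAK_DYLIB else []
            via_rpath += [name] if name.startswith("@rpath/") else []
    return {
        "rpaths": rpaths, "weak_dylibs": weak, "rpath_dylibs": via_rpath,
        # weak: a weakly linked dylib may be absent on disk (existence not checked here)
        "weak_candidate": bool(weak),
        # rpath: an @rpath dylib is searched through more than one run-path directory
        "rpath_candidate": bool(via_rpath) and len(rpaths) > 1,
    }
def _lc(cmd, fixed, path):
    """Pack one load command: cmd, cmdsize, fixed fields, NUL-terminated string, 8-byte aligned."""
    body = fixed + path.encode() + b"\0"
    size = 8 + len(body) + (-(8 + len(body))) % 8
    return struct.pack("<II", cmd, size) + body.ljust(size - 8, b"\0")
def build_sample_macho():
    """Constructed sample: header plus four load commands, no segments (enough for the audit)."""
    dylib = struct.pack("<IIII", 24, 0, 0x10000, 0x10000)  # name offset 24, timestamp, versions
    cmds = (_lc(LC_RPATH, struct.pack("<I", 12), "/Applications/Example.app/Contents/MacOS")
            + _lc(LC_RPATH, struct.pack("<I", 12), "/usr/local/lib")
            + _lc(LC_LOAD_DYLIB, dylib, "@rpath/libHelper.dylib")
            + _lc(LC_LOAD_WEAK_DYLIB, dylib, "/usr/lib/libOptional.dylib"))
    # magic, cputype x86_64, cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 4, len(cmds), 0, 0) + cmds
```

Pointing `audit_dylib_loading` at `open(path, "rb").read()` for a real thin x86_64/arm64 binary works the same way; fat (universal) files would first need their slice offsets resolved.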

Most of the tools by objective-see seem to be provided without source code. As this precludes verification of the stated functionality and the ability to build these products yourself, security-conscious people should not install these tools. Given the fact that these tools often operate with high privileges, cautiousness is paramount.

Should I be wrong, then the information on getting the source code should at least be made more readily available.

I've installed Objective-See's tools as well as communicated a few times with Wardle about some questions.

Knock Knock seems OK and includes a built-in link to VirusTotal with each report row so you can immediately get a VT scan for the item. Neat.

Block Block seems to catch anything attempting to install for boot launching. But it's beta, so mileage may vary.

Today (4/27) Objective-See tweeted about a nasty Mac OS malware discussion posted by Checkpoint. Bundled in the tweet are screenshots of Block Block picking the malware up and giving the user a chance to block the install. (The malware at the moment is hitting European taxpayers in Checkpoint's report). A handful of VirusTotal's AV agents have just begun to pick it up. The fact that Block Block detected it by process and not a whitelist is exciting.

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange