The recent resurgence of Hacking Team is a powerful reminder that Mac security should be taken seriously nowadays. Apple’s doing its share of the work with tools like System Integrity Protection (SIP), but a third-party tool from respected security researcher Objective-See is a must-install for anybody who wants to protect their system.
BlockBlock runs in the background at all times and monitors file system locations where apps are placed if the creator wants them to be persistent – that is, to run all the time without the user’s knowledge, and to restart invisibly when the user boots the computer. If BlockBlock detects any app trying to install persistently, it immediately alerts the user (rather like the equally invaluable Little Snitch).
There are many legitimate persistent apps. BlockBlock itself is one, of course, but Google, Microsoft and Adobe all install persistent background update checkers that ensure you get the latest versions of their software. Unless you look for these apps, you won’t even be aware they’re running until they flash up a dialog box offering you a new download.
However, malware like rootkits and botnets also needs to be persistent in order to hide from the user.
Installing and setting up BlockBlock
Download BlockBlock, double-click the installer package, and then click the Install button in the dialog box that appears. Because BlockBlock has to install itself persistently, you’ll need to type your login password when prompted.
BlockBlock will start running immediately and the only sign of this will be a new icon in the menu bar at the top right of the desktop. There is nothing to configure. BlockBlock’s preferences dialog box offers a handful of options but these are only for diagnostic purposes. Definitely do not check the “Run in passive mode” box because this will effectively turn off BlockBlock and let any app install persistently.
Dealing with a BlockBlock notification
If any app tries to install itself persistently, BlockBlock will pop up a dialog box showing details, as seen below. It’s very important to note that most apps that you get notified about will be legitimate, especially if BlockBlock’s alert pops up while you’re in the process of installing an app. However, look at the name of the app and try to work out if it’s safe. Google can help but sadly there’s no hard and fast rule, and you’ll need to use common sense.
Assuming you consider the app to be legitimate and safe, click the “Remember” checkbox and then the Allow button.
Should a BlockBlock window pop up when you’re not expecting it, be extremely wary. Should one pop up while you’re browsing the web, for example, or after you’ve just opened an email or document, then it’s very likely something is wrong. You might consider taking a screenshot of the window for further reference (tap Shift+Command+4, then tap Space, and then click the BlockBlock notification), before clicking the Block button. This will stop the app in question from installing in a persistent file system location, and remove it from your system. You should then use a virus and/or malware scanner to thoroughly scan your system. I recommend Malwarebytes Anti-Malware for Mac and BitDefender Virus Scanner, both of which are free.
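To help judge an alert, or to review what is already set to start automatically, the following added example (not part of the original article and not BlockBlock's own code) lists launchd jobs and the program each one runs, newest first. It assumes the standard macOS launchd directories, which the article does not name, and covers only that one class of persistent location.

```python
import plistlib
import time
from pathlib import Path

# Standard macOS launchd directories (an assumption: the article does not name them).
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons", "~/Library/LaunchAgents"]


def read_launch_item(plist_path):
    """Summarise one launchd job file (XML or binary plist)."""
    item = {"file": str(plist_path), "modified": plist_path.lstat().st_mtime}
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
        if not isinstance(job, dict):
            raise ValueError("top-level object is not a dictionary")
    except Exception as exc:  # unreadable or malformed: report it, keep going
        item["error"] = str(exc) or type(exc).__name__
        return item
    args = job.get("ProgramArguments")
    args = args if isinstance(args, list) else []
    item.update(
        label=job.get("Label"),
        # launchd runs Program if present, otherwise the first ProgramArguments entry
        program=job.get("Program") or (args[0] if args else None),
        arguments=args,
        run_at_load=bool(job.get("RunAtLoad", False)),
        keep_alive=bool(job.get("KeepAlive", False)),
    )
    return item


def list_launch_items(dirs=LAUNCHD_DIRS):
    """Return every launchd job found in dirs, most recently modified first."""
    items = []
    for d in dirs:
        folder = Path(d).expanduser()
        if folder.is_dir():
            items += [read_launch_item(p) for p in folder.glob("*.plist")]
    return sorted(items, key=lambda i: i["modified"], reverse=True)


if __name__ == "__main__":
    for it in list_launch_items():
        when = time.strftime("%Y-%m-%d %H:%M", time.localtime(it["modified"]))
        what = it.get("error") or f'{it["label"]} -> {it["program"]}'
        print(f'{when}  {it["file"]}\n    {what}')
```

An entry modified around the time of an unexpected alert, or one whose program path you do not recognise, is the one to look up first.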