F-Secure XFENCE (Little Flocker)

I use Macs both at home and at work, and as a nerd, I enjoy using interesting stand-alone tools and apps to keep my environment secure. Some of my favorites are knockknock, ransomwhere?, and taskexplorer, from the objective-see website. I’ve also been recently playing around with (and enjoying)  Monitor.app from FireEye.

When I heard that Little Flocker had been acquired by F-Secure, I paid a visit to our Mac team to find out more about it. The first thing I learned: Little Flocker has been renamed F-Secure XFENCE.

Our Mac developer tasked with this project described XFENCE as a “firewall for files.” I think that sums it up pretty well.

Here’s how it works. After an initial install and reboot, the tool goes into “learning mode”. While in this mode, XFENCE builds rules based on process behaviors and file accesses it sees, so it’s wise to do the stuff you’d usually do on your system – launch applications, access common files, and that sort of thing. Upon exiting learning mode, XFENCE saves the rules it collected, and then enters protection mode, where it prompts on any “out of the ordinary” behavior (i.e., anything it didn’t create a rule for during learning mode). Interacting with XFENCE prompts will cause new rules to be created.

We’ve had behavioral blocking mechanisms on the Windows side for ages already. Integrating XFENCE/Little Flocker’s technologies into our Mac products will finally bring that security layer to macOS. However, as you might guess from my description, XFENCE is pretty much a power-user tool at the moment. Every prompt presents the owner of the system with a decision that can only be answered correctly if the user has enough knowledge of what wanted and unwanted behavior looks like. In order to make this technology friendly for non-power-users, we’ll be turning to cloud lookups.

Our security components (on all platforms) perform reputation lookups for objects such as URLs, files, and certificates. Client-side decision logic factors in the results of these queries when deciding whether to allow an executable to run or whether a website should be blocked. In a similar vein, we’ll be building mechanisms into XFENCE to allow it to query behavioral patterns. In the future, if XFENCE sees a Microsoft Word document attempting to run an executable, it’ll prevent that from happening by default, without prompting the user (in the same way that our DeepGuard component on Windows works right now). Because launching an executable from a word document is pretty much never legit behavior.

Well, almost. An analyst on our Threat Intelligence team recently recently discovered a sample in-the-wild in which an IT guy (presumably) was attempting to deploy updates to computers in his organization by emailing employees with Word docs containing embedded executables. Our product would prevent such “update mechanisms” from working. And we recommended approaching such tasks in a different (and more sane) manner. 🙂

We’ve started up a beta program for folks who would like to help us test XFENCE, and use it for free (as in beer). And we plan to add features such as the cloud lookup mechanisms I detailed here. We’re very keen on getting feedback! You can find the beta program for XFENCE here.



Articles with similar Tags