BlockBlock continually monitors common persistence locations and displays an alert whenever a persistent component is added to the OS.
Compatibility: OS X 10.15+
Current version: 1.0.0 beta (change log)
Zip's SHA-1:
BlockBlock is currently still a beta product. This version isn't as fully tested as Objective-See's other software, and thus may contain bugs. If you find any issues while using this beta, please submit an issue here!
Also, I'm still working on porting over all the plugins for the myriad persistence types. For now, this version only detects launch agent/daemon persistence; more persistence detections will be added soon!
To install BlockBlock, simply download it, run 'BlockBlock Installer.app', and press the 'Install' button:
Because BlockBlock utilizes Apple's new Endpoint Security Framework (to monitor for persistence), it requires system privileges. As such, during installation the OS will display an authorization prompt:
Another prerequisite of using the Endpoint Security Framework (imposed by Apple) is 'Full Disk Access'. The first time you install BlockBlock, it will instruct you how to manually give BlockBlock such disk access.
In short:
- Click the 'Open System Preferences' button.
- Click the 🔒 icon (bottom left of the System Preferences app) and re-authenticate.
- In the 'Full Disk Access' table, select the check box next to BlockBlock.
Uninstalling BlockBlock
To uninstall BlockBlock, simply re-run the 'BlockBlock Installer.app'. Click 'Uninstall' to completely remove BlockBlock:
Once installed, BlockBlock will begin running and will be automatically started any time your computer is restarted, thus providing continual protection. If anything installs a persistent piece of software, BlockBlock aims to detect this and will display an informative alert:
The alert contains information such as:
- The process responsible for the action: The alert contains the process name, pid, path, and arguments. There are also clickable elements on the alert to show the process's code signing information, VirusTotal detections, and process ancestry.
- The persistent item that was installed: The alert shows both the file that was modified to achieve persistence, and the persistent item that was added.
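As an added example (not part of BlockBlock or Objective-See's code), this Python script reads launch agent/daemon property lists and reports the two things the alert distinguishes: the file that achieves persistence and the item it would run. The sample plist, its label and its path are constructed; the directory list is the standard launchd locations.

```python
import plistlib
from pathlib import Path

# Standard launchd locations on macOS (per-user, local, system-wide daemons).
LAUNCH_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Constructed sample: a launch agent that starts a hidden binary at login.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.updater</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

def persistent_item(plist_bytes):
    """Return what a launchd job would execute and whether it starts by itself."""
    job = plistlib.loads(plist_bytes)
    if not isinstance(job, dict):
        raise ValueError("top-level plist object is not a dictionary")
    argv = job.get("ProgramArguments") or []
    # launchd executes 'Program' when present, otherwise ProgramArguments[0].
    item = job.get("Program") or (argv[0] if argv else None)
    return {
        "label": job.get("Label"),
        "item": item,
        "argv": argv,
        # KeepAlive may be a boolean or a dictionary of conditions.
        "auto_start": bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive")),
    }

def scan(dirs=LAUNCH_DIRS):
    """Yield (plist path, parsed job or error string) for each launchd plist."""
    for d in dirs:
        for path in sorted(Path(d).glob("*.plist")):
            try:
                yield path, persistent_item(path.read_bytes())
            except Exception as exc:  # malformed or unreadable: report it, never skip
                yield path, f"unparsable: {exc}"

if __name__ == "__main__":
    print("sample:", persistent_item(SAMPLE))
    for path, result in scan():
        print(path, result)
```

Property lists that fail to parse are reported rather than skipped, so a malformed file in a persistence directory still gets reviewed.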
The 'rule scope' option allows you to specify how the rule is applied. Via the drop-down, you can decide whether the rule should match any combination of the process, the persistence file, and the persistence item.
Using BlockBlock (Rules)
Persistence events are either allowed or blocked based on user input, and these decisions are then turned into BlockBlock's rules. To open the rules window, click on 'Rules' in BlockBlock's status bar menu:
The 'rules' window displays these rules and allows you to manually delete them:
BlockBlock can be configured via its preferences pane. To open this pane, click on 'Preferences' in BlockBlock's status bar menu: