F-Secure XFENCE for Mac is a security and privacy tool to help protect your personal data from being deleted, ransomed, or stolen by malware, and to help detect system compromises or applications that are not respecting your privacy. F-Secure XFENCE helps protect against ransomware, spyware, misbehaving applications, and other threats to your data by requiring that applications get your permission before reading or writing to your personal files.

But F-Secure XFENCE protects more than just your files. It also requires applications get your permission before they can use your webcam, install new startup programs, take control of other programs, eavesdrop on your Internet connection, and more. F-Secure XFENCE also actively monitors for keyboard eavesdropping, microphone use, and other activities that can affect your privacy.

Security should always be thought of in terms of layers. F-Secure XFENCE is one of many solutions that, combined, can help to improve the security of your computer system.

One of the worst parts about being compromised is not knowing it, and having your data stolen or ransomed right out from under your nose. F-Secure XFENCE works with macOS’ built-in security features to deliver a more secure environment for your data to live, and to notify users when suspicious activities are occurring.

Between spyware, ransomware, trojans, misbehaving applications, backdoored software, government NITs, and other threats, detecting compromises can require extra layers of security. F-Secure XFENCE increases the cost and time required of malware authors by protecting your data at a level closely tied to the operating system.

Technical Description

In its most technical terms, F-Secure XFENCE is a programmable macOS extension that enforces file access and system behavior policies using macOS's mandatory access control framework (MACF). This framework began life in BSD many moons ago, and was later adopted into the Darwin/XNU kernel; it's used by Apple to hook a number of tasks related to SIP and sandboxing on macOS and iOS. This framework allows F-Secure XFENCE to preemptively intercept every file operation, and a host of other types of activities on the system, and analyze them against a set of policies that are programmed into the kernel at boot time. Even if malware should get root on your system, F-Secure XFENCE continues to enforce the user's rules, and cannot be unloaded from the operating system. F-Secure XFENCE also has its own form of integrity protection to protect itself from being tampered with.

F-Secure XFENCE comes in three core pieces: the kernel extension, which contains a live copy of all active rules, a helper daemon that programs the kernel module at boot time, and a user space client that presents prompts to the user and a status bar to control F-Secure XFENCE. At a kernel level, malware is prevented from tampering with any of these.

Supported Operating Systems

El Capitan (macOS 10.11)

Sierra (macOS 10.12)

Compatibility Warnings

F-Secure XFENCE presently has a compatibility addendum for the following software suites:

ESET Cyber Security Suite

McAfee Virus Scan

McAfee Endpoint Protection

Kaspersky Antivirus and Internet Security

Hands Off!

Please see the addendum at the end of this document for these products.


Real-time, aggressive protection against unauthorized access to your files. Defend against ransomware, spyware, trojans, back doors, or other malicious programs that might attempt to steal, encrypt, or destroy your personal files

Monitor applications to ensure they aren’t misbehaving, and are respecting your personal privacy by staying out of areas they shouldn’t be in

Protect your removable media (Time Machine drives, USB sticks, external hard disks, and so on) from being accessed by applications without your permission

Choose which applications are allowed to use your webcam, and which can’t, block it completely, or require authorization for every use

Block applications from eavesdropping on your Internet connection without your permission

Receive eavesdropping notifications when your microphone or webcam are in use, or when an application is intercepting your keyboard presses or mouse clicks

Prevent malware from taking control of other programs on your computer

Prevent applications from installing persistent processes, or junk that runs at startup, which can slow down your computer

Prevent malware from running within your home directory

Protect the pairing records your computer uses to talk wirelessly to your iPhone, iPad, and other iOS devices

A user-friendly interface to manage F-Secure XFENCE, edit rules, and receive notifications

“Learning Mode” that can be used to train F-Secure XFENCE for new applications, if you don’t want to click through initial popups

Restrictive “parental controls” style options for non-admin users

Simple mode for non-technical users

Much more!

Technical Capabilities

Full file access control based on user rules: read, write, create, and execute

Local and network disk mount and access control

AppleScript component access control

Webcam component access control

Berkeley Packet Filter device control

Launch daemon, agent, and login item control

Binary execution and signature validation control

Attach and debugging control via task_for_pid

Pairing record file access control

CoreMediaIO and CoreAudio monitoring (microphone and webcam)

Event Tap monitoring (keyboard and mouse loggers)

NVRAM write control (advanced)

Kernel extension load control (advanced)

Installing F-Secure XFENCE for Mac

Verifying Authenticity of the Software

The installer package (and all the code it contains) is signed with F-Secure’s signing certificates. You can verify the authenticity of the installer package using the pkgutil command:

$ cd /Volumes/F-Secure\ XFENCE/
$ pkgutil --check-signature Install\ F-Secure\ XFENCE.pkg
Package "Install F-Secure XFENCE.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: F-Secure Corporation
       SHA1 fingerprint: 6B 8A 26 62 64 D1 B4 5A 49 03 C2 69 3E 59 6D A0 63 80 74 C0
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
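The check above can be scripted so that the signer name and leaf fingerprint are compared against pinned values instead of being read by eye. This is an added example, not part of the original guide or of F-Secure's tooling; it parses only the output layout shown above, and the function names and the embedded sample text are constructed for illustration.

```python
import re
import subprocess

# Leaf certificate values pinned from the transcript in this guide.
PINNED_NAME = "Developer ID Installer: F-Secure Corporation"
PINNED_SHA1 = "6B 8A 26 62 64 D1 B4 5A 49 03 C2 69 3E 59 6D A0 63 80 74 C0"

# Constructed sample: the pkgutil output shown above, so the parser runs offline.
SAMPLE_OUTPUT = '''Package "Install F-Secure XFENCE.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: F-Secure Corporation
       SHA1 fingerprint: 6B 8A 26 62 64 D1 B4 5A 49 03 C2 69 3E 59 6D A0 63 80 74 C0
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
'''


def normalize(fingerprint):
    """Uppercase hex with separators removed, so spacing differences do not matter."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def parse_check_signature(text):
    """Return (status, [(subject, sha1_hex), ...]) from pkgutil --check-signature output."""
    status, chain, subject = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Status:\s*(.+)", line)
        if m:
            status = m.group(1)
            continue
        m = re.match(r"\d+\.\s+(.+)", line)          # "1. <certificate subject>"
        if m:
            subject = m.group(1)
            continue
        m = re.match(r"SHA1 fingerprint:\s*((?:[0-9A-Fa-f]{2}\s*){20})$", line)
        if m and subject is not None:
            chain.append((subject, normalize(m.group(1))))
            subject = None
    return status, chain


def verify(text, name=PINNED_NAME, sha1=PINNED_SHA1):
    """Return (ok, reason): trusted status first, then leaf signer name and fingerprint."""
    status, chain = parse_check_signature(text)
    # Status string as it appears in the transcript above.
    if status is None or not status.startswith("signed by a certificate trusted"):
        return False, "not signed by a trusted certificate: %r" % status
    if not chain:
        return False, "no certificate chain in output"
    leaf_name, leaf_fp = chain[0]
    if leaf_name != name:
        return False, "unexpected signer: %s" % leaf_name
    if leaf_fp != normalize(sha1):
        return False, "leaf fingerprint mismatch: %s" % leaf_fp
    return True, "signer and fingerprint match the pinned values"


def check_package(path):
    """Run pkgutil on macOS against a real package and verify its output."""
    result = subprocess.run(["pkgutil", "--check-signature", path],
                            capture_output=True, text=True)
    return verify(result.stdout)
```

On a Mac, check_package("/Volumes/F-Secure XFENCE/Install F-Secure XFENCE.pkg") applies the same comparison to the mounted installer.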


For more information about F-Secure code signing certificates, see:

https://community.f-secure.com/t5/Common-topics/F-Secure-code-signing/ta-p/77546

Step 1: Install the F-Secure XFENCE Package

To install, open the .dmg, then double-click the file named Install F-Secure XFENCE.pkg. As an additional step of verifying the software's authenticity, you can click the lock in the upper-right hand corner of the installer's menu bar to view the developer's code signing information.

If you are upgrading F-Secure XFENCE, be sure to disable it first from the menu bar, otherwise the installation will fail.

Follow the instructions as you are guided through the installation process. A reboot will be required after installation. When the system reboots, you’ll see F-Secure XFENCE’s menu on your status bar.

You must log into an admin account to finish the first run, and wait until first run mode exits. See the instructions in this document for provisioning non-admin accounts.

Step 2: Let F-Secure XFENCE Profile Your System

The first time you log back in, you’ll be prompted to allow F-Secure XFENCE to analyze your system. This is a one-time activity to learn all of your system’s startup processes and suggest rules for them so that you’re not bombarded with popups out of the gate. During this period, keep your system idle and don’t launch applications; wait until you are confident that your login applications have finished loading, then click the button at the bottom. As a precaution, F-Secure XFENCE will automatically time out this profiling mode after four minutes.

During the profiling period, you’ll see a small bulb indicator appear next to the F-Secure XFENCE icon. The light bulb indicates that F-Secure XFENCE is in Learning Mode, and is identifying all of your startup processes. When you’ve ended this process, the indicator will disappear. If F-Secure XFENCE detected any startup applications, all of the activity that F-Secure XFENCE has learned will be presented to you as a list of suggested rules. These are rules that F-Secure XFENCE has created based on what runs at startup on your system.

Any rules learned during the first run, or whenever using Learning Mode, are only temporary until the user imports them.

Review the rules and uncheck any that you don’t want. For example, a virus scanner may have triggered a dozen or more rules, because it accesses everything on the system - but what you really want to do is uncheck all of them, then add a rule later on to allow your virus scanner to access “any” files. F-Secure XFENCE does its best to try and reduce redundant paths, but sometimes this may require a bit of fine tuning.

When finished reviewing the suggestions, click Import to import them into your ruleset. When you exit the rules editor, your rules will be automatically reloaded.

F-Secure XFENCE will go through a similar process if any program makes an unauthorized access attempt during boot, and will prompt you with the new rule suggestions after you’ve finished booting. This is called fail-safe mode, except during fail-safe mode, unauthorized applications will be denied access instead of allowed.

Reviewing Defaults

By clicking Show System Rules in the rules editor, you can view all of the active system rules that are preloaded into F-Secure XFENCE. These rules are read-only when viewed in the rules editor, and cannot be directly altered. The default rules are designed to err on the side of security, and most can be overridden by adding a counter-rule to your own rule set.

You can override system rules by creating a counter-rule in the rules editor. F-Secure XFENCE will give your rule preference over an identical system rule.


A number of settings can be changed in F-Secure XFENCE’s preferences, accessible from the menu bar.

Lock Screen Prompts

Prompts are presented while the system is locked, and will be treated with the same behavior as a non-admin user. If non-admin users are allowed to create rules, then rules can also be created on the lock screen. If non-admin users are not allowed to create rules, then any rules created on the lock screen will first be presented to an administrator before they’re made permanent. If you don’t want to allow prompts from the lock screen, uncheck the box Allow screen prompts while locked or logged out. Be warned, this means any requests for access that occur on the lock screen will automatically be denied. This can include third party background applications, remote ssh sessions, and other types of activity that might otherwise need attention from the lock screen. The default assumes that anyone with physical access to a machine can probably be trusted to at least temporarily approve an access request. It is recommended that you leave this feature turned on unless there is a valid reason to turn it off where you are both (1) concerned about physical security and (2) concerned about unauthorized users acknowledging F-Secure XFENCE prompts from the console.

Non-Admin Users

By default, non-admin accounts will not be able to create permanent rules, but only temporarily allow or deny operations. This allows for easy management of a typical parental-control like setup, so that an administrator can create the initial rules for the system, leaving other family members without the ability to make any permanent alterations. If you would like to enable rules editing for non-admin users, check the box Allow non-admin users to create rules.

By enabling non-admin rules editing, you're also allowing them to create rules outside of their home folder, including rules that can affect your own home folder or the entire system. You can restrict this by checking the box Restrict non-admin rules to the user’s home folder. Note that you will then want to set up some basic rules for all users to make their lives easier, such as Finder access and access for popular applications. When this restriction is enabled, users will not be able to respond to prompts from outside their home directory, so be sure to account for any such possibilities (such as /Volumes) in your admin user rules.

The Level of Detail menu allows you to choose the level of detail a non-admin user sees by default.

Monitoring Policies

By default, F-Secure XFENCE monitors a number of behaviors that affect your personal privacy, over and above file access. F-Secure XFENCE will prompt you when any application is launched that accesses the webcam, whenever an application attempts to install or change startup programs (such as a launch daemon, agent, or login item), when a program attempts to execute from inside your home directory (except for ~/Applications), and when a program tries to take control of another program (by invoking task_for_pid, used by debuggers, cycript, and other tools). If you wish to turn any of these monitors off, uncheck the box next to the corresponding preference.

Whitelisting policies can also be changed from the policy section of the preferences window. By default, preloaded Apple applications come with a set of rules used by F-Secure XFENCE to allow basic access to application-specific content (such as Photos having access to your default photo album). These can be disabled if you wish to manually approve access for these items.

Signed Applications

If you wish to allow signed binaries to execute from the home directory without a prompt, check the box Allow all signed applications execute permission. This was designed for certain advanced rulesets that can be imported, such as the System Execution Monitor; the two can be used in tandem to monitor for unsigned execution from anywhere on the system.

Touch Bar

If you are concerned about malware controlling the mouse or keyboard of your system, and your system is equipped with a Touch Bar, you can check the box Require Touch Bar to respond to prompts. This is only necessary for highly secure (or highly paranoid) installations, and it’s a good idea to enable this feature only after you’ve set up your initial application rules, for mere sanity’s sake. You can also choose to require authentication in order to click allow for any prompts; a feature you may wish to turn on after configuring F-Secure XFENCE.

Software Composed Keypresses and Mouse Clicks

By default, software composed keypresses and mouse clicks (that is, interaction that is simulated by unprivileged software) are ignored. If you are using VNC remote desktop software, or certain mouse or keyboard managers, click Allow software-composed mouse clicks and keypresses to allow these applications to respond to prompts. Note that this somewhat compromises security by allowing malware to also control your mouse and keyboard; in most cases, such behavior is visible to the user.

Authentication

As a final means of screen security, you can require authentication either by password or Touch ID for every "allow" prompt by checking the box Require authentication to approve prompts.

Eavesdropping Notifications

F-Secure XFENCE includes several live activity monitors that notify you of eavesdropping activity on your system, such as programs that intercept keyboard presses, or when your microphone becomes active. Some applications have a legitimate need to monitor keystrokes, such as virtual machines. Other tools, such as Adobe Photoshop, have legitimate cause to monitor mouse clicks. Obviously, applications such as Facetime have a legitimate reason to activate the microphone and webcam. Use your best judgment in discerning whether the warning poses an actual threat.

If one particular application performs heavy switching of monitoring, clicking the Ignore button will present a menu allowing you to ignore the application until a restart or forever. Each individual live monitor can be enabled or disabled directly from the Live Monitoring menu on the F-Secure XFENCE menu bar.

Miscellaneous Settings

By default, the user guide is opened whenever F-Secure XFENCE is installed or updated. If you would like to prevent this for future updates, disable F-Secure XFENCE, run the following command, and then re-enable it.

defaults write \
    "/Users/Shared/F-Secure XFENCE/com.fsecure.XFENCE.preferences.plist" \
    ui.postinstall.manual -integer 2

We've buried this in the user guide to ensure you've read it.

Using F-Secure XFENCE

Using F-Secure XFENCE should be a pleasant experience. The user interfaces provide content whenever an unauthorized access takes place. Once rules have been initially set up, F-Secure XFENCE should be relatively quiet until it’s needed. This section will help you to configure F-Secure XFENCE in a way that you are not bothered very often.

Responding to Access Prompts

When an application attempts to access content that you’ve not previously granted access to, you'll be prompted with a drop-down menu displaying the possible directory paths you can choose to allow or deny. For best results, choose the shortest path specific to the application; for example, ~/Library/Application Support/Adobe/ would be a good choice to allow Adobe applications, so that you're confining the application to subfolders specifically for Adobe software. This will avoid being prompted more often for folders inside the Adobe folder, which is unnecessary. F-Secure XFENCE will make initial recommendations when possible, by highlighting the default that it thinks is most suitable. It may not always be the best option, however, and you are free to override this.

You will also be able to select how long a rule should take effect for.

Once: You'll be prompted the next time the application needs access

Until Quit: The application will be allowed access until it quits

Until Restart: The application is allowed access until you restart your computer, reload your rules, or disable and re-enable F-Secure XFENCE.

Forever: A rule will be added to your rules file and access is perpetual unless deleted

Simple Mode vs. Power User Mode

F-Secure XFENCE allows you to switch between two modes from the menu bar: Simple Mode and Power User Mode.

Simple Mode presents you with minimal details, and is ideal for non-technical users or users who don’t need as much control over applications. Simple Mode will typically only present you with the top-level folder that the application is requesting access to, such as your Documents folder, for example. This can be much more convenient for those who don’t need to create complex policies.

The downside to this is that you’re granting much broader access rights to applications. What you gain in having a much simpler interface, you lose in the ability to see some of the finer grained activities going on in your system.

In Simple mode, F-Secure XFENCE can’t provide as strong protection as it can when in its default standard mode, however it provides what many would consider “good enough” protection.

In contrast to Simple Mode, the default standard mode gives the user much more control over access rights, and much more information about what the application is doing.

In this mode, process and parent information is presented to the user, along with details about the file being accessed. The user may also select a path from a dropdown list. By clicking the process name, new rules can be created for a variety of different process spawning configurations, or you can even grant a broad permission to every application at once. This mode also includes a Once option, allowing the user to grant access to the resource only once.

The checkbox Apply to software updates, when checked, will allow the software to be updated and will apply this rule so long as the original developer's code signing team still matches. This is a convenient way to trust the software manufacturer as a whole, rather than just the one version of software. Unchecking this checkbox will, instead of relying on the developer's code signature, take a SHA256 hash of the binary and invalidate the rule should the binary change. This is also done for any unsigned binaries. Using a hash is more secure, in that any change to the binary will invalidate the rule. This can often be inconvenient, however, as it prevents updates without recreating the rule. If the binary being executed is in an Apple SIP-protected folder, this checkbox will not be displayed at all; F-Secure XFENCE works with macOS and allows SIP to protect components of the operating system it has authority over.

If any of the information fields are truncated, hover over the field to display a tooltip containing the longer path.

Global Access Rules

Some applications tend to function better with global access to your system; for example, antivirus applications that scan the entire hard drive may continually prompt you every time they try and access a new folder. Presuming you fully trust these applications, you may consider granting them access to Any Files, an option on the dropdown of every prompt.

When you do this, you’re granting the application carte blanche access to your computer, so it is only recommended that you grant such broad permissions for applications that you fully trust.

Shell Scripts and Unix Commands

In many cases, you may need to allow anything executed by a shell script or a particular Unix command to have certain access rights. To do this, click the program title at the top of the prompt window. A dropdown window will appear, giving you a list of parent/child relationships to choose from.

In the above example, selecting any process via buildpkg.sh will apply the rule to anything that is directly executed by the script buildpkg.sh. Selecting any process parent buildpkg.sh will apply the rule to anything whose parent process is the program; similar, but slightly different.

This same menu can be used to selectively apply rules to programs that are executed by a number of other different Unix programs. For example, when using Xcode, you may encounter a prompt to allow ld via clang as the default. This gives you the following options:

1. Make the rule apply to ld regardless of what calls it: select ld from the menu (with no via clang)

2. Make the rule apply to anything run by clang: select any process via clang from the menu

3. Make the rule apply only to ld when run by clang; this is the default


If a program was launched by another application, which was launched by another application, you may see some ancestry options presented to you from the program title menu.

Ancestry rules are particularly useful in development environments, where various tools run scripts or other tools, which invoke other tools, and so on. In the example above, the compiler is calling itself, and so is not a direct child of Xcode, but rather of clang, which is, itself, a child of Xcode. Rather than granting permission to every single script or tool in your build process, selecting any with ancestor Xcode allows the rule to apply to any process that is a descendant of Xcode. This is different than the option any process via Xcode, which requires that Xcode be the process' direct parent; using any with ancestor applies to any process having Xcode anywhere in its ancestry. In this example, the user is choosing to allow any process to be executed from the folder specified, so long as it was directly or indirectly kicked off by Xcode.

Ancestry rules are slightly more expensive than other rules, and so you should only use them when necessary. For example, if you have only one or two scripts or tools included in your build process, you may consider selecting the tool by name instead.
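The difference between the by-name, via, and ancestor selectors described above can be made concrete with a small model of a process tree. This is an added example, not F-Secure XFENCE's implementation; the Proc class, the selector strings as parsed here, and the sample tree are constructed for illustration, with "via" modelled as the direct parent and "any with ancestor" as any process higher in the chain.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    name: str
    parent: Optional["Proc"] = None


def ancestors(proc):
    """Yield parent, grandparent, ... up to the root of the process tree."""
    p = proc.parent
    while p is not None:
        yield p
        p = p.parent


def selector_matches(selector, proc):
    """Evaluate one process selector against a process.

    Supported forms (a model of the menu entries described above):
      "ld"                       process name, whatever launched it
      "ld via clang"             process name with a given direct parent
      "any process via clang"    any process whose direct parent is clang
      "any with ancestor Xcode"  any process with Xcode anywhere above it
    Returns (matched, hops), where hops counts the parent links inspected.
    """
    prefix = "any with ancestor "
    if selector.startswith(prefix):
        wanted = selector[len(prefix):]
        hops = 0
        for a in ancestors(proc):          # may walk the whole chain
            hops += 1
            if a.name == wanted:
                return True, hops
        return False, hops
    if " via " in selector:
        who, parent_name = selector.split(" via ", 1)
        hops = 1 if proc.parent is not None else 0
        direct = proc.parent is not None and proc.parent.name == parent_name
        name_ok = who == "any process" or who == proc.name
        return direct and name_ok, hops
    return selector == proc.name, 0


def build_tree():
    """Constructed sample: Xcode -> clang -> clang -> ld, plus an ld run from a shell."""
    launchd = Proc("launchd")
    xcode = Proc("Xcode", launchd)
    clang_driver = Proc("clang", xcode)
    clang_inner = Proc("clang", clang_driver)   # the compiler calling itself
    ld = Proc("ld", clang_inner)
    stray_ld = Proc("ld", Proc("bash", Proc("Terminal", launchd)))
    return clang_inner, ld, stray_ld
```

The hop count shows why an ancestor selector costs more to evaluate than a name or direct-parent selector: a non-matching process is only rejected after its whole ancestry has been walked.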

Auto-detected Rules

F-Secure XFENCE includes a small library of preprogrammed rules that will be presented to the user the first time a matching application needs permission to access a resource. You'll receive a notification in the upper-right hand corner of your screen prompting you to import preconfigured rules. By clicking Import, the rules will be automatically loaded and tagged into your ruleset, and will immediately take effect. The current window will be dismissed, and re-evaluated against the new rule changes. If you click ignore, or allow the window to time out, F-Secure XFENCE won't prompt you again about this particular application, however you can always import the rulesets later on by using the import option of the rules editor. If you would like to be prompted next time you launch the application, click on the content of the notification and it will remember to ask you again later.

Overriding Rules

When overriding rules, keep in mind that F-Secure XFENCE uses a basic path complexity algorithm to determine which rule should take precedence. For example, if the folder ~/Documents is denied to a program, but you also have created a rule allowing ~/Documents/Private/, then the second rule will take precedence whenever a file in that folder is accessed, because that rule has a longer path.

Keep this in mind when overriding system rules, especially. If, for example, a particular folder or file is allowed, you will need to override it with a path of the same or greater length in order to deny it.
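The precedence behavior described above can be modelled as a longest-matching-path lookup in which a user rule wins over a system rule of the same path. This is an added example, not F-Secure XFENCE's code; the Rule class, the decide function, the home folder, and the sample rules are constructed, rules for a single application are assumed, and path length in characters stands in for the guide's "path complexity".

```python
from dataclasses import dataclass

HOME = "/Users/alice"  # constructed home folder for the sample


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    path: str     # a file, or a folder (with or without trailing slash)
    origin: str   # "user" or "system"


def expand(path, home=HOME):
    """Expand the ~/ prefix to the home folder."""
    return home + path[1:] if path.startswith("~/") else path


def covers(rule_path, target):
    """True if the rule path is the target itself or a folder above it."""
    p, t = expand(rule_path), expand(target)
    if p.endswith("/"):
        return t.startswith(p)
    return t == p or t.startswith(p + "/")   # do not match ~/DocumentsOld


def decide(rules, target):
    """Return (action, rule). With no matching rule the user would be prompted."""
    matching = [r for r in rules if covers(r.path, target)]
    if not matching:
        return "prompt", None
    # Longest path wins; on an identical path the user rule beats the system rule.
    best = max(matching,
               key=lambda r: (len(expand(r.path).rstrip("/")), r.origin == "user"))
    return best.action, best


# Constructed sample rules: the ~/Documents case from the text, plus a
# hypothetical system rule allowing a cache folder.
DOC_RULES = [
    Rule("deny", "~/Documents", "user"),
    Rule("allow", "~/Documents/Private/", "user"),
]
SYSTEM_CACHE_ALLOW = Rule("allow", "~/Library/Caches/", "system")
TOO_SHORT_DENY = Rule("deny", "~/Library/", "user")
SAME_LENGTH_DENY = Rule("deny", "~/Library/Caches/", "user")
```

Because every matching rule path is a prefix of the same target, comparing by character length and comparing by number of path components give the same ordering.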

Hot Keys

The following hot keys can be used during a permissions prompt:

Command-Return: Allow

Escape: Deny

Command-O or Command-1: Select Once

Command-Q or Command-2: Select Until Quit

Command-R or Command-3: Select Until Restart

Command-F or Command-4: Select Forever

Left/Right Arrow Keys: Change Path Pop-Up Menu

Up/Down Arrow Keys: Change Process Selection Pop-Up Menu

Editing Rules

F-Secure XFENCE includes a policy editor. Select Rules… from the menu bar, or double click on the F-Secure XFENCE Configuration application inside the Applications folder. Here, you can review all of the rules you’ve created and add, modify, or delete them, or even create new ones.

A few things to note about the rules editor:

Rules that may no longer be valid will appear in red; for example, if a path to a file or folder, or to an application, no longer exists. These include rules that may still be valid, but apply to a volume that is not currently mounted.

Redundant rules will appear in orange, and are usually safe to delete.

Rules created within the last 24 hours display a pencil icon in the field next to the application name.

When viewing system rules, system rules are distinguished by a gear icon in the field next to the application name.

To edit a rule, simply double-click on it, and a window will appear.

From here, you can change information about the rule. A few things to note:

You may use a prefix of ~/ to denote your home folder in both the application and file path fields.

The "Team ID" or "SHA256" field will update its label depending on whether a 64-byte sha256 hash is provided, or a different value.

The application field can be truncated to a folder name, and so long as it has a trailing slash (/), will be treated as a wildcard. This is a good way to whitelist an entire folder hierarchy. The "Team ID" or "Hash" you supply will still be a constraint for this rule, and so only files in that folder matching the team id or hash will be granted the rule's permissions.

When running sandboxed applications, the path may be translocated in /private/var/folders/; due to the behavior of sandboxed applications, you can truncate the path leaving the trailing period before unique filenames, and F-Secure XFENCE will treat this as a wildcard as well. If this was an application downloaded from the Internet, you may also choose to remove the quarantine bit so that it can run out of a normal directory structure.

You may delete the contents of the "Team ID" or "Hash" field entirely if you don't want to enforce any kind of code signing or hash checking for this rule. Be advised, this means that anything replacing the binary at this path will be granted the same permissions. If this is necessary, you may wish to add a "watch" rule to the path as well, so that you'll need to authorize any updates to the binary.

You may also double click on any system rule, however you will not be able to modify it.
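The trade-off between a Team ID constraint, a SHA256 constraint, and an empty constraint, as described in these notes and under the Apply to software updates checkbox, is shown below as a small model. This is an added example, not F-Secure XFENCE's code; the function names, the paths, and the team identifiers are constructed, and the signing team is passed in as a value rather than read from a real code signature.

```python
import hashlib
import re


def constraint_kind(value):
    """Classify the constraint field: 64 hex characters is a SHA256, else a Team ID."""
    value = value.strip()
    if not value:
        return "none"
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "sha256"
    return "team_id"


def app_field_matches(app_field, binary_path):
    """A trailing slash makes the application field a folder wildcard."""
    if app_field.endswith("/"):
        return binary_path.startswith(app_field)
    return binary_path == app_field


def rule_applies(app_field, constraint, binary_path, binary_bytes, team_id):
    """Decide whether a rule still applies to the binary now found at binary_path.

    team_id is the signing team of the binary, or None if it is unsigned
    (an input here; a real check would take it from the code signature).
    """
    if not app_field_matches(app_field, binary_path):
        return False
    kind = constraint_kind(constraint)
    if kind == "none":
        return True   # anything replacing the binary inherits the rule
    if kind == "sha256":
        digest = hashlib.sha256(binary_bytes).hexdigest()
        return digest == constraint.strip().lower()
    return team_id is not None and team_id == constraint.strip()


# Constructed sample: two versions of one application and a replaced binary.
APP = "/Applications/Example.app/Contents/MacOS/Example"
V1, V2, IMPOSTOR = b"example build 1", b"example build 2", b"replaced binary"
TEAM, OTHER_TEAM = "TEAMID0001", "TEAMID0002"   # placeholder team identifiers
V1_HASH = hashlib.sha256(V1).hexdigest()
```

A hash-constrained rule stops applying as soon as the binary changes, including for a legitimate update; a team-constrained rule survives updates from the same signer; a rule with the field cleared applies to whatever sits at the path.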

There are two ways to create new rules. Clicking the New Rule button on the toolbar will create a new, empty rule. If you wish to create a rule for an application that you’ve already added to your rules file, right-click on any rule for that application and select New Rule. This will create a new rule based on the application you’ve selected; creating a rule this way will cause the new rule to inherit many of the characteristics of the old rule.

When you exit the rules editor, your rules will automatically be reloaded if you've made any changes.

Tagging Rules

Tags can be created ad-hoc for each rule, allowing you to easily identify the purpose of certain groups of rules. You can also sort by rule tags. To change a tag, double click the rule's tag field, or press enter. Tags are treated entirely as user data, intended to help you sort and organize your rules.

Invalid Rules

F-Secure XFENCE keeps track of the applications for your rules, and monitors them for changes. If an application is updated, the rules corresponding with that application become invalidated. This is an added security mechanism to prevent malware from replacing a trusted binary with one of its own. When a rule becomes invalid, the application will be highlighted in red in F-Secure XFENCE Configuration. This feature can be turned off in Preferences.

Because of this security mechanism, you may encounter what might first appear as repeat prompts when upgrading an application. F-Secure XFENCE treats the update as if it were a completely different application, and therefore will prompt you again for access permissions.

Rules can also appear in red if the application no longer exists, or if the path specified by a rule does not exist. In some cases, rules may exist for mounted volumes, such as external disk drives or USB sticks; when they are not mounted, the rule will appear in red. In these cases, the red warning highlight can be ignored, as the rule is still valid whenever the device is connected.

Adding New Users

Whenever new users are added to the system, you’ll need to either reload rules or reboot before logging into the account, so that F-Secure XFENCE can apply the necessary rules to the user’s home folder. This can be done from the Advanced Options menu from the F-Secure XFENCE menu bar icon.

F-Secure XFENCE’s Behavior

F-Secure XFENCE protects access to file content, but does not restrict directory access; file names and hierarchies are still subject to whatever the Unix permissions or ACLs permit. Don't name files after your social security number.

F-Secure XFENCE's default rules allow access to application-generated caches and other temporary content, which could contain cached copies of personal data; for example, Adobe Bridge caches photos from folders you have browsed. Spotlight caches metadata from your address book and other sources. Malware does not typically target cached files that may or may not exist, and they are useless to ransomware, so this was a reasonable tradeoff for usability. You may choose to change this behavior by overriding some of the default rules; bear in mind that you will be prompted more often for access. This can be better managed by clearing your caches often.

F-Secure XFENCE does not, by default, protect your keychain or address book, as applications are expected to access these resources; this, too, you can change by overriding the default configuration if you wish to harden up the system, but at the expense of more popups. The keychain’s encryption already incorporates a reasonable level of security, and many applications will malfunction without access to your contacts.

Spotlight and Suggestions are both allowed by default, which gives them access to cache your calendar and other similar personal information; while misbehaving applications and low-budget malware won't be able to access these files directly, software that talks to Spotlight and Suggestions will. See the default rules file for information about hardening this if you are worried about it.

Exporting Rules

The F-Secure XFENCE Configuration app allows you to edit, import, or export rules. Export your rules to back them up to a .XFENCE file. Use the import tool to restore a backup of your own rules.

Third Party Applications

A number of rules have been included with F-Secure XFENCE to support popular applications (such as Xcode), or to extend the functionality of F-Secure XFENCE with more advanced rules. You can import these preloaded rulesets by pressing Command-I, which will drop you into the F-Secure XFENCE Extras folder in /Users/Shared.

Advanced Monitoring

F-Secure XFENCE can perform advanced monitoring of various system-level operations, and allow fine-grained control over them. These are not enabled by default, and should be considered experimental, and for advanced users only.

The following standalone features can be enabled to perform advanced system monitoring for advanced users.

Block Spotlight: Blocks Spotlight and Suggestions from accessing basic index content, such as your address book

NVRAM Monitor: Monitors processes writing to non-volatile RAM (NVRAM)

Kernel Module Load Monitor: Monitors dynamic loading of third-party kernel modules *

System Execution Monitor: Monitors non-SIP protected areas for process execution **

All of these allow for advanced anti-malware detection, but come with some risks, and so they haven’t been enabled by default. If you are an expert user, you may choose to load any of these three modules from the Advanced Rulesets folder located inside the extras folder. Setting these up requires a little more finesse than you’d typically need for installing new rule sets:

1. Start F-Secure XFENCE Configuration and select File > Import

2. Navigate to the Advanced Rulesets folder inside the F-Secure XFENCE Extras folder

3. Load the monitoring ruleset(s) you’d like to enable

4. Place F-Secure XFENCE into Learning Mode

5. Reboot the system in learning mode, so that F-Secure XFENCE can learn the behavior of your third-party applications

6. Disable learning mode and review the new rule suggestions

Many third-party applications load their own kernel modules, and so it’s important to reboot while in learning mode when first setting up these rules, as well as whenever installing a new application that may include drivers or kernel modules. Otherwise, startup behavior will be altered by F-Secure XFENCE, and the new application may fail to load, or cause a hang.

Once logged in, any attempt to write to NVRAM, load an unauthorized kernel module, or launch an unauthorized executable will result in a prompt, allowing you to review and allow or deny this activity.

* The kernel module load monitor only protects against dynamically loaded modules, and does not detect modules loaded in the pre-linked cache.

** When using the System Execution Monitor, it is strongly advised you also go into Preferences and place a checkbox in the box titled Allow all signed applications execute permission; otherwise, you will potentially block any third-party software installed in the future, which could lead to problems including system hangs.

Learning Mode

Learning mode allows you to generate new rule suggestions for large applications that may otherwise generate a lot of popups on their first use. Xcode is a good example of such an application (although there is a ruleset for Xcode that you can import). Adobe Photoshop, on the other hand, only presents one or two popups. After you’ve installed an application, turn on Learning Mode from the Advanced Options menu, and then use the application. Once finished, turn off Learning Mode, and F-Secure XFENCE will present any new suggestions to you for import. While Learning Mode is active, you will see a small light bulb appear next to the F-Secure XFENCE icon, indicating it is in this mode.

Learning Mode persists across a reboot, so that you can train applications that include boot components. Be sure to turn it off when you are finished training.

While Learning Mode is enabled, F-Secure XFENCE is not protecting your system, because it is learning. You should only enable learning mode on a system you believe to be secured. Learning Mode is merely a convenience feature, and is not mandatory to use F-Secure XFENCE. On highly secured systems, you may choose not to use Learning Mode. While malware could potentially access content during learning mode, you should at least learn of it when reviewing the suggested rules, which will show the application in question and the folders it accessed.

Disabling F-Secure XFENCE

If you have any problems with F-Secure XFENCE, it can be temporarily disabled from the menu bar. When you disable F-Secure XFENCE, its protection ceases, which allows potentially lurking malware to take advantage of the opportunity to access your system components or content. It is not recommended that you disable F-Secure XFENCE if you suspect your system may have been compromised at any point. Depending on how concerned you are about this, you may choose to temporarily disable network access during such periods, to reduce the likelihood of exfiltration or introduction of other threats.

Complex operations, such as large software installs, may produce a lot of popups. Temporarily disabling F-Secure XFENCE for these can avoid some hassle, but also increases your exposure to potential malware either by the software installer itself, or anything lurking on your system. Only install software that you trust, and if you’re concerned about persistent malware, consider also installing a persistence monitoring tool such as BlockBlock by Objective-See Development.

Disabling F-Secure XFENCE does not persist across reboots, for security reasons. If you wish to permanently disable F-Secure XFENCE, you’ll need to uninstall it.

Whenever possible, try to keep F-Secure XFENCE enabled, and when you do disable it, ensure that it hasn’t been tampered with, and comes back online after the next reboot.


Q. F-Secure XFENCE causes a hang if I shut down or restart

A. Try to train F-Secure XFENCE when you shut down using Learning Mode:

1. Boot up your computer

2. Activate Learning Mode from the Advanced Options menu

3. Reboot your computer

4. Deactivate Learning Mode

F-Secure XFENCE should recommend new rules to import that were missing

Q. An application doesn’t work anymore since installing F-Secure XFENCE

A. It’s possible there are startup processes or other things going on in the background that F-Secure XFENCE thinks are malicious. Try the following to train F-Secure XFENCE on your application:

1. Activate Learning Mode from the Advanced Options menu

2. Reboot your computer

3. Run the application you’re having problems with and use it for a while

4. When you are finished, deactivate Learning Mode

5. You may be prompted to import suggested rules that F-Secure XFENCE has learned

Q. I can’t click “Allow” or “Deny” with my third-party pointing device

A. Some third-party human interface devices (HIDs) “simulate” mouse clicks, which F-Secure XFENCE ignores for security (to prevent malware from simulating similar mouse clicks). If you experience problems using your input device to respond to prompts, and can’t use the keyboard or factory hardware, enable the checkbox Allow software-composed mouse clicks and keypresses in Preferences.

Q. I can’t click “Allow” or “Deny” with VNC, MagicPrefs, or other mouse/keyboard software

A. F-Secure XFENCE ignores simulated mouse clicks and keypresses for security, to prevent malware from approving prompts. If you need to use software such as VNC, or mouse/keyboard management software such as MagicPrefs, you can turn this security feature off by checking the checkbox Allow software-composed mouse clicks and keypresses in Preferences.

This will cause F-Secure XFENCE to allow simulated mouse clicks and key presses to approve prompts; be advised that this configuration allows malware to also use the same facilities to approve prompts. Consider also enabling "Require authentication to approve prompts".

Q. F-Secure XFENCE is just too complicated for me

A. Consider turning on Simple Mode by clicking the F-Secure XFENCE menu on the menu bar, and selecting Enable Simple Mode. This will cause the popups to become much less complicated, and grant broader level permissions geared for novice users.


The default rules and the user's whitelist can allow a number of trusted services, but just like any security tool, F-Secure XFENCE has its limitations. By choosing to trust an application, you're granting potentially broad permissions not only to the binary, but to anything that is capable of attacking it.

F-Secure XFENCE does a great job of protecting your system from common malware, ransomware, misbehaving applications, and other potential threats, but imparting "trust" implies that you (the user) are choosing to trust those applications and their runtimes. The extent to which you trust them is up to you; your word processor doesn't need access to your private photos, so don't grant it access; and if it suddenly starts asking for access to them, then you know something is wrong.

The moral of the story is this: Be very careful what applications you choose to impart trust to, and the extent of that trust on the system, because F-Secure XFENCE will honor those requests. The default rules strike a good balance between security and usability, but if you're interested in hardening your system even further, you may wish to override them.

F-Secure XFENCE is not a silver bullet. It will, however, do its part to block and alert you to unauthorized attempts to access your data or tamper with it, and if it can’t stop an attack, you should at least know about it by the time it happens. Security is not a state; it is a measurement: a measurement of time and cost. F-Secure XFENCE’s goal is to increase both time and cost to a degree that effectively protects the user as much as possible.

Persistent Integrity Protection

F-Secure XFENCE's kernel module incorporates its own integrity protection, using the same techniques that Apple implements SIP with, to prevent deletion or overwriting of core files, or tampering of any components that could compromise F-Secure XFENCE, should malware attempt to attack it. It's also been balanced with an easy way to allow the user to remove it with little effort.

F-Secure XFENCE's data and executable files are protected from modification, and its daemon process is protected against being killed. The goal of F-Secure XFENCE's integrity protection is to provide a protected execution environment for F-Secure XFENCE from a boot sequence that is presumed trusted (and is protected by Apple's own security). It’s designed to be a real pain to remove, unless it’s done properly with user interaction to disable it first.

The user interface has a convenient menu option to temporarily disable F-Secure XFENCE (and its protection mode functions) so that F-Secure XFENCE can be removed or upgraded without booting into recovery mode. This requires user interaction, providing a reasonable compromise between security and usability.

Uninstalling F-Secure XFENCE

To uninstall F-Secure XFENCE, first disable it from the menu bar, and then run the following command:

sudo bash /Library/XFENCE/uninstall.sh

Once you’ve run this, reboot the computer. Note that you cannot perform this operation unless F-Secure XFENCE has been disabled, for obvious reasons. You may also wish to delete your rules on the system, which can be found in /Users/Shared/F-Secure XFENCE/.

When Things Go Wrong

Problems with F-Secure XFENCE are very rare, but if something does go wrong and you are unable to uninstall using the above methods, you can also uninstall F-Secure XFENCE from safe boot or recovery mode. In the unlikely chance that you find your system hung and will not boot, or other irrecoverable situations, perform the following steps to forcefully disable F-Secure XFENCE:

From Safe Boot

1. Boot into safe mode by holding in shift when you hear the boot chime

2. Verify that your menu bar reads Safe Mode in bold red text after logging in

3. Execute the following command:

sudo bash /Library/XFENCE/uninstall.sh

4. Reboot the computer, and F-Secure XFENCE will no longer appear

From Recovery Mode

1. Boot into recovery mode using Command-R when you hear the boot chime

2. If your disk is FileVault protected, launch Disk Utility; select your disk and then select File > Mount. You'll be prompted for your account password to unlock the volume. Once unlocked, quit Disk Utility and return to the main recovery screen.

3. Select Utilities > Terminal to launch a terminal session

4. Run the following commands to delete the F-Secure XFENCE kernel extension and rebuild the cache:

rm -rf "/Volumes/Macintosh HD/Library/Extensions/XFENCE.kext"
kextcache -u /Volumes/Macintosh\ HD

5. Reboot the computer, and then run the F-Secure XFENCE uninstall script to clean up

Compatibility Addendum

Hands Off!

Running F-Secure XFENCE and Hands Off! together can result in system instability. After a full analysis, we believe the problem to be related to how Hands Off! patches symbols in kernel memory that are crucial to the operating system's correct operation. Hands Off! tampers with the operating system in a way that causes a kernel panic in some instances when F-Secure XFENCE attempts to use functions that Hands Off! has patched. There is presently no workaround other than to uninstall the Hands Off! software.

ESET Cyber Security Suite, McAfee Virus Scan, McAfee Endpoint Protection, Kaspersky Antivirus and Internet Security

F-Secure XFENCE will automatically detect the software packages listed above and install the appropriate whitelist rules to function alongside it without compatibility problems. You shouldn’t have to do anything special to make F-Secure XFENCE coexist so long as these tools are already installed on your system when you install F-Secure XFENCE.

If you are installing any of these software packages after F-Secure XFENCE has been installed, the instructions below should be applied before installing them to avoid compatibility issues.

Import the appropriate rules prior to installing these packages to avoid compatibility issues. A separate ruleset is included with F-Secure XFENCE for these packages. To import, follow these steps:


1. Select Rules from the F-Secure XFENCE menu to load F-Secure XFENCE Configuration

2. In F-Secure XFENCE Configuration, select File > Import Rules…

3. A file dialog will appear. Select the .XFENCE file corresponding to the product you are installing, then click Open.

4. You’ll be presented with a set of import rules. Click the import button to import all of the rules

5. Upon exiting the rules editor, your rules will be reloaded

You may now safely install the software package.

Known Issues

F-Secure XFENCE is always being improved upon; however, software development always sees areas in which further improvement is needed. Below are some known issues that are being addressed, and their workarounds.

New Account Creation

F-Secure XFENCE creates rules for users on boot, and so when a new account is added to the system, you will need to either reboot or reload rules before logging into it, so that F-Secure XFENCE can create default rules. Otherwise, the new user will receive an overwhelming number of prompts for system operations that are normally covered by the default rules.

Due to a bug in macOS, the new user setup program does not properly set the console user to the new user's identity after running, and as a result, F-Secure XFENCE will think that the user _mbsetupuser is logged in. In order for F-Secure XFENCE to run correctly, you will also need to log out and log back in as soon as the new user setup is complete. This bug has been reported to Apple.

To summarize, you'll need to 1. reboot after adding a new user, then 2. log in as the new user, complete the new user setup, then either reboot a second time or log out and back in.

Provisioning from Admin Account

F-Secure XFENCE must be initially set up and registered from an admin account. The software itself can be installed from a non-admin account; however, you'll need to complete the installation after a reboot by logging into your admin account to end first run mode.