Forum Thread: On OSX, exclude Time Machine volumes

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
CSI

This thread has been marked as locked.
atlauren On OSX, exclude Time Machine volumes
Member 17th May, 2014 08:51
Ranking: 0
Posts: 6
User Since: 21st Jan, 2014
System Score: N/A
Location: US
Hi all,

As we've deployed the CSI Agent to OS X clients, we found that older applications from users' Time Machine volumes are polluting the site's records. Given the unusual use case of a Time Machine volume, it strikes me there should be a way to exclude them as search/reporting paths from the agent.

[1] Is there a way to have the agent (or site) exclude certain paths?
[2] Any thoughts on how the agent could be instructed on such paths?

Time Machine volumes have a "tmbootpicker.efi" file at their root. I've thought of writing a script that checks for this file, but then I'd need to feed that volume to the agent as an exclude.

Have others run into the issue? Any thoughts?

Thank you,
Andrew

aamjohns RE: On OSX, exclude Time Machine volumes
Member 19th May, 2014 16:23
Score: 0
Posts: 3
User Since: 19th May 2014
System Score: N/A
Location: US
I am having the same problem. And from the documentation it says that whitelists/blacklists and ignore rules are not supported on Mac.

Whitelists/Blacklists:
*This feature is not applicable to Mac OS X, RHEL or PSI.

Ignore Rules:
*Please note that Ignore Rules do not apply to Apple Mac or RHEL devices.


atlauren RE: On OSX, exclude Time Machine volumes
Member 19th May, 2014 19:54
Score: 0
Posts: 6
User Since: 21st Jan 2014
System Score: N/A
Location: US
Good to know we're not alone.

-Andrew
r.danailov RE: On OSX, exclude Time Machine volumes
Secunia Official 20th May, 2014 13:32
Score: 25
Posts: 169
User Since: 3rd Jan 2012
System Score: N/A
Location: Copenhagen, DK
Hi,

Secunia CSI 7.0.0.3 (and above versions) cover path blacklisting / whitelisting for Mac OS X.
Unless you are running Secunia CSI 6.x or below versions, you shall be able to use this feature.
Please let us know if you are running CSI 7.x and the feature is not working for you.

Kind regards / Stay Secure
Rosen Danailov / Security+
Secunia Customer Support
aamjohns RE: On OSX, exclude Time Machine volumes
Member 20th May, 2014 13:34
Score: 0
Posts: 3
User Since: 19th May 2014
System Score: N/A
Location: US
That is great news to hear support for that feature has been added. Unfortunately, we run what the University provides, which is version 6 right now. I'll let the University know, but I don't know that they will upgrade just because I asked :)

Thank you, good to know that it is there to use eventually.

AJ.
r.danailov RE: On OSX, exclude Time Machine volumes
Secunia Official 20th May, 2014 13:55
Score: 25
Posts: 169
User Since: 3rd Jan 2012
System Score: N/A
Location: Copenhagen, DK
Last edited on 20th May, 2014 13:56
Dear aamjohns,

Unfortunately, this feature will not be ported to Secunia CSI 6.x. Therefore, please contact your account manager (or Secunia partner in your region) and research the possibility of an upgrade to the latest version. Secunia CSI 7.x is much more flexible with many more features than CSI 6.x, and it supports easy handling of cases like the one pointed out here.

Kind regards / Stay Secure
Rosen Danailov / Security+
Secunia Customer Support
aamjohns RE: On OSX, exclude Time Machine volumes
Member 20th May, 2014 13:58
Score: 0
Posts: 3
User Since: 19th May 2014
System Score: N/A
Location: US
Thank you. I have sent an email to that team and made them aware. Thanks! AJ.
atlauren RE: On OSX, exclude Time Machine volumes
Member 20th May, 2014 23:24
Score: 0
Posts: 6
User Since: 21st Jan 2014
System Score: N/A
Location: US
Last edited on 21st May, 2014 01:53
Sorry, but where does one find the location Black/White List? I don't see that in my site, nor as a configuration option in the agent.

Edit: Never mind. I see now that it's under Scanning -> Filter Scan Results -> Scan Paths.

I didn't realize that the text "Add Whitelist/Blacklist Rule" was a button. On my site with 7.0.0.6, there are no borders on the text, so it doesn't appear as a button.

Thanks,
Andrew
atlauren RE: On OSX, exclude Time Machine volumes
Member 21st May, 2014 06:56
Score: 0
Posts: 6
User Since: 21st Jan 2014
System Score: N/A
Location: US
Can blacklist paths include wildcards? In the case of Time Machine volumes:

/Volumes/*/*.backupdb
r.danailov RE: On OSX, exclude Time Machine volumes
Secunia Official 22nd May, 2014 09:28
Score: 25
Posts: 169
User Since: 3rd Jan 2012
System Score: N/A
Location: Copenhagen, DK
Hi,

I am not sure whether your particular example would work just as you intended it in your comment, because you may end up filtering everything after the first wildcard. It would be much better to test yourself though. If it hasn't worked well for you, I would advise you to add the full path; it's a one-time exercise anyway.

In general, wildcards are supported within this functionality though.

Kind regards / Stay Secure
Rosen Danailov / Security+
Secunia Customer Support
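
An added example, not part of the thread and not Secunia code: a shell function that prints the full path of each Time Machine backup store on a Mac, for entering as blacklist rules under Scan Paths. It assumes the `tmbootpicker.efi` marker from the first post and the `*.backupdb` naming from the wildcard above; the function name `tm_exclude_paths` is hypothetical.

```shell
#!/bin/sh
# Added example: list full paths to exclude for Time Machine volumes.
# Assumptions (taken from the thread, not from Secunia documentation):
#   - a Time Machine volume has "tmbootpicker.efi" at its root
#   - the backup store is a top-level directory named "*.backupdb"
# Usage on a Mac:  tm_exclude_paths /Volumes

tm_exclude_paths() {
    root="${1:-/Volumes}"
    for vol in "$root"/*/; do
        # An unmatched glob stays literal; skip anything that is not a directory.
        [ -d "$vol" ] || continue
        vol="${vol%/}"
        # Skip symlinked entries so a link back to another volume is not
        # reported a second time under a different name.
        [ -L "$vol" ] && continue

        found=0
        for db in "$vol"/*.backupdb; do
            [ -d "$db" ] || continue
            # Exclude only the backup store, so any live software
            # elsewhere on the same disk is still scanned.
            printf '%s\n' "$db"
            found=1
        done

        # Marker present but no backup store found: exclude the whole volume.
        if [ "$found" -eq 0 ] && [ -f "$vol/tmbootpicker.efi" ]; then
            printf '%s\n' "$vol"
        fi
    done
}
```

Volume names containing spaces are handled because each path is printed on its own line and never word-split.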

atlauren RE: On OSX, exclude Time Machine volumes
Member 22nd May, 2014 18:37
Score: 0
Posts: 6
User Since: 21st Jan 2014
System Score: N/A
Location: US
Thank you, I'll keep an eye on it.

Given the unique use case of Time Machine volumes, putting in blacklists for each individual user's volumes won't be a scalable solution. Please log a feature request to handle this in the agent, and have an "Exclude Time Machine" option in the site configurations.

Thank you,
Andrew
r.danailov RE: On OSX, exclude Time Machine volumes
Secunia Official 23rd May, 2014 13:08
Score: 25
Posts: 169
User Since: 3rd Jan 2012
System Score: N/A
Location: Copenhagen, DK
Hi Andrew,

I will test this first early next week, and if it doesn't work as you asked to use it, I will go ahead and submit the enhancement request right after my tests. I will inform you on the result sometime next week.

Kind regards / Stay Secure
Rosen Danailov / Security+
Secunia Customer Support

r.danailov RE: On OSX, exclude Time Machine volumes
Secunia Official 30th May, 2014 14:50
Score: 25
Posts: 169
User Since: 3rd Jan 2012
System Score: N/A
Location: Copenhagen, DK
Hi,

We have submitted an enhancement request with our Development team for the functionality that was requested here. We do not yet have an ETA for the implementation of this change though.

Kind regards / Stay Secure
Rosen Danailov / Security+
Secunia Customer Support
