Cylance local protection seems a bit daft

25 Jul 2019 19:14 | macOS | security

On a mac if you set Cylance's "local protection" to "system" it seems to
disallow all filesystem access to the CylanceSvc service's launchd plist file:


This access is completely denied even to the root user. At first glance this
would appear to prevent all users, including root, from stopping the service.

However, launchd does not look at the filename when processing one of these
files. You can have one called foo.plist and, if its Label key is set to the
same value as the Cylance one, e.g. "com.cylance.agent_service", then it can be
used to stop the Cylance service.
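A defender-side check for the behaviour described above, as an added example that is not from the original post: it parses launchd plists with Python's plistlib and flags any file whose Label key disagrees with its filename, and any Label claimed by more than one file. The sample directory it builds is constructed for the example; on a real system you would point scan_launchd_dirs at /Library/LaunchDaemons and the LaunchAgents directories.

```python
# Added example (not from the original post). launchd keys a job on its Label,
# not on the plist filename, so a second file claiming a protected service's
# Label is worth flagging. The sample directory below is constructed.
import os
import plistlib
import tempfile
from collections import defaultdict


def scan_launchd_dirs(dirs):
    """Return (mismatches, duplicates): mismatches is [(path, label)] where
    Label differs from the filename stem; duplicates is {label: [paths]}
    for any Label claimed by more than one file."""
    by_label = defaultdict(list)
    mismatches = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
            except (OSError, plistlib.InvalidFileException):
                continue  # unreadable (e.g. access denied) or malformed: skip
            label = job.get("Label")
            if not isinstance(label, str):
                continue
            by_label[label].append(path)
            if label != name[: -len(".plist")]:
                mismatches.append((path, label))
    duplicates = {lbl: paths for lbl, paths in by_label.items() if len(paths) > 1}
    return mismatches, duplicates


def build_sample_dir():
    """Constructed sample: a genuine-looking daemon plist plus an impostor."""
    d = tempfile.mkdtemp()
    jobs = {
        "com.cylance.agent_service.plist": "com.cylance.agent_service",
        "foo.plist": "com.cylance.agent_service",  # same Label, other filename
        "com.example.backup.plist": "com.example.backup",
    }
    for fname, label in jobs.items():
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump({"Label": label, "ProgramArguments": ["/bin/true"]}, fh)
    return d
```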

So this local protection is fairly weak in terms of stopping the root user from
disabling Cylance. Also, weirdly, if I use a separate plist file to stop the
service while it's in this mode, the original plist is left accessible after
starting it back up again.

I reported both of these issues to Cylance; they seemed to already be aware of
the first one and just said it's a limitation of the operating system.
Presumably with SIP locking down all the system files there's only so much they
can do to interrupt things being done as root.