Tcpblock For Mac

TCPBlock is a lightweight and fast application firewall for OS X 10.6 or later, developed by Jo Delantis. The OS X firewall protects you from connections. With TCPBlock, you can prevent selected applications on your computer from opening connections to the network. TCPBlock is free and can be downloaded from MacUpdate; however, TCPBlock doesn't appear to work with El Capitan and is no longer being updated.

Malware installs itself persistently to ensure it's automatically (re)executed.
BlockBlock monitors common persistence locations and alerts whenever a persistent component is added.
Current version: 1.1.0 (change log)
Zip's SHA-1: F473FD17AF2092299FCA1C2AA5C968E3B5D4BE65


Looking for an older version (compatible with older versions of macOS)?
Download: BlockBlock (v0.9.9.4)

After downloading the latest version, run 'BlockBlock Installer.app' and press the 'Install' button:
Because BlockBlock utilizes Apple's new Endpoint Security Framework (to monitor for persistence), it requires system privileges. As such, during installation the OS will display an authorization prompt:
Another prerequisite of using the Endpoint Security Framework (leveraged by Apple) is 'Full Disk Access'. The first time you install BlockBlock, it will instruct you how to manually give BlockBlock such disk access:
  • Click the 'Open System Preference' button

  • In System Preferences, click the 🔒 icon (bottom left) and re-authenticate

  • In the 'Full Disk Access' table, select the check box next to BlockBlock

Uninstalling BlockBlock

To uninstall BlockBlock, simply re-run the 'BlockBlock Installer.app'. Click 'Uninstall' to completely remove BlockBlock:
Once installed, BlockBlock will begin running and will be automatically started any time your computer is restarted, thus providing continual protection. If anything installs a persistent piece of software, BlockBlock aims to detect this and will display an informative alert:
The alert contains information such as:
  • The process responsible for the action:
    The alert contains the process name, pid, path, and arguments. There are also clickable elements on the alert to show the process's code signing information, VirusTotal detections, and process ancestry.

  • The persistent item that was installed:
    The alert shows both the file that was modified to achieve persistence as well as the persistent item that was added.
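
The difference between the persistence file and the persistent item, shown for launchd jobs as an added example (not BlockBlock's code, which uses the Endpoint Security Framework rather than directory snapshots): the plist is the file that was modified, and its Program or first ProgramArguments entry is the item that was added. The temporary folder and the com.example.updater job are constructed sample data, and the function names are hypothetical.

```python
import plistlib, tempfile
from pathlib import Path

def snapshot(dirs):
    """Map every launchd plist found in dirs to its raw bytes."""
    found = {}
    for d in dirs:
        for p in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                found[str(p)] = p.read_bytes()
            except OSError:
                pass  # unreadable (e.g. no Full Disk Access) or removed mid-scan
    return found

def persistent_item(raw):
    """Return (executable launchd would run, starts automatically?) for one plist."""
    try:
        job = plistlib.loads(raw)  # accepts XML and binary plists
    except Exception:  # malformed plist: still report the file, item unknown
        return None, False
    if not isinstance(job, dict):
        return None, False
    args = job.get("ProgramArguments")
    args = args if isinstance(args, list) else []
    item = job.get("Program") or (args[0] if args else None)
    return item, bool(job.get("RunAtLoad") or job.get("KeepAlive"))

def new_persistence(before, after):
    """List plists added or changed between two snapshots, with their items."""
    events = []
    for path, raw in after.items():
        if before.get(path) != raw:
            item, auto = persistent_item(raw)
            events.append({"file": path, "item": item, "auto_start": auto,
                           "change": "modified" if path in before else "added"})
    return events

def demo():
    """Constructed sample: a stand-in launch-items folder gains two files."""
    with tempfile.TemporaryDirectory() as d:
        before = snapshot([d])
        job = {"Label": "com.example.updater", "RunAtLoad": True,
               "ProgramArguments": ["/Users/Shared/.updater", "--daemon"]}
        (Path(d) / "com.example.updater.plist").write_bytes(plistlib.dumps(job))
        (Path(d) / "broken.plist").write_bytes(b"not a plist")
        return new_persistence(before, snapshot([d]))

if __name__ == "__main__":
    for event in demo():
        print(event)
```

On a real system the directories passed to snapshot would be the launch item folders such as /Library/LaunchDaemons and ~/Library/LaunchAgents, which are only one of the persistence locations a monitor has to cover.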

If the process and the persisted item are trusted, simply click 'Allow'. If not, click 'Block'. Both actions will create a rule to remember your selection (unless you selected the 'temporarily' checkbox). If you decide to block an item, BlockBlock will remove the item from the file system, blocking the persistence.
The 'rule scope' option allows you to specify how the rule is applied. Via the drop-down, you can decide if the rule should match any combo of the process, the persistence file, and the persistence item.
All alert responses are logged to: /Library/Objective-See/BlockBlock/BlockBlock.log.
Using BlockBlock (Rules)

Persistence events are either allowed or blocked based on user input, and these decisions are then turned into BlockBlock's rules. To open the rules window, click on 'Rules' in BlockBlock's status bar menu:
The rules window displays these rules and allows one to manually delete them:
BlockBlock can be configured via its preferences pane. To open this pane, click on 'Preferences' in BlockBlock's status bar menu:
There are preference options to control various aspects of BlockBlock, including its alerting mode and icon mode, and to disable automatic update checks:
FAQs

Not necessarily! By design, BlockBlock strives to alert you anytime it detects that a persistent component has been added to the system. There are many legitimate reasons why something benign would be persisted. For example, BlockBlock persistently installs itself so it can provide continual protection!
Of course, malware persists as well. As such, you should closely examine and understand any alert, especially before approving it!