
F-Secure

XFENCE

TECHNICAL SUPPORT SUPPORT@F-SECURE.COM
WEBSITE HTTPS://WWW.F-SECURE.COM

INTRODUCTION
PURPOSE
TECHNICAL DESCRIPTION
SUPPORTED OPERATING SYSTEMS
COMPATIBILITY WARNINGS
FEATURES
TECHNICAL CAPABILITIES

INSTALLING F-SECURE XFENCE FOR MAC

VERIFYING AUTHENTICITY OF THE SOFTWARE
STEP 1: INSTALL THE F-SECURE XFENCE PACKAGE
STEP 2: LET F-SECURE XFENCE PROFILE YOUR SYSTEM

REVIEWING DEFAULTS
PREFERENCES
EAVESDROPPING NOTIFICATIONS
MISCELLANEOUS SETTINGS

REGISTERING F-SECURE XFENCE

USING F-SECURE XFENCE

RESPONDING TO ACCESS PROMPTS
SIMPLE MODE VS. POWER USER MODE
GLOBAL ACCESS RULES
SHELL SCRIPTS AND UNIX COMMANDS
ANCESTRY
AUTO-DETECTED RULES
OVERRIDING RULES
HOT KEYS
EDITING RULES
TAGGING RULES
INVALID RULES
ADDING NEW USERS
F-SECURE XFENCE’S BEHAVIOR
EXPORTING RULES
THIRD PARTY APPLICATIONS
ADVANCED MONITORING
LEARNING MODE
DISABLING F-SECURE XFENCE

TROUBLESHOOTING

LIMITATIONS

PERSISTENT INTEGRITY PROTECTION

UNINSTALLING F-SECURE XFENCE

WHEN THINGS GO WRONG

FROM SAFE BOOT
FROM RECOVERY MODE

COMPATIBILITY ADDENDUM

KNOWN ISSUES
NEW ACCOUNT CREATION
PROVISIONING FROM ADMIN ACCOUNT



Introduction

F-Secure XFENCE for Mac is a security and privacy tool to help protect your personal data from
being deleted, ransomed, or stolen by malware, and to help detect system compromises or
applications that are not respecting your privacy. F-Secure XFENCE helps protect against
ransomware, spyware, misbehaving applications, and other threats to your data by requiring
that applications get your permission before reading or writing to your personal files.

But F-Secure XFENCE protects more than just your files. It also requires that applications get your
permission before they can use your webcam, install new startup programs, take control of
other programs, eavesdrop on your Internet connection, and more. F-Secure XFENCE also
actively monitors for keyboard eavesdropping, microphone use, and other activities that can
affect your privacy.

Security should always be thought of in terms of layers. F-Secure XFENCE is one of many
solutions that, combined, can help to improve the security of your computer system.

Purpose

One of the worst parts about being compromised is not knowing it, and having your data stolen
or ransomed right out from under your nose. F-Secure XFENCE works with macOS’ built-in
security features to deliver a more secure environment for your data to live, and to notify users
when suspicious activities are occurring.

Between spyware, ransomware, trojans, misbehaving applications, backdoored software,
government NITs, and other threats, detecting compromises can require extra layers of
security. F-Secure XFENCE increases the cost and time required of malware authors by
protecting your data at a level closely tied to the operating system.

Technical Description

In its most technical terms, F-Secure XFENCE is a programmable macOS extension that enforces
file access and system behavior policies using macOS's mandatory access control framework
(MACF). This framework began life in BSD many moons ago, and was later adopted into the
Darwin/XNU kernel; it's used by Apple to hook a number of tasks related to SIP and sandboxing
on macOS and iOS. This framework allows F-Secure XFENCE to preemptively intercept every file
operation, and a host of other types of activities on the system, and analyze them against a set
of policies that are programmed into the kernel at boot time. Even if malware should get root
on your system, F-Secure XFENCE continues to enforce the user's rules, and cannot be unloaded
from the operating system. F-Secure XFENCE also has its own form of integrity protection to
protect itself from being tampered with.

F-Secure XFENCE comes in three core pieces: the kernel extension, which contains a live copy of
all active rules, a helper daemon that programs the kernel module at boot time, and a user
space client that presents prompts to the user and a status bar to control F-Secure XFENCE. At a
kernel level, malware is prevented from tampering with any of these.

Supported Operating Systems

• El Capitan (macOS 10.11)
• Sierra (macOS 10.12)

Compatibility Warnings

F-Secure XFENCE presently has a compatibility addendum for the following software suites:

• ESET Cyber Security Suite
• McAfee Virus Scan
• McAfee Endpoint Protection
• Kaspersky Antivirus and Internet Security
• Hands Off!

Please see the addendum at the end of this document for these products.

Features
• Real-time, aggressive protection against unauthorized access to your files. Defend
against ransomware, spyware, trojans, back doors, or other malicious programs that
might attempt to steal, encrypt, or destroy your personal files
• Monitor applications to ensure they aren’t misbehaving, and are respecting your
personal privacy by staying out of areas they shouldn’t be in
• Protect your removable media (Time Machine drives, USB sticks, external hard disks,
and so on) from being accessed by applications without your permission
• Choose which applications are allowed to use your webcam, and which can’t, block it
completely, or require authorization for every use
• Block applications from eavesdropping on your Internet connection without your
permission
• Receive eavesdropping notifications when your microphone or webcam are in use, or
when an application is intercepting your keyboard presses or mouse clicks
• Prevent malware from taking control of other programs on your computer
• Prevent applications from installing persistent processes, or junk that runs at startup,
which can slow down your computer
• Prevent malware from running within your home directory
• Protect the pairing records your computer uses to talk wirelessly to your iPhone, iPad,
and other iOS devices
• A user-friendly interface to manage F-Secure XFENCE, edit rules, and receive
notifications
• “Learning Mode” that can be used to train F-Secure XFENCE for new applications, if you
don’t want to click through initial popups
• Restrictive “parental controls” style options for non-admin users
• Simple mode for non-technical users
• Much more!

Technical Capabilities

• Full file access control based on user rules: read, write, create, and execute
• Local and network disk mount and access control
• AppleScript component access control
• Webcam component access control
• Berkeley Packet Filter device control
• Launch daemon, agent, and login item control
• Binary execution and signature validation control
• Attach and debugging control via task_for_pid
• Pairing record file access control
• CoreMediaIO and CoreAudio monitoring (microphone and webcam)
• Event Tap monitoring (keyboard and mouse loggers)
• NVRAM write control (advanced)
• Kernel extension load control (advanced)

Installing F-Secure XFENCE for Mac

Verifying Authenticity of the Software



The installer package (and all the code it contains) is signed with F-Secure’s signing certificates.
You can verify the authenticity of the installer package using the pkgutil command:

$ cd /Volumes/F-Secure\ XFENCE/
$ pkgutil --check-signature Install\ F-Secure\ XFENCE.pkg
Package "Install F-Secure XFENCE.pkg":
Status: signed by a certificate trusted by Mac OS X
Certificate Chain:
1. Developer ID Installer: F-Secure Corporation
SHA1 fingerprint: 6B 8A 26 62 64 D1 B4 5A 49 03 C2 69 3E 59 6D A0 63 80 74 C0
-----------------------------------------------------------------------------
2. Developer ID Certification Authority
SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
-----------------------------------------------------------------------------
3. Apple Root CA
SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60


For more information about F-Secure code signing certificates, see:
https://community.f-secure.com/t5/Common-topics/F-Secure-code-signing/ta-p/77546

Step 1: Install the F-Secure XFENCE Package

To install, open the .dmg, then double-click the file named Install F-Secure XFENCE.pkg. As an
additional step of verifying the software's authenticity, you can click the lock in the upper-right
hand corner of the installer's menu bar to view the developer's code signing information.

If you are upgrading F-Secure XFENCE, be sure to disable it first from the menu bar; otherwise
the installation will fail.

Follow the instructions as you are guided through the installation process. A reboot will be
required after installation. When the system reboots, you’ll see F-Secure XFENCE’s menu on
your status bar.

You must log into an admin account to finish the first run, and wait until first run mode exits.
See the instructions in this document for provisioning non-admin accounts.

Step 2: Let F-Secure XFENCE Profile Your System

The first time you log back in, you’ll be prompted to allow F-Secure XFENCE to analyze your
system. This is a one-time activity to learn all of your system’s startup processes and suggest
rules for them so that you’re not bombarded with popups out of the gate. During this period,
keep your system idle and don’t launch applications; wait until you are confident that your login
applications have finished loading, then click the button at the bottom. As a precaution, F-
Secure XFENCE will automatically time out this profiling mode after four minutes.

During the profiling period, you’ll see a small light bulb indicator appear next to the F-Secure
XFENCE icon. The light bulb indicates that F-Secure XFENCE is in Learning Mode, and is
identifying all of your startup processes. When you’ve ended this process, the indicator will
disappear. If F-Secure XFENCE detected any startup applications, all of the activity that F-Secure
XFENCE has learned will be presented to you as a list of suggested rules. These are rules that
F-Secure XFENCE has created based on what runs at startup on your system.

Any rules learned during the first run, or whenever using Learning Mode, are only temporary
until the user imports them.

Review the rules and uncheck any that you don’t want. For example, a virus scanner may have
triggered a dozen or more rules, because it accesses everything on the system - but what you
really want to do is uncheck all of them, then add a rule later on to allow your virus scanner to
access “any” files. F-Secure XFENCE does its best to try and reduce redundant paths, but
sometimes this may require a bit of fine tuning.

When finished reviewing the suggestions, click Import to import them into your ruleset. When
you exit the rules editor, your rules will be automatically reloaded.

F-Secure XFENCE will go through a similar process if any program makes an unauthorized access
attempt during boot, and will prompt you with the new rule suggestions after you’ve finished
booting. This is called fail-safe mode; the difference is that during fail-safe mode, unauthorized
applications are denied access rather than allowed.

Reviewing Defaults

By clicking Show System Rules in the rules editor, you can view all of the active system rules
that are preloaded into F-Secure XFENCE. These rules are read-only when viewed in the rules
editor, and cannot be directly altered. The default rules are designed to err on the side of
security, and most can be overridden by adding a counter-rule to your own rule set.

You can override system rules by creating a counter-rule in the rules editor. F-Secure XFENCE will
give your rule preference over an identical system rule.


Preferences

A number of settings can be changed in F-Secure XFENCE’s preferences, accessible from the
menu bar.

Lock Screen Prompts
Prompts are presented while the system is locked, and will be treated with the same behavior
as a non-admin user. If non-admin users are allowed to create rules, then rules can also be
created on the lock screen. If non-admin users are not allowed to create rules, then any rules
created on the lock screen will first be presented to an administrator before they’re made
permanent. If you don’t want to allow prompts from the lock screen, uncheck the box Allow
screen prompts while locked or logged out. Be warned, this means any requests for access that
occur on the lock screen will automatically be denied. This can include third party background
applications, remote ssh sessions, and other types of activity that might otherwise need
attention from the lock screen. The default assumes that anyone with physical access to a
machine can probably be trusted to at least temporarily approve an access request. It is
recommended that you leave this feature turned on unless there is a valid reason to turn it off
where you are both 1. Concerned about physical security and 2. Concerned about
unauthorized users acknowledging F-Secure XFENCE prompts from the console.

Non-Admin Users
By default, non-admin accounts will not be able to create permanent rules, but only
temporarily allow or deny operations. This allows for easy management of a typical parental-
control like setup, so that an administrator can create the initial rules for the system, leaving
other family members without the ability to make any permanent alterations. If you would like
to enable rules editing for non-admin users, check the box Allow non-admin users to create
rules.
By enabling non-admin rules editing, you're also allowing them to create rules outside of their
home folder, including rules that can affect your own home folder or the entire system. You can
restrict this by checking the box Restrict non-admin rules to the user’s home folder. Note that
you will then want to set up some basic rules for all users to make their lives easier, such as
Finder access and access for popular applications. When this restriction is enabled, users will
not be able to respond to prompts from outside their home directory, so be sure to account for
any such possibilities (such as /Volumes) in your admin user rules.

The Level of Detail menu allows you to choose the default level of detail a non-admin user sees.

Monitoring Policies

By default, F-Secure XFENCE monitors a number of behaviors that affect your personal privacy,
over and above file access. F-Secure XFENCE will prompt you when any application is launched
that accesses the webcam, whenever an application attempts to install or change startup
programs (such as a launch daemon, agent, or login item), when a program attempts to execute
from inside your home directory (except for ~/Applications), and when a program tries to take
control of another program (by invoking task_for_pid, used by debuggers, cycript, and other
tools). If you wish to turn any of these monitors off, uncheck the box next to the corresponding
preference.

Whitelisting policies can also be changed from the policy section of the preferences window. By
default, preloaded Apple applications come with a set of rules used by F-Secure XFENCE to
allow basic access to application-specific content (such as Photos having access to your default
photo album). These can be disabled if you wish to manually approve access for these items.

Signed Applications

If you wish to allow signed binaries to execute from the home directory without a prompt,
check the box Allow all signed applications execute permission. This was designed for certain
advanced rulesets that can be imported, such as the System Execution Monitor; the two can be
used in tandem to monitor for unsigned execution from anywhere on the system.

Touch Bar
If you are concerned about malware controlling the mouse or keyboard of your system, and
your system is equipped with a Touch Bar, you can check the box Require Touch Bar to respond
to prompts. This is only necessary for highly secure (or highly paranoid) installations, and it’s a
good idea to enable this feature only after you’ve set up your initial application rules, for mere
sanity’s sake. You can also choose to require authentication in order to click allow for any
prompts; a feature you may wish to turn on after configuring F-Secure XFENCE.

Software Composed Keypresses and Mouse Clicks
By default, software composed keypresses and mouse clicks (that is, interaction that is
simulated by unprivileged software) are ignored. If you are using VNC remote desktop software,
or certain mouse or keyboard managers, click Allow software-composed mouse clicks and
keypresses to allow these applications to respond to prompts. Note that this somewhat
compromises security by allowing malware to also control your mouse and keyboard; in most
cases, such behavior is visible to the user.

Authentication
As a final means of screen security, you can require authentication either by password or Touch
ID for every "allow" prompt by checking the box Require authentication to approve prompts.

Eavesdropping Notifications

F-Secure XFENCE includes several live activity monitors that notify you of eavesdropping activity
on your system, such as programs that intercept keyboard presses, or when your microphone
becomes active. Some applications have a legitimate need to monitor keystrokes, such as
virtual machines. Other tools, such as Adobe Photoshop, have legitimate cause to monitor
mouse clicks. Obviously, applications such as Facetime have a legitimate reason to activate the
microphone and webcam. Use your best judgment in discerning whether the warning poses an
actual threat.

If one particular application performs heavy switching of monitoring, clicking the Ignore button
will present a menu allowing you to ignore the application until a restart or forever. Each
individual live monitor can be enabled or disabled directly from the Live Monitoring menu on
the F-Secure XFENCE menu bar.

Miscellaneous Settings

By default, the user guide is opened whenever F-Secure XFENCE is installed or updated. If you
would like to prevent this for future updates, disable F-Secure XFENCE, run the following
command, and then re-enable it.

defaults write \
"/Users/Shared/F-Secure XFENCE/com.fsecure.XFENCE.preferences.plist" \
ui.postinstall.manual -integer 2

We've buried this in the user guide to ensure you've read it.

Using F-Secure XFENCE

Using F-Secure XFENCE should be a pleasant experience. The user interface prompts you
whenever an unauthorized access takes place. Once rules have been initially set up, F-Secure
XFENCE should be relatively quiet until it’s needed. This section will help you to configure
F-Secure XFENCE so that you are not bothered very often.

Responding to Access Prompts

When an application attempts to access content that you’ve not previously granted access to,
you'll be prompted with a drop-down menu displaying the possible directory paths you can
choose to allow or deny. For best results, choose the shortest path specific to the application;
for example, ~/Library/Application Support/Adobe/ would be a good choice to
allow Adobe applications, so that you're confining the application to subfolders specifically for
Adobe software. This will avoid being prompted more often for folders inside the Adobe folder,
which is unnecessary. F-Secure XFENCE will make initial recommendations when possible, by
highlighting the default that it thinks is most suitable. It may not always be the best option,
however, and you are free to override this.

You will also be able to select how long a rule should take effect for.

• Once: You'll be prompted the next time the application needs access
• Until Quit: The application will be allowed access until it quits
• Until Restart: The application is allowed access until you restart your computer, reload
your rules, or disable and re-enable F-Secure XFENCE.
• Forever: A rule will be added to your rules file and access is perpetual unless deleted

Simple Mode vs. Power User Mode



F-Secure XFENCE allows you to switch between two modes from the menu bar: Simple Mode
and Power User Mode.

Simple Mode presents you with minimal details, and is ideal for non-technical users or users
who don’t need as much control over applications. Simple Mode will typically only present you
with the top-level folder that the application is requesting access to, such as your Documents
folder, for example. This can be much more convenient for those who don’t need to create
complex policies.

The downside to this is that you’re granting much broader access rights to applications.
What you gain in having a much simpler interface, you lose in the ability to see some of the
finer grained activities going on in your system.

In Simple mode, F-Secure XFENCE can’t provide as strong protection as it can in its default
standard mode; however, it provides what many would consider “good enough” protection.

In contrast to Simple Mode, the default standard mode gives the user much more control over
access rights, and much more information about what the application is doing.

In this mode, process and parent information is presented to the user, along with details about
the file being accessed. The user may also select from a dropdown list of paths.
By clicking the process name, new rules can be created for a variety of different process
spawning configurations, or you can even grant a broad permission to every application at
once. This mode also includes a Once option, allowing the user to grant access to the resource
only once.

The checkbox Apply to software updates, when checked, will allow the software to be updated
and will apply this rule so long as the original developer's code signing team still matches. This
is a convenient way to trust the software manufacturer as a whole, rather than just the one
version of software. Unchecking this checkbox will, instead of relying on the developer's code
signature, take a SHA256 hash of the binary and invalidate the rule should the binary change.
This is also done for any unsigned binaries. Using a hash is more secure, in that any change to
the binary will invalidate the rule. This can often be inconvenient, however, as it prevents
updates without recreating the rule. If the binary being executed is in an Apple SIP-protected
folder, this checkbox will not be displayed at all; F-Secure XFENCE works with macOS and allows
SIP to protect components of the operating system it has authority over.

If any of the information fields are truncated, hover over the field to display a tooltip containing
the longer path.

Global Access Rules

Some applications tend to function better with global access to your system; for example,
antivirus applications that scan the entire hard drive may continually prompt you every time
they try and access a new folder. Presuming you fully trust these applications, you may consider
granting them access to Any Files, an option on the dropdown of every prompt.



When you do this, you’re granting the application carte blanche access to your computer, so it is
only recommended that you grant such broad permissions for applications that you fully trust.

Shell Scripts and Unix Commands

In many cases, you may need to allow anything executed by a shell script or a particular Unix
command to have certain access rights. To do this, click the program title at the top of the
prompt window. A dropdown window will appear, giving you a list of parent/child relationships
to choose from.



In the above example, selecting any process via buildpkg.sh will apply the rule to anything that
is directly executed by the script buildpkg.sh. Selecting any process parent buildpkg.sh will apply
the rule to anything whose parent process is the program; similar, but slightly different.

This same menu can be used to selectively apply rules to programs that are executed by a
number of other different Unix programs. For example, when using Xcode, you may encounter
a prompt to allow ld via clang as the default. This gives you the following options:
1. Make the rule apply to ld regardless of what calls it: select ld from the menu (with no via
clang)
2. Make the rule apply to anything run by clang: select any process via clang from the
menu
3. Make the rule apply only to ld when run by clang; this is the default

Ancestry

If a program was launched by another application, which was launched by another application,
you may see some ancestry options presented to you from the program title menu.


Ancestry rules are particularly useful in development environments, where various tools run
scripts or other tools, which invoke other tools, and so on. In the example above, the compiler
is calling itself, and so is not a direct child of Xcode, but rather of clang, which is, itself, a child of
Xcode. Rather than granting permission to every single script or tool in your build process,
selecting any with ancestor Xcode allows the rule to apply to any process that is a descendant of
Xcode. This is different than the option any process via Xcode, which requires that Xcode be the
process' direct parent; using any with ancestor applies to any process having Xcode anywhere
in its ancestry. In this example, the user is choosing to allow any process to be executed from
the folder specified, so long as it was directly or indirectly kicked off by Xcode.

Ancestry rules are slightly more expensive than other rules, and so you should only use them
when necessary. For example, if you have only one or two scripts or tools included in your build
process, you may consider selecting the tool by name instead.
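The process-menu choices described in the Shell Scripts and Unix Commands section and in the Ancestry section above, modelled in code. This is an added example, not part of this guide and not F-Secure's code: the tuple encoding of the menu choices, the function names, and the process table (built after the Xcode → clang → clang → ld chain in the text, with a second ld started from Terminal for contrast) are this example's own assumptions, not XFENCE's internal representation.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str

# Constructed process table (not a real capture), modelled on the Xcode example in
# the text: Xcode launches clang, clang re-invokes itself, and that clang runs ld.
# A second ld, started from Terminal, shows what the rules do NOT match.
PROCS: Dict[int, Proc] = {
    1:   Proc(1, 0, "launchd"),
    100: Proc(100, 1, "Xcode"),
    200: Proc(200, 100, "clang"),
    201: Proc(201, 200, "clang"),
    202: Proc(202, 201, "ld"),
    300: Proc(300, 1, "Terminal"),
    301: Proc(301, 300, "ld"),
}

def parent(pid: int, procs: Dict[int, Proc]) -> Optional[Proc]:
    """The direct parent of pid, or None at the root of the tree."""
    p = procs.get(pid)
    return None if p is None else procs.get(p.ppid)

def ancestors(pid: int, procs: Dict[int, Proc]) -> Iterator[Proc]:
    """Walk up the parent chain, nearest ancestor first, stopping at the root."""
    seen = set()
    cur = parent(pid, procs)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = parent(cur.pid, procs)

def rule_applies(selection: Tuple[str, ...], pid: int, procs: Dict[int, Proc]) -> bool:
    """Decide whether a process-menu selection covers process pid.

    The tuple encoding is this example's own; it mirrors the choices named in the text:
      ("name", "ld")             ld, regardless of what calls it
      ("via", "ld", "clang")     ld only when its direct parent is clang (the default)
      ("any_via", "clang")       any process whose direct parent is clang
      ("any_ancestor", "Xcode")  any process with Xcode anywhere in its ancestry
    """
    proc = procs[pid]
    kind = selection[0]
    par = parent(pid, procs)
    if kind == "name":
        return proc.name == selection[1]
    if kind == "via":
        return proc.name == selection[1] and par is not None and par.name == selection[2]
    if kind == "any_via":
        return par is not None and par.name == selection[1]
    if kind == "any_ancestor":
        # More expensive than the others: walks the whole chain, as the text warns.
        return any(a.name == selection[1] for a in ancestors(pid, procs))
    raise ValueError(f"unknown selection kind {kind!r}")

def matching_pids(selection: Tuple[str, ...], procs: Dict[int, Proc] = PROCS) -> List[int]:
    """All pids the selection covers, sorted; shows the scope of each menu choice."""
    return sorted(pid for pid in procs if rule_applies(selection, pid, procs))

if __name__ == "__main__":
    for sel in (("name", "ld"), ("via", "ld", "clang"), ("any_via", "clang"),
                ("any_via", "Xcode"), ("any_ancestor", "Xcode")):
        print(sel, "->", matching_pids(sel))
```

Note how "any process via Xcode" covers only the first clang (the direct child), while "any with ancestor Xcode" also covers the re-invoked clang and the ld beneath it, and neither touches the ld started from Terminal.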

Auto-detected Rules

F-Secure XFENCE includes a small library of preprogrammed rules that will be presented to the
user the first time a matching application needs permission to access a resource. You'll receive
a notification in the upper-right hand corner of your screen prompting you to import
preconfigured rules. By clicking Import, the rules will be automatically loaded and tagged into
your ruleset, and will immediately take effect. The current window will be dismissed, and
re-evaluated against the new rule changes. If you click ignore, or allow the window to time out,
F-Secure XFENCE won't prompt you again about this particular application, however you can
always import the rulesets later on by using the import option of the rules editor. If you would
like to be prompted next time you launch the application, click on the content of the
notification and it will remember to ask you again later.

Overriding Rules

When overriding rules, keep in mind that F-Secure XFENCE uses a basic path complexity
algorithm to determine which rule should take precedence. For example, if the folder
~/Documents is denied to a program, but you also have created a rule allowing
~/Documents/Private/, then the second rule will take precedence whenever a file in that folder
is accessed, because that rule has a longer path.

Keep this in mind when overriding system rules, especially. If, for example, a particular folder or
file is allowed, you will need to override it with a path of the same or greater length in order to
deny it.
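The path-precedence behaviour described above (longest matching path wins, and a user rule is preferred over an identical system rule, as stated in Reviewing Defaults), as an added example that is not part of this guide and not F-Secure's code. The Rule type, the "prompt" verdict for an unmatched access, the home folder /Users/alice and the sample rule set are this example's own assumptions; XFENCE's real rule format and tie-breaking between two user rules of equal length are not described in the text and are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    path: str              # folder (trailing "/") or single file; "~/" denotes the home folder
    allow: bool            # True for an allow rule, False for a deny rule
    system: bool = False   # True for a preloaded system rule, False for a rule you created

def expand_home(path: str, home: str) -> str:
    """Expand the ~/ prefix the rules editor accepts in path fields."""
    return home + path[1:] if path.startswith("~/") else path

def rule_covers(rule: Rule, target: str, home: str) -> bool:
    """A folder rule covers everything beneath it; a file rule covers only that file."""
    p = expand_home(rule.path, home)
    return target.startswith(p) if p.endswith("/") else target == p

def resolve(rules: List[Rule], target: str, home: str = "/Users/alice") -> Tuple[str, Optional[Rule]]:
    """Pick the rule that decides access to target.

    Returns ("allow" | "deny" | "prompt", winning rule). Precedence follows the text:
    among matching rules the longest path wins, and on an identical path a user rule
    is preferred over a system rule. With no matching rule the access would fall
    through to a prompt, modelled here as the verdict "prompt".
    """
    best_key: Optional[Tuple[int, int]] = None
    best: Optional[Rule] = None
    for r in rules:
        if not rule_covers(r, target, home):
            continue
        # (path length, user-beats-system) ordered so that the larger key wins
        key = (len(expand_home(r.path, home)), 0 if r.system else 1)
        if best_key is None or key > best_key:
            best_key, best = key, r
    if best is None:
        return "prompt", None
    return ("allow" if best.allow else "deny"), best

# Constructed rule set (not a real export) illustrating both cases from the text.
RULES = [
    Rule("~/Documents/", allow=False),                    # deny the whole folder ...
    Rule("~/Documents/Private/", allow=True),             # ... but this longer path wins inside it
    Rule("~/Library/Caches/", allow=True, system=True),   # a preloaded system rule
    Rule("~/Library/", allow=False),                      # shorter path: does not override it
    Rule("~/Library/Caches/", allow=False),               # same length, user rule: overrides it
]

if __name__ == "__main__":
    for target in ("/Users/alice/Documents/Private/notes.txt",
                   "/Users/alice/Documents/resume.pdf",
                   "/Users/alice/Library/Caches/com.example/blob",
                   "/Users/alice/Desktop/todo.txt"):
        verdict, rule = resolve(RULES, target)
        print(f"{target}: {verdict} ({rule.path if rule else 'no matching rule'})")
```

Dropping the last rule from RULES shows the point made about system rules: the user's shorter ~/Library/ deny loses to the longer preloaded ~/Library/Caches/ allow, so a deny of the same or greater length is needed to override it.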

Hot Keys

The following hot keys can be used during a permissions prompt:

• Command-Return: Allow
• Escape: Deny
• Command-O or Command-1: Select Once
• Command-Q or Command-2: Select Until Quit
• Command-R or Command-3: Select Until Restart
• Command-F or Command-4: Select Forever
• Left/Right Arrow Keys: Change Path Pop-Up Menu
• Up/Down Arrow Keys: Change Process Selection Pop-Up Menu

Editing Rules

F-Secure XFENCE includes a policy editor. Select Rules… from the menu bar, or double click on
the F-Secure XFENCE Configuration application inside the Applications folder. Here, you can
review all of the rules you’ve created and add, modify, or delete them, or even create new
ones.

A few things to note about the rules editor:
• Rules that may no longer be valid will appear in red; for example, if a path to a file or
folder, or to an application, no longer exists. These include rules that may still be valid,
but apply to a volume that is not currently mounted.
• Redundant rules will appear in orange, and are usually safe to delete.
• Rules created within the last 24 hours display a pencil icon in the field next to the
application name.
• When viewing system rules, system rules are distinguished by a gear icon in the field
next to the application name.

To edit a rule, simply double-click on it, and a window will appear.

From here, you can change information about the rule. A few things to note:
• You may use a prefix of ~/ to denote your home folder in both the application and file
path fields.
• The "Team ID" or "SHA256" field will update its label depending on whether a 64-byte
sha256 hash is provided, or a different value.
• The application field can be truncated to a folder name, and so long as it has a trailing
slash (/), will be treated as a wildcard. This is a good way to whitelist an entire folder
hierarchy. The "Team ID" or "Hash" you supply will still be a constraint for this rule, and
so only files in that folder matching the team id or hash will be granted the rule's
permissions.
• When running sandboxed applications, the path may be translocated in
/private/var/folders/; due to the behavior of sandboxed applications, you can
truncate the path leaving the trailing period before unique filenames, and F-Secure
XFENCE will treat this as a wildcard as well. If this was an application downloaded from
the Internet, you may also choose to remove the quarantine bit so that it can run out of
a normal directory structure.
• You may delete the contents of the "Team ID" or "Hash" field entirely if you don't want
to enforce any kind of code signing or hash checking for this rule. Be advised, this means
that anything replacing the binary at this path will be granted the same permissions. If
this is necessary, you may wish to add a "watch" rule to the path as well, so that you'll
need to authorize any updates to the binary.

You may also double click on any system rule; however, you will not be able to modify it.

There are two ways to create new rules. Clicking the New Rule button on the toolbar will create
a new, empty rule. If you wish to create a rule for an application that you’ve already added to
your rules file, right-click on any rule for that application and select New Rule. This will create a
new rule based on the application you’ve selected; creating a rule this way will cause the new
rule to inherit many of the characteristics of the old rule.

When you exit the rules editor, your rules will automatically be reloaded if you've made
any changes.

Tagging Rules

Tags can be created ad-hoc for each rule, allowing you to easily identify the purpose of certain
groups of rules. You can also sort by rule tags. To change a tag, double click the rule's tag field,
or press enter. Tags are treated entirely as user data, intended to help you sort and organize
your rules.

Invalid Rules

F-Secure XFENCE keeps track of the applications for your rules, and monitors them for changes.
If an application is updated, the rules corresponding with that application become invalidated.
This is an added security mechanism to prevent malware from replacing a trusted binary with
one of its own. When a rule becomes invalid, the application will be highlighted in red in F-
Secure XFENCE Configuration. This feature can be turned off in Preferences.

Because of this security mechanism, you may encounter what might first appear as repeat
prompts when upgrading an application. F-Secure XFENCE treats the update as if it were a
completely different application, and therefore will prompt you again for access permissions.
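How a rule bound to a developer's Team ID survives an update while a hash-bound rule is invalidated, as described in this section, in the Apply to software updates discussion under Simple Mode vs. Power User Mode, and in the Team ID / SHA256 and trailing-slash notes under Editing Rules. This is an added example, not part of this guide and not F-Secure's code: the Binary and Rule types, the constructed byte strings standing in for executables, the Team IDs and the paths are this example's assumptions.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

SHA256_HEX = re.compile(r"[0-9a-fA-F]{64}")

def field_label(value: str) -> str:
    """Mirror the editor's label switch: a 64-hex-digit value is shown as SHA256,
    anything else (such as a ten-character Apple Team ID) as Team ID."""
    return "SHA256" if SHA256_HEX.fullmatch(value) else "Team ID"

@dataclass(frozen=True)
class Binary:
    path: str
    contents: bytes          # constructed stand-in for the executable's bytes
    team_id: Optional[str]   # code-signing Team ID, or None for an unsigned binary

@dataclass(frozen=True)
class Rule:
    app_path: str    # exact path, or a folder with a trailing "/" treated as a wildcard
    constraint: str  # Team ID, SHA256 hex digest, or "" to enforce no signing/hash check

def make_rule(binary: Binary, apply_to_updates: bool) -> Rule:
    """Build a rule the way the prompt does: with 'Apply to software updates' checked
    and a signed binary, pin the Team ID; otherwise (or for an unsigned binary) pin
    the SHA256 of the binary itself."""
    if apply_to_updates and binary.team_id:
        return Rule(binary.path, binary.team_id)
    return Rule(binary.path, hashlib.sha256(binary.contents).hexdigest())

def path_matches(app_path: str, path: str) -> bool:
    """Trailing slash = whole folder hierarchy; otherwise the path must match exactly."""
    return path.startswith(app_path) if app_path.endswith("/") else path == app_path

def rule_valid_for(rule: Rule, binary: Binary) -> bool:
    """Does the rule still apply to the binary now found at its path?

    A hash-bound rule is invalidated by any change to the binary; a Team ID-bound
    rule survives updates signed by the same team; an empty constraint accepts
    whatever sits at the path (the case the text suggests pairing with a watch rule)."""
    if not path_matches(rule.app_path, binary.path):
        return False
    if rule.constraint == "":
        return True
    if field_label(rule.constraint) == "SHA256":
        return hashlib.sha256(binary.contents).hexdigest() == rule.constraint.lower()
    return binary.team_id == rule.constraint

# Constructed binaries (not real files): version 1, an update signed by the same
# team, and an update signed by a different team.
APP = "/Applications/Example.app/Contents/MacOS/Example"
V1 = Binary(APP, b"example binary v1", "EXAMPLE123")
V2 = Binary(APP, b"example binary v2", "EXAMPLE123")
V2_OTHER_TEAM = Binary(APP, b"example binary v2", "OTHERTEAM9")

if __name__ == "__main__":
    for label, rule in (("team", make_rule(V1, True)), ("hash", make_rule(V1, False))):
        print(label, field_label(rule.constraint),
              [rule_valid_for(rule, b) for b in (V1, V2, V2_OTHER_TEAM)])
```

Running it prints True for every version under the Team ID rule except the one signed by another team, and True only for the original bytes under the hash rule, which is the trade-off the text describes between convenience across updates and strict pinning.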

Rules can also appear in red if the application no longer exists, or if the path specified by a rule
does not exist. In some cases, rules may exist for mounted volumes, such as external disk drives
or usb sticks; when they are not mounted, the rule will appear in red. In these cases, the red
warning highlight can be ignored, as the rule is still valid whenever the device is connected.

Adding New Users

Whenever new users are added to the system, you’ll need to either reload rules or reboot
before logging into the account, so that F-Secure XFENCE can apply the necessary rules to the
user’s home folder. This can be done from the Advanced Options menu from the F-Secure
XFENCE menu bar icon.

F-Secure XFENCE’s Behavior

• F-Secure XFENCE protects access to file content, but does not restrict directory access;
file names and hierarchies are still subject to whatever the Unix permissions or ACLs
permit. Don't name files after your social security number.
• F-Secure XFENCE's default rules allow access to application-generated caches and other
temporary content, which could contain cached copies of personal data; for example,
Adobe Bridge caches photos from folders you have browsed. Spotlight caches metadata
from your address book and other sources. Malware does not typically target cached
files that may or may not exist, and they are useless to ransomware, so this was a
reasonable tradeoff for usability. You may choose to change this behavior by overriding
some of the default rules; bear in mind that you will be prompted more often for access.
This can be better managed by clearing your caches often.
• F-Secure XFENCE does not, by default, protect your keychain or address book, as
applications are expected to access these resources; this, too, you can change by
overriding the default configuration if you wish to harden up the system, but at the
expense of more popups. The keychain’s encryption already incorporates a reasonable
level of security, and many applications will malfunction without access to your
contacts.
• Spotlight and Suggestions are both allowed by default, which gives them access to cache
your calendar and other similar personal information. Misbehaving applications and
low-budget malware won't be able to access these files directly, but software that talks to
Spotlight and Suggestions will. See the default rules file for information about hardening
this if you are worried about it.

Exporting Rules

The F-Secure XFENCE Configuration app allows you to edit, import, or export rules. Export your
rules to back them up to a .XFENCE file. Use the import tool to restore a backup of your own
rules.

Third Party Applications

A number of rules have been included with F-Secure XFENCE to support popular applications
(such as Xcode), or to extend the functionality of F-Secure XFENCE with more advanced rules.
You can import these preloaded rulesets by pressing Command-I, which will drop you into the
F-Secure XFENCE Extras folder in /Users/Shared.

Advanced Monitoring

F-Secure XFENCE can perform advanced monitoring of various system-level operations, and
allow fine-grained control over them. These are not enabled by default, and should be
considered experimental, and for advanced users only.

The following standalone features can be enabled to perform advanced system monitoring for
advanced users.

• Block Spotlight: Blocks Spotlight and suggestions from accessing basic index content,
such as your address book
• NVRAM Monitor: Monitors processes writing to non-volatile ram (NVRAM)
• Kernel Module Load Monitor: Monitors dynamic loading of third-party kernel modules*
• System Execution Monitor: Monitors non-SIP protected areas for process execution**

All of these allow for advanced anti-malware detection, but come with some risks, and so they
haven’t been enabled by default. If you are an expert user, you may choose to load any of these
three modules from the Advanced Rulesets folder located inside the extras folder. Setting these
up requires a little more finesse than you’d typically need for installing new rule sets:

1. Start F-Secure XFENCE Configuration and select File > Import
2. Navigate to the Advanced Rulesets folder inside the F-Secure XFENCE Extras folder
3. Load the monitoring ruleset(s) you’d like to enable
4. Place F-Secure XFENCE into Learning Mode
5. Reboot the system in learning mode, so that F-Secure XFENCE can learn the behavior of
your third-party applications
6. Disable learning mode and review the new rule suggestions

Many third-party applications load their own kernel modules, and so it’s important to reboot
while in learning mode when first setting up these rules, as well as whenever installing a new
application that may include drivers or kernel modules. Otherwise, startup behavior will be
altered by F-Secure XFENCE, and the new application may fail to load, or cause a hang.

Once logged in, any attempt to write to NVRAM, load an unauthorized kernel module, or launch
an unauthorized executable will result in a prompt, allowing you to review and allow or deny
this activity.

* The kernel module load monitor only protects against dynamically loaded modules, and does
not detect modules loaded in the pre-linked cache.

** When using the System Execution Monitor, it is strongly advised you also go into Preferences
and check the box titled Allow all signed applications execute permission; otherwise, you will
potentially block any third-party software installed in the future, which could lead to problems
including system hangs.

Learning Mode

Learning mode allows you to generate new rule suggestions for large applications that may
otherwise generate a lot of popups on their first use. Xcode is a good example of such an
application (although there is a ruleset for Xcode that you can import). Adobe Photoshop, on
the other hand, only presents one or two popups. After you’ve installed an application, turn on
Learning Mode from the Advanced Options menu, and then use the application. Once finished,
turn off Learning Mode, and F-Secure XFENCE will present any new suggestions to you for
import. While Learning Mode is active, you will see a small light bulb appear next to the
F-Secure XFENCE icon, indicating it is in this mode.

Learning Mode persists across a reboot, so that you can train applications that include boot
components. Be sure to turn it off when you are finished training.

While Learning Mode is enabled, F-Secure XFENCE is not protecting your system, because it is
learning. You should only enable learning mode on a system you believe to be secured.
Learning Mode is merely a convenience feature, and is not mandatory to use F-Secure XFENCE.
On highly secured systems, you may choose not to use Learning Mode. While malware could
potentially access content during learning mode, you should at least learn of it when reviewing
the suggested rules, which will show the application in question and the folders it accessed.

Disabling F-Secure XFENCE

If you have any problems with F-Secure XFENCE, it can be temporarily disabled from the menu
bar. When you disable F-Secure XFENCE, its protection ceases, which allows potentially lurking
malware to take advantage of the opportunity to access your system components or content. It
is not recommended that you disable F-Secure XFENCE if you suspect your system may have
been compromised at any point. Depending on how concerned you are about this, you may
choose to temporarily disable network access during such periods, to reduce the likelihood of
exfiltration or introduction of other threats.

Complex operations, such as large software installs, may produce a lot of popups. Temporarily
disabling F-Secure XFENCE for these can avoid some hassle, but also increases your exposure to
potential malware either by the software installer itself, or anything lurking on your system.
Only install software that you trust, and if you’re concerned about persistent malware, consider
also installing a persistence monitoring tool such as BlockBlock by Objective-See Development.

Disabling F-Secure XFENCE does not persist across reboots, for security reasons. If you wish to
permanently disable F-Secure XFENCE, you’ll need to uninstall it.

Whenever possible, try to keep F-Secure XFENCE enabled, and when you do disable it, ensure
that it hasn’t been tampered with, and comes back online after the next reboot.

Troubleshooting

Q. F-Secure XFENCE causes a hang if I shut down or restart

A. Try to train F-Secure XFENCE when you shut down using Learning Mode:

1. Boot up your computer
2. Activate Learning Mode from the Advanced Options menu
3. Reboot your computer
4. Deactivate Learning Mode
5. F-Secure XFENCE should recommend new rules to import that were missing

Q. An application doesn’t work anymore since installing F-Secure XFENCE

A. It’s possible there are startup processes or other things going on in the background that
F-Secure XFENCE thinks are malicious. Try the following to train F-Secure XFENCE on
your application:

1. Activate Learning Mode from the Advanced Options menu
2. Reboot your computer
3. Run the application you’re having problems with and use it for a while
4. When you are finished, deactivate Learning Mode
5. You may be prompted to import suggested rules that F-Secure XFENCE has learned

Q. I can’t click “Allow” or “Deny” with my third-party pointing device

A. Some third-party human interface devices (HIDs) “simulate” mouse clicks, which
F-Secure XFENCE ignores for security (to prevent malware from simulating similar mouse
clicks). If you experience problems using your input device to respond to prompts, and
can’t use the keyboard or factory hardware, enable the checkbox Allow software-composed
mouse clicks and keypresses in Preferences.

Q. I can’t click “Allow” or “Deny” with VNC, MagicPrefs, or other mouse/keyboard software
simulators

A. F-Secure XFENCE ignores simulated mouse clicks and keypresses for security, to prevent
malware from approving prompts. If you need to use software such as VNC, or
mouse/keyboard management software such as MagicPrefs, you can turn this security
feature off by checking the checkbox Allow software-composed mouse clicks and
keypresses in Preferences.

This will cause F-Secure XFENCE to allow simulated mouse clicks and key presses to approve
prompts; be advised that this configuration allows malware to also use the same facilities to
approve prompts. Consider also enabling "Require authentication to approve prompts".

Q. F-Secure XFENCE is just too complicated for me

A. Consider turning on Simple Mode by clicking the F-Secure XFENCE menu on the menu
bar, and selecting Enable Simple Mode. This will cause the popups to become much less
complicated, and grant broader level permissions geared for novice users.

Limitations

The default rules and the user's whitelist can allow a number of trusted services, but just like
any security tool, F-Secure XFENCE has its limitations. By choosing to trust an application,
you're granting potentially broad permissions not only to the binary, but to anything that is
capable of attacking it.

F-Secure XFENCE does a great job of protecting your system from common malware,
ransomware, misbehaving applications, and other potential threats, but imparting "trust"
implies that you (the user) are choosing to trust those applications and their runtimes. The
extent to which you trust them is up to you; your word processor doesn't need access to your
private photos, so don't grant it access; and if it suddenly starts asking for access to them, then
you know something is wrong.

The moral of the story is this: Be very careful what applications you choose to impart trust to,
and the extent of that trust on the system, because F-Secure XFENCE will honor those requests.
The default rules strike a good balance between security and usability, but if you're interested
in hardening your system even further, you may wish to override them.

F-Secure XFENCE is not a silver bullet. It will, however, do its part to block and alert you to
unauthorized attempts to access your data or tamper with it, and if it can’t stop an attack, you
should at least know about it by the time it happens. Security is not a state; it is a
measurement: a measurement of time and cost. F-Secure XFENCE’s goal is to increase both
time and cost to a degree that effectively protects the user as much as possible.

Persistent Integrity Protection

F-Secure XFENCE's kernel module incorporates its own integrity protection, using the same
techniques that Apple implements SIP with, to prevent deletion or overwriting of core files, or
tampering of any components that could compromise F-Secure XFENCE, should malware
attempt to attack it. It's also been balanced with an easy way to allow the user to remove it
with little effort.

F-Secure XFENCE's data and executable files are protected from modification, and its daemon
process is protected against being killed. The goal of F-Secure XFENCE's integrity protection is to
provide a protected execution environment for F-Secure XFENCE from a boot sequence that is
presumed trusted (and is protected by Apple's own security). It’s designed to be a real pain to
remove, unless it’s done properly with user interaction to disable it first.

The user interface has a convenient menu option to temporarily disable F-Secure XFENCE (and
its protection mode functions) so that F-Secure XFENCE can be removed or upgraded without
booting into recovery mode. This requires user interaction, providing a reasonable compromise
between security and usability.

Uninstalling F-Secure XFENCE

To uninstall F-Secure XFENCE, first disable it from the menu bar, and then run the following
command:

sudo bash /Library/XFENCE/uninstall.sh

Once you’ve run this, reboot the computer. Note that you cannot perform this operation unless
F-Secure XFENCE has been disabled, for obvious reasons. You may also wish to delete your rules
on the system, which can be found in /Users/Shared/F-Secure XFENCE/.

When Things Go Wrong

Problems with F-Secure XFENCE are very rare, but if something does go wrong and you are
unable to uninstall using the above methods, you can also uninstall F-Secure XFENCE from safe
boot or recovery mode. In the unlikely chance that you find your system hung and will not boot,
or other irrecoverable situations, perform the following steps to forcefully disable F-Secure
XFENCE:

From Safe Boot

1. Boot into safe mode by holding in shift when you hear the boot chime
2. Verify that your menu bar reads Safe Mode in bold red text after logging in
3. Execute the following command:

sudo bash /Library/XFENCE/uninstall.sh

4. Reboot the computer, and F-Secure XFENCE will no longer appear

From Recovery Mode

1. Boot into recovery mode using Command-R when you hear the boot chime
2. If your disk is File Vault protected, launch Disk Utility; select your disk and then select
File > Mount. You'll be prompted for your account password to unlock the volume. Once
unlocked, quit Disk Utility and return to the main recovery screen.
3. Select Utilities > Terminal to launch a terminal session
4. Run the following commands to delete the F-Secure XFENCE kernel extension and
rebuild the cache:

rm -rf "/Volumes/Macintosh HD/Library/Extensions/XFENCE.kext"

kextcache -u /Volumes/Macintosh\ HD

5. Reboot the computer, and then run the F-Secure XFENCE uninstall script to clean up

Compatibility Addendum

Hands Off!

Running F-Secure XFENCE and Hands Off! together can result in system instability. After a full
analysis, we believe the problem to be related to how Hands Off! patches symbols in kernel
memory that are crucial to the operating system's correct operation. Hands Off! tampers with
the operating system in a way that causes a kernel panic in some instances when F-Secure
XFENCE attempts to use functions that Hands Off! has patched. There is presently no
workaround other than to uninstall the Hands Off! software.

ESET Cyber Security Suite
McAfee Virus Scan
McAfee Endpoint Protection
Kaspersky Antivirus and Internet Security

F-Secure XFENCE will automatically detect the software packages listed above and install the
appropriate whitelist rules to function alongside it without compatibility problems. You
shouldn’t have to do anything special to make F-Secure XFENCE co-exist so long as these tools
are already installed on your system when you install F-Secure XFENCE.

If you are installing any of these software packages after F-Secure XFENCE has been installed,
the instructions below should be applied before installing them to avoid compatibility issues.

Import the appropriate rules prior to installing these packages to avoid compatibility issues. A
separate ruleset is included with F-Secure XFENCE for these packages. To import, follow these
steps:

1. Select Rules… from the F-Secure XFENCE menu to load F-Secure XFENCE Configuration
2. In F-Secure XFENCE Configuration, select File > Import Rules…
3. A file dialog will appear. Select the .XFENCE file corresponding to the product you are
installing, then click Open.
4. You’ll be presented with a set of import rules. Click the import button to import all of
the rules
5. Upon exiting the rules editor, your rules will be reloaded

You may now safely install the software package.


Known Issues

F-Secure XFENCE is always being improved upon, however software development always sees
areas in which further improvement is needed. Below are some known issues that are being
addressed, and their workarounds.

New Account Creation

F-Secure XFENCE creates rules for users on boot, and so when a new account is added to the
system, you will need to either reboot or reload rules before logging into it, so that F-Secure
XFENCE can create default rules. Otherwise, the new user will receive an overwhelming number
of prompts for system operations that are normally covered by the default rules.

Due to a bug in macOS, the new user setup program does not properly set the console user to
the new user's identity after running, and as a result, F-Secure XFENCE will think that the user
_mbsetupuser is logged in. In order for F-Secure XFENCE to run correctly, you will also need to
log out and log back in as soon as the new user setup is complete. This bug has been reported
to Apple.

To summarize, you'll need to 1. reboot after adding a new user, then 2. log in as the new user,
complete the new user setup, then either reboot a second time or log out and back in.

Provisioning from Admin Account

F-Secure XFENCE must be initially set up and registered from an admin account. The software
itself can be installed from a non-admin account; however, you'll need to complete the
installation after a reboot by logging into your admin account to end first run mode.
