by plausibility 756 days ago
One thing I learned from using Little Snitch is that a lot of Apple apps are seemingly immune from these types of firewalls, due to Apple shenanigans around kext signing etc. [0].

Ref also [1]:

> In Big Sur Apple decided to exempt many of its apps from being routed thru the frameworks they now require 3rd-party firewalls to use (LuLu, Little Snitch, etc.)
> Q: Could this be (ab)used by malware to also bypass such firewalls?
> A: Apparently yes, and trivially so

[0] https://x.com/patrickwardle/status/1318437929497235457
[1] https://x.com/patrickwardle/status/1327726496203476992


Apple removed the exclusion list: https://obdev.at/blog/a-wall-without-a-hole/
Huh, that was a pretty quick turnaround for Apple, glad to know.

Now if only they'd stop trying to get me to enable iCloud Drive just because I use an iPhone for work.

This is no longer the case.

But another way around is the way VMware Fusion let you set up networking in Bridged mode. Any traffic from the VM went through without a peep from Little Snitch running on the host. No reason malware couldn't be designed in the same way.

VMware Fusion isn't sandboxed and installs daemons running as root (which requires Gatekeeper approval or bypass to run, followed by an admin password to install the daemons).

AFAIK, XProtect is the only remaining line of defense against malware installed in this way.

So, Little Snitch helps unless your adversary is either really good at what they do or really rich. Maybe nothing can be done in those cases, but I'd like to see the limitations of such software placed on the box.