[formerly_proven]

Little snitch can block open(2)?

[TomaszZielinski]

I treat LS as a privacy/anti-telemetry/anti-accident tool, not as anti malware.

Obviously it can detect malware if there’s a connection to some weird site, but it’s more like a bonus than a reliable test.

If you need to block FS access, then per app containers or VMs are the way to go. The container/VM sandboxes your files, and Little Snitch can then manage externa connectivity (you might still want to allow connection to some legit domains—-but maybe not github.com as that can be use to upload your data. I meant something like updates.someapp.com)

[HSO]

Very, very good point

I got lazy

Time to crank the paranoidmeter up again

ty

[4ndrewl]

I believe they're saying it can open, it just can't send the data anywhere.

Seems a little excessive, but here we are.

[notpushkin]

It still can encrypt everything and demand you pay some ₿₿₿₿.

[lxgr]

If it can open and write any file on the OS, it's pretty much game over. Too many ways to exfiltrate data even without network/socket access.

[HSO]

Worse, what keeps this from editing the config files for Little Snitch (or similar blockers)?

[TomaszZielinski]

I believe LS has some protections against this. Never tried them, but there are config related security options, incl. protection against synthetic events. So they definitely put some thought into that.

[4ndrewl]

File system permissions?