https://github.com/rommelfs/alod

automatic launch object detection for Mac OS X
https://github.com/rommelfs/alod

deprecated osx raw security-tools

Last synced: 8 months ago
JSON representation

automatic launch object detection for Mac OS X

• Host: GitHub
• URL: https://github.com/rommelfs/alod
• Owner: rommelfs
• License: other
• Created: 2017-08-25T15:12:54.000Z (almost 9 years ago)
• Default Branch: master
• Last Pushed: 2017-08-25T15:35:00.000Z (almost 9 years ago)
• Last Synced: 2025-05-04T21:29:13.459Z (about 1 year ago)
• Topics: deprecated, osx, raw, security-tools
• Size: 43.9 KB
• Stars: 6
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: License.rtf

Awesome Lists containing this project

README

          
# ALOD

automatic launch object detection for Mac OS X - doesn't seem to work on latest version of OS X.

For complete information about this project please be referred to https://www.circl.lu/pub/tr-08/

## Abstract

Current Mac OS X malware often persists and automatically starts by using the built-in launch system 1. This tool makes use of Automatic Folder Actions 2 in order to create a very basic but effective way of monitoring the addition of new launch objects to standard locations. In case a new object is placed in one of the monitored directories, a pop-up informs the user about the change, who then has in turn to decide if the change was legitimate or not. The new version is also monitoring locations where plug-ins are installed, for instance for common Internet browsers. The list of locations is displayed below. Besides displaying added files, this tool can also set up a log file where changes are recorded.

## Mode of operation

The tools enables Automatic Folder Actions on the system and monitors the following locations (depending if the respective software is installed):

~~~

/Library/LaunchAgents

/Library/LaunchDaemons

/System/Library/LaunchAgents

/System/Library/LaunchDaemons

~/Library/LaunchAgent

/Library/StartupItems

/System/Library/StartupItems

/Library/Internet Plug-Ins

~/Library/Safari/Extensions

~/Library/Application Support/Google/Chrome/Default/Extensions

~/Library/Application Support/Opera/widgets

~/Library/Internet Plug-Ins

~/Library/Containers/com.operasoftware.Opera/Data/Library/Internet Plug-Ins

~/Library/Containers/com.operasoftware.Opera/Data/Library/Application Support/Opera/widgets

~~~

If there is a file/folder added to any of theses locations, a notification script (which is included and copied to the User’s ‘Folder Actions Scripts’ folder) is executed which points to the change.