fpr: Revolt, Bearly, user executables, melange

Thomas Stromberg 2023-07-13 19:43:35 -04:00
parent 82cd9bc7ff
commit 485f69a61c
12 changed files with 77 additions and 26 deletions


@ -132,6 +132,7 @@ WHERE
'500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,6,5091,ZoomPhone,ZoomPhone,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.ZoomPhone',
'500,6,5222,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
'500,6,5053,bridge,bridge,Developer ID Application: Proton Technologies AG (6UN54H93QT),bridge',
'500,6,5223,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'500,6,5228,Clay,Clay,Developer ID Application: Clay Software, Inc. (C68GA48KN3),com.clay.mac',
'500,6,8009,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',


@ -47,6 +47,7 @@ WHERE
AND NOT f.directory LIKE '%/.bin'
AND NOT f.directory LIKE '%/.bin-unwrapped'
AND NOT f.directory LIKE '%/.cargo/bin'
AND NOT f.directory LIKE '%/.fig/bin'
AND NOT f.directory LIKE '%/.config/nvm/%/bin'
AND NOT f.directory LIKE '%/.provisio/bin/%'
AND NOT f.directory LIKE '%/.local/%'
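Review bot: Every pattern in this list starts with `%/`, so the new entry (the page does not mark which line is added; `'%/.fig/bin'` or `'%/.provisio/bin/%'` look likely) exempts that directory name under any parent, not only under a home directory. Anchoring it to the home root, e.g. `AND NOT f.directory LIKE '/home/%/.fig/bin'` (or the `/Users/%` form the other rules use), keeps the exemption limited to where the tool actually installs. Note also that `'%/.provisio/bin/%'` carries a trailing wildcard while its neighbours do not, so it also covers every subdirectory; if only the bin directory itself is meant, drop the trailing `%`. The enclosing WHERE clause starts before this hunk.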


@ -48,6 +48,8 @@ WHERE
'~/Library/Application Support/1Password',
'~/Library/Application Support/Adobe',
'~/Library/Application Support/Beeper',
'~/Library/Application Support/CleanMyMac X',
'~/Library/Application Support/CleanMyMac X Menu',
'~/Library/Application Support/Code',
'~/Library/Application Support/com.apple.spotlight',
'~/Library/Application Support/com.bohemiancoding.sketch3',
@ -60,7 +62,6 @@ WHERE
'~/Library/Application Support/DropboxElectron',
'~/Library/Application Support/GitHub Desktop',
'~/Library/Application Support/Jabra Direct',
'~/Library/Application Support/CleanMyMac X Menu',
'~/Library/Application Support/Keybase',
'~/Library/Application Support/Lens',
'~/Library/Application Support/lghub',


@ -36,7 +36,7 @@ WHERE
)
AND f.path NOT LIKE '/home/%'
AND f.path NOT LIKE '/snap/%'
AND f.path NOT LIKE '/tmp/go-build%/exe/%'
AND f.path NOT LIKE '/tmp/%go-build%/exe/%'
AND f.path NOT LIKE '/usr/local/bin/%'
AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
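Review bot: The widened pattern `'/tmp/%go-build%/exe/%'` on the replaced line accepts any prefix before `go-build` inside the same path component, so it also matches a top-level /tmp directory whose name merely contains `go-build`, not only a go-build directory nested in a sub-temp directory. If the intent is to cover a TMPDIR below /tmp, `AND f.path NOT LIKE '/tmp/%/go-build%/exe/%'` kept alongside the original `'/tmp/go-build%/exe/%'` expresses that with the separator required. The enclosing WHERE clause continues outside the hunk.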


@ -49,8 +49,10 @@ WHERE
AND file.filename NOT NULL
AND exception_key NOT IN (
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
',,/Applications/Google%20Chrome.app/,',
@ -58,6 +60,7 @@ WHERE
',,/Applications/ProtonMail%20Bridge.app/,',
',,/Applications/Visual%20Studio%20Code.app/,',
',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
'Developer ID Application: Bearly Inc (NK6K4BACCF),com.bearly.app,/Applications/Bearly.app/,501',
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
@ -66,7 +69,6 @@ WHERE
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
@ -75,7 +77,6 @@ WHERE
'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
@ -116,6 +117,10 @@ WHERE
signature.identifier = 'syncthing'
AND ae.path LIKE '/nix/store/%-syncthing-%/bin/syncthing'
)
AND NOT (
signature.identifier = 'nix'
AND ae.path LIKE '/nix/store/%-nix-%/bin/nix'
)
AND NOT (
ae.path LIKE '/Users/%/Library/Application%20Support/Steam/Steam.AppBundle/Steam/'
)
@ -135,6 +140,10 @@ WHERE
OR file.directory LIKE '/Users/%/bin'
OR file.directory LIKE '/Users/%/code/%'
OR file.directory LIKE '/Users/%/src/%'
OR file.directory LIKE '/Users/%/gh/%'
OR file.directory LIKE '/Users/%/debug/%'
OR file.directory LIKE '/Users/%/target/%'
OR file.directory LIKE '/Users/%/tmp/%'
OR file.directory LIKE '/Users/%/sigstore/%'
OR file.directory LIKE '/Users/%/node_modules/.bin/%'
OR file.directory LIKE '/Users/%/git/%'
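Review bot: The directory exclusions added in the last hunk (the page does not mark which four of `gh`, `debug`, `target`, `tmp`, `sigstore` are new) use `'/Users/%/<name>/%'`, and since `%` also matches `/`, a pattern such as `'/Users/%/tmp/%'` exempts a `tmp` component at any depth under any user, which is a broad blind spot for an executable-files rule. If the intent is the top-level `~/tmp`, `~/debug` or `~/target` directory, constrain the depth, e.g. `OR (file.directory LIKE '/Users/%/tmp/%' AND file.directory NOT LIKE '/Users/%/%/tmp/%')`, or attach a uid condition as the `exception_key` entries in this file do. The four-line `nix` block in the preceding hunk appears to be the other addition and keys on both `signature.identifier` and a `/nix/store/` path, which is the tighter shape to aim for. The enclosing WHERE clause starts and ends outside these hunks.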


@ -49,7 +49,9 @@ WHERE
AND extension NOT IN (
'1',
'2',
'basic',
'real',
'AppImage',
'ext'
)
AND NOT basename LIKE 'python3.%'
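Review bot: Adding `'AppImage'` to the `extension NOT IN (...)` list exempts an entire self-contained executable format from this rule, which is a larger gap than the other entries (the page does not mark which two entries are new; `'real'` and `'AppImage'` look to be the additions). If the goal is to stop alerts on one application, an exception keyed on its directory or basename, like the `AND NOT basename LIKE 'python3.%'` line below the list, keeps coverage for every other AppImage. The enclosing WHERE clause starts outside the hunk.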


@ -92,7 +92,10 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
'goreleaser'
)
)
) -- Nix
)
-- Melange
AND NOT file.directory LIKE '/tmp/melange-guest-%'
-- Nix
AND NOT (
file.directory LIKE '/tmp/tmp%'
AND gid = 0
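Review bot: The new melange exception `AND NOT file.directory LIKE '/tmp/melange-guest-%'` exempts on path alone, whereas the Nix block directly below it pairs its `/tmp/tmp%` pattern with `AND gid = 0`. A predictably named directory under /tmp can be created by any local account, so the exemption should carry a matching ownership condition, e.g. `AND NOT (file.directory LIKE '/tmp/melange-guest-%' AND gid = 0)` if melange's guest directories are root-owned — confirm against a real build host. The surrounding WHERE clause starts before and continues after this hunk.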


@ -80,23 +80,24 @@ WHERE
-- Prevent weird recursion
AND NOT path LIKE '%/../%'
AND NOT path LIKE '%/./%' -- Exclude very temporary files
AND NOT directory LIKE '/Users/%/Library/Mobile Documents/com~apple~shoebox/%'
AND NOT directory LIKE '/Users/%/Library/Containers/%'
AND NOT directory LIKE '/Users/%/.Trash/'
AND NOT directory LIKE '/Users/%/.go/bin/'
AND NOT directory LIKE '/Users/%/.bin/'
AND NOT directory LIKE '/Users/%/.local/bin/'
AND NOT directory LIKE '/Users/%/.cargo/bin/'
AND NOT directory LIKE '/Users/%/.vim/backup/'
AND NOT directory LIKE '/Users/%/.go/bin/'
AND NOT directory LIKE '/Users/%/Library/Application Support/AutoFirma/certutil/'
AND NOT directory LIKE '/Users/%/Library/Caches/chainctl/'
AND NOT directory LIKE '/Users/%/Library/Containers/%'
AND NOT directory LIKE '/Users/%/Library/Daemon Containers/%'
AND NOT directory LIKE '/Users/%/Library/Mobile Documents/com~apple~shoebox/%'
AND NOT directory LIKE '/Users/%/.local/bin/'
AND NOT directory LIKE '/Users/%/.minikube/bin/'
AND NOT directory LIKE '/Users/Shared/LGHUB/depots/%'
AND NOT directory LIKE '/Users/Shared/LogiOptionsPlus/depots/%'
AND NOT directory LIKE '/Users/%/Library/Application Support/AutoFirma/certutil'
AND NOT directory LIKE '/Users/%/Library/Caches/chainctl'
AND NOT directory LIKE '/Users/%/.Trash/%'
AND NOT directory LIKE '/Users/%/.vim/backup/'
AND NOT directory IN (
'/Users/Shared/LogiOptionsPlus/cache',
'/Users/Shared/logitune',
'/Users/Shared/Red Giant/Uninstall'
'/Users/Shared/LogiOptionsPlus/cache/',
'/Users/Shared/logitune/',
'/Users/Shared/Red Giant/Uninstall/'
)
AND NOT (strftime('%s', 'now') - ctime) < 60 -- Only executable files
)
@ -113,6 +114,39 @@ WHERE
magic.data IS NOT NULL
AND magic.data LIKE "0420 Alliant virtual executable%"
)
AND NOT homedir LIKE '~/%/bin'
AND NOT homedir LIKE '~/%/shims'
AND NOT homedir LIKE '~/%/plugins'
AND NOT homedir IN (
'~/.bin',
'~/.fzf',
'~/.fzf/bin',
'~/.venv/bin',
'~/.fig/bin',
'~/.zed/gopls',
'~/.config/kn',
'~/.asdf/shims',
'~/.amplify/bin',
'~/.emacs.d/backups',
'~/.rbenv/shims',
'~/.config/nvim.bak',
'~/.bazel/bin',
'~/.pulumi-dev/bin',
'~/.gvm/bin',
'~/.emacs.d.bak/bin',
'~/.docker/cli-plugins',
'~/.zsh_snap/zsh-autocomplete',
'~/.cache/gitstatus',
'~/.wrangler/bin',
'~/.provisio',
'~/.pyenv/shims',
'~/Library/ApplicationSupport/iTerm2',
'~/.kn/plugins',
'~/.kuberlr/darwin-amd64',
'/Users/Shared/logitune',
'~/.oh-my-zsh/tools',
'~/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS'
)
AND NOT top2_homedir IN (
'~/Library/Application Support',
'/Users/Shared/LGHUB/cache',
@ -132,10 +166,5 @@ WHERE
'~/.magefile',
'~/.nvm'
)
AND NOT homedir IN (
'~/.bin',
'~/.fzf',
'~/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS'
)
GROUP BY
f.path
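Review bot: In the new `homedir NOT IN (...)` list, `'~/Library/ApplicationSupport/iTerm2'` is missing the space in `Application Support` (compare `'~/Library/Application Support'` in the `top2_homedir` list just below), so that exception will never match and iTerm2 will keep alerting; change it to `'~/Library/Application Support/iTerm2'`. The new `AND NOT homedir LIKE '~/%/bin'`, `'~/%/shims'` and `'~/%/plugins'` lines exempt any directory with that name at any depth under the home directory, a much wider exemption than the explicit entries they sit next to; listing the specific tool directories instead keeps the blind spot small. In the first hunk, the rewritten `certutil` and `chainctl` patterns lose their trailing slash while the rewritten IN-list entries such as `'/Users/Shared/LogiOptionsPlus/cache/'` gain one; the `directory` value can only follow one convention, so one of the two groups will not match — the page does not show which side is old, so confirm against the column's actual values. The enclosing query starts before this section.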


@ -223,6 +223,7 @@ WHERE
'/opt/X11/libexec',
'~/projects/go/bin',
'/run/current-system/sw/bin',
'/tmp/bin',
'/sbin',
'/usr/bin',
'/usr/lib',
@ -270,6 +271,7 @@ WHERE
AND dir NOT LIKE '/opt/%/bin'
AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
AND dir NOT LIKE '/private/tmp/go-build%/exe'
AND dir NOT LIKE '%/go/bin'
AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
AND dir NOT LIKE '/private/tmp/nix-build-%'
AND dir NOT LIKE '/private/var/folders/%/T/cargo-install%'
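Review bot: Adding `'/tmp/bin'` to the allowed-directory list exempts a location whose parent is world-writable, so executables placed there by any local account would no longer surface, and the new `AND dir NOT LIKE '%/go/bin'` matches a `go/bin` directory at any depth rather than the per-user default. If a specific provisioning tool populates `/tmp/bin`, scope the exception to it (owner uid or the specific file names, in the `exception_key` style used elsewhere in this commit); for Go, a constructed pattern like `'/Users/%/go/bin'` or `'/home/%/go/bin'` anchors it to the home directory. The enclosing WHERE clause continues outside the hunk.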


@ -107,6 +107,7 @@ WHERE
)
AND NOT exception_key IN (
'system_profiler,500,Google Drive,launchd',
'system_profiler,500,bash,launchd',
'system_profiler,0,launcher,launchd'
)
AND NOT p0_cmd LIKE '/usr/libexec/security_authtrampoline /Library/Application Support/Adobe/Adobe Desktop Common/ElevationManager/Adobe Installer auth%'
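Review bot: The new exception `'system_profiler,500,bash,launchd'` is keyed only on process name, uid and the two ancestor names, so it silences every `system_profiler` run from any bash script that launchd starts for that uid, which is a wide exemption for a system-enumeration command. Since the query already exposes command lines (`p0_cmd` is used on the following line), keying the exception on the specific script instead, e.g. `AND NOT (p0_cmd LIKE '/bin/bash <path-to-agent-script>%' AND ...)` with the real script path filled in (and whichever `p*_cmd` column holds the bash invocation — confirm), keeps the generic shell-to-system_profiler case visible. The enclosing WHERE clause starts before this hunk.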


@ -128,6 +128,7 @@ WHERE
'presenting.app',
'adoptium.net',
'balsamiq.com',
'bearly.ai',
'brave.com',
'cron.com',
'discord.com',


@ -59,16 +59,17 @@ WHERE
)
AND pmm.path LIKE "%.dylib"
AND exception_key NOT IN (
'500,Slack,/Applications/Slack.app/Contents/MacOS/Slack',
'500,Bitwarden,/Applications/Bitwarden.app/Contents/MacOS/Bitwarden',
'500,J8RPQ294UB.com.skitch.SkitchHelper,/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper',
'500,Revolt,/Applications/Revolt.app/Contents/MacOS/Revolt',
'500,Revolt Helper,/Applications/Revolt.app/Contents/Frameworks/Revolt Helper.app/Contents/MacOS/Revolt Helper',
'500,Revolt Helper (GPU),/Applications/Revolt.app/Contents/Frameworks/Revolt Helper (GPU).app/Contents/MacOS/Revolt Helper (GPU)',
'500,Slack,/Applications/Slack.app/Contents/MacOS/Slack',
'500,Slack Helper (GPU),/Applications/Slack.app/Contents/Frameworks/Slack Helper (GPU).app/Contents/MacOS/Slack Helper (GPU)',
'500,Slack Helper (Renderer),/Applications/Slack.app/Contents/Frameworks/Slack Helper (Renderer).app/Contents/MacOS/Slack Helper (Renderer)',
'500,Snagit 2020,/Applications/Snagit 2020.app/Contents/MacOS/Snagit 2020',
'500,Bitwarden,/Applications/Bitwarden.app/Contents/MacOS/Bitwarden',
'500,Revolt Helper (GPU),/Applications/Revolt.app/Contents/Frameworks/Revolt Helper (GPU).app/Contents/MacOS/Revolt Helper (GPU)',
'500,Revolt,/Applications/Revolt.app/Contents/MacOS/Revolt',
'500,Steam Helper,/Users/kaniini/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam Helper',
'500,SnagitHelper2020,/Applications/Snagit 2020.app/Contents/Library/LoginItems/SnagitHelper2020.app/Contents/MacOS/SnagitHelper2020',
'500,Steam Helper,/Users/kaniini/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam Helper',
'500,Todoist,/Applications/Todoist.app/Contents/MacOS/Todoist',
'500,WhatsApp Helper (GPU),/Applications/WhatsApp.app/Contents/Frameworks/WhatsApp Helper (GPU).app/Contents/MacOS/WhatsApp Helper (GPU)'
)