Custom Prevent Lists with Jamf Protect

Jamf Protect Documentation

Custom prevent lists allow you to block processes and quarantine files on computers based on file hashes and Apple-specific signing information.

With custom prevent lists, you can block processes using the following identifiers:

  • File hashes in the following formats:
    • SHA1
    • SHA256

  • Apple-specific signing information in the following formats:
    • Team IDs
      A developer signing certificate issued by Apple. Team IDs are formatted alphanumerically, such as "526FTYP998". Blocking a Team ID allows you to block all applications from a specific, possibly untrusted, vendor.
    • Code directory hash (CDHash)
      The executing binary's code section. CDHashes identify the code section of a signed binary, represented as a SHA1 hash. To obtain the CDHash for an executing binary, execute the following command:

      codesign -dvvv /path/to/binary

      Find the SHA1 hash value, and then copy and paste it into a prevent list.
    • Signing ID
      An application's identifier, such as com.apple.calculator. Adding a signing ID to a prevent list allows you to block all versions of a specific application, including copies of the application that evade process name and path restrictions. To obtain the signing ID of any signed binary, execute the following command:

      codesign -dv /path/to/binary

      The Identifier value will be the signing ID, which you can copy and paste into a prevent list.
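
The codesign lookups above can be scripted when many binaries need to be triaged. The shell function below is an added example, not part of Jamf's documentation or tooling: it parses codesign -dvvv output and prints the signing ID, CDHash and Team ID, skipping values that cannot be used in a prevent list. The function name, the output format and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Jamf's code): extract prevent-list identifiers from
# `codesign -dvvv` output. codesign writes its report to stderr, so on a Mac:
#   codesign -dvvv /path/to/binary 2>&1 | prevent_list_ids

# Reads codesign output on stdin; prints "type<TAB>value" for each usable
# identifier and warns on stderr about values that do not look right.
# An unsigned binary yields no key=value lines, so nothing is printed.
prevent_list_ids() {
  awk -F= '
    !index($0, "=") { next }
    { val = substr($0, index($0, "=") + 1) }
    $1 == "Identifier" { print "signing_id\t" val }
    $1 == "CDHash" {
      # Exact key match skips the CandidateCDHash lines; expect 40 hex chars.
      if (length(val) == 40 && val !~ /[^0-9a-f]/) print "cdhash\t" val
      else print "warning: unexpected CDHash: " val > "/dev/stderr"
    }
    $1 == "TeamIdentifier" {
      # Apple platform and ad hoc signed binaries report "not set",
      # so there is no Team ID to block on.
      if (val == "not set") next
      if (length(val) == 10 && val !~ /[^A-Z0-9]/) print "team_id\t" val
      else print "warning: unexpected Team ID: " val > "/dev/stderr"
    }'
}

# Constructed sample of codesign -dvvv output (all values are made up;
# the Team ID is the placeholder used in the text above).
SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (arm64)
CandidateCDHash sha256=0123456789abcdef0123456789abcdef01234567
CDHash=0123456789abcdef0123456789abcdef01234567
Authority=Developer ID Application: Example Corp (526FTYP998)
TeamIdentifier=526FTYP998'

printf '%s\n' "$SAMPLE_CODESIGN" | prevent_list_ids
```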