Blocklist / Allowlist
Finova · App execution controls · AI-assisted classification
Blocklisted: 24 apps restricted from running
Allowlisted: 183 explicitly trusted apps
Watchlist: 41 apps monitored for behavior changes

✦ AI model precision (last 90 days): 96.2% · 1 false positive out of 26 blocks
Blocklisted

| App / Hash | Threat / AI Reason | Rule Type | Confidence | Added | Reviewed by | Actions |
|---|---|---|---|---|---|---|
| npm: lightllm (sha256:a4f3...c91b · npm 0.2.1) | AMOS / Banshee family. ✦ Supply chain — outbound 185.220.101.47 (Tor exit node), reads ~/.aws/credentials + ~/.ssh/ | CEL | 97% | Apr 18 | J. Rodriguez | |
| unknown-binary-a (sha256:7c2b...f034 · unsigned) | AMOS infostealer candidate. ✦ Unsigned, no publisher cert — matches AMOS keychain dump + osascript password prompt patterns | Hash | 91% | Apr 17 | Auto-blocked | |
| osascript-fake-prompt.sh (sha256:3f8d...a12c · unsigned script) | Cthulhu / AMOS phishing. ✦ osascript fake password dialog injection — harvests macOS login credentials via social engineering prompt | CEL | 96% | Apr 16 | Auto-blocked | |
| dscl-wrapper.sh (no hash · shell script) | Banshee / AMOS credential dump. ✦ dscl -authonly flag detected — bypasses keychain to dump local account credentials (AMOS/Banshee technique) | CEL | 94% | Apr 15 | J. Rodriguez | |
| xattr-strip.sh (sha256:b9c1...4e72 · shell script) | Quarantine bypass. ✦ xattr -d com.apple.quarantine — strips Gatekeeper quarantine flag to allow unnotarized binary execution | CEL | 98% | Apr 12 | Auto-blocked | |
| node-gyp-unofficial (unofficial build · TeamID unverified) | Supply chain risk. ✦ Unofficial build, unverified TeamID — build provenance cannot be confirmed, code injection risk | TeamID | 88% | Apr 5 | J. Rodriguez | |
| cron-helper.sh (sha256:e3c9...77f2) | LaunchAgent persistence. ✦ LaunchAgent + cron-based persistence — writes to ~/Library/LaunchAgents/ for C2 beacon survival across reboots | PathRegex | 94% | Apr 3 | Auto-blocked | |
| chrome-remote-debug.sh (no hash · shell script) | Browser cookie theft. ✦ --remote-debugging-port flag — browser session theft via Chrome DevTools protocol; extracts cookies without decryption | CEL | 93% | Mar 29 | Auto-blocked | |
Allowlisted

| App / Publisher | Source | Trust Reason | Since | Actions |
|---|---|---|---|---|
| 1Password 8.x (AgileBits) | App Store | Trusted publisher, signed | Mar 1 | |
| Slack 4.x (Slack Technologies) | App Store | Corporate tool | Mar 1 | |
| Zoom 6.x (Zoom Video Communications) | App Store | Corporate tool | Mar 1 | |
| Google Chrome (Google LLC) | App Store | Corporate browser | Mar 1 | |
| Figma (Figma Inc) | App Store | Design tool | Mar 5 | |
| VS Code (Microsoft Corporation) | Signed binary | Corporate IDE | Mar 1 | |
| Docker Desktop (Docker Inc) | Signed binary | Dev tooling, reviewed | Mar 8 | |
| Postman (Postman Inc) | Signed binary | API testing, reviewed | Mar 12 | |
Watchlist

| App | Watch Reason | Events (7d) | Last Seen | Actions |
|---|---|---|---|---|
| Homebrew 4.2.1 | Elevated system path access | 347 | 2m ago | |
| GitHub CLI 2.47 | Accessing non-standard git remotes | 12 | 5m ago | |
| pyenv / python3.12 | Multiple interpreter versions installed | 8 | 1h ago | |
| VS Code AWS Toolkit | Fetching credentials from ~/.aws | 94 | 3h ago | |
| iTerm2 3.5 | Shell spawning unusual child processes | 23 | 1d ago | |
| Raycast | Plugin network access outside expected scope | 15 | 2d ago | |