Hi I just wanted to reignite this conversation. I am an admin at my institution and we use Jamf Protect for AV. Jamf Protect isn't blocking the plugin like others have experienced on Cloud Strike since we haven't configured it to do this. However we are receiving multiple email alerts every time someone is running Zotero 6.0.27.

I see you are now using curl to make the HTTP request between the plugin and the Zotero app. It looks like this new method is what is being deemed a risk by various AV products. I will post the information from our alerts here for context as to why it is being seen as a security risk:

Microsoft Office runs a number of software child processes on the regular. This analytic looks for some of the ones used frequently in attacks that do not occur regularly under the Office suite, implying a malicious Office macro may have been executed.

curl -s -o /dev/null -I -w %' -X GET ' command=addEditCitation&document=/Applications/Microsoft Word.app/&templateVersion

We have stopped updating Zotero to this latest version due to these many alerts we receive multiple times per user on version 6.27. I could create a rule in our AV to exempt these alerts, but this would be for any alerts triggered by the curl command. I would suggest maybe revisiting the changes you have made to the way the plugin works. It concerns me that this is the way forward since it appears to be a method used by malware developers and Apple/AV view it as a

I'm not sure what you mean by "Apple" viewing it as a risk - this is about false positives in AV software. The flagging here has nothing to do with Apple. Unfortunately we just don't currently have an alternative here. macOS Sonoma makes app-sandboxing changes that prevent the previous Word-to-Zotero communication method from working without triggering a permissions prompt every single time you start Zotero, with no way to allow it permanently. That's just not an acceptable user experience, so communicating via HTTP to localhost is the only option. And we can't detect the macOS version from within Word, so we need to switch to this method for all macOS versions. Having default detectors flag an unexpected process call is fine, but they obviously should be able to allow exceptions at a more granular level than the process name.
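As an added example (not code from this thread or from Zotero), a small Python classifier showing the granular exception the last reply asks for: an Office-spawned curl is allowed only when it targets a loopback host with a known plugin command in the query string, so any other curl from Word still alerts. The port, URL path and the addEditBibliography command are assumptions, and the sample events are constructed.

```python
import shlex
from urllib.parse import urlsplit, parse_qs

# Office parents and child binaries modelled on the alert quoted in the thread.
OFFICE_PARENTS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint"}
FLAGGED_CHILDREN = {"curl", "sh", "bash", "python3", "osascript"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Assumed allow-list: plugin commands as they appear in the alert's query string
# (addEditCitation is from the thread; addEditBibliography is a hypothetical extra).
ZOTERO_COMMANDS = {"addEditCitation", "addEditBibliography"}

def extract_url(argv):
    """Return the first argv token that is an http(s) URL, or None."""
    for token in argv[1:]:
        if token.startswith(("http://", "https://")):
            return token
    return None

def is_zotero_localhost_call(argv):
    """True only if curl targets a loopback host with exactly one known plugin command."""
    url = extract_url(argv)
    if url is None:
        return False
    parts = urlsplit(url)
    if parts.hostname not in LOOPBACK_HOSTS:
        return False
    command = parse_qs(parts.query).get("command", [])
    return len(command) == 1 and command[0] in ZOTERO_COMMANDS

def classify(event):
    """'ignore' (not Office->flagged child), 'allowed' (Zotero exception) or 'alert'."""
    if event["parent"] not in OFFICE_PARENTS or event["child"] not in FLAGGED_CHILDREN:
        return "ignore"
    if event["child"] == "curl" and is_zotero_localhost_call(event["argv"]):
        return "allowed"
    return "alert"

def ev(parent, cmdline):
    argv = shlex.split(cmdline)
    return {"parent": parent, "child": argv[0], "argv": argv}

# Constructed sample events; port 23119 and the /zotero path are assumptions, not from the thread.
PLUGIN_URL = "http://127.0.0.1:23119/zotero?command=addEditCitation&document=/Applications/Microsoft%20Word.app/&templateVersion=6"
SAMPLE_EVENTS = [
    ev("Microsoft Word", f"curl -s -o /dev/null -I -X GET '{PLUGIN_URL}'"),
    ev("Microsoft Word", "curl -s -o /dev/null -I -X GET 'http://203.0.113.9/x?command=addEditCitation'"),
    ev("Microsoft Word", "osascript -e 'display dialog \"hi\"'"),
    ev("Safari", "curl -s https://example.org/"),
]
```

Running `classify` over `SAMPLE_EVENTS` yields allowed, alert, alert, ignore: only the loopback call with a known command is exempted, while a non-loopback curl reusing the same query string still alerts.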