Jump to content

Possibility to protect the settings with a pin


Recommended Posts

@treed I think it would be useful to be able to protect, as in the Windows version, the program settings (in particular the MY ACCOUNT tab where there is the license key) in general with a Pin so that they are not visible / modifiable by anyone accessing the Mac; being able to choose which tabs to protect would be ideal.

Link to post
Share on other sites

I am totally shocked that you would allow anybody with such intent be allowed to access your Mac. Recent innovation requiring a login password / TouchID / Facial Recognition / Apple Watch proximity in order to access should be more than enough to protect Malwarebytes settings. Clearly there is much more sensitive information that would be available to such an intruder than just harvesting my license key.

I would also strongly object to my having to perform an extra step in order to change a setting, something almost no other app require. Off the top of my head, I can only think of selected System Preferences and access to passwords in Keychain, Safari and most password management apps that require an extra step to simply observe or make changes.

Link to post
Share on other sites

In my specific case it doesn't happen that someone accesses my Mac.

I simply found it a useful thing since I was aware of its presence in the Windows version (where however limited access to users is not mandatory).

However, it would not seem so burdensome to unblock to view / change settings similar to the macOS system settings.

Then everyone thinks as he sees fit.

Link to post
Share on other sites

It is useful for cases where a single system is shared among multiple users, particularly in a household where perhaps children are allowed to use the PC but you want to ensure they aren't able to ignore/exclude something or disable protection to access something harmful that might then infect the device.  This is the main purpose for these functions in the Windows version and I think it makes sense for the Mac version as well.  I'm not so much concerned about licenses being stolen as I am devices being infected because someone who isn't very responsible decides it's worth the risk to run that thing they downloaded that Malwarebytes detected/blocked or to visit that website Malwarebytes blocked and ends up infecting the device in the process.

Link to post
Share on other sites

32 minutes ago, exile360 said:

I think it makes sense for the Mac version as well.  I'm not so much concerned about licenses being stolen as I am devices being infected because someone who isn't very responsible decides it's worth the risk to run that thing they downloaded that Malwarebytes detected/blocked or to visit that website Malwarebytes blocked and ends up infecting the device in the process.

My wife and all children have separate accounts on my Macs. There is also a restricted Guest account. If any were still under age, they would have parental controls imposed, which should provide protection against the situation you outlined. But I need to check to see exactly what those other users are able to do with Malwarebytes before passing judgement.

After checking the Guest Account, I see that I was able to change settings, View and Disable the License, etc., so it does appear that some added degree of protection should be added. But I would recommend that it be the standard Admin password that is used for System settings, etc., rather than a unique PIN of some sort.

Edited by alvarnell
Link to post
Share on other sites

3 hours ago, alvarnell said:

 Clearly there is much more sensitive information that would be available to such an intruder than just harvesting my license key.

JUST A CLARIFICATION

I would just like to add that the MY ACCOUNT TAB should be protected exclusively because the tab contains the DISABLE LICENSE key which, if pressed, automatically excludes the real time protection making the Mac less secure automatically and not because the LICENSE KEY can be copied.

AND WITHOUT OPENING MALWAREBYTES YOU WOULD NOT KNOW

 

Link to post
Share on other sites

3 hours ago, alvarnell said:

My wife and all children have separate accounts on my Macs. There is also a restricted Guest account. If any were still under age, they would have parental controls imposed, which should provide protection against the situation you outlined. But I need to check to see exactly what those other users are able to do with Malwarebytes before passing judgement.

After checking the Guest Account, I see that I was able to change settings, View and Disable the License, etc., so it does appear that some added degree of protection should be added. But I would recommend that it be the standard Admin password that is used for System settings, etc., rather than a unique PIN of some sort.

Right, and in the Windows version you can set the password to whatever you wish, so if you wanted to you could use the same password for Malwarebytes that you use for the admin account.  It doesn't need to be restricted to some unique PIN or anything like that (and in fact I'd argue that would be a bad idea since it greatly reduces the number of possible strings making cracking it far too easy, especially for automated brute force attacking tools).

1 hour ago, MAXBAR1 said:

JUST A CLARIFICATION

I would just like to add that the MY ACCOUNT TAB should be protected exclusively because the tab contains the DISABLE LICENSE key which, if pressed, automatically excludes the real time protection making the Mac less secure automatically and not because the LICENSE KEY can be copied.

Right, just as with the Windows version, there should be an ability to restrict access to all of the program's functions/tabs selectively, especially those affecting protection, whether that be through disabling protection or through deactivating the license key.

Link to post
Share on other sites

12 hours ago, exile360 said:

Right, and in the Windows version you can set the password to whatever you wish, so if you wanted to you could use the same password for Malwarebytes that you use for the admin account.

No, that's not really sufficient. My point was that only an Admin account should be able to change settings. macOS provides the appropriate API's necessary to implement such restrictions.

Edited by alvarnell
Link to post
Share on other sites

Oh, I see what you mean.  Yes, that's certainly an option, though I'd argue that such functionality might cross over more into the business/enterprise/AD/GP area more so than consumer (unless most software is very different on Mac compared to Windows with regards to permissions etc.).  In the Windows world applications don't generally work this way if they can avoid it simply because many users will deliberately run under non-admin accounts for their own security, yet they still want full access to and control over their security applications should they need it (one of the reasons Malwarebytes on Windows uses a service oriented architecture where the UI and tray are just front-ends with limited/user-mode privileges/permissions that communicate with the drivers/core components through the service (and the service runs with highest permissions of course), with the service allowing itself to be controlled by approved processes (i.e. Malwarebytes' own executables; this way malware can't take control of the service with this access)).

Of course some older security applications, especially early after the release of Vista, would either require themselves to be launched as admin to fully function, or they would throw a UAC prompt or have a button to relaunch the app as admin if the user attempted to do anything that required admin permissions (I believe Spybot version 2 actually still works this way, though I believe that has more to do with the fact that it treats each function of the program as a completely separate app/process and doesn't run a service in the background to allow full permissions/access to all functionality, at least in their free version (their paid version may be different, I'm not sure).

Anyway, if what you describe is the common standard for AV/AM applications on MacOS then I won't argue against it, however if it is atypical then I might argue that it may not be the best user experience or the expected functionality by the majority of users and therefore might not be the best option.

Link to post
Share on other sites

Yes, Mac world is much different. The default is that the first user is always the admin. A few users will establish a standard account for normal operations, but most don't know enough to do so. But even from a non-admin account, you can make admin changes by simply entering the admin login name and password in the presented dialog, assuming you know it. Other users of that Mac probably won't have that info.

Link to post
Share on other sites

Cool, and it's typical for security software to require admin credentials to change settings etc.?  For example, Kaspersky or Norton on a Mac would require the admin password to change their settings?  I'm asking because typically Malwarebytes will try to follow whatever the industry standard is, so if other AV/AM applications on Mac don't require root admin credentials to change settings, then Malwarebytes probably won't either (or at least they'll try not to; sometimes these things are unavoidable if Malwarebytes' implementation of things is too different from typical AV/AM apps).

Link to post
Share on other sites

It's been years since I've allowed any of the mainstream AV software on my computer and I don't really feel like paying for any of them today just to find out. 

I checked Sophos Home (free) just now and see that the preference panel is locked with admin access for all settings.

Switched to Standard user and all of the following allowed me to change preferences without a pin or password. Most had limited preferences (updates. scan schedules & action upon detection) without access to critical features. A few allowed whitelisting.

  • Bitdefender Virus Scanner
  • ClamXAV
  • DetectX Swift
  • Dr. Antivirus
  • Dr․Web Light
  • MacScan 2 (no longer supported)
  • VirusBarrier Scanner

A few of the above require registration which could be entered or updated by a Standard User, but none appeared to allow deactivation.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.