Defender ASR problems with mycli-manifest.exe,swift-package.exe, sourcekit-lsp.exe and swift-test.exe

sven007 · January 17, 2024, 7:58am

Question from a security admin here: Is there a way to make the Swift tooling on Windows to use a different folder than "C:\Users[username]\AppData\Local\Temp" to create executables?

Unknown executables that run in a predictable folder is exactly what I want to prevent using Defender Attack Surface Reduction. So currently, our developers need to use a dedicated vm without access to our company infrastructure to develop Swift programs (execution of unknown programs in "...\Temp" will be blocked). That's not really an optimal experience (neither not having access to company resources, nor developing swift on a vm).

Because we fully understand that a developer does create unknown executables (that's her/his job), we have a special path for development where we don't apply some of the security rules - but excluding the temp folder from blocking unknown executables to run (even with a specific name) is not an option for us.

compnerd · February 7, 2024, 10:13pm

Hi!

This is interesting. I assume that you are building with SPM and that is the concern? I believe that this is the default temporary path on Windows, and SPM will use that for the emission of temporary content.

CC: @NeoNacho @Max_Desiatov

NeoNacho · February 7, 2024, 10:51pm

We don't have a way to specifically change where temporary executables end up, but setting any of these overrides should allow relocating temporary files in general: swift-tools-support-core/Sources/TSCBasic/FileSystem.swift at main · apple/swift-tools-support-core · GitHub