EtreCheck: how to enable full drive access?

Hello,

I just ran EtreCheck because I was curious how healthy my Mac is. It seems to be fine: no major issues.

In the minor issues section, just one remark: "more information could be given if full drive access is enabled."

How do I do this?

What I already did:

  • System Preferences, Privacy, enabled EtreCheck full drive access
  • My back-up drives I'm using for TimeMachine: enabled read and write for System and Wheel

On my internal HD I see that System has 'read and write', Wheel and Everyone have 'just read'. When I try to change this I get the message that I don't have the permission to do this.

MacBook Air

Posted on Mar 3, 2019 4:11 AM

Question marked as Best reply

Posted on Mar 3, 2019 9:43 AM

The differences and details of what EtreCheck calls Full Disk and Full Drive access are described in the EtreCheck documentation, and in the "I cannot get Full Drive Access to work?" section of the EtreCheck FAQ.


If what’s described there doesn’t work—and Mojave further locks down access, particularly around backups—use the EtreCheck support email.


As for the lockdown? Not having random stuff poking at backups makes ransomware that much more difficult.


For yet more details...


20 replies

Mar 3, 2019 10:18 AM in response to revmacian

"Well, it is just my opinion. If the system prevents certain files from being tampered with, then there is no point in EtreCheck needing access to check those files.. the fact that the app needs access to them raises a red flag. But, as I said.. just my opinion."


There is no tampering of any sort.

The system prevents files from being *accessed* if the application is not granted permission.

You, as the administrator of your Mac, can grant or revoke full disk access.

Note the explanation that appears right there in System Preferences:



EtreCheck is not "tampering" with anything. It provides information to you. If it is not allowed access to that information, then it cannot provide it.


Mar 3, 2019 6:18 AM in response to revmacian

That's the first time I have ever seen anybody here (in hundreds of positive recommendations) call EtreCheck potentially "unsafe". Sure, my two-year-old niece wanted to get into a closet I didn't want her getting into but I don't think her presence in my house made her "unsafe". She just said, "I can't get into that closet," and I told her, "Correct."

Mar 3, 2019 6:24 AM in response to mulberry58

I'm unsure, but perhaps contact the developer to ensure that your copy is indeed an unaltered copy of their software. People have been known to re-write popular software to add malicious code and then make it available to the public (anyone remember XcodeGhost?). Other than that, I wouldn't worry about it, the app still works.. although not as deeply as it wants to.

Mar 3, 2019 6:36 AM in response to mulberry58

"Ok, fair enough. Do you have any idea why EtreCheck still asks me to enable full drive access considering what I’ve already done to enable it?"

FWIW, your internal drive permissions are correct and should not be changed. They are also protected so you can't change them. They have nothing to do with EtreCheck.

Make sure EtreCheck is actually checked in System Preferences > Security & Privacy > Privacy > Full Disk Access.

Mar 4, 2019 1:23 PM in response to mulberry58

Full Drive Access has become a little complicated. Here’s the story...


The Mac App Store version of EtreCheck is limited by the Mac App Store sandbox. Many Mac App Store apps allow a partial escape from the sandbox by having the user save a reference to the root directory of the hard drive. Apple allows this, but does not encourage it. The command to access this needs to be hidden away in an app’s preferences. An app can’t demand it and has to provide functionality without it.


As of Mojave, Apple has extended the Mac App Store sandbox outside of the Mac App Store a little bit. Any apps running on Mojave need extra permissions to access certain protected directories.


So, if you are running the Mac App Store version of EtreCheck on Mojave, enabling Full Drive Access is a two-step process. Go to the EtreCheck menu and choose Preferences. Then choose the Privacy tab. There will be a button to enable Full Drive Access. If you click it, it will display a dialog with two Allow buttons. Click one button to allow EtreCheck to read the entire hard drive. Click the other button to open the Privacy pane in System Preferences and select Full Disk Access. You will have to manually add EtreCheck to the Full Disk Access list. Then, after quitting and restarting EtreCheck, it should have Full Drive Access enabled.


Note that EtreCheck uses the phrase Full Drive Access to account for this potentially two-step process to differentiate it from Mojave’s Full Disk Access. Confused yet?


None of this is related to permissions in the Finder or Time Machine.


And finally, there are some practicalities to worry about. Since an operating system function is required to make this happen, EtreCheck is dependent on the operating system functioning correctly. That doesn’t always happen. If you want to contact me using EtreCheck’s built-in support feature, there are a couple of tricks you can try to get it to work. There is even a Terminal command to reset it completely. It can be fixed, depending on how hard you want to work.

Mar 4, 2019 1:48 PM in response to revmacian

"macOS has certain safeties in place, such as preventing system files from being tampered with. The files that can't be tampered with don't really need to be checked by EtreCheck because malicious activity can't harm them anyway. If EtreCheck needs more than what you've done, I would consider removing it.. it's unsafe."

EtreCheck doesn’t require Full Drive Access, but it can provide additional information if Full Drive Access is enabled. There is an About button next to the Full Drive Access checkbox that describes what information EtreCheck is looking for.


The biggest issue is Time Machine, and that is because I’m such a big stickler for users having a Time Machine backup. Unfortunately, Apple stuck the Time Machine preferences file in /Library/Preferences. That is one of the locations that Apple considers sensitive.


Another important location for EtreCheck is /Library/Logs/DiagnosticReports because this is where Apple stores high CPU usage reports, crash reports, and kernel panics. In addition to Full Drive Access, this information also requires an administrator user due to permissions.


And finally, Full Drive Access allows EtreCheck’s list of software installs to show all version numbers.


And that’s it. EtreCheck runs as a normal user process and does not have any write access to system locations. Even without Full Drive Access, EtreCheck can still read most system locations. In any event, tampering of system files is not a significant threat. Those files are protected by System Integrity Protection and/or system permissions.


Although EtreCheck does check for adware, that is not its primary function. EtreCheck’s adware detection capabilities are not related to the Full Drive Access feature in any way. Due to a quirk in Apple’s design of the launchd subsystem, EtreCheck is able to identify adware even if Full Drive Access is not provided. In most cases, Apple can even verify the signature of files that it can’t access. That’s just clever programming on my part. 😄
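The thread separates two things that both surface as "can't read this file": ordinary Finder/Unix permissions and the Mojave privacy layer behind Full Disk Access. The read-only probe below is an added example, not code from EtreCheck or from anyone in this thread; it tells the two apart by the error the system returns. The Time Machine plist file name is an assumption (the post only names the /Library/Preferences directory), and the EPERM-versus-EACCES mapping reflects how macOS normally reports these denials.

```python
import errno
import os

# Locations named in the post above. The plist file name is an assumption
# added for this example; the post only names /Library/Preferences.
PROTECTED_PATHS = [
    "/Library/Preferences/com.apple.TimeMachine.plist",
    "/Library/Logs/DiagnosticReports",
]


def classify_errno(code):
    """Map the errno of a failed read to its likely cause on macOS."""
    if code == errno.ENOENT:
        return "missing"
    if code == errno.EACCES:
        # "Permission denied": owner/group/mode bits refuse the read.
        return "denied-by-file-permissions"
    if code == errno.EPERM:
        # "Operation not permitted": the mode bits may allow the read,
        # but the privacy layer (Full Disk Access) refuses it.
        return "denied-by-privacy-controls"
    return "error-%d" % code


def probe(path):
    """Attempt a read-only access to path and report the outcome."""
    try:
        if os.path.isdir(path):
            os.listdir(path)          # directories: try to enumerate
        else:
            with open(path, "rb") as handle:
                handle.read(1)        # files: try to read a single byte
    except OSError as exc:
        return classify_errno(exc.errno)
    return "readable"


if __name__ == "__main__":
    for path in PROTECTED_PATHS:
        print("%-55s %s" % (path, probe(path)))
```

When run from Terminal, the result reflects Terminal's own Full Disk Access setting rather than EtreCheck's, since the privacy decision is made per application.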
