Hands Off! introduction

Overview

The following provides an introduction to Hands Off!. We will cover the following topics:

  1. Requirements
    Prerequisites to successfully complete this tutorial.
  2. Notifications
    Explaining the information and options present in Hands Off! notifications.
  3. Configuration Application
    Explaining the information and preferences present in the Hands Off! configuration application.

Requirements

Before starting this tutorial, make sure you have the following items available:

  • Latest version of Hands Off!
  • Mac OS X 10.9.5 or higher

Notifications

To keep you and your computer secure, Hands Off! silently monitors all operations performed by the applications running on your computer. As soon as an application tries to perform an operation for which there is no rule defined, a Hands Off! notification will appear. The notification contains all the relevant information about the operation to allow you to make an informed decision. Moreover, until you answer the notification, the operation is safely blocked and Hands Off! keeps you protected.

Two types of Hands Off! notifications exist: preset and operation. Preset notifications are used to associate a default security preset with an application. Operation notifications are used to inform you of the occurrence of an operation for which there is no rule defined, so you can decide if you want to allow or deny it.

Preset Notifications

Hands Off! presets define the default security policy of applications. Therefore, if an application for which you do not have a Hands Off! preset defined is launched or tries to perform an operation which would trigger an operation notification, a preset notification will be displayed.

When creating an application security preset you need to define the policy for Network Usage and File Writing. The following options are offered:

Allow
Allow all operations for this application without further displaying notifications.
Deny
Deny all operations for this application without further displaying notifications.
Ask
When this application tries to perform an operation for which there is no rule defined, a Hands Off! notification will appear.
Always allow in temporary folders
Allow all file writing in temporary folders for this application. The selected File Writing policy still applies to file writing for other folders.

Note: Your choice creates a default security preset only for the particular application that prompted the notification.

To reduce the number of notifications and ensure the smooth running of your activities while maintaining top security, Hands Off! comes with default rules and automatically adjusts the default selection in the preset notification for commonly used applications. Therefore, simply using the default selection is always safe. Moreover, when the Use default set of rules checkbox is available in the preset notification, it means that Hands Off! has a set of default rules for this application, and leaving the checkbox selected tells Hands Off! to use them.

Tip: You can review or edit the default rules created using the Hands Off! configuration application.

Operation Notifications

When an application tries to perform an operation for which there is no rule defined, a Hands Off! notification will appear. Hands Off! monitors file reading and writing operations, domain name resolving, and network incoming and outgoing connections.

Tip: In the notification, you can click on the Magnifying Glass icon to access further details.

Regardless of the type of operation, the following duration options are offered:

Always
Allow or deny this operation type permanently. This creates a permanent rule.
Until Quit
Allow or deny such operations until the specified application terminates. This creates a temporary rule.
Until Reboot
Allow or deny such operations until the computer is rebooted. This creates a non-persistent rule.
Once
Allow or deny only this particular occurrence.

The other options offered depend on the type of operation Hands Off! intercepts.

For file reading and writing operations, the following options are offered:

All read and write operations
All read operations
All write operations
Apply to all files and folders.
Only in parent folder and subfolders
Apply to the parent folder of the current file or folder and recursively to subfolders.
Only in this folder and subfolders (folder only)
Apply to the current folder and recursively to subfolders.
Only in parent folder (file only)
Apply to the content of the parent folder of the current file.
Only in this folder (folder only)
Apply to the content of this folder.
Only in this file (file only)
Apply to the current file only.

For domain name resolving the following options are offered:

All domain resolving
Apply to the resolving of all domain names.
All domain resolving and outgoing connections
Apply to the resolving of all domain names and all subsequent outgoing network connections.
Only
Apply to the resolving of the specified domain.
Only and its outgoing connections
Apply to the resolving of the specified domain and all its subsequent outgoing network connections.

Note: Domain name resolving is the operation of converting a human-understandable domain name, such as www.oneperiodic.com, to an IP address, such as 192.168.1.1, which is used by computers to communicate. It is important to monitor these operations to avoid information leakage.

For network incoming and outgoing connections the following options are offered:

All incoming connections
All outgoing connections
Apply to all connections.
Only port ()
Apply to connections on the specified port.
Only protocol
Apply to connections using the specified protocol.
Only
Apply to connections to the specified domain name or IP address.
Only and port ()
Apply to connections to the specified domain name or IP address and port.
Only and protocol
Apply to connections to the specified domain name or IP address and protocol.

Once your selection is made, click on the Allow or Deny button to either continue or abort the operation respectively. If you chose Always, Until Quit or Until Reboot, a rule is created.

Tip: You can review or edit the rules created using the Hands Off! configuration application.

Keyboard Shortcuts

The notification options can be selected quickly using the keyboard. The Left and Right arrow keys enable you to navigate through the different duration options while the Up and Down arrow keys enable you to navigate through the other options.

The Return and Escape keys respectively select Allow and Deny in the notifications (if enabled in the Preferences). You may also use ⌘-Return and ⌥-Return to respectively choose Allow and Deny.

Preferences

Various options of the notification can be configured in the Hands Off! Preferences which can be accessed through the Hands Off! configuration application.

When an application does not have an associated default security preset
This option lets you choose the default behavior for preset notifications. If you choose Ask for a preset, a preset notification will be displayed when required and you will be able to select and confirm the preset to use for a particular application. If you choose Use this preset, preset notifications will not be displayed and applications will automatically be assigned the preset defined in the Preferences.
Default selection for rule duration in notifications
This option lets you choose the default rule duration selection to better match your personal preference, so you do not need to adjust it every time a notification is displayed.
Monitor system process network connections
Turn on this option to be notified about system process network connections. Only administrators are notified about these events, and only they can control this option.
Confirm with Return and Escape
Activating this option lets you use the Return and Escape keys to respectively choose Allow and Deny in the notifications. If you do not wish to use this option but still want to use the keyboard, you may instead use ⌘-Return and ⌥-Return to respectively choose Allow and Deny.

Configuration Application

Hands Off! controls the permissions of all applications on your computer using a set of rules. The Hands Off! configuration application allows you to review and edit those rules. It also allows you to customize the behavior of Hands Off! and the notifications through the various configuration options available in the Preferences.

Rules Window

The rules window lets you add, delete, edit and review rules. The Toolbar in the rules window includes the following elements:

Add
Create a new rule.
Remove
Delete the rule currently selected.
Edit
Modify the rule currently selected.
Enable/Disable rules
Enable or disable the use of the rules.
Preferences
Hide or show the preferences window.
Show
Filter the rule list to show only a given type of rule.
Search
Search the rule list for given words. The search field searches in the Application and Rule columns.
Rules List
List of the rules defined. See Rules List for detailed information.

Rules List

The rules list has the following columns:

Application
Shows the icon and name of the application to which the rule applies. An icon indicates that the rule refers to an application that is no longer present at the specified location.
User
An icon indicates that the rule applies to all users of the computer. No icon indicates that the rule applies only to you.
Protected
An icon indicates that the rule is protected and cannot be edited because it is essential for the proper working of your computer or was created by an administrator.
On
A check-box that indicates if the rule is currently enabled.
Network
An icon indicates that this rule allows some network operations. An icon indicates that this rule denies some network operations. An icon indicates that this rule will cause a notification to appear for some network operations. No icon indicates that this rule does not affect network operations.
File
An icon indicates that this rule allows some file operations. An icon indicates that this rule denies some file operations. An icon indicates that this rule will cause a notification to appear for some file operations. No icon indicates that this rule does not affect file operations.
Rule
Plain text description of the rule. Gray text color indicates a disabled rule.

Rule Editor Window

When adding or editing a rule you will use the rule editor window which will let you adjust the rule parameters through the following elements:

Application icon
Icon of the application to which the rule applies. An icon indicates that the rule refers to an application that is no longer present at the specified location. Click on the Application icon to reveal some actions.
Application name
Name of the application to which the rule applies or All Applications if this rule applies to all applications. Type the name of the application and Hands Off! will look on your computer to find its location.
Application path
Location of the application to which the rule applies.
Type
A rule can either be a preset or allow, deny or ask the user for a particular operation.
Class of operation
A rule can either target a file or network operation. See below for parameters specific to each class.
Type of operation
Rules for file operations can either be for reading, writing or both. Rules for network operations can either be for domain name resolving, incoming connections, outgoing connections or a combination.
Enabled
Indicates if the rule is currently enabled.
Global
Indicates that the rule applies to all users of the computer.
Until Reboot
Indicates that the rule is non-persistent and will be deleted upon reboot.
Until Quit
Indicates that the rule is temporary and will be deleted when the application quits.

A rule that applies for file operations has the following parameters:

Path
Path of the file or folder the rule applies to.
Apply to Subfolders (folder only)
Indicates if the rule only applies to the content of the folder or also recursively to the content of its subfolders.
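
The scope options offered in file notifications can be read as a Path plus an Apply to Subfolders flag. The following is an added example, not Hands Off! code: the option keys, function names and matching logic are assumptions made to illustrate how the scopes differ.

```python
import posixpath


def scope_to_rule(option, item):
    """Return (rule_path, apply_to_subfolders) for the item named in a notification.

    The short option keys are hypothetical labels for the options on this page.
    """
    item = posixpath.normpath(item)
    parent = posixpath.dirname(item)
    table = {
        "parent+subfolders": (parent, True),   # Only in parent folder and subfolders
        "folder+subfolders": (item, True),     # Only in this folder and subfolders
        "parent": (parent, False),             # Only in parent folder (file only)
        "folder": (item, False),               # Only in this folder (folder only)
        "file": (item, False),                 # Only in this file (file only)
    }
    return table[option]


def rule_covers(rule_path, apply_to_subfolders, target):
    """True if `target` falls inside the scope of the rule (assumed semantics)."""
    rule_path = posixpath.normpath(rule_path)
    # Collapse "." and ".." first so a path cannot merely look as if it sits
    # inside the rule's folder. normpath is lexical: symlinks are not resolved.
    target = posixpath.normpath(target)
    if target == rule_path:
        return True
    if not apply_to_subfolders:
        # Content of the folder only: the target must be a direct child.
        return posixpath.dirname(target) == rule_path
    # Compare whole path components, so /Documents does not cover /Documents-old.
    return target.startswith(rule_path.rstrip("/") + "/")


if __name__ == "__main__":
    # Constructed sample paths.
    path, recursive = scope_to_rule("parent+subfolders", "/Users/me/Documents/a/report.txt")
    for target in ("/Users/me/Documents/a/b/notes.txt",
                   "/Users/me/Documents/a/../../.ssh/id_rsa",
                   "/Users/me/Documents/a-old/notes.txt"):
        print(target, rule_covers(path, recursive, target))
```
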

A rule that applies for network operations has the following parameters:

Server
Destination server of the connection. The rule applies to connections to the specified source or destination only. Server can either be Any Server, a specific host identified using a Hostname or IP Address or a predefined set of addresses, such as your Local Network.
Port
Port of the connection. When specified, only connections to the designated port are affected by this rule. It can either be defined using a port number such as 80, using a service name such as http or using Any if the rule applies to any port.
Protocol
Protocol of the connection. When specified, only connections to the designated protocol are affected by this rule. It can either be defined using a protocol number such as 6, using a protocol name such as TCP or using Any if the rule applies to any protocol.

Tip: Advanced users can specify a range of IP addresses using CIDR notation (e.g. 192.168.1.0/24). The start and end IP addresses of the range are always displayed below the server field.
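
How the Server, Port and Protocol parameters narrow a network rule, and how the start and end of a CIDR range are derived, can be shown with a small model. This is an added example, not Hands Off! code: the NetworkRule class, the function names and the first-matching-rule order are assumptions, and hostnames are left out because matching them requires name resolution.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass
class NetworkRule:                   # hypothetical model, not the product's format
    action: str                      # "allow", "deny" or "ask"
    server: str = "Any"              # "Any", one IP address, or a CIDR range
    port: Optional[int] = None       # None stands for Any
    protocol: str = "Any"            # "Any", a name such as "TCP", or a number such as "6"


def cidr_bounds(server):
    """Start and end addresses of a range such as 192.168.1.0/24."""
    net = ipaddress.ip_network(server, strict=False)
    return str(net[0]), str(net[-1])


def protocol_number(protocol):
    """Accept a protocol number ("6") or a name ("TCP")."""
    if protocol.isdigit():
        return int(protocol)
    return getattr(socket, "IPPROTO_" + protocol.upper())


def matches(rule, ip, port, proto):
    """Every parameter that is not Any must match for the rule to apply."""
    if rule.server != "Any":
        net = ipaddress.ip_network(rule.server, strict=False)
        if ipaddress.ip_address(ip) not in net:
            return False
    if rule.port is not None and rule.port != port:
        return False
    if rule.protocol != "Any" and protocol_number(rule.protocol) != proto:
        return False
    return True


def decide(rules, ip, port, proto):
    """Assumed order: first matching rule wins; no rule means a notification."""
    for rule in rules:
        if matches(rule, ip, port, proto):
            return rule.action
    return "ask"


if __name__ == "__main__":
    rules = [NetworkRule("deny", "192.168.1.0/24", 80, "TCP")]  # constructed rule
    print(cidr_bounds("192.168.1.0/24"))
    print(decide(rules, "192.168.1.42", 80, 6), decide(rules, "192.168.1.42", 443, 6))
```
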