Though BlockBlock is conceptually simple, it is a rather complex piece of software.
BlockBlock is made up of two main components, a user-mode daemon running as root, and a user-mode agent running as the logged-in user (there can be multiple such agents if BlockBlock is installed for several users on the same system).
The daemon monitors various persistence locations to detect any new items.
Specifically, it (currently) watches for new kexts, launch daemons & agents, and new login items via the fsevents device (/dev/fsevents).
Once installed, BlockBlock will begin running and will be automatically started any time your computer is restarted, thus providing continual protection. If anything installs a persistent piece of software, BlockBlock aims to detect this and will display an informative alert:
The alert contains information such as:
The process responsible for the action:
The alert contains the process name, pid, path, and arguments. There are also clickable elements on the alert to show the process's code-signing information, VirusTotal detections, and process ancestry.
The persistent item that was installed:
The alert shows both the file that was modified to achieve persistence as well as the persistent item that was added.
If the process and the persisted item are trusted, simply click 'Allow'. If not, click 'Block'. Both actions will create a rule to remember your selection (unless you selected the 'temporarily' checkbox). If you decide to block an item, BlockBlock will remove the item from the file system, blocking the persistence.
The 'rule scope' option lets you control how the rule is applied. Via the drop-down, you can decide whether the rule should match any combination of the process, the persistence file, and the persistence item.
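As an added illustration (not BlockBlock's own code), the Python below sketches the two pieces described above: spotting a newly added launch agent/daemon plist and pulling the persistent item out of it, then evaluating allow/block rules whose scope is any combination of process, persistence file and persistence item. It polls directory snapshots instead of reading /dev/fsevents, and the rule layout, directory list and sample plist are assumptions.

```python
import os
import plistlib
import tempfile
from dataclasses import dataclass
from typing import Optional

def snapshot(dirs):
    """Map each .plist under the watched directories to its mtime; in practice dirs would be
    the launch daemon/agent folders (/Library/LaunchDaemons, /Library/LaunchAgents, ~/Library/LaunchAgents)."""
    seen = {}
    for d in dirs:
        for name in (os.listdir(d) if os.path.isdir(d) else []):
            p = os.path.join(d, name)
            if name.endswith(".plist") and os.path.isfile(p):
                seen[p] = os.stat(p).st_mtime
    return seen

def new_or_changed(before, after):
    """Plists that appeared or changed between two snapshots: the file modified to gain persistence."""
    return sorted(p for p, m in after.items() if before.get(p) != m)

def launch_item(path):
    """The persistent item behind a launchd plist: the program launchd will run."""
    with open(path, "rb") as f:
        pl = plistlib.load(f)
    args = pl.get("ProgramArguments") or [pl.get("Program", "")]
    return {"label": pl.get("Label", ""), "program": args[0], "file": path}

def write_launch_plist(label, program, directory=None):
    """Constructed sample input: a minimal launch agent plist (written to a temp dir by default)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, label + ".plist")
    with open(path, "wb") as f:
        plistlib.dump({"Label": label, "ProgramArguments": [program], "RunAtLoad": True}, f)
    return directory, path

@dataclass
class Rule:
    action: str                        # "allow" or "block"
    process: Optional[str] = None      # rule scope: a None field matches anything
    persist_file: Optional[str] = None
    persist_item: Optional[str] = None

def decide(rules, process, persist_file, persist_item):
    """First rule whose set fields all match wins; no match means the user is asked (the alert)."""
    for r in rules:
        pairs = ((r.process, process), (r.persist_file, persist_file), (r.persist_item, persist_item))
        if all(want is None or want == got for want, got in pairs):
            return r.action
    return "ask"
```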
Persistence events are either allowed or blocked based on user input, and those decisions are then turned into BlockBlock's rules. To open the rules window, click on 'Rules' in BlockBlock's status bar menu: