santa ☆

« Back to VersTracker

Description:
Binary authorization system

Type: Cask | Latest Version: 2026.2@0 | Tracked Since: Dec 17, 2025

Links: Homepage | formulae.brew.sh

Category: Security

Tags: security macos binary-authorization endpoint-security malware-prevention

Install: brew install --cask santa

About:
Santa is a binary authorization system for macOS that monitors and controls process execution using a rule-based approach. It can operate in a monitor-only mode to log execution events or in a block mode to prevent unauthorized binaries from running. This tool provides a robust security layer for detecting and preventing malware execution.

Key Features:

Kernel-level process monitoring via EndpointSecurity API
Flexible rule system (allowlist, blocklist, and certificate rules)
Event logging for forensic analysis
Support for both monitor and block modes
Integration with system extensions for enhanced security

Use Cases:

Preventing execution of known malware or unauthorized applications
Auditing process execution across an enterprise fleet
Enforcing compliance by blocking non-approved software
Investigating security incidents through execution logs

Alternatives:

BlockBlock – Focuses on persistent threat monitoring rather than real-time execution control
KnockKnock – Primarily for persistence enumeration, not live process blocking

Version History

Detected	Version	Change	Commit
Mar 3, 2026 10:46pm	2026.2	VERSION_BUMP	a8591e39
Jan 29, 2026 10:36pm	2026.1	VERSION_BUMP	10db69c1
Dec 18, 2025 7:39pm	2025.12	VERSION_BUMP	c6462c52
Dec 17, 2025 7:45pm	2025.11	VERSION_BUMP	14fd910b
Aug 28, 2025 7:50pm	2025.8	VERSION_BUMP	22fba37e
Jul 31, 2025 4:18pm	2025.7	VERSION_BUMP	e3133f18
Aug 7, 2024 3:54pm	2024.7	VERSION_BUMP	76691200
Jul 26, 2024 3:52pm	2024.6	VERSION_BUMP	0d342c12
Dec 24, 2023 9:24am	2023.10	VERSION_BUMP	9c677338
Nov 14, 2023 10:10am	2023.9	VERSION_BUMP	60c1dac6