F-Secure XFENCEDaemon causing huge CPU spike on MacOS when using npm install

F-Secure recently purchased a MacOS app called Little Flocker, a tool that restricts apps and system processes access to files without permission. It has rebranded that app as XFence and with one of the latest F-Secure SAFE updates, this XFence automatically gets installed on MacOS (even though its in Beta).

One of the challenges you might face is that XFence can also block access to legitimate apps (such as npm or mongodb) that access several files.

I recently faced the issue while running “npm install”. This command would basically hang, and upon CPU inspection, it turns out a process called XFENCEDaemon was using over 90% CPU. You can try to kill this process, but F-Secure will automatically bring it back so its useless. It can literally block your development work.

I reached out to F-Secure and they suggested the below solution which worked fine. So after this fix, “npm install” worked fine and there no spike in CPU usage while running “npm install”.

Note: You might have to change the node installation directory path based on your local installation!

1) Open Terminal app
2) Type in the command below to open the file that contains custom rules for XFENCE (it will prompt for the customer’s admin password)

sudo nano "/Users/Shared/F-Secure XFENCE/local.xfence.rc"

3) Add the entire line below to the first line of that file. You can just copy the line below with Command+C key combination and paste it to that file with Command+V key combination. 
allow prefix "/Users/" "/usr/local/Cellar/node/12.12.0/bin/node" rwcx "" "95efcb05d535725ea1bf5ee4ee0cc0b80eedb2d3e5b3df83c8be6167b373d55e" "0"

4) Press Control+O key combination and "Enter" key to confirm changes to the file. And then Control+X key combination to exit from the file editing mode

5) Reboot the Mac to apply these changes.

After applying those changes, and rebooting Mac, “npm install” commands work perfectly fine.

If you are having similar issues (CPU spike because of XFENCEDaemon) while using MongDB, please add the below snippet (one line) to the ‘local.xfence.rc’ file mentioned above (taken from this F-Secure forum post) :

Note: Remember to modify mongodb installation path based on your local installation (not sure why “/Users/” part is missing in this, so you can try without it, but if still causes issue, add “/Users/” like in the above snippet for ‘node’). Both these snippets are provided by F-Secure backend support team.

allow prefix "" "/usr/local/Cellar/mongodb-community/4.2.8/bin/mongod" rwcx "" "0dbd339de14d0947837f5e904a7dde3f48c4e4932a0e44bb5ec0731e0254daf5" "0"

One would hope F-Secure would provide a more better way to manage these issues, and ideally have them documented in a proper way so anybody facing such issues can resolve them easily. There should be a support article from F-Secure to explain all those options (e.g., what is rwcx, the long random characters, and the ending “0”), so developers can use them to resolve similar issues themselves (e.g, if any other CLI tool results in similar issues).

See Macworld article about F-Secure XFence and its previous history.

Update: 21.12.2020

Note with the latest F-Secure SAFE version 17.10, you can manage this via the preference section of F-Secure SAFE app.