Reply to BSM audit can't work in macOS 14 Sonoma beta
Hi eskimo, Thank you very much! I found the description:

```
DEPRECATION NOTICE
The audit(4) subsystem has been deprecated since macOS 11.0, disabled since macOS 14.0, and WILL BE REMOVED in a future version of macOS. Applications that require a security event stream should use the EndpointSecurity(7) API instead. On this version of macOS, you can re-enable audit(4) by renaming or copying /etc/security/audit_control.example to /etc/security/audit_control, re-enabling the system/com.apple.auditd service by running launchctl enable system/com.apple.auditd as root, and rebooting.
```

But I want to confirm: with the audit log, I can get the AUE_LISTEN/AUE_BIND events. I think these events should not be covered by EndpointSecurity, is that right? Will Network Extension cover these events? Thank you!
Jun ’23
Reply to VM: Accounts framework use lots of memory
Hi eskimo, Thank you for your response. I do these steps:

1. Use the `leaks` command to get the memory graph.
2. Use the `footprint` command to get the info:

```
Dirty      Clean  Reclaimable    Regions    Category
---        ---          ---        ---    ---
925 MB        0 B          0 B      14012    Accounts framework
```

3. Use the `vmmap` command to list the VM info; the VM info shows the addresses:

```
Accounts framework          130e45000-130e56000    [   68K     0K     0K    68K] r--/r-- SM=SHM
Accounts framework          130e56000-130e67000    [   68K     0K     0K    68K] r--/r-- SM=SHM
Accounts framework          130e67000-130e78000    [   68K     0K     0K    68K] r--/r-- SM=SHM
Accounts framework          130e78000-130e89000    [   68K     0K     0K    68K] r--/r-- SM=SHM
Accounts framework          130e89000-130e9a000    [   68K     0K     0K    68K] r--/r-- SM=SHM
Accounts framework          130e9a000-130eab000    [   68K     0K     0K    68K] r--/r-- SM=SHM
```

4. Then get the above trace trees with the address.
Aug ’22
Reply to VM: Accounts framework use lots of memory
Like this?

```
   3 Region Accounts framework region + 0 0x121ff0000
     2 0x7fcc3d023a00 [1536] +1341: 0x7fcc3d023f3d --> offset 65536
     + 1 Region __DATA_DIRTY /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation __DATA_DIRTY __data: '__CFRuntimeClassTable' + 2224 0x7fff80292090
     + 1 Region __DATA_DIRTY /System/Library/Frameworks/Security.framework/Versions/A/Security __DATA_DIRTY __bss: 'Security::KeychainCore::gTypes()::nexus' 0x7fff803182a0
     1 0x7fcc3be10650 [784] +477: 0x7fcc3be1082d --> offset 65663
      1 <icu::SharedDateFormatSymbols 0x7fcc3d02c000> [1536] +128: 0x7fcc3d02c080 --> offset 8
       1 0x7fcc3c813200 [3072] +2480: 0x7fcc3c813bb0
        1 0x7fcc3bf056a0 [80]  +0: 0x7fcc3bf056a0
         1 <icu::UnifiedCache 0x7fcc3bf05660> [64]  +8: 0x7fcc3bf05668
          1 Region __DATA_DIRTY /usr/lib/libicucore.A.dylib __DATA_DIRTY __bss + 3552 0x7fff8081cf30
   2 VM: Accounts framework 0x112bb2000-0x112bc3000 [V=68K] r--/r--
     2 Region Accounts framework region + 0 0x110ff0000
     2 0x7fcc3be06ea0 [432] +197: 0x7fcc3be06f65 --> offset 65663
      1 Region __DATA_DIRTY /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation __DATA_DIRTY __data: '__CFRuntimeClassTable' + 2176 0x7fff80292060
      1 Region __DATA_DIRTY /System/Library/Frameworks/Security.framework/Versions/A/Security __DATA_DIRTY __bss: 'Security::CodeSigning::gCFObjects' 0x7fff803180d8
```
Aug ’22
Reply to Error Loading Kext in Mojave
Hi guys and @eskimo, We are also having the exact same problem with a growing number of our users. For the recent customer, his macOS is 10.14.6, SIP is enabled, our KEXT is notarized and can be loaded after the customer reinstalls 10.14.6. The customer mentioned that he applied the macOS security update "2020-005" before the issue occurred. But from the release notes, it should not be related to the missing "restricted" flag. Do you have any idea? Thank you!
Nov ’20
Reply to BSM audit is deprecated
Hi Eskimo, Thank you for your nice reply! But I want to confirm: is there a feature list comparison? For example, with the audit log there are Authentication and authorization (aa) and Login/Logout (lo) events, but there seem to be no such events with Endpoint Security now. Is there any suggestion for such parts? Thank you very much!
Jul ’20