Hello,
My application monitors ES_EVENT_TYPE_NOTIFY_CLOSE. If a file is dragged to another location in Finder, Endpoint Security reports that the event ES_EVENT_TYPE_NOTIFY_CLOSE was performed by '/usr/libexec/xpcproxy'. So, xpcproxy is the process that performed ES_EVENT_TYPE_NOTIFY_CLOSE.
It looks like the dragged file is copied by some XPC service.
I have found that the audit user id is equal to the user who dragged the file.
Can the audit user id be used to identify the user who triggers the copy-file action in this case? If not, is there any way to obtain such info?
Thank you in advance!
Hello,
I am facing a misunderstanding about how to read USB device properties correctly.
The notification 'kIOTerminatedNotification' is delivered after an IOService has been terminated. Can I use IORegistryEntryCreateCFProperties() to get the properties of a terminated device?
I am asking because the I/O Registry is a dynamic database that captures the connections of all driver and nub objects currently active. However, can we say that a terminated device is still active?
If IORegistryEntryCreateCFProperties() cannot be used, is there any other way? (e.g. using a Device Interface)
Thank you in advance!
Hello,
I am working on an app which must prevent attaching any USB devices to a Mac for security reasons.
Unfortunately I have not found any direct way to implement such blocking:
It looks like IOKit does not allow blocking USB (at least in user space).
ES_EVENT_TYPE_AUTH_IOKIT_OPEN (Endpoint Security) does not prevent using a USB device if I send the response ES_AUTH_RESULT_DENY for "AppleUSBHostDeviceUserClient".
I have found several similar problems on the forum but no solution:
https://developer.apple.com/forums/thread/671193
https://developer.apple.com/forums/thread/756573
https://developer.apple.com/forums/thread/741051
What is the easiest way to implement such blocking?
Thank you in advance!
Hello,
I am trying to get the value of InterfaceClass for a particular USB device. I modified the matching dictionary and added the locationID property.
#include <CoreFoundation/CoreFoundation.h>
#include <IOKit/IOKitLib.h>
#include <IOKit/usb/IOUSBLib.h>
#include <IOKit/usb/AppleUSBDefinitions.h>

// Matching dictionary for IOUSBInterface objects.
CFMutableDictionaryRef matchingDictionary = IOServiceMatching(kIOUSBInterfaceClassName);
if (!matchingDictionary)
{
    return -1;
}
// Restrict the match to the interface with this locationID (value as in the original post).
int32_t locationID = 0xffff;
CFNumberRef cfLocationID = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &locationID);
CFDictionaryAddValue(matchingDictionary, CFSTR(kUSBHostPropertyLocationID), cfLocationID);
CFRelease(cfLocationID);
// IOServiceGetMatchingService consumes one reference to matchingDictionary.
io_service_t ioService = IOServiceGetMatchingService(kIOMasterPortDefault, matchingDictionary);
if (!ioService)
{
    return -1;
}
// Read bInterfaceClass from the matched interface object.
CFNumberRef cfInterfaceClass = (CFNumberRef)IORegistryEntrySearchCFProperty(ioService, kIOServicePlane, CFSTR(kUSBHostMatchingPropertyInterfaceClass), kCFAllocatorDefault, kNilOptions);
...
Unfortunately nothing is found and ioService is NULL. What can be wrong here?
Thank you in advance!
From time to time I see the error 'FAILED TO REGISTER PROCESS WITH CPS/CoreGraphics in WindowServer' if CGImageForProposedRect is called immediately after start:
https://developer.apple.com/documentation/appkit/nsimage/1519861-cgimageforproposedrect
_RegisterApplication(), FAILED TO REGISTER PROCESS WITH CPS/CoreGraphics in WindowServer, err=-50
This error appears only once during start. What does this error mean?
Thank you in advance!
I need to get the icon image of running applications in a daemon.
I have found the method iconForFile:
[[NSWorkspace sharedWorkspace] iconForFile: bundlePath];
However, as far as I know, the AppKit framework is not daemon-safe.
https://developer.apple.com/library/archive/technotes/tn2083/_index.html
So, the only way I see is to get the icon file path by parsing Info.plist.
However, the icon is not defined for some system apps, e.g.:
/System/Applications/Calendar.app
/System/Applications/System Settings.app
Is there any way to get the icons of system applications in daemon code?
Is it safe to use NSBundle in daemon code?
Thank you in advance.
Hello,
I need to implement network data filtering based on a Network Extension (network content filter).
Let's say I have a rule which leads to monitoring several data flows in parallel.
Is there any way to handle each data flow in a separate thread? (the number of threads equal to the number of analyzed flows)
If one flow is paused by pauseVerdict, will the filter data provider receive new data chunks in handleInboundDataFromFlow for other flows?
Is there any possibility to change a data flow on the fly?
Thank you in advance.
Hello,
Is there any way to get the IDs of all active user sessions in the system?
If I understand correctly, SessionGetInfo() returns only the caller's session info, but what about other sessions? Is there any way to get a list of all currently active sessions (I need the sessionID, not the userId) in a daemon?
Thank you in advance!
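Both the audit-user-id question earlier on this page and the session-id question above turn on what the audit token attached to every es_process_t actually carries: an audit user id (auid), the effective and real uids, the pid, and an audit session id (asid). The example below is added here and is not code from any of the posts; it decodes those fields with a portable stand-in for macOS's audit_token_t (on macOS use the real type from <mach/message.h> and the libbsm accessors instead), and the sample tokens are constructed.

```c
#include <stdint.h>

/* Constructed stand-in for the macOS audit_token_t from <mach/message.h>:
 * eight 32-bit words. On macOS include that header rather than redefining it. */
typedef struct {
    uint32_t val[8];
} audit_token_t;

/* Decoded view of the token. Field order follows the libbsm accessors
 * audit_token_to_auid/euid/egid/ruid/rgid/pid/asid/pidversion (<bsm/libbsm.h>);
 * on macOS call those accessors instead of indexing val[] yourself. */
typedef struct {
    uint32_t auid;       /* audit user id: set at login, survives setuid() */
    uint32_t euid;       /* effective uid the process runs as right now */
    uint32_t egid;
    uint32_t ruid;       /* real uid */
    uint32_t rgid;
    uint32_t pid;
    uint32_t asid;       /* audit session id: the login session the process belongs to */
    uint32_t pidversion; /* distinguishes a reused pid from the original process */
} audit_ids_t;

audit_ids_t decode_audit_token(const audit_token_t *t) {
    audit_ids_t ids = {
        .auid = t->val[0], .euid = t->val[1], .egid = t->val[2],
        .ruid = t->val[3], .rgid = t->val[4], .pid = t->val[5],
        .asid = t->val[6], .pidversion = t->val[7],
    };
    return ids;
}

/* Hypothetical helper: a token minted outside any login session carries
 * AU_DEFAUDITID (-1 as uint32) as its auid, so the auid only names a user
 * when it is something else. The asid is what ties the process to a session. */
int token_has_login_user(const audit_token_t *t) {
    return decode_audit_token(t).auid != (uint32_t)-1;
}
```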
Hello,
The documentation says CGDisplayCreateImage() is deprecated.
Is there any equivalent which can be used instead of CGDisplayCreateImage()? (any function which implements the same functionality)
Thank you for the help,
Pavel
Hello,
I am trying to get a notification about a change of the visible (top) window on the Desktop. I am using the NSWorkspaceDidActivateApplicationNotification notification and it works fine except when the currently active application is minimized.
Nothing is posted to the notification center if the active window is minimized.
Is there any way to get some notification about a change of the top window which is currently displayed on the Desktop?
Thank you in advance for your help!
Hello,
I am developing a launch agent which sets a signal handler for SIGTERM.
I am calling CFRunLoopRun() on the main thread.
Is it safe to call CFRunLoopStop(CFRunLoopGetMain()) in SIGTERM signal handler?
Thank you for your help!
Hello,
I am going to use the Endpoint Security framework in my application. Unfortunately, I have not found any clear-cut explanation of how to use Endpoint Security in multithreaded applications.
Can we say that the handler block (es_handler_block_t), which is the parameter of es_new_client(), is run on a separate thread?
Does es_new_client() create a new thread?
Should I synchronize the handler block and the code which calls es_delete_client()? Should I protect the handler block with a mutex?
Thank you in advance.