Post · Replies · Boosts · Views · Activity

Endpoint Security event muting issue
Recently we've discovered an issue affecting our products with regard to using the new Monterey+ API calls to selectively mute events. Specifically, whenever using es_mute_process_events or es_mute_path_events, the ES_EVENT_TYPE_NOTIFY_OPEN event is ignored for muting (meaning the call will return success, but the event will keep coming). This is true only for this event as far as I can tell; its AUTH counterpart stays muted (along with lots of other processes: clone, rename, close, unlink, fork, etc.). It fails whether the event is in a list of events or is singled out in a 1-sized vector of events. When using a dedicated client for this event and using the previous API, es_mute_process or es_mute_path, muting works as intended. Tested on Ventura 13.5 and 13.6. Is there something that can be done to prevent dedicated clients, or is this a known issue?
Replies: 5 · Boosts: 0 · Views: 941 · Activity: Oct ’23
Debugging Endpoint Security Client daemon
Hello. We have an endpoint security daemon which also uses some system extensions (network content filtering, file notifications). When building on debug with the correct entitlements (get-task-allow), we cannot attach with the debugger. More precisely, after attaching, instead of displaying thread information, the daemon just stops (in the logs a SIGKILL appears with no source). Before this happens, the system freezes for about 15-20 seconds, so I'm guessing it's some kind of watchdog that kills the app before the debugger can completely attach. The same happens with a custom-built GDB, as well as various versions of LLDB. How can we find out what kills the daemon, and maybe increase the timeout or find some other solution like that?
Replies: 2 · Boosts: 0 · Views: 1.7k · Activity: Jul ’21