Hello group,since there is a function called es_clear_cache() I was wondering which information the Endpint Security extension is caching, Are these results from AUTH responses or just internal housekeeping data?Frank FennSophos Inc.
Post
Replies
Boosts
Views
Activity
Hello all,I'm stuck, I have a ES client system extension installed which is misbehaving but not crashing. In its bad state it adds a 30 second delay to each file open call (AUTH_OPEN events) which make the system pretty much unresponsive.So I try to get rid of this extension, unfortunately with it running (SIP is disable) the system is unresponsive and attempts to use the systemextensionsctl command is impossible. With SIP turned on I can boot and log in normally, but now the systemextensionsctl tools is not available.Booting in recovery or single user mode I can see the extension in the SystemExtensions folder buit have no permissions to remove it.help is really appreciatedFrank
Hello communityso when my application (containing an Endpoint Security client system extension) launches for the first time,the user is asked to allow the extension, once done, the system wil load and run my extension communicatingwith my application nicely.When the application is restarted (let's say as result of a kill command) it will run at startup through the sameactivation request, which will of cource not prompt for any user interaction anymore and then the extensionreplacement callback is invoked (I guess because an extension is already active and running) where I reply with OSSystemExtensionReplacementActionReplace since there is only one version of the extension right now.At this point the runnig extension receives a SIG_TERM (15) and terminates but NOT reloaded!!!So for example after a reboot, the system extension starts running early, then the applciation is launched andis doing the things mentioned above resulting in a non-running extension until the app then is restarted again.Do I miss something here? Is tehre an API to find out if a extension is already runnign without trying to activate it?Frank FennSophos Inc.
Hello community,in our ES client running as a system extension we monitor AUTH_EXEC and AUTH_OPEN events.Some strange behaviour was seen with especially one application, the "Brave" inetrnet browser, but this might also be seen with other apps.For demonstration purposes I also monitored NOTIFY_EXEC1) 1st run of "Brave.app"2020-05-08 11:01:48.947 [3490:38296 TID:39168 sext] notify exec xpcproxy 36702020-05-08 11:01:48.953 [3490:38296 TID:40274 sext] auth exec Brave Browser2020-05-08 11:01:48.954 [TID:41429 sext] exec event Brave Browser with pid 3670 and category 192020-05-08 11:01:48.954 [3490:38296 TID:40274 sext] notify exec Brave Browser 3670the executable "Brave Browser" is seen in an AUTH_EXEC and NOTIFY_EXEC event2) the AUTH_EXEC event is responded with: es_respond_auth_result(client, messaage, ES_AUTH_RESULT_ALLOW, false);note: the cache flag is set to 'false'3) the "Brave.app" is launched the second time2020-05-08 11:02:55.312 [3490:38296 TID:42627 sext] notify exec xpcproxy 37342020-05-08 11:02:55.316 [3490:38296 TID:42626 sext] notify exec Brave Browser 3734note: no AUTH_EXEC event is beeing generated!!!4) triggering a cache reset with es_clear_cache(client);5) launching "Brava.app" again2020-05-08 11:03:54.505 [3490:38296 TID:43395 sext] notify exec xpcproxy 37902020-05-08 11:03:54.510 [3490:38296 TID:43243 sext] auth exec Brave Browser2020-05-08 11:03:54.510 [3487:38171 TID:41098 sext] exec event Brave Browser with pid 3790 and category 192020-05-08 11:03:54.510 [3490:38296 TID:43243 sext] notify exec Brave Browser 3790note: an AUTH_EXEC event is generated again.Other browser apps, like Safari, Chrome, FireFox do not show this behaviour. What is so special about the Brave.app?puzzled...Frank FennSophos Inc.
Hello,
we have an application running as root daemon style process. This process is linking against and using a framework which contains a stripped down version of python. Functions within the framework might want to delete files via a python script.
Under 10.15 it was enough to give the as root running App Full Disk Access rights to the function within the framework so it was able to delete files.
Under macOS Big Sur this seems no longer be the case. Both, framework and app, are properly signed and not sandboxed. Are there any additional steps to be taken?
Frank Fenn
Hello,
when FDA rights are given in macOS Monterey, the TCC entry reflects this and the process using ES Client works as expected.
entry as follows: kTCCServiceSystemPolicyAllFiles|com.sophos.endpoint.scanextension|...
after migrating the OS to Ventura beta 11 with the ES Client using process installed, the TCC entries read as follows:
kTCCServiceSystemPolicyAllFiles|com.sophos.endpoint.scanextension|...
kTCCServiceEndpointSecurityClient|com.sophos.endpoint.scanextension|...
The old entry is still present, causing our software to report that the precondition of FDA is still valid. But internally the ES Client will report an error when being created, since the newly introduced entry does not reflect the FDA permissions granted.
It can be manually solved by removing the executable from the FDA list in System preferences and re-adding it but this is not the ideal solution.
Is this a know problem?
Frank Fenn
Sophos Inc.
When installing our properly signed System Extension using ES Client on macOS Ventura RC we get the usual entry in the Full Disk Access panel of the System Settings as expected.
But, there is also now an entry fro the same system extension under the Developer Tools section in System Settings which can not be deleted or that status changed from on to off. But the enabled slider is magically linked to the enabled slider for the same extension in the Full Disk Access group of the settings.
Is this a bug or wanted behaviour?
Frank Fenn
Sophos Inc.
Hello, we are running a LaunchDaemon by creating a symlink into a .bundle which contains the plist.
On 13.0 the LaunchDaemon was added to the "Allow In the Background" list within "Login Items". After upgrading to 13.1 beta (and the 1st reboot) the item disappears from the list. A log message indicates the error: kLSNotAnApplicationErr. After the next reboot, our LaunchDaemon is no longer running, rendering our installation nonfunctional.
Do background applications (or the plist they reference to) need to be .app bundles from now on?
Frank Fenn
Sophos Inc.
Hello community
we have been using an Endpoint Security client within a system extension for quite a while now. After some users updated macOS to Sonoma, we got complaints about slower performance when using MS Office on Mac. The product features work as expected, and our system extension is loaded and delivers events.
Upon inspection of the log files, we found the following (but not on all machines):
[com.apple.TCC:access] Failed to create LSApplicationRecord for file:///Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension/: 'The operation couldn’t be completed. (OSStatus error -10811.)'
and
[com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.sophos.endpoint.scanextension, type: 0: 0x7fb63da318c0 at /Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension
for almost each event delivered. We are using XPC from the system extension to a non-priviliged daemon process to process file content.
A feedback has already been filed: FB13174804
An additional code-level support was returnd woithout any explanation.
Signing checks of the system extension and the containing app (daemon) on Sonoma turn up without any errros.
Any idea, whats going on here?
Frank Fenn
Sophos Inc.