Using the Endpoint Security framework cannot obtain all events from DesktopServicesHelper
We built a system extension with the ES framework and registered for AUTH_OPEN, AUTH_CREATE and other event types. After testing, it can get file system events successfully. For example, when we use the system extension to monitor the Finder process, it shows us all the file operations we did in the Finder app. But for the DesktopServicesHelper process, ES seems unable to get all the file events that DesktopServicesHelper actually performed: we pasted 10 files into a directory, and ES monitored AUTH_CREATE for 2 files in the new folders; it lost 8 file events.

Our test log:

默认 17:27:35.294079+0800 DesktopServicesHelper Read options: 1 -- URL: private -- purposeID: com.apple.desktopservices.copyengine -- claimID: 0709A049-AFEF-4618-8A61-3417F686ACDA
默认 17:27:35.298715+0800 DesktopServicesHelper Claim 0709A049-AFEF-4618-8A61-3417F686ACDA granted in client
默认 17:27:35.298743+0800 DesktopServicesHelper Claim 0709A049-AFEF-4618-8A61-3417F686ACDA invoked in client
默认 17:27:35.311764+0800 DesktopServicesHelper Read options: 1 -- URL: private -- purposeID: com.apple.desktopservices.copyengine -- claimID: 952CC31D-A23F-4C4D-8005-FD4245B29CFB
默认 17:27:35.318353+0800 DesktopServicesHelper Claim 952CC31D-A23F-4C4D-8005-FD4245B29CFB granted in client
默认 17:27:35.318423+0800 DesktopServicesHelper Claim 952CC31D-A23F-4C4D-8005-FD4245B29CFB invoked in client
默认 17:27:35.624607+0800 DesktopServicesHelper Read options: 1 -- URL: private -- purposeID: com.apple.desktopservices.copyengine -- claimID: A6AA8D96-2697-4D74-BD9C-3A0A1B0BC7FA
默认 17:27:35.625058+0800 DesktopServicesHelper Received claim A6AA8D96-2697-4D74-BD9C-3A0A1B0BC7FA
默认 17:27:35.625154+0800 DesktopServicesHelper Claim A6AA8D96-2697-4D74-BD9C-3A0A1B0BC7FA granted in server
默认 17:27:35.625638+0800 DesktopServicesHelper Claim A6AA8D96-2697-4D74-BD9C-3A0A1B0BC7FA invoked in client
默认 17:27:35.625833+0800 DesktopServicesHelper Claim A6AA8D96-2697-4D74-BD9C-3A0A1B0BC7FA was revoked
默认 17:27:35.626065+0800 DesktopServicesHelper Read options: 1 -- URL: private -- purposeID: com.apple.desktopservices.copyengine -- claimID: 5BD5A74D-35C2-4C02-A9A4-6ACE5780AFE1
默认 17:27:35.626308+0800 DesktopServicesHelper Received claim 5BD5A74D-35C2-4C02-A9A4-6ACE5780AFE1
默认 17:27:35.626526+0800 DesktopServicesHelper Claim 5BD5A74D-35C2-4C02-A9A4-6ACE5780AFE1 granted in server
默认 17:27:35.626739+0800 DesktopServicesHelper Claim 5BD5A74D-35C2-4C02-A9A4-6ACE5780AFE1 invoked in client
默认 17:27:35.626794+0800 DesktopServicesHelper Claim 5BD5A74D-35C2-4C02-A9A4-6ACE5780AFE1 was revoked
默认 17:27:35.627051+0800 DesktopServicesHelper Read options: 1 -- URL: private -- purposeID: com.apple.desktopservices.copyengine -- claimID: 5B93CA4D-3A8A-4A35-A322-9E83E861F4EE
默认 17:27:35.627577+0800 DesktopServicesHelper Received claim 5B93CA4D-3A8A-4A35-A322-9E83E861F4EE
默认 17:27:35.627657+0800 DesktopServicesHelper Claim 5B93CA4D-3A8A-4A35-A322-9E83E861F4EE granted in server
默认 17:27:35.627806+0800 DesktopServicesHelper Claim 5B93CA4D-3A8A-4A35-A322-9E83E861F4EE invoked in client
默认 17:27:35.627952+0800 DesktopServicesHelper Claim 5B93CA4D-3A8A-4A35-A322-9E83E861F4EE was revoked
默认 17:27:35.628140+0800 DesktopServicesHelper Read options: 1 -- URL: private -- purposeID: com.apple.desktopservices.copyengine -- claimID: F62C2FCE-F3F3-4C5B-8D2C-61B07E5C3300
默认 17:27:35.628437+0800 DesktopServicesHelper Received claim F62C2FCE-F3F3-4C5B-8D2C-61B07E5C3300
默认 17:27:35.628555+0800 DesktopServicesHelper Claim F62C2FCE-F3F3-4C5B-8D2C-61B07E5C3300 granted in server
默认 17:27:35.629003+0800 DesktopServicesHelper Claim F62C2FCE-F3F3-4C5B-8D2C-61B07E5C3300 invoked in client
默认 17:27:35.629106+0800 DesktopServicesHelper Claim F62C2FCE-F3F3-4C5B-8D2C-61B07E5C3300 was revoked
默认 17:27:35.630939+0800 DesktopServicesHelper Read options: 1 -- URL: private -- purposeID: com.apple.desktopservices.copyengine -- claimID: 62238E4D-9120-4846-834A-7EFA5C6E67D3
默认 17:27:35.631118+0800 DesktopServicesHelper Received claim 62238E4D-9120-4846-834A-7EFA5C6E67D3
默认 17:27:35.631212+0800 DesktopServicesHelper Claim 62238E4D-9120-4846-834A-7EFA5C6E67D3 granted in server
默认 17:27:35.631412+0800 DesktopServicesHelper Claim 62238E4D-9120-4846-834A-7EFA5C6E67D3 invoked in client
默认 17:27:35.631483+0800 DesktopServicesHelper Claim 62238E4D-9120-4846-834A-7EFA5C6E67D3 was revoked
默认 17:27:35.639940+0800 com.sangfor.dev.SfService.Extension [com.sangfor.dev.SfService.Extension] [D] [JUST FOR 2020] [-[MessageCommonHandler handleEvent:]] file: /Users/jiangsen/Desktop/test/20202020/destination/vmware_desktop 17.26.54/caches by process name: DesktopServicesHelper, process path: /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper, Event is 44, pid is 64552, started pid is 0
默认 17:27:35.640408+0800 com.sangfor.dev.SfService.Extension [com.sangfor.dev.SfService.Extension] [D] [JUST FOR 2020] [-[MessageCommonHandler handleEvent:]] file: /Users/jiangsen/Desktop/test/20202020/destination/vmware_desktop 17.26.54/caches/screenshots by process name: DesktopServicesHelper, process path: /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper, Event is 44, pid is 64552, started pid is 0

== Only the last two events of DesktopServicesHelper were reported by the ES system extension
Replies: 0 | Boosts: 0 | Views: 1.2k | Activity: May ’21

macOS13 system makes our process crash
Hi Team,

We have built a Developer ID level signed package and notarized it successfully. We tested the package on macOS12 and it ran successfully. But when we installed the same package on macOS13, it failed and reported that our process named "XTService" crashed. The crash log is:

Library not loaded: @rpath/FMDB.framework/Versions/A/FMDB "/Applications/XTApp.app/Contents/Resources/bin/XTService.app/Contents/Frameworks/FMDB.framework/Versions/A/FMDB' (code signature invalid in <90A347C8-9899-351A-818A-20984EFD00B5> '/Applications/XTApp.app/Contents/Resources/bin/XTService.app/Contents/Frameworks/FMDB.framework/Versions/A/FMDB' (errno=1) sliceOffset=0x00034000, codeBlobOffset=0x00029420, codeBlobSize=0x00005050)"

I used the codesign tool to check the FMDB file strictly, and it shows it is valid on disk. So I think the issue may be at the system level, and it has some relation to this thread https://developer.apple.com/forums/thread/128435 (where the issue is on iOS).

PS: My Xcode was signed with a paid account, and the package performs normally on macOS12. I use CocoaPods to manage the 3rd-party libraries, and I ensure the signature is correct.
Replies: 2 | Boosts: 0 | Views: 722 | Activity: Dec ’22