Hi, I was wondering if it was possible to intercept requests of any app running on my Mac and modify the headers or even add new ones. Can this be achieved using NEAppProxyProvider or the new NETransparentProxyProvider? Also, what is the difference between those two classes?
Hi, I was wondering about the remoteHostname property of NEFilterSocketFlow that is available on macOS 11.0+. I have been doing some tests and I can never seem to get a value; it is always nil. I am looking at all flows from all apps. In what cases will this property show up?
Hi, I want to get all domain names that my Mac queries. I think that NEDNSProxyProvider might be useful, but I don't want to handle the flows and redirect them; I only want the domain names for logging purposes. Can this be done?
Hi, how could I get the command line arguments of a process given its audit token?
My app is a Content Filter Network Extension written in Swift. I can obtain the audit token from NEFilterFlow but I can't figure out how to get the process arguments. I was able to get the pid from the audit token using audit_token_to_pid.
Hi, how could I tell in my OSSystemExtensionRequestDelegate if the request I receive is either an activation request or a deactivation one?
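One way to go from the flow's audit token to the process's argv, as an added example that is not the poster's code: the pid is read straight out of the token (the same value audit_token_to_pid returns), and the arguments come from sysctl(KERN_PROCARGS2). The NEFilterFlow.sourceAppAuditToken property is real; the parsing of the KERN_PROCARGS2 layout is this example's own.

```swift
import Foundation
import NetworkExtension

// Added example, not the poster's code. Reads argv through sysctl(KERN_PROCARGS2)
// starting from the audit token that a Content Filter receives with each flow.

/// The pid lives in field 5 of the token's `val` array; this is exactly what
/// audit_token_to_pid() from libbsm returns, without needing that header.
func pid(from token: audit_token_t) -> pid_t {
    return pid_t(token.val.5)
}

/// argv of `pid`, or nil if the process is gone or not readable.
/// A system extension runs as root, so every process on the machine is readable.
func commandLineArguments(of pid: pid_t) -> [String]? {
    var mib: [Int32] = [CTL_KERN, KERN_PROCARGS2, pid]
    var size = 0
    // First call: ask the kernel how large a buffer it needs.
    guard sysctl(&mib, UInt32(mib.count), nil, &size, nil, 0) == 0, size > 0 else { return nil }
    var buffer = [UInt8](repeating: 0, count: size)
    // Second call: on return `size` is the number of bytes actually written.
    guard sysctl(&mib, UInt32(mib.count), &buffer, &size, nil, 0) == 0,
          size > MemoryLayout<Int32>.size else { return nil }
    // Layout: Int32 argc | exec path\0 | \0 padding | argv[0]\0 ... argv[argc-1]\0 | environment
    let argc = Int(buffer.withUnsafeBytes { $0.load(as: Int32.self) })
    var offset = MemoryLayout<Int32>.size
    while offset < size && buffer[offset] != 0 { offset += 1 }   // skip the exec path
    while offset < size && buffer[offset] == 0 { offset += 1 }   // skip the padding
    var args: [String] = []
    var current: [UInt8] = []
    while offset < size && args.count < argc {
        if buffer[offset] == 0 {
            args.append(String(decoding: current, as: UTF8.self))
            current.removeAll(keepingCapacity: true)
        } else {
            current.append(buffer[offset])
        }
        offset += 1
    }
    return args
}

/// Entry point for a filter: NEFilterFlow.sourceAppAuditToken is Data wrapping an audit_token_t.
func commandLineArguments(for flow: NEFilterFlow) -> [String]? {
    guard let data = flow.sourceAppAuditToken,
          data.count == MemoryLayout<audit_token_t>.size else { return nil }
    var token = audit_token_t()
    _ = withUnsafeMutableBytes(of: &token) { _ = data.copyBytes(to: $0) }
    return commandLineArguments(of: pid(from: token))
}
```

KERN_PROCARGS2 reflects the argument area as it was at exec time, and a process can overwrite it afterwards, so treat the result as logging context rather than as a trustworthy input for a filtering decision.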
func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) {
    guard result == .completed else {
        return
    }
    // Take different actions depending on activation/deactivation
}
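One way to tell the two apart, as an added example and not the poster's code: the request object itself carries no kind, so the class that submits the requests keeps a reference to each and compares object identity in the delegate callbacks. The bundle identifier is a placeholder.

```swift
import Foundation
import SystemExtensions

// Added example, not the poster's code. OSSystemExtensionRequest exposes no "kind" property,
// so keep the request objects you submit and compare identity (===) in the delegate.
final class ExtensionInstaller: NSObject, OSSystemExtensionRequestDelegate {
    private let extensionID = "com.example.app.Extension"   // placeholder bundle identifier
    private var activation: OSSystemExtensionRequest?
    private var deactivation: OSSystemExtensionRequest?

    func activate() {
        let req = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionID, queue: .main)
        req.delegate = self
        activation = req
        OSSystemExtensionManager.shared.submitRequest(req)
    }
    func deactivate() {
        let req = OSSystemExtensionRequest.deactivationRequest(forExtensionWithIdentifier: extensionID, queue: .main)
        req.delegate = self
        deactivation = req
        OSSystemExtensionManager.shared.submitRequest(req)
    }
    private func kind(of request: OSSystemExtensionRequest) -> String {
        return request === activation ? "activation" : "deactivation"   // identity, not equality
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        switch result {
        case .completed:
            NSLog("%@ completed", kind(of: request))
        case .willCompleteAfterReboot:
            NSLog("%@ will complete after reboot", kind(of: request))
        @unknown default:
            NSLog("%@ finished with unknown result %ld", kind(of: request), result.rawValue)
        }
        if request === activation { activation = nil } else { deactivation = nil }
    }
    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        NSLog("%@ failed: %@", kind(of: request), error.localizedDescription)
    }
    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        NSLog("%@ is waiting for user approval in Security & Privacy", kind(of: request))
    }
    func request(_ request: OSSystemExtensionRequest, actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
        return .replace
    }
}
```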
Hi, I want some advice on how to handle the OSSystemExtensionRequest.Result.willCompleteAfterReboot on my app.
I have noticed that on some users' Macs, when they update and the new System Extension is loaded, the old one is deactivated and the new one is activated but does not start. It will only start after a reboot.
Is there a way to avoid this so I don't have to force dozens of users in my organization to reboot after every update to my system extension?
When I execute the command to list the extensions this is what I see. The new one is activated but it does not boot.
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
1231231231 com.organization.app.MyApp (2.0/1) MyApp [terminated waiting to uninstall on reboot]
* * 1231231231 com.organization.app.MyApp (2.1/1) MyApp [activated enabled]
Hi, I am trying to implement XPC between my helper app and my network extension. It is giving me this error when I try to get the remoteObjectProxyWithErrorHandler:
Error Domain=NSCocoaErrorDomain Code=4097 "connection to service on pid 0 named 9A48B11J6J.com.myapp.app.Extension" UserInfo={NSDebugDescription=connection to service on pid 0 named 9A48B11J6J.com.myapp.app.Extension}
Why could this be happening?
I have developed a Content Filter NE and I am seeing some flows that I don't understand, so I wanted to check if I am interpreting them correctly.
# Example Flow
bundle id: com.apple.opendirectoryd
localEndpoint.hostname: My mac's IP
localEndpoint.port: 55408
remoteEndpoint.hostname: Domain controller IP
remoteEndpoint.port: 389
direction: inbound
Looking at that flow, what I understand is that the Domain Controller is generating traffic to my Mac. Is this correct? I ask this because I thought DCs couldn't directly initiate a connection to a Mac. I get this flow when trying to join my Mac to the AD.
Hi, I am developing a Network Extension for macOS that runs constantly on my system. When I have a new update to release, the extension downloads the pkg installer into the /tmp directory and executes it with
sudo installer -pkg /tmp/installer.pkg -target /
I have noticed that on some systems, mainly Catalina, when the installer is executed the extension is replaced and activated but the process never launches, and after this happens I can't find a way to launch it aside from having the users reboot.
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
9A63A32J6B com.company.myapp.Agent (2.0/1) Agent [terminated waiting to uninstall on reboot]
* * 9A63A32J6B com.company.myapp.Agent (2.1/1) Agent [activated enabled]
As you can see, it does say enabled and activated, so I do not know what could be happening.
Hi, I am developing an Endpoint Security extension and I would like to get the full list of processes that ended up calling the process I receive in an event.
For example, if I receive an es_process_t I have this process's audit token; I would like to get the parent's audit token and then the parent's parent token and so on until I get the full list of processes. I hope I made myself clear :)
Hi, in my ES application I am trying to ignore execution events of Apple processes. I think the way to do this is to check for the is_platform_binary attribute of es_message_t, but I found that when executing Xcode this attribute is false. Is it because I downloaded it from the App Store?
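One way to build that chain, as an added example that is not the poster's code: Endpoint Security gives you the process's pid plus ppid and original_ppid in es_process_t but no parent audit tokens, so the ancestry is walked by pid through the kernel's process table with sysctl(KERN_PROC_PID) and kinfo_proc. The ProcessEntry type and the function names are this example's own.

```swift
import Foundation

// Added example, not the poster's code. Walks parent pids through the kernel process
// table; a parent that has already exited shows up as reparented to launchd (pid 1).

struct ProcessEntry {
    let pid: pid_t
    let ppid: pid_t
    let name: String   // p_comm, truncated by the kernel to 16 characters
}

/// Looks up one live process; nil if it has already exited (sysctl then returns size 0).
func processEntry(pid: pid_t) -> ProcessEntry? {
    var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, pid]
    var info = kinfo_proc()
    var size = MemoryLayout<kinfo_proc>.stride
    guard sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0) == 0, size > 0 else { return nil }
    let name = withUnsafeBytes(of: info.kp_proc.p_comm) {
        String(cString: $0.baseAddress!.assumingMemoryBound(to: CChar.self))
    }
    return ProcessEntry(pid: info.kp_proc.p_pid, ppid: info.kp_eproc.e_ppid, name: name)
}

/// Walks from `pid` up to launchd, stopping on a cycle or a missing entry.
/// For an ES event, seed with the message's process pid; to follow the ORIGINAL parent
/// rather than a reparented one, seed with es_process_t.original_ppid and prepend the
/// process itself, because ES records the original parent even after reparenting.
func ancestry(of pid: pid_t) -> [ProcessEntry] {
    var chain: [ProcessEntry] = []
    var seen = Set<pid_t>()
    var current = pid
    while current > 0, !seen.contains(current), let entry = processEntry(pid: current) {
        chain.append(entry)
        seen.insert(current)
        current = entry.ppid
    }
    return chain
}

/// Readable form, oldest ancestor first, e.g. "launchd(1) <- Terminal(522) <- zsh(530) <- curl(611)".
func describe(_ chain: [ProcessEntry]) -> String {
    return chain.reversed().map { "\($0.name)(\($0.pid))" }.joined(separator: " <- ")
}
```

The table only reflects processes that are still alive, so do the walk as soon as the event arrives rather than after the process has had time to exit.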
Also would checking for the "com.apple" prefix of the signing id be a good way to identify apple signed processes?
Hi, I was wondering how I could get the code directory hash string of an app given its audit token. I would like to do this in Swift. Thanks.
Hi, could someone help me convert the cdhash property from es_process_t to a String in Swift.
Thanks.
var cdhash: (UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8)
Hi, I have an endpoint security app and I was wondering what is the best way to check if a process was signed by a specific Developer ID certificate. Let's say I'm subscribed to auth_exec events and wanted to deny execution of processes signed with Developer ID Application: Adobe Inc.
Would obtaining the common names of the certificate with SecCertificateCopyCommonName and then comparing strings be the right way or am I missing something?
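One block serving the last four posts (identifying Apple-signed processes, the cdhash from an audit token, the es_process_t cdhash tuple as a String, and the Developer ID check), as an added example that is not the poster's code: the audit token is mapped to the running code with the Security framework, from which both the cdhash (kSecCodeInfoUnique) and a code-signing requirement evaluation follow. The function names and the ESCDHash typealias are this example's own; the requirement strings are standard csreq syntax.

```swift
import Foundation
import Security

// Added example, not the poster's code. Everything starts from the audit token an ES or
// filter message carries; SecCodeCopyGuestWithAttributes fails once the process has exited.

/// Static code object for the process identified by `token`, or nil if it is gone.
func staticCode(for token: audit_token_t) -> SecStaticCode? {
    var token = token
    let tokenData = Data(bytes: &token, count: MemoryLayout<audit_token_t>.size)
    let attrs: [CFString: Any] = [kSecGuestAttributeAudit: tokenData]
    var running: SecCode?
    guard SecCodeCopyGuestWithAttributes(nil, attrs as CFDictionary, [], &running) == errSecSuccess,
          let code = running else { return nil }
    var snapshot: SecStaticCode?
    guard SecCodeCopyStaticCode(code, [], &snapshot) == errSecSuccess else { return nil }
    return snapshot
}

/// Hex cdhash of the process's main executable, the value `codesign -dvvv` prints as CDHash.
func cdhashString(for token: audit_token_t) -> String? {
    guard let code = staticCode(for: token) else { return nil }
    var info: CFDictionary?
    guard SecCodeCopySigningInformation(code, [], &info) == errSecSuccess,
          let dict = info as? [String: Any],
          let cdhash = dict[kSecCodeInfoUnique as String] as? Data else { return nil }
    return cdhash.map { String(format: "%02x", $0) }.joined()
}

/// The same 20 bytes arrive in es_process_t.cdhash as a tuple; this renders that tuple.
typealias ESCDHash = (UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8,
                      UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8)
func cdhashString(fromESTuple cdhash: ESCDHash) -> String {
    return withUnsafeBytes(of: cdhash) { raw in raw.map { String(format: "%02x", $0) }.joined() }
}

/// True when the process's code satisfies a requirement in the csreq language, for example:
///   "anchor apple"            Apple's own software only (what "signed by Apple" usually means)
///   "anchor apple generic"    anything signed through Apple's CA, including App Store and Developer ID
///   "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID\""   one Developer ID team
/// This checks the whole chain and the signature, which a common-name string comparison does not.
func code(for token: audit_token_t, satisfies requirementText: String) -> Bool {
    guard let code = staticCode(for: token) else { return false }
    var requirement: SecRequirement?
    guard SecRequirementCreateWithString(requirementText as CFString, [], &requirement) == errSecSuccess
    else { return false }
    return SecStaticCodeCheckValidity(code, [], requirement) == errSecSuccess
}
```

In an auth_exec handler the es_process_t already carries signing_id and team_id, so the requirement check is the confirmation step behind those fields rather than a replacement for reading them.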
Hi, I was wondering if there is a way to monitor if a certificate is exported from the keychain. Either by using some of the apis Endpoint Security provides or using another method.
Thanks.