Using EndPointSecurity Extension

Folks,


I have been looking for an Xcode workspace that gives me form and structure about the 10.16 (upcoming) OS's EndPoint Security infrastructure. Found some online code that tries to execute (i.e. starting or loading the EndPoint Security framework) that I included in the workspace like any other framework.


Now if I try to debug ( or run ), I get the message Starting EndPoint Security ... Then it fails. MY ASSUMPTION HERE IS THAT THERE IS A SYSTEM LEVEL SERVICE THAT WOULD BE LAUNCHED AS A PROCESS FOR SECURITY EXTENSION ( server ).


It fails at the call to es_new_client(...)


Since the doc says to add an entry like the following in the entitlement file --


<key>com.apple.developer.endpoint-security.client</key>
<true/>


Adding it means the program does not even load; it crashes with

Crashed Thread: 0



Exception Type: EXC_CRASH (Code Signature Invalid). <----------------------------

Exception Codes: 0x0000000000000000, 0x0000000000000000

Exception Note: EXC_CORPSE_NOTIFY



DOES IT REALLY MEAN THAT THE ID I AM USING TO SIGN AUTOMATICALLY DOES NOT HAVE THE PERMISSION ????


KEYCHAIN SHOWS ALL ARE VALID IDs.



THANKS MUCH

Prokash


FYI ... not important !!!


kernel messages:



VM Regions Near 0 (cr2):

-->

__TEXT 0000000100000000-0000000100004000 [ 16K] r-x/r-x SM=COW



Thread 0 Crashed:

0 0x000000010000e000 _dyld_start + 0



Thread 0 crashed with X86 Thread State (64-bit):

rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000

rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffeefbff6b0

r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000

r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000

rip: 0x000000010000e000 rfl: 0x0000000000000200 cr2: 0x0000000000000000


Logical CPU: 0

Error Code: 0x00000000

Trap Number: 0





Binary Images:

0x100000000 - 0x100003ff7 + (0) <540848E4-D991-3FD4-92F9-0E59DCF11C72>

0x10000d000 - 0x10009b877 + (731.4) <C047D601-10E5-3D0A-BA98-87E22679F354>



External Modification Summary:

Calls made by other processes targeting this process:

task_for_pid: 0

thread_create: 0

thread_set_state: 0

Calls made by this process:

task_for_pid: 0

thread_create: 0

thread_set_state: 0

Calls made by all processes on this machine:

task_for_pid: 179896339

thread_create: 0

thread_set_state: 598



VM Region Summary:

ReadOnly portion of Libraries: Total=836K resident=0K(0%) swapped_out_or_unallocated=836K(100%)

Writable regions: Total=8404K written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=8404K(100%)

I'm having exactly the same issue here. Would really like some help

I am having the same problem also.

Has anyone here solved this ?

Well, Apple seems to have another push of binaries (that includes Xcode 11 updates). The initial beta that we all had did have some problems...


At any rate, please make sure that there are no more updates, by clicking Preferences and Software Updates. After that, if there is any Xcode update, it should pop up a message box asking to update additional tools!


Once all of them are checked, make sure to reboot.


Finally, to debug (if any of you made a command-line app and copied the EP sec GitHub code (by Oakrum!)), launch Xcode from the command line (kill any previously running instances of it), then open the app workspace. Otherwise use command-line LLDB with root permission.


So I'm able to debug through, and it is working in the sense that if you don't set breakpoints in and around the handler, you should be fine. The reason is that almost any AUTH event seems to have a deadline of ~0 sec.


What I still don't understand is that even if you bring just the FILE_OPEN AUTH event into your set of events to observe and handle, the system hangs (as if there are too many such events getting into the queue), or there is some problem in the implementation. I commented out any place where the new code is trying to sleep for some time.


Hope it helps!

Prokash
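For readers hitting the two problems in this thread (es_new_client() failing in the first post, and AUTH handlers stalling against the deadline in the follow-up), here is a minimal Objective-C command-line client written for this page as an added example; it is not code from the thread or from the GitHub project mentioned above. It maps every es_new_client() result code to the condition that has to be fixed (missing entitlement, no Full Disk Access approval, not root), and its handler answers AUTH events before doing anything else, using the flags response that ES_EVENT_TYPE_AUTH_OPEN requires. It assumes macOS 10.15 or later with the EndpointSecurity framework, a signature that carries com.apple.developer.endpoint-security.client (a restricted entitlement that Apple grants through a provisioning profile; a signature that claims it without such a profile is what produces the "Code Signature Invalid" crash at _dyld_start shown above, before any of this code runs), Full Disk Access for the binary, and execution as root. The file name es_client.m is an assumption.

```objective-c
// Added example, not the thread's or the referenced project's code.
// Minimal EndpointSecurity client: explains es_new_client() failures and
// answers AUTH events immediately so the short auth deadline is never missed.
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#include <mach/mach_time.h>

// Translate each es_new_client() result into the condition the developer must fix.
static const char *describe_new_client_result(es_new_client_result_t r) {
    switch (r) {
        case ES_NEW_CLIENT_RESULT_SUCCESS:              return "success";
        case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:     return "signature lacks com.apple.developer.endpoint-security.client";
        case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:    return "TCC denied: grant Full Disk Access to this binary";
        case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:   return "not running as root";
        case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS: return "too many ES clients already connected";
        case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT: return "invalid argument";
        case ES_NEW_CLIENT_RESULT_ERR_INTERNAL:         return "internal EndpointSecurity error";
    }
    return "unknown result";
}

// Milliseconds left before the system enforces msg->deadline (mach absolute time).
static uint64_t deadline_remaining_ms(uint64_t deadline) {
    static mach_timebase_info_data_t tb;
    if (tb.denom == 0) mach_timebase_info(&tb);
    uint64_t now = mach_absolute_time();
    if (deadline <= now) return 0;
    return (deadline - now) * tb.numer / tb.denom / 1000000ULL;
}

// Runs on an ES-owned thread: respond first, log afterwards, never block or sleep here.
static void handle_message(es_client_t *client, const es_message_t *msg) {
    if (msg->action_type == ES_ACTION_TYPE_AUTH) {
        uint64_t left = deadline_remaining_ms(msg->deadline);
        es_respond_result_t rr;
        if (msg->event_type == ES_EVENT_TYPE_AUTH_OPEN) {
            // AUTH_OPEN must be answered with a flags result; echoing the requested
            // fflag authorizes the open exactly as requested.
            rr = es_respond_flags_result(client, msg, msg->event.open.fflag, false);
        } else {
            rr = es_respond_auth_result(client, msg, ES_AUTH_RESULT_ALLOW, false);
        }
        if (rr != ES_RESPOND_RESULT_SUCCESS) {
            NSLog(@"respond failed (%d) with %llu ms left; a missed deadline gets the client terminated",
                  (int)rr, (unsigned long long)left);
        }
        return;
    }
    if (msg->event_type == ES_EVENT_TYPE_NOTIFY_EXEC) {
        // NOTIFY events carry no deadline, so logging here is harmless.
        const es_string_token_t *path = &msg->event.exec.target->executable->path;
        NSLog(@"exec: %.*s", (int)path->length, path->data);
    }
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        es_client_t *client = NULL;
        es_new_client_result_t res = es_new_client(&client,
            ^(es_client_t *c, const es_message_t *msg) { handle_message(c, msg); });
        if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
            NSLog(@"es_new_client failed: %s", describe_new_client_result(res));
            return 1;
        }
        es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_NOTIFY_EXEC };
        if (es_subscribe(client, events, sizeof events / sizeof events[0]) != ES_RETURN_SUCCESS) {
            NSLog(@"es_subscribe failed");
            es_delete_client(client);
            return 1;
        }
        NSLog(@"EndpointSecurity client connected; Ctrl-C to stop");
        dispatch_main();   // never returns; ES invokes the handler on its own threads
    }
    return 0;
}
```

Build with clang -fobjc-arc -framework Foundation -framework EndpointSecurity es_client.m -o es_client, sign it with an entitlements file containing the key quoted earlier in the thread, confirm the signature actually carries it with codesign -d --entitlements :- ./es_client, then run it under sudo. Because the handler returns within microseconds, breakpoints are the only thing that will make it miss the deadline, which matches the observation above that stepping inside the handler is what causes trouble.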

For anyone finding this - please see this post for the answer


https://forums.developer.apple.com/message/403168#403168
