Question about Endpoint Security

Hi, I'm trying to create a file monitor with Endpoint Security, and I use ES_EVENT_TYPE_NOTIFY_CREATE to monitor newly created files or folders. I found that ES_EVENT_TYPE_NOTIFY_CREATE doesn't get called when a .zip file is generated by compressing, or when new files and folders are generated by decompressing a .zip file.

1. Is this a bug, or am I using the wrong notify event?


When I reply with ES_AUTH_RESULT_DENY for the auth events, the system shows an alert saying "The operation can’t be completed because you don’t have permission to access some of the items."

2. Is it possible to customize this alert text, or to not show it at all?

Let’s start with the easy one:

2. Is it possible to customize this alert text, or to not show it at all?

No.

1. Is this a bug, or am I using the wrong notify event?

I’m confused. You said you want to monitor for file creation, in which case an ES_EVENT_TYPE_NOTIFY_*** event is correct, but then you also mentioned that you tried denying the event, in which case you should be using an ES_EVENT_TYPE_AUTH_*** event.

Regardless, my suggestion is that you try all four likely operations (ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_NOTIFY_OPEN, ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_NOTIFY_CREATE) to see which come through in this case.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
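
The experiment suggested in the reply above, written out as an added example (it is not part of the original thread and is not Apple's code): a command-line Endpoint Security client that subscribes to all four events, allows every auth event, and logs which ones arrive while a .zip is created or expanded. The helper names `text` and `target`, the `names` table and the log format are assumptions made for this sketch.

```swift
import EndpointSecurity
import Foundation
// Added example. Run as root, signed with the
// com.apple.developer.endpoint-security.client entitlement.

// es_string_token_t is length-delimited, so build the String from (data, length).
func text(_ t: es_string_token_t) -> String {
    guard t.length > 0 else { return "" }
    return String(data: Data(bytes: t.data, count: t.length), encoding: .utf8) ?? ""
}

// Path an event refers to. CREATE reports either an existing file or dir + new name.
func target(_ m: UnsafePointer<es_message_t>) -> String {
    switch m.pointee.event_type {
    case ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_NOTIFY_OPEN:
        return text(m.pointee.event.open.file.pointee.path)
    case ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_NOTIFY_CREATE:
        let c = m.pointee.event.create
        if c.destination_type == ES_DESTINATION_TYPE_NEW_PATH {
            return text(c.destination.new_path.dir.pointee.path) + "/"
                + text(c.destination.new_path.filename)
        }
        return text(c.destination.existing_file.pointee.path)
    default:
        return "?"
    }
}

let events = [ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_NOTIFY_OPEN,
              ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_NOTIFY_CREATE]
let names = ["AUTH_OPEN", "NOTIFY_OPEN", "AUTH_CREATE", "NOTIFY_CREATE"]

var client: OpaquePointer?
let result = es_new_client(&client) { c, msg in
    let type = msg.pointee.event_type
    // Answer auth events before logging (they carry a deadline). Always allow:
    // this client only observes which events are delivered.
    if msg.pointee.action_type == ES_ACTION_TYPE_AUTH {
        if type == ES_EVENT_TYPE_AUTH_OPEN {
            // AUTH_OPEN is a flags event: reply with the permitted open flags.
            es_respond_flags_result(c, msg, UInt32.max, false)
        } else {
            es_respond_auth_result(c, msg, ES_AUTH_RESULT_ALLOW, false)
        }
    }
    let name = events.firstIndex { $0 == type }.map { names[$0] } ?? "other"
    let exe = text(msg.pointee.process.pointee.executable.pointee.path)
    print("\(name) \(target(msg)) by \(exe)")
}
guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let es = client else { fatalError("es_new_client failed") }
guard es_subscribe(es, events, UInt32(events.count)) == ES_RETURN_SUCCESS else { fatalError("es_subscribe failed") }
dispatchMain()
```

Filtering the output on the archive's path while compressing and expanding in Finder shows which of the four events, if any, are delivered for each step.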