Endpoint Security deadline and sleeping

When an Endpoint Security client gets an auth message, one of the fields in that message is the deadline, as described in the ESMessage.h file as so:


* @field deadline The Mach time before which an auth event must be responded to.
*        If a client fails to respond to auth events prior to the `deadline`, the client will be killed.


What happens if the client gets the message and either the machine is put to sleep or the VM is suspended until past the deadline time and the client can't respond? Will the kernel still kill the client? Should it be smarter and understand sleeping / suspension?


I ask because I've seen many deaths upon waking my VM and seeing this dreaded message in the log.

"2020-03-10 10:50:08.284731-0700 0x430d Error 0x0 0 0 kernel: (EndpointSecurity) Client did not respond in appropriate amount of time (client pid: 773)"

Accepted Reply

So, it's not a clock time, but a run time?

I’m going to point you to the clock_gettime man page, which explicitly documents the properties of CLOCK_UPTIME_RAW and its correlation to Mach absolute time.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

My experience is that Mach absolute time stops when the CPU sleeps.

ps Are you using a pre-release Xcode here? My copy of <EndpointSecurity/ESMessage.h> doesn’t have that comment.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn,


Yes, Xcode 11.4 beta 3 (11N132i), running on 10.15.4 Beta (19E258a)


So, it's not a clock time, but a run time? I.e., it starts ticking on boot and pauses when it's asleep. I use the deadline and mach_time values to calculate a timeout value that I use to make sure we answer in time. Already had a timeout check, just updated it to use the MIN of this value (minus 1 second for a cushion) and our normal timeout value. But still occasionally see the above error message in the log after wakeup or resuming the VM after suspending it. Just made me wonder and post this question.


Thanks
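
The timeout calculation described in the post above (deadline minus current Mach time, less a cushion, capped at the client's normal timeout), as an added example that is not part of the original thread or of Apple's code. The function names and the split into a pure function plus a macOS-only wrapper are assumptions, and it assumes the deadline is expressed in Mach absolute time ticks.

```c
#include <stdint.h>
#ifdef __APPLE__
#include <mach/mach_time.h>
#endif

/* Convert Mach ticks to nanoseconds with the timebase fraction numer/denom,
 * saturating at UINT64_MAX instead of overflowing. */
static uint64_t ticks_to_ns(uint64_t ticks, uint32_t numer, uint32_t denom)
{
    if (denom == 0) return 0;
    uint64_t whole = ticks / denom, rem = ticks % denom;
    if (numer != 0 && whole > UINT64_MAX / numer) return UINT64_MAX;
    uint64_t a = whole * numer;
    uint64_t b = (rem * numer) / denom;   /* rem and numer are both < 2^32 */
    return (a > UINT64_MAX - b) ? UINT64_MAX : a + b;
}

/* Nanoseconds the client may spend before answering an auth event.
 * deadline and now are Mach absolute time ticks (assumption, see lead-in).
 * Returns 0 when the deadline, less the cushion, has already passed; the
 * caller should then reply at once with its default verdict. */
uint64_t response_budget_ns(uint64_t deadline, uint64_t now,
                            uint32_t numer, uint32_t denom,
                            uint64_t cushion_ns, uint64_t normal_timeout_ns)
{
    if (deadline <= now) return 0;        /* unsigned subtraction would wrap */
    uint64_t remaining = ticks_to_ns(deadline - now, numer, denom);
    if (remaining <= cushion_ns) return 0;
    uint64_t budget = remaining - cushion_ns;
    return budget < normal_timeout_ns ? budget : normal_timeout_ns;
}

#ifdef __APPLE__
/* Same calculation against the live Mach absolute time clock. */
uint64_t response_budget_now_ns(uint64_t deadline, uint64_t cushion_ns,
                                uint64_t normal_timeout_ns)
{
    mach_timebase_info_data_t tb;
    if (mach_timebase_info(&tb) != KERN_SUCCESS) return 0;
    return response_budget_ns(deadline, mach_absolute_time(),
                              tb.numer, tb.denom,
                              cushion_ns, normal_timeout_ns);
}
#endif
```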

Thank you, Quinn.

Since iOS14, mach_absolute_time()/CLOCK_UPTIME_RAW don't seem to stop while the device is asleep. Has anyone else seen this behavior? Any other clock to read to get the intended behavior of a clock that stops while asleep?

Hi, @mdolan. So, what was the reason for the message? Because I also receive such messages after restoring from snapshots, and then the Extension gets killed, every time by different processes - CVMCompiler, xpcproxy, mdworker_shared.