I'm not sure how to trigger dest type new path with create notification events.
I only ever see existing file. If I write a simple C program that creates a new file in a directory, I don't get ES_DESTINATION_TYPE_NEW_PATH, but instead get existing file but the file didn't exist prior. I don't mind the behaviour at all, since I get stat as part of existing file -- which is not available with the new path destination type.
I'm just wondering, under what circumstances would a destination type be ES_DESTINATION_TYPE_NEW_PATH with the event ES_EVENT_TYPE_NOTIFY_CREATE?
This seems to be pretty well covered by the doc comments in
<EndpointSecurity/ESMessage.h>ES_DESTINATION_TYPE_NEW_PATHShare and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"