Missing AUTH_EXEC event

Hello community,


In our ES client running as a system extension, we monitor AUTH_EXEC and AUTH_OPEN events.


Some strange behaviour was seen, especially with one application, the "Brave" internet browser, but this might also be seen with other apps.


For demonstration purposes I also monitored NOTIFY_EXEC.


1) 1st run of "Brave.app"


2020-05-08 11:01:48.947 [3490:38296 TID:39168 sext] notify exec xpcproxy 3670

2020-05-08 11:01:48.953 [3490:38296 TID:40274 sext] auth exec Brave Browser

2020-05-08 11:01:48.954 [TID:41429 sext] exec event Brave Browser with pid 3670 and category 19

2020-05-08 11:01:48.954 [3490:38296 TID:40274 sext] notify exec Brave Browser 3670


The executable "Brave Browser" is seen in an AUTH_EXEC and a NOTIFY_EXEC event.


2) the AUTH_EXEC event is responded to with: es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, false);


note: the cache flag is set to 'false'


3) the "Brave.app" is launched the second time


2020-05-08 11:02:55.312 [3490:38296 TID:42627 sext] notify exec xpcproxy 3734

2020-05-08 11:02:55.316 [3490:38296 TID:42626 sext] notify exec Brave Browser 3734


note: no AUTH_EXEC event is being generated!!!


4) triggering a cache reset with es_clear_cache(client);


5) launching "Brave.app" again


2020-05-08 11:03:54.505 [3490:38296 TID:43395 sext] notify exec xpcproxy 3790

2020-05-08 11:03:54.510 [3490:38296 TID:43243 sext] auth exec Brave Browser

2020-05-08 11:03:54.510 [3487:38171 TID:41098 sext] exec event Brave Browser with pid 3790 and category 19

2020-05-08 11:03:54.510 [3490:38296 TID:43243 sext] notify exec Brave Browser 3790


note: an AUTH_EXEC event is generated again.


Other browser apps, like Safari, Chrome and Firefox, do not show this behaviour. What is so special about the Brave.app?

puzzled...


Frank Fenn

Sophos Inc.
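
An added example, not part of the original post: a Python script that pairs each `notify exec` line with a preceding `auth exec` line for the same executable name and reports the launches that had no AUTH_EXEC. The log lines are copied from the post; the function name and the 1-second pairing window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the post above (three launches of Brave.app).
LOG = """\
2020-05-08 11:01:48.947 [3490:38296 TID:39168 sext] notify exec xpcproxy 3670
2020-05-08 11:01:48.953 [3490:38296 TID:40274 sext] auth exec Brave Browser
2020-05-08 11:01:48.954 [TID:41429 sext] exec event Brave Browser with pid 3670 and category 19
2020-05-08 11:01:48.954 [3490:38296 TID:40274 sext] notify exec Brave Browser 3670
2020-05-08 11:02:55.312 [3490:38296 TID:42627 sext] notify exec xpcproxy 3734
2020-05-08 11:02:55.316 [3490:38296 TID:42626 sext] notify exec Brave Browser 3734
2020-05-08 11:03:54.505 [3490:38296 TID:43395 sext] notify exec xpcproxy 3790
2020-05-08 11:03:54.510 [3490:38296 TID:43243 sext] auth exec Brave Browser
2020-05-08 11:03:54.510 [3487:38171 TID:41098 sext] exec event Brave Browser with pid 3790 and category 19
2020-05-08 11:03:54.510 [3490:38296 TID:43243 sext] notify exec Brave Browser 3790
"""

# timestamp, bracketed process/thread prefix, event kind, remainder of the line
LINE = re.compile(r"^(\S+ \S+) \[[^\]]*\] (auth|notify) exec (.+)$")


def execs_without_auth(log, window=timedelta(seconds=1)):
    """Return (name, pid) for every notify exec with no auth exec of the
    same executable name in the preceding `window` (assumed pairing rule)."""
    pending = {}  # name -> timestamps of auth exec lines not yet paired
    missing = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # "exec event ..." lines and blanks are not needed
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        if m.group(2) == "auth":
            pending.setdefault(m.group(3), []).append(ts)  # line has no pid
            continue
        name, pid = m.group(3).rsplit(" ", 1)
        paired = next((a for a in pending.get(name, [])
                       if timedelta(0) <= ts - a <= window), None)
        if paired is None:
            missing.append((name, int(pid)))
        else:
            pending[name].remove(paired)  # one auth pairs with one notify
    return missing


if __name__ == "__main__":
    for name, pid in execs_without_auth(LOG):
        print(f"no AUTH_EXEC seen for {name} (pid {pid})")
```

On the lines above, Brave Browser is reported only for pid 3734, the second launch; xpcproxy is reported for all three launches because the excerpt contains no `auth exec` line for it.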