ES_EVENT_TYPE_NOTIFY_CREATE event for new zip file creation

Hi,

I am implementing a feature to detect whenever a new zip file created in folder with EndpointSecurity API event 
Code Block 
ES_EVENT_TYPE_NOTIFY_CREATE
however this event is not triggered when we compress a folder for "zip" file. It's captured in 
Code Block 
ES_EVENT_TYPE_NOTIFY_OPEN
but that also triggered when just select any existing zip file so we can not distinguish between new and existing if I use 
Code Block 
ES_EVENT_TYPE_NOTIFY_OPEN
.

Let's say I have folder "test" and inside it there are several files and once we compress the folder "test" using mouse right click >> Compress "test". It will create "test.zip" in the same directory where "test" folder resides.

test.zip file is new file created based on compression so it should be captured with 
Code Block 
ES_EVENT_TYPE_NOTIFY_CREATE
.


Please help me to detect the zip file creation event with EndPoint Security API. Any sample or reference would be helpful.
Up vote post of MohmadVasim Down vote post of MohmadVasim
846 views
Posted by
MohmadVasim
Reply
Add a Comment

Accepted Reply

test.zip file is new file created based on compression so it should
be captured with ES_EVENT_TYPE_NOTIFY_CREATE.

That’s not quite how things work. When you create an archive like this, the Finder passes the work off to a helper process, ArchiveService. That creates the zip archive in the temporary directory and then, once it’s done, moves it into place. At no point is a file call test.zip created because the ArchiveService doesn’t use that name for its temporary file.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

test.zip file is new file created based on compression so it should
be captured with ES_EVENT_TYPE_NOTIFY_CREATE.

That’s not quite how things work. When you create an archive like this, the Finder passes the work off to a helper process, ArchiveService. That creates the zip archive in the temporary directory and then, once it’s done, moves it into place. At no point is a file call test.zip created because the ArchiveService doesn’t use that name for its temporary file.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment
Thanks for your provided help eskimo!
Posted by
MohmadVasim
Up vote reply of MohmadVasim Down vote reply of MohmadVasim
Add a Comment