EndpointSecurity System Extension … | Apple Developer Forums

EndpointSecurity System Extension gets killed randomly

Hi. I'm developing System Extensions that utilizes EndpointSecurity API.

The problem is, the Extension gets killed due to unknown reason by different processes:

Code Block Nov 24 11:12:44 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[940]): Service exited due to SIGKILL | sent by nsurlsessiond[420]
Nov 24 11:31:26 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[936]): Service exited due to SIGKILL | sent by xpcproxy[1152]
Nov 24 11:39:37 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[1155]): Service exited due to SIGKILL | sent by xpcproxy[1232]
Nov 24 12:29:59 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[929]): Service exited due to SIGKILL | sent by sandboxd[1129]
Nov 24 12:29:59 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[929]): Service exited due to SIGKILL | sent by sandboxd[1129]
Nov 24 18:45:14 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[961]): Service exited due to SIGKILL | sent by log[1045]
Nov 24 19:31:33 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[937]): Service exited due to SIGKILL | sent by sandboxd[1029]
Nov 24 23:17:45 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[930]): Service exited due to SIGKILL | sent by sandboxd[1004]
Nov 24 23:32:10 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[1011]): Service exited due to SIGKILL | sent by helpd[928]

Code Block
Nov 24 11:12:44 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[940]): Service exited due to SIGKILL \| sent by nsurlsessiond[420]

Nov 24 11:31:26 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[936]): Service exited due to SIGKILL \| sent by xpcproxy[1152]

Nov 24 11:39:37 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[1155]): Service exited due to SIGKILL \| sent by xpcproxy[1232]

Nov 24 12:29:59 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[929]): Service exited due to SIGKILL \| sent by sandboxd[1129]

Nov 24 12:29:59 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[929]): Service exited due to SIGKILL \| sent by sandboxd[1129]

Nov 24 18:45:14 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[961]): Service exited due to SIGKILL \| sent by log[1045]

Nov 24 19:31:33 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[937]): Service exited due to SIGKILL \| sent by sandboxd[1029]

Nov 24 23:17:45 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[930]): Service exited due to SIGKILL \| sent by sandboxd[1004]

Nov 24 23:32:10 myMac com.apple.xpc.launchd[1] (MYTEAM.com.my.Extension[1011]): Service exited due to SIGKILL \| sent by helpd[928]

Before termination, I see such logs:

Code Block 2020-11-24 23:19:27.560609+0200 0x2b00     Error       0x0                  0      0    kernel: (EndpointSecurity) Client did not respond in appropriate amount of time (client pid: 930)
2020-11-24 23:19:27.560673+0200 0x297b     Error       0x0                  0      0    kernel: (EndpointSecurity) Client did not respond in appropriate amount of time (client pid: 930)

Code Block
2020-11-24 23:19:27.560609+0200 0x2b00 Error 0x0 0 0 kernel: (EndpointSecurity) Client did not respond in appropriate amount of time (client pid: 930)

2020-11-24 23:19:27.560673+0200 0x297b Error 0x0 0 0 kernel: (EndpointSecurity) Client did not respond in appropriate amount of time (client pid: 930)

and then:

Code Block 2020-11-24 23:19:27.781038+0200 0x2ae4     Info        0x0                  929    0    endpointsecurityd: (CoreAnalytics) [com.apple.CoreAnalytics:client] Dropping com.apple.endpointsecurity.timeout as it isn't used in any transform (not in the config or budgeted?)

Code Block
2020-11-24 23:19:27.781038+0200 0x2ae4 Info 0x0 929 0 endpointsecurityd: (CoreAnalytics) [com.apple.CoreAnalytics:client] Dropping com.apple.endpointsecurity.timeout as it isn't used in any transform (not in the config or budgeted?)

I've checked sequence number of every type of es_message, nothing looks dropped.

Could it be connected to the fact the Extension was installed and started running on VM, then snapshot was done, and it continued after VM being restored from snapshot?

Please help, thanks a lot!