EndpointSecurity ES_EVENT_TYPE_AUTH_OPEN event deadline

Hello,

I would like to intercept the open event on a file in order to load it from a cloud. I am trying to use an EndpointSecurity extension but I don't know how to manage the "deadline" timeout.

I subscribed to the ES_EVENT_TYPE_AUTH_OPEN event. When I'm able to fetch the file before the event deadline, I call es_respond_flags_result with authorized_flags = 0xffffffff to accept, else I call it with authorized_flags = 0 to deny.

In the latter case, it is not satisfactory as the open process fails. How could I solve this issue?

Hi,

The only way to deal with the deadline is to either have your ES Client perform the required action within the deadline, or deny the Auth Event (without caching the result) and have your ES Client perform the action in the background, so that it is ready to allow/deny the Auth Event the next time it occurs.

An Apple Security Engineer has previously posted about managing the deadline: https://developer.apple.com/forums/thread/649552?answerId=615802022#615802022

Unfortunately, I doubt it's the answer you're looking for. Although I'm not sure that Endpoint Security is the best method for loading files from the cloud. A couple of alternatives come to mind:

  1. Using a VFS plug-in (not deprecated at the moment, but the way things are going you know it will eventually happen). I've done this before on a 'Dropbox' like product.
  2. Apple has recently made the File Provider framework available for macOS (docs say macOS 10.15+, but the required NSFileProviderReplicatedExtension protocol is only available from macOS 11.0): https://developer.apple.com/documentation/fileprovider/macos_support

Hope that's of some help,

Omar
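The two options in the answer above (respond within the deadline, or deny without caching while the fetch continues so the next open can be allowed), as an added example that is not part of the original posts and not Apple's code. It models only the decision logic and makes no EndpointSecurity calls; all names (`on_auth_open`, `fetch_done`, `margin`, the path table) are hypothetical, and leaving `cache` false for allow responses as well is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the policy only; it makes no EndpointSecurity calls. */
enum fetch_state { FETCH_NONE, FETCH_RUNNING, FETCH_READY };
enum action { ACT_ALLOW, ACT_DENY, ACT_WAIT };  /* WAIT: hold the message, re-check later */

struct entry { char path[256]; enum fetch_state state; };
struct decision {
    enum action action;
    uint32_t authorized_flags;  /* value to pass to es_respond_flags_result */
    bool cache;                 /* always false so the next open is re-evaluated */
    bool start_fetch;           /* caller should start the background download */
};

#define MAX_ENTRIES 64
static struct entry table[MAX_ENTRIES];
static size_t n_entries;

/* Find the entry for path, creating it on first sight; NULL if untrackable. */
static struct entry *lookup(const char *path) {
    for (size_t i = 0; i < n_entries; i++)
        if (strcmp(table[i].path, path) == 0) return &table[i];
    if (n_entries == MAX_ENTRIES || strlen(path) >= sizeof table[0].path)
        return NULL;
    struct entry *e = &table[n_entries++];
    strcpy(e->path, path);
    e->state = FETCH_NONE;
    return e;
}

/* Called by the (hypothetical) download worker once the file is on disk. */
void fetch_done(const char *path) {
    struct entry *e = lookup(path);
    if (e) e->state = FETCH_READY;
}

/* now, deadline and margin use the same clock as the event's deadline field. */
struct decision on_auth_open(const char *path, uint64_t now,
                             uint64_t deadline, uint64_t margin) {
    struct decision d = { ACT_DENY, 0, false, false };
    struct entry *e = lookup(path);
    if (!e) return d;                           /* untrackable path: deny */
    if (e->state == FETCH_NONE) { e->state = FETCH_RUNNING; d.start_fetch = true; }
    if (e->state == FETCH_READY) {
        d.action = ACT_ALLOW; d.authorized_flags = 0xffffffffu;
    } else if (deadline > now && deadline - now > margin) {
        d.action = ACT_WAIT;                    /* budget left: keep waiting */
    }                                           /* else deny; the fetch continues */
    return d;
}
```

In a real client, `ACT_WAIT` means keeping the message and calling `on_auth_open` again when the download finishes or a timer set to `deadline - margin` fires, so exactly one response is sent before the deadline.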

Thank you Omarlkram. FileProvider seems to be the solution of the future, but it is not easy to find an example of use. I will try to use it.
