Too many ES_EVENT_TYPE_NOTIFY_CLOSE events without corresponding OPEN event

Hi guys, I'm debugging an issue where an application modifies several files and the Endpoint Security System Extension is receiving many ES_EVENT_TYPE_NOTIFY_CLOSE events with the modify flag set to 'true' for each file. There are other ES_EVENT_TYPE_NOTIFY_CLOSE events with modify=false, but those are caused by system processes (md, mdsworker etc.), which is expected. However, I see very few ES_EVENT_TYPE_AUTH_OPEN events.

For one file I see, for example, 69 ES_EVENT_TYPE_NOTIFY_CLOSE events with modified=true and only 2 ES_EVENT_TYPE_AUTH_OPEN events with flags=2 (which I think is FWRITE).

I thought that for each ES_EVENT_TYPE_NOTIFY_CLOSE event I should have exactly one OPEN, CREATE, CLONE or other relevant event.

The documentation isn't very helpful, because it's probably only generated from the code. For ES_EVENT_TYPE_NOTIFY_CLOSE it says: "An identifier for a process that notifies endpoint security that it is closing a file." https://developer.apple.com/documentation/endpointsecurity/es_event_type_t/es_event_type_notify_close

When exactly does ES_EVENT_TYPE_NOTIFY_CLOSE get triggered? It doesn't look like it is fired only when closing a file. Is it possible that the application keeps the file open, performs a seek operation and then writes a few bytes, and after every write I get a CLOSE event? Is it only an indication of the end of a modification, or is it an indication of a closed file? If the file is truly closed, why don't I see more OPEN events, or to be exact, why don't I see a sequence of events OPEN, CLOSE, OPEN, CLOSE...?

Let's say that I need to scan a file for viruses. When receiving ES_EVENT_TYPE_AUTH_OPEN I can block access to the file, scan it and then allow access, but when receiving a CLOSE notification with an indication that the file was modified, do I need to scan it again? If I receive a CLOSE event with modify=true 50 times, do I need to scan the file every time to be sure that I capture a modification with potentially dangerous content? Or is the modify flag set to true even if the content does not change and only file attributes are changed?

Is there any documentation describing the relation between ES_EVENT_* events and the dependencies between them?

Thanks.
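One way to measure the OPEN-to-modified-CLOSE imbalance the question describes, and to avoid rescanning after every modified CLOSE, as an added Python example (not from the original post and not Apple's Endpoint Security API; the event records are constructed, and the FWRITE value and the coalescing policy are assumptions):

```python
from collections import defaultdict

# Constructed sample stream modelled on the fields the question mentions
# (event type, path, modified flag on CLOSE, fflag on OPEN); not real ES output.
SAMPLE_EVENTS = [
    {"type": "ES_EVENT_TYPE_AUTH_OPEN",    "path": "/Users/u/doc.txt", "flags": 2},
    {"type": "ES_EVENT_TYPE_NOTIFY_CLOSE", "path": "/Users/u/doc.txt", "modified": True},
    {"type": "ES_EVENT_TYPE_NOTIFY_CLOSE", "path": "/Users/u/doc.txt", "modified": True},
    {"type": "ES_EVENT_TYPE_NOTIFY_CLOSE", "path": "/Users/u/doc.txt", "modified": True},
    {"type": "ES_EVENT_TYPE_NOTIFY_CLOSE", "path": "/Users/u/doc.txt", "modified": False},  # e.g. an indexer reading it
    {"type": "ES_EVENT_TYPE_AUTH_OPEN",    "path": "/Users/u/other.txt", "flags": 1},
    {"type": "ES_EVENT_TYPE_NOTIFY_CLOSE", "path": "/Users/u/other.txt", "modified": False},
]

FWRITE = 0x2  # assumed: the write fflag bit, matching the flags=2 the question reports


def tally(events):
    """Count AUTH_OPEN (total and with write intent) and NOTIFY_CLOSE (modified vs not)
    per path, so the 69-closes-vs-2-opens pattern can be spotted per file."""
    counts = defaultdict(lambda: {"open": 0, "open_write": 0,
                                  "close_modified": 0, "close_unmodified": 0})
    for ev in events:
        c = counts[ev["path"]]
        if ev["type"] == "ES_EVENT_TYPE_AUTH_OPEN":
            c["open"] += 1
            if ev.get("flags", 0) & FWRITE:
                c["open_write"] += 1
        elif ev["type"] == "ES_EVENT_TYPE_NOTIFY_CLOSE":
            c["close_modified" if ev.get("modified") else "close_unmodified"] += 1
    return dict(counts)


def scan_plan(events):
    """Assumed coalescing policy (not ES semantics): scan on AUTH_OPEN before access
    is granted, and scan once per burst of modified CLOSEs instead of once per CLOSE.
    A path becomes dirty on the first CLOSE with modified=True; it is rescanned when
    the burst ends (next non-modified event for that path, or end of stream)."""
    dirty, scans = set(), []
    for ev in events:
        path = ev["path"]
        if ev["type"] == "ES_EVENT_TYPE_NOTIFY_CLOSE" and ev.get("modified"):
            dirty.add(path)          # coalesce: no scan yet, just remember it changed
            continue
        if path in dirty:            # burst of modified closes is over for this path
            scans.append((path, "after-modification"))
            dirty.discard(path)
        if ev["type"] == "ES_EVENT_TYPE_AUTH_OPEN":
            scans.append((path, "before-open"))
    scans.extend((p, "after-modification") for p in sorted(dirty))  # flush at end
    return scans
```

On the sample stream the three modified closes of doc.txt collapse into a single after-modification scan, while each AUTH_OPEN still gets its pre-access scan.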
