Hi guys,
Is there a way to detect whether an es_message_t reports an event in which a process is trying to access a file in a sandbox? Is there a way to mute this type of event? I know it is possible to mute a process, but that process might still access locations other than just the sandbox.
For example Apple's installd needs access to: /Library/InstallerSandboxes/.PKInstallSandboxManager/DE149785-B407-4C06-9571-5A2AA81D061E.activeSandbox
Extracting file:///var/folders/rw/spcsf6q91wvdp7306_4fw9mh0000gn/C/com.apple.appstoreagent/com.apple.appstore/F566BEB3-D9FA-4C14-8ABF-1C2ED22FC90A/mzps15464275679007221414.pkg#OneNote.pkg (destination=/Library/InstallerSandboxes/.PKInstallSandboxManager/DE149785-B407-4C06-9571-5A2AA81D061E.activeSandbox/Root/Applications, uid=0)
I would like to ignore this event. For example, es_process_t has an isPlatformBinary flag. Is there a similar flag for sandboxes in es_message_t or es_file_t, e.g. isSandboxed?
Thanks, Robert