Here's the scenario: I have two processes on my computer, named A and B. Both processes are monitored by the ESF, and both processes monitor the same ESF events, such as ES_EVENT_TYPE_AUTH_EXEC and ES_EVENT_TYPE_AUTH_OPEN.
I’m not sure I understand what you’re asking here. I think you’re saying that:
A and B are two independent programs.
They both use the Endpoint Security framework to monitor specific events.
Is that right?
Presuming that’s the case, let’s answer your questions:
If processes A and B run at the same time, will event conflict occur?
That depends on what you mean by “conflict”. ES supports multiple clients just fine. The behaviour you get depends on the event type:
Notification events (like ES_EVENT_TYPE_NOTIFY_EXEC) are delivered to each client. These are just notifications, so there’s no ordering guarantee [1].
Authorisation events (like ES_EVENT_TYPE_AUTH_EXEC) are alse delivered to each client. If any client denies the event, ES denies it. This means that ES has to wait for all clients to respond before allowing it.
In ESF event processing, is there any way to achieve full event listening and keep cpu usage low
That depends on what you mean by “full event listening”. If your ES client subscribes to every possible event then, yeah, performance is going to suffer. To get better performance:
Minimise the number of event types that you listen to.
Make good use of the ‘mute’ APIs to avoid events that you don’t care about.
If you’re getting started with ES, I recommend that you watch WWDC 2020 Session 10159 Build an Endpoint Security app, which is full of great hints and tips.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Other that each client will receive the notification some time after the event has happened. Sadly, ES is not able to predict the future (-: