can't get a signal event while quiting process with Activity Monitor

hi, all

I subscribe AUTH_SIGNAL event with ESF.

and test if it can prevent Activity Monitor from killing processes in the list below.

I can stop "Force Quit"(sigkill) to all five processes, but "Quit"(sigterm?) to four processes except "Typora".

I'm pretty sure that I didn't get a signal event when I used Activity Monitor to "Quit" typora.

how Activity Monitor "Quit" the "Typora"?

it looks like the Activity Monitor "Quit" the App Process with a different way(not through sending signal).

Answered by DTS Engineer in 801261022

I'm pretty sure that I didn't get a signal event when I used Activity Monitor to "Quit" typora. how Activity Monitor "Quit" the "Typora"?

it looks like the Activity Monitor "Quit" the App Process with a different way(not through sending signal).

I get the reason, it's through Apple Event.

Just to clear up the detail of this, it is sending an AppleEvent and that also isn't something you'd generally need/want to interfere with from the Endpoint Security layer. AppleEvents are a messaging format/system and are basically all "cooperative". That is, what "Typora" actually received was basically a "Quit request". It did not HAVE to quit and, in fact, the quit event is what triggers the "Are you sure you want to Quit?"/Unsaved work warning/etc. you see in apps. If you had some security sensitive app that should not be quit, then you'd implement that by simply... not having the app quit.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

I get the reason, it's through Apple Event.

Accepted Answer

I'm pretty sure that I didn't get a signal event when I used Activity Monitor to "Quit" typora. how Activity Monitor "Quit" the "Typora"?

it looks like the Activity Monitor "Quit" the App Process with a different way(not through sending signal).

I get the reason, it's through Apple Event.

Just to clear up the detail of this, it is sending an AppleEvent and that also isn't something you'd generally need/want to interfere with from the Endpoint Security layer. AppleEvents are a messaging format/system and are basically all "cooperative". That is, what "Typora" actually received was basically a "Quit request". It did not HAVE to quit and, in fact, the quit event is what triggers the "Are you sure you want to Quit?"/Unsaved work warning/etc. you see in apps. If you had some security sensitive app that should not be quit, then you'd implement that by simply... not having the app quit.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

can't get a signal event while quiting process with Activity Monitor
 
 
Q