Hi all,
I subscribe to the AUTH_SIGNAL event with ESF
and test whether it can prevent Activity Monitor from killing the processes in the list below.
I can stop "Force Quit" (SIGKILL) for all five processes, but "Quit" (SIGTERM?) only for the four processes other than "Typora".
I'm pretty sure that I didn't get a signal event when I used Activity Monitor to "Quit" Typora.
How does Activity Monitor "Quit" "Typora"?
It looks like Activity Monitor "Quits" the app process in a different way (not by sending a signal).
I get the reason: it's through an Apple Event.
Just to clear up the detail of this, it is sending an AppleEvent and that also isn't something you'd generally need/want to interfere with from the Endpoint Security layer. AppleEvents are a messaging format/system and are basically all "cooperative". That is, what "Typora" actually received was basically a "Quit request". It did not HAVE to quit and, in fact, the quit event is what triggers the "Are you sure you want to Quit?"/Unsaved work warning/etc. you see in apps. If you had some security sensitive app that should not be quit, then you'd implement that by simply... not having the app quit.
__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
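
The cooperative quit path described in the reply above, as an added example that is not code from the thread or from Apple: a minimal AppKit app whose delegate declines quit requests and logs the sending process. The class name `GuardedAppDelegate` and the `shutdownAuthorised` flag are hypothetical, and the example assumes the quit Apple Event is still the current event when the delegate method runs.

```swift
import AppKit
import CoreServices  // keySenderPIDAttr

final class GuardedAppDelegate: NSObject, NSApplicationDelegate {
    // Hypothetical policy flag: set to true only by the app's own
    // authorised shutdown path (for example after an admin check).
    var shutdownAuthorised = false

    // AppKit calls this for every cooperative quit request: the Quit menu
    // item, Cmd-Q, or a quit Apple Event such as Activity Monitor's "Quit".
    func applicationShouldTerminate(_ sender: NSApplication) -> NSApplication.TerminateReply {
        if shutdownAuthorised {
            return .terminateNow
        }

        // If the request arrived as an Apple Event, record the sender's pid
        // so refused requests can be audited.
        if let event = NSAppleEventManager.shared().currentAppleEvent,
           let pid = event.attributeDescriptor(
               forKeyword: AEKeyword(keySenderPIDAttr))?.int32Value {
            NSLog("Refused quit request sent by pid %d", pid)
        } else {
            NSLog("Refused quit request (no Apple Event, e.g. menu or Cmd-Q)")
        }

        // Declining here is all it takes: no signal is involved, so an
        // Endpoint Security AUTH_SIGNAL subscriber never sees this request.
        return .terminateCancel
    }
}

// main.swift entry point: keep a strong reference to the delegate,
// because NSApplication.delegate is a weak property.
let app = NSApplication.shared
let delegate = GuardedAppDelegate()
app.delegate = delegate
app.setActivationPolicy(.regular)
app.run()
```

Returning `.terminateCancel` unconditionally also declines the quit requests sent at logout, restart and shutdown, so a real policy would need to decide how to treat those.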