8 Replies
      Latest reply on Feb 14, 2020 7:28 AM by mdolan
mdolan (Level 1, 10 points)

Hi all (especially Quinn, if you're watching),

         

        Using everyone's favorite Endpoint Security demo code to narrow down a problem I've been seeing in my code, https://gist.github.com/Omar-Ikram/8e6721d8e83a3da69b31d4c2612a68ba (thank you, Omar), I've been able to reproduce a kill of the ES process.

         

        If I subscribe to either the ES_EVENT_TYPE_AUTH_OPEN or ES_EVENT_TYPE_AUTH_MMAP event, when I run a leaks command on the process, it hangs, then eventually dies with a Killed: 9 message. Those are the only 2 events I've found that do this, though my search hasn't been exhaustive. I am also guessing that there are other commands besides leaks that will do this, but I can reproduce this 100% of the time with leaks.

         

        I've tried using the async dispatch to make sure I'm not totally blocking the kernel, I've tried shortcutting the code to always just return ES_AUTH_RESULT_ALLOW to es_respond_auth_result without doing anything else, I've even considered consulting a witch doctor, but thought I'd ask here first.

         

Is this a known issue? I hope it's not by design, as this would give malware a way to kill an EndpointSecurity process so it could try to gain a foothold before the EndpointSecurity process could restart.

         

        If this is a problem, I'll write up a RADAR ticket and post the number here. If not, what is the suggested work-around?

         

        Thanks!

        Mike
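For readers trying to isolate the same symptom, here is a minimal client that subscribes to exactly the two events named in the post and answers each one with the respond call its event type requires. This is an added example, not code from the post, from Omar's gist or from Apple; it assumes macOS 10.15.4 or later (for es_retain_message/es_release_message), the com.apple.developer.endpoint-security.client entitlement, and that it runs as root. The names AuthClient, ESError and the queue label are chosen for this example. Two caveats it encodes: ES_EVENT_TYPE_AUTH_OPEN is a flags event and must be answered with es_respond_flags_result(), not es_respond_auth_result(), which returns ES_RESPOND_RESULT_ERR_EVENT_TYPE for that event type; and every AUTH message carries a deadline in mach absolute time, after which the kernel kills the client regardless of what it later answers.

```swift
import Foundation
import EndpointSecurity

// Added example (not the gist's or Apple's code). Assumes macOS 10.15.4+,
// the ES client entitlement, and running as root. AuthClient/ESError are
// names chosen for this example.

enum ESError: Error {
    case newClient(es_new_client_result_t)
    case subscribe
}

final class AuthClient {
    private var client: OpaquePointer?
    // Responses are produced off the ES delivery thread so the callback
    // itself never blocks.
    private let responder = DispatchQueue(label: "auth-responder", qos: .userInteractive)

    func start() throws {
        let rc = es_new_client(&client) { [weak self] esClient, message in
            guard let self = self else { return }
            // ES frees the message when the callback returns; retain it
            // before handing it to another thread and release it afterwards.
            es_retain_message(message)
            self.responder.async {
                self.respond(esClient, message)
                es_release_message(message)
            }
        }
        guard rc == ES_NEW_CLIENT_RESULT_SUCCESS, let client = client else {
            throw ESError.newClient(rc)
        }

        let events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_MMAP]
        guard es_subscribe(client, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
            throw ESError.subscribe
        }
    }

    func stop() {
        guard let client = client else { return }
        es_unsubscribe_all(client)
        es_delete_client(client)
        self.client = nil
    }

    private func respond(_ client: OpaquePointer, _ message: UnsafePointer<es_message_t>) {
        let msg = message.pointee

        // deadline is in mach absolute time units. Once it has passed the
        // kernel has already decided to SIGKILL this process; logging it
        // at least tells you which event type you could not keep up with.
        if msg.deadline <= mach_absolute_time() {
            NSLog("ES deadline missed for event type %u", msg.event_type.rawValue)
        }

        let result: es_respond_result_t
        switch msg.event_type {
        case ES_EVENT_TYPE_AUTH_OPEN:
            // AUTH_OPEN is answered with an fflags mask, not an auth result.
            // All bits set permits the open exactly as requested.
            result = es_respond_flags_result(client, message, UInt32.max, false)
        case ES_EVENT_TYPE_AUTH_MMAP:
            result = es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, false)
        default:
            return
        }
        if result != ES_RESPOND_RESULT_SUCCESS {
            NSLog("es_respond_* failed for event type %u: %u",
                  msg.event_type.rawValue, result.rawValue)
        }
    }
}

let authClient = AuthClient()
do {
    try authClient.start()
} catch {
    NSLog("failed to start ES client: \(error)")
    exit(EXIT_FAILURE)
}
dispatchMain()
```

Responding from a separate queue only helps when the process is able to run at all: if a tool suspends the client's task while the client still owes an AUTH answer, the deadline expires no matter how the handler is written, and the kernel's reaction is the same SIGKILL the post describes. When debugging this, watch the "deadline missed" log line rather than the allow/deny logic; a client that answers AUTH_OPEN via es_respond_auth_result() will also see a non-success respond result in that log, which is a cheap way to tell a wrong-respond-call problem apart from a too-slow-to-respond one.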