Posts

Post not yet marked as solved
2 Replies
753 Views
Hello community,
we have been using an Endpoint Security client within a system extension for quite a while now. After some users updated macOS to Sonoma, we got complaints about slower performance when using MS Office on Mac. The product features work as expected, and our system extension is loaded and delivers events. Upon inspection of the log files, we found the following (but not on all machines):

[com.apple.TCC:access] Failed to create LSApplicationRecord for file:///Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension/: 'The operation couldn’t be completed. (OSStatus error -10811.)'

and

[com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.sophos.endpoint.scanextension, type: 0: 0x7fb63da318c0 at /Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension

for almost each event delivered. We are using XPC from the system extension to a non-privileged daemon process to process file content. A feedback has already been filed: FB13174804. An additional code-level support request was returned without any explanation. Signing checks of the system extension and the containing app (daemon) on Sonoma turn up without any errors. Any idea what's going on here?
Frank Fenn
Sophos Inc.
Posted by frankfenn.
Post not yet marked as solved
10 Replies
2.2k Views
Hello,
when FDA rights are given in macOS Monterey, the TCC entry reflects this and the process using the ES Client works as expected. The entry is as follows:

kTCCServiceSystemPolicyAllFiles|com.sophos.endpoint.scanextension|...

After migrating the OS to Ventura beta 11 with the ES Client-using process installed, the TCC entries read as follows:

kTCCServiceSystemPolicyAllFiles|com.sophos.endpoint.scanextension|...
kTCCServiceEndpointSecurityClient|com.sophos.endpoint.scanextension|...

The old entry is still present, causing our software to report that the precondition of FDA is still valid. But internally the ES Client will report an error when being created, since the newly introduced entry does not reflect the FDA permissions granted. It can be manually solved by removing the executable from the FDA list in System Preferences and re-adding it, but this is not the ideal solution. Is this a known problem?
Frank Fenn
Sophos Inc.
Posted by frankfenn.
Post not yet marked as solved
0 Replies
788 Views
Hello,
we are running a LaunchDaemon by creating a symlink into a .bundle which contains the plist. On 13.0 the LaunchDaemon was added to the "Allow In the Background" list within "Login Items". After upgrading to 13.1 beta (and the 1st reboot) the item disappears from the list. A log message indicates the error: kLSNotAnApplicationErr. After the next reboot, our LaunchDaemon is no longer running, rendering our installation nonfunctional. Do background applications (or the plist they reference) need to be .app bundles from now on?
Frank Fenn
Sophos Inc.
Posted by frankfenn.
Post not yet marked as solved
1 Replies
808 Views
When installing our properly signed System Extension using ES Client on macOS Ventura RC we get the usual entry in the Full Disk Access panel of the System Settings as expected. But there is now also an entry for the same system extension under the Developer Tools section in System Settings, which cannot be deleted, nor can its status be changed from on to off. The enabled slider is magically linked to the enabled slider for the same extension in the Full Disk Access group of the settings. Is this a bug or intended behaviour?
Frank Fenn
Sophos Inc.
Posted by frankfenn.
Post not yet marked as solved
11 Replies
2.2k Views
Hello group,
since there is a function called es_clear_cache() I was wondering which information the Endpoint Security extension is caching. Are these results from AUTH responses or just internal housekeeping data?
Frank Fenn
Sophos Inc.
Posted by frankfenn.
Post marked as solved
6 Replies
1.9k Views
Hello,
we have an application running as a root, daemon-style process. This process is linking against and using a framework which contains a stripped-down version of Python. Functions within the framework might want to delete files via a Python script. Under 10.15 it was enough to give the app running as root Full Disk Access rights for the function within the framework to be able to delete files. Under macOS Big Sur this no longer seems to be the case. Both framework and app are properly signed and not sandboxed. Are there any additional steps to be taken?
Frank Fenn
Posted by frankfenn.
Post not yet marked as solved
0 Replies
511 Views
Hello community,
in our ES client running as a system extension we monitor AUTH_EXEC and AUTH_OPEN events. Some strange behaviour was seen with especially one application, the "Brave" internet browser, but this might also be seen with other apps. For demonstration purposes I also monitored NOTIFY_EXEC.

1) 1st run of "Brave.app"
2020-05-08 11:01:48.947 [3490:38296 TID:39168 sext] notify exec xpcproxy 3670
2020-05-08 11:01:48.953 [3490:38296 TID:40274 sext] auth exec Brave Browser
2020-05-08 11:01:48.954 [TID:41429 sext] exec event Brave Browser with pid 3670 and category 19
2020-05-08 11:01:48.954 [3490:38296 TID:40274 sext] notify exec Brave Browser 3670
The executable "Brave Browser" is seen in an AUTH_EXEC and a NOTIFY_EXEC event.

2) The AUTH_EXEC event is responded to with:
es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, false);
Note: the cache flag is set to 'false'.

3) "Brave.app" is launched the second time
2020-05-08 11:02:55.312 [3490:38296 TID:42627 sext] notify exec xpcproxy 3734
2020-05-08 11:02:55.316 [3490:38296 TID:42626 sext] notify exec Brave Browser 3734
Note: no AUTH_EXEC event is being generated!!!

4) Triggering a cache reset with es_clear_cache(client);

5) Launching "Brave.app" again
2020-05-08 11:03:54.505 [3490:38296 TID:43395 sext] notify exec xpcproxy 3790
2020-05-08 11:03:54.510 [3490:38296 TID:43243 sext] auth exec Brave Browser
2020-05-08 11:03:54.510 [3487:38171 TID:41098 sext] exec event Brave Browser with pid 3790 and category 19
2020-05-08 11:03:54.510 [3490:38296 TID:43243 sext] notify exec Brave Browser 3790
Note: an AUTH_EXEC event is generated again.

Other browser apps, like Safari, Chrome and Firefox, do not show this behaviour. What is so special about Brave.app?
puzzled...
Frank Fenn
Sophos Inc.
Posted by frankfenn.
Post not yet marked as solved
1 Replies
488 Views
Hello community,
so when my application (containing an Endpoint Security client system extension) launches for the first time, the user is asked to allow the extension. Once done, the system will load and run my extension, communicating with my application nicely.
When the application is restarted (let's say as a result of a kill command) it will run at startup through the same activation request, which will of course not prompt for any user interaction anymore, and then the extension replacement callback is invoked (I guess because an extension is already active and running), where I reply with OSSystemExtensionReplacementActionReplace since there is only one version of the extension right now.
At this point the running extension receives a SIGTERM (15) and terminates but is NOT reloaded!!!
So for example after a reboot, the system extension starts running early, then the application is launched and is doing the things mentioned above, resulting in a non-running extension until the app is restarted again.
Am I missing something here? Is there an API to find out if an extension is already running without trying to activate it?
Frank Fenn
Sophos Inc.
Posted by frankfenn.
Post not yet marked as solved
2 Replies
859 Views
Hello all,
I'm stuck. I have an ES client system extension installed which is misbehaving but not crashing. In its bad state it adds a 30 second delay to each file open call (AUTH_OPEN events), which makes the system pretty much unresponsive. So I try to get rid of this extension; unfortunately, with it running (SIP is disabled) the system is unresponsive and attempts to use the systemextensionsctl command are impossible. With SIP turned on I can boot and log in normally, but now the systemextensionsctl tool is not available. Booting in recovery or single user mode I can see the extension in the SystemExtensions folder but have no permissions to remove it.
Help is really appreciated.
Frank
Posted by frankfenn.
Post not yet marked as solved
3 Replies
1.2k Views
Hello,
our prototype of the Endpoint Security client (currently as root with SIP disabled) running in a terminal environment performs very well and so far satisfies our needs of decision making on AUTH_EXEC and/or AUTH_OPEN events. Thanks Apple, great job so far.
but...
once in a while (especially after sleep or just before sleep, I cannot pinpoint it) the Endpoint Security client gets terminated by the system. It just says "killed". We make sure we respond to all events by the deadline set in the event.
Q: Is there any way to find out what the reason was for the system to terminate the client?
Is there any debug logging that can be activated for these system extensions?
Frank Fenn
Sophos Inc.
Posted by frankfenn.
Post not yet marked as solved
4 Replies
1k Views
Can someone confirm whether this is a bug or not?
On ES_EVENT_AUTH_EXEC I extract the signing_id and the team_id from the exec target:

NSString *signid = esstring_to_nsstring(&msg->event.exec.target->signing_id);
NSString *teamid = esstring_to_nsstring(&msg->event.exec.target->team_id);

When inspected, it seemed that team_id has the same content as signing_id:

*** LAUNCH APP : PID 83135 BINARY Sophos Agent (signed signID: com.sophos.endpoint.SophosAgent teamID: com.sophos.endpoint.SophosAgent

I would expect that team_id should contain the TeamIdentifier similar to the codesign output below...

% codesign -dvvv -r- ...
Identifier=com.sophos.endpoint.SophosAgent
TeamIdentifier=2H5GFH3774

Frank Fenn
Sophos Inc.
Posted by frankfenn.
Post not yet marked as solved
2 Replies
1.2k Views
Hello all,
while experimenting with the Endpoint Security demo code, especially ES_EVENT_TYPE_AUTH_EXEC and ES_EVENT_TYPE_AUTH_OPEN, I need some questions answered.
(1) While blocking or allowing a process launch via es_respond_auth_result() generated a nice "This Application ... can't be opened" dialog, the es_respond_flags_result() to prevent a file from being opened is not fully clear. The flags are not documented (or I haven't found it yet). If I respond with the original event flags the file is allowed, great. If I respond for example with a 0 to mask out the 1 (I guess open for read), the file open fails with an input/output error. In the old KEXT world, when denying a file open, the system responded with an "access denied" error code. Is there anything in these flags to get the same response?
(2) Will the ES client be able to open all files for which it receives event messages? Running as root and with SIP disabled it seems to work. Also, is the ES client allowed / enabled to open additional files without any deadlock?
(3) With the proper entitlement, is the ES client able to run as a non-root user? Can this be a launch daemon?
Thanks
Frank Fenn
Sophos Inc.
Posted by frankfenn.