User Profile

Post marked as solved

3 Replies

684 Views

Post marked as solved with 3 replies, 684 views

Endpoint security es_copy_message deprecated

The es\_copy\_message function is deprecated and there are no alternatives provided. https://developer.apple.com/documentation/endpointsecurity/3228861-es_copy_message Currently, we copy incoming messages so that we can respond to messages later on a different dispatch queue/thread. Is there a change in ownership of incoming messages or is there something that I am missing here?

• Endpoint Security

Posted

by vishalps.

Last updated

.

Post not yet marked as solved

2 Replies

360 Views

Post marked as unsolved with 2 replies, 360 views

On macOS 11 copyfile API called from EndpointSecurity open auth callback results in deadlock on network shares

Hi, Our product in some cases requires taking snapshot of files being opened (especially in write mode). With endpoint security we are observing deadlock on macOS 11 open a file from smb share using Finder in application, in open auth callback use copyfile api with COPYFILE\_ALL flag this copyfile api is stuck until the open auth callback is not responded to. spindump shows copyfile stuck in kernel in smbfs stack. copyfile with COPYFILE\_METADATA i.e. just metadata seems to work fine. we are seeing more such issues on smb/nfs network shares. The same code works well on macOS 10.15. Is anyone else seeing similar issues? Are there significant changes in network shares in macOS 11? Thanks.

• macOS
• Endpoint Security

Posted

by vishalps.

Last updated

.

Post marked as solved

11 Replies

1.2k Views

Post marked as solved with 11 replies, 1,245 views

es_mute_process fails intermittently

Hi, I am monitoring ES_EVENT_TYPE_AUTH_OPEN events, however I am interested in only a few processes (list is not hardcoded, it is configurable). So I am using es_mute_process to mute most of the processes from ES_EVENT_TYPE_AUTH_OPEN event callback. After some time, es_mute_process calls start failing. On checking currently muted process count using es_muted_processes, it is always 255. Is there an upper limit on number of processes that can be muted? If there is a limit but if I keep on trying to mute processes even after the limit, as slots might become available if some of the processes exit, would that cause any impact on performance? Am I supposed to detect the error and may be stop muting processes for some time?

• macOS
• Endpoint Security

Posted

by vishalps.

Last updated

.

Post not yet marked as solved

2 Replies

439 Views

Post marked as unsolved with 2 replies, 439 views

Unable to set change_time using vnode_setattr in kernel extension

Hi,We have a scenario where we take backups of a file. User can select the version to restore from.We have a kernel extension which while restoring the file, restores all the file attributes.Code looks like this struct vnode_attr va; VATTR_INIT(&va); SET_VATTR_IF_SUPPORTED(&va, vaFrom, vaDestination, va_change_time); ... other attributes vnode_setattr(vnode, &vaDestination, context);This used to work upto macOS 10.13.On macOS 10.14 onwords, change_time is not set to the given value but to the current timestamp.Is this expected behavior? Is there any documetation around this?The reason we restore all attributes is so that other backup softwares don't think that the file was modified.

• Kernel

Posted

by vishalps.

Last updated

.