Subscribing for auth open event of endpoint security framework hangs Catalina macOS?

I subscribed to the ES_EVENT_TYPE_AUTH_OPEN event in the macOS Endpoint Security library. As soon as the application starts monitoring, the macOS system hangs. I tried to dispatch it on other threads. I also tried to stop monitoring for some processes using es_mute_process, but all efforts were in vain.


Please help me understand how we can monitor and control auth open events for the desired process and files only.

Let me know how to filter open events so that it does not slow down the system.

Replies

The release notes for macOS Catalina 10.15 beta 4 include this item: "The es_mute_process interface doesn't mute processes. (53017708)". That may explain the behavior you're seeing. I would file a bug report so that Apple knows that you've encountered this issue as well; just be prepared for it to be closed as a duplicate.


As for the ES_EVENT_TYPE_AUTH_OPEN hang, I would suggest trying again with beta 4 and filing a bug if the problem persists.


Based on the release notes and other reports, the new functionality in Catalina seems to be a work in progress at the moment; now is the time to let Apple know where to focus their efforts. Don't be too surprised when things don't work as documented in a beta release. Good luck.

ES_EVENT_TYPE_AUTH_OPEN requires responding with es_respond_flags_result(), not es_respond_auth_result() shown in the Message docs example. Are you doing that?
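The point raised in the last reply, as an added example that is not code from this thread or from Apple's documentation: a minimal Endpoint Security client that answers every ES_EVENT_TYPE_AUTH_OPEN message with es_respond_flags_result(), so that no open is left waiting for a verdict. The watched directory `kWatchedPrefix` and the helper `path_is_watched` are hypothetical; the program assumes it runs as root with the Endpoint Security client entitlement.

```objc
// Added example. Link against libEndpointSecurity on macOS 10.15 or later.
#include <EndpointSecurity/EndpointSecurity.h>
#include <dispatch/dispatch.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

// Hypothetical directory to protect (an assumption, not from the thread).
static const char *kWatchedPrefix = "/private/tmp/es-demo/";

// True when the file being opened lives under the watched directory.
static bool path_is_watched(const es_file_t *file) {
    size_t n = strlen(kWatchedPrefix);
    return file->path.length >= n &&
           memcmp(file->path.data, kWatchedPrefix, n) == 0;
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t rc = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) {
            if (msg->event_type != ES_EVENT_TYPE_AUTH_OPEN) return;
            bool deny = path_is_watched(msg->event.open.file);
            // AUTH_OPEN takes a mask of authorized open flags:
            // 0 authorizes none, UINT32_MAX authorizes all of them.
            // Every message gets an answer, and only allow results are
            // cached here; denials are re-evaluated on each open.
            es_respond_flags_result(c, msg, deny ? 0 : UINT32_MAX, !deny);
        });
    if (rc != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %d\n", (int)rc);
        return 1;
    }

    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_OPEN };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        es_delete_client(client);
        return 1;
    }

    dispatch_main(); // keep the process alive to service the handler
}
```

The handler does no blocking work before responding; each AUTH message carries a deadline (`msg->deadline`), so any slow per-file analysis belongs after the response or on a path that still guarantees a timely answer.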