What does Endpoint Security cache?

Hello group,


Since there is a function called es_clear_cache(), I was wondering which information the Endpoint Security extension is caching. Are these the results from AUTH responses or just internal housekeeping data?


Frank Fenn

Sophos Inc.

Replies

Can you explain more about the background to your question?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello,


a) I was just wondering why this function exists. es_clear_cache() seems to remove items the client did not store. So, for example: I block the execution of a specific executable while handling an AUTH_EXEC event. I want to make sure that none of the client's decisions to allow or deny an execution or a file open (in the case of AUTH_OPEN) will be cached, so I will receive repeated events for the same item and can make decisions again.


b) If something is cached for the ES client, will that reflect on the memory usage of the client process?


Sincerely,

Frank Fenn

Sophos Inc.

I want to make sure that none of the client's decisions to allow or deny an execution or a file open … will be cached, so I will receive repeated events for the same item and can make decisions again.

I suspect that sending every authentication event to your client would be prohibitively expensive. My recommendation is that you do nothing special with the cache right now and see whether you hit any problems in practice.

If something is cached for the ES client, will that reflect on the memory usage of the client process?

No. These caches are deep within the kernel.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I would like to know more about the caching behaviour. The documentation of the previously mentioned es_clear_cache() function says that it will clear the shared cache for all es_clients. This obviously raised a flag for me.


What if a user has a policy-based solution installed that checks a blacklist or whitelist and then allows execution, and additionally an antivirus? If the policy-based solution has already set a response for some executable and cached it, will a subsequent execution of this executable ever reach the es_client of the antivirus, which in my example has not cached a response?


Also, I'd like to know more about the caching behaviour for AUTH_OPEN events. Let's consider the following use case:

Our antivirus application contains its own integrity protection. Our updater updates our application. The integrity protection responds and allows the write, renames, unlinks, ... and caches the response. Does that mean that another application is now also allowed to perform those operations? Or does the "key" that is used for the cache record contain the process information of the accessing process as well?


I'm aware that I could easily test this behaviour, but I can't be sure that this is actually the intended behaviour unless it is documented. So please document this behaviour!

I don't want to open a ticket for these questions because I think that everybody should have access to this information.


Best Regards

Timo Christ

Avira Operations
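An added example, not code from either post or from Apple, that works through Frank's point (a) and Timo's AUTH_OPEN scenario in Swift: the `cache` argument of es_respond_auth_result() and es_respond_flags_result() controls whether the kernel caches a verdict, and es_clear_cache() is reserved for policy changes because it clears the cache shared by every ES client. The deny list, protected directory, and updater path are assumed values; the program must run as root with the Endpoint Security entitlement.

```swift
import EndpointSecurity
import Foundation

// Hypothetical policy state, constructed for this example (not from the thread).
var deniedExecutables: Set<String> = ["/private/tmp/blocked-tool"]
let protectedPrefix = "/Library/Application Support/ExampleAV/"  // assumed install dir
let updaterPath = protectedPrefix + "updater"                     // assumed updater binary
let kFWRITE: Int32 = 0x0002  // FWRITE from <sys/fcntl.h>; es_event_open_t.fflag is in FFLAGS form
var client: OpaquePointer?
let rc = es_new_client(&client) { c, message in
    let msg = message.pointee
    switch msg.event_type {
    case ES_EVENT_TYPE_AUTH_EXEC:
        let target = String(cString: msg.event.exec.target.pointee.executable.pointee.path.data)
        // cache == false for a denial: the kernel must not remember the verdict, so the
        // next exec of the same file raises a fresh AUTH_EXEC and we decide again.
        // Allowed execs are cached; round-tripping every exec to user space is costly.
        if deniedExecutables.contains(target) {
            es_respond_auth_result(c, message, ES_AUTH_RESULT_DENY, false)
        } else {
            es_respond_auth_result(c, message, ES_AUTH_RESULT_ALLOW, true)
        }
    case ES_EVENT_TYPE_AUTH_OPEN:
        let file = String(cString: msg.event.open.file.pointee.path.data)
        let accessor = String(cString: msg.process.pointee.executable.pointee.path.data)
        let flags = msg.event.open.fflag
        let isProtected = file.hasPrefix(protectedPrefix)
        if isProtected && flags & kFWRITE != 0 && accessor != updaterPath {
            // Strip the write bit so the requested flags are no longer a subset of the
            // authorized ones and the open fails. Never cache a verdict that depends on
            // the accessing process: the thread leaves undocumented whether the cache
            // key includes that process, so a cached allow might serve another process.
            es_respond_flags_result(c, message, UInt32(bitPattern: flags & ~kFWRITE), false)
        } else {
            es_respond_flags_result(c, message, UInt32.max, !isProtected)
        }
    default: break
    }
}
guard rc == ES_NEW_CLIENT_RESULT_SUCCESS, let esClient = client else { fatalError("es_new_client: \(rc)") }
var events = [ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_AUTH_OPEN]
guard es_subscribe(esClient, &events, UInt32(events.count)) == ES_RETURN_SUCCESS else { fatalError("es_subscribe") }

// Call when the deny list changes. es_clear_cache drops the cache shared by every ES
// client on the system, not just this one, so reserve it for cached verdicts that are now wrong.
func replaceDenyList(_ client: OpaquePointer, with newList: Set<String>) {
    deniedExecutables = newList
    if es_clear_cache(client) != ES_CLEAR_CACHE_RESULT_SUCCESS { NSLog("es_clear_cache failed") }
}
dispatchMain()
```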

I'm aware that I could easily test this behaviour, but I can't be sure that this is actually the intended behaviour unless it is documented. So please document this behaviour!

That’s a perfectly reasonable request, and the best way to get it in front of the folks who have power to act on it is to file a bug against the ES documentation.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi eskimo

I updated my original bug report from June to include this example: FB6145147.


While you're at it, could you also please check my bug reports FB7403554 and FB5712897, because they prevent us from using the EndpointSecurity API.


Best Regards

Timo

I updated my original bug report from June to include this example: FB6145147.

You should put that info in a new bug report. Your bug report FB6145147 was marked as a duplicate of another bug (r. 51813266) that was closed months ago. You should be able to see that closed state in Feedback Assistant, right?

While you're at it, could you also please check my bug reports FB7403554 and FB5712897, because they prevent us from using the EndpointSecurity API.

Those two bugs are more-or-less duplicates. The first got kinda lost, and I’ll try to get it back on track. The second definitely landed in the right place.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

> You should put that info in a new bug report.

OK, I opened a new one: FB7429926

> You should be able to see that closed state in Feedback Assistant, right?

No, it says:

Recent Similar Reports: None

Resolution: Open


> Those two bugs are more-or-less duplicates.

Yes, the first one described the technical issue and the second one only highlighted the security implication of it in regard to the ES framework.


Thank you for your help!

Timo


PS: How do you quote here in the forums?

OK, I opened a new one: FB7429926

Thanks.

No, it says:

Recent Similar Reports: None

Resolution: Open

Hmmm, that’s weird. I’m off to ask our bugs folks about this.

PS: How do you quote here in the forums?

Hmmm, that’s becoming a bit of a FAQ. The short answer is that I don’t use the standard editor but rather HTML mode. See this post for a more in-depth explanation.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,

It's been a year now since this question was asked, and the caching mechanism is still undocumented.
Is there a plan to add documentation for it anytime soon?

Is there a plan to add documentation for it anytime soon?

I can’t discuss The Future™.

I can say that my go-to ‘documentation’ for ES right now is WWDC 2020 Session 10159, Build an Endpoint Security app, and it covers caching in some detail.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • In the video Mathew said that creating a new ES client triggers cache invalidation. Nothing about that is in the documentation. Maybe there are other cases where the cache gets invalidated?

    I've noticed that I receive only one AUTH_OPEN request if I open the same file a couple of times per second, and I start receiving more requests when I increase the time interval between opening the file, e.g. 1 second between opens.
