Posts

Post not yet marked as solved
2 Replies
0 Views
Sounds like you may want a packet filter instead of a socket/connection filter.
Post not yet marked as solved
2 Replies
0 Views
SYSEXTs don't run in a user session. So what you want to do is not possible, except maybe indirectly via launchctl asuser <UID> ... -- not sure if this would actually use the console session though. There's another indirect way too: launch agents, but then why not just have your main app be a launch agent?
Post not yet marked as solved
8 Replies
0 Views
I have this issue right now on my dev machine. It's like there's stale info in /Library/SystemExtensions/db.plist. I've seen clients have the issue too. On my machine the duplicate disabled extension has a lock icon. Edit: For me and our clients it's only DNS Proxy that shows a zombie, our Socket Filter never does. And they are both hosted in the same SYSEXT.
Post not yet marked as solved
4 Replies
0 Views
Hi Matt, yes, if no other NSYSEXT is on the system then there are no problems. We are only seeing this issue with this particular client. So far no other client is using another NSYSEXT. In addition, we are not able to reproduce the issue internally (again with no other NSYSEXTs).
Post not yet marked as solved
4 Replies
0 Views
Thanks for the reply Matt, here are the logs from the client:

2022-06-13 12:48:20.573425-0400 0x3d35 Default 0x0 1166 0 com.uptycs.kringle.daemon: (NetworkExtension) [com.apple.networkextension:] (0): Creating a new flow director
2022-06-13 12:48:20.573623-0400 0x3d35 Default 0x0 1166 0 com.uptycs.kringle.daemon: (NetworkExtension) [com.apple.networkextension:] [Extension com.uptycs.kringle]: Calling startProxyWithOptions with options 0x0
2022-06-13 12:48:20.573639-0400 0x3d35 Default 0x0 1166 0 com.uptycs.kringle.daemon: [com.uptycs.kringle:dns-proxy] start
2022-06-13 12:48:20.576279-0400 0x3d35 Default 0x0 1166 0 com.uptycs.kringle.daemon: [com.uptycs.kringle:dns-proxy] ready
...
2022-06-13 12:48:28.222215-0400 0x3cfa Default 0x0 158 0 sysextd: [com.apple.sx:XPC] client activation request for com.cisco.anyconnect.macos.acsockext
2022-06-13 12:48:28.264605-0400 0x3dc4 Default 0x0 262 0 nesessionmanager: (NetworkExtension) [com.apple.networkextension:] Clearing 42C1466A-D643-4CCB-9B29-A0FDF2B57F03 from the loaded configurations
2022-06-13 12:48:28.275395-0400 0x3dc6 Default 0x0 262 0 nesessionmanager: [com.apple.networkextension:] <NESMServer: 0x7ff0b3d047b0>: Deregister DNS Proxy Session: NESMDNSProxySession[Primary Tunnel:Uptycs Protect DNS Proxy:42C1466A-D643-4CCB-9B29-A0FDF2B57F03:(null)]
2022-06-13 12:48:28.275411-0400 0x3bcc Default 0x0 262 0 nesessionmanager: [com.apple.networkextension:] Registering session NESMDNSProxySession[Primary Tunnel:Cisco AnyConnect Socket Filter:FA292875-ADE4-4304-9423-E4527401CBAA:(null)]
2022-06-13 12:48:28.276187-0400 0x3d6a Default 0x0 1166 0 com.uptycs.kringle.daemon: (NetworkExtension) [com.apple.networkextension:] [Extension com.uptycs.kringle]: Calling stopProxyWithReason because: Configuration was disabled
2022-06-13 12:48:28.276190-0400 0x3d6a Default 0x0 1166 0 com.uptycs.kringle.daemon: [com.uptycs.kringle:dns-proxy] stop: 9

You can see from the logs that our DNS Proxy (com.uptycs.kringle.daemon) is started and then ~8 seconds later the Cisco NSYSEXT is started and our Proxy is stopped with code 9 (NEProviderStopReasonConfigurationDisabled). The Cisco NSYSEXT contains a socket filter and a DNS proxy. Our SYSEXT also contains a socket filter and a DNS proxy and only the DNS proxy is being stopped.
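A small triage script, added here and not from the poster or from Apple, that parses unified-log lines in the shape quoted above and pairs each DNS-proxy `stop: 9` with the sysextd activation request that preceded it; the sample lines are taken from the post, and the 30-second correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Stop reason named in the post: NEProviderStopReasonConfigurationDisabled == 9
NE_STOP_CONFIG_DISABLED = 9

# Shape of the `log show` lines quoted in the post:
#   timestamp thread type activity pid ttl process: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}) "
    r"0x[0-9a-f]+ \w+ 0x[0-9a-f]+ (?P<pid>\d+) \d+ (?P<proc>[^:]+): (?P<msg>.*)$"
)
ACTIVATE_RE = re.compile(r"client activation request for (?P<bundle>\S+)")
STOP_RE = re.compile(r"\[(?P<ext>[^\]:]+):dns-proxy\] stop: (?P<reason>\d+)")

# Sample input: four lines copied from the post above (code line numbers removed).
SAMPLE_LOG = """\
2022-06-13 12:48:20.576279-0400 0x3d35 Default 0x0 1166 0 com.uptycs.kringle.daemon: [com.uptycs.kringle:dns-proxy] ready
2022-06-13 12:48:28.222215-0400 0x3cfa Default 0x0 158 0 sysextd: [com.apple.sx:XPC] client activation request for com.cisco.anyconnect.macos.acsockext
2022-06-13 12:48:28.264605-0400 0x3dc4 Default 0x0 262 0 nesessionmanager: (NetworkExtension) [com.apple.networkextension:] Clearing 42C1466A-D643-4CCB-9B29-A0FDF2B57F03 from the loaded configurations
2022-06-13 12:48:28.276190-0400 0x3d6a Default 0x0 1166 0 com.uptycs.kringle.daemon: [com.uptycs.kringle:dns-proxy] stop: 9
"""

def parse(text):
    """Yield (timestamp, process, message) for every line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z")
            yield ts, m["proc"], m["msg"]

def correlate_stops(text, window=timedelta(seconds=30)):
    """One record per DNS-proxy stop with reason 9, naming the extension whose
    sysextd activation request most recently preceded it (window is assumed)."""
    activations = []   # (timestamp, bundle id), in log order
    findings = []
    for ts, proc, msg in parse(text):
        if proc == "sysextd" and (a := ACTIVATE_RE.search(msg)):
            activations.append((ts, a["bundle"]))
            continue
        s = STOP_RE.search(msg)
        if s and int(s["reason"]) == NE_STOP_CONFIG_DISABLED:
            prior = [(t, b) for t, b in activations if ts - window <= t <= ts]
            findings.append({
                "stopped": s["ext"],
                "at": ts.isoformat(),
                "after_activation_of": prior[-1][1] if prior else None,
                "delay_s": round((ts - prior[-1][0]).total_seconds(), 3) if prior else None,
            })
    return findings
```

Feed it the output of `log show --predicate` filtered to sysextd, nesessionmanager and the extension's own daemon to confirm whether every configuration-disabled stop lines up with another extension's activation.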
Post not yet marked as solved
3 Replies
0 Views
Thanks Quinn, I understand symlinks are quite different and that there's no path validation on them but ES is a replacement for BSM and BSM reported symlink events. Seems like ES should too. Oh and ES should also support user login/logout events like BSM (FeedbackID:FB9103833).
Post not yet marked as solved
1 Replies
0 Views
Did you add the com.apple.developer.endpoint-security.client? You also have to disable AMFI or it will kill the daemon if not signed.
Post marked as solved
1 Replies
0 Views
Figured it out, I needed the com.apple.developer.networking.networkextension entitlement on both the SYSEXT and the container app. Here's hoping for some good documentation in the future.