I found a big problem.
In Monterey, it does not wait for the user approval request.
In Monterey, the request appears to fail because deactivation is requested before it is approved.
Why are you requesting deactivation without waiting for the user approval request?
As a result, deactivation fails.
Our app requests deactivation from the GUI.
I have already asked through the feedback number below.
(Follow-up: 774983090)
However, I did not receive an appropriate response, so I am posting it to the Developer Forum.
I'll compare it with Big Sur.
First, Big Sur.
Step 1.
The log pops up as shown below, and the user approval request is activated.
```
19:45:39.665971+0900 sysextd upgrading connection to nsxpc
```
Step 2.
If you approve as the user, the log below appears.
```
19:45:43.298319+0900 authd Succeeded authorizing right 'com.apple.system-extensions.admin' by client '/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd' [1303] for authorization created by '/Applications/AhnLab Solutions/v3mac/V3FltESApp.app' [3986] (0,0) (engine 243)
```
Step 3.
Once approved, the deactivation request log appears as shown below, and it succeeds.
```
19:45:43.288928+0900 sysextd deactivation request received from: /Applications/AhnLab
...
19:45:44.349972+0900 sysextd deactivation succeeded for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp
19:45:44.350649+0900 sysextd client connection (pid 3986) invalidated
```
However, in Monterey, the deactivation request is made before user approval.
In other words, the request appears to fail because deactivation is requested before it is approved.
```
20:05:54.735224+0900 sysextd upgrading connection to nsxpc
20:05:54.741167+0900 sysextd deactivation request received from: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp
...
20:05:54.756362+0900 sysextd deactivation request for com.ahnlab.V3FltES failed authorization check, error: Error Domain=OSSystemExtensionErrorDomain Code=13 "(null)"
20:05:54.760648+0900 sysextd deactivation failed for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp, error: Error Domain=OSSystemExtensionErrorDomain Code=13 "(null)"
...
```
Even if you subsequently allow the user approval request, the deactivation request has already failed.
```
20:06:25.244287+0900 authd Succeeded authorizing right 'com.apple.system-extensions.admin' by client '/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd' [308] for authorization created by '/Applications/AhnLab Solutions/v3mac/V3FltESApp.app' [2573] (0,0) (engine 39)
20:06:25.250832+0900 sysextd deactivation failed for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp, error: Error Domain=OSSystemExtensionErrorDomain Code=4 "(null)"
```
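As a defender-side triage check added here (not code from the post or from the product it describes), this Python reads the sysextd/authd records quoted above and reports whether the deactivation failed before authd granted the user approval, and how long the client waited between connecting and requesting deactivation. The sample records are constructed from the post's own lines.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Sample records constructed from the lines quoted in the post; non-record lines are skipped.
BIG_SUR_LOG = """\
19:45:39.665971+0900 sysextd upgrading connection to nsxpc
19:45:43.288928+0900 sysextd deactivation request received from: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp
19:45:43.298319+0900 authd Succeeded authorizing right 'com.apple.system-extensions.admin' by client '/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd' [1303] for authorization created by '/Applications/AhnLab Solutions/v3mac/V3FltESApp.app' [3986] (0,0) (engine 243)
19:45:44.349972+0900 sysextd deactivation succeeded for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp
"""
MONTEREY_LOG = """\
20:05:54.735224+0900 sysextd upgrading connection to nsxpc
20:05:54.741167+0900 sysextd deactivation request received from: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp
20:05:54.756362+0900 sysextd deactivation request for com.ahnlab.V3FltES failed authorization check, error: Error Domain=OSSystemExtensionErrorDomain Code=13 "(null)"
20:05:54.760648+0900 sysextd deactivation failed for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp, error: Error Domain=OSSystemExtensionErrorDomain Code=13 "(null)"
20:06:25.244287+0900 authd Succeeded authorizing right 'com.apple.system-extensions.admin' by client '/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd' [308] for authorization created by '/Applications/AhnLab Solutions/v3mac/V3FltESApp.app' [2573] (0,0) (engine 39)
20:06:25.250832+0900 sysextd deactivation failed for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp, error: Error Domain=OSSystemExtensionErrorDomain Code=4 "(null)"
"""
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6})\+\d{4} (?P<proc>\S+) (?P<msg>.*)$")
CODE_RE = re.compile(r"OSSystemExtensionErrorDomain Code=(\d+)")
APPROVAL = "Succeeded authorizing right 'com.apple.system-extensions.admin'"

@dataclass
class Timeline:
    connected: Optional[datetime] = None   # sysextd "upgrading connection to nsxpc"
    requested: Optional[datetime] = None   # sysextd "deactivation request received"
    approved: Optional[datetime] = None    # authd granted com.apple.system-extensions.admin
    failed_at: Optional[datetime] = None   # first "deactivation failed for client"
    outcome: Optional[str] = None          # "succeeded" or "failed"
    failure_codes: List[int] = field(default_factory=list)  # OSSystemExtensionErrorDomain codes
    def request_delay(self) -> Optional[float]:  # seconds from XPC connect to deactivation request
        if self.connected is None or self.requested is None:
            return None
        return (self.requested - self.connected).total_seconds()

def parse_timeline(log_text: str) -> Timeline:
    t = Timeline()
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, msg = datetime.strptime(m["ts"], "%H:%M:%S.%f"), m["msg"]
        if m["proc"] == "authd" and APPROVAL in msg:
            t.approved = ts
        elif m["proc"] != "sysextd":
            continue
        elif "upgrading connection to nsxpc" in msg:
            t.connected = ts
        elif "deactivation request received" in msg:
            t.requested = ts
        elif "deactivation succeeded" in msg:
            t.outcome = "succeeded"
        elif "deactivation failed for client" in msg:
            t.outcome, t.failed_at = "failed", t.failed_at or ts
            t.failure_codes += [int(c) for c in CODE_RE.findall(msg)]
    return t

def assess(t: Timeline) -> str:
    if t.outcome != "failed":
        return "deactivation succeeded" if t.outcome == "succeeded" else "incomplete"
    before_approval = t.approved is None or t.failed_at < t.approved
    return "deactivation failed %s user approval" % ("before" if before_approval else "after")
```

A seconds-long request delay means a human clicked through the approval prompt; a millisecond delay followed by Code=13 before the authd line is the Monterey pattern the post describes.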
Hello,
The application I'm working on has started requiring endpoint-security permissions. Before the changes, it had followed the signing (without additional entitlements) and ".pkg" packaging processes for several years without issues.
The Endpoint Security entitlement was requested and approved. After that, "Security Extension" was enabled for the App ID we use. The build process (without Xcode) was updated to use the entitlement file during signing. After the update, the signing and packaging steps were successful. The package can be installed without issues as well. Running the application results in an immediate "Killed: 9".
During troubleshooting it turned out that even a dummy hello-world C binary behaves the same way after signing.
The C code (just for reference):
$ cat test.c
```c
#include <stdio.h>

int main(void) {
    printf("Hello world\n");
    return 0;
}
```
The entitlement file:
$ cat entitlements.plist
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
</dict>
</plist>
```
For signing we use keys imported to a temporary keychain from a developer profile (just for reference):
```shell
security delete-keychain temp-keychain
security create-keychain -p ******** temp-keychain
security unlock-keychain -p ******** temp-keychain
security list-keychains -d user -s login.keychain temp-keychain
security import /path/to/developer/identities/<Developer ID Application>.p12 -k temp-keychain -P ******** -T /usr/bin/codesign -T /usr/bin/productsign temp-keychain
security import /path/to/developer/identities/<Developer ID Installer>.p12 -k temp-keychain -P ******** -T /usr/bin/codesign -T /usr/bin/productsign temp-keychain
security show-keychain-info temp-keychain
security set-key-partition-list -S apple-tool:,apple: -s -k ******** temp-keychain
security default-keychain
```
Result:
Without entitlements
```
$ codesign -vvvvv -s "Developer ID Application: ..." --verbose --deep --force --timestamp --options=runtime test
test: signed Mach-O thin (x86_64) [test]
$ codesign -dv test
Executable=/private/tmp/1/test
Identifier=test
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=304 flags=0x10000(runtime) hashes=4+2 location=embedded
Signature size=9099
Timestamp=18 Aug BE 2564 23:37:54
Info.plist=not bound
TeamIdentifier=XXXXXXXXXX
Runtime Version=10.15.4
Sealed Resources=none
Internal requirements count=1 size=164
$ codesign -d --entitlements :- test
Executable=/private/tmp/1/test
$ ./test
Hello world
```
With entitlements
```
$ codesign -vvvvv -s "Developer ID Application: ..." --verbose --deep --force --timestamp --options=runtime --entitlements entitlements.plist test
test: signed Mach-O thin (x86_64) [test]
$ codesign -dv test
Executable=/private/tmp/1/test
Identifier=test
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=400 flags=0x10000(runtime) hashes=4+5 location=embedded
Signature size=9099
Timestamp=18 Aug BE 2564 23:40:00
Info.plist=not bound
TeamIdentifier=XXXXXXXXXX
Runtime Version=10.15.4
Sealed Resources=none
Internal requirements count=1 size=164
$ codesign -d --entitlements :- test
Executable=/private/tmp/1/test
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
</dict>
</plist>
$ ./test
Killed: 9
```
I'm under the impression that I'm missing something trivial, but I'm already out of ideas. Any advice on what should be verified is welcome.
I tried the low-level XPC API. Here is the sample code.
```c
#include <dispatch/dispatch.h>
#include <EndpointSecurity/EndpointSecurity.h>
#include <os/log.h>
#include <xpc/xpc.h>

/* Defined elsewhere in the project; declared here so the sample compiles as a unit. */
void init_dispatch_queue(void);
void handler(xpc_connection_t peer);                          /* connection handler passed to xpc_main() */
void handle_event(es_client_t *c, const es_message_t *msg);  /* ES event handler */

int
main(int argc, char *argv[])
{
    init_dispatch_queue();
    /* xpc_main() never returns: it calls dispatch_main() internally,
     * so none of the ES client setup below is reached. */
    xpc_main(handler);

    es_client_t *client;
    es_new_client_result_t result = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
        handle_event(c, msg);
    });
    if (result != ES_NEW_CLIENT_RESULT_SUCCESS) {
        os_log_error(OS_LOG_DEFAULT, "Failed to create the ES client: %d", result);
        return 1;
    }

    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_AUTH_OPEN };
    if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
        es_delete_client(client);
        return 1;
    }
    dispatch_main();
}
```
The xpc_main() function internally calls dispatch_main. The rest of the extension code didn't execute. I added an XPCService dict in Info.plist and added RunLoopType as NSRunLoop as given in the link, but it still doesn't work well.
The NSXPCConnection API allows the extension to function. I can't use these APIs, as PyObjC does not support block calls.
Can we make the low-level xpc_main() execute in a second thread and not block the extension?
Hi all,
I have been using the endpoint system extension for some months now. Recently, when I checked the crash logs, I found that within an hour there were a lot of crashes reported. I am not able to make sense of the log.
Here is the crash report
```
Process: com.test.xyz.EndpointSecurityExtension [2851]
Path: /Library/SystemExtensions/*/com.test.xyz.EndpointSecurityExtension
Identifier: com.test.xyz.EndpointSecurityExtension
Version: 1.1.0 (4)
Code Type: X86-64 (Native)
Parent Process: launchd [1]
Responsible: com.test.xyz.EndpointSecurityExtension [2851]
User ID: 0
Date/Time: 2021-09-01 11:50:57.698 +0530
OS Version: macOS 11.5.2 (20G95)
Report Version: 12
Anonymous UUID: 0F843683-C812-EEE7-668E-2DCAADAE35B6
Sleep/Wake UUID: C67D7ECA-22E6-451F-8766-CB2DCA3FC287
Time Awake Since Boot: 42000 seconds
Time Since Wake: 5500 seconds
System Integrity Protection: disabled
Crashed Thread: 1 Dispatch queue: BBReaderQueue
Exception Type: EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Illegal instruction: 4
Termination Reason: Namespace SIGNAL, Code 0x4
Terminating Process: exc handler [2851]

Thread 0:
0 libsystem_kernel.dylib 0x00007fff20381b0a __sigsuspend_nocancel + 10
1 libdispatch.dylib 0x00007fff202184e1 _dispatch_sigsuspend + 36
2 libdispatch.dylib 0x00007fff202184bd _dispatch_sig_thread + 53

Thread 1 Crashed:: Dispatch queue: BBReaderQueue
0 com.test.xyz.EndpointSecurityExtension 0x00000001006b836e closure #1 in + 8270
1 com.test.xyz.EndpointSecurityExtension 0x00000001006b8627 thunk for @escaping @callee_guaranteed (@unowned OpaquePointer, @unowned UnsafePointer<es_message_t>) -> () + 23
2 libEndpointSecurity.dylib 0x00007fff2fe2f52b __es_new_client_with_config_block_invoke + 43
3 libEndpointSecurity.dylib 0x00007fff2fe2ff92 BBReader<ESMessageReaderConfig>::handleItems() + 130
4 libEndpointSecurity.dylib 0x00007fff2fe2fe41 BBReader<ESMessageReaderConfig>::woke(void*) + 17
5 libdispatch.dylib 0x00007fff20207806 _dispatch_client_callout + 8
6 libdispatch.dylib 0x00007fff2020a1b0 _dispatch_continuation_pop + 423
7 libdispatch.dylib 0x00007fff2021a564 _dispatch_source_invoke + 2061
8 libdispatch.dylib 0x00007fff2020d493 _dispatch_lane_serial_drain + 263
9 libdispatch.dylib 0x00007fff2020e0e0 _dispatch_lane_invoke + 417
10 libdispatch.dylib 0x00007fff2020f318 _dispatch_workloop_invoke + 1784
11 libdispatch.dylib 0x00007fff20217c0d _dispatch_workloop_worker_thread + 811
12 libsystem_pthread.dylib 0x00007fff203ae45d _pthread_wqthread + 314
13 libsystem_pthread.dylib 0x00007fff203ad42f start_wqthread + 15

Thread 1 crashed with X86 Thread State (64-bit):
rax: 0x0000000100743108 rbx: 0x0000000100743028 rcx: 0x0000000000000000 rdx: 0x00007fc6c07091c0
rdi: 0x0000000000000000 rsi: 0x0000000100743370 rbp: 0x000070000cee8690 rsp: 0x000070000cee7ed0
r8: 0x0000000000000515 r9: 0x0000000000000519 r10: 0x00000000fe1fffff r11: 0x00007fc5bffc5e90
r12: 0x000000020236c1a1 r13: 0x00000000000001f6 r14: 0x00000000000041ed r15: 0x0000000000000026
rip: 0x00000001006b836e rfl: 0x0000000000010246 cr2: 0x0000000110b5492e
Logical CPU: 0
Error Code: 0x00000000
Trap Number: 6

Thread 1 instruction stream:
8b 70 10 31 ff 31 d2 e8-d6 08 00 00 e9 45 fd ff .p.1.1.......E..
ff 4c 8d 2d ca 71 00 00-48 8b 05 c3 71 00 00 48 .L.-.q..H...q..H
8b 70 10 48 ff c6 31 ff-ba 01 00 00 00 e8 b0 08 .p.H..1.........
00 00 e9 af e7 ff ff 4c-8d 2d a4 71 00 00 bf 01 .......L.-.q....
00 00 00 4c 89 fe ba 01-00 00 00 e8 92 08 00 00 ...L............
48 8b 05 8b 71 00 00 e9-a9 e7 ff ff 0f 0b 0f 0b H...q...........
[0f]0b 0f 0b 66 2e 0f 1f-84 00 00 00 00 00 0f 1f ....f........... <==
40 00 55 48 89 e5 41 57-41 56 41 55 41 54 53 48 @.UH..AWAVAUATSH
83 ec 28 49 bc 13 00 00-00 00 00 00 d0 48 89 7d ..(I.........H.}
b0 48 89 75 b8 48 c7 45-c0 2f 25 40 00 48 b8 00 .H.u.H.E./%@.H..
00 00 00 00 00 00 e3 48-89 45 c8 48 8d 3d 30 70 .......H.E.H.=0p
00 00 e8 1b db ff ff 49-89 c7 be 48 00 00 00 ba .......I...H....
Thread 1 last branch register state not available.
```
It restarts again; sometimes it crashes again and sometimes it starts working normally.
Any idea where I might have made a mistake?
Usually, when I get crash reports, they have the line, the function name and the file (e.g. main.swift) where I made the mistake, but this one is a bit confusing.
Thanks in advance.
Invoking es_delete_client causes intermittent crashes.
I called es_delete_client in thread 1.
However, the crash is occurring in thread 0.
Is there a way to find out the cause?
com.ahnlab.V3FltES_2021-09-07-145842_ahnlabui-MacBookPro-2.crash
I have logged in as an Active Directory domain user. When I lock the Mac and unlock it with Touch ID, the following event is logged.
```xml
<subject audit-uid="-1" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="318" sid="100000" tid="0 0.0.0.0" />
<text>Touch ID authentication</text>
<return errval="success" retval="0" />
<identity signer-type="1" signing-id="com.apple.biometrickitd" signing-id-truncated="no" team-id="" team-id-truncated="no" cdhash="0x8b061a4cd6a37b9228d5b894cc269aaa32ef8051" />
</record>
```
This logs the subject as root rather than as the domain user I logged in as. This is not the case when I use password login.
Under macOS (and especially when using MDM), is it the case that a system extension (in particular, a Transparent Proxy Provider or Endpoint Security extension) must be embedded in an application bundle in /Applications? Or can they be located in some other location, or even directly installed into /Library/SystemExtensions and then activated via a LaunchDaemon? Does it matter whether it's distributed via the App Store or part of enterprise distribution? (Yes, my next step is to look into MDM, about which I know very little. 😄)
This is a case of me being confused by the documentation, and looking at some existing products.
Hello,
We have an AV product for macOS that uses Endpoint Security APIs for authorizing various system activity.
The latest Monterey beta 6 introduced support for an event called "ES_EVENT_TYPE_AUTH_COPYFILE", which according to the release notes should be triggered for the "copyfile" system call.
The problem is that I cannot seem to find any activity that actually ends up triggering this system call while using the latest Monterey beta.
"/bin/cp" generates two open system calls.
The higher-level NSFileManager "copyItemAtPath:toPath:error:" generates a clone event.
The "copyfile" C function defined in "copyfile.h" also generates two separate open calls.
Did someone figure out how to trigger it, or could someone from Apple comment?
We'd usually ask such a question via a DTS ticket, but since it's about beta software, we decided to start here on the forum. Thanks.
Best regards, Arthur
Hi all!
I'm writing an endpoint security daemon, which is packaged in an application bundle with an embedded.provisionfile in its Contents folder.
This daemon can be successfully loaded and started with launchctl on Big Sur with SIP disabled, but it fails to run when SIP is enabled. The OS log from the kernel contains the following messages:
```
(Sandbox) sandboxd rejected approval request from esservice for kTCCServiceSystemPolicyAllFiles(null): denied
(EndpointSecurity) Task has not been granted user permission to connect
```
Could anybody please explain to me what the reason for these messages could be? Is it a sign that something is wrong with my provisioning profile, or something else?
Thanks in advance,
Aleksandr
The system extension is loaded, as it has already been allowed, as follows.
```
1309: 0x413c 17:21:14.310843+0900 taskgated-helper Checking profile: V3FltES_Provisioning
1309: 0x413c 17:21:14.310843+0900 taskgated-helper Checking profile: V3FltES_Provisioning
1309: 0x413c 17:21:14.311095+0900 taskgated-helper allowing entitlement(s) for com.ahnlab.V3FltES due to provisioning profile (isUPP: 1)
1309: 0x413c 17:21:14.322742+0900 taskgated-helper Checking profile: V3FltES_Provisioning
1309: 0x413c 17:21:14.322999+0900 taskgated-helper com.ahnlab.V3FltES: Unsatisfied entitlements: com.apple.security.application-groups
1309: 0x413c 17:21:14.323045+0900 taskgated-helper Disallowing: com.ahnlab.V3FltES
```
However, an unacceptable log is output as a warning message.
Can you explain why?
Can we rely on an order of precedence for muting and unmute paths? For example, if I mute "/", then unmute "/tmp/testdir", can I reliably believe I'll get events for "/tmp/testdir"? I can test this, obviously, but it'd be great to be able to rely on a certain behavior here.
I am currently monitoring ES_EVENT_TYPE_AUTH_CLONE events in my Endpoint Security client, but it seems to respond only to file copies from Finder, not folder copies. Is there any existing event that allows notification of a folder copy in Finder? If not, are there any future plans to include such an event in the ES event list?
Thank you.
Hi, I am developing an Endpoint Security extension, and I would like to get the full list of processes that ended up calling the process I receive in an event.
For example, if I receive an es_process_t, I have this process's audit token; I would like to get the parent's audit token, then the parent's parent's token, and so on until I have the full list of processes. I hope I made myself clear :)
Hi Experts,
It looks like es_mute_path_*** are deprecated, so does anyone know if there are new APIs? Thanks!
https://developer.apple.com/documentation/endpointsecurity/3366123-es_mute_path_prefix
Hello :)
I tried to es_mute_process all of our company's applications.
I check the application using team_id or signing_id in es_process_t.
Is this a good way?
And can team_id and signing_id be forged?
Hi,
I see these new ES event types:
ES_EVENT_TYPE_AUTH_REMOUNT
ES_EVENT_TYPE_NOTIFY_REMOUNT
I'm assuming they refer to a volume re-mount. I'm trying to make them trigger by doing:
```shell
$ mount -o rdonly update force -t hfs -d /Volumes/MyDiskVol
```
But the "mount" command is not successful. How/when are those ES events generated?
Thanks.
How would
Hi,
I have an ES sysex working properly in Big Sur. I upgraded to Monterey.
I checked the behavior of the sysex in Monterey and noticed that it is receiving events from processes that I have muted with "es_mute_path_prefix".
It is as if the system upgrade process has affected the sysex startup, and some configurations forced on start by calling "es_mute_path_prefix" are not taken into account.
Should I take some special steps in OS upgrade scenarios, like forcing a restart of my sysex? Stop it before the OS upgrade and restart it after the upgrade?
Any known best practices for OS upgrades in general?
Thanks.
Hi, in my ES application I am trying to ignore execution events of Apple processes. I think the way to do this is to check the is_platform_binary attribute of es_message_t, but I found that when executing Xcode this attribute is false. Is that because I downloaded it from the App Store?
Also, would checking for the "com.apple" prefix of the signing ID be a good way to identify Apple-signed processes?
Hello everybody!
I'm working on an EndpointSecurity client and noticed that when I copy a file to an external flash card with a FAT16 or exFAT file system, the ES_EVENT_TYPE_NOTIFY_CREATE event and the very first ES_EVENT_TYPE_NOTIFY_WRITE one have a fake value in the st_ino field of their stat structures. For FAT it is 999999999, and for exFAT it is 1. Starting from the second write notification, the stat structure gets a real inode number. It does not happen for the APFS file system.
Could someone please tell me whether this is known behavior, and point me to a place where it is documented? For which other file systems can this also happen?
Thanks in advance,
Aleksandr Skobelev
When we copy a file in Finder using ctrl+c -> ctrl+v, we get an "ES_EVENT_TYPE_AUTH_CLONE" event.
When we block that event, we get the 'ES_EVENT_TYPE_AUTH_CLONE' event 2-3 times with the same destination file name.
Any idea how to avoid those extra 2-3 'ES_EVENT_TYPE_AUTH_CLONE' events?