I am currently monitoring ES_EVENT_TYPE_AUTH_CLONE events in my Endpoint Security client, but it seems to only respond to file, not folder, copies from finder. Is there any existing event to allow notification of a copy of a folder in finder? If not, are there any future plans to include such an event in the ES event list? Thank you.

Can we rely on an order of precedence for muting and unmute paths? For example, if I mute "/", then unmute "/tmp/testdir", can I reliably believe I'll get events for "/tmp/testdir"? I can test this, obviously, but it'd be great to be able to rely on a certain behavior here.

The system extension is loaded as it is already allowed as follows. 1309: 0x413c 17:21:14.310843+0900 taskgated-helper Checking profile: V3FltES_Provisioning1309: 0x413c 17:21:14.310843+0900 taskgated-helper Checking profile: V3FltES_Provisioning1309: 0x413c 17:21:14.311095+0900 taskgated-helper allowing entitlement(s) for com.ahnlab.V3FltES due to provisioning profile (isUPP: 1)1309: 0x413c 17:21:14.322742+0900 taskgated-helper Checking profile: V3FltES_Provisioning1309: 0x413c 17:21:14.322999+0900 taskgated-helper com.ahnlab.V3FltES: Unsatisfied entitlements: com.apple.security.application-groups1309: 0x413c 17:21:14.323045+0900 taskgated-helper Disallowing: com.ahnlab.V3FltES However, an unacceptable log is output as a warning message. Can you explain why?

Under macOS (and especially when using MDM), is it the case that a system extension (in particular, a Transparent Proxy Provider or Endpoint Security extension) must be embedded in an application bundle in /Applications? Or can they be located in some other location, or even directly installed into /Library/SystemExtensions and then activated via a LaunchDaemon? Does it matter whether it's distributed via the App Store or part of enterprise distribution? (Yes, my next step is to look into MDM, about which I know very little. 😄) This is a case of me being confused by the documentation, and looking at some existing products.

I have logged in as an active directory domain user. When i lock the mac and unlock with Touch ID the following event is logged. <subject audit-uid="-1" uid="root" gid="wheel" ruid="root" rgid="wheel" pid="318" sid="100000" tid="0 0.0.0.0" /> <text>Touch ID authentication</text> <return errval="success" retval="0" /> <identity signer-type="1" signing-id="com.apple.biometrickitd" signing-id-truncated="no" team-id="" team-id-truncated="no" cdhash="0x8b061a4cd6a37b9228d5b894cc269aaa32ef8051" /> </record> This logs the subject as root rather than as the domain user through which i have logged in through. This is not the case when i use password log in.

Invoking the es_delete_client causes intermittent crashes. I called es_delete_client in thread 1. By the way, a crash is occurring at thread 0. Is there a way to find out the cause? com.ahnlab.V3FltES_2021-09-07-145842_ahnlabui-MacBookPro-2.crash

Hi all, I have been using the endpoint system extension for some months now. Recently when I had checked the crash logs, I found that within an hour there were a lot crashes reported. I am not able to make sense from the log. Here is the crash report Process: com.test.xyz.EndpointSecurityExtension [2851] Path: /Library/SystemExtensions/*/com.test.xyz.EndpointSecurityExtension Identifier: com.test.xyz.EndpointSecurityExtension Version: 1.1.0 (4) Code Type: X86-64 (Native) Parent Process: launchd [1] Responsible: com.test.xyz.EndpointSecurityExtension [2851] User ID: 0 Date/Time: 2021-09-01 11:50:57.698 +0530 OS Version: macOS 11.5.2 (20G95) Report Version: 12 Anonymous UUID: 0F843683-C812-EEE7-668E-2DCAADAE35B6 Sleep/Wake UUID: C67D7ECA-22E6-451F-8766-CB2DCA3FC287 Time Awake Since Boot: 42000 seconds Time Since Wake: 5500 seconds System Integrity Protection: disabled Crashed Thread: 1 Dispatch queue: BBReaderQueue Exception Type: EXC_BAD_INSTRUCTION (SIGILL) Exception Codes: 0x0000000000000001, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Illegal instruction: 4 Termination Reason: Namespace SIGNAL, Code 0x4 Terminating Process: exc handler [2851] Thread 0: 0 libsystem_kernel.dylib 0x00007fff20381b0a __sigsuspend_nocancel + 10 1 libdispatch.dylib 0x00007fff202184e1 _dispatch_sigsuspend + 36 2 libdispatch.dylib 0x00007fff202184bd _dispatch_sig_thread + 53 Thread 1 Crashed:: Dispatch queue: BBReaderQueue 0 com.test.xyz.EndpointSecurityExtension 0x00000001006b836e closure #1 in + 8270 1 com.test.xyz.EndpointSecurityExtension 0x00000001006b8627 thunk for @escaping @callee_guaranteed (@unowned OpaquePointer, @unowned UnsafePointer<es_message_t>) -> () + 23 2 libEndpointSecurity.dylib 0x00007fff2fe2f52b __es_new_client_with_config_block_invoke + 43 3 libEndpointSecurity.dylib 0x00007fff2fe2ff92 BBReader<ESMessageReaderConfig>::handleItems() + 130 4 libEndpointSecurity.dylib 0x00007fff2fe2fe41 BBReader<ESMessageReaderConfig>::woke(void*) + 17 5 libdispatch.dylib 0x00007fff20207806 _dispatch_client_callout + 8 6 libdispatch.dylib 0x00007fff2020a1b0 _dispatch_continuation_pop + 423 7 libdispatch.dylib 0x00007fff2021a564 _dispatch_source_invoke + 2061 8 libdispatch.dylib 0x00007fff2020d493 _dispatch_lane_serial_drain + 263 9 libdispatch.dylib 0x00007fff2020e0e0 _dispatch_lane_invoke + 417 10 libdispatch.dylib 0x00007fff2020f318 _dispatch_workloop_invoke + 1784 11 libdispatch.dylib 0x00007fff20217c0d _dispatch_workloop_worker_thread + 811 12 libsystem_pthread.dylib 0x00007fff203ae45d _pthread_wqthread + 314 13 libsystem_pthread.dylib 0x00007fff203ad42f start_wqthread + 15 Thread 1 crashed with X86 Thread State (64-bit): rax: 0x0000000100743108 rbx: 0x0000000100743028 rcx: 0x0000000000000000 rdx: 0x00007fc6c07091c0 rdi: 0x0000000000000000 rsi: 0x0000000100743370 rbp: 0x000070000cee8690 rsp: 0x000070000cee7ed0 r8: 0x0000000000000515 r9: 0x0000000000000519 r10: 0x00000000fe1fffff r11: 0x00007fc5bffc5e90 r12: 0x000000020236c1a1 r13: 0x00000000000001f6 r14: 0x00000000000041ed r15: 0x0000000000000026 rip: 0x00000001006b836e rfl: 0x0000000000010246 cr2: 0x0000000110b5492e Logical CPU: 0 Error Code: 0x00000000 Trap Number: 6 Thread 1 instruction stream: 8b 70 10 31 ff 31 d2 e8-d6 08 00 00 e9 45 fd ff .p.1.1.......E.. ff 4c 8d 2d ca 71 00 00-48 8b 05 c3 71 00 00 48 .L.-.q..H...q..H 8b 70 10 48 ff c6 31 ff-ba 01 00 00 00 e8 b0 08 .p.H..1......... 00 00 e9 af e7 ff ff 4c-8d 2d a4 71 00 00 bf 01 .......L.-.q.... 00 00 00 4c 89 fe ba 01-00 00 00 e8 92 08 00 00 ...L............ 48 8b 05 8b 71 00 00 e9-a9 e7 ff ff 0f 0b 0f 0b H...q........... [0f]0b 0f 0b 66 2e 0f 1f-84 00 00 00 00 00 0f 1f ....f........... <== 40 00 55 48 89 e5 41 57-41 56 41 55 41 54 53 48 @.UH..AWAVAUATSH 83 ec 28 49 bc 13 00 00-00 00 00 00 d0 48 89 7d ..(I.........H.} b0 48 89 75 b8 48 c7 45-c0 2f 25 40 00 48 b8 00 .H.u.H.E./%@.H.. 00 00 00 00 00 00 e3 48-89 45 c8 48 8d 3d 30 70 .......H.E.H.=0p 00 00 e8 1b db ff ff 49-89 c7 be 48 00 00 00 ba .......I...H.... Thread 1 last branch register state not available. It restarts again, sometimes it crashes again and sometimes it starts working normally. Any idea on where I might have made a mistake? Because when i usually get crash reports it has the line, the function name and the file(eg main.swift) where I had made a mistake, but this is a bit confusing. Thanks in advanced

I tried low level XPC API. Here is the sample code.  int main(int argc, char *argv[]) { init_dispatch_queue();  xpc_main(handler); es_client_t *client; es_new_client_result_t result = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) { handle_event(c, msg); }); if (result != ES_NEW_CLIENT_RESULT_SUCCESS) { os_log_error(OS_LOG_DEFAULT, "Failed to create the ES client: %d", result); return 1; } es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_AUTH_OPEN }; if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) { es_delete_client(client); return 1; } dispatch_main(); }  xpc_main() function internally calls dispatch_main. Other extension code didn't execute. I added XPCService dict in info.plist and added RunLoopType as NSRunLoop as given in link. But it still don't work well.   NSXPConnection API that allows extension to function. I can't use these API as pyobjc do not support block calls.   Can we make low level xpc_main() to execute in second thread and not block extension.

I found a big problem. In Monterey, it does not wait for user acceptance requests. In Monterey, the user appears to fail by requesting deactivation before it is approved. Why are you requesting deactivation without waiting for a user approval request? As a result, deactivation fails. Our app is requesting deactivation based on GUI. I already asked through the feedback number below. (Follow-up: 774983090) However, I do not receive the appropriate response and post it to the Developer Forum. I'll compare it with a BigSur. First, it's BigSur. Step 1. The log pops up as shown below, and the user approval request is activated. 19:45:39.665971+0900 sysextd upgrading connection to nsxpc Step 2. If you approve the user, the log as below comes out. 19:45:43.298319+0900 authd Succeeded authorizing right 'com.apple.system-extensions.admin' by client '/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd' [1303] for authorization created by '/Applications/AhnLab Solutions/v3mac/V3FltESApp.app' [3986] (0,0) (engine 243) Step 3. Once approved, a log appears requesting deactivation as shown below and success. 19:45:43.288928+0900 sysextd deactivation request received from: /Applications/AhnLab ... 19:45:44.349972+0900 sysextd deactivation succeeded for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp 19:45:44.350649+0900 sysextd client connection (pid 3986) invalidated However, within Monterey, a deactivation request is made prior to user approval. In other words, the user appears to fail by requesting deactivation before it is approved. 20:05:54.735224+0900 sysextd upgrading connection to nsxpc 20:05:54.741167+0900 sysextd deactivation request received from: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp ... 20:05:54.756362+0900 sysextd deactivation request for com.ahnlab.V3FltES failed authorization check, error: Error Domain=OSSystemExtensionErrorDomain Code=13 "(null)" 20:05:54.760648+0900 sysextd deactivation failed for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp, error: Error Domain=OSSystemExtensionErrorDomain Code=13 "(null)" ... Even if you subsequently allow a user approval request, the deactivation request has already failed. 20:06:25.244287+0900 authd Succeeded authorizing right 'com.apple.system-extensions.admin' by client '/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd' [308] for authorization created by '/Applications/AhnLab Solutions/v3mac/V3FltESApp.app' [2573] (0,0) (engine 39) 20:06:25.250832+0900 sysextd deactivation failed for client: /Applications/AhnLab Solutions/v3mac/V3FltESApp.app/Contents/MacOS/V3FltESApp, error: Error Domain=OSSystemExtensionErrorDomain Code=4 "(null)"

Just got a crash log from our QA testing on Monterey. The basic crash info is here, but I don't know what the termination reason means or how to look it up. Exception Type: EXC_CRASH (SIGKILL) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace ENDPOINTSECURITY, Code 2 The backtrace showed the crashing thread in a _pthread_cond_wait waiting for a signal that there is data to process. (This is for notify events, we queue them up for processing). We do retain the message, so I'm wondering if the queue is backing up (shouldn't be since the pthread_cond_wait only happens on an empty queue) and not releasing the messages quickly enough. But I don't know what Code 2 means to see if this idea is valid. Can someone point me to where I can look that up? Thanks

I'm working on an enterprise product and we need to be able to provide a meaningful mapping between processes and the session context they're running in. I know that we can get the asid of a process based on an exec event subscription via ES, but the asid is too detailed. Ultimately we want to be able to say process A is running in the system/console of user {a,b,c}/ssh session. One problem is that for what we would consider a system session (non interactive) there exist multiple asids. So we need to group all non user sessions a be able to distinguish them from user gui/ssh sessions. Is there a way to get more information about a process' session, maybe but querying its asid? Maybe based on bsm and the audit token? I was thinking along the lines of what launchctl procinfo provides under the section audit flags. There are flags like has_console_access,has_authenticated. But I haven't been able to find out where this information is coming from. There are related flags in the Security framework (SessionAttributeBits) but especially the two I mentioned are missing.

Hello, We have an endpoint security daemon which also uses some system extensions (network content filtering, file notifications). When building on debug with the correct entitlements (get-task-allow) we cannot attach with the debugger. More precisely, after attach, instead of displaying thread information, the daemon just stops (in logs appears a SIGKILL with no source). Before this happens, the system freezes for about 15-20 seconds, so I'm guessing it's some kind of watchdog that kills the app before the debugger can completely attach. The same happens with a custom built GDB, as well as various versions of LLDB. How can we find out what kills the daemon and maybe increase the timeout or some other solution like that?

I'm watching NOTIFY_LINK and NOTIFY_CREATE events and symlinks are oddly not reported as link events but as create events. The problem with this is that I cannot get the path linked from without doing a manual readlink. Am I missing something? Is this an intentional design decision in ES? With BSM we'd watch AUE_SYMLINK (which has its own issues with not reporting paths).