The Endpoint Security event ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD notification appears to be broken in two ways.
This issue has also been submitted via Feedback Assistant: FB11812980
Background
The ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD Endpoint Security (ES) event is declared in the header file ESTypes.h.
In ESMessage.h one finds more information about its ES message type, es_event_btm_launch_item_add_t, and a comment that says it is a:
"notification for launch item being made known to background task management. This includes launch agents and daemons as well as login items added by the user, via MDM or by an app"
This seems to be an ideal notification for detecting persistence events (e.g. the installation of a launch or login item). Unfortunately, at this time (on macOS 13.0.1 (22A400)) it appears to be broken.
Issues
1️⃣ The first issue is that an ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD notification is delivered for every installed launch agent/daemon whenever a new launch agent/daemon is added (not just for the new launch item).
Steps to reproduce:
- From terminal run (via root/sudo):
eslogger btm_launch_item_add
- Install a launch agent/daemon ...either run an installer that creates a launch item, or just manually copy a launch item plist:
% cp ~/Desktop/com.test.plist ~/LaunchAgents/com.test.plist
- This triggers a deluge of ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD notifications, one for every installed launch agent/daemon ...not just the one that was added 😅
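Because of the behaviour described above, a consumer of this event cannot treat every notification as a new persistence item. The script below is an added example (not part of this report, and not Apple code) of the workaround a detection pipeline would need: it reads eslogger-style JSON lines, keeps a set of launch items that are already known, and only reports items it has not seen before. The JSON nesting ("event" -> "btm_launch_item_add" -> "item") and the field names item_url, uid and executable_path are assumed from the es_event_btm_launch_item_add_t and es_btm_launch_item_t structs in ESMessage.h; the sample lines are constructed to mimic the reported burst and are not real eslogger output.

```python
import json
import sys
from typing import Dict, Iterable, Iterator, List, Set

# CONSTRUCTED sample of eslogger-style output, one JSON object per line.
# The nesting and field names are an ASSUMPTION modelled on the
# es_event_btm_launch_item_add_t / es_btm_launch_item_t structs; verify them
# against real eslogger output before relying on this parser.
# The burst mimics the reported bug: adding com.test.plist produces one
# notification per installed launch item, not just one for the new item.
SAMPLE_LINES = [
    # Unrelated event type: must be ignored.
    '{"event": {"exec": {"target": {"executable": {"path": "/bin/ls"}}}}}',
    # Two items that were installed long before the copy happened.
    '{"event": {"btm_launch_item_add": {"executable_path": "/usr/local/bin/existing-agent", '
    '"item": {"item_url": "file:///Users/user/Library/LaunchAgents/com.example.existing.plist", "uid": 501}}}}',
    '{"event": {"btm_launch_item_add": {"executable_path": "/usr/local/bin/backupd", '
    '"item": {"item_url": "file:///Library/LaunchDaemons/com.example.backupd.plist", "uid": 0}}}}',
    # The item that was actually added.
    '{"event": {"btm_launch_item_add": {"executable_path": "/usr/local/bin/test", '
    '"item": {"item_url": "file:///Users/user/Library/LaunchAgents/com.test.plist", "uid": 501}}}}',
    # Garbage line: must be skipped without crashing.
    'not json at all',
]

# Constructed baseline: items a filesystem sweep of LaunchAgents/LaunchDaemons
# would have found before monitoring started.
BASELINE = [
    "file:///Users/user/Library/LaunchAgents/com.example.existing.plist",
    "file:///Library/LaunchDaemons/com.example.backupd.plist",
]


def parse_launch_item_events(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield a flat record per btm_launch_item_add event in eslogger output.

    Lines that are not JSON, are not objects, or carry another event type
    are skipped so one bad line does not stop the stream."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(msg, dict):
            continue
        ev = msg.get("event", {}).get("btm_launch_item_add")
        if not isinstance(ev, dict):
            continue
        item = ev.get("item") or {}
        url = item.get("item_url")
        if not url:
            continue
        yield {
            "item_url": url,
            "uid": item.get("uid"),
            "executable_path": ev.get("executable_path"),
        }


class LaunchItemMonitor:
    """Suppresses repeat notifications for launch items that are already known.

    Seed `known` from a sweep of the LaunchAgents/LaunchDaemons directories
    (or from the first burst) so pre-existing items do not alert, then every
    later burst only surfaces items seen for the first time."""

    def __init__(self, known: Iterable[str] = ()) -> None:
        self.known: Set[str] = set(known)

    def observe(self, event: Dict[str, object]) -> bool:
        """Return True only the first time a given item_url is seen."""
        url = str(event["item_url"])
        if url in self.known:
            return False
        self.known.add(url)
        return True


def new_launch_items(lines: Iterable[str], known: Iterable[str] = ()) -> List[str]:
    """Return the item_urls that are new relative to `known`, in arrival order."""
    monitor = LaunchItemMonitor(known)
    return [str(ev["item_url"]) for ev in parse_launch_item_events(lines) if monitor.observe(ev)]


if __name__ == "__main__":
    # Pipe real output in with: sudo eslogger btm_launch_item_add | python3 this_script.py
    # With no piped input, the constructed sample burst is used instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for url in new_launch_items(source, BASELINE):
        print("new launch item:", url)
```

With the constructed burst and baseline, only com.test.plist is reported; feeding the same burst a second time reports nothing, which is the behaviour a detector needs until the event itself is fixed. Note that this only narrows the deluge; it cannot distinguish a genuinely new item from one that was merely absent from the baseline sweep.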
2️⃣ The second issue is that an ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD notification is not delivered for login items.
Steps to reproduce:
- From terminal run (via root/sudo):
eslogger btm_launch_item_add
- Install a login item ...for example, run an installer that installs a login item
- Note that no ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD notification is delivered, even though the ESMessage header file notes that a notification should be delivered for "...login items added by the user, via MDM or by an app"
Note that macOS does detect the login item installation and generates an alert to the user. 🤷🏻‍♂️