Endpoint Security event muting issue

Question

Created Oct ’23

Replies 5

Boosts 0

Participants 3

Recently we've discovered an issue affecting our products in regards to using the Monterey+ provided new api calls to selectively mute events.

Specifically, whenever using es_mute_process_events or es_mute_path_events, the ES_EVENT_TYPE_NOTIFY_OPEN event is ignored for muting (meaning the call will return success, but the event will keep coming).

This is true only for this event as far as I can tell, its AUTH counterpart stays muted (along lots of other processes: clone, rename, close, unlink, fork etc). It fails if either the event is in a list of events or if the event is singled out in 1 sized vector of events.

When using a dedicated client for this event and using the previous api, es_mute_process or es_mute_path muting works as intended.

Tested on ventura 13.5 and 13.6. Is there something that can be done to prevent dedicated clients or is this a known issue?

Boost

Answer 1

DTS Engineer OP

Apple

Oct ’23

the ES_EVENT_TYPE_NOTIFY_OPEN event is ignored for muting

I’m not 100% sure what’s going on here, but this definitely sounds like a bug. Do you still see it on the just-released macOS 14. If so, I recommend that you file a bug about it. Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

dionita OP

Oct ’23

Hi,

Thanks for the answer. Yes, we're seeing the same behavior in Sonoma as well.

For now we'll use a dedicated client for this particular event.

0

Answer 3

dionita OP

Oct ’23

I've reported bug FB13245019 for further reference.

0

Answer 4

smudireddy OP

Mar ’24

@dionita - Any workaround/solution you found for the issue you reported to Apple ?

Thanks in advance.

M.Suresh

0

Answer 5

DTS Engineer OP

Apple

Mar ’24

If you’re able to reproduce this, I encourage you to file your own bug with:

A small test project that shows the issue.
A sysdiagnose log taken shortly after reproduce it.

Feel free to reference FB13245019, but be clear that your bug should not be treated as a dup of that.

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0