Endpoint Security event muting issue

Recently we've discovered an issue affecting our products in regards to using the Monterey+ provided new api calls to selectively mute events.

Specifically, whenever using es_mute_process_events or es_mute_path_events, the ES_EVENT_TYPE_NOTIFY_OPEN event is ignored for muting (meaning the call will return success, but the event will keep coming).

This is true only for this event as far as I can tell, its AUTH counterpart stays muted (along lots of other processes: clone, rename, close, unlink, fork etc). It fails if either the event is in a list of events or if the event is singled out in 1 sized vector of events.

When using a dedicated client for this event and using the previous api, es_mute_process or es_mute_path muting works as intended.

Tested on ventura 13.5 and 13.6. Is there something that can be done to prevent dedicated clients or is this a known issue?

Up vote post of dionita Down vote post of dionita
566 views
Posted by
dionita
Reply
Add a Comment

Replies

the ES_EVENT_TYPE_NOTIFY_OPEN event is ignored for muting

I’m not 100% sure what’s going on here, but this definitely sounds like a bug. Do you still see it on the just-released macOS 14. If so, I recommend that you file a bug about it. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Hi,

Thanks for the answer. Yes, we're seeing the same behavior in Sonoma as well.

For now we'll use a dedicated client for this particular event.

Posted by
dionita
Up vote reply of dionita Down vote reply of dionita
Add a Comment

I've reported bug FB13245019 for further reference.

Posted by
dionita
Up vote reply of dionita Down vote reply of dionita
Add a Comment

@dionita - Any workaround/solution you found for the issue you reported to Apple ?

Thanks in advance.

M.Suresh

Posted by
smudireddy
Up vote reply of smudireddy Down vote reply of smudireddy
Add a Comment

If you’re able to reproduce this, I encourage you to file your own bug with:

  • A small test project that shows the issue.

  • A sysdiagnose log taken shortly after reproduce it.

Feel free to reference FB13245019, but be clear that your bug should not be treated as a dup of that.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment