Endpoint Security Intercept file sending?

Endpoint Security provides the ES_EVENT_TYPE_AUTH_OPEN event, and I can make the process intercept the open of a specified file with es_respond_flags_result(client, msg, 0x0, true);. However, WeChat (the chat app) is intercepted the first time it sends the specified file; the second time, the file is sent successfully and the peer end receives it.

I can confirm that es_respond_flags_result(client, msg, 0x0, true); is called. So, which auth event should I use? Thanks!

Replies

There’s no guarantee that there is an ES event associated with that second send.

You’re bumping into a fundamental design point of ES. macOS has a bunch of APIs that provide primitive operations: open a file, create a file, and so on. Apps use those APIs to construct a user-level operation, like uploading a file. ES lets you monitor the primitives but has no insight into the user-level operation. Apps have a lot of flexibility in that regard. For example, the app might:

  • Keep the file descriptor open

  • Cache a copy of the file in memory

  • Cache a copy of the file elsewhere

As an ES developer it’s best to try to avoid inferring a high-level operation from these primitive operations. But, if you have to do that, the onus is on you to come up with the relevant heuristics.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

OK, thank you. I logged all the events for the file and found that WeChat first CLONEs the file and then OPENs the new file. Which system call does this ES_EVENT_TYPE_AUTH_CLONE event correspond to? Can I call es_respond_flags_result(client, msg, 0x0, true); to deny the CLONE?

Auth Open and Auth Clone should be used together to solve this WeChat issue.
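One way to combine the two auth events, as an added example that is not code from this thread, from WeChat, or from Apple. Two facts it relies on: ES_EVENT_TYPE_AUTH_OPEN is the one auth event that is answered with es_respond_flags_result (an authorized_flags mask of 0 denies the open), while ES_EVENT_TYPE_AUTH_CLONE corresponds to the clonefile(2) family of system calls and is answered with es_respond_auth_result like the other auth events. Following Quinn's point that ES only sees primitives, the policy below does not try to recognise "uploading"; it simply treats a clone of a protected file as producing another protected file, so the OPEN that follows the CLONE is denied too. The policy part is plain C and compiles anywhere; the Endpoint Security glue is guarded by #ifdef __APPLE__ and assumes a root process carrying the com.apple.developer.endpoint-security.client entitlement. The protected path /Users/alice/Documents/secret.pdf, the 64-entry registry and the helper names are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Policy (plain C, platform independent) ---------------------------- */

#define MAX_PROTECTED 64
#define MAX_PATH_LEN  1024

/* Protected set: starts empty; main() below seeds it with an assumed path. */
static char   protected_paths[MAX_PROTECTED][MAX_PATH_LEN];
static size_t protected_count = 0;

bool path_is_protected(const char *path) {
    for (size_t i = 0; i < protected_count; i++)
        if (strcmp(protected_paths[i], path) == 0) return true;
    return false;
}

/* Add a path to the protected set. Returns false if the set is full or the path is too long. */
bool protect_path(const char *path) {
    if (path_is_protected(path)) return true;
    if (protected_count >= MAX_PROTECTED || strlen(path) >= MAX_PATH_LEN) return false;
    strcpy(protected_paths[protected_count++], path);
    return true;
}

/* AUTH_OPEN verdict: the authorized_flags value for es_respond_flags_result().
 * 0 authorizes no open flags at all, so every open of the file is denied;
 * UINT32_MAX authorizes whatever flags the caller requested. */
uint32_t open_authorized_flags(const char *path) {
    return path_is_protected(path) ? 0u : UINT32_MAX;
}

/* AUTH_CLONE verdict (clonefile(2) family). Returns true to allow, false to deny.
 * Cloning a protected source is allowed, but the clone's destination
 * (target_dir/target_name) is registered first, so the AUTH_OPEN that follows
 * on the copy is denied as well. Fails closed if the target cannot be registered. */
bool clone_allowed(const char *source, const char *target_dir, const char *target_name) {
    if (!path_is_protected(source)) return true;
    char target[MAX_PATH_LEN];
    int n = snprintf(target, sizeof target, "%s/%s", target_dir, target_name);
    if (n < 0 || (size_t)n >= sizeof target) return false;
    return protect_path(target);
}

/* ---- Endpoint Security glue (macOS only) -------------------------------- */
#ifdef __APPLE__
#include <EndpointSecurity/EndpointSecurity.h>
#include <dispatch/dispatch.h>

/* Copy an es_string_token_t into a NUL-terminated buffer, truncating if needed. */
static void token_to_cstr(es_string_token_t tok, char *buf, size_t cap) {
    size_t n = tok.length < cap - 1 ? tok.length : cap - 1;
    memcpy(buf, tok.data, n);
    buf[n] = '\0';
}

static void handle_message(es_client_t *client, const es_message_t *msg) {
    char a[MAX_PATH_LEN], b[MAX_PATH_LEN], c[MAX_PATH_LEN];
    switch (msg->event_type) {
    case ES_EVENT_TYPE_AUTH_OPEN:
        token_to_cstr(msg->event.open.file->path, a, sizeof a);
        /* AUTH_OPEN is the one auth event answered with a flags mask. cache=false so a
         * path registered by a later clone is re-evaluated on its next open. */
        es_respond_flags_result(client, msg, open_authorized_flags(a), false);
        break;
    case ES_EVENT_TYPE_AUTH_CLONE:
        token_to_cstr(msg->event.clone.source->path, a, sizeof a);
        token_to_cstr(msg->event.clone.target_dir->path, b, sizeof b);
        token_to_cstr(msg->event.clone.target_name, c, sizeof c);
        es_respond_auth_result(client, msg,
                               clone_allowed(a, b, c) ? ES_AUTH_RESULT_ALLOW : ES_AUTH_RESULT_DENY,
                               false);
        break;
    default:
        break;   /* only the two events above are subscribed */
    }
}

int main(void) {
    protect_path("/Users/alice/Documents/secret.pdf");   /* assumed path for the example */
    es_client_t *client = NULL;
    if (es_new_client(&client, ^(es_client_t *cl, const es_message_t *msg) {
            handle_message(cl, msg);
        }) != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: needs root and the "
                        "com.apple.developer.endpoint-security.client entitlement\n");
        return EXIT_FAILURE;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_CLONE };
    if (es_subscribe(client, events, sizeof events / sizeof events[0]) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        return EXIT_FAILURE;
    }
    dispatch_main();   /* never returns; each auth event must be answered before msg->deadline */
}
#else
int main(void) {
    puts("EndpointSecurity.framework is macOS-only; the policy functions above compile anywhere.");
    return 0;
}
#endif
```

Denying the clone outright (return false from clone_allowed when the source is protected) is the simpler variant and leaves no copy behind; the registry approach shown here lets the clone exist but keeps every open of it blocked, which is the sequence the thread observed. Either way, an app that keeps a descriptor open or caches the bytes in memory, as Quinn notes, is still outside what these two events can see.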