Hi, I develop an ES client applying rule-engine evaluating ES events (mostly File-system events).
It is a bit non-standard not being deployed as a System-Extension, but rather as a global daemon.
On some Macs, I sometimes see "crash reports" for the ES process, all sharing
Termination Reason: Namespace ENDPOINTSECURITY, Code 2 EndpointSecurity client terminated because it failed to respond to a message before its deadline
All of these happen not while normal Mac usage, but rather right at Mac wakeup time after sleep.
My guess is, some ES_AUTH events (with deadline) arrive when Mac goes to sleep, and somehow my high-priority dispatch_queue handling them is "put to sleep" mid processing them, so when the Mac wakes up - event handling continues long after the deadline passed, and MacOS decides to kick the process.
Questions:
- What is the recommended behavior with ES vs Sleep/Wake cycles? (we're not an antivirus, and we don't care much to clear events or go "blind" for such time)
- Can I specify somewhere in the info.plist of my bundle (this is built like an App) that my process should't be put to sleep, or that the OS should sleep it only when it becomes idle, or some other way tells the OS it is "ready for sleep" ?
- If not -- How do I observe the scenario so I can suspend my event handling IN TIME and resume on wake?
Thanks!