Too many ES_EVENT_TYPE_NOTIFY_CLOSE events without corresponding OPEN event
Hi guys, I'm debugging an issue where an application modifies several files and the Endpoint Security System Extension is receiving many ES_EVENT_TYPE_NOTIFY_CLOSE events with the modify flag set to 'true' for each file. There are other ES_EVENT_TYPE_NOTIFY_CLOSE events with modify=false, but those are caused by system processes (md, mdsworker, etc.), which is expected. However, I see very few ES_EVENT_TYPE_AUTH_OPEN events. For 1 file I see, for example: 69 ES_EVENT_TYPE_NOTIFY_CLOSE with modified=true and only 2 ES_EVENT_TYPE_AUTH_OPEN with flags=2 (which I think is FWRITE). I thought that for each ES_EVENT_TYPE_NOTIFY_CLOSE event I should have exactly 1 OPEN, CREATE, CLONE or other relevant event.

The documentation isn't very helpful, because it's probably only generated from the code. For ES_EVENT_TYPE_NOTIFY_CLOSE it says "An identifier for a process that notifies endpoint security that it is closing a file." https://developer.apple.com/documentation/endpointsecurity/es_event_type_t/es_event_type_notify_close

When does ES_EVENT_TYPE_NOTIFY_CLOSE get triggered exactly? It doesn't look like it is fired only when closing a file. Is it possible that the application keeps the file open, performs a seek operation and then writes a few bytes, and after every write I get a CLOSE event? Is it only an indication of the end of a modification, or is it an indication of a closed file? If the file is truly closed, why don't I see more OPEN events, or to be exact, why don't I see a sequence of events OPEN, CLOSE, OPEN, CLOSE...?

Let's say that I need to scan a file for viruses. When receiving ES_EVENT_TYPE_AUTH_OPEN I can block access to the file, scan it and then allow access, but when receiving a CLOSE notification with an indication that the file was modified, do I need to scan it again? If I receive a CLOSE event with modify=true 50 times, do I need to scan the file every time to be sure that I capture a modification with potentially dangerous content? Or is the modify flag set to true even if the content does not change and only file attributes are changed? Is there any documentation describing the relation of ES_EVENT_* events and the dependencies between them? Thanks.
Replies: 0 · Boosts: 1 · Views: 1.2k · Activity: Nov ’22
macOS popup "(null) Would Like to Filter Network Content"
Hi guys, I have a firewall project, where I used SimpleFirewall as a template. I created the project from scratch and the firewall works, but during configuration of the network filter, macOS shows the popup "(null) Would Like to Filter Network Content". In the SimpleFirewall sample this message shows "SimpleFirewall Would Like to Filter Network Content". Obviously the name of the app is missing. I've done the following:

* checked entitlements - set up correctly
* nothing missing in Info.plist (Bundle Name, Bundle Display Name, etc.), filterManager.localizedDescription is set.
* I went through dozens if not hundreds of build settings
* I changed the window title in the MainMenu.xib to precisely match the App bundle name
* I tried to set up the filter configuration from the App bundle instead of the common framework I use (I thought perhaps the NEFilterProviderConfiguration constructor or the saveToPreferences() function checks which bundle calls it and then the system checks code signing).
* Tried localization for Base and EN
* I verified that the Filter config in System Preferences in Network uses the name of our app, and I checked that if I change filterManager.localizedDescription, it correctly changes in those system settings.
* you name it - I have done it

The only clue I found in the system log is this message:

default 15:22:56.895864+0200 MyApp Saving configuration MyApp with existing signature (null)

The only difference is that I implemented most of the firewall functionality in a framework, so that it could be reused, and the app bundle links to this framework. Currently I link against this framework from the app bundle and the system extension using "Embed & Sign". I cannot use other options, because in that case the app cannot communicate with the extension.

Anyway, I created a clone of Apple's SimpleFirewall and modified it to use a common framework with precisely the same settings as in our project, and that works correctly. Nothing appears to be working and I cannot get rid of "(null)" in the popup message in our project. Does anybody know from which source the macOS popup loads this value? Thanks.
Robert
Replies: 16 · Boosts: 0 · Views: 6.8k · Activity: Jun ’20