Hello,
Starting with macOS 26 beta 4, I’ve noticed that the fflag field in es_event_open_t sometimes contains O_SEARCH instead of the expected FREAD or FWRITE values.
According to the documentation, fflag should represent the kernel-applied flags (e.g., FREAD, FWRITE), not the open(2) oflag values. However, in my tests, when intercepting ES_EVENT_TYPE_AUTH_OPEN events, the value appears to match O_SEARCH in certain cases.
Is this an intentional change in macOS 26, or could it be a bug in the current beta? If this is expected behavior, could you clarify under what conditions O_SEARCH or other oflag values are returned?
Environment:
macOS 26 beta 4
Endpoint Security Framework
Thanks in advance for any clarification!
I am using es_new_client and es_subscribe in SystemExtension and EndpointSecurity.
I tested it on M3, and it is working. It also works on M1 versions 12, 13, and 14. Additionally, ES_EVENT_TYPE_NOTIFY_KEXTUNLOAD is functioning correctly.
However, there is a bug on M1 Big Sur where es_new_client's es_handler_block_t cannot receive ES_EVENT_TYPE_NOTIFY_KEXTLOAD.
The tested commands are:
```shell
sudo kextload /System/Library/Extensions/msdosfs.kext
sudo kextload /System/Library/Extensions/*.kext
```
Is this intended behavior or a bug? Are there any plans to fix it?
Hello, I use NetworkExtension's NEFilterSocketFlow description.
I receive it as a String, or an UnsafeMutableBufferPointer, etc. ...
It always has a memory leak.
So I just call NEFilterSocketFlow.description or description.utf8String without assigning it to any variable.
But it also has a memory leak.
What should I do?
DisplayPort (DP) to USB-C monitor is not working on an iMac 2019 (Intel) after updating to macOS 14 Sonoma.
I used it before the update and it was completely OK, but after updating the OS from 13 to 14,
it never works.
I want to make an API that returns the version defined in a static library.
How do I get the current library version defined in Xcode under "Build Settings - Linking or Versioning"?
Like VERSION: Clang version.
Is there some preprocessor macro, or is a static char defined?
If anyone knows, please share.
Hello,
I have an issue when I develop a NetworkExtension on Monterey with Safari.
I want to find the caller process name when the metadata's sourceAppAuditToken does not exist.
I compare the blocked content with process fd information using IP:PORT.
```objc
// 0. Input: blockedSrc, blockedDest (IP:port of the blocked flow)
if ([[blockedPacket metadata] sourceAppAuditToken] == nil)
{
    // 1. Get the list of processes (kinfo_proc array from sysctl).
    sysctl( procList ... );
    struct kinfo_proc proc = procList[procIdx];
    pid_t pid = proc.kp_proc.p_pid;
    // 2. Get the process fd list. PROC_PIDLISTFDS returns proc_fdinfo entries
    //    (fd number + type); the socket details come from proc_pidfdinfo on each socket fd.
    proc_pidinfo(pid, PROC_PIDLISTFDS, 0, fdList, fdListSize);
    ...
    struct socket_fdinfo socketInfo;
    proc_pidfdinfo(pid, fdList[fdIdx].proc_fd, PROC_PIDFDSOCKETINFO, &socketInfo, sizeof(socketInfo));
    // 3. Get IP and port from the socket information (kernel stores them in network byte order).
    srcIP    = (struct in_addr *)&socketInfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_laddr.ina_46.i46a_addr4;
    srcPort  = (int)ntohs((uint16_t)socketInfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_lport);
    destIP   = (struct in_addr *)&socketInfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_faddr.ina_46.i46a_addr4;
    destPort = (int)ntohs((uint16_t)socketInfo.psi.soi_proto.pri_tcp.tcpsi_ini.insi_fport);
    ...
    // 4. Compare the blocked content with this socket using srcIP:Port and destIP:Port
    if (blockedSrc == src && blockedDest == dest)
    {
        // 5. Found: resolve the process path (name)
        proc_pidpath(pid, pathBuffer, sizeof(pathBuffer)-1);
    }
}
```
In Big Sur Chrome, Safari, and Monterey Chrome, the same routine is working,
and in these cases I can find the list of processes that open TCP using the terminal ("lsof -i -P").
But it does not work when using Safari on Monterey.
So I checked the list of processes that open TCP on Monterey, and I couldn't find it.
How can I find the caller process name on Monterey when Safari web content is blocked?
Thank you for reading.
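As an added example (my code, not the poster's), here is the two-step libproc lookup that the routine above sketches, written out completely: PROC_PIDLISTFDS enumerates the fds, then PROC_PIDFDSOCKETINFO on each socket fd yields the TCP 4-tuple, which is the same data lsof -i reads. The function name OwnerOfTCPFlow and its host-byte-order parameters are my assumptions; it needs macOS with libproc.h.

```objc
#import <Foundation/Foundation.h>
#include <libproc.h>
#include <sys/proc_info.h>
#include <arpa/inet.h>
#include <stdlib.h>

// Returns the executable path of the process owning an IPv4 TCP socket with the given
// local and remote addr:port (host byte order), or nil if none was found. Added example.
static NSString *OwnerOfTCPFlow(uint32_t laddr, uint16_t lport, uint32_t faddr, uint16_t fport,
                                pid_t *ownerPid) {
    int bytes = proc_listpids(PROC_ALL_PIDS, 0, NULL, 0);
    if (bytes <= 0) return nil;
    pid_t *pids = malloc(bytes);
    int npids = proc_listpids(PROC_ALL_PIDS, 0, pids, bytes) / (int)sizeof(pid_t);
    NSString *result = nil;
    for (int i = 0; i < npids && result == nil; i++) {
        pid_t pid = pids[i];
        if (pid <= 0) continue;
        // Step 1: PROC_PIDLISTFDS yields proc_fdinfo records (fd number + type), not socket info.
        int fdbytes = proc_pidinfo(pid, PROC_PIDLISTFDS, 0, NULL, 0);
        if (fdbytes <= 0) continue;                 // e.g. no permission for that process
        struct proc_fdinfo *fds = malloc(fdbytes);
        int nfds = proc_pidinfo(pid, PROC_PIDLISTFDS, 0, fds, fdbytes) / PROC_PIDLISTFD_SIZE;
        for (int j = 0; j < nfds; j++) {
            if (fds[j].proc_fdtype != PROX_FDTYPE_SOCKET) continue;
            // Step 2: PROC_PIDFDSOCKETINFO on each socket fd is where the TCP 4-tuple lives.
            struct socket_fdinfo si;
            if (proc_pidfdinfo(pid, fds[j].proc_fd, PROC_PIDFDSOCKETINFO, &si, (int)sizeof si)
                != (int)sizeof si) continue;
            if (si.psi.soi_kind != SOCKINFO_TCP || si.psi.soi_family != AF_INET) continue;
            struct in_sockinfo *in = &si.psi.soi_proto.pri_tcp.tcpsi_ini;
            // The kernel stores these in network byte order (as lsof assumes); convert first.
            if (ntohl(in->insi_laddr.ina_46.i46a_addr4.s_addr) == laddr &&
                ntohs((uint16_t)in->insi_lport) == lport &&
                ntohl(in->insi_faddr.ina_46.i46a_addr4.s_addr) == faddr &&
                ntohs((uint16_t)in->insi_fport) == fport) {
                char path[PROC_PIDPATHINFO_MAXSIZE];
                if (proc_pidpath(pid, path, sizeof path) > 0) {
                    result = [NSString stringWithUTF8String:path];
                    if (ownerPid) *ownerPid = pid;
                }
                break;
            }
        }
        free(fds);
    }
    free(pids);
    return result;
}
```

The lookup only sees processes the caller is allowed to inspect and only while the socket still exists, so run it as soon as the flow is seen rather than after it is closed. The path it returns is whichever process owns the socket, which for an app that does its networking in a separate helper process is the helper, not the app bundle the user sees.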