```
2025/07/21,13:38:35, EVENT, RTS, Auth_open(msg:), eventType: AUTH_OPEN
filePath: /Library/Application Support/ahnlab/auth/
procPath: /bin/cp open
fflag: 1074790400(0x4010000) // #define O_SEARCH (O_EXEC | O_DIRECTORY) /* open directory for search only */
```
Hello,
Thank you for your answer.
Starting with macOS 26 beta 4, I’ve noticed a change in AUTH_OPEN event behavior.
Previously (macOS 15 and earlier), when performing file copy operations, the es_event_open_t events were only triggered for the source file and target file, with fflag values such as FWRITE or FREAD.
However, on macOS 26 beta 4, before the file events occur, additional AUTH_OPEN events are triggered for the source and target directories, and in those cases, the fflag field contains O_SEARCH (e.g., 0x4010000) instead of the expected FREAD/FWRITE.
The documentation states that fflag should represent the kernel-applied mask, not the open(2) oflag values.
Is this an intentional change in macOS 26?
Should we now expect directory AUTH_OPEN events before file events?
If so, should fflag still be interpreted as before, or does it now represent oflag values in some cases?
Environment:
macOS 26 beta 4
Endpoint Security Framework
Observed during file copy operations (/bin/cp)
Thanks for any clarification!
Topic: App & System Services
SubTopic: Core OS
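An added example (not part of the original post, and not Apple's code): a small decoder that classifies the `fflag` of an AUTH_OPEN event, so a handler that only expects FREAD/FWRITE can recognize the directory-search case from the log line above. The `FF_*` constants copy the values from the macOS SDK's `<sys/fcntl.h>`, and the function and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as defined in the macOS SDK <sys/fcntl.h>, under local names so
 * the decoder builds on any host (assumption: unchanged in macOS 26). */
#define FF_FREAD       0x00000001u
#define FF_FWRITE      0x00000002u
#define FF_O_DIRECTORY 0x00100000u
#define FF_O_EXEC      0x40000000u
#define FF_O_SEARCH    (FF_O_EXEC | FF_O_DIRECTORY)

typedef enum { OPEN_OTHER, OPEN_READ, OPEN_WRITE, OPEN_READ_WRITE,
               OPEN_DIR_SEARCH } open_kind_t;

/* Classify es_event_open_t.fflag; the directory-search case is tested
 * first because it carries neither FREAD nor FWRITE. */
open_kind_t classify_fflag(uint32_t fflag) {
    if ((fflag & FF_O_SEARCH) == FF_O_SEARCH) return OPEN_DIR_SEARCH;
    switch (fflag & (FF_FREAD | FF_FWRITE)) {
    case FF_FREAD:             return OPEN_READ;
    case FF_FWRITE:            return OPEN_WRITE;
    case FF_FREAD | FF_FWRITE: return OPEN_READ_WRITE;
    default:                   return OPEN_OTHER;
    }
}

/* Write the names of the known bits into buf ("A|B") and return the bits
 * this table does not know, so unexpected flags are logged, not dropped. */
uint32_t describe_fflag(uint32_t fflag, char *buf, size_t len) {
    static const struct { uint32_t bit; const char *name; } names[] = {
        { FF_FREAD, "FREAD" }, { FF_FWRITE, "FWRITE" },
        { FF_O_DIRECTORY, "O_DIRECTORY" }, { FF_O_EXEC, "O_EXEC" },
    };
    uint32_t rest = fflag;
    size_t used = 0;
    if (len > 0) buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(fflag & names[i].bit)) continue;
        rest &= ~names[i].bit;
        if (used + 1 >= len) continue;          /* no room left in buf */
        int n = snprintf(buf + used, len - used, "%s%s",
                         used ? "|" : "", names[i].name);
        if (n > 0) used += ((size_t)n < len - used) ? (size_t)n : len - used - 1;
    }
    return rest;
}

int main(void) {
    char names[64];
    uint32_t logged = 1074790400u;   /* decimal fflag from the log line */
    uint32_t rest = describe_fflag(logged, names, sizeof names);
    printf("0x%08x kind=%d %s unknown=0x%x\n", (unsigned)logged,
           (int)classify_fflag(logged), names, (unsigned)rest);
    return 0;
}
```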