Hello community
we have been using an Endpoint Security client within a system extension for quite a while now. After some users updated macOS to Sonoma, we got complaints about slower performance when using MS Office on Mac. The product features work as expected, and our system extension is loaded and delivers events.
Upon inspection of the log files, we found the following (but not on all machines):
[com.apple.TCC:access] Failed to create LSApplicationRecord for file:///Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension/: 'The operation couldn’t be completed. (OSStatus error -10811.)'
and
[com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.sophos.endpoint.scanextension, type: 0: 0x7fb63da318c0 at /Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension
for almost each event delivered. We are using XPC from the system extension to a non-privileged daemon process to process file content.
A Feedback report has already been filed: FB13174804
An additional code-level support request was returned without any explanation.
Signing checks of the system extension and the containing app (daemon) on Sonoma turn up without any errors.
Any idea what's going on here?
Frank Fenn
Sophos Inc.
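To get a quantitative view of how often the two TCC messages quoted above recur, and for which extension, here is an added log-triage script. It is not part of the post and not Sophos code; it runs over a handful of constructed lines modelled on the quoted format (the `Example.app` line and the mapping of OSStatus values to LaunchServices names are assumptions, not taken from the post). It groups LSApplicationRecord failures and staticCode evaluations per bundle identifier so that a noisy extension stands out:

```python
import re
from collections import Counter, defaultdict
from posixpath import basename
from urllib.parse import unquote, urlparse

# Constructed sample lines modelled on the two messages quoted in the post.
# The last line (Example.app, -10814) is invented for contrast.
SAMPLE_LOG = """\
[com.apple.TCC:access] Failed to create LSApplicationRecord for file:///Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension/: 'The operation couldn't be completed. (OSStatus error -10811.)'
[com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.sophos.endpoint.scanextension, type: 0: 0x7fb63da318c0 at /Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension
[com.apple.TCC:access] Failed to create LSApplicationRecord for file:///Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension/: 'The operation couldn't be completed. (OSStatus error -10811.)'
[com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.sophos.endpoint.scanextension, type: 0: 0x7fb63da318c0 at /Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension
[com.apple.TCC:access] Failed to create LSApplicationRecord for file:///Applications/Example.app/: 'The operation couldn't be completed. (OSStatus error -10814.)'
"""

# Assumed mapping of LaunchServices status codes (from LSInfo.h), not quoted in the post.
LS_STATUS_NAMES = {-10811: "kLSNotAnApplicationErr", -10814: "kLSApplicationNotFoundErr"}

LSRECORD_RE = re.compile(
    r"^\[(?P<subsystem>[\w.]+):(?P<category>\w+)\] Failed to create LSApplicationRecord for "
    r"(?P<url>\S+?): '.*\(OSStatus error (?P<status>-?\d+)\.\)'$"
)
STATICCODE_RE = re.compile(
    r"^\[(?P<subsystem>[\w.]+):(?P<category>\w+)\] -\[TCCDAccessIdentity staticCode\]: "
    r"static code for: identifier (?P<identifier>[\w.\-]+), type: (?P<type>\d+): "
    r"(?P<ptr>0x[0-9a-fA-F]+) at (?P<path>\S+)$"
)


def bundle_id_from_url(url: str) -> str:
    """Derive the bundle identifier from the file:// URL TCC logs for the record."""
    path = unquote(urlparse(url).path).rstrip("/")
    name = basename(path)
    for suffix in (".systemextension", ".app", ".appex"):
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def describe_status(status: int) -> str:
    return LS_STATUS_NAMES.get(status, f"OSStatus {status}")


def parse_line(line: str):
    """Return a dict for the two message shapes we know, None for anything else."""
    m = LSRECORD_RE.match(line)
    if m:
        return {"kind": "lsrecord", "identifier": bundle_id_from_url(m["url"]),
                "status": int(m["status"])}
    m = STATICCODE_RE.match(line)
    if m:
        return {"kind": "staticcode", "identifier": m["identifier"], "path": m["path"]}
    return None


def summarize_tcc_log(text: str) -> dict:
    """Per bundle identifier: LSApplicationRecord failures, their codes, staticCode evaluations."""
    summary = defaultdict(lambda: {"ls_failures": 0, "status_codes": Counter(),
                                   "static_code_checks": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["identifier"]]
        if rec["kind"] == "lsrecord":
            entry["ls_failures"] += 1
            entry["status_codes"][rec["status"]] += 1
        else:
            entry["static_code_checks"] += 1
    return dict(summary)


def noisy_identifiers(summary: dict, min_failures: int = 2) -> list:
    """Identifiers that failed LSApplicationRecord creation at least min_failures times."""
    return sorted(i for i, e in summary.items() if e["ls_failures"] >= min_failures)


if __name__ == "__main__":
    report = summarize_tcc_log(SAMPLE_LOG)
    for ident, entry in report.items():
        codes = ", ".join(f"{describe_status(c)} x{n}" for c, n in entry["status_codes"].items())
        print(f"{ident}: {entry['ls_failures']} LS failures ({codes}), "
              f"{entry['static_code_checks']} staticCode evaluations")
    print("noisy:", noisy_identifiers(report))
```

Running it against a real `log show --predicate 'subsystem == "com.apple.TCC"'` export (after stripping the timestamp and process columns) gives the ratio of LSApplicationRecord failures to delivered events that the post describes as "almost each event".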
Hello, we are running a LaunchDaemon by creating a symlink into a .bundle which contains the plist.
On 13.0 the LaunchDaemon was added to the "Allow In the Background" list within "Login Items". After upgrading to 13.1 beta (and the 1st reboot) the item disappears from the list. A log message indicates the error: kLSNotAnApplicationErr. After the next reboot, our LaunchDaemon is no longer running, rendering our installation nonfunctional.
Do background applications (or the plist they reference) need to be .app bundles from now on?
Frank Fenn
Sophos Inc.
When installing our properly signed System Extension using ES Client on macOS Ventura RC we get the usual entry in the Full Disk Access panel of the System Settings as expected.
But there is now also an entry for the same system extension under the Developer Tools section in System Settings, which cannot be deleted or have its status changed from on to off. But the enabled slider is magically linked to the enabled slider for the same extension in the Full Disk Access group of the settings.
Is this a bug or wanted behaviour?
Frank Fenn
Sophos Inc.
Hello,
when FDA rights are given in macOS Monterey, the TCC entry reflects this and the process using ES Client works as expected.
entry as follows: kTCCServiceSystemPolicyAllFiles|com.sophos.endpoint.scanextension|...
after migrating the OS to Ventura beta 11 with the process using the ES Client installed, the TCC entries read as follows:
kTCCServiceSystemPolicyAllFiles|com.sophos.endpoint.scanextension|...
kTCCServiceEndpointSecurityClient|com.sophos.endpoint.scanextension|...
The old entry is still present, causing our software to report that the precondition of FDA is still valid. But internally the ES Client will report an error when being created, since the newly introduced entry does not reflect the FDA permissions granted.
It can be manually solved by removing the executable from the FDA list in System Preferences and re-adding it, but this is not the ideal solution.
Is this a known problem?
Frank Fenn
Sophos Inc.
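The precondition the post describes (an old `kTCCServiceSystemPolicyAllFiles` row that still says "granted" while the new `kTCCServiceEndpointSecurityClient` row does not) is easy to check if the software looks at both rows rather than only the FDA one. The following is an added example, not part of the post and not Sophos code. It models a reduced `access` table in an in-memory SQLite database (the real TCC.db has more columns; the `auth_value` semantics of 0 denied / 2 allowed, the `client_type` values and the row contents are assumptions) and reports which clients are in the stale state. It goes slightly beyond the post by scanning for all such clients, not just one:

```python
import sqlite3

# Service names exactly as they appear in the post's TCC entries.
SERVICE_FDA = "kTCCServiceSystemPolicyAllFiles"
SERVICE_ES = "kTCCServiceEndpointSecurityClient"

# Assumed auth_value semantics of the TCC.db access table (0 denied, 1 unknown,
# 2 allowed, 3 limited). Not quoted from the post.
AUTH_ALLOWED = 2


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the `access` table of TCC.db.

    Only the columns the check needs are modelled; client_type 0 is assumed to
    mean "bundle identifier".
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER)"
    )
    rows = [
        # The post's post-migration state: the old FDA row survived, the new
        # ES-client row did not inherit the grant (auth_value is constructed).
        (SERVICE_FDA, "com.sophos.endpoint.scanextension", 0, AUTH_ALLOWED, 0),
        (SERVICE_ES, "com.sophos.endpoint.scanextension", 0, 0, 0),
        # A constructed, fully granted client for contrast.
        (SERVICE_FDA, "com.example.healthy", 0, AUTH_ALLOWED, 0),
        (SERVICE_ES, "com.example.healthy", 0, AUTH_ALLOWED, 0),
        # A constructed client that was never granted anything.
        (SERVICE_FDA, "com.example.denied", 0, 0, 0),
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def _granted(conn: sqlite3.Connection, service: str, client: str) -> bool:
    row = conn.execute(
        "SELECT auth_value FROM access WHERE service = ? AND client = ?",
        (service, client),
    ).fetchone()
    return row is not None and row[0] == AUTH_ALLOWED


def es_client_preconditions(conn: sqlite3.Connection, client: str) -> dict:
    """Both rows must be allowed before es_new_client() can be expected to succeed."""
    fda = _granted(conn, SERVICE_FDA, client)
    es = _granted(conn, SERVICE_ES, client)
    return {"fda": fda, "es_client": es, "ready": fda and es}


def stale_fda_clients(conn: sqlite3.Connection) -> list:
    """Clients whose FDA row is allowed but whose ES-client row is missing or not allowed."""
    rows = conn.execute(
        "SELECT a.client FROM access a "
        "LEFT JOIN access b ON b.client = a.client AND b.service = ? "
        "WHERE a.service = ? AND a.auth_value = ? "
        "AND (b.auth_value IS NULL OR b.auth_value != ?) "
        "ORDER BY a.client",
        (SERVICE_ES, SERVICE_FDA, AUTH_ALLOWED, AUTH_ALLOWED),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for name in ("com.sophos.endpoint.scanextension", "com.example.healthy"):
        print(name, es_client_preconditions(db, name))
    print("FDA granted but ES-client row not granted:", stale_fda_clients(db))
```

On a real machine the system TCC database lives under `/Library/Application Support/com.apple.TCC/TCC.db` and is itself protected by SIP and Full Disk Access, so a product would normally rely on the return value of `es_new_client()` as the authoritative signal and use a query like the one above only for diagnostics.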
Hello,
we have an application running as a root daemon-style process. This process is linking against and using a framework which contains a stripped-down version of Python. Functions within the framework might want to delete files via a Python script.
Under 10.15 it was enough to give the app running as root Full Disk Access rights, so the function within the framework was able to delete files.
Under macOS Big Sur this no longer seems to be the case. Both framework and app are properly signed and not sandboxed. Are there any additional steps to be taken?
Frank Fenn
Hello group,
since there is a function called es_clear_cache() I was wondering which information the Endpoint Security extension is caching. Are these results from AUTH responses or just internal housekeeping data?
Frank Fenn
Sophos Inc.