Hi, I was wondering if it was possible to intercept requests of any app running on my mac and modify the headers or even add new ones. Can this be achieved using NEAppProxyProvider or the new NETransparentProxyProvider. Also, what is the difference between those two classes?

Hi, I am currently dealing with a crash when converting UnsafePointer<CChar>!to String in Swift. The pointer comes from the type es_string_token_t which my app receives from the Endpoint Security framework. This is what my code looks like: extension es_string_token_t {   var description: String {     if self.data != nil && self.length > 0 {       return String(cString: self.data)     }     return ""   } } And it produces the following crash: Thread 4 Crashed:: Dispatch queue: com.apple.root.default-qos 0 libsystem_platform.dylib 0x18bd44864 _platform_strlen + 4 1 libswiftCore.dylib 0x198f3a3c0 String.init(cString:) + 32 2 com.company.app.App 0x10456aac0 0x104564000 + 27328 3 com.company.app.App 0x10456f768 0x104564000 + 46952 4 com.company.app.App 0x1045793d8 0x104564000 + 87000 5 com.company.app.App 0x10457e8f8 0x104564000 + 108792 6 com.company.app.App 0x10458758c 0x104564000 + 144780 7 libdispatch.dylib 0x18bb6a5f0 _dispatch_call_block_and_release + 32 8 libdispatch.dylib 0x18bb6c1b4 _dispatch_client_callout + 20 9 libdispatch.dylib 0x18bb7da04 _dispatch_root_queue_drain + 680 10 libdispatch.dylib 0x18bb7e104 _dispatch_worker_thread2 + 164 11 libsystem_pthread.dylib 0x18bd2c324 _pthread_wqthread + 228 12 libsystem_pthread.dylib 0x18bd2b080 start_wqthread + 8 My app is deployed on arround 13k macs and only some of them experience this crash which I havent been able to reproduce. Any help would be appreciated.

Hi, I want to get all domain names that my mac queries. I think that NEDNSProxyProvider might be useful but I don't want to handle the flows and redirect them I only want the domain names for logging purposes. Can this be done?

Hi, how could I get the command line arguments of a process given its audit token. My app is a Content Filter Network Extension written in swift. I can obtain the audit token from NEFilterFlow but I can't figure out how to get the process arguments, I was able to get the pid from the audit token using audit_token_to_pid.

Hi, in my ES application I am trying to ignore execution events of apple processes. I think the way to do this is to check for the is_platform_binary attribute of es_message_t but i found that when executing Xcode this attribute is false, is it because I downloaded it from the app store? Also would checking for the "com.apple" prefix of the signing id be a good way to identify apple signed processes?

Hi, we have an app that has been in development since Catalina and ever since Sonoma came out we noticed that when executing our pkg installer the application is installed correctly but the postinstall script is not executed. The weird thing is that if I run the pkg for the first time the postinstall does not execute BUT if I run it again then it DOES!! Looking through the logs I found these ones that confirm the execution of the script is being blocked. We haven't changed anything in the way we build the installer so I'm not quite sure how to fix this. 2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [com.apple.syspolicy.exec:default] Unable (errno: 2) to read file at &lt;private&gt; for pid: 784 process path: &lt;private&gt; library path: (null) 2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [com.apple.syspolicy.exec:default] Terminating process due to Malware rejection: 784, &lt;private&gt; 2024-04-25 16:29:51.570679-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Sleep interrupted, signal 0x100 2024-04-25 16:29:51.570682-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 784, /private/tmp/PKInstallSandbox.m5Av3O/Scripts/com.mycompany.myapp.pkg.BSOjtt/postinstall The app as well as the installer are both signed, notarized and stapled. Here you can see the script which just simply executes the app. #!/bin/bash echo "Running postinstall" /Applications/myapp.app/Contents/MacOS/myapp --load-system-extension &amp; exit 0 Any help would be much appreciated. Thanks!

Hi, i was wondering about the remoteHostname property of NEFilterSocketFlow that is available on macOS 11.0+. I have been doing some tests and I can never seem to get a value, it is always nil. I am looking at all flows from all apps. In what cases will this property show up?

Hi, I want some advice on how to handle the OSSystemExtensionRequest.Result.willCompleteAfterReboot on my app. I have noticed that on some users macs when they update and the new System Extension is loaded the old one is deactivated and the new one is activated but does not start. I will only start after a reboot. Is there a way to avoid this so I don't have to force dozens of users in my organization to reboot after every update to my system extension? When i execute the command to list the extensions this is what I see. The new one is activated but it does not boot. --- com.apple.system_extension.network_extension enabled active teamID bundleID (version) name [state] 1231231231 com.organization.app.MyApp (2.0/1) MyApp [terminated waiting to uninstall on reboot] * * 1231231231 com.organization.app.MyApp (2.1/1) MyApp [activated enabled]

Hi, I a developing Network Extension for macos that runs constantly on my system. When I have a new update to release the extension downloads the pkg installer into the /tmp directory and executes it with sudo installer -pkg /tmp/installer.pkg -target / I have noticed that on some systems, mainly Catalina, when the installer is executed the extension is replaced and activated but the process never launches and after this happens I can't find a way to launch it aside from having the users reboot. --- com.apple.system_extension.network_extension enabled active teamID bundleID (version) name [state] 9A63A32J6B com.company.myapp.Agent (2.0/1) Agent [terminated waiting to uninstall on reboot] * * 9A63A32J6B com.company.myapp.Agent (2.1/1) Agent [activated enabled] As you can see it does say enabled and activated so I do not know what could be happening.

Hi how could I tell in my OSSystemExtensionRequestDelegate if the request I receive is either an activation request or a deactivation one.    func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) {     guard result == .completed else {       return     } // Take different actions depending on activation/deactivation   }

I have developed a Content Filter NE and I am seeing some flows that I don't understand so I wanted to see check if I am interpreting them correctly. # Example Flow bundle id: com.apple.opendirectoryd localEndpoint.hostname: My mac's IP localEndpoint.port: 55408 remoteEndpoint.hostname: Domain controller IP remoteEndpoint.port: 389 direction: inbound Looking at that flow what I understand is that the Domain Controller is generating traffic to my mac. Is this correct? I ask this because I thought DCs couldn't directly initiate a connection to a mac. I get this flow when trying to join my mac to the AD.

Hi, could someone help me convert the cdhash property from es_process_t to a String in Swift. Thanks. var cdhash: (UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8, UInt8)

Hi, I was wondering if there is a way to monitor if a certificate is exported from the keychain. Either by using some of the apis Endpoint Security provides or using another method. Thanks.

Hello, I wanted to hear some opinions on this problem I want to tackle. Currently at my job we have an Endpoint Security sysext app (swift) deployed on 10k+ macs and we are using a custom rule engine we developed to run some rules on the events received by the app. These rules are downloaded by the app. This works great but we wanted to dive into the world of ML and try to use it to detect more complex malware that may be more difficult to detect using rules. We thought of two options to approach this: Periodically collect events from all macs and send them to an api to be stored somewhere and perform the training in the cloud. Somehow, maybe using the ML frameworks provided in Swift, train the model IN the device rather than in the cloud. I know this is a very broad question but I just wanted to hear some suggestions. Thanks in advance.

Hi I am trying to implement XPC between my helper app and my network extension. It is giving me this error when I try to get the remoteObjectProxyWithErrorHandler Error Domain=NSCocoaErrorDomain Code=4097 "connection to service on pid 0 named 9A48B11J6J.com.myapp.app.Extension" UserInfo={NSDebugDescription=connection to service on pid 0 named 9A48B11J6J.com.myapp.app.Extension} Why could this be happening?