Hi, I was wondering if there is a way to monitor if a certificate is exported from the keychain. Either by using some of the apis Endpoint Security provides or using another method. Thanks.

Hi, we have an app that has been in development since Catalina and ever since Sonoma came out we noticed that when executing our pkg installer the application is installed correctly but the postinstall script is not executed. The weird thing is that if I run the pkg for the first time the postinstall does not execute BUT if I run it again then it DOES!! Looking through the logs I found these ones that confirm the execution of the script is being blocked. We haven't changed anything in the way we build the installer so I'm not quite sure how to fix this. 2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [com.apple.syspolicy.exec:default] Unable (errno: 2) to read file at <private> for pid: 784 process path: <private> library path: (null) 2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [com.apple.syspolicy.exec:default] Terminating process due to Malware rejection: 784, <private> 2024-04-25 16:29:51.570679-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Sleep interrupted, signal 0x100 2024-04-25 16:29:51.570682-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 784, /private/tmp/PKInstallSandbox.m5Av3O/Scripts/com.mycompany.myapp.pkg.BSOjtt/postinstall The app as well as the installer are both signed, notarized and stapled. Here you can see the script which just simply executes the app. #!/bin/bash echo "Running postinstall" /Applications/myapp.app/Contents/MacOS/myapp --load-system-extension & exit 0 Any help would be much appreciated. Thanks!

Hi, in my ES application I am trying to ignore execution events of apple processes. I think the way to do this is to check for the is_platform_binary attribute of es_message_t but i found that when executing Xcode this attribute is false, is it because I downloaded it from the app store? Also would checking for the "com.apple" prefix of the signing id be a good way to identify apple signed processes?

Hi, I have an endpoint security app and I was wondering what is the best way to check if a process was signed by a specific Developer ID certificate. Lets say im subscribed to auth_exec events and wanted to deny execution of processes signed with Developer ID Application: Adobe Inc. Would obtaining the common names of the certificate with SecCertificateCopyCommonName and then comparing strings be the right way or am I missing something?

Hi, I am currently dealing with a crash when converting UnsafePointer<CChar>!to String in Swift. The pointer comes from the type es_string_token_t which my app receives from the Endpoint Security framework. This is what my code looks like: extension es_string_token_t {   var description: String {     if self.data != nil && self.length > 0 {       return String(cString: self.data)     }     return ""   } } And it produces the following crash: Thread 4 Crashed:: Dispatch queue: com.apple.root.default-qos 0 libsystem_platform.dylib 0x18bd44864 _platform_strlen + 4 1 libswiftCore.dylib 0x198f3a3c0 String.init(cString:) + 32 2 com.company.app.App 0x10456aac0 0x104564000 + 27328 3 com.company.app.App 0x10456f768 0x104564000 + 46952 4 com.company.app.App 0x1045793d8 0x104564000 + 87000 5 com.company.app.App 0x10457e8f8 0x104564000 + 108792 6 com.company.app.App 0x10458758c 0x104564000 + 144780 7 libdispatch.dylib 0x18bb6a5f0 _dispatch_call_block_and_release + 32 8 libdispatch.dylib 0x18bb6c1b4 _dispatch_client_callout + 20 9 libdispatch.dylib 0x18bb7da04 _dispatch_root_queue_drain + 680 10 libdispatch.dylib 0x18bb7e104 _dispatch_worker_thread2 + 164 11 libsystem_pthread.dylib 0x18bd2c324 _pthread_wqthread + 228 12 libsystem_pthread.dylib 0x18bd2b080 start_wqthread + 8 My app is deployed on arround 13k macs and only some of them experience this crash which I havent been able to reproduce. Any help would be appreciated.

Hi, how could I get the command line arguments of a process given its audit token. My app is a Content Filter Network Extension written in swift. I can obtain the audit token from NEFilterFlow but I can't figure out how to get the process arguments, I was able to get the pid from the audit token using audit_token_to_pid.