Endpoint Security: How to reliably report file deletion

I have an ES client that tracks file activity on the system. What I'm finding is that es_event_unlink_t events are sent when some process attempts to delete a file, but such attempts can fail, of course, due to permissions or any number of other reasons.

Can you suggest ways for my client program to determine reliably whether a file was actually deleted? I suppose I could schedule a stat() or something, and assume the file was deleted if it doesn't exist (and wasn't re-created in the meantime), but it seems a bit fiddly. Am I missing anything?

This is broadly the nature of all ES events. Syscalls can fail after they are authorised, and they can even be retried (resulting in multiple ES events for a single syscall).

While it is true that an ES event being DENIED means it definitely will not happen it's not the case that ALLOWing an operation means it definitely will happen.

ES is just not intended to solve this problem.

I think you can rely on the corresponding Endpoint Security notification event that arrives right after the auth event. In particular, for an unlink operation, you should look at the corresponding es_message_t where action_type is ES_ACTION_TYPE_NOTIFY and action.notify.result_type is ES_RESULT_TYPE_AUTH. In that message, action.auth.result will tell you whether the operation was allowed, and you should check that it is ES_AUTH_RESULT_ALLOW.
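As an added example (not code from either reply), here is a notify-only client that puts both answers together: it reads the AUTH-phase outcome carried in the NOTIFY_UNLINK message, and because ALLOW only means the kernel was permitted to try, it then confirms on disk by comparing the device/inode captured in the event against whatever is at the path now, which also covers the re-creation case raised in the question. It is a plain C file using Apple blocks, built with clang on macOS as Objective-C, and assumes the binary carries the Endpoint Security client entitlement; `classify_unlink` and its return codes are names chosen here.

```objective-c
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/libbsm.h>
#include <dispatch/dispatch.h>
#include <sys/stat.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Returns 0 if the original file is still at its path, 1 if the path is
 * gone, 2 if the path exists but is a different inode (original removed,
 * something else created in its place), -1 if denied or not evaluable. */
static int classify_unlink(const es_message_t *msg)
{
    if (msg->event_type != ES_EVENT_TYPE_NOTIFY_UNLINK ||
        msg->action_type != ES_ACTION_TYPE_NOTIFY)
        return -1;
    /* The NOTIFY result reports the AUTH decision, not the syscall result. */
    if (msg->action.notify.result_type != ES_RESULT_TYPE_AUTH ||
        msg->action.notify.result.auth != ES_AUTH_RESULT_ALLOW)
        return -1;                      /* DENY: definitely not deleted */

    const es_file_t *target = msg->event.unlink.target;
    char path[PATH_MAX + 1];
    if (target->path_truncated || target->path.length > PATH_MAX)
        return -1;
    memcpy(path, target->path.data, target->path.length);
    path[target->path.length] = '\0';

    /* ALLOW is not proof of deletion: compare the inode seen at event time
     * with what the path resolves to now (lstat, since unlink acts on the link). */
    struct stat now;
    if (lstat(path, &now) != 0)
        return errno == ENOENT ? 1 : -1;
    if (now.st_dev != target->stat.st_dev || now.st_ino != target->stat.st_ino)
        return 2;
    return 0;
}

int main(void)
{
    es_client_t *client = NULL;
    es_new_client_result_t r = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) {
            static const char *verdict[] = { "still present", "gone", "replaced" };
            int k = classify_unlink(msg);
            if (k >= 0)
                printf("unlink by pid %d: %s\n",
                       audit_token_to_pid(msg->process->audit_token), verdict[k]);
        });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) { fprintf(stderr, "es_new_client: %d\n", r); return 1; }
    es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_UNLINK };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) return 1;
    dispatch_main();
}
```

The lstat runs inside the message handler to keep the example short; in a production client move that check to another queue so the handler returns quickly.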
