EndpointSecurity and events dropping

App & System Services Drivers
Oskarde OP
Created Jan ’24
Replies 0
Boosts 0
Views 559
Participants 1

Hi! There are two fields in ES message: global_seq_num and seq_num, which are described as a continuous number sequence unless the kernel is "dropping events" because "kernel generated more events than the client could handle." https://developer.apple.com/documentation/endpointsecurity/es_message_t/3684979-global_seq_num

https://developer.apple.com/documentation/endpointsecurity/es_message_t/3538607-seq_num

However, as we all know, system will kill ES client, if the message is not answered in (deadline) time.

I've a lot questions about this thing:

  1. What the "drop" actually is? The event is not provided to es client from the kernel?
  2. What does the "client could handle" means exactly? (I mean, es client will be already killed, if it can't respond to event in deadline)
  3. Are the dropped events responded by the system immediately, or they do wait something?
  4. Are only auth events could be dropped, or notify too?
  5. What is the system resolution for dropped auth events? (allow I guess)
  6. What I'm expected to do as a developer with these two fields - should I just log them and hope to find something out later, or can I react somehow during runtime if I met the break in *seq_num sequence?
Replies  0
Boosts  0
Views  559
Participants  1
EndpointSecurity and events dropping
First post date Last post date
 
 
Q