Which system events cause an increase in the pidversion of a running process?

The pidversion of a process with the same pid can increase during its lifetime. Which events, other than exec calls, can cause this increase in the pidversion? In other words, to what Endpoint Security events, other than fork, exec and exit, do I have to subscribe to get a process's complete and traceable pidversion history?

Answered by wriker in 796809022

The pidversion of a process with the same pid can increase during its lifetime.

The doc comments for es_process_t in <EndpointSecurity/ESMessage.h> seem pretty clear about the circumstances where the pid version changes.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

Thanks for your help, Quinn. I figured out what the problem was. As documented, exec events increase the pidversion. But what's not documented is that even attempted execs increase the pidversion. So if another ES client is denying an exec, this still increases the pidversion for that process. Accounting for this edge case, I was able to fix the traceability chain.

Oh, that’s an interesting edge case. Thanks for sharing!

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
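The following is an added example, not code posted in this thread or shipped by Apple. It models the (pid, pidversion) lineage tracking the question is about, and handles the edge case wriker found: a pidversion that moves without any exec message the client saw. It assumes the client reads pid and pidversion from es_process_t.audit_token with audit_token_to_pid() and audit_token_to_pidversion() from libbsm; the events below are plain structs standing in for ES messages, and the trace is constructed, not captured from a real system. The thread does not say whether a denied exec produces any message at the other clients, so the tracker treats every version it has not seen for a pid as a change to reconcile and count, rather than as a broken chain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the thread. pid/pidversion stand in for what a real
 * ES client reads from es_process_t.audit_token via audit_token_to_pid() and
 * audit_token_to_pidversion(); events are plain structs so this runs anywhere. */
typedef enum { EV_FORK, EV_EXEC, EV_EXIT, EV_OTHER } ev_kind_t;

typedef struct {
    ev_kind_t kind;
    int32_t pid, pidversion;              /* acting process, as the message reports it */
    int32_t child_pid, child_pidversion;  /* EV_FORK only */
} ev_t;

typedef enum {
    TRK_OK,          /* identity matches what is already tracked */
    TRK_NEW,         /* first sighting of this pid */
    TRK_VERSION_GAP, /* pidversion changed, but no exec message explains it */
    TRK_FULL         /* table exhausted */
} trk_result_t;

#define MAX_TRACKED 64
typedef struct {
    bool live;
    int32_t pid, pidversion;               /* latest identity confirmed for this pid */
    int32_t parent_pid, parent_pidversion; /* -1 when the fork was not observed */
    unsigned observed_execs;               /* exec messages seen for this pid */
    unsigned unobserved_bumps;             /* version changes seen only via other messages */
} proc_t;

typedef struct { proc_t procs[MAX_TRACKED]; } tracker_t;

static proc_t *find_live(tracker_t *t, int32_t pid) {
    for (size_t i = 0; i < MAX_TRACKED; i++)
        if (t->procs[i].live && t->procs[i].pid == pid) return &t->procs[i];
    return NULL;
}

static proc_t *add_proc(tracker_t *t, int32_t pid, int32_t ver, int32_t ppid, int32_t pver) {
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        if (t->procs[i].live) continue;
        t->procs[i] = (proc_t){ .live = true, .pid = pid, .pidversion = ver,
                                .parent_pid = ppid, .parent_pidversion = pver };
        return &t->procs[i];
    }
    return NULL;
}

/* Reconcile the (pid, pidversion) carried by one message with the tracked state. */
static trk_result_t note_identity(tracker_t *t, int32_t pid, int32_t ver, bool via_exec) {
    proc_t *p = find_live(t, pid);
    if (!p) return add_proc(t, pid, ver, -1, -1) ? TRK_NEW : TRK_FULL;
    if (via_exec) p->observed_execs++;
    if (p->pidversion == ver) return TRK_OK;
    /* The pidversion moved. On an exec message that is the documented case. On any
     * other message something bumped it that we never saw as an exec; per the thread,
     * an exec denied by another ES client does exactly that. Adopt the new version
     * and keep the lineage instead of declaring the chain broken. */
    p->pidversion = ver;
    if (via_exec) return TRK_OK;
    p->unobserved_bumps++;
    return TRK_VERSION_GAP;
}

trk_result_t tracker_handle(tracker_t *t, const ev_t *ev) {
    switch (ev->kind) {
    case EV_FORK: {
        trk_result_t r = note_identity(t, ev->pid, ev->pidversion, false);
        if (r == TRK_FULL) return r;
        proc_t *stale = find_live(t, ev->child_pid);   /* pid reuse after a missed exit */
        if (stale) stale->live = false;
        if (!add_proc(t, ev->child_pid, ev->child_pidversion, ev->pid, ev->pidversion)) return TRK_FULL;
        return r == TRK_VERSION_GAP ? r : TRK_NEW;
    }
    case EV_EXEC:
        return note_identity(t, ev->pid, ev->pidversion, true);
    case EV_EXIT: {
        trk_result_t r = note_identity(t, ev->pid, ev->pidversion, false);
        proc_t *p = find_live(t, ev->pid);
        if (p) p->live = false;
        return r;
    }
    default:
        return note_identity(t, ev->pid, ev->pidversion, false);
    }
}

typedef struct {
    int32_t final_version; unsigned observed_execs, unobserved_bumps;
    int gap_events; bool exited, reuse_seen_as_new;
} summary_t;

/* Constructed trace: 100 forks 200, 200 execs (observed), then another ES client
 * denies a second exec, which never reaches us as an exec message but moves the
 * pidversion (the edge case from the thread). pidversion values are made up. */
summary_t run_constructed_trace(void) {
    static const ev_t trace[] = {
        { EV_FORK,  100, 5000, 200, 5001 },
        { EV_EXEC,  200, 5002, 0, 0 },   /* observed exec: 5001 -> 5002 */
        { EV_OTHER, 200, 5002, 0, 0 },   /* e.g. an open: consistent */
        { EV_OTHER, 200, 5003, 0, 0 },   /* version moved with no exec seen */
    };
    tracker_t t = {0};
    summary_t s = {0};
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        if (tracker_handle(&t, &trace[i]) == TRK_VERSION_GAP) s.gap_events++;
    proc_t *p = find_live(&t, 200);
    if (p) { s.final_version = p->pidversion; s.observed_execs = p->observed_execs;
             s.unobserved_bumps = p->unobserved_bumps; }
    tracker_handle(&t, &(ev_t){ EV_EXIT, 200, 5003, 0, 0 });
    s.exited = find_live(&t, 200) == NULL;
    /* pid 200 reused later by an unrelated process: a fresh entry, not a gap */
    s.reuse_seen_as_new = tracker_handle(&t, &(ev_t){ EV_OTHER, 200, 7000, 0, 0 }) == TRK_NEW;
    return s;
}

int main(void) {
    summary_t s = run_constructed_trace();
    printf("pid 200: final pidversion %d, execs seen %u, unobserved bumps %u, gap events %d, exited %d, reuse new %d\n",
           s.final_version, s.observed_execs, s.unobserved_bumps, s.gap_events, s.exited, s.reuse_seen_as_new);
    return 0;
}
```

The point of TRK_VERSION_GAP is that it is a counter, not an error: the entry keeps its parent link and simply records that one version change had no exec message behind it. A client that instead dropped or re-created the entry whenever the version did not match its last exec would lose the lineage exactly in the denied-exec case wriker describes. Pid reuse is kept separate from that case by only reconciling versions against a live entry, so a new process on a recycled pid starts a fresh entry rather than being counted as a bump of the old one.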
