macOS endpoint extension – intercept copy file operation and change target


I wonder whether the macOS Endpoint Security extension has the capability to catch a file during a copy operation (I guess it is composed of multiple basic ops such as file read and file write).

The copy operation should ideally wait for a verdict, but this would result in a significant degradation of the user experience.

Alternatively, I'd like to somehow thwart the action and store the file in a quarantined temporary location, waiting to be scanned.

So far, I've used the authorization capabilities of the security extension (to block/allow the operation). I wonder if there's also an option to change the target location of a file being copied?

So far, I was able to detect a high-level operation such as filecopy from the Endpoint Security extension and block/allow it, but I'd like to somehow trick the process into thinking that the operation was successful where I actually blocked it, and instead write an empty file, to be filled when the scanning is completed.

if (message->event_type == ES_EVENT_TYPE_AUTH_COPYFILE) {
    // Take a pointer instead of copying the event struct; target_dir is an
    // es_file_t pointer, so its path is reached with ->.
    const es_event_copyfile_t *copyfile = &message->event.copyfile;

    // ES string tokens are length-counted and not guaranteed to be
    // NUL-terminated, so bound the copy by both the token length and the
    // destination buffer rather than passing length + 1 straight to strlcpy.
    char targetPath[PATH_MAX] = {0};
    size_t len = copyfile->target_dir->path.length;
    if (len >= sizeof(targetPath)) len = sizeof(targetPath) - 1;
    memcpy(targetPath, copyfile->target_dir->path.data, len);
    targetPath[len] = '\0';

    // Note: target_dir is only the destination directory; the destination
    // file name is delivered separately in copyfile->target_name.
    if (strstr(targetPath, "/usb_dirver_path/") != NULL) {
        return false; // but I want to fake it and initiate creation of an empty file with the same name as the targetPath.
    }
}

Thanks.
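As an added example (not the poster's code, and not part of any Apple sample), the following shows the two pieces the snippet above is missing: building the full destination path from the separate `target_dir` path and `target_name` tokens that `es_event_copyfile_t` delivers, and matching the result against a quarantine root as a path prefix rather than with `strstr`, which also matches the root anywhere inside a longer path. The helper names (`build_target_path`, `path_under`, `copyfile_verdict`) and the sample paths are assumptions made for this example. It takes plain `(data, length)` pairs so that it compiles without the EndpointSecurity framework; in a real extension you would pass `copyfile->target_dir->path` and `copyfile->target_name` and forward the verdict with `es_respond_auth_result(client, message, ES_AUTH_RESULT_DENY, false)` (or `ES_AUTH_RESULT_ALLOW`).

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Join "<dir>/<name>" into out from two length-counted tokens, the form in
 * which ES delivers strings (they are not guaranteed NUL-terminated).
 * Returns false when the result would not fit in out_size bytes. */
bool build_target_path(const char *dir, size_t dir_len,
                       const char *name, size_t name_len,
                       char *out, size_t out_size)
{
    if (dir == NULL || name == NULL || dir_len == 0 || name_len == 0)
        return false;
    if (dir_len > 1 && dir[dir_len - 1] == '/')   /* avoid emitting "//" */
        dir_len--;
    size_t need = dir_len + 1 + name_len + 1;     /* '/' plus NUL */
    if (need > out_size)
        return false;
    memcpy(out, dir, dir_len);
    out[dir_len] = '/';
    memcpy(out + dir_len + 1, name, name_len);
    out[dir_len + 1 + name_len] = '\0';
    return true;
}

/* True when path is root itself or lies below it, compared on a path
 * component boundary. "/Volumes/USBX/..." is NOT under "/Volumes/USB". */
bool path_under(const char *path, const char *root)
{
    size_t rlen = strlen(root);
    if (rlen > 1 && root[rlen - 1] == '/')
        rlen--;
    if (rlen == 1 && root[0] == '/')              /* root "/" covers all */
        return path[0] == '/';
    if (strncmp(path, root, rlen) != 0)
        return false;
    return path[rlen] == '/' || path[rlen] == '\0';
}

enum verdict { VERDICT_ALLOW = 0, VERDICT_DENY = 1 };

/* Decide an AUTH_COPYFILE event from its target_dir/target_name tokens.
 * Fails closed: a path that cannot be composed safely is denied. */
enum verdict copyfile_verdict(const char *dir, size_t dir_len,
                              const char *name, size_t name_len,
                              const char *const *quarantine_roots, size_t nroots)
{
    char target[PATH_MAX];
    if (!build_target_path(dir, dir_len, name, name_len, target, sizeof target))
        return VERDICT_DENY;
    for (size_t i = 0; i < nroots; i++)
        if (path_under(target, quarantine_roots[i]))
            return VERDICT_DENY;
    return VERDICT_ALLOW;
}

int main(void)
{
    /* Constructed sample input standing in for the ES tokens. */
    const char *roots[] = { "/Volumes/USB" };
    const char *dir = "/Volumes/USB";
    const char *name = "installer.dmg";
    enum verdict v = copyfile_verdict(dir, strlen(dir), name, strlen(name),
                                      roots, 1);
    printf("copy to %s/%s -> %s\n", dir, name,
           v == VERDICT_DENY ? "deny" : "allow");
    return 0;
}
```

The prefix check is the part worth keeping even if the rest is rewritten: matching on `target_dir` alone, as in the question, cannot distinguish two files in the same directory, and `strstr` would also fire on a path such as `/Users/me/Volumes/USB/x` that merely contains the quarantine root.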