I wonder if a macOS security extension has the capability to catch a file during a copy operation (I guess it's composed of multiple basic operations such as file read and file write).
The copy operation should ideally wait for a verdict, but this will result in a significant degradation of the user experience.
Alternatively, I'd like to somehow thwart the action and store the file in a quarantined temporary location, waiting to be scanned.
So far, I've used the authorization capabilities of the security extension (to block/allow the operation). I wonder if there's also an option to change the target location of a file being copied?
So far, I was able to detect a high-level operation such as filecopy from the Endpoint Security extension and block/allow it, but I'd like to somehow trick the process into thinking that the operation was successful where I actually blocked it, and instead wrote an empty file, to be filled when the scanning has completed.
if (message->event_type == ES_EVENT_TYPE_AUTH_COPYFILE) {
    // target_dir is an es_file_t pointer inside es_event_copyfile_t; the
    // destination file name arrives separately as target_name.
    const es_event_copyfile_t *copyfile = &message->event.copyfile;
    char targetPath[PATH_MAX] = {0};
    // Bound the copy by the buffer size, not by the token length, so an
    // oversized path cannot overrun targetPath.
    strlcpy(targetPath, copyfile->target_dir->path.data, sizeof(targetPath));
    if (strstr(targetPath, "/usb_driver_path/") != NULL) {
        return false; // but I want to fake it and initiate creation of an empty file with the same name as the targetPath.
    }
}
Thanks.
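Two details worth getting right before thinking about redirecting the copy. First, the AUTH_COPYFILE verdict delivered with es_respond_auth_result is binary (ES_AUTH_RESULT_ALLOW or ES_AUTH_RESULT_DENY) and must be sent before message->deadline; the response carries no alternative destination. Second, the destination of a copyfile event is target_dir joined with target_name, so matching only target_dir with strstr ignores the file name and also fires when the watched directory name appears anywhere in a longer path (for example a folder called usb_driver_path on the desktop). The following is an added example, not code from the post above: it builds the full destination path from the two tokens with bounded copies, checks that it lies under a watched root at a path-component boundary, and fails closed when the path cannot be formed. The str_token and verdict types are hypothetical stand-ins for es_string_token_t and es_auth_result_t so that the logic compiles and runs without the EndpointSecurity framework; in the real handler the result feeds es_respond_auth_result.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for es_string_token_t (assumption: mirrors its length + data shape). */
typedef struct {
    size_t length;
    const char *data;
} str_token;

/* Stand-in for es_auth_result_t. */
typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1 } verdict;

#define TARGET_PATH_MAX 1024

/* Join target_dir and target_name into out. Returns false when the result
 * would not fit, so the caller can fail closed instead of truncating. */
static bool copy_target_path(str_token dir, str_token name, char *out, size_t outsz) {
    if (dir.length == 0 || name.length == 0) return false;
    bool needs_slash = dir.data[dir.length - 1] != '/';
    size_t total = dir.length + (needs_slash ? 1 : 0) + name.length;
    if (total + 1 > outsz) return false;          /* room for the NUL terminator */
    memcpy(out, dir.data, dir.length);
    size_t pos = dir.length;
    if (needs_slash) out[pos++] = '/';
    memcpy(out + pos, name.data, name.length);
    out[total] = '\0';
    return true;
}

/* True if path equals root or lies inside it at a component boundary:
 * "/Volumes/USB" covers "/Volumes/USB/x" but not "/Volumes/USB2/x". */
static bool path_under(const char *path, const char *root) {
    size_t rl = strlen(root);
    while (rl > 1 && root[rl - 1] == '/') rl--;   /* ignore trailing slashes on root */
    if (rl == 1 && root[0] == '/') return path[0] == '/';
    if (strncmp(path, root, rl) != 0) return false;
    return path[rl] == '\0' || path[rl] == '/';
}

/* Verdict for one copyfile event: deny copies landing under quarantined_root. */
static verdict decide_copy(str_token target_dir, str_token target_name,
                           const char *quarantined_root) {
    char target[TARGET_PATH_MAX];
    if (!copy_target_path(target_dir, target_name, target, sizeof target)) {
        return VERDICT_DENY;                      /* malformed or oversized: fail closed */
    }
    return path_under(target, quarantined_root) ? VERDICT_DENY : VERDICT_ALLOW;
}

/* Build a token from a string literal (length excludes the NUL). */
#define TOK(s) ((str_token){ sizeof(s) - 1, (s) })

int main(void) {
    /* Constructed sample events, not captured from a real ES client. */
    const char *root = "/Volumes/USB";
    printf("%d\n", decide_copy(TOK("/Volumes/USB"), TOK("payload.dmg"), root));
    printf("%d\n", decide_copy(TOK("/Volumes/USB2/docs"), TOK("report.pdf"), root));
    printf("%d\n", decide_copy(TOK("/Users/me/Desktop"), TOK("USB"), root));
    return 0;
}
```

The deny verdict stops the copy but does not leave a placeholder behind; creating the empty file and filling it after the scan would have to be done by the extension's own process, outside the authorization response.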