A common component of (many) security tools is a process and file monitor. As the name implies, these watch for various processes (start, terminate, etc.) and file (create, open, delete) events. Such monitors often extract meta information such as the process/file path, process arguments and process code-signing information.
Armed with a process and file monitor, security tools may be able detect anomalous or malicious activity such as:
- A malicious document that installs malware when opened
- A malicious website that infects a user system when visited
- A trojanized application that installs adware when a user is tricked into opening
- A persistent backdoor that steals keychain secrets on an infected system
On previous versions of macOS, it was rather difficult to comprehensively (and accurately) create a process or file monitor. The easiest way to perform these actions was from within the kernel.
With Apple rapidly moving to deprecate third-party kernel extensions (including those created by external security vendors), another solution is needed.
Good news! With macOS 10.15 (Catalina), Apple has introduced a new user-mode framework named Endpoint Security. With the introduction of this new capability, Apple is both recognizing the need for additional security mechanisms (i.e., defense in depth) as well as embracing third-party security vendors to fulfill this role.
Though Apple's Endpoint Security subsystem and framework are brand new (and still in beta), by realizing its potential and its alignment to Jamf's commitment to day-zero kextless macOS security tools we've already jumped on board. Specifically, we are already internally developing comprehensive process and file monitors built exclusively on top of Apple's new Endpoint Security Framework. Such monitors are being seamlessly integrated into our upcoming macOS security tool, scheduled to be released shortly. Stay tuned for details.
In the meantime, I have published a multi-part deep dive into the technical details of Endpoint Security Framework, including how to create a process and file monitor.
These are found on my personal macOS security website, Objective-See:
Writing a Process Monitor with Apple's Endpoint Security Framework
Writing a File Monitor with Apple's Endpoint Security Framework
To stay current on Jamf’s future enterprise endpoint protection plans, go here.