A common component of (many) security tools is a process and file monitor. As the name implies, these watch for various processes (start, terminate, etc.) and file (create, open, delete) events. Such monitors often extract “meta information” such as the process/file path, process arguments and process code-signing information.
Armed with a process and file monitor, security tools may be able detect anomalous or malicious activity such as:
- A malicious document that installs malware when opened
- A malicious website that infects a user system when visited
- A trojanized application that installs adware when a user is tricked into opening
- A persistent backdoor that steals keychain secrets on an infected system
On previous versions of macOS, it was rather difficult to comprehensively (and accurately) create a process or file monitor. The easiest way to perform these actions was from within the kernel.
With Apple rapidly moving to deprecate third-party kernel extensions (including those created by external security vendors), another solution is needed!
Good news! With macOS 10.15 (Catalina), Apple has introduced a new user-mode framework named “Endpoint Security”. With the introduction of this new capability, Apple is both recognizing the need for additional security mechanisms (i.e., defense in depth) as well as embracing third-party security vendors to fulfill this role! Learn More
Sniper systems is jamf reseller in Pune