An application is generating incidents after being whitelisted in Global Application Monitoring on macOS Endpoints

search cancel

An application is generating incidents after being whitelisted in Global Application Monitoring on macOS Endpoints

book

Article ID: 261690

calendar_today

Updated On:

Products

Data Loss Prevention Data Loss Prevention Endpoint Prevent

Issue/Introduction

In this example, the configuration of xattr is correct and no conflicts exist within existing Agent Configurations.

Cause

While the process to whitelist an application, more often than not, allows for use of that application without issue, in some cases, the whitelisted application may be a child process.

Resolution

For macOS Endpoint Configurations, set the value of MONITOR_ APPLICATION_CHILD_ PROCESS_FILE_ACCESS to 0 within the Agent Configuration assigned to the macOS Endpoints.

Additional Information

Advanced agent settings > FileSystem.MONITOR_ APPLICATION_CHILD_ PROCESS_FILE_ACCESS

Default Setting:

FileSystem.MONITOR_ APPLICATION_CHILD_ PROCESS_FILE_ACCESS.INT

This setting allows the user to enable or disable the Application File Access feature that monitors child processes. Enter

to enable or enter

to disable.

Feedback

thumb_up Yes

thumb_down No