An application is generating incidents after being whitelisted in Global Application Monitoring on macOS Endpoints

Article ID: 261690

Products

Data Loss Prevention Cloud Service for Email

Issue/Introduction

In this example, the configuration of xattr is correct and no conflicts exist within existing Agent Configurations.

Example of whitelisting xattr:

Environment

Release: 15.8

Cause

In most cases, whitelisting an application allows that application to be used without issue. In some cases, however, the whitelisted application may be a child process.

Resolution

For macOS Endpoint Configurations, set the value of MONITOR_APPLICATION_CHILD_PROCESS_FILE_ACCESS to 0 within the Agent Configuration assigned to the macOS Endpoints.

Additional Information

Advanced agent settings > FileSystem.MONITOR_APPLICATION_CHILD_PROCESS_FILE_ACCESS

Default Setting in 15.8:

FileSystem.MONITOR_APPLICATION_CHILD_PROCESS_FILE_ACCESS.INT: 1

This setting allows the user to enable or disable the Application File Access feature that monitors child processes. Enter 1 to enable or enter 0 to disable.