Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at


esmat: New Free macOS Endpoint Security Message Analysis Tool

  • by Helge Klein
  • February 2, 2022

We’re happy to announce the public release of esmat, a new free & open-source tool. esmat is a command-line app for macOS that allows you to explore the behavior of Apple’s Endpoint Security framework.

What Is the Apple Endpoint Security Framework?

Apple introduced the Endpoint Security framework (ESF) with macOS 10.15 (Catalina). Endpoint Security is an API for monitoring system events that may indicate malicious activity, such as process execution. The framework’s event types cover file system and process activity, memory mapping, interprocess communication, and changes to users/groups, to name a few.

Authorization vs. Notification

Endpoint Security can operate in two modes: authorization and notification. Authorization events are synchronous and can be used to block operations (e.g., the execution of a process). Notification events are asynchronous and can only be used to observe, not to block. The es_event_type_t enumeration lists all available authorization and notification event types.

What Does Esmat Do?

Esmat subscribes to Endpoint Security event types specified by the user. Once started, it works like a stopwatch: every time you press Ctrl+T, it prints statistics about monitored executables and event types. The above screenshot shows an excerpt from the statistics printout.

Use Cases

Esmat has two primary use cases:

  1. Investigate process behavior and child process creation.
  2. Analyze the capabilities of the Endpoint Security framework (ESF).

Download and Documentation

Head over to esmat’s GitHub repository for the documentation, and download esmat from the releases page.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.


Your email address will not be published. Required fields are marked *