Why "ini" files and "DS_Store" files are excluded from FPolicy monitoring
Applies to
- macOS Desktop
- Global File Cache
- FPolicy
Answer
The engineering team has confirmed that the .ini and .DS_Store file types are excluded by design, and that they have been excluded since the beginning of Workload Security.
- The files excluded in the FPolicy scope differ from what you see as "allowed" in Workload Security because the two behaviors are fundamentally different.
- With FPolicy scope exclusions, ONTAP does not generate any kind of event for those file types and therefore does not send anything to Workload Security.
- With the allowed file types in Workload Security, ONTAP still generates events for any file type in that list, but Workload Security ignores them and therefore does not create an alert for them.
- At this time there is no way to include the .ini and .DS_Store file types in Workload Security. Simply removing them from the exclusion list in the fpolicy-scope will not alter the behavior in Workload Security, as the system is designed to not receive those types of files.
If you wish to be able to see those file types in workload security, we can create a Feature Request and potentially our Engineering team can make it possible to monitor those file types in a future release.
Additional Information
- https://support.apple.com/en-us/102064 Your Mac determines how each window and its contents should appear by collecting file information such as labels, tags, and other forms of metadata.
- In macOS Sierra 10.12 and earlier, your Mac gathers all metadata for the files in a folder, compares it to the folder's .DS_Store file, and then displays the folder's contents.
- In macOS High Sierra 10.13 and later, this behavior is changed slightly: If a folder is sorted alphanumerically, the contents are displayed immediately, then the Finder collects and compares the rest of the folder's metadata.