Tags: objective-c, macos, file-access, dtrace, kernel-extension

Objective C API for Checking File Download from Browser on OSX


I noticed with Sophos Anti-Virus for Mac OSX that when I download a file, it immediately scans it. This works without a browser plugin in any of the browsers I have installed and tested. Therefore, on OSX, what Objective C API does one use in an application to detect that a file was downloaded from the browser? I noticed that people recommend the DTrace command (and derivative scripts), but the El Capitan release of OSX broke that command.


Solution

  • I wasn't able to achieve something in Objective C alone, but I could probably have a /Library/LaunchDaemon that can use an Objective C application to run /usr/bin/fs_usage command to detect events, and then parse that, and then run the scan on the file. An Objective C script could use C's popen() API to open that command in a background task and then scan it for changes. This would have to run as root, which is why it's called from /Library/LaunchDaemon (one would have to know how to make a launchd plist file, of course). (Of course, you can also make a C/C++ or other means to launch this process and filter it too, including a Perl script, all called from /Library/LaunchDaemon.)

    Here's an example I just ran to detect when I downloaded an example.txt from Google Chrome browser into my /Users/mike/Downloads/test folder. Note that there's only one open system call. So, you'd need to grep on mds, which stands for Apple's MetaData Service worker, and then look for the open call, which will occur only once on a file download from the browser, and then get the path name from that in order to scan that one file.

    sh-3.2# fs_usage -w -f pathname | grep '/Users/mike/Downloads/test' | grep mds
    14:26:08.424743  getattrlist                            /Users/mike/Downloads/test/example.txt                                                                                                  0.000023   mds.3432456
    14:26:08.424750  open              F=20       (R_____)  /Users/mike/Downloads/test/example.txt                                                                                                  0.000007   mds.3432456
    14:26:08.478919  getattrlist                            /Users/mike/Downloads/test/example.txt                                                                                                  0.000057   mds.3432457
    14:26:08.504923  stat64                                 /Users/mike/Downloads/test/example.txt                                                                                                  0.000018   mds.3432457
    14:26:08.504969  fsgetpath                              /Users/mike/Downloads/test/example.txt                                                                                                  0.000005   mds.3432457
    14:26:08.505001  stat64                                 /Users/mike/Downloads/test/example.txt                                                                                                  0.000020   mds.3432457
    14:26:08.505076  getattrlist                            /Users/mike/Downloads/test/example.txt                                                                                                  0.000021   mds.3432457
    14:26:08.505126  listxattr                              /Users/mike/Downloads/test/example.txt                                                                                                  0.000032   mds.3432457
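    As an added example (not the answer's own code), here is the filter the answer describes, written in C so it can be dropped into an Objective C daemon: a parser for `fs_usage -w -f pathname` lines that keeps only `open` calls made by an `mds` worker on a path under the watched downloads directory, plus the `popen()` loop a root LaunchDaemon would run. The column layout and the sample lines are constructed from the output above, and `scan_cb` is an assumed hook for whatever scanner you call.

```c
#define _POSIX_C_SOURCE 200809L   /* for popen()/pclose() under -std=c99 */
#include <stdio.h>
#include <string.h>

/* Return 1 and copy the path into out when `line` is an fs_usage "open" by an mds
 * worker (mds.<pid>, last column) under watch_dir; else 0. Layout assumed from above. */
int match_download_open(const char *line, const char *watch_dir, char *out, size_t outlen) {
    char call[32];
    if (sscanf(line, "%*s %31s", call) != 1 || strcmp(call, "open") != 0) return 0;
    const char *end = line + strlen(line);          /* process name: last token */
    while (end > line && (end[-1] == '\n' || end[-1] == ' ')) end--;
    const char *proc = end;
    while (proc > line && proc[-1] != ' ') proc--;
    if (strncmp(proc, "mds.", 4) != 0) return 0;
    const char *p = strstr(line, watch_dir);        /* path column: under watch_dir */
    size_t wlen = strlen(watch_dir), n;
    if (!p || p[wlen] != '/') return 0;             /* reject e.g. .../testing/x */
    n = strcspn(p, " \t\n");
    if (n + 1 > outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}
/* Run fs_usage (needs root, hence a LaunchDaemon) and hand each matching path
 * to scan_cb, an assumed hook for the scanner. */
int watch_downloads(const char *watch_dir, void (*scan_cb)(const char *)) {
    FILE *fp = popen("/usr/bin/fs_usage -w -f pathname", "r");
    if (!fp) return -1;
    char line[2048], path[1024];
    while (fgets(line, sizeof line, fp))
        if (match_download_open(line, watch_dir, path, sizeof path)) scan_cb(path);
    return pclose(fp);
}
/* Constructed sample lines mimicking the output above (not a real capture). */
static const char *const SAMPLE[] = {
    "14:26:08.424743  getattrlist            /Users/mike/Downloads/test/example.txt  0.000023   mds.3432456\n",
    "14:26:08.424750  open        F=20  (R_____)  /Users/mike/Downloads/test/example.txt  0.000007   mds.3432456\n",
    "14:26:09.000000  open        F=21  (R_____)  /Users/mike/Downloads/testing/x.txt     0.000007   mds.3432457\n",
    "14:26:09.100000  open        F=22  (R_____)  /Users/mike/Downloads/test/y.txt        0.000007   Chrome.911\n",
};
static char g_last_path[1024];
/* Run the filter over SAMPLE; returns how many lines would trigger a scan. */
int demo_match_count(void) {
    int hits = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        if (match_download_open(SAMPLE[i], "/Users/mike/Downloads/test", g_last_path, sizeof g_last_path)) hits++;
    return hits;
}
const char *demo_last_path(void) { return g_last_path; }
```

    Note that mds indexes any file that appears in the directory, not only browser downloads, so the match is a heuristic for "a new file landed here" rather than proof of where it came from.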