What is endpointsecurityd?
endpointsecurityd is a security process that arrived with macOS Catalina.
What is endpointsecurityd?
endpointsecurityd runs Apple's Endpoint Security framework. This framework lets security software (antivirus tools, threat detection products, and so on) watch what happens on your Mac in a safe, supported way.
Why does it exist?
Before this framework, security tools had to use kernel extensions to watch file access and program launches. Kernel extensions were risky. They could crash the whole system. Apple wanted to stop using them.
The Endpoint Security framework replaced kernel extensions with a safer method that runs outside the kernel. endpointsecurityd controls access to this framework.
What can it watch?
The framework can observe:
- Files being created, changed, or deleted
- Programs starting and stopping
- Network connections
- User logins
- Drives being mounted or removed
Security apps register with endpointsecurityd to get told about these events.
Is it linked to my antivirus software?
If you run security software like CrowdStrike, SentinelOne, or Carbon Black, it likely uses this framework. endpointsecurityd sits between macOS and those tools.
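To check which products on a particular Mac are registered as Endpoint Security clients, you can parse the output of `systemextensionsctl list`. The Python below is an added example, not part of the original post. It assumes the tab-separated layout shown in the constructed sample (all team IDs, bundle IDs and names are made up), and it only covers clients shipped as system extensions.

```python
import re
import sys

ES_CATEGORY = "com.apple.system_extension.endpoint_security"

# Constructed sample laid out like `systemextensionsctl list` output.
# The layout is an assumption; every identifier below is made up.
SAMPLE = (
    "2 extension(s)\n"
    "--- com.apple.system_extension.network_extension\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tAAAAAAAAAA\tcom.example.filter (2.1/7)\tExample Filter\t[activated enabled]\n"
    "--- com.apple.system_extension.endpoint_security\n"
    "enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n"
    "*\t*\tBBBBBBBBBB\tcom.example.edr.agent (5.0/120)\tExample EDR\t[activated enabled]\n"
    "\t\tCCCCCCCCCC\tcom.example.oldav.es (1.3/9)\tOld AV\t[terminated waiting to uninstall on reboot]\n"
)

# "bundleID (version)" column, e.g. "com.example.edr.agent (5.0/120)"
ROW = re.compile(r"^(?P<bundle>\S+) \((?P<version>[^)]*)\)$")

def endpoint_security_extensions(listing):
    """Return one dict per extension listed under the Endpoint Security category."""
    found, category = [], None
    for line in listing.splitlines():
        if line.startswith("--- "):          # category header starts a new group
            category = line[4:].strip()
            continue
        cols = line.split("\t")
        if category != ES_CATEGORY or len(cols) != 6 or cols[2] == "teamID":
            continue                         # other category, count line, or column header
        m = ROW.match(cols[3].strip())
        if not m:
            continue                         # unexpected row shape: skip rather than guess
        found.append({
            "team_id": cols[2], "bundle_id": m["bundle"], "version": m["version"],
            "name": cols[4], "state": cols[5].strip("[]"),
            # "*" in both the enabled and active columns means it is in use
            "running": cols[0] == "*" and cols[1] == "*",
        })
    return found

if __name__ == "__main__":
    # Read piped command output if present, otherwise fall back to the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for ext in endpoint_security_extensions(text):
        status = "active" if ext["running"] else "NOT active"
        print(f'{ext["name"]} ({ext["bundle_id"]} {ext["version"]}, '
              f'team {ext["team_id"]}): {status}, {ext["state"]}')
```

An entry that is listed but not marked enabled and active, like the second sample row, is worth a look: the product is installed but is not currently receiving events.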
Does it slow down my Mac?
The framework itself is light. But if a security product does heavy scanning on every file operation, you might notice slowdowns. That would be the security product's fault, not endpointsecurityd's.
Should you worry?
No. It is a normal macOS security process. It gives security software a stable, safe way to protect your Mac.