es_event_cs_invalidated_t
A type for an event that indicates the invalidation of a process’ code signing status.
Declaration
struct es_event_cs_invalidated_tOverview
Endpoint Security generates this event as a result of removing the CS_VALID bit from a process’s CS flags. This occurs in the following situations:
An invalid page for a process with an otherwise-valid code signature pages in.
A call to
csops(CS_OPS_MARKINVALID)explicitly invalidates the process.
Endpoint Security doesn’t generate this event if CS_HARD is set, since CS_HARD by design prevents the process from becoming invalid.