Skyhigh Security

Understanding macOS SCP: Under the hood

Internal Only
Do not share with customers without approval


This article gives a quick overview of the macOS SCP processes and how they redirect traffic to a proxy. Understanding these processes shows the path traffic takes from an application to the proxy, and how SCP decides whether to redirect a connection or bypass it.


Key Components

There are two components responsible for intercepting traffic from applications and redirecting it to the configured proxy:

  1. Trellix System Extension TransProxy: This user-level network extension acts as a network filter (its entries appear in the logs under the com.trellix.dev.PassThroughProxy subsystem). It intercepts outbound TCP connections, by default on ports 80 (HTTP) and 443 (HTTPS), and can be configured through the SCP policy to intercept additional TCP ports. Intercepted connections are handed to the scpd over a loopback listener.

  2. Skyhigh Client Proxy daemon (scpd): The scpd is a user-level process that makes the traffic routing decisions. It has two primary actions:

  • Proxy Redirection: The scpd forwards the connection to a proxy server configured in the SCP policy. In this case it injects "X-SWEB" headers carrying additional metadata about the client and the original destination.
  • SCP Bypass: Based on the SCP policy, the scpd can instruct the Trellix Extension to release the connection directly to its destination. This is referred to as "bypassing SCP".

Bypass Mechanisms

  • Trellix System Extension Bypass: The Trellix System Extension enforces the IP-based bypass lists configured in the SCP policy. It does this on its own, without involving the scpd, because the destination IP is already known when the TCP connection is intercepted.
  • scpd Bypass: Bypass rules based on domains, processes, or ports must be enforced by the scpd, because the Trellix System Extension lacks visibility into these details. Connections matching such rules are therefore still intercepted and handed to the scpd before being released.

Important Considerations

  • Scope: SCP handles TCP traffic only. UDP traffic is NOT supported; only outbound TCP connections are intercepted.
  • Policy-Driven: The behavior of SCP is tightly coupled to the configuration defined within the SCP policy.


TLDR:

The Trellix System Extension operates as a user-level network filter, capable of monitoring and intercepting outbound TCP traffic. Intercepted traffic is routed to the scpd component. Traffic is then either forwarded to the configured proxy (with X-SWEB headers added) or returned to the Trellix System Extension for SCP bypassing.


Analyzing Logs

To troubleshoot a connection or review how SCP handled it, analyze a packet capture alongside the SCP-specific logs.

As an example, we'll analyze requests to two websites:

  • httpforever.com (146.190.62.39), which is on the SCP bypass list and is released directly.
  • www.testingmcafeesites.com (18.236.36.28), which is redirected to the proxy.

We use HTTP sites because the traffic is in plaintext, which simplifies the analysis; HTTPS traffic is encrypted, which makes the same analysis harder. The example demonstrates the logging differences between a bypassed site and a proxied site.


Resolving DNS

It is recommended to collect a packet capture with Wireshark while reproducing the issue and use it to record the DNS queries and responses, paying attention to the IP addresses returned for each hostname. The Trellix System Extension logs record only destination IP addresses, so the capture is what lets you map an IP address in the logs back to the site the application actually requested.


Reviewing Trellix System Extension Logs

  • Logs are located (in the MER tool output) under: /McAfeeMERTool-SCP/tmp/ScpMER/SystemExtensionLogs
  • 4-system_extension.log - Logs every outbound TCP connection seen on ports 80 and 443 (and any other ports configured in the SCP policy).
  • 5-SubSystemPassThroughProxyLogs.log - A filtered view of 4-system_extension.log containing only the PassThroughProxy entries, i.e. the connections being redirected or bypassed. Start with this file; it is easier to read.


Example: Trellix Extension Bypassed Traffic

  • Log Description: The Trellix System Extension detected a new TCP connection to 146.190.62.39:80 (httpforever.com). After consulting the SCP policy, the extension determined that the traffic should be bypassed because the destination IP is on the SCP bypass list, so the decision was made without involving the scpd. The flow was returned to the kernel for direct transmission, bypassing SCP. Note that the decision line records the flow cookie and the process that opened the connection (processPath).
  • 5-SubSystemPassThroughProxyLogs.log:
2024-03-23 17:52:55.758504-0500 0x3329     Info        0x0                  984    0    com.trellix.CMF.networkextension: [com.trellix.dev.PassThroughProxy:providerCore] PassThroughProviderCore::supportedFlowForFlow:  provider core will check for new TCP conn: 146.190.62.39:80, flow: 0x6000039d19c0
2024-03-23 17:52:55.758583-0500 0x3329     Default     0x0                  984    0    com.trellix.CMF.networkextension: [com.trellix.dev.PassThroughProxy:providerCore] checkPolicyForRedirection: Bypassing. Not redirecting traffic to Proxy. Original dest: 146.190.62.39:80 cookie: 952, processPath: /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.59/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
2024-03-23 17:52:55.758586-0500 0x3329     Info        0x0                  984    0    com.trellix.CMF.networkextension: [com.trellix.dev.PassThroughProxy:providerCore] PassThroughProviderCore::handleNewTCPFlow: Proxy Policy decided not to redirect this conn: [146.190.62.39:80], flow: 0x6000039d19c0 will be return to kernel to bypass
2024-03-23 17:52:55.758697-0500 0x3329     Info        0x0                  984    0    com.trellix.CMF.networkextension: [com.trellix.dev.PassThroughProxy:providerCore] PassThroughProviderCore::isIpv6Protocol checking for ip <private>


Example: Trellix Extension Redirecting Traffic

  • Log Description: The Trellix System Extension detected a new TCP connection to 18.236.36.28:80 (www.testingmcafeesites.com). The policy reaction called for redirection, so the flow (cookie 946) was redirected to a local scpd listener (proxy dest: 127.0.0.1:49655); the scpd then forwards it to the configured proxy. Refer to Example: SCP Redirecting Traffic below.
  • 5-SubSystemPassThroughProxyLogs.log:
2024-03-23 17:52:53.296210-0500 0x3329     Info        0x0                  984    0    com.trellix.CMF.networkextension: [com.trellix.dev.PassThroughProxy:providerCore] PassThroughProviderCore::supportedFlowForFlow:  provider core will check for new TCP conn: 18.236.36.28:80, flow: 0x6000039d8bc0
2024-03-23 17:52:53.299088-0500 0x3329     Default     0x0                  984    0    com.trellix.CMF.networkextension: [com.trellix.dev.PassThroughProxy:providerCore] checkPolicyForRedirection: Reaction: [0x80-0x80-0x80]. Redirecting traffic proxy dest: 127.0.0.1:49655, actual dest: 18.236.36.28:80, cookie: 946, processPath: /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.59/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
2024-03-23 17:52:53.299154-0500 0x2d83     Info        0x0                  984    0    com.trellix.CMF.networkextension: [com.trellix.dev.PassThroughProxy:providerCore] PassThroughProviderCore::handleNewSupportedFlow: provider core will handle new TCP flow: 0x6000039d8bc0, dest: 18.236.36.28


Reviewing Skyhigh Client Proxy Logs

  • Logs are located (in the MER tool output) under: /McAfeeMERTool-SCP/usr/local/McAfee/Scp/logs
  • All_<DATE>_<TIME>.log - Logs connections received from the Trellix Extension, injection of the X-SWEB HTTP headers, and connections established to the configured proxy.


Example: SCP Redirecting Traffic

  • The Trellix Extension hands the connection to the scpd; refer to Example: Trellix Extension Redirecting Traffic above.
  • The scpd accepts the redirected connection from the System Extension on the listen port named in the extension log (49655, logged as AcceptSession_946) and performs a connectivity check to the configured proxy (ip4-4673ecfe.wgcs.skyhigh.cloud:8080, resolved to 161.69.54.147). Note that the scpd's ConnectivityChecker/ConnectSession cookie (947) is not the same number as the extension's flow cookie (946); use the listen port and the OriginalIp to tie the two logs together.
[2024-03-23 17:52:53.295397] (0x000000016dffb000) (861:7784) [Info]  <AcceptSession_946>: AcceptSession::handleAccept: System Extension Connected. IP: 127.0.0.1:49656. Listen port for this connection: 49655
[2024-03-23 17:52:53.295449] (0x000000016d6af000) (861:9962) [Info]  <ConnectivityChecker>: ConnectivityChecker::startRedirectionServer: cookie: 947, OriginalIp: 18.236.36.28, Proxy To: ip4-4673ecfe.wgcs.skyhigh.cloud:8080(AlternateProxy:false), Hostname from SysExtn: , for PID: 1046, ExePath: /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/123.0.6312.59/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
…
[2024-03-23 17:52:53.295776] (0x000000016d6af000) (861:9962) [Info]  <ConnectSession_947>: ConnectSession::connectToRemoteHost: Try to Async TCP Connect to Host(Proxy): ip4-4673ecfe.wgcs.skyhigh.cloud:8080, with timeout: 10. secureChannel: false
[2024-03-23 17:52:53.296500] (0x000000016d6af000) (861:9962) [Info]  <ConnectSession_947>: ConnectSession::connectToRemoteHost: Ip: 161.69.54.147
  • Once the scpd has established the connection to the proxy, it forwards the application's request with the X-SWEB headers injected. The excerpt below is the plaintext HTTP request as sent to the proxy; note that X-SWEB-OriginalDestinationIP carries the original destination in the clear, while X-SWEB-AuthUser and X-SWEB-ClientIP carry encoded values.
  • The connection to the proxy is closed when the remote side finishes, which appears in the log as a read returning End of file (the last two lines below, which in this capture come from a different session, ConnectSession_483).
GET http://www.testingmcafeesites.com/testrep_yellow.html HTTP/1.1
Host: www.testingmcafeesites.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
X-SWEB-AuthVersion: 3
X-SWEB-OriginalDestinationIP: 18.236.36.28
X-SWEB-AuthCustID: 1199589255
X-SWEB-AuthUser: CUgYUpi0Z9Wl/4JZnjglHSovedvg1pO3kxtI53wuogduwDlXdryrHz8a766EiG7+0/jPP4t1VNCymw==
X-SWEB-ClientIP: pnkAY82e1BikUQ+kzcLf4NahnMFevXsbOfw=
…(more)
[2024-03-23 17:52:53.574205] (0x000000016e22b000) (861:7788) [Info]  <ConnectSession_483>: ConnectSession::handle_read: Error category:asio.miscbytes_transfered : 0
[2024-03-23 17:52:53.574468] (0x000000016e22b000) (861:7788) [Info]  <ConnectSession_483>: ConnectSession::handle_read: ConnectSocket Disconnected (End of file), local port: 49443, remote port:8080
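
Putting the three sources together by hand (DNS answers from the capture, the extension's decision lines, the scpd's AcceptSession and ConnectivityChecker lines) is tedious on a busy machine. The script below is an added example, not part of the SCP product or the MER tool: it parses the two log formats shown above, maps destination IPs back to hostnames, confirms for each redirected flow that the scpd accepted it on the listen port named by the extension, and flags redirects the scpd never picked up (the first thing to check when a site hangs). The log lines and the DNS_ANSWERS map are constructed from the excerpts in this article (the third extension line, cookie 960 on listen port 49700, is invented to show a redirect with no matching AcceptSession); the regular expressions are this example's own and should be adjusted if the log format changes.

```python
"""Tie Trellix System Extension decisions to scpd sessions and DNS answers.

Added example for this article, not part of the SCP product or the MER tool.
The log lines are constructed from the excerpts in the article; DNS_ANSWERS
stands in for the A records you would read out of a Wireshark capture.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CHROME_HELPER = (
    "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/"
    "Versions/123.0.6312.59/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper"
)

# Constructed 5-SubSystemPassThroughProxyLogs.log decision lines: a redirect, a bypass, and a
# redirect (cookie 960, port 49700) for which scpd never logs an AcceptSession.
SYSEXT_LOG = f"""\
2024-03-23 17:52:53.299088-0500 0x3329 Default 0x0 984 0 com.trellix.CMF.networkextension: [com.trellix.dev.PassThroughProxy:providerCore] checkPolicyForRedirection: Reaction: [0x80-0x80-0x80]. Redirecting traffic proxy dest: 127.0.0.1:49655, actual dest: 18.236.36.28:80, cookie: 946, processPath: {CHROME_HELPER}
2024-03-23 17:52:55.758583-0500 0x3329 Default 0x0 984 0 com.trellix.CMF.networkextension: [com.trellix.dev.PassThroughProxy:providerCore] checkPolicyForRedirection: Bypassing. Not redirecting traffic to Proxy. Original dest: 146.190.62.39:80 cookie: 952, processPath: {CHROME_HELPER}
2024-03-23 17:53:01.000000-0500 0x3329 Default 0x0 984 0 com.trellix.CMF.networkextension: [com.trellix.dev.PassThroughProxy:providerCore] checkPolicyForRedirection: Reaction: [0x80-0x80-0x80]. Redirecting traffic proxy dest: 127.0.0.1:49700, actual dest: 18.236.36.28:443, cookie: 960, processPath: {CHROME_HELPER}
"""

# Constructed scpd All_<DATE>_<TIME>.log lines for the first redirected flow.
SCPD_LOG = f"""\
[2024-03-23 17:52:53.295397] (0x000000016dffb000) (861:7784) [Info]  <AcceptSession_946>: AcceptSession::handleAccept: System Extension Connected. IP: 127.0.0.1:49656. Listen port for this connection: 49655
[2024-03-23 17:52:53.295449] (0x000000016d6af000) (861:9962) [Info]  <ConnectivityChecker>: ConnectivityChecker::startRedirectionServer: cookie: 947, OriginalIp: 18.236.36.28, Proxy To: ip4-4673ecfe.wgcs.skyhigh.cloud:8080(AlternateProxy:false), Hostname from SysExtn: , for PID: 1046, ExePath: {CHROME_HELPER}
"""

# Constructed stand-in for the DNS answers seen in the packet capture.
DNS_ANSWERS = {"146.190.62.39": "httpforever.com", "18.236.36.28": "www.testingmcafeesites.com"}

BYPASS_RE = re.compile(
    r"checkPolicyForRedirection: Bypassing\..*?Original dest: (?P<ip>[\d.]+):(?P<port>\d+) "
    r"cookie: (?P<cookie>\d+), processPath: (?P<proc>.+)$")
REDIRECT_RE = re.compile(
    r"checkPolicyForRedirection: Reaction: \[[^\]]*\]\. Redirecting traffic proxy dest: "
    r"127\.0\.0\.1:(?P<lport>\d+), actual dest: (?P<ip>[\d.]+):(?P<port>\d+), "
    r"cookie: (?P<cookie>\d+), processPath: (?P<proc>.+)$")
ACCEPT_RE = re.compile(r"<AcceptSession_(?P<cookie>\d+)>: .*Listen port for this connection: (?P<lport>\d+)")
CONNECT_RE = re.compile(
    r"startRedirectionServer: cookie: \d+, OriginalIp: (?P<ip>[\d.]+), "
    r"Proxy To: (?P<proxy>\S+?)\(AlternateProxy:(?:true|false)\)")


@dataclass
class Flow:
    ts: str
    dest_ip: str
    dest_port: int
    cookie: int                        # flow cookie assigned by the extension
    process: str                       # processPath that opened the connection
    decision: str                      # "bypass" (extension alone) or "redirect" (to scpd)
    listen_port: Optional[int] = None  # scpd loopback listener the flow was sent to
    hostname: Optional[str] = None     # from DNS_ANSWERS; the logs only carry IPs
    scpd_accepted: bool = False        # AcceptSession_<cookie> seen for listen_port
    proxy: Optional[str] = None        # upstream proxy scpd connected to


def parse_sysext(text: str) -> List[Flow]:
    """Extract the checkPolicyForRedirection decision lines from the extension log."""
    flows: List[Flow] = []
    for line in text.splitlines():
        ts = " ".join(line.split()[:2])
        if m := BYPASS_RE.search(line):
            flows.append(Flow(ts, m["ip"], int(m["port"]), int(m["cookie"]), m["proc"], "bypass"))
        elif m := REDIRECT_RE.search(line):
            flows.append(Flow(ts, m["ip"], int(m["port"]), int(m["cookie"]), m["proc"], "redirect",
                              listen_port=int(m["lport"])))
    return flows


def parse_scpd(text: str) -> Tuple[Dict[int, int], Dict[str, str]]:
    """Return (listen port -> accepted cookie, original dest IP -> upstream proxy)."""
    accepted: Dict[int, int] = {}
    proxies: Dict[str, str] = {}
    for line in text.splitlines():
        if m := ACCEPT_RE.search(line):
            accepted[int(m["lport"])] = int(m["cookie"])
        elif m := CONNECT_RE.search(line):
            proxies[m["ip"]] = m["proxy"]  # scpd's own cookie differs from the extension's, so key by IP
    return accepted, proxies


def correlate(flows: List[Flow], accepted: Dict[int, int], proxies: Dict[str, str],
              dns: Dict[str, str]) -> List[Flow]:
    """Annotate each flow with its hostname and, for redirects, what scpd did with it."""
    for f in flows:
        f.hostname = dns.get(f.dest_ip)
        if f.decision == "redirect":
            f.scpd_accepted = accepted.get(f.listen_port) == f.cookie
            if f.scpd_accepted:
                f.proxy = proxies.get(f.dest_ip)
    return flows


def redirected_without_accept(flows: List[Flow]) -> List[Flow]:
    """Redirected flows the scpd never accepted: the first thing to check when a site hangs."""
    return [f for f in flows if f.decision == "redirect" and not f.scpd_accepted]


if __name__ == "__main__":
    accepted, proxies = parse_scpd(SCPD_LOG)
    for f in correlate(parse_sysext(SYSEXT_LOG), accepted, proxies, DNS_ANSWERS):
        print(f"{f.ts} {f.hostname or '?'} {f.dest_ip}:{f.dest_port} cookie={f.cookie} "
              f"{f.decision} scpd_accepted={f.scpd_accepted} proxy={f.proxy}")
```

To use it on a real MER bundle, replace the constructed strings with the contents of 5-SubSystemPassThroughProxyLogs.log and All_<DATE>_<TIME>.log and fill DNS_ANSWERS from the capture. The join deliberately uses the listen port plus the extension's cookie rather than the scpd's ConnectivityChecker cookie, because the excerpt above shows those two counters differ (946 versus 947).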


Summary

In summary, macOS SCP acts as a gatekeeper for outbound TCP traffic. The Trellix System Extension intercepts connections and applies the IP-based bypass list itself; everything else is handed to the scpd, which applies the domain, process and port rules and either forwards the connection to the configured proxy with X-SWEB headers injected or releases it. Knowing these decision points, and which log records each one, is what lets you troubleshoot a connection that is unexpectedly proxied, bypassed or hanging.
