Featuring a rules-based engine and customizable detection modules, our framework is designed to be seamlessly integrated into any macOS endpoint security solution.


Details:

DoubleYou.Framework (referred to as "the framework") is an OEM component designed to monitor, alert, and protect against malware threats on the macOS platform. It achieves this by collecting system activity events and applying predefined rules to generate actionable alerts or block malware in real-time.

It is designed specifically for integration into a larger EDR system, but the framework can be incorporated into any product that requires anti-malware features. The framework does not directly interact with end users; instead, it sends alerts and logs to the integrated product for processing and management.

Architecture:
The framework consists of three major subcomponent categories:

Note:
The decision engine and the message passing system are designed so that collectors can be plugged in and out at build time, depending on customer needs.


Integration:

To leverage DoubleYou.Framework, it must be integrated (linked in) into an existing product. Then, to receive alerts, code in the integrator must subscribe to the framework's events. The subscription function will receive an object describing the alert as well as the data context that triggered it.

Here is a simple example, showing how an integrator could initialize the framework and then both subscribe to and process any alert events:
#import <Foundation/Foundation.h>
#import <DoubleYou/DoubleYou.h>

//set any additional configuration (the configuration keys are elided in this excerpt)
NSDictionary* configDict = @{ /* ...config... */ };
NSData* config = [NSJSONSerialization dataWithJSONObject:configDict options:0 error:nil];

//initialize framework
doubleyou_initialize(config, DOUBLEYOU_EMBEDDED_LICENSE);

//load rules (path to the ruleset shipped in the app bundle)
NSString* rulesPath = [NSBundle.mainBundle pathForResource:@"general_rules" ofType:@"json"];
doubleyou_load_ruleset(rulesPath);

//subscribe & process alert events
doubleyou_subscribe_events(^BOOL(NSDictionary * event) {

     //handle alert event

     //the meaning of the block's BOOL return value is not described in this excerpt
     return YES;
});
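The snippet above leaves the alert handler body empty. The following is an added example of what an integrator-side handler could look like; it is not code from DoubleYou.Framework or its vendor. It assumes only the `doubleyou_subscribe_events` call shown on this page; the helper names `alertQueue`, `forwardAlert` and `subscribeToDoubleYouAlerts`, the queue label, the use of `os_log` as the product's log sink, and the `YES` return value are all the example's own assumptions, and the contents of the event dictionary are treated as opaque because the page does not document its keys.

```objective-c
#import <Foundation/Foundation.h>
#import <os/log.h>
#import <DoubleYou/DoubleYou.h>

// Serial queue so that alert processing never blocks the thread on which the
// framework delivers callbacks (queue label is an arbitrary placeholder).
static dispatch_queue_t alertQueue(void) {
    static dispatch_queue_t queue;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        queue = dispatch_queue_create("com.example.edr.doubleyou-alerts", DISPATCH_QUEUE_SERIAL);
    });
    return queue;
}

// Hypothetical integrator sink: serialize the alert to JSON and hand it to the
// product's log. The event is treated as opaque data; the page does not
// document its keys, so nothing here depends on a particular field.
static void forwardAlert(NSDictionary *event) {
    if (![NSJSONSerialization isValidJSONObject:event]) {
        os_log_error(OS_LOG_DEFAULT, "DoubleYou alert event is not JSON-serializable; dropping it");
        return;
    }
    NSError *error = nil;
    NSData *json = [NSJSONSerialization dataWithJSONObject:event options:0 error:&error];
    if (json == nil) {
        os_log_error(OS_LOG_DEFAULT, "failed to serialize DoubleYou alert: %{public}@", error);
        return;
    }
    NSString *text = [[NSString alloc] initWithData:json encoding:NSUTF8StringEncoding];
    // In a real product this is where the alert would be queued for the EDR
    // backend; logging stands in for that step here.
    os_log(OS_LOG_DEFAULT, "DoubleYou alert: %{public}@", text);
}

// Subscribe once, at product start-up, after the framework has been initialized
// and a ruleset has been loaded.
void subscribeToDoubleYouAlerts(void) {
    doubleyou_subscribe_events(^BOOL(NSDictionary *event) {
        // Snapshot the dictionary before leaving the callback, then process it
        // off the framework's thread.
        NSDictionary *snapshot = [event copy];
        dispatch_async(alertQueue(), ^{
            forwardAlert(snapshot);
        });
        // Assumption: the page does not describe what the BOOL return means.
        return YES;
    });
}
```

The design point is that the callback returns immediately: the framework's event pipeline is decoupled from however slow the product's alert processing happens to be, and a malformed or unexpectedly large event cannot stall detection of the next one.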