Since TCC is designed to protect these resources, it poses a challenge for malware that often tries to access them. Generally malware takes one of two approaches: exploiting TCC bugs, or obtaining explicit user permission access to the TCC protected item. The former is rather uncommon, while the latter is much more widespread as TCC can be trivially “circumvented” if the user acquiesces (sometimes as simply as clicking ‘Allow’ on a single TCC alert).
[…]
Since the majority of macOS malware circumvents TCC through explicit user approval, it would be incredibly helpful for any security tool to detect this — and possibly override the user’s risky decision. Until now the best (only?) option was to ingest log messages generated by the TCC subsystem.
[…]
In the macOS 15.4 SDK files, specifically EndpointSecurity/ESTypes.h, we find a brand new Endpoint Security event: ES_EVENT_TYPE_NOTIFY_TCC_MODIFY […]
This sounds good for anti-malware software, but I still think we need basic APIs for apps to query, request, and reset the permissions they need.
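A minimal Endpoint Security client that consumes the new event and surfaces only the case discussed above (a grant that resulted from the user clicking Allow) looks roughly like this. This is an added example, not code from the quoted post; it assumes the es_event_tcc_modify_t field names (service, identity, right, reason, instigator), the ES_TCC_* enum values and the event.tcc_modify union member as they appear in the 15.4 SDK, so check them against ESTypes.h, and it needs the endpoint-security client entitlement and root to run.

```objective-c
#import <EndpointSecurity/EndpointSecurity.h>
#import <bsm/libbsm.h>
#import <dispatch/dispatch.h>
#import <stdio.h>
#import <stdlib.h>

// Assumption: these field and enum names match es_event_tcc_modify_t in the
// macOS 15.4 SDK (EndpointSecurity/ESTypes.h); verify before building.
static void handle_tcc_modify(const es_message_t *msg) {
    const es_event_tcc_modify_t *ev = &msg->event.tcc_modify;

    // The risky case from the text: access was granted because the user
    // consented. Grants from MDM profiles or system policy are left alone.
    if (ev->right != ES_TCC_AUTHORIZATION_RIGHT_ALLOWED ||
        ev->reason != ES_TCC_AUTHORIZATION_REASON_USER_CONSENT) {
        return;
    }

    // The instigator is the process whose request triggered the change.
    const char *path = ev->instigator ? ev->instigator->executable->path.data : "<unknown>";
    pid_t pid = ev->instigator ? audit_token_to_pid(ev->instigator->audit_token) : -1;

    printf("TCC grant by user consent: service=%.*s identity=%.*s instigator=%s (pid %d)\n",
           (int)ev->service.length, ev->service.data,
           (int)ev->identity.length, ev->identity.data, path, pid);
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
        if (msg->event_type == ES_EVENT_TYPE_NOTIFY_TCC_MODIFY) {
            handle_tcc_modify(msg);
        }
    });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        // Typical causes: missing entitlement, not running as root, no Full Disk Access.
        fprintf(stderr, "es_new_client failed: %d\n", res);
        return EXIT_FAILURE;
    }

    es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_TCC_MODIFY };
    if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        return EXIT_FAILURE;
    }
    dispatch_main();
}
```

Because the event is a NOTIFY (not AUTH) type, a client can alert on the grant after the fact but cannot veto it; reversing the decision would have to be done separately.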