Bypass Record

Disable or Modify Tools × Forcepoint One Endpoint / DLP Endpoint for macOS

A publicly reported instance of Disable or Modify Tools bypassing Forcepoint One Endpoint / DLP Endpoint for macOS, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Forcepoint One Endpoint / DLP Endpoint for macOS
Technique: Disable or Modify Tools
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: poc
Disclosed: 2026-03-26
Config / version noted: Yes

Provenance

Reported as

A standard user on macOS can bypass Forcepoint DLP Endpoint's content inspection by sending SIGSTOP to two user-owned browser helper processes.

Mechanism

Sending SIGSTOP to the Websense Endpoint Helper and SafariExtension processes (both running as the current user) suspends them, preventing any browser data from reaching the root-privileged classification daemon (wsdlpd) via XPC/IPC. Since SIGSTOP cannot be caught or handled by the process, and no watchdog or integrity protection exists for these helpers, all DLP enforcement is silently bypassed.

Detection & mitigation

Monitor for SIGSTOP signals sent to DLP-related processes (e.g., Websense Endpoint Helper, SafariExtension) using process monitoring tools like EDR or auditd. Deploy a watchdog process or launchd KeepAlive configuration to automatically restart suspended DLP helpers and generate alerts when they are stopped.
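
A stopped process has not exited, so one way to detect this condition is to poll process state and alert when a DLP helper shows the stopped state (`T` in the `ps` state column). The sketch below is an added example, not code from the cited source or from the vendor; the function names, the `dlp-watchdog` log tag and the sample paths are assumptions, and only the two helper names come from the record.

```shell
#!/bin/sh
# Helper names from the record, matched as substrings of the command path.
# In a deployment, tighten this to the product's real install path so that
# unrelated Safari extensions are not matched.
DLP_HELPERS='Websense Endpoint Helper|SafariExtension'

# Reads "PID STAT COMMAND" lines on stdin (the layout produced by
# `ps -A -o pid=,stat=,comm=`) and prints "PID<TAB>COMMAND" for every
# DLP helper whose state starts with T (stopped, e.g. after SIGSTOP).
find_stopped_helpers() {
    awk -v pat="$DLP_HELPERS" '
        {
            pid = $1; stat = $2; cmd = $0
            # Strip the PID and STAT columns; the rest is the command,
            # which may contain spaces.
            sub(/^[ \t]*[0-9]+[ \t]+[^ \t]+[ \t]+/, "", cmd)
            if (stat ~ /^T/ && cmd ~ pat) printf "%s\t%s\n", pid, cmd
        }'
}

# One polling pass: logs an alert per stopped helper and returns 1 if any
# were found. Run it on an interval from a job the user cannot signal.
check_once() {
    stopped=$(ps -A -o pid=,stat=,comm= | find_stopped_helpers)
    [ -z "$stopped" ] && return 0
    printf '%s\n' "$stopped" | while IFS="$(printf '\t')" read -r pid cmd; do
        logger -t dlp-watchdog "DLP helper stopped: pid=$pid cmd=$cmd"
    done
    return 1
}

# Constructed sample input (placeholder paths, not real install locations).
sample_ps_output() {
    cat <<'EOF'
  501 S    /usr/sbin/cfprefsd
  612 T    /constructed/path/Websense Endpoint Helper
  613 T+   /constructed/path/Example.appex/Contents/MacOS/SafariExtension
  700 S    /Applications/Safari.app/Contents/MacOS/Safari
  701 Ss   /constructed/other/Websense Endpoint Helper
EOF
}
```

Running `sample_ps_output | find_stopped_helpers` lists PIDs 612 and 613 and skips 701, which is a helper that is still running.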

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.