Optimize recently-created-executables-macos

Thomas Stromberg 2023-02-24 17:24:09 -05:00
parent 4150b1ee7c
commit 12a5507907
1 changed files with 14 additions and 18 deletions


@ -52,26 +52,26 @@ WHERE
start_time > 0
AND start_time > (strftime('%s', 'now') - 7200)
AND pid > 0
AND REGEX_MATCH (
path,
"^(/System|/usr/libexec/|/usr/sbin/|/usr/local/Cellar/|/opt/homebrew/|/nix/store/|/usr/bin/|/usr/lib/|/bin/|/Applications|/Library/Apple/|/sbin/|/usr/local/kolide-k2)",
1
) IS NULL
AND path != ""
AND NOT path LIKE '/Applications/%.app/%'
AND NOT path LIKE '/Applications/%'
AND NOT path LIKE '%-go-build%'
AND NOT path LIKE '/Library/Apple/%'
AND NOT path LIKE '/Library/Application Support/Adobe/Adobe Desktop Common/%'
AND NOT path LIKE '%/Library/Application Support/com.elgato.StreamDeck%' -- Known parent processes, typically GUI shells and updaters
AND NOT path LIKE '%/Library/Application Support/com.elgato.StreamDeck%'
AND NOT path LIKE '/Library/Application Support/Logitech.localized/%'
AND NOT path LIKE '/nix/store/%'
AND NOT path LIKE '/opt/homebrew/%'
AND NOT path LIKE '/private/tmp/%/Creative Cloud Installer.app/Contents/MacOS/Install'
AND NOT path LIKE '/private/tmp/go-%'
AND NOT path LIKE '/private/tmp/nix-build-%'
AND NOT path LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%'
AND NOT path LIKE '/private/var/folders/%/bin/%'
AND NOT path LIKE '/private/var/folders/%/d/Wrapper/%.app/%'
AND NOT path LIKE '/private/var/folders/%/go-build%'
AND NOT path LIKE '/private/var/folders/%/GoLand/%'
AND NOT path LIKE '/private/var/folders/%/T/download/ARMDCHammer'
AND NOT path LIKE '/private/var/folders/%/T/pulumi-go.%'
AND NOT path LIKE '/System/%'
AND NOT path LIKE '/Users/%/Applications (Parallels)/%/Contents/MacOS/WinAppHelper'
AND NOT path LIKE '/Users/%/bin/%'
AND NOT path LIKE '/Users/%/code/%'
@ -80,27 +80,23 @@ WHERE
AND NOT path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%'
AND NOT path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%'
AND NOT path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'
AND NOT path LIKE '/Users/%/Library/Developer/Xcode/UserData/Previews/Simulator Devices/%/data/Containers/Bundle/Application/%'
AND NOT path LIKE '/Users/%/Library/Google/%.bundle/Contents/Helpers/%'
AND NOT path LIKE '/Users/%/Library/Mobile Documents/%/Contents/Frameworks%'
AND NOT path LIKE '/Users/%/.local/share/nvim/mason/packages/%'
AND NOT path LIKE '/Users/%/node_modules/.bin/%'
AND NOT path LIKE '/Users/%/node_modules/.pnpm/%'
AND NOT path LIKE '/Users/%/Parallels/%/Contents/MacOS/WinAppHelper'
AND NOT path LIKE '/Users/%/src/%'
AND NOT path LIKE '/Users/%/terraform-provider-%'
AND NOT path LIKE '/Users/%/%.test'
AND NOT path LIKE '/Users/%/Library/Developer/Xcode/UserData/Previews/Simulator Devices/%/data/Containers/Bundle/Application/%'
AND NOT path LIKE '/Users/%/.local/share/nvim/mason/packages/%'
AND NOT path LIKE '/Users/%/node_modules/.pnpm/%'
AND NOT path LIKE '/Users/%/node_modules/.bin/%'
AND NOT path LIKE '/usr/local/Cellar/%'
AND NOT path LIKE '/usr/sbin/%'
AND NOT path LIKE '/usr/local/kolide-k2/%'
AND NOT path LIKE '%/.vscode/extensions/%'
AND NOT (
path LIKE '/private/var/folders/%/d/Wrapper/%.app/%'
AND s.authority = 'TestFlight Beta Distribution'
)
GROUP BY path
)
AND (p0.start_time - MAX(f.ctime, f.btime)) < 120
AND f.ctime > 0
AND (p0.start_time - MAX(f.ctime, f.btime)) < 180
AND p0.start_time >= MAX(f.ctime, f.ctime)
AND s.authority NOT IN (
'Apple Mac OS Application Signing',
'Apple iPhone OS Application Signing',
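Review bot: The `REGEX_MATCH` allowlist in the first hunk writes three prefixes without a trailing slash (`/System`, `/Applications` and `/usr/local/kolide-k2`), so it excludes more than the `LIKE '/System/%'`, `'/Applications/%'` and `'/usr/local/kolide-k2/%'` patterns that also appear in this section. Any sibling directory whose name merely begins with one of those strings is now skipped by the detection. Writing them as `/System/`, `/Applications/` and `/usr/local/kolide-k2/` keeps the single-regex optimisation without widening the exclusion. Separately, `AND p0.start_time >= MAX(f.ctime, f.ctime)` in the second hunk compares ctime with itself; if that line is on the new side it presumably should read `MAX(f.ctime, f.btime)`, matching the window check next to it. The page has lost its +/- markers, so which of the duplicated lines are old and which are new is inferred here.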