Can't say that I see this process on either of my test MACs. Sorry!
What you could try is: Open Activity Monitor and select the item and click the information icon. You should get a path to the file or some further details on it i.e. where it's located and what files it's reading
so xClient is an executable in /usr/local/bin. It isn't running when I've logged in. I suspecct its part of the login process.
Also, these alerts have died down - I wonder whether they trigger once when the new version of endpoint was deployed?? I'm very tempted to set an exclude for this alert, as I don't think its a bad thing happening.
Thanks for looping back on this. Installations do tend to trigger some of our rules, it obviously depends on what actions those installations take. It would be interesting to know why that process is trying to access our core files and folders! That is something only the vendor of xClient would be able to answer though. If you find out anything else, please feel free to share it here for others to see 🙂
If it isn't causing an issue on the local client, personally, I wouldn't add an exclusions purely because you don't know what it is doing and why it is trying to access our core files and folders. Avoid adding exclusions just because it is creating events. Minimal exclusions should be set otherwise the system is more vulnerable to attacks.
This is still happening, xClient is part of the OSX operating system. I'm surprised there is no mention of it out on the web, so I'd guess its something to do with our unique setup here.
It only seems to happen maybe once (and then not every time), when endpoint protection is first installed, so I'm not going to lose sleep over it.
I'll readdress this if anything starts going wrong as a result of this, but I'm happy to leave this as one of lifes great mysteries for now.