diff --git a/Source/common/TestUtils.h b/Source/common/TestUtils.h
index 2996220d8..ed1bbcfdd 100644
--- a/Source/common/TestUtils.h
+++ b/Source/common/TestUtils.h
@@ -38,9 +38,12 @@
 // Pretty print C++ string match errors
 #define XCTAssertCppStringEqual(got, want) XCTAssertCStringEqual((got).c_str(), (want).c_str())
 
+// Note: Delta between local formatter and the one run on Github. Disable for now.
+// clang-format off
 #define XCTAssertSemaTrue(s, sec, m) \
   XCTAssertEqual(                    \
-    0, dispatch_semaphore_wait((s), dispatch_time(DISPATCH_TIME_NOW, (sec)*NSEC_PER_SEC)), m)
+    0, dispatch_semaphore_wait((s), dispatch_time(DISPATCH_TIME_NOW, (sec) * NSEC_PER_SEC)), m)
+// clang-format on
 
 // Helper to ensure at least `ms` milliseconds are slept, even if the sleep
 // function returns early due to interrupts.
diff --git a/Source/santad/BUILD b/Source/santad/BUILD
index 3923b98bf..19e8bc904 100644
--- a/Source/santad/BUILD
+++ b/Source/santad/BUILD
@@ -299,6 +299,7 @@ objc_library(
         "//Source/common:PrefixTree",
         "//Source/common:SNTConfigurator",
         "//Source/common:SNTLogging",
+        "//Source/common:String",
         "//Source/common:Unit",
     ],
 )
diff --git a/Source/santad/EventProviders/SNTEndpointSecurityRecorder.mm b/Source/santad/EventProviders/SNTEndpointSecurityRecorder.mm
index 8772a6d5b..04730b401 100644
--- a/Source/santad/EventProviders/SNTEndpointSecurityRecorder.mm
+++ b/Source/santad/EventProviders/SNTEndpointSecurityRecorder.mm
@@ -18,6 +18,7 @@
 
 #import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTLogging.h"
+#include "Source/common/String.h"
 #include "Source/santad/EventProviders/AuthResultCache.h"
 #include "Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h"
 #include "Source/santad/EventProviders/EndpointSecurity/Message.h"
@@ -86,7 +87,7 @@ - (void)handleMessage:(Message &&)esMsg
    recordEventMetrics:(void (^)(EventDisposition))recordEventMetrics {
   // Pre-enrichment processing
   switch (esMsg->event_type) {
-    case ES_EVENT_TYPE_NOTIFY_CLOSE:
+    case ES_EVENT_TYPE_NOTIFY_CLOSE: {
       // TODO(mlw): Once we move to building with the macOS 13 SDK, we should also check
       // the `was_mapped_writable` field
       if (esMsg->event.close.modified == false) {
@@ -100,10 +101,11 @@ - (void)handleMessage:(Message &&)esMsg
       self->_authResultCache->RemoveFromCache(esMsg->event.close.target);
 
       // Only log file changes that match the given regex
+      NSString *targetPath = santa::common::StringToNSString(esMsg->event.close.target->path.data);
       if (![[self.configurator fileChangesRegex]
-            numberOfMatchesInString:@(esMsg->event.close.target->path.data)
+            numberOfMatchesInString:targetPath
                             options:0
-                              range:NSMakeRange(0, esMsg->event.close.target->path.length)]) {
+                              range:NSMakeRange(0, targetPath.length)]) {
         // Note: Do not record metrics in this case. These are not considered "drops"
         // because this is not a failure case.
         // TODO(mlw): Consider changes to configuration that would allow muting paths
@@ -112,6 +114,8 @@ - (void)handleMessage:(Message &&)esMsg
       }
 
       break;
+    }
+
     default: break;
   }