Carbon Black App Control 8.9.2 | 8 May 2024 | Build 8.9.2.528

Check for additions and updates to these release notes.

What's New

The 8.9.2 macOS Agent Release Notes provide information for users upgrading from previous versions as well as for users new to Carbon Black App Control.

Product security is our top priority for Carbon Black App Control. In this release, we have included several new enhancements to ensure that our product is prepared to keep you and your endpoints secure.

Important:

INSTALLATION INSTRUCTIONS: Before upgrading to the new 8.9.2 macOS agent, make sure rule installer 1.26 or later is installed. Then perform an auto upgrade of the macOS agent from the server.

Features new to version 8.9.2 include:

  • Event Filtering (aka ABExclusions)

    The App Control agent tracks many operations such as file operations. Each and every operation generates an event that is stored in the local agent database as well as reported to the server. In some situations our Support team may recommend that customers apply event exclusions in order to reduce network traffic and/or load on the App Control server.

    Important:

    It is important to note that while the data is not sent to the server, the agent retains full visibility into the file operations on the endpoint.

    This is unlike a Kernel Exclusion which filters the operations at the kernel level and prevents the file operations from being tracked by the agent. 

    This functionality is currently available in the Windows agent. Inclusion in the Mac agent provides a level of parity between platforms.

  • Unauthenticated Agent Registration

    In conjunction with 8.10 Server, the Mac 8.9.2 Agent now supports the use of client registration codes. These codes improve security by helping to prevent other programs from impersonating Carbon Black App Control agents.

    You can generate client registration codes, and enable and disable them.

    • If you choose to enable this feature, you must provide the client registration code either when you install a new agent that supports this feature, or after installation by using the command line interface.

    • Existing agents that have already connected to the server remain connected and do not need the registration code.

    For more information about using this feature, please refer to the Manage Client Registration Codes section of the 8.10 App Control Server User Guide.

    Important:

    To register the agent with the server, an administrator needs to run the following command on the agent machines:

    ./b9cli --registercode "<registration code>"

  • Secure Communication via untrusted SSL channel

    You can secure server communication by populating the certificate list from the TrustedCertList.pem file in the /Library/Application Support/com.bit9.Agent/Data directory.

    The keychain is now populated from the Keychain.json file in the /Library/Application Support/com.bit9.Agent/Data directory.

    • A new health check event reports issues with server communication that uses the trusted certificate list.

    • Starting with server v8.7, the App Control client and server have made significant improvements in protecting against man-in-the-middle attacks.

    • The App Control macOS client protects against man-in-the-middle attacks by verifying the encryption key against the list of trusted keys. If discrepancies are detected, the client encrypts messages using a pre-defined communication key.

    Important:

    By default this feature is disabled.

    Add the agent config "use_http_public_key_pinning_mac=1" to enable this feature.

    To add the agent config:

    Navigate to the Agent_config modification page: https://<Server Hostname>/agent_config.php

    Click "Add Agent Config" and add a new config.

    NOTE: Enable this feature only after a fresh installation of the 8.9.2 agent, or after an upgrade to the 8.9.2 agent has completed.

  • Library Updates

    • Boost upgraded to 1.83

    • wxWidgets upgraded to 3.2.1

    • Zlib upgraded to 1.2.13

    • SQLite upgraded to 3.44.2

    • OpenSSL upgraded to 3.1.4

Downloading the Software

You can access all Carbon Black App Control software by logging onto the Broadcom customer portal, navigating to the Downloads section, and searching for the software you need.

Important:

You can use this direct link for Carbon Black App Control macOS Sensor 8.9.2.528.

The SHA-256 for Carbon Black App Control macOS Sensor CB_App_Ctrl_Mac_8.9.2.528.zip is:

61910bae7e86b5bb6fdfd424f4983ed005d20c149923fd5974c7b8349e298738

Resolved Issues

  • EP-16781: Fixed an issue where a custom rule with a Write Action of Ignore (meaning do not track creation, modification, or deletion of a file matching this rule) was not working

  • EP-17367: AppC loader app has no CB icon like b9notifier

  • EP-18422: Fixed an issue where the agent database size would grow when the agent was moved into disabled mode and then back into an active policy (EA-23231)

  • EP-19338: Fixed an issue where the daemon failed to reconnect after issuing a b9cli --dump agent command on an M1 machine

  • EP-20000: Fixed an issue where the agent would generate an error when App Control Notifier logo was set to None (EA-23976)

  • EP-20704: Fixed an issue where macOS would kill the App Control System Extension because App Control file analysis was delaying the execution of Apps downloaded from the App Store (EA-24143)

Known Issues

  • EP-5821: Software RAID 0/1 device control status is always “Unapproved” and cannot be manipulated through device control

  • EP-13191: After changing the name of a policy that is assigned to an agent, the updated policy name does not display on the details page of that agent

  • EP-14175: In the case of System Extensions, the first execution of a process is always denied unless it is approved by the user

    In the case of a custom rule execution prompt, even if the user approves, App Control prompts the user with the termination of the process. This is expected behavior.

  • EP-15277: kernelFileOpExclusions kernel exclusions configured on the server aren’t set on the mac agent side as they are not implemented for the mac agent

  • EP-15282: Agent unexpectedly prevents a file from being modified in High Policy

    If the agent is in a high enforcement policy and an existing script file is being modified, the b9notifier prompt is displayed and the agent blocks the action. Modifying the file should be allowed unless there is a rule that prevents it.

  • EP-15300: In medium enforcement, notifier freezes when multiple, unapproved, interesting files are executed on macOS Big Sur and higher

    This issue occurs on macOS version 11.x and above. If a file must be approved, you can create a path exclusion rule for that interesting file.

  • EP-15323: KernelSupport and SystemProxy kexts are loaded after upgrading from Catalina to Monterey

    When agent version 8.7.2 is installed on an endpoint and the OS is upgraded from ‘Catalina or below’ to ‘Big Sur or above’, 2 of the 4 kexts [com.bit9.KernelSupport, com.bit9.SystemProxy] are found still loaded.

  • EP-15398: App Control b9cli status returns nothing and does not work

    This is an intermittent issue. Sometimes the b9cli command line tool does not show the output.

  • EP-15747: Manually importing 'configlist.xml' from the server results in a disconnected agent, even after machine reboot.

  • EP-15756: Ban rule not applied to Mac agent after importing configlist.xml from the server

  • EP-16577: If a file rule is added with ban by name, the ban state of the file is not reflected in b9cli find command

  • EP-20764: Time Machine Volume should not undergo initialization process
