VMware Carbon Black Cloud macOS Sensor 220.127.116.11 | 15 DEC 2021 | Build 18.104.22.168
Check for additions and updates to these release notes.
VMware Carbon Black Cloud macOS Sensor 22.214.171.124 includes the following improvements:
|126.96.36.199 DMG SHA256 Checksum||9235ac4b3f147d7efc9458c87749a582b4a581462895c95dd60d72a6b94306e1|
|188.8.131.52 PKG SHA256 Checksum||e2f2fab3c488c90aefaa9ff565f545bc8ec23e97a89a3469f0eca771a9371afb|
Apple Silicon support
The 184.108.40.206 Carbon Black Cloud sensor delivers native operation on Apple Silicon hardware, with the exception of the LiveOps (OSQuery engine) because there is no universal binary available yet. Rosetta will be necessary to leverage Audit & Remediation functionality until a universal OSQuery engine binary is available.
macOS Monterey support
Sensor version 220.127.116.11 supports operation on macOS Monterey via System Extensions. Legacy Kernel Extension mode operation is not supported on macOS 12 Monterey. For customers who plan to upgrade macOS 11 Big Sur endpoints running the Kernel Extension to Monterey, we recommend using a management tool like Workspace ONE, Jamf, etc. to deploy the 3.6 sensor. Cloud upgrade does not support Kernel Extension mode upgrades from macOS 11 to macOS 12.
As always, to ensure full sensor enablement we recommend that endpoints are preconfigured with System Extension pre-approval via MDM before deployment of the sensor.
Supported operating modes
|Supported Operating System||Supported Modes and Architectures|
|macOS 10.15 (Catalina)||Kernel Extension (Intel only)|
|macOS 11 (Big Sur)||Kernel Extension (Intel only); System Extension (Intel, Apple Silicon)|
|macOS 12 (Monterey)||System Extension (Intel, Apple Silicon)|
The following issues were fixed in this version of the software.
DSEN-15365: Resolved an issue where NTFS-formatted USB devices were not being blocked (EA-19424)
CBC-9429: Quality improvements made to configuration management
DSEN-15600: The CBCloudUI widget crashed when selecting About Carbon Black Cloud from the drop-down menu
Selecting Open failed to display the window showing protection events.
DSEN-15782: Email address was incorrectly populated by a company code on < 1% of macOS sensors (EA-19673)
DSEN-15597: Improved error handling when sensor downloads data files
DSEN-14909: Log collection enhancements
DSEN-14892: Minor user interface enhancement
DSEN-14394: Improved recovery mechanism of sensor data files that, in rare circumstances, could occur after unexpected machine shutdown
DSEN-14761 & DSEN-14003: Improved sensor tamper protection efficacy for sensor operating in Kernel Extension mode
DSEN-15228: Fixed rare repCLI reporting issue
The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.
DSEN-3669: (CB Defense) Old canary files, specifically with variable or random file names, are not always properly cleaned up by the sensor (sensor version found: 18.104.22.168)
This can cause ransomware false positives.
DSEN-3740: When a device is removed from an AD domain, the sensor is still reflected within that domain in the Endpoints page and remains in a sensor group (sensor version found: 22.214.171.124)
The sensor must be taken out of auto-assignment to make policy updates to that sensor.
As a workaround, you can manually remove the sensor from the AD group and assign a policy (click into the device, turn off auto-assign, and change the policy).
DSEN-2543: The unattended install script does not accept multiple long options (sensor version found: 126.96.36.199)
The workaround is to always provide a value (such as 0 or 1) for every long option, following the = character; for example: --downgrade=1 --skip-kext-approval-check=1.
DSEN-3702 & DSEN-8839: Malware Removal infrequently and inaccurately reports actions that were or were not taken (sensor version found: 188.8.131.52)
DSEN-8799: Rare issue where repmgr service crashes on shutdown in absence of network connectivity (sensor version found: 184.108.40.206)
The issue has no impact on end-user or product efficacy.
DSEN-7849: (Audit & Remediation) A sensor that is configured for Audit and Remediation-only does not block network connections when the endpoint is quarantined (sensor version found: 220.127.116.11)
If Full Disk Access is misconfigured, Live Response sessions display a generic error message when attempting to access ~/Desktop, ~/Documents, or ~/Downloads (sensor version found: 18.104.22.168)
The generic error returned in this case will be improved to be Full Disk Access-specific. See MDM documentation for instructions on how to give the sensor Full Disk Access.
Per Apple, an MDM is required for KEXT installation and approval on macOS 11 (sensor version found: 22.214.171.124)
Installing the sensor into KEXT mode without an MDM will not work.
Configure MDM KEXT pre-approval before installation, and use the custom RebuildKernelCache command or manually approve the KEXT and reboot OS after install.
Prevention capability is not available with the macOS Big Sur sensor in System Extensions mode (sensor version found: 126.96.36.199)
Install the sensor in KEXT mode for prevention functionality. Full prevention functionality on the System Extension-enabled sensor will be available in future releases.
Failing to approve the System Extension prompt will leave the sensor unable to check in with the backend until system extension is approved (sensor version found: 188.8.131.52)
Configure System Extension MDM approvals before install.
Pre-execution prevention capability is not available with the macOS Big Sur sensor in System Extensions mode (sensor version found: 184.108.40.206)
Applications are not blocked at launch. This release does support post-execution prevention.
Install the sensor in KEXT mode for full prevention functionality.
DSEN-14562: If a sensor exits bypass mode, device discovery events may not be generated for devices plugged in while the sensor was in bypass mode (sensor version found: 220.127.116.11)
System Extension sensor upgrade or uninstall can fail with error code 4096 in rare circumstances (sensor version found: 18.104.22.168)
For manual remediation steps, see: Carbon Black Cloud: Unable to upgrade or install due to existing system extension (macOS)
Including the sensor as part of migrating data from Intel to an Apple Silicon machine (i.e. Migration Assistant) is not a supported workflow (sensor version found: 22.214.171.124)
The recommended workflow is to uninstall the sensor before migration or exclude the sensor during migration and install it on the target machine.
126.96.36.199 is the first GA version supporting the Apple Silicon chipset (sensor version found: 188.8.131.52)
Sensor downgrade to versions prior to 184.108.40.206 is therefore not officially supported on Apple Silicon machines. Doing so would bring the sensor to a version that does not officially support Apple Silicon, causing the sensor to run in emulation mode.
Note that downgrade behavior and expectations on Intel machines do not change.
We are aware that some customers are utilizing the 3.5.x versions for emulated support of the sensor on Apple Silicon chip sets.
The recommended downgrade path from Apple Silicon native sensors (any 3.6.x+ sensor) to any Apple Silicon pre-native sensor (any sensor prior to 3.6.x) is via uninstall of the native sensor and installation of the pre-native emulated version.
Utilizing standard downgrade behaviors is unsupported and can lead to undefined behavior.
If a Kernel Extension sensor is installed in macOS Catalina, and an OS upgrade to Big Sur occurs, users might see an extraneous Kernel Extension approval pop-up, despite the Kernel Extension already being approved (sensor version found: 220.127.116.11)
Users can safely re-approve the Kernel Extension or safely ignore the pop-up. Users should re-approve Kernel Extension upon any future sensor upgrades.
Limited LiveOps support on Apple Silicon devices (sensor version found: 18.104.22.168)
In the current release, LiveOps functionality on Apple Silicon devices is limited to endpoints that have Rosetta preinstalled. Due to current limitations of the OSQuery engine, not all queries work fully on Apple Silicon chipsets, even with Rosetta. If Rosetta is not installed on the Apple Silicon devices, LiveOps queries will not run and will display an “Environment Not Supported” console message for the affected endpoints.
The LiveOps Apple Silicon limitations will be addressed in future sensor releases that will provide full native Apple Silicon/Apple Silicon OSQuery support.