VMware Carbon Black Cloud macOS Sensor 3.6.1.10 Release Notes

VMware Carbon Black Cloud 3.6.1.10 \| 15 DEC 2021 \| Build 3.6.1.10 Check for additions and updates to these release notes.

VMware Carbon Black Cloud 3.6.1.10 | 15 DEC 2021 | Build 3.6.1.10

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud macOS Sensor 3.6.1.10 includes the following improvements:

Important notes

Sensor upgrades should not be performed while the sensor is in bypass mode while in System Extension mode. Upgrading the sensor in System Extensions mode while in bypass disables the sensor until a reboot is performed on the endpoint.
This release supports macOS 10.15 - 12. MacOS 10.14 is no longer supported.
Sensor version 3.8.0 and future sensor versions no longer support Kernel Extension approval as well as macOS11 and prior Operating Systems. Customers must use System Extension approval.

Resources

macOS Big Sur and Later Documentation Master List
Sensor Installation Guide
Installing the Sensor with Jamf Pro
Installing the Sensor with Workspace ONE

Release checksums


3.6.1.10 DMG SHA256 Checksum	9235ac4b3f147d7efc9458c87749a582b4a581462895c95dd60d72a6b94306e1
3.6.1.10 PKG SHA256 Checksum	e2f2fab3c488c90aefaa9ff565f545bc8ec23e97a89a3469f0eca771a9371afb

Apple Silicon support

The 3.6.1.10 Carbon Black Cloud sensor delivers native operation on Apple Silicon hardware, with the exception of the LiveOps (OSQuery engine) because there is no universal binary available yet. Rosetta will be necessary to leverage Audit & Remediation functionality until a universal OSQuery engine binary is available.

macOS Monterey support

Sensor version 3.6.1.10 supports operation on macOS Monterey via System Extensions. Legacy Kernel Extension mode operation is not supported on macOS 12 Monterey. For customers who plan to upgrade macOS11 Big Sur endpoints running the Kernel Extension to Monterey, we recommend using a management tool like Workspace ONE, Jamf, etc. to deploy the 3.6 sensor. Cloud upgrade does not support Kernel Extension mode upgrades from macOS 11 to macOS 12.

As always, to ensure full sensor enablement we recommend that endpoints are preconfigured with System Extension pre-approval via MDM before deployment of the sensor.

Supported operating modes

Supported Operating System	Supported Modes and Architectures
macOS 10.15 (Catalina)	Kernel Extension (Intel only)
macOS 11 (Big Sur)	Kernel Extension (Intel only) System Extension (Intel, Apple Silicon)
macOS 12 (Monterey)	System Extension (Intel, Apple Silicon)

Supported Operating System

Supported Modes and Architectures

macOS 10.15 (Catalina)

Kernel Extension (Intel only)

macOS 11 (Big Sur)

Kernel Extension (Intel only)

System Extension (Intel, Apple Silicon)

macOS 12 (Monterey)

System Extension (Intel, Apple Silicon)

Resolved Issues

The following issues were fixed in this version of the software.

DSEN-15228: Fixed rare repCLI reporting issue
DSEN-14761 & DSEN-14003: Improved sensor tamper protection efficacy for sensor operating in Kernel Extension mode
DSEN-14394: Improved recovery mechanism of sensor data files that, in rare circumstances, could occur after unexpected machine shutdown
DSEN-14892: Minor user interface enhancement
DSEN-14909: Log collection enhancements
DSEN-15597: Improved error handling when sensor downloads data files
DSEN-15782: Email address was incorrectly populated by a company code on < 1% of macOS sensors (EA-19673)
DSEN-15600: The CBCloudUI widget crashed when selecting About Carbon Black Cloud from the drop-down menu

Selecting Open failed to display the window showing protection events.
CBC-9429: Quality improvements made to configuration management
DSEN-15365 - Resolved an issue where NTFS-formatted USB devices were not being blocked (EA-19424)

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

Limited LiveOps support on Apple Silicon devices (sensor version found: 3.6.1.10)

In the current release, LiveOps functionality on Apple Silicon devices is limited to endpoints that have Rosetta preinstalled. Due to current limitations of the OSQuery engine, not all queries work fully on Apple Silicon chipsets, even with Rosetta.If Rosetta is not installed on the Apple Silicon devices, LiveOps queries will not run and will display a “Environment Not Supported” console message for the affected endpoints.

The LiveOps Apple Silicon limitations will be addressed in future sensor releases that will provide full native Apple Silicon/Apple Silicon OSQuery support.
If a Kernel Extension sensor is installed in macOS Catalina, and an OS upgrade to Big Sur occurs, users might see an extraneous Kernel Extension approval pop-up, despite the Kernel Extension already being approved (sensor version found: 3.6.1.10)

Users can safely re-approve the Kernel Extension or safely ignore the pop-up. Users should re-approve Kernel Extension upon any future sensor upgrades.
3.6.1.10 is the first GA version supporting the Apple Silicon chipset (sensor version found: 3.6.1.10)

Sensor downgrade to versions prior to 3.6.1.10 is therefore not officially supported on Apple Silicon machines. Doing so would bring the sensor to a version that does not officially support Apple Silicon, causing the sensor to run in emulation mode.

Note that downgrade behavior/expectations on Intel machines does not change.

We are aware that some customers are utilizing the 3.5.x versions for emulated support of the sensor on Apple Silicon chip sets.

The recommended downgrade path from Apple Silicon native sensors (any 3.6.x+ sensor) to any Apple Silicon pre-native sensor (any sensor prior to 3.6.x) is via uninstall of the native sensor and installation of the pre-native emulated version

Utilizing standard downgrade behaviors is unsupported and can lead to undefined behavior.
Including the sensor as part of migrating data from Intel to an Apple Silicon machine (i.e. Migration Assistant) is not a supported workflow (sensor version found: 3.6.1.10)

The recommended workflow is to uninstall the sensor before migration or exclude the sensor during migration and install it on the target machine.
System Extension sensor upgrade or uninstall can fail with error code 4096 in rare circumstances (sensor version found: 3.6.1.10)

For manual remediation steps, see: Carbon Black Cloud: Unable to upgrade or install due to existing system extension (macOS)
DSEN-14562: If a sensor exits bypass mode, device discovery events may not be generated for devices plugged in while the sensor was in bypass mode (sensor version found: 3.5.3.82)
Pre-execution prevention capability is not available with the macOS Big Sur sensor in System Extensions mode (sensor version found: 3.5.2.78)

Applications are not blocked at launch. This release does support post-execution prevention. Learn more.

Install the sensor in KEXT mode for full prevention functionality. Learn more.
Failing to approve the System Extension prompt will leave the sensor unable to check in with the backend until system extension is approved (sensor version found: 3.5.2.78)

Configure System Extension MDM approvals before install.
Prevention capability is not available with the macOS Big Sur sensor in System Extensions mode (sensor version found: 3.5.1.19)

Learn more.

Install the sensor in KEXT mode for prevention functionality. Full prevention functionality on the System Extension-enabled sensor will be available in future releases. Learn more.
Per Apple, an MDM is required for KEXT installation and approval on macOS 11 (sensor version found: 3.5.1.19)

Installing the sensor into KEXT mode without an MDM will not work. Learn more.

Configure MDM KEXT pre-approval before installation, and use the custom RebuildKernelCache command or manually approve the KEXT and reboot OS after install. Learn more.
If Full Disk Access is misconfigured, Live Response sessions display a generic error message when attempting to access ~/Desktop, ~/Documents, or ~/Downloads (sensor version found: 3.5.1.19)

The generic error returned in this case will be improved to be Full Disk Access-specific. See MDM documentation for instructions on how to give the sensor Full Disk Access. Learn more.
DSEN-7849: (Audit & Remediation) A sensor that is configured for Audit and Remediation-only does not block network connections when the endpoint is quarantined (sensor version found: 3.4.3.44)
DSEN-8799: Rare issue where repmgr service crashes on shutdown in absence of network connectivity (sensor version found: 3.4.3.44)

The issue has no impact on end-user or product efficacy.
DSEN-3702 & DSEN-8839: Malware Removal infrequently and inaccurately reports actions that were or were not taken (sensor version found: 3.4.1.7)
DSEN-2543: The unattended install script does not accept multiple long options (sensor version found: 3.4.1.7)

The workaround is to always provide a value (such as 0 or 1) next to every long option following = character; for example: --downgrade=1 --skip-kext-approval-check=1.
DSEN-3740: When a device is removed from an AD domain, the sensor is still reflected within that domain in the Endpoints page and remains in a sensor group (sensor version found: 3.4.1.7)

The sensor must be taken out of auto-assignment to make policy updates to that sensor.

As a workaround, you can manually remove the sensor from the AD group and assign a policy (click into the device, turn off auto-assign, and change the policy).
DSEN-3669: (CB Defense) Old canary files, specifically with variable or random file names, are not always properly cleaned up by the sensor (sensor version found: 3.4.1.7)

This can cause ransomware false positives.