What's New

Resolved Issues

• DSEN-17915: Fixed an issue with sensor upgrade failing in rare instances while performing integrity verification

• DSEN-17966: Fixed an issue due to a compatibility change Apple has made in macOS 12.3 with regards to their internal protocols: all sensor versions prior to 3.6.2 will not support macOS 12.3

Known Issues

• Network Connectivity Symptoms

  -Network is slow or disconnects entirely when MacOS is connected to Ethernet Adapter

  -Connections to servers are slow or timing out

  -Putting the Sensor in Bypass does not resolve the issue

  Carbon Black is investigating this issue further with Apple to confirm if this is a bug in the Operating System or if there is an interoperability issue with other software which needs to be resolved.

  Please check this KB article for additional information and updates: https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-Network-is-Slow-or-Disconnects-after-Sensor/ta-p/109745

• Limited LiveOps support on Apple Silicon devices

  In the current release, LiveOps functionality on Apple Silicon devices is limited to endpoints that have Rosetta preinstalled. Due to current limitations of the OSQuery engine, not all queries work fully on Apple Silicon chipsets, even with Rosetta.If Rosetta is not installed on the Apple Silicon devices, LiveOps queries will not run and will display a “Environment Not Supported” console message for the affected endpoints.

  The LiveOps Apple Silicon limitations will be addressed in future sensor releases that will provide full native Apple Silicon/Apple Silicon OSQuery support.

• Kernel Extension approval pop-up

  If a Kernel Extension sensor is installed in macOS Catalina, and an OS upgrade to Big Sur occurs, users might see an extraneous Kernel Extension approval pop-up, despite the Kernel Extension already being approved.

  Users can safely re-approve the Kernel Extension or safely ignore the pop-up. Users should re-approve Kernel Extension upon any future sensor upgrades.

• Apple Silicon chip set

  3.6.1.10 was the first GA version supporting the Apple Silicon chipset. Sensor downgrade to 3.5.x versions prior to 3.6.1.10 is therefore not officially supported on Apple Silicon machines. Doing so would bring the sensor to a version that does not officially support Apple Silicon, causing the sensor to run in emulation mode. 

  Note that downgrade behavior/expectations on Intel machines does not change.

  We are aware that some customers are utilizing the 3.5.x versions for emulated support of the sensor on Apple Silicon chip sets. 

  The recommended downgrade path from Apple Silicon native sensors (any 3.6.x+ sensor) to any Apple Silicon pre-native sensor (any sensor prior to 3.6.x) is via uninstall of the native sensor and installation of the pre-native emulated version

  Utilizing standard downgrade behaviors is unsupported and can lead to undefined behavior.

• Migrating data from Intel to an Apple Silicon machine

  Including the sensor as part of migrating data from Intel to an Apple Silicon machine (i.e. Migration Assistant) is not a supported workflow.

  The recommended workflow is to uninstall the sensor before migration or exclude the sensor during migration and install it on the target machine.

• DSEN-15839: Report message is displaying the translocated path

  When notifying users of XProtect blocks, it was identified that the report message is displaying the translocated path rather than the execution path.

• DSEN-16229: System Extension install and Kernel Extension install on macOS 11+

  System Extension install and Kernel Extension install on macOS 11+ with the “-d off” flag doesn’t install into bypass mode. This issue was recently discovered and impacts the 3.5 and 3.6 sensor.

  The recommended workaround is to put the sensor into bypass mode after installation through other methods such as the Carbon Black Cloud Console or the endpoint user interface.

• DSEN-3669: (CB Defense) Old canary files, specifically with variable or random file names, are not always properly cleaned up by the sensor (sensor version found: 3.4.1.7)

  This can cause ransomware false positives.

• DSEN-3740: When a device is removed from an AD domain, the sensor is still reflected within that domain in the Endpoints page and remains in a sensor group (sensor version found: 3.4.1.7)

  The sensor must be taken out of auto-assignment to make policy updates to that sensor.

  As a workaround, you can manually remove the sensor from the AD group and assign a policy (click into the device, turn off auto-assign, and change the policy).

• DSEN-2543: The unattended install script does not accept multiple long options (sensor version found: 3.4.1.7)

  The workaround is to always provide a value (such as 0 or 1) next to every long option following = character; for example: --downgrade=1 --skip-kext-approval-check=1.

• DSEN-3702 & DSEN-8839: Malware Removal infrequently and inaccurately reports actions that were or were not taken (sensor version found: 3.4.1.7)

• DSEN-8799: Rare issue where repmgr service crashes on shutdown in absence of network connectivity (sensor version found: 3.4.3.44)

  The issue has no impact on end-user or product efficacy.

• DSEN-7849: (Audit & Remediation) A sensor that is configured for Audit and Remediation-only does not block network connections when the endpoint is quarantined (sensor version found: 3.4.3.44)

• If Full Disk Access is misconfigured, Live Response sessions display a generic error message when attempting to access ~/Desktop, ~/Documents, or ~/Downloads (sensor version found: 3.5.1.19)

  The generic error returned in this case will be improved to be Full Disk Access-specific. See MDM documentation for instructions on how to give the sensor Full Disk Access. Learn more.

• Per Apple, an MDM is required for KEXT installation and approval on macOS 11 (sensor version found: 3.5.1.19)

  Installing the sensor into KEXT mode without an MDM will not work. Learn more.

  Configure MDM KEXT pre-approval before installation, and use the custom RebuildKernelCache command or manually approve the KEXT and reboot OS after install. Learn more.

• Prevention capability is not available with the macOS Big Sur sensor in System Extensions mode (sensor version found: 3.5.1.19)

  Learn more.

  Install the sensor in KEXT mode for prevention functionality. Full prevention functionality on the System Extension-enabled sensor will be available in future releases. Learn more.

• Failing to approve the System Extension prompt will leave the sensor unable to check in with the backend until system extension is approved (sensor version found: 3.5.2.78)

  Configure System Extension MDM approvals before install.

• Pre-execution prevention capability is not available with the macOS Big Sur sensor in System Extensions mode (sensor version found: 3.5.2.78)

  Applications are not blocked at launch. This release does support post-execution prevention. Learn more.

  Install the sensor in KEXT mode for full prevention functionality. Learn more.

• DSEN-14562: If a sensor exits bypass mode, device discovery events may not be generated for devices plugged in while the sensor was in bypass mode (sensor version found: 3.5.3.82)

• System Extension sensor upgrade or uninstall can fail with error code 4096 in rare circumstances (sensor version found: 3.6.1.10)

  For manual remediation steps, see: Carbon Black Cloud: Unable to upgrade or install due to existing system extension (macOS)

• Including the sensor as part of migrating data from Intel to an Apple Silicon machine (i.e. Migration Assistant) is not a supported workflow (sensor version found: 3.6.1.10)

  The recommended workflow is to uninstall the sensor before migration or exclude the sensor during migration and install it on the target machine.

• 3.6.1.10 is the first GA version supporting the Apple Silicon chipset (sensor version found: 3.6.1.10)

  Sensor downgrade to versions prior to 3.6.1.10 is therefore not officially supported on Apple Silicon machines. Doing so would bring the sensor to a version that does not officially support Apple Silicon, causing the sensor to run in emulation mode.

  Note that downgrade behavior/expectations on Intel machines does not change.

  We are aware that some customers are utilizing the 3.5.x versions for emulated support of the sensor on Apple Silicon chip sets.

  The recommended downgrade path from Apple Silicon native sensors (any 3.6.x+ sensor) to any Apple Silicon pre-native sensor (any sensor prior to 3.6.x) is via uninstall of the native sensor and installation of the pre-native emulated version

  Utilizing standard downgrade behaviors is unsupported and can lead to undefined behavior.

• If a Kernel Extension sensor is installed in macOS Catalina, and an OS upgrade to Big Sur occurs, users might see an extraneous Kernel Extension approval pop-up, despite the Kernel Extension already being approved (sensor version found: 3.6.1.10)

  Users can safely re-approve the Kernel Extension or safely ignore the pop-up. Users should re-approve Kernel Extension upon any future sensor upgrades.

• Limited LiveOps support on Apple Silicon devices (sensor version found: 3.6.1.10)

  In the current release, LiveOps functionality on Apple Silicon devices is limited to endpoints that have Rosetta preinstalled. Due to current limitations of the OSQuery engine, not all queries work fully on Apple Silicon chipsets, even with Rosetta.If Rosetta is not installed on the Apple Silicon devices, LiveOps queries will not run and will display a “Environment Not Supported” console message for the affected endpoints.

  The LiveOps Apple Silicon limitations will be addressed in future sensor releases that will provide full native Apple Silicon/Apple Silicon OSQuery support.