VMware Carbon Black Cloud 3.6.2.110 | 17 MAR 2022 | Build 3.6.2.110 Check for additions and updates to these release notes. |
VMware Carbon Black Cloud 3.6.2.110 | 17 MAR 2022 | Build 3.6.2.110 Check for additions and updates to these release notes. |
VMware Carbon Black Cloud macOS Sensor 3.6.2.110 includes improvements and bug fixes.
Important notes
System Extension sensor upgrades should not be performed while the sensor is in bypass mode. Upgrading the sensor in System Extensions mode while in bypass disables the sensor until a reboot is performed on the endpoint.
This release supports macOS 10.15 - 12.X. Please refer to the macOS support link under Resources for more details.
Sensor version 3.8.0 and future sensor versions no longer support Kernel Extension approval as well as macOS11 and prior Operating Systems. Customers must use System Extension approval.
Resources
Release checksums
3.6.2.110 DMG SHA256 Checksum |
b3c67cc508e61c91a56c230ab12dd2307620b17f0901ce6e60851b4a645127f8 |
3.6.2.110 PKG SHA256 Checksum |
abd5b14a1c07762f4bb28d853539ee11c1b8df5a8001ed2868678ab4424afeee |
macOS 12.3 support
Due to a compatibility-related change Apple has made in version 12.3 with regards to their internal protocols, all sensor versions prior to 3.6.2 will not support macOS 12.3.
Systems that upgrade to macOS version 12.3 before installing the 3.6.2 sensor will incorrectly display the sensor as active from the console; however the sensor will be in a bypass state causing a lapse in endpoint protection.
To maintain endpoint protection, install the 3.6.2 sensor before upgrading to macOS 12.3.
Please see these KB articles for more information:
macOS Monterey support
Sensor version 3.6.2.110 supports operation on macOS Monterey via System Extensions. Legacy Kernel Extension mode operation is not supported on macOS 12 Monterey. For customers who plan to upgrade macOS 11 Big Sur endpoints running the Kernel Extension to Monterey, we recommend using a management tool like Workspace ONE, Jamf or similar MDM solution, to deploy the 3.6 sensor. Cloud upgrade does not support Kernel Extension mode upgrades from macOS 11 to macOS 12.
As always, to ensure full sensor enablement we recommend that endpoints are preconfigured with System Extension pre-approval via MDM before deployment of the sensor.
Supported operating modes
Supported Operating System |
Supported Modes and Architectures |
---|---|
macOS 10.15 (Catalina) |
Kernel Extension (Intel only) |
macOS 11 (Big Sur) |
Kernel Extension (Intel only) System Extension (Intel, Apple Silicon) |
macOS 12 (Monterey) |
System Extension (Intel, Apple Silicon) |
The following issues were fixed in this version of the software.
DSEN-17915: Fixed an issue with sensor upgrade failing in rare instances while performing integrity verification
DSEN-17966: Fixed an issue due to a compatibility change Apple has made in macOS 12.3 with regards to their internal protocols: all sensor versions prior to 3.6.2 will not support macOS 12.3
The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.
Network Connectivity Symptoms
-Network is slow or disconnects entirely when MacOS is connected to Ethernet Adapter
-Connections to servers are slow or timing out
-Putting the Sensor in Bypass does not resolve the issue
Carbon Black is investigating this issue further with Apple to confirm if this is a bug in the Operating System or if there is an interoperability issue with other software which needs to be resolved.
Please check this KB article for additional information and updates: https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-Network-is-Slow-or-Disconnects-after-Sensor/ta-p/109745
Limited LiveOps support on Apple Silicon devices
In the current release, LiveOps functionality on Apple Silicon devices is limited to endpoints that have Rosetta preinstalled. Due to current limitations of the OSQuery engine, not all queries work fully on Apple Silicon chipsets, even with Rosetta.If Rosetta is not installed on the Apple Silicon devices, LiveOps queries will not run and will display a “Environment Not Supported” console message for the affected endpoints.
The LiveOps Apple Silicon limitations will be addressed in future sensor releases that will provide full native Apple Silicon/Apple Silicon OSQuery support.
Kernel Extension approval pop-up
If a Kernel Extension sensor is installed in macOS Catalina, and an OS upgrade to Big Sur occurs, users might see an extraneous Kernel Extension approval pop-up, despite the Kernel Extension already being approved.
Users can safely re-approve the Kernel Extension or safely ignore the pop-up. Users should re-approve Kernel Extension upon any future sensor upgrades.
Apple Silicon chip set
3.6.1.10 was the first GA version supporting the Apple Silicon chipset. Sensor downgrade to 3.5.x versions prior to 3.6.1.10 is therefore not officially supported on Apple Silicon machines. Doing so would bring the sensor to a version that does not officially support Apple Silicon, causing the sensor to run in emulation mode.
Note that downgrade behavior/expectations on Intel machines does not change.
We are aware that some customers are utilizing the 3.5.x versions for emulated support of the sensor on Apple Silicon chip sets.
The recommended downgrade path from Apple Silicon native sensors (any 3.6.x+ sensor) to any Apple Silicon pre-native sensor (any sensor prior to 3.6.x) is via uninstall of the native sensor and installation of the pre-native emulated version
Utilizing standard downgrade behaviors is unsupported and can lead to undefined behavior.
Migrating data from Intel to an Apple Silicon machine
Including the sensor as part of migrating data from Intel to an Apple Silicon machine (i.e. Migration Assistant) is not a supported workflow.
The recommended workflow is to uninstall the sensor before migration or exclude the sensor during migration and install it on the target machine.
DSEN-15839: Report message is displaying the translocated path
When notifying users of XProtect blocks, it was identified that the report message is displaying the translocated path rather than the execution path.
DSEN-16229: System Extension install and Kernel Extension install on macOS 11+
System Extension install and Kernel Extension install on macOS 11+ with the “-d off” flag doesn’t install into bypass mode. This issue was recently discovered and impacts the 3.5 and 3.6 sensor.
The recommended workaround is to put the sensor into bypass mode after installation through other methods such as the Carbon Black Cloud Console or the endpoint user interface.
DSEN-3669: (CB Defense) Old canary files, specifically with variable or random file names, are not always properly cleaned up by the sensor (sensor version found: 3.4.1.7)
This can cause ransomware false positives.
DSEN-3740: When a device is removed from an AD domain, the sensor is still reflected within that domain in the Endpoints page and remains in a sensor group (sensor version found: 3.4.1.7)
The sensor must be taken out of auto-assignment to make policy updates to that sensor.
As a workaround, you can manually remove the sensor from the AD group and assign a policy (click into the device, turn off auto-assign, and change the policy).
DSEN-2543: The unattended install script does not accept multiple long options (sensor version found: 3.4.1.7)
The workaround is to always provide a value (such as 0 or 1) next to every long option following = character; for example: --downgrade=1 --skip-kext-approval-check=1.
DSEN-3702 & DSEN-8839: Malware Removal infrequently and inaccurately reports actions that were or were not taken (sensor version found: 3.4.1.7)
DSEN-8799: Rare issue where repmgr service crashes on shutdown in absence of network connectivity (sensor version found: 3.4.3.44)
The issue has no impact on end-user or product efficacy.
DSEN-7849: (Audit & Remediation) A sensor that is configured for Audit and Remediation-only does not block network connections when the endpoint is quarantined (sensor version found: 3.4.3.44)
If Full Disk Access is misconfigured, Live Response sessions display a generic error message when attempting to access ~/Desktop, ~/Documents, or ~/Downloads (sensor version found: 3.5.1.19)
The generic error returned in this case will be improved to be Full Disk Access-specific. See MDM documentation for instructions on how to give the sensor Full Disk Access. Learn more.
Per Apple, an MDM is required for KEXT installation and approval on macOS 11 (sensor version found: 3.5.1.19)
Installing the sensor into KEXT mode without an MDM will not work. Learn more.
Configure MDM KEXT pre-approval before installation, and use the custom RebuildKernelCache command or manually approve the KEXT and reboot OS after install. Learn more.
Prevention capability is not available with the macOS Big Sur sensor in System Extensions mode (sensor version found: 3.5.1.19)
Learn more.
Install the sensor in KEXT mode for prevention functionality. Full prevention functionality on the System Extension-enabled sensor will be available in future releases. Learn more.
Failing to approve the System Extension prompt will leave the sensor unable to check in with the backend until system extension is approved (sensor version found: 3.5.2.78)
Configure System Extension MDM approvals before install.
Pre-execution prevention capability is not available with the macOS Big Sur sensor in System Extensions mode (sensor version found: 3.5.2.78)
Applications are not blocked at launch. This release does support post-execution prevention. Learn more.
Install the sensor in KEXT mode for full prevention functionality. Learn more.
DSEN-14562: If a sensor exits bypass mode, device discovery events may not be generated for devices plugged in while the sensor was in bypass mode (sensor version found: 3.5.3.82)
System Extension sensor upgrade or uninstall can fail with error code 4096 in rare circumstances (sensor version found: 3.6.1.10)
For manual remediation steps, see: Carbon Black Cloud: Unable to upgrade or install due to existing system extension (macOS)
Including the sensor as part of migrating data from Intel to an Apple Silicon machine (i.e. Migration Assistant) is not a supported workflow (sensor version found: 3.6.1.10)
The recommended workflow is to uninstall the sensor before migration or exclude the sensor during migration and install it on the target machine.
3.6.1.10 is the first GA version supporting the Apple Silicon chipset (sensor version found: 3.6.1.10)
Sensor downgrade to versions prior to 3.6.1.10 is therefore not officially supported on Apple Silicon machines. Doing so would bring the sensor to a version that does not officially support Apple Silicon, causing the sensor to run in emulation mode.
Note that downgrade behavior/expectations on Intel machines does not change.
We are aware that some customers are utilizing the 3.5.x versions for emulated support of the sensor on Apple Silicon chip sets.
The recommended downgrade path from Apple Silicon native sensors (any 3.6.x+ sensor) to any Apple Silicon pre-native sensor (any sensor prior to 3.6.x) is via uninstall of the native sensor and installation of the pre-native emulated version
Utilizing standard downgrade behaviors is unsupported and can lead to undefined behavior.
If a Kernel Extension sensor is installed in macOS Catalina, and an OS upgrade to Big Sur occurs, users might see an extraneous Kernel Extension approval pop-up, despite the Kernel Extension already being approved (sensor version found: 3.6.1.10)
Users can safely re-approve the Kernel Extension or safely ignore the pop-up. Users should re-approve Kernel Extension upon any future sensor upgrades.
Limited LiveOps support on Apple Silicon devices (sensor version found: 3.6.1.10)
In the current release, LiveOps functionality on Apple Silicon devices is limited to endpoints that have Rosetta preinstalled. Due to current limitations of the OSQuery engine, not all queries work fully on Apple Silicon chipsets, even with Rosetta.If Rosetta is not installed on the Apple Silicon devices, LiveOps queries will not run and will display a “Environment Not Supported” console message for the affected endpoints.
The LiveOps Apple Silicon limitations will be addressed in future sensor releases that will provide full native Apple Silicon/Apple Silicon OSQuery support.