VMware Carbon Black Cloud 3.7.2.77 | 09 NOV 2022 | Build 3.7.2.77

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud macOS Sensor 3.7.2.77 includes new improvements and bug fixes.

Important notes

This release supports macOS 11 - 12 and is macOS 13-compatible. Please refer to the macOS support link under Resources for more details.

This release does not support macOS 10.15.

Resources

Release checksums

3.7.2.77 DMG SHA256 Checksum

03a9ce9fdd3a55bcabffb80451efd5735a3c84c0fbabf2fb6e56c959ce7cb563

3.7.2.77 PKG SHA256 Checksum

7cd99a7347ceab8953d7b0cb3152e0030107fa7dee1bba5bce2c33cf305aed34

Supported operating modes

| Supported Operating System | Supported Modes and Architectures |
|---|---|
| macOS 11 (Big Sur) | Kernel Extension (Intel only), System Extension (Intel, Apple Silicon) |
| macOS 12 (Monterey) | System Extension (Intel, Apple Silicon) |
| macOS 13 (Ventura) - ready | System Extension (Intel, Apple Silicon) |

  • MDM Workaround

    Apple has announced a known issue with macOS 13 that impacts third-party products in non-MDM deployments.

    All non-MDM Carbon Black customers should refer to Apple’s 13.1 Beta Release Notes Known Issue 100857507 for details and a workaround that our team has independently verified.

    macOS Ventura 13.1 Beta Release Notes | Apple Developer Documentation

  • macOS 13 Ventura-ready

    Sensor version 3.7.2 is macOS Ventura-ready via System Extensions. Legacy Kernel Extension mode operation is not supported on macOS Ventura.

    For customers who plan to upgrade macOS 11 Big Sur endpoints running the Kernel Extension to macOS Ventura, we recommend using a management tool such as Workspace ONE, Jamf, or similar MDM solution to deploy the 3.7.2 sensor. Carbon Black Cloud upgrade does not support Kernel Extension mode upgrades from macOS 11 to macOS 13.

    To ensure full sensor enablement, we recommend that endpoints are preconfigured with System Extension pre-approval using MDM before deployment of the sensor.

    macOS 13 Ventura added a service management user interface, which allows admin users to disable essential background sensor services. The following MDM configuration is required to disable this user option.

    MDM configuration payload type : com.apple.servicemanagement

    RuleType : TeamIdentifier

    RuleValue : 7AGZNQ2S2T

    *Validated on macOS Ventura Beta

    Note: MDM product support is required to use the new configuration payload type. VMware Workspace ONE "Custom Settings" supports configuration of new payload types.
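An added example (not VMware's or Apple's own code): a Python sketch that builds a configuration profile carrying the payload type, RuleType and RuleValue listed above, and reads a profile back to list its TeamIdentifier rules, which is useful for auditing what an MDM actually deploys. The `Rules` and `Comment` keys come from Apple's managed login items payload schema rather than this page; the `com.example.mdm` identifier prefix, display name and comment text are placeholders.

```python
import plistlib
import re
import uuid

# Payload type and Team ID as listed in the release notes.
PAYLOAD_TYPE = "com.apple.servicemanagement"
CB_TEAM_ID = "7AGZNQ2S2T"

def build_profile(team_id=CB_TEAM_ID, prefix="com.example.mdm"):
    """Return .mobileconfig XML bytes with one TeamIdentifier rule."""
    # Apple Team IDs are 10 alphanumeric characters; reject anything else.
    if not re.fullmatch(r"[A-Z0-9]{10}", team_id):
        raise ValueError(f"not a Team ID: {team_id!r}")
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadIdentifier": prefix + ".servicemanagement",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Rules": [{
            "RuleType": "TeamIdentifier",
            "RuleValue": team_id,
            "Comment": "Carbon Black Cloud sensor services",  # free text
        }],
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": prefix + ".cbc-sensor",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": "CBC sensor background services",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def team_rules(profile_bytes):
    """List Team IDs covered by servicemanagement rules in a profile."""
    profile = plistlib.loads(profile_bytes)
    return [
        rule.get("RuleValue")
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == PAYLOAD_TYPE
        for rule in p.get("Rules", [])
        if rule.get("RuleType") == "TeamIdentifier"
    ]

if __name__ == "__main__":
    print(build_profile().decode())
```

Running `team_rules()` over a profile exported from the MDM confirms whether the sensor's Team ID is actually covered before endpoints are upgraded to Ventura.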

  • Endpoint Standard: Antivirus Enhancements (SysEXT mode)

    This release adds two enhancements around known malware prevention capabilities for the SysEXT sensor with Endpoint Standard enabled.

    1. Script Engine improvements in classifying, blocking and alerting on execution of malicious scripts (by reputation) in additional execution contexts (on load, on access).

    2. File In-Place Quarantine feature that prevents access to files identified as malware, preventing malware spread across networks and external storage devices.

    These enhancements are automatically enabled by the presence of the base malware prevention rules on the Policy Page: (Known Malware | Suspect Malware | PUP) => Tries to Run => (Deny | Terminate).

  • Enterprise EDR: modload reporting events (SysEXT mode)

    This release completes the parity with the KEXT-based sensor around reporting modload (for dylds) and scriptload events for the Enterprise EDR product.

  • Improved macOS forward compatibility handling

    This release adds compatibility improvements that allow for a flexible handling of future macOS versions. The resulting approach reduces the number of sensor releases needed to maintain core sensor features across future major and minor macOS releases and reduces time to macOS major version support. This approach is also more aligned with the Apple SysEXT compatibility model.

  • Proxy server improvements and sensor downgrade

    macOS sensor 3.7.2 includes a change to improve proxy server information storage utilizing the latest macOS Keychain APIs.

    In the event of sensor downgrade from 3.7.2 (or newer) to 3.7.1 (or older): 

    As a result of the change, for sensors that require proxy credentials to connect to the CBC Cloud, proxy settings must be repopulated on downgrade. 

    • If macOS System Preferences was used for the proxy configuration, the sensor attempts to repopulate the proxy information after the sensor downgrade. 

    • If proxy configuration cannot be retrieved from the macOS System Preferences, the sensor unattended installer options -p PROXY_SERVER:PORT and -x PROXY_USER:PASSWORD must be used to repopulate the proxy settings during the sensor downgrade. 

  • Apple resolved SysEXT sensor network connectivity

    A previous issue with network connectivity symptoms on macOS 11 - macOS 12 with SysEXT sensor has been addressed by Apple in the macOS 12.4 release. Endpoints running any macOS 12.4-compatible sensor (3.6.2 or newer) can now be upgraded to macOS 12.4 to resolve the issue where the network becomes unresponsive using multiple network extensions or a network extension with an Ethernet adapter. See Apple’s macOS Monterey 12.4 release update and our article link regarding this issue for more information:

  • macOS 12.3, 12.4 support

    Due to a compatibility-related change Apple has made in version 12.3 with regards to their internal protocols, all sensor versions 3.6.1 or prior will not support macOS 12.3 or greater. 

    Systems that upgrade to macOS 12.3 or greater before installing the 3.6.2 sensor or later will incorrectly display the sensor as active from the console; however, the sensor will be in a bypass state causing a lapse in endpoint protection.

    To maintain endpoint protection, install sensor version 3.6.2 or later before upgrading to macOS 12.3 or greater.

    Please see these KB articles for more information:

Resolved Issues

The following issues were fixed in this version of the software.

Endpoint Standard and Enterprise EDR

Endpoint Standard, Enterprise EDR / SysEXT

Endpoint Standard

  • DSEN-18542: Network quarantine/isolation

    Fixed a reporting bug where TCP connections that existed before quarantine were properly reset after the quarantine but were not reported on the Investigate page.

LiveOps

  • DSEN-19708: LiveQuery queries in the newer OSquery engine

    Includes EA-21377.

    Fixed an issue with a small number of LiveQuery queries in the newer OSquery engine: query results with a warning now appear in the console. 

    Sometimes queries that threw a benign warning (such as “Failed to read the following manifest.json”) still returned the query results, but the results did not appear on the LiveQuery console.

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

  • Extraneous Kernel Extension approval

    If a Kernel Extension sensor is installed in macOS Catalina, and an OS upgrade to Big Sur occurs, users might see an extraneous Kernel Extension approval pop-up, despite the Kernel Extension already being approved.

    Users can safely re-approve the Kernel Extension or safely ignore the pop-up. Users should re-approve Kernel Extension upon any future sensor upgrades.

  • Command Line Uninstall Utility

    Running the command line uninstall utility from within a Carbon Black directory causes a crash (after successfully uninstalling the sensor).

    As a workaround, run the uninstall command from a user-owned directory.

  • Downgrading from 3.7.2

    If downgrading from 3.7.2 to 3.7.1 (or older) sensor and using proxy credentials to communicate with the Carbon Black Cloud backend, any existing proxy credentials will not persist to the downgraded sensor and must be resupplied.

    Resupply proxy credentials using the -p and -x options when downgrading using the unattended installation script. Alternatively, use macOS System Preferences to configure proxy and credentials.

  • Apple Silicon chip set

    3.6.1.10 was the first GA version supporting the Apple Silicon chipset. Sensor downgrade to 3.5.x versions prior to 3.6.1.10 is therefore not officially supported on Apple Silicon machines. Doing so would bring the sensor to a version that does not officially support Apple Silicon, causing the sensor to run in emulation mode. 

    Note that downgrade behavior/expectations on Intel machines does not change.

    We are aware that some customers are utilizing the 3.5.x versions for emulated support of the sensor on Apple Silicon chip sets. 

    The recommended downgrade path from Apple Silicon native sensors (any 3.6.x+ sensor) to any Apple Silicon pre-native sensor (any sensor prior to 3.6.x) is via uninstall of the native sensor and installation of the pre-native emulated version.

    Utilizing standard downgrade behaviors is unsupported and can lead to undefined behavior.

  • Migrating data from Intel to an Apple Silicon machine

    Including the sensor as part of migrating data from Intel to an Apple Silicon machine (i.e. Migration Assistant) is not a supported workflow.

    The recommended workflow is to uninstall the sensor before migration or exclude the sensor during migration and install it on the target machine.
