The enhanced protections secure the sensor services, processes and communication channels against tampering by an external malicious actor or an endpoint user attempting to circumvent the uninstall protections.

Tamper Protection policy is built-in. Tamper attempt blocks are exposed with MODIFY_SENSOR TTP tagging the corresponding events.

Please check the Known Issues section for the current limitation around the Sensor Tamper Protection.

The 3.7.3 sensor introduces blocking for the “Communicates over the network” policy operation. This policy enables the ability to block a connection attempt (Deny operation) or terminate specified applications (Terminate process) that attempts to communicate over the network, per the application reputation or the application path. 

Related Documentation:

• Set Blocking and Isolation Policy Rules

• KB: How to Block Applications from Communicating over the Internet

This release adds support for scanning, detection and pre-execution prevention of potentially malicious DYLD (dynamically linked library) files.

1. Malicious reputation based DYLD pre-load prevention.DYLD files categorized by reputation as “on company banned list”, “Known malware”, “Suspect”, or “Adware or PUP” are prevented with the standard “Runs or is running” operation policy rule:

2. Behavioral DYLD code injection prevention. DYLD files with the “Unknown” or “Not listed” reputation, that are loaded into a running process using one of suspicious code injection techniques used to override the standard macOS DYLD libraries, are prevented with “Injects code” operation policy rule:

This release enables the Certificate Allowlisting feature for signed files and processes running signed code. Certificate Allowlisting can be configured on Reputation page by Signing Authority. Cert AllowList in this release does not include trust propagation to files bundled within signed PKG installer packages (planned for future release).

The common use-cases for this feature are macOS and 3rd party software updates for signed and sanctioned software in the customer environment. When combined with advanced prevention policies, the feature helps improve interoperability and lower false positives.

The release fully enables IT Tools Allow list feature. IT Tools can be configured on Reputation page by path of IT tool:

Common use-case for IT Tools on Mac is to improve performance and reduce false positives for software mass deploy tools and developer tools common in the user environments that act as frequent code droppers.

The release improves the efficacy of behavioral Ransomware Prevention to better prevent against the following attacks:

• Leveraging operating system binaries.

• Persistant ransomware.

The release enhances cross-process reporting and detections for the following cross-process behaviors:

The release provides additional visibility into effective Sensor Status.

1. Sensor Bypass reporting due to SysEXT initialization error: In the event of an unexpected internal SysEXT initialization error, such as when caused by an unexpected and unhandled MDM configuration issue, the sensor automatically enters internal bypass state, followed by subsequent re-initialization retries. This state can be queried as follows:

   1. repcli status command: General Info -> System Extension: and Sensor State: State: entries.  

   2. Carbon Black Cloud Console:

      1. Inventory->Endpoints page, Last Check-in column: Error (extension error).  

      2. Device->Protection Mode: DRIVER_INIT_ERROR. 

2. Network Extension Status. This additional sensor state info can be useful when:

   1. Troubleshooting the effective MDM policy.

   2. Identifying and re-configuring devices with previously disabled Network Extension.

   3. The Network Extension status can be queried as follows:

      1. repcli status command: General Info -> System Extension -> Network Extension.

      2. CBC Console: Device->Protection Mode: NETWORK_DRIVER_LOAD_NOT_GRANTED and NETWORK_DRIVER_DISABLED.

Related KB articles:

• How to disable and re-enable CBC network extension on MacOS

• Improving Network Extension after Sensor Installation

Sensor versions 3.7.2 and later are “macOS 14 - ready” and will be enabled for  macOS 14 by default. These sensor versions will be announced as officially “macOS 14 supported” if passing the macOS 14 Beta and GM qualification process, unless compatibility issues are identified during the process.

Sensor versions 3.7.3 supports macOS 13 Ventura. 

For customers who plan to upgrade macOS 11 Big Sur endpoints running the Kernel Extension to macOS Ventura, we recommend using a management tool like Workspace ONE, Jamf, or similar MDM solution to deploy the 3.7.3 sensor. Cloud upgrade does not support Kernel Extension mode.

to ensure full sensor enablement, preconfigure endpoints with System Extension pre-approval through MDM before deployment of the sensor.

Supported operating modes

* Official support will be announced after macOS 14 GM, not recommended for production deployment until then. For more information, see the UEX forum.

.

Please refer to this KB article for the workaround and updated script announcement.

Associated with: EA-22114.

The change will be visible when cloud upgrade is triggered from 3.7.3 to future sensor versions.

Associated with: EA-22365.

Associated with: EA-22012.

Unattended installer option --disable-sysext-network-extension is now supported on sensor upgrade and reinstall. This is an alternative mechanism to toggle Network Extension on and off, in addition to sensor fresh install and RepCLI. 

Please refer to the following KBs on Network Extension troubleshooting:

• Disable the Carbon Black Cloud network extension: How to disable and re-enable CBC network extension on MacOS

• Improving Network Extension after Sensor Installation