VMware Carbon Black Cloud 3.7.4.53 | 14 AUG 2023 | Build 3.7.4.53

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud macOS Sensor 3.7.4.53 release includes features, improvements and bug fixes that are addressed in more detail here.

Important notes:

  • This release supports macOS 11 - 14. Please refer to the macOS support link under resources for more details.

  • This sensor is compatible with macOS 14 Sonoma Beta, but we do not claim support until Apple's GA.

  • Sensor version 3.8.0 and future sensor versions no longer support Kernel Extension approval or macOS 11 and prior operating systems. Customers must use System Extension approval.

Resources:

Release checksums

3.7.4.53 DMG SHA256 Checksum

5fee9d39d3a4960d179da2cd893d21440baa8993a8d144d92f0087d313dd61e9

3.7.4.53 PKG SHA256 Checksum

01a808a473f075ee03d0e01e1ee3db4691de073616dba5b5b2dc9ca1553a9ace

Endpoint Standard

  • Improved File On-Access Scanning

    This release improves file on-access scanning efficacy for interesting file types and vectors and completes the core Antivirus malware prevention functionality in the SysEXT sensor.

Blocking Policy

  • Invokes Cmd-Interpreter, Untrusted App, Fileless Script

    This release enables support for the following Behavioral Prevention Policy Operations in the SysEXT-based sensors:

    1. Invokes Cmd-Interpreter.

    2. Invokes Untrusted Application.

    3. Invokes Fileless Script.

Code Signing Certificate AllowList

  • PKG Installers

    This release delivers efficacy improvements to the Cert Allowlist feature for files dropped by signed and trusted macOS PKG installers to handle unique macOS AllowList use cases.

    Related Documentation:

Mac Device Name Reporting

  • Improved Consistent Predictable Mac Device Name Reporting

    This release brings highly requested improvements around more consistent predictable Mac device name reporting for Mac Admin use cases.

    The default sequence that the sensor follows to get the hostname is Computer Name, Local Host Name, Hostname, and kern.hostname. If no value is found, the device is reported as “localhost”.

    The console might show different device name format for older sensors compared to the newer sensors. This is resolved once all the devices are upgraded to sensor version 3.7.4. If all names for a given device, for example, hostname/computer name are the same, then there is no impact on sensor upgrade.
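    The fallback order described above, as an added shell example that is not Carbon Black's code. It assumes the four names correspond to `scutil --get ComputerName`, `scutil --get LocalHostName`, `scutil --get HostName` and `sysctl -n kern.hostname`, that an empty value counts as "no value found", and that unset names are ignored when comparing; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): predict the device name a 3.7.4 sensor
# would report, and flag endpoints whose configured names differ.

# pick_device_name COMPUTER_NAME LOCAL_HOST_NAME HOSTNAME KERN_HOSTNAME
# Prints the first non-empty value in the documented order, else "localhost".
pick_device_name() {
    for candidate in "$@"; do
        if [ -n "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    printf 'localhost\n'
}

# names_consistent NAME...
# Returns 0 when every non-empty name is identical (the case the notes
# describe as having no impact on upgrade), 1 otherwise.
# Assumption: unset (empty) names are ignored in the comparison.
names_consistent() {
    first=""
    for candidate in "$@"; do
        if [ -z "$candidate" ]; then
            continue
        fi
        if [ -z "$first" ]; then
            first=$candidate
        elif [ "$candidate" != "$first" ]; then
            return 1
        fi
    done
    return 0
}

# report_device_name: macOS only. Reads the four sources; scutil exits
# non-zero and prints nothing on stdout when a name is not set.
report_device_name() {
    cn=$(scutil --get ComputerName 2>/dev/null || true)
    lhn=$(scutil --get LocalHostName 2>/dev/null || true)
    hn=$(scutil --get HostName 2>/dev/null || true)
    kh=$(sysctl -n kern.hostname 2>/dev/null || true)
    printf 'expected reported name: %s\n' "$(pick_device_name "$cn" "$lhn" "$hn" "$kh")"
    if names_consistent "$cn" "$lhn" "$hn" "$kh"; then
        echo "all configured names match"
    else
        echo "names differ: console may show a different name format than older sensors"
        printf '  ComputerName=%s LocalHostName=%s HostName=%s kern.hostname=%s\n' "$cn" "$lhn" "$hn" "$kh"
    fi
}

# Run the report only on macOS so the functions can be sourced elsewhere.
if [ "$(uname -s)" = "Darwin" ]; then report_device_name; fi
```

    Running this across a fleet before the upgrade shows which endpoints are likely to appear under a different name in the console until all devices are on 3.7.4.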

Major macOS Forward Compatibility Support

On the day of Apple’s major macOS release, Carbon Black will have at least one sensor compatible and in support. Starting with sensor version 3.7.2, Carbon Black offers macOS forward compatibility handling for new major macOS releases. These sensor versions will be announced as officially supported on 0-day if they pass the major macOS Beta and GM qualification process, unless compatibility issues are identified during the process. For example, Sensor 3.7.4 passed the qualification process with macOS 14 Beta 4, the latest beta at the time of this release.

  • Supported operating modes and CPU architectures

    | Supported Operating System | Supported Modes and Archs |
    |---|---|
    | macOS 11 (Big Sur) | System Extension (Intel, Apple Silicon), Kernel Extension (Intel) |
    | macOS 12 (Monterey) | System Extension (Intel, Apple Silicon) |
    | macOS 13 (Ventura) | System Extension (Intel, Apple Silicon) |
    | macOS 14 (Sonoma) - ready * | System Extension (Intel, Apple Silicon) |

    * Official support will be announced after macOS 14 GM. Not recommended for production deployment until then. Stay tuned for updates in Carbon Black's UEX forum.

  • MDM and Mass Deployment

    To ensure full sensor enablement as early as possible during mass deployment, Carbon Black recommends that endpoints are preconfigured with System Extension and Full Disk Access (FDA) pre-approval through MDM, using the latest MDM recommendations for Carbon Black Cloud in the sensor release DMG docs folder. Carbon Black also advises that the MDM policy is verified using test devices before mass deployment of sensors.

Resolved Issues

Endpoint Standard

  • EA-22508: Fixed time-of-check to time-of-use (TOCTOU) issue in SysEXT (se_agent) and improved interoperability with applications using pipes

    Associated with: DSEN-23164.

  • EA-21506: Improved detection of Mythic Apfell and Poseidon agents

    Associated with: DSEN-20307.

  • EA-20545: XProtect Alerting

    Improved XProtect Alerting to differentiate between XProtect-based and Gatekeeper-based blocks.

  • DSEN-23838: Improved Device Control reporting latency when deployed in the Endpoint Standard-only mode

Endpoint Standard and EEDR

  • CBC-26565: Improved performance and interoperability with the CBC Network Extension

  • DSEN-23815: General SysEXT (se_agent) performance improvements

  • DSEN-24470: Unattended installer option --disable-sysext-network-extension is now supported on sensor upgrade and reinstall

    This is an alternative mechanism to toggle Network Extension on and off, in addition to sensor fresh install and RepCLI. 

    Please refer to the following KBs on Network Extension troubleshooting:

  • Third-party library updates

LiveOps

  • DSEN-24541: Updated OSQuery engine to 5.8.2

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

  • Current Apple macOS limitation allows the end user to drag and uninstall SysEXT, circumventing the sensor Uninstall Protection

    Carbon Black is in contact with Apple Eng. to resolve the macOS limitation.

  • Device Quarantine limitation with VPN per-app tunnel

    Carbon Black is in contact with Apple Eng. to resolve the universal macOS limitation.

    Please refer to this KB article for a workaround.

  • Kernel Extension approval pop-up

    If a Kernel Extension sensor is installed in macOS Catalina, and an OS upgrade to Big Sur occurs, users might see an extraneous Kernel Extension approval pop-up, despite the Kernel Extension already being approved.

    Users can safely re-approve the Kernel Extension or safely ignore the pop-up. Re-approve Kernel Extension upon any future sensor upgrades.

  • Unsupported workflow for migrating data from Intel to an Apple Silicon machine

    Including the sensor as part of migrating data from Intel to an Apple Silicon machine (i.e. Migration Assistant) is not a supported workflow.

    The recommended workflow is to uninstall the sensor before migration or exclude the sensor during migration and install it on the target machine.

  • Running command line uninstall utility from within a Carbon Black directory causes crash after successfully uninstalling the sensor

    Run the uninstall command from a user-owned directory.
