Beginning in macOS 11, the Carbon Black Cloud macOS sensor (v3.5.1) operates by default in user-space via System Extensions (user-space) instead of Kernel Extensions (KEXTs) that are used in prior versions of the agent. Therefore, there are some functional differences when using the sensor in System Extension mode on macOS 11 and later.
Using the sensor in KEXT mode achieves the same functionality on macOS 11 as it does on older operating systems.
Unless otherwise specified, documentation related to macOS functionality on the Carbon Black Cloud pertains to macOS 10.15 and earlier or to functionality delivered via the KEXT on macOS 11.
The following matrix outlines macOS functionality on the Carbon Black Cloud. The functionality detailed in the macOS 11+ column pertains to the sensor’s functionality in user space (System Extension) in the initial macOS 11-compatible sensor release (v3.5.1+). For functionality provided via the kernel extension, refer to the macOS 10.12 - 11+ column.
| Functionality | macOS10.12 - 11 (KEXT) | macOS 11+(user-space) |
|---|---|---|
| Behavioral EDR (analytics detection) | X | X |
| Behavior-based prevention (non-reputation policy rules) | X | In Progress |
| Targeted Prevention (Terminate Process) | X | X |
| Targeted Prevention (Deny Process) | X | In Progress |
| Reputation-based prevention (CB Analytics) | X | X |
| Banned-list based prevention (Deny List) | X | X |
| Approved-list allowances (hash, cert, IT tool) | All | Hash only |
| Automatic Malware Removal | X | X |
| Script Detection | X | X |
| On-demand File Collection | X | X |
| On-demand File Deletion | X | X |
| On-demand - Endpoint Network Isolation (Quarantine) | X | X |
| Interactive Remote Shell Capability for Remediation (Live Response) | X | X |
| Behavior-based Ransomware Detection/Prevention (non-reputation) | X | In Process |
| Keylogger (CGEventTap) Detection | X | In Process |
| XProtect Block Event Collection | X |
