Beginning in macOS 11, the Carbon Black Cloud macOS sensor (v3.5.1) operates by default in user-space using System Extensions (user-space) instead of Kernel Extensions (KEXTs) that are used in previous versions of the agent.

Therefore, there are some functional differences when using the sensor in System Extension mode on macOS 11 and later.

Using the sensor in KEXT mode achieves the same functionality on macOS 11 as it does on older operating systems.

Unless otherwise specified, documentation related to macOS functionality on the Carbon Black Cloud pertains to macOS 10.15 and earlier or to functionality delivered via the KEXT on macOS 11.

The following matrix outlines macOS functionality on the Carbon Black Cloud. The functionality detailed in the macOS 11+ column pertains to the sensor’s functionality in user space (System Extension) in the initial macOS 11-compatible sensor release (v3.5.1+). For functionality provided via the kernel extension, refer to the macOS 10.12 - 11+ column.

Table 1. macOS User Space Functionality in Endpoint Standard
Functionality macOS10.12 - 11 (KEXT) macOS 11+(user-space)
Behavioral EDR (analytics detection) X X
Behavior-based prevention (non-reputation policy rules) X X
Targeted Prevention (Terminate Process) X X
Targeted Prevention (Deny Process) X X
Reputation-based prevention (CB Analytics) X X
Banned-list based prevention (Deny List) X X
Approved-list allowances (hash) All X
Approved-list allowances (cert, IT tool) X X
Automatic Malware Removal X X
Script Detection X X
On-demand File Collection X X
On-demand File Deletion X X
On-demand - Endpoint Network Isolation (Quarantine) X X
Interactive Remote Shell Capability for Remediation (Live Response) X X
Behavior-based Ransomware Detection/Prevention (non-reputation) X X
Keylogger (CGEventTap) Detection X X
XProtect Block Event Collection In Progress X
Table 2. macOS User Space Functionality in Audit and Remediation and Integrations
Functionality macOS10.12 - 11 (KEXT) macOS 11+(user-space)
Audit & Remediation (enterprise-class Osquery) X X
Open APIs to Query All Endpoint Data X X
Open APIs to Invoke All Remediation Functions X X
Table 3. macOS User Space Functionality in Enterprise EDR
Functionality macOS10.12 - 11 (KEXT) macOS 11+(user-space)
Continuous Endpoint Telemetry Data Collection: X X
  • Process Start/Stop/Parent/Source binary, etc.
X X
  • In/Outbound Network Connections
X X
  • File Modifications (RWCD)
X X
  • Cross Process Memory Injection/Scraping
X X
  • Module Loads
X X
  • Script Loads
X X
30 Day Data Retention (longer if associated with an alert) X X
Regex and Wildcard Search/Alert Query Language Support X X
Custom/Customer-created Alert Criteria X X
Support for Industry-standard Threat Feeds (STIX/TAXII) X X
Table 4. macOS User Space Functionality in Operations
Functionality macOS10.12 - 11 (KEXT) macOS 11+(user-space)
Sensor Uninstall Prevention (require unique code) X In Progress
Sensor Tamper Prevention X X
Industry Standard Installer (.msi/.dmg/tar) X X
Console Driven Sensor Upgrade X X
Policy Controlled Sensor Upgrade X X
Sensor Health Monitoring/Alerting X X