Beginning in macOS 11, the Carbon Black Cloud macOS sensor (v3.5.1) operates by default in user-space using System Extensions (user-space) instead of Kernel Extensions (KEXTs) that are used in previous versions of the agent.
Therefore, there are some functional differences when using the sensor in System Extension mode on macOS 11 and later.
Using the sensor in KEXT mode achieves the same functionality on macOS 11 as it does on older operating systems.
Unless otherwise specified, documentation related to macOS functionality on the Carbon Black Cloud pertains to macOS 10.15 and earlier or to functionality delivered via the KEXT on macOS 11.
The following matrix outlines macOS functionality on the Carbon Black Cloud. The functionality detailed in the macOS 11+ column pertains to the sensor’s functionality in user space (System Extension) in the initial macOS 11-compatible sensor release (v3.5.1+). For functionality provided via the kernel extension, refer to the macOS 10.12 - 11+ column.
| Functionality | macOS10.12 - 11 (KEXT) | macOS 11+(user-space) |
|---|---|---|
| Behavioral EDR (analytics detection) | X | X |
| Behavior-based prevention (non-reputation policy rules) | X | X |
| Targeted Prevention (Terminate Process) | X | X |
| Targeted Prevention (Deny Process) | X | X |
| Reputation-based prevention (CB Analytics) | X | X |
| Banned-list based prevention (Deny List) | X | X |
| Approved-list allowances (hash) | All | X |
| Approved-list allowances (cert, IT tool) | X | X |
| Automatic Malware Removal | X | X |
| Script Detection | X | X |
| On-demand File Collection | X | X |
| On-demand File Deletion | X | X |
| On-demand - Endpoint Network Isolation (Quarantine) | X | X |
| Interactive Remote Shell Capability for Remediation (Live Response) | X | X |
| Behavior-based Ransomware Detection/Prevention (non-reputation) | X | X |
| Keylogger (CGEventTap) Detection | X | X |
| XProtect Block Event Collection | In Progress | X |
| Functionality | macOS10.12 - 11 (KEXT) | macOS 11+(user-space) |
|---|---|---|
| Audit & Remediation (enterprise-class Osquery) | X | X |
| Open APIs to Query All Endpoint Data | X | X |
| Open APIs to Invoke All Remediation Functions | X | X |
| Functionality | macOS10.12 - 11 (KEXT) | macOS 11+(user-space) |
|---|---|---|
| Continuous Endpoint Telemetry Data Collection: | X | X |
|
X | X |
|
X | X |
|
X | X |
|
X | X |
|
X | X |
|
X | X |
| 30 Day Data Retention (longer if associated with an alert) | X | X |
| Regex and Wildcard Search/Alert Query Language Support | X | X |
| Custom/Customer-created Alert Criteria | X | X |
| Support for Industry-standard Threat Feeds (STIX/TAXII) | X | X |
| Functionality | macOS10.12 - 11 (KEXT) | macOS 11+(user-space) |
|---|---|---|
| Sensor Uninstall Prevention (require unique code) | X | In Progress |
| Sensor Tamper Prevention | X | X |
| Industry Standard Installer (.msi/.dmg/tar) | X | X |
| Console Driven Sensor Upgrade | X | X |
| Policy Controlled Sensor Upgrade | X | X |
| Sensor Health Monitoring/Alerting | X | X |
