VMware Carbon Black EDR macOS Sensor 7.2.2 | 16 JUN 2022 | Build 7.2.2.16783

Check for additions and updates to these release notes.

What's New

VMware Carbon Black EDR macOS Sensor 7.2.2 delivers support for the latest releases of macOS 12 (Monterey), 12.3, and 12.4, and various bug fixes and stability improvements.

Each release of VMware Carbon Black EDR macOS Sensor software is cumulative and includes changes and fixes from all previous releases.

This document provides information for users who are upgrading to VMware Carbon Black EDR macOS Sensor 7.2.2 from previous versions, and for users who are new to VMware Carbon Black EDR and are installing the macOS Sensor for the first time.

Note: There are a limited number of features which are not available in this version, but which are intended for future development outside the kernel. These features include and are limited to: Proxy address reporting.

Server Compatibility

VMware Carbon Black EDR sensors included with server releases are compatible with all server releases going forward. It is always recommended to use the latest server release with our latest sensors to utilize the full feature capabilities of our product; however, using earlier server versions with the latest sensor should not impact core product functionality.

Sensor Operating Systems

VMware Carbon Black EDR sensors interoperate with multiple operating systems. For the most up-to-date list of supported operating systems for VMware Carbon Black EDR macOS Sensors, refer to Supported Operating Systems and Sensors.

Documentation

This document supplements other VMware Carbon Black EDR documentation. Click here to search the full library of VMware Carbon Black EDR user documentation on VMware Docs.

Technical Support

VMware Carbon Black EDR server and sensor update releases are covered under the Customer Maintenance Agreement. Technical Support is available to assist with any issues that might develop during the installation or upgrade process. Our Professional Services organization is also available to assist to ensure a smooth and efficient upgrade or installation.

Note: Before performing an upgrade, VMware Carbon Black recommends reviewing content in the VMware Carbon Black EDR section of VMware Docs for the latest information that supplements the information contained in this document.

Installation Instructions

To install the new sensor, please follow the steps below. For unattended installs using a Mobile Device Management (MDM) solution, use the following inputs to create profiles for preventing endpoint user prompts. More information can be found here.

  • Plug-in ID: com.carbonblack.es-loader
  • System Extension Bundle ID: com.carbonblack.es-loader.es-extension
  • Application Bundle ID: com.carbonblack.CbOsxSensorService
  • Apple Team ID: 7AGZNQ2S2T

To install the sensors onto your server, perform the following procedure:

  1. Ensure your VMW CB EDR YUM repo is set appropriately:
    1. The VMW CB EDR repository file to modify is /etc/yum.repos.d/CarbonBlack.repo
    2. Baseurl = https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/
  2. On the VMW CB EDR server, clear the YUM cache by running the following command: yum clean all
  3. After the YUM cache has been cleared, download the sensor install package by running the following command: yum install --downloadonly --downloaddir=<package local download directory> <package>

    Note: <package local download directory> is a directory of your choice

    <package> is replaced by cb-osx-sensor

  4. Install the new sensor package on the VMware Carbon Black EDR server by running the following command: rpm -i --force <package>
  5. Make the new installation package available in the VMware Carbon Black EDR server console by running the following command: /usr/share/cb/cbcheck sensor-builds --update

    Note: If your groups have Automatic Update enabled, the sensors in that group will start to automatically update.

This new sensor version will now be available in the VMware Carbon Black EDR server console. For any issues, please contact VMware Carbon Black Technical Support.
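The server-side procedure above, collected into one script as an added example (not VMware's own tooling). It refuses to download anything unless every baseurl in the repo file matches the HTTPS URL documented in step 1. Assumptions: the function names, the REPO_FILE override, the --run switch, and the downloaded file name starting with cb-osx-sensor.

```shell
#!/bin/sh
# Added example: wraps steps 1-5 of the procedure above; run as root on the EDR server.
REPO_FILE=${REPO_FILE:-/etc/yum.repos.d/CarbonBlack.repo}
# Single quotes keep $releasever/$basearch literal, as they appear in the repo file.
EXPECTED_BASEURL='https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/'
PACKAGE=cb-osx-sensor

# Print each active (uncommented) baseurl value in a .repo file, trimmed.
repo_baseurls() {
    sed -n 's/^[[:space:]]*[Bb]aseurl[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//'
}

# Step 1: succeed only if the file has a baseurl and all of them match the
# documented one. Returns 2 if unreadable, 1 on a missing or unexpected URL.
check_repo() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    urls=$(repo_baseurls "$1")
    [ -n "$urls" ] || { echo "no baseurl in $1" >&2; return 1; }
    echo "$urls" | while IFS= read -r u; do
        [ "$u" = "$EXPECTED_BASEURL" ] || { echo "unexpected baseurl: $u" >&2; exit 1; }
    done
}

# Steps 2-5. $1 is <package local download directory>, a directory of your choice.
install_sensor_build() {
    dl_dir=$1
    check_repo "$REPO_FILE" || return 1
    yum clean all || return 1
    yum install --downloadonly --downloaddir="$dl_dir" "$PACKAGE" || return 1
    # Assumption: the downloaded rpm's file name starts with the package name.
    for rpm_file in "$dl_dir"/"$PACKAGE"*.rpm; do
        [ -e "$rpm_file" ] || { echo "no $PACKAGE rpm in $dl_dir" >&2; return 1; }
        rpm -i --force "$rpm_file" || return 1
    done
    /usr/share/cb/cbcheck sensor-builds --update
}

# Nothing is installed unless the script is invoked as: script --run <download dir>
if [ "${1:-}" = "--run" ]; then
    install_sensor_build "${2:?download directory required}"
fi
```

Groups with Automatic Update enabled begin updating once the final cbcheck step completes, so run this in a maintenance window.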

Resolved Issues

  • CB-35578, CB-39127: Resolved an issue where the CbOsxSensorService could be banned

  • CB-37201: NFS or SMB shares could not be unmounted while running the sensor

  • CB-14033: An internal sensor process, CbDigitalSignatureHelper, would continually be reported to the server

  • CB-36824: Internal sensor events from /var/lib/cb were reported to the server

  • CB-37225: Crash logs would be generated on server-initiated sensor upgrade or downgrade

  • CB-37631: The sensor would crash when computing a hash for binary upload

  • CB-37529: Filemods could not be disabled from the server UI when running the sensor as a system extension

  • CB-37989: Users were prompted for permission to allow the sensor to filter network content

  • CB-37729: Sensors not managed by an MDM solution did not have permission to filter network content

  • CB-36229: Users were not notified that a sensor was staged for execution but did not reach a running state

Known Issues

  • CB-32640: When content filters are installed and enabled or uninstalled and disabled, existing connections are terminated

    This is by design per Apple.

  • CB-32640: Uninstallation of the sensor should be done via the Server

    Manual uninstallation through Terminal will require the user password to be entered. This is by design per Apple.

  • CB-8908: The EDR macOS Sensor does not store Live Response activity in the sensor.log file by default

    Users can monitor Live Response activity using the live-response.log found under /var/log/cb/audit on the EDR server. Additionally, users can enable more verbose logging of the sensor.log file to capture Live Response activity on the Mac endpoint. Note that verbose logging can quickly consume the specified sensor.log size and should be used cautiously, as it can lead to shorter retention of audit information. Verbose logging can be enabled by modifying the logging.config file under /var/lib/cb to set the following parameters: minloglevel: 0 and V:0.

  • CB-37441: Filemods to /dev/dtracehelper and /dev/ttys000 are still reported even when an exclusion is in place

  • CB-38779: All childproc events are reported to the server even when Retention Maximization is enabled

  • CB-37032: Network events are not captured when using a VPN under Big Sur and Monterey

  • CB-37962: macOS Get Info command reports sensor version as 1.0

  • CB-38251: Sensor does not filter known dylibs on macOS Monterey

Contacting Technical Support

Carbon Black EDR server and sensor update releases are covered under the Customer Maintenance Agreement. Technical Support is available to assist with any issues that might develop during the installation or upgrade process. Our Professional Services organization is also available to assist to ensure a smooth and efficient upgrade or installation.

Use one of the following channels to request support or ask support questions:

Reporting Problems

When contacting Carbon Black Technical Support, provide the following required information:

  • Contact: Your name, company name, telephone number, and email address
  • Product version: Product name (Carbon Black EDR server and sensor versions)
  • Hardware configuration: Hardware configuration of the Carbon Black EDR server (processor, memory, and RAM)
  • Document version: For documentation issues, specify the version and/or date of the manual or document you are using
  • Problem: Action causing the problem, the error message returned, and event log output (as appropriate)
  • Problem Severity: Critical, serious, minor, or enhancement request
