This site will be decommissioned on January 30th 2025. After that date content will be available at techdocs.broadcom.com.

What's New

VMware Carbon Black EDR macOS 7.2.3 is a Maintenance release that delivers bug fixes. For details, see Resolved Issues.

Each release of VMware Carbon Black EDR macOS Sensor software is cumulative and includes changes and fixes from all previous releases.

This document provides information for users who are upgrading to VMware Carbon Black EDR macOS Sensor 7.2.3 from previous versions, and for users who are new to VMware Carbon Black EDR and are installing the macOS Sensor for the first time.

Note: There are a limited number of features that are not available in this version, but that are intended for future development outside the kernel. These features include and are limited to: Proxy address reporting.

Server Compatibility

VMware Carbon Black EDR sensors included with server releases are compatible with all server releases going forward. It is always recommended to use the latest server release with our latest sensors to utilize the full feature capabilities of our product; however, using earlier server versions with the latest sensor should not impact core product functionality.

Sensor Operating Systems

VMware Carbon Black EDR sensors interoperate with multiple operating systems. For the most up-to-date list of supported operating systems for VMware Carbon Black EDR macOS Sensors, refer to Supported Operating Systems and Sensors.

Documentation

This document supplements other VMware Carbon Black EDR documentation. Click here to search the full library of VMware Carbon Black EDR user documentation on VMware Docs.

Technical Support

VMware Carbon Black EDR server and sensor update releases are covered under the Customer Maintenance Agreement. Technical Support is available to assist with any issues that might develop during the installation or upgrade process. Our Professional Services organization is also available to assist to ensure a smooth and efficient upgrade or installation.

Note: Before performing an upgrade, VMware Carbon Black recommends reviewing content in the VMware Carbon Black EDR section of VMware Docs for the latest information that supplements the information contained in this document.

Installation Instructions

To install the new sensor, please follow the steps below. For unattended installs using a Mobile Device Management (MDM) solution, use the following inputs to create profiles for preventing endpoint user prompts. More information can be found here.

  • Plug-in ID: com.carbonblack.es-loader

  • System Extension Bundle ID: com.carbonblack.es-loader.es-extension

  • Application Bundle ID: com.carbonblack.CbOsxSensorService

  • Apple Team ID: 7AGZNQ2S2T

To install the sensors on to your server, perform the following procedure:

  1. Ensure your VMW CB EDR YUM repo is set appropriately:

    1. The VMW CB EDR repository file to modify is /etc/yum.repos.d/CarbonBlack.repo

    2. Baseurl = https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/

  2. On the VMW CB EDR server, clear the YUM cache by running the following command: yum clean all

  3. After the YUM cache has been cleared, download the sensor install package by running the following command: Run yum install --downloadonly --downloaddir=<package local download directory> <package>

    Note: <package local download directory> is a directory of your choice

    <package> is replaced by cb-osx-sensor-7.2.3.90160

  4. Install the new sensor package on the VMware Carbon Black EDR server by running the following command: rpm -i --force <package>

  5. Make the new installation package available in the VMware Carbon Black EDR server console by running the following command: /usr/share/cb/cbcheck sensor-builds --update

    Note: If your groups have Automatic Update enabled, the sensors in that group will start to automatically update.

This new sensor version will now be available in the VMware Carbon Black EDR server console. For any issues, please contact VMware Carbon Black Technical Support.

Resolved Issues

  • EA-19225, EA-17569, CB-33159, CB-41887: The Process Analysis tree can fail to present correct information in some cases

  • EA-19820, CB-35338: VMware Carbon Black EDR sensor app and CFBundleShortVersionString in info.plist showed version as 1.0

    Updated the version of VMware Carbon Black EDR sensor app file from 1.0 to 7.2.3.

  • EA-21165: Multiple macOS exclusions

    Includes CB-36309, CB-39067, CB-31681, and CB-37441.

    When multiple macOS exclusions are active, some exclusions can fail to preclude event reporting.

  • EA-22325, CB-33581, CB-40941: Banned processes for macOS recorded incorrect timestamps

  • EA-22866, CB-39654, CB-41655: Fixed an issue where users would experience system crashes on Mac M1

Known Issues

  • Sensor version downgrade fails when downgrading to version 7.2.2 or earlier releases

    Sensor downgrades from version 7.2.3 or later to 7.2.2 or lower are expected to fail because of the change in sensor version from 1.0 to 7.2.x to address EA-19820. All sensor version downgrades to 7.2.3 or later versions are supported.

    To revert to the previous sensor version, first uninstall the 7.2.3 sensor and then install the previous sensor version. Make sure that the Upgrade Policy setting is set to No automatic upgrades for the sensor group on the VMware Carbon Black EDR Server UI.

  • CB-32640: When content filters are installed and enabled or uninstalled and disabled, existing connections are terminated

    This is by design per Apple.

    Important:

    Uninstallation of the sensor should be done via the Server

    Manual uninstallation through Terminal requires the user password. This is by design per Apple.

  • CB-37032: Network events are not captured when using a VPN under Big Sur and Monterey

  • CB-38251: Sensor does not filter known dylibs on macOS Monterey

  • CB-38779: All childproc events are reported to the server even when Retention Maximization is enabled

  • CB-41466: Data is missing for childproc event of type posix_exec on server

    PID, Command line, Username and Activity fields are missing for the posix_exec childproc event on the VMware Carbon Black EDR server.

  • CB-41902: Creation time might be incorrectly reported under child node

    In some cases, events happening close to child process creation time might be incorrectly reported under child node.

  • CB-41903: Modload event report is inconsistent

    Modload event report is inconsistent in case of exec-exec when suppression level is set to recommend.

    Set Suppression level to minimum. Perform the following steps in the VMware Carbon Black EDR server console to change the Suppression level value:

    1. Edit Sensor Group -> Advanced -> Retention Maximization -> Select Minimum Retention from dropdown menu.

    2. Save Group.

    For more details, see the  Advanced Settings section in the VMware Carbon Black EDR User Guide.

  • CB-41913: SHA-256, Command line are not reported for Process block event

  • CB-41937: Parent node is incorrectly reported as 'top' process

    In certain cases with Retention level set to recommend, Parent node is incorrectly reported as 'top' for processes executed using exec system call until application exits.

    Set Suppression level to minimum. Perform the following steps in the VMware Carbon Black EDR server console to change the Suppression level value:

    1. Edit Sensor Group -> Advanced -> Retention Maximization -> Select Minimum Retention from dropdown menu.

    2. Save Group.

    For more details, see the  Advanced Settings section in the VMware Carbon Black EDR User Guide.

  • CB-41944: Modload event data is not reported correctly for paths with multibyte encoded characters

Contacting Technical Support

Carbon Black EDR server and sensor update releases are covered under the Customer Maintenance Agreement. Technical Support is available to assist with any issues that might develop during the installation or upgrade process. Our Professional Services organization is also available to assist to ensure a smooth and efficient upgrade or installation.

Use one of the following channels to request support or ask support questions:

Reporting Problems

When contacting Carbon Black Technical Support, provide the following required information:

  • Contact: Your name, company name, telephone number, and email address

  • Product version: Product name (Carbon Black EDR server and sensor versions)

  • Hardware configuration: Hardware configuration of the Carbon Black EDR server (processor, memory, and RAM)

  • Document version: For documentation issues, specify the version and/or date of the manual or document you are using

  • Problem: Action causing the problem, the error message returned, and event log output (as appropriate)

  • Problem Severity: Critical, serious, minor, or enhancement request

check-circle-line exclamation-circle-line close-line
Scroll to top icon