VMware Carbon Black EDR macOS Sensor 7.3.0 | 29 JAN 2024 | Build 7.3.0.90028

Check for additions and updates to these release notes.

What's New

This document provides change information for VMware Carbon Black EDR macOS Sensor 7.3.0.

VMware Carbon Black EDR macOS sensor 7.3.0 is a Minor release that delivers:

  • IPv6 support

    This release delivers the ability to run the Carbon Black EDR macOS Sensor on an endpoint with an IPv6 address.*

    Note: *This release delivers IPv6 support; however, complementary backend changes are required to run the Carbon Black EDR macOS Sensor on an endpoint that has an IPv6 address and connect it with Carbon Black EDR Server. Backend support of IPv6 communication is planned for an upcoming release of Carbon Black EDR Server. When backend support of IPv6 becomes available, you can run the Carbon Black EDR macOS Sensor on an IPv4 or IPv6 endpoint and connect it with a Carbon Black EDR Server using IPv4 or IPv6.

Each release of VMware Carbon Black EDR macOS Sensor software is cumulative and includes changes and fixes from all previous releases.

This document provides information for users who are upgrading to VMware Carbon Black EDR macOS Sensor 7.3.0 from previous versions, and for users who are new to VMware Carbon Black EDR and are installing the macOS Sensor for the first time.

Server Compatibility

VMware Carbon Black EDR sensors included with server releases are compatible with all server releases going forward. It is always recommended to use the latest server release with our latest sensors to utilize the full feature capabilities of our product; however, using earlier server versions with the latest sensor should not impact core product functionality.

Sensor Operating Systems

VMware Carbon Black EDR sensors interoperate with multiple operating systems. For the most up-to-date list of supported operating systems for VMware Carbon Black EDR macOS sensors, refer to Supported Operating Systems and Sensors.

Documentation

This document supplements other VMware Carbon Black EDR documentation. Click here to search the full library of VMware Carbon Black EDR user documentation on VMware Docs.

Technical Support

VMware Carbon Black EDR server and sensor update releases are covered under the Customer Maintenance Agreement. Technical Support is available to assist with any issues that might develop during the installation or upgrade process. Our Professional Services organization is also available to assist to ensure a smooth and efficient upgrade or installation.

Note: Before performing an upgrade, VMware Carbon Black recommends reviewing content in the VMware Carbon Black EDR section of VMware Docs for the latest information that supplements the information contained in this document.

Installation Instructions

To install the new sensor, please follow the steps below. For unattended installs using a Mobile Device Management (MDM) solution, use the following inputs to create profiles for preventing endpoint user prompts. More information can be found here.

  • Plug-in ID: com.carbonblack.es-loader

  • System Extension Bundle ID: com.carbonblack.es-loader.es-extension

  • Application Bundle ID: com.carbonblack.CbOsxSensorService

  • Apple Team ID: 7AGZNQ2S2T

To install the sensors onto your server, perform the following procedure:

  1. Ensure your VMW CB EDR YUM repo is set appropriately:

    1. The VMW CB EDR repository file to modify is /etc/yum.repos.d/CarbonBlack.repo

    2. Baseurl = https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/

  2. On the VMW CB EDR server, clear the YUM cache by running the following command: yum clean all

  3. After the YUM cache has been cleared, download the sensor install package by running the following command: yum install --downloadonly --downloaddir=<package local download directory> <package>

    Note: <package local download directory> is a directory of your choice

    <package> is replaced by cb-osx-sensor-7.3.0.90028

  4. Install the new sensor package on the VMware Carbon Black EDR server by running the following command: rpm -i --force <package>

  5. Make the new installation package available in the VMware Carbon Black EDR server console by running the following command: /usr/share/cb/cbcheck sensor-builds --update

    Note: If your groups have Automatic Update enabled, the sensors in that group will start to automatically update.

This new sensor version will now be available in the VMware Carbon Black EDR server console. For any issues, please contact VMware Carbon Black Technical Support.
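The server-side procedure above as one script, with a preflight check that the repository file points at the documented baseurl before anything is downloaded or installed. This is an added example, not VMware's own tooling; the function names, the `--stage` argument, and the assumption that the downloaded RPM's file name begins with the package name are illustrative.

```shell
#!/bin/sh
# Added example (not VMware code): preflight check plus the documented steps.
EXPECTED_BASEURL='https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/'
REPO_FILE=/etc/yum.repos.d/CarbonBlack.repo
PACKAGE=cb-osx-sensor-7.3.0.90028

# repo_baseurl FILE: print the value of the first active (uncommented) baseurl line.
repo_baseurl() {
    sed -n 's/^[[:space:]]*[Bb]ase[Uu]rl[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# check_repo FILE: succeed only if FILE is readable and its baseurl is the
# documented stable URL ($releasever and $basearch stay literal; yum expands them).
check_repo() {
    [ -r "$1" ] || return 1
    [ "$(repo_baseurl "$1")" = "$EXPECTED_BASEURL" ]
}

# stage_sensor DIR: steps 2-5 of the procedure, stopping at the first failure.
stage_sensor() {
    dir=$1
    check_repo "$REPO_FILE" || { echo "unexpected baseurl in $REPO_FILE" >&2; return 1; }
    yum clean all || return 1
    yum install --downloadonly --downloaddir="$dir" "$PACKAGE" || return 1
    # Assumption: the downloaded file name starts with the package name.
    rpm_file=$(ls "$dir"/"$PACKAGE"*.rpm 2>/dev/null | head -n 1)
    [ -n "$rpm_file" ] || { echo "no RPM found in $dir" >&2; return 1; }
    rpm -i --force "$rpm_file" || return 1
    # Sensor groups with Automatic Update enabled begin updating after this step.
    /usr/share/cb/cbcheck sensor-builds --update
}

# Run only when asked explicitly, so sourcing the file has no side effects.
if [ "${1:-}" = "--stage" ]; then
    stage_sensor "${2:?download directory required}"
fi
```

Run it as root on the EDR server with `--stage <package local download directory>`; without that argument it only defines the functions.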

Resolved Issues

  • CB-40325: Sensor fails to connect with IPv6-only EDR server

  • CB-40013: stat(1) system calls were not filtered and were reported as modloads

  • CB-34358: Optimize UpdateProcessCacheWithDatagram() in daemon

  • CB-38779: Process not suppressed when Retention field was marked as "Recommended"

  • CB-40114: Mac sensor did not report SensorTimeAsGMT

  • CB-40209: Stat(1) system calls reported as modloads

  • CB-40901: Mac M1 Ultra chip removed the Ethernet IP address

  • CB-41613: pid_version field missing in the proc_details structure

  • CB-41618: pid_version support missing in ProcessInformation

  • CB-41902: Events wrongly reported because of same timestamp

  • CB-41903: Inconsistent modload event report

    Modload event report was not consistent in case of exec-exec and Suppression level set to recommend

  • CB-41913: SHA-256 and command line missing for process block event

  • CB-41937: Parent node missing for executed process

    In case of exec-exec, parent was reported after application exit. Because of this behavior, parent node was missing for executed process; it showed top as parent.

  • CB-41944: Empty modload event details

    Modload event details were blank for processes that had a name using special (Chinese) characters

  • CB-42034: pid_version missing in event types

  • CB-42804: Processes were not getting enumerated after PID and pid_version process tracking changes

  • CB-42888: After machine reboot, some processes, such as kmutil, showed top as parent

  • CB-42903: Exec event was treated as fork if fork event missed

  • CB-42920: Missing source IP and port information for FilterDataProvider flows routed through VPN

  • CB-33262: Fork, exec and forkexec showed incorrect reports

  • CB-33588: ln for soft link generated only 1 filemod instead of 2

  • CB-17875: Banned processes started before daemon starts were not banned

  • CB-14678: Banning was not applied to paths that were not in kernel cache

  • EA-23328: Incorrect parent details on Process Analysis page

    Process Analysis page displayed the incorrect parent process even though the raw document was correct

  • EA-22527: ES-loader performance issues with 7.2.2 macOS sensor

  • EA-21345: Sensor using excessive memory - 98G

  • EA-21183: PID/GUID collisions

    PID/GUID collisions resulting in broken process trees within the Carbon Black EDR console

  • EA-12460: cb-event-forwarder

    cb-event-forwarder was sending ingress.event.procstart messages together with an incorrect cmdline (not correct for reported process)

Known Issues

  • Sensor version downgrade fails when downgrading to version 7.2.2 or earlier releases

    Sensor downgrades from version 7.2.3 or later to 7.2.2 or lower are expected to fail because of the change in sensor version from 1.0 to 7.2.x to address EA-19820. All sensor version downgrades to 7.2.3 or later versions are supported.

    To revert to the previous sensor version, first uninstall the 7.2.3 sensor and then install the previous sensor version. Make sure that the Upgrade Policy setting is set to No automatic upgrades for the sensor group on the VMware Carbon Black EDR Server UI.

  • CB-32640: When content filters are installed and enabled or uninstalled and disabled, existing connections are terminated

    This is by design per Apple.

    Important:

    Uninstallation of the sensor should be done via the Server.

    Manual uninstallation through Terminal requires the user password. This is by design per Apple.

  • CB-37032: Network events are not captured when using a VPN under Big Sur and Monterey

  • CB-41466: Data is missing for childproc event of type posix_exec on server

    PID, Command line, Username and Activity fields are missing for the posix_exec childproc event on the VMware Carbon Black EDR server.

Contacting Technical Support

Carbon Black EDR server and sensor update releases are covered under the Customer Maintenance Agreement. Technical Support is available to assist with any issues that might develop during the installation or upgrade process. Our Professional Services organization is also available to assist to ensure a smooth and efficient upgrade or installation.

Use one of the following channels to request support or ask support questions:

Reporting Problems

When contacting Carbon Black Technical Support, provide the following required information:

  • Contact: Your name, company name, telephone number, and email address

  • Product version: Product name (Carbon Black EDR server and sensor versions)

  • Hardware configuration: Hardware configuration of the Carbon Black EDR server (processor, memory, and RAM)

  • Document version: For documentation issues, specify the version and/or date of the manual or document you are using

  • Problem: Action causing the problem, the error message returned, and event log output (as appropriate)

  • Problem Severity: Critical, serious, minor, or enhancement request
