Carbon Black Cloud macOS Sensor Release Notes


3.6.1.10

Carbon Black Cloud sensor version 3.6.1.10 is a generally available release for macOS only.

Important notes

  • Do not upgrade a sensor that is running in System Extension mode while it is in bypass mode. Upgrading in that state disables the sensor until the endpoint is rebooted.
  • This release supports macOS 10.15 - 12. macOS 10.14 is no longer supported.


 
Release checksums
 
3.6.1.10 DMG SHA256 Checksum 9235ac4b3f147d7efc9458c87749a582b4a581462895c95dd60d72a6b94306e1
3.6.1.10 PKG SHA256 Checksum e2f2fab3c488c90aefaa9ff565f545bc8ec23e97a89a3469f0eca771a9371afb

 

Apple Silicon support

The 3.6.1.10 Carbon Black Cloud sensor delivers native operation on Apple Silicon hardware, with the exception of the LiveOps (OSQuery engine) because there is no universal binary available yet. Rosetta will be necessary to leverage Audit & Remediation functionality until a universal OSQuery engine binary is available.

macOS Monterey support

Sensor version 3.6.1.10 supports operation on macOS Monterey via System Extensions. Legacy Kernel Extension mode operation is not supported on macOS 12 Monterey. For customers who plan to upgrade macOS 11 Big Sur endpoints running the Kernel Extension to Monterey, we recommend using a management tool like Workspace ONE, Jamf, etc. to deploy the 3.6 sensor. Cloud upgrade does not support Kernel Extension mode upgrades from macOS 11 to macOS 12.

As always, to ensure full sensor enablement we recommend that endpoints are preconfigured with System Extension pre-approval via MDM before deployment of the sensor.

Supported operating modes

Supported Operating System | Supported Modes and Architectures
macOS 10.15 (Catalina) | Kernel Extension (Intel only)
macOS 11 (Big Sur) | Kernel Extension (Intel only); System Extension (Intel, Apple Silicon)
macOS 12 (Monterey) | System Extension (Intel, Apple Silicon)

 

3.5.3.82

Carbon Black Cloud sensor version 3.5.3.82 is a generally available release for macOS only.

Changes to the sensor approval process

VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and approve KEXT, System Extension, and Network Extension code signing certificates.

Sensor approvals on macOS Big Sur

Sensor version 3.5.3.82 supports both KEXT and System Extension operation on macOS Big Sur.

The process for approving KEXTs has changed on macOS Big Sur. Please review the following article for more information on the revised process: Changes to KEXT pre-approval on macOS Big Sur.

To avoid the need for user approval, the sensor’s System Extension and Network Extension should be approved via an MDM. Please review the following article for details on the approval process: Approving the macOS sensor’s System Extension and Network Extension.

Changes to Full Disk Access permissions since the 3.5.1 sensor

The 3.5.1 sensor was restructured; the Full Disk Access policy process has changed as a result. An updated profile is required for running 3.5.1+ on any supported version of macOS (10.12 - 11.2). Please review the following article for details on the revised process: Granting the macOS sensor Full Disk Access (v3.5.1+).

Current MDM instructions and payloads for configuring the installation are always available in the mounted DMG of the sensor installer in the docs folder.

Release checksums
 
3.5.3.82 DMG SHA256 Checksum 8f13dcde5429cc5f9b4fb49ef982a75077cbaa72061f6c395cc857f4de0de357
3.5.3.82 PKG SHA256 Checksum 769ddbbfc3c048eec762b63d714630c3be4becf68991b018ef20637c49982801

 

Ending support for macOS 10.12 and 10.13

Beginning with the 3.5.3.82 VMware Carbon Black Cloud sensor, macOS 10.12 (Sierra) and macOS 10.13 (High Sierra) are no longer officially supported. Apple is not issuing security patches for these operating systems. We recommend that before deploying the 3.5.3.82 sensor, you upgrade to macOS 10.14 (Mojave) or later.

10.12 and 10.13 are still supported for use with sensor versions 3.5.2.78 and older, which will remain in Standard or Extended support until May 2022.

See the macOS sensor compatibility guide.

Status of Apple Silicon M1 support

The 3.5.3.82 VMware Carbon Black Cloud sensor is not officially supported for use on Apple Silicon M1 hardware. Although installation on M1 machines is not blocked, performance while using Rosetta 2 emulation can deviate from expected performance and stability on Intel hardware. For this reason, we do not recommend deploying the sensor on production M1 machines.

Native support for the Apple Silicon architecture will be available in a future release.

Supported architectures for CBC 3.5.3 sensor and macOS Big Sur:

macOS/CPU architecture | Intel x86-64 | Apple Silicon/ARM
KEXT | Supported | Not supported; see installation caveats
System Extension | Supported | Experimental, emulation mode

 

macOS Big Sur support

Sensor version 3.5.3.82 supports macOS Big Sur. This sensor enables a subset of VMware Carbon Black Cloud functionality via System Extensions; full functionality is available via Kernel Extensions (KEXTs). We recommend that all Endpoint Standard customers continue to use Kernel Extensions until notified that all functionality is available via System Extensions.

Before deploying this sensor to macOS Big Sur, please review this documentation on the functionality you can expect to receive with System Extensions vs. KEXTs: macOS Big Sur Functionality Overview.

USB device control for macOS

VMware Carbon Black introduced Device Control for USB storage devices on Windows in November 2020. This functionality is now extended to macOS 10.15 and 11+ with sensor version 3.5.3.82. 

Device Control lets you harden your security posture, control authorized usage, and prevent malware infiltration from USB storage devices. You can view, manage, approve, and implement blocking policies for USB storage devices that are connected to your endpoints. 

You will have access to the following functionality:

  • Policy-based USB Device Blocking: Gain an additional layer of protection and strengthen overall security posture with the ability to block mount operations on a per-policy basis.
  • Configurable Allowed USB Devices List: Allow designated external devices to be mounted by leveraging options for approving distinct USB devices, or approving broader manufacturer- or product-based permissions across your environment.
  • Alert on Block: Receive notifications of USB device blocks in your environment, and easily approve devices directly from the alert. Users also receive notifications when attempting to use blocked devices, thereby educating them on company policy.
  • USB Device Inventory: Gain visibility into all supported USB devices connected to your network with the ability to view, filter, search, and approve USB devices from the Inventory page.



3.5.2.78

Carbon Black Cloud sensor version 3.5.2.78 is a generally available release for macOS only. Version 3.5.2.78 replaces 3.5.1.31. This sensor supports macOS Big Sur, introduces post-execution prevention, and includes other critical fixes.

Release checksums
 
3.5.2.78 DMG SHA256 Checksum 585abac9d0d87a6a3efd5a156fdabf0eab32063796c264b8d2551e5db1188fa4
3.5.2.78 PKG SHA256 Checksum 70f104398c8d1fb7c392700e6a88753c5d066a1d6777a959bb1c9fe0d97aba2a

 

Status of Apple Silicon M1 support

The 3.5.2.78 Carbon Black Cloud sensor is not officially supported for use on Apple Silicon M1 hardware. Although installation on M1 machines is not blocked, performance while using Rosetta 2 emulation can deviate from expected performance and stability on Intel hardware. For this reason, we do not recommend deploying the sensor on production M1 machines.

Native support for the Apple Silicon architecture will be available in a future release.

Supported architectures matrix for CBC 3.5.2 sensor and macOS Big Sur:

macOS / CPU Archs. | Intel x86-64 | Apple Silicon / ARM
KEXT | Supported | Not supported, see installation caveats
System Extension | Supported | Experimental, Rosetta 2 emulation, not officially supported

 

macOS Big Sur Support

Sensor version 3.5.2.78 supports macOS Big Sur. This sensor enables a subset of Carbon Black Cloud functionality via System Extensions, but full functionality is still available via Kernel Extensions (KEXTs). We recommend all Endpoint Standard customers continue to use Kernel Extensions until notified that all functionality is available via System Extensions.

Before deploying this sensor to macOS Big Sur, please review this documentation on the functionality you can expect to receive with System Extensions vs. KEXTs: macOS Big Sur Functionality Overview.

Introductory System Extension-based Prevention

The 3.5.2.78 System Extension sensor expands on the subset of Carbon Black Cloud functionality, but does not yet meet feature parity with the Kernel Extension sensor. 

This release introduces post-execution prevention, meaning policy enforcement occurs only after a process has already begun running. The system extension sensor does not yet provide pre-execution prevention (blocking malware before it has a chance to begin running). The 3.5.2 release is a step towards complete SysEXT-based prevention.

Rules regarding applications with unknown reputation are not enforced in this release. Applications with a known malware, suspect malware, adware, or PUP reputation, and ban-listed applications, that the sensor finds currently running will be terminated. Please note that this means that a termination from the sensor may be sent after the offending application has already finished executing on its own.

For more information on functional differences between System Extensions and Kernel Extensions, please refer to this document.

Local Sensor Administration via repCLI

The macOS 3.5.2.78 release extends the repCLI command line tool that enables local administration of the sensor. Please see the following Knowledge Base article for a list of available commands: RepCLI on macOS.


3.5.1.31

Carbon Black Cloud sensor version 3.5.1.31 is a generally available release for macOS only. Version 3.5.1.31 replaces 3.5.1.23. This sensor is functionally identical to 3.5.1.23, with the addition of several critical fixes.

Changes to the sensor approval process

VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and approve KEXT, System Extension, and Network Extension code signing certificates.

Sensor approvals on macOS Big Sur

Sensor version 3.5.1.31 supports both KEXT and System Extension operation on macOS Big Sur.

The process for approving KEXTs has changed on macOS Big Sur. Please review this article for more information on the revised process: Changes to KEXT pre-approval on macOS Big Sur.

The sensor’s System Extension and Network Extension should be approved via an MDM to avoid the need for user approval. Please review this article for details on the approval process: Approving the macOS sensor’s System Extension and Network Extension.

Changes to Full Disk Access permissions in the 3.5.1 sensor

The 3.5.1 sensor has been restructured and the Full Disk Access policy process has changed as a result. An updated profile is required for running 3.5.1.31 on any supported version of macOS (10.12 - 11.2). Please review this article for details on the revised process: Granting the macOS sensor Full Disk Access (v3.5.1+).

The most up-to-date MDM instructions and payloads for configuring the installation are always available in the mounted DMG of the sensor installer, under the docs folder.

Release checksums
 
3.5.1.31 DMG SHA256 Checksum e60164d335378d12bed697ef52d2ba6aa994213c0ea94482ccfdbaf340f7add5
3.5.1.31 PKG SHA256 Checksum a308a3c4096c65fdd5df1fc371dd7b9c9d5cd6a6820caa7488021bb0f392b3c3

 

Apple Silicon M1 support

The 3.5.1.31 Carbon Black Cloud sensor is not officially supported for use on Apple Silicon M1 hardware. Although installation on M1 machines is not blocked, performance while using Rosetta 2 emulation can deviate from expected performance and stability on Intel hardware. For this reason, we do not recommend deploying the sensor on production M1 machines.

Native support for the Apple Silicon architecture will be available in a future release.

Supported architecture matrix for 3.5.1 sensor and macOS Big Sur:

macOS / CPU Arch. | Intel x86-64 | Apple Silicon / ARM
KEXT | Supported | Not supported, see installation caveats
System Extension | Supported | Experimental, emulation mode, not officially supported

3.5.1.23

Carbon Black Cloud sensor version 3.5.1.23 is a generally available release for macOS only. 3.5.1.23 replaces 3.5.1.19.

This sensor is functionally identical to 3.5.1.19. Please see the 3.5.1.19 release notes for more details.

Release checksums
 
3.5.1.23 DMG SHA256 Checksum d047c4bd69fb6bdba2b0474c8fc155dafce032000f4401567e01f6c402fd4478
3.5.1.23 PKG SHA256 Checksum a8247d9bea1adbea7b280790fa10a69382a5e7758a6450f2e8c7901285c5f248

 


3.5.1.19

Carbon Black Cloud sensor version 3.5.1.19 is a generally available release for macOS only.

Important Notes:

  • 3.4.4.51 is the only supported downgrade path from the 3.5.1.19 sensor.
  • This sensor provides initial support for macOS Big Sur. Please read these release notes carefully as some functionality and processes have changed.

Changes to the sensor approval process

VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and approve KEXT, System Extension, and Network Extension code signing certificates.

Sensor approvals on macOS Big Sur

Sensor version 3.5.1.19 supports both KEXT and System Extension operations on macOS Big Sur.

The process for approving KEXTs has changed on macOS Big Sur. See Changes to KEXT pre-approval on macOS Big Sur.

The sensor’s System Extension and Network Extension should be approved via an MDM to avoid the need for user approval. See Approving the macOS sensor’s System Extension and Network Extension.

Changes to Full Disk Access permissions in the 3.5.1 sensor

The 3.5.1 sensor has been restructured and the Full Disk Access policy process has changed as a result. An updated profile is required for running 3.5.1.19 on any supported version of macOS (10.12 - 11). See Granting the macOS sensor Full Disk Access (v3.5.1+).

Current MDM instructions and payloads for configuring the installation are available in the mounted DMG of the sensor installer, under the docs folder.

Release checksums
 
3.5.1.19 DMG SHA256 Checksum bea78b8e0870f45cd85aedb728676f687c2e522a48fba53bc9aa3fd39f90778c
3.5.1.19 PKG SHA256 Checksum 19bc75f8a7ff00bdc86f01bed06cc1ef024cb01aaa8d70b34f1a30efbdabf640

 

Ended support for macOS 10.11

The CBC 3.5.1.19 sensor release is only compatible with macOS versions 10.12 and newer. You cannot install this sensor version on older operating systems.

Note: The sensor will not allow an upgrade to 3.5.1 on macOS 10.11.

Apple Silicon M1 support

Sensor release 3.5.1.19 introduces experimental support for the Apple Silicon M1 using the non-native, emulation mode. Native support for the Apple Silicon architecture will be available in a future release.

The following table shows a supported architectures matrix for the CBC 3.5.1 sensor and macOS Big Sur:

macOS / CPU Architectures | Intel x86-64 | Apple Silicon / ARM
KEXT | Supported | Not supported; see installation caveats
System Extension | Supported | Experimental, emulation mode

 

macOS Big Sur support

Sensor version 3.5.1.19 includes initial support for macOS Big Sur. This sensor enables a subset of Carbon Black Cloud functionality via System Extensions, but full functionality is still available via Kernel Extensions (KEXTs). We recommend all Endpoint Standard customers continue to use Kernel Extensions until you are notified that all functionality is available via System Extensions.

Before deploying this sensor to macOS Big Sur, review the functionality you can expect to receive with System Extensions vs. KEXTs: macOS Big Sur Functionality Overview.

Local administration via repCLI command line tool

The macOS 3.5.1.19 release introduces a command line tool that enables local administration of the sensor. See RepCLI on macOS for a list of available commands.

Sensor file system restructuring

The macOS 3.5.1.19 release introduces updated sensor file system install locations, which changes where the sensor stores its executables and resources. The change brings the sensor into full compliance with the requirements of the latest macOS versions and also concludes the branding changes to VMware Carbon Black. This change can impact custom deploy and monitoring tools. See New macOS sensor file paths beginning in 3.5.1.19.

Installer TOCTOU security vulnerability fix

Carbon Black macOS Sensor 3.5.1 addresses a file overwrite issue in the installer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2020-4008 to this issue. See https://www.vmware.com/security/advisories/VMSA-2020-0028.html.

New administrative sensor states

This release adds new administrative sensor states. You can query them from the Endpoints page by using the sensorStates:SENSOR_STATE query, where SENSOR_STATE is one of the values listed below, or by using the RepCLI tool.

SENSOR_STATE | Description
DRIVER_LOAD_NOT_GRANTED | Sensor failed to load KEXT or System Extension. MDM or manual approval is required. Sensor is in bypass until the load is granted. This state coexists with DRIVER_KERNEL or DRIVER_USERSPACE.
DRIVER_INIT_REBOOT_REQUIRED | KEXT or System Extension failed to initialize due to reboot requirement. Sensor is in bypass until after reboot.
DRIVER_INIT_ERROR | KEXT or System Extension failed to initialize and load for any reason other than the missing grant or reboot. Sensor is in bypass mode.
DRIVER_KERNEL | Sensor is in KEXT-enabled mode.
DRIVER_USERSPACE | Sensor is in System Extension-enabled mode (macOS 11+ only).
FULL_DISK_ACCESS_NOT_GRANTED | Sensor does not have full disk access granted, which will reduce the efficacy of select features. MDM or manual approval is required.
DRIVER_OPTIONS_UPDATE_PENDING | In 10.14 and 10.15 only. The repcli command to toggle between persistent/unloadable KEXT was acknowledged, but will require a reboot to complete.
DRIVER_OPTIONS_DEVELOPER_MODE | In 10.14 and 10.15 only. The machine has loaded the KEXT in a persistent manner and will require a reboot to successfully uninstall/upgrade.

3.4.4.51

Carbon Black Cloud sensor version 3.4.4.51 is for macOS only. This release is Generally Available. 

Important:

  • 3.4.4.51 is the only supported downgrade path from the 3.5 sensor family that is being released later in 2020.
  • This sensor version is not supported for macOS Big Sur. Installing this sensor on macOS Big Sur results in the sensor entering a Bypass state.

Certificate approval process

Devices that are upgrading to 3.4 from sensor versions 3.0 and older should have the new code signing certificate (Team ID 7AGZNQ2S2T) approved prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release. See Known Issues.

VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and approve the KEXT code signing certificate.

See the following article about granting the sensor Full Disk Access as required by macOS 10.14+: macOS 10.14+ Privacy Changes and Granting the macOS Sensor Access.

Release checksums
 
3.4.4.51 DMG SHA256 Checksum 04959ea72c86778a5019cff6bb0f9c89faa0cae775681e12e67a17c3609c0fd7
3.4.4.51 PKG SHA256 Checksum 40138f87b7c8800e8199e384f26be076cb9e7c1afadf079904d4972d52c28397

 

Ended support for macOS 10.10

The macOS 3.4.4.51 sensor release is only compatible with macOS versions 10.11 and newer. Installation of this sensor version on older operating systems is not possible.

Note: The sensor will fail to upgrade from 3.4.3 to 3.4.4 on macOS 10.10.

Full Disk Access status reported in the console

Beginning with sensor version 3.4.4.51, the macOS sensor can now detect when it has not been granted Full Disk Access (FDA) on an endpoint. Full Disk Access can be granted manually on the endpoint or with a policy via MDM. To locate endpoints that do not have Full Disk Access enabled, search for the following string on the Endpoints page in the console:

sensorStates: FULL_DISK_ACCESS_NOT_GRANTED


3.4.3.44

Carbon Black Cloud sensor version 3.4.3.44 is for macOS only. This release is Generally Available. 

This release fixes bugs and performance issues. For more information about the cumulative changes in this sensor version, see the macOS 3.4.2.23 release notes.

Important: KEXT certificate approval process

Devices that are upgrading to 3.4 from sensor versions 3.0 and older must have the new code signing certificate (Team ID 7AGZNQ2S2T) approved prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release. See Known Issues for details.
 
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and allow the KEXT code signing certificate.
 
See macOS 10.14+ Privacy Changes and Granting the macOS Sensor Access about granting the sensor Full Disk Access as required by macOS 10.14+.
 
Release checksums
 
3.4.3.44 DMG SHA256 Checksum 0fe44079434904432b2a900e10320fdbf83ae4b29f0b4544f17ff1d9ab449c72
3.4.3.44 PKG SHA256 Checksum 1d0eccb24df75909177201fe4b4499b7107ab64049ba99d1a88416780117d6c0

3.4.2.23

Carbon Black Cloud sensor version 3.4.2.23 is for macOS only. This release is Generally Available.

Certificate whitelist process

Devices that are upgrading to 3.4 from sensor versions 3.0 and older should have the new code signing certificate (Team ID 7AGZNQ2S2T) whitelisted prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release.
 
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and whitelist the KEXT code signing certificate.
 
See the following User Exchange article about granting the sensor Full Disk Access as required by macOS 10.14+: macOS 10.14+ Privacy Changes and Granting the macOS Sensor Access.
 
Release checksums
 
3.4.2.23 DMG SHA256 Checksum f0799c663d45f68f6d4a44ef82c2adcf7196432fcf4e65e829738f701d10b0e9
3.4.2.23 PKG SHA256 Checksum bafb9e759a055c9cc3268eaaf0d1650b4bead91bac589f4c064df4fca8458fc9

3.4.1.7

Carbon Black Cloud sensor version 3.4.1.7 is for macOS only. This release is Generally Available. 

This release builds on work completed for the macOS sensor versions 3.3.3 and 3.3.4. For more information about the cumulative changes in this sensor version, see the macOS 3.3.3 and 3.3.4 release notes.

Certificate whitelist process

Devices that are upgrading to 3.4 from sensor versions 3.0 and older should have the new code signing certificate (Team ID 7AGZNQ2S2T) whitelisted prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release.
 
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and whitelist the KEXT code signing certificate.
 
See the following User Exchange article about granting the sensor Full Disk Access as required by macOS 10.14+: macOS 10.14+ Privacy Changes and Granting the macOS Sensor Access.
 
Release checksums
 
3.4.1.7 DMG SHA256 Checksum 9b505b56a9d909db5e2d27609ad6ed8a9eda620af1867ed4485b004da27391ea
3.4.1.7 PKG SHA256 Checksum 251a09e0bf2ce53b5899abd72126f6a6d1075e0f7d82c14bc5197e3b86cf187d

 

Enhanced investigations with CB ThreatHunter

CB ThreatHunter brings incident response capabilities to macOS on the Carbon Black Cloud, delivering endpoint visibility and enhanced search to our cloud platform. To enable a macOS endpoint to return CB ThreatHunter data, your organization must have purchased CB ThreatHunter and must have the macOS 3.4 or later sensor installed on the endpoint. The macOS 3.4 sensor supports CB ThreatHunter standalone, as well as any combination of CB Defense, CB LiveOps, and CB ThreatHunter. See https://community.carbonblack.com/t5/Cb-ThreatHunter/ct-p/CbThreatHunter.

VMware Workspace ONE on macOS

The Carbon Black Cloud console now reports the universally unique identifier (UUID) of macOS endpoints and shares that information with VMware Workspace ONE. This enables Workspace ONE macOS users, who are also Carbon Black users, to access the Carbon Black Cloud.

Comments

The macOS 3.4.3.44 sensor release notes are updated.

The macOS 3.5.1.19 sensor release notes are published.

 

The macOS 3.5.1.23 sensor release notes are published.

The macOS 3.5.1.31 sensor release notes are published.

The macOS 3.5.2.78 sensor release notes are published.

The macOS 3.5.3.82 sensor release notes are published.

The macOS sensor version 3.6.1.10 release notes are published.

Article Information
Creation Date: 02-04-2020