Attention: As of 28 February 2022, Carbon Black Cloud Release Notes are published on VMware Docs. This UEX site will remain but no longer be updated.
3.6.1.10
Carbon Black Cloud sensor version 3.6.1.10 is a generally available release for macOS only.
Important notes
- Sensor upgrades should not be performed while the sensor is in bypass mode while in System Extension mode. Upgrading the sensor in System Extensions mode while in bypass disables the sensor until a reboot is performed on the endpoint.
- This release supports macOS 10.15 - 12. MacOS 10.14 is no longer supported.
Resources
Release checksums
| 3.6.1.10 DMG SHA256 Checksum |
9235ac4b3f147d7efc9458c87749a582b4a581462895c95dd60d72a6b94306e1 |
|
3.6.1.10 PKG SHA256 Checksum
|
e2f2fab3c488c90aefaa9ff565f545bc8ec23e97a89a3469f0eca771a9371afb
|
Apple Silicon support
The 3.6.1.10 Carbon Black Cloud sensor delivers native operation on Apple Silicon hardware, with the exception of the LiveOps (OSQuery engine) because there is no universal binary available yet. Rosetta will be necessary to leverage Audit & Remediation functionality until a universal OSQuery engine binary is available.
macOS Monterey support
Sensor version 3.6.1.10 supports operation on macOS Monterey via System Extensions. Legacy Kernel Extension mode operation is not supported on macOS 12 Monterey. For customers who plan to upgrade macOS11 Big Sur endpoints running the Kernel Extension to Monterey, we recommend using a management tool like Workspace ONE, Jamf, etc. to deploy the 3.6 sensor. Cloud upgrade does not support Kernel Extension mode upgrades from macOS 11 to macOS 12.
As always, to ensure full sensor enablement we recommend that endpoints are preconfigured with System Extension pre-approval via MDM before deployment of the sensor.
Supported operating modes
| Supported Operating System |
Supported Modes and Architectures |
| macOS 10.15 (Catalina) |
Kernel Extension (Intel only) |
| macOS 11 (Big Sur) |
Kernel Extension (Intel only)
System Extension (Intel, Apple Silicon)
|
| macOS 12 (Monterey) |
System Extension (Intel, Apple Silicon) |
3.5.3.82
Carbon Black Cloud sensor version 3.5.3.82 is a generally available release for macOS only.
Changes to the sensor approval process
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and approve KEXT, System Extension, and Network Extension code signing certificates.
Sensor approvals on macOS Big Sur
Sensor version 3.5.3.82 supports both KEXT and System Extension operation on macOS Big Sur.
The process for approving KEXTs has changed on macOS Big Sur. Please review the following article for more information on the revised process: Changes to KEXT pre-approval on macOS Big Sur.
To avoid the need for user approval, the sensor’s System Extension and Network Extension should be approved via an MDM. Please review the following article for details on the approval process: Approving the macOS sensor’s System Extension and Network Extension.
Changes to Full Disk Access permissions since the 3.5.1 sensor
The 3.5.1 sensor was restructured; the Full Disk Access policy process has changed as a result. An updated profile is required for running 3.5.1+ on any supported version of macOS (10.12 - 11.2). Please review the following article for details on the revised process: Granting the macOS sensor Full Disk Access (v3.5.1+).
Current MDM instructions and payloads for configuring the installation are always available in the mounted DMG of the sensor installer in the docs folder.
Release checksums
| 3.5.3.82 DMG SHA256 Checksum |
8f13dcde5429cc5f9b4fb49ef982a75077cbaa72061f6c395cc857f4de0de357 |
|
3.5.3.82 PKG SHA256 Checksum
|
769ddbbfc3c048eec762b63d714630c3be4becf68991b018ef20637c49982801
|
Ending support for macOS 10.12 and 10.13
Beginning with the 3.5.3.82 VMware Carbon Black Cloud sensor, macOS 10.12 (Sierra) and macOS 10.13 (High Sierra) are no longer officially supported. Apple is not issuing security patches for these operating systems. We recommend that before deploying the 3.5.3.82 sensor, you upgrade to macOS 10.14 (Mojave) or later.
10.12 and 10.13 are still supported for use with sensor versions 3.5.2.78 and older, which will remain in Standard or Extended support until May 2022.
See the macOS sensor compatibility guide.
Status of Apple Silicon M1 support
The 3.5.3.82 VMware Carbon Black Cloud sensor is not officially supported for use on Apple Silicon M1 hardware. Although installation on M1 machines is not blocked, performance while using Rosetta 2 emulation can deviate from expected performance and stability on Intel hardware. For this reason, we do not recommend deploying the sensor on production M1 machines.
Native support for the Apple Silicon architecture will be available in a future release.
Supported architectures for CBC 3.5.3 sensor and macOS Big Sur:
| macOS/CPU architecture |
Intel x86-64 |
Apple Silicon/ARM |
| KEXT |
Supported |
Not supported; see installation caveats
|
| System Extension |
Supported |
Experimental, emulation mode |
macOS Big Sur support
Sensor version 3.5.3.82 supports macOS Big Sur. This sensor enables a subset of VMware Carbon Black Cloud functionality via System Extensions; full functionality is available via Kernel Extensions (KEXTs). We recommend that all Endpoint Standard customers continue to use Kernel Extensions until notified that all functionality is available via System Extensions.
Before deploying this sensor to macOS Big Sur, please review this documentation on the functionality you can expect to receive with System Extensions vs. KEXTs: macOS Big Sur Functionality Overview.
USB device control for macOS
VMware Carbon Black introduced Device Control for USB storage devices on Windows in November 2020. This functionality is now extended to macOS 10.15 and 11+ with sensor version 3.5.3.82.
Device Control lets you harden your security posture, control authorized usage, and prevent malware infiltration from USB storage devices. You can view, manage, approve, and implement blocking policies for USB storage devices that are connected to your endpoints.
You will have access to the following functionality:
- Policy-based USB Device Blocking: Gain an additional layer of protection and strengthen overall security posture with the ability to block mount operations on a per-policy basis.
- Configurable Allowed USB Devices List: Allow designated external devices to be mounted by leveraging options for approving distinct USB devices, or approving broader manufacturer- or product-based permissions across your environment.
- Alert on Block: Receive notifications of USB device blocks in your environment, and easily approve devices directly from the alert. Users also receive notifications when attempting to use blocked devices, thereby educating them on company policy.
- USB Device Inventory: Gain visibility into all supported USB devices connected to your network with the ability to view, filter, search, and approve USB devices from the Inventory page.
See:
3.5.2.78
Carbon Black Cloud sensor version 3.5.2.78 is a generally available release for macOS only. Version 3.5.2.78 replaces 3.5.1.31. This sensor supports macOS Big Sur, introduces post-execution prevention, and other critical fixes.
Release checksums
| 3.5.2.78 DMG SHA256 Checksum |
585abac9d0d87a6a3efd5a156fdabf0eab32063796c264b8d2551e5db1188fa4 |
|
3.5.2.78 PKG SHA256 Checksum
|
70f104398c8d1fb7c392700e6a88753c5d066a1d6777a959bb1c9fe0d97aba2a
|
Status of Apple Silicon M1 support
The 3.5.2.78 Carbon Black Cloud sensor is not officially supported for use on Apple Silicon M1 hardware. Although installation on M1 machines is not blocked, performance while using Rosetta 2 emulation can deviate from expected performance and stability on Intel hardware. For this reason, we do not recommend deploying the sensor on production M1 machines.
Native support for the Apple Silicon architecture will be available in a future release.
Supported architectures matrix for CBC 3.5.2 sensor and macOS BigSur:
|
macOS / CPU Archs.
|
Intel x86-64
|
Apple Silicon / ARM
|
|
KEXT
|
Supported
|
Not supported, see installation caveats
|
|
System Extension
|
Supported
|
Experimental, Rosetta 2 emulation, not officially supported
|
macOS Big Sur Support
Sensor version 3.5.2.78 supports macOS Big Sur. This sensor enables a subset of Carbon Black Cloud functionality via System Extensions, but full functionality is still available via Kernel Extensions (KEXTs). We recommend all Endpoint Standard customers continue to use Kernel Extensions until notified that all functionality is available via System Extensions.
Before deploying this sensor to macOS Big Sur, please review this documentation on the functionality you can expect to receive with System Extensions vs. KEXTs: macOS Big Sur Functionality Overview.
Introductory System Extension-based Prevention
The 3.5.2.78 System Extension sensor expands on the subset of Carbon Black Cloud functionality, but does not yet meet feature parity with the Kernel Extension sensor.
This release introduces post-execution prevention, meaning policy enforcement occurs only after a process has already begun running. The system extension sensor does not yet provide pre-execution prevention (blocking malware before it has a chance to begin running.) The 3.5.2 release is a step towards complete SysEXT-based prevention.
Rules regarding applications with unknown reputation are not enforced upon in this release. Applications with known malware, suspect malware, adware, PUP reputation or ban listed applications found currently running by the sensor will be terminated. Please note that this means that a termination from the sensor may be sent after the offending application has already finished executing on its own.
For more information on functional differences between System Extensions and Kernel Extensions, please refer to this document.
Local Sensor Administration via repCLI
The macOS 3.5.2.78 release extends the repCLI command line tool that enables local administration of the sensor. Please see the following Knowledge Base article for a list of available commands: RepCLI on macOS
3.5.1.31
Carbon Black Cloud sensor version 3.5.1.31 is a generally available release for macOS only. Version 3.5.1.31 replaces 3.5.1.23. This sensor is functionally identical to 3.5.1.23, with the addition of several critical fixes.
Changes to the sensor approval process
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and approve KEXT, System Extension, and Network Extension code signing certificates.
Sensor approvals on macOS Big Sur
Sensor version 3.5.1.31 supports both KEXT and System Extension operation on macOS Big Sur.
The process for approving KEXTs has changed on macOS Big Sur. Please review this article for more information on the revised process: Changes to KEXT pre-approval on macOS Big Sur.
The sensor’s System Extension and Network Extension should be approved via an MDM to avoid the need for user approval. Please review this article for details on the approval process: Approving the macOS sensor’s System Extension and Network Extension.
Changes to Full Disk Access permissions in the 3.5.1 sensor
The 3.5.1 sensor has been restructured and the Full Disk Access policy process has changed as a result. An updated profile is required for running 3.5.1.31 on any supported version of macOS (10.12 - 11.2). Please review this article for details on the revised process: Granting the macOS sensor Full Disk Access (v3.5.1+).
The most up to date MDM instructions and payloads for configuring the installation is always available in the mounted DMG of the sensor installer, under the docs folder.
Release checksums
| 3.5.1.31 DMG SHA256 Checksum |
e60164d335378d12bed697ef52d2ba6aa994213c0ea94482ccfdbaf340f7add5 |
| 3.5.1.31 PKG SHA256 Checksum |
a308a3c4096c65fdd5df1fc371dd7b9c9d5cd6a6820caa7488021bb0f392b3c3 |
Apple Silicon M1 support
The 3.5.1.31 Carbon Black Cloud sensor is not officially supported for use on Apple Silicon M1 hardware. Although installation on M1 machines is not blocked, performance while using Rosetta 2 emulation can deviate from expected performance and stability on Intel hardware. For this reason, we do not recommend deploying the sensor on production M1 machines.
Native support for the Apple Silicon architecture will be available in a future release.
Supported architecture matrix for 3.5.1 sensor and macOS Big Sur:
| macOS / CPU Arch. |
Intel x86-64 |
Apple Silicon / ARM |
| KEXT |
Supported |
Not supported, see installation caveats |
| System Extension |
Supported |
Experimental, emulation mode, not officially supported |
3.5.1.23
Carbon Black Cloud sensor version 3.5.1.23 is a generally available release for macOS only. 3.5.1.23 replaces 3.5.1.19.
This sensor is functionally identical to 3.5.1.19. Please see the 3.5.1.19 release notes for more details.
Release checksums
| 3.5.1.23 DMG SHA256 Checksum |
d047c4bd69fb6bdba2b0474c8fc155dafce032000f4401567e01f6c402fd4478 |
| 3.5.1.23 PKG SHA256 Checksum |
a8247d9bea1adbea7b280790fa10a69382a5e7758a6450f2e8c7901285c5f248 |
3.5.1.19
Carbon Black Cloud sensor version 3.5.1.19 is a generally available release for macOS only.
Important Notes:
- 3.4.4.51 is the only supported downgrade path from the 3.5.1.19 sensor.
- This sensor provides initial support for macOS Big Sur. Please read these release notes carefully as some functionality and processes have changed.
Changes to the sensor approval process
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and approve KEXT, System Extension, and Network Extension code signing certificates.
Sensor approvals on macOS Big Sur
Sensor version 3.5.1.19 supports both KEXT and System Extension operations on macOS Big Sur.
The process for approving KEXTs has changed on macOS Big Sur. See Changes to KEXT pre-approval on macOS Big Sur.
The sensor’s System Extension and Network Extension should be approved via an MDM to avoid the need for user approval. See Approving the macOS sensor’s System Extension and Network Extension.
Changes to Full Disk Access permissions in the 3.5.1 sensor
The 3.5.1 sensor has been restructured and the Full Disk Access policy process has changed as a result. An updated profile is required for running 3.5.1.19 on any supported version of macOS (10.12 - 11). See Granting the macOS sensor Full Disk Access (v3.5.1+).
Current MDM instructions and payloads for configuring the installation are available in the mounted DMG of the sensor installer, under the docs folder.
Release checksums
| 3.5.1.19 DMG SHA256 Checksum |
bea78b8e0870f45cd85aedb728676f687c2e522a48fba53bc9aa3fd39f90778c |
| 3.5.1.19 PKG SHA256 Checksum |
19bc75f8a7ff00bdc86f01bed06cc1ef024cb01aaa8d70b34f1a30efbdabf640 |
Ended support for macOS 10.11
The CBC 3.5.1.19 sensor release is only compatible with macOS versions 10.12 and newer. You cannot install this sensor version on older operating systems.
Note: The sensor will not allow an upgrade to 3.5.1 on macOS 10.11.
Apple Silicon M1 support
Sensor release 3.5.1.19 introduces experimental support for the Apple Silicon M1 using the non-native, emulation mode. Native support for the Apple Silicon architecture will be available in a future release.
The following table shows a supported architectures matrix for the CBC 3.5.1 sensor and macOS BigSur:
| macOS / CPU Architectures |
Intel x86-64 |
Apple Silicon / ARM |
| KEXT |
Supported |
Not supported; see installation caveats |
| System Extension |
Supported |
Experimental, emulation mode |
macOS Big Sur support
Sensor version 3.5.1.19 includes initial support for macOS Big Sur. This sensor enables a subset of Carbon Black Cloud functionality via System Extensions, but full functionality is still available via Kernel Extensions (KEXTs). We recommend all Endpoint Standard customers continue to use Kernel Extensions until you are notified that all functionality is available via System Extensions.
Before deploying this sensor to macOS Big Sur, review the functionality you can expect to receive with System Extensions vs. KEXTs: macOS Big Sur Functionality Overview.
Local administration via repCLI command line tool
The macOS 3.5.1.19 release introduces a command line tool that enables local administration of the sensor. See RepCLI on macOS for a list of available commands.
Sensor file system restructuring
The macOS 3.5.1.19 release introduces updated sensor file system install locations, thereby altering where the sensor stores its executables and resources. The change meets full compliance requirements with latest macOS versions and also concludes branding changes to VMware Carbon Black. This change can impact custom deploy and monitoring tools. See New macOS sensor file paths beginning in 3.5.1.19.
Installer TOCTOU security vulnerability fix
Carbon Black MacOS Sensor 3.5.1 addresses a file overwrite issue in the installer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2020-4008 to this issue. This release addresses a security issue. See https://www.vmware.com/security/advisories/VMSA-2020-0028.html.
New administrative sensor states
This release adds new administrative sensor states. You can query them from the Endpoints page by using the sensorStates:STATE_STATE query or by using the RepCLI tool.
| SENSOR_STATE |
Description |
| DRIVER_LOAD_NOT_GRANTED |
Sensor failed to load KEXT or System Extension. MDM or manual approval is required. Sensor is in bypass until the load is granted. This state coexists with DRIVER_KERNEL or DRIVER_USERSPACE. |
| DRIVER_INIT_REBOOT_REQUIRED |
KEXT or System Extension failed to initialize due to reboot requirement. Sensor is in bypass until after reboot. |
| DRIVER_INIT_ERROR |
KEXT or System Extension failed to initialize and load for any reason other than the missing grant or reboot. Sensor is in bypass mode. |
| DRIVER_KERNEL |
Sensor is in KEXT-enabled mode. |
| DRIVER_USERSPACE |
Sensor is in System Extension-enabled mode (macOS11+ only). |
| FULL_DISK_ACCESS_NOT_GRANTED |
Sensor does not have full disk access granted, which will reduce the efficacy of select features. MDM or manual approval is required. |
| DRIVER_OPTIONS_UPDATE_PENDING |
In 10.14 and 10.15 only. The repcli command to toggle between persistent/unloadable KEXT was acknowledged, but will require a reboot to complete. |
DRIVER_OPTIONS_DEVELOPER_MODE
|
In 10.14 and 10.15 only. The machine has loaded the KEXT in a persistent manner and will require a reboot to successfully uninstall/upgrade. |
3.4.4.51
Carbon Black Cloud sensor version 3.4.4.51 is for macOS only. This release is Generally Available.
Important:
- 3.4.4.51 is the only supported downgrade path from the 3.5 sensor family that is being released later in 2020.
- This sensor version is not supported for macOS Big Sur. Installing this sensor on macOS Big Sur results in the sensor entering a Bypass state.
Certificate approval process
Devices that are upgrading to 3.4 from sensor versions 3.0 and older should have the new code signing certificate (Team ID 7AGZNQ2S2T) approved prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release. See Known Issues.
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and approve the KEXT code signing certificate.
See the following article about granting the sensor Full Disk Access as required by macOS 10.14+: macOS 10.14+ Privacy Changes and Granting the macOS Sensor Access.
Release checksums
| 3.4.4.51 DMG SHA256 Checksum |
04959ea72c86778a5019cff6bb0f9c89faa0cae775681e12e67a17c3609c0fd7 |
| 3.4.4.51 PKG SHA256 Checksum |
40138f87b7c8800e8199e384f26be076cb9e7c1afadf079904d4972d52c28397 |
Ended support for macOS 10.10
The macOS 3.4.4.51 sensor release is only compatible with macOS versions 10.11 and newer versions. Installation of this sensor version on older operating systems is not possible.
Note: The sensor will fail to upgrade from 3.4.3 to 3.4.4 on macOS 10.10.
Full Disk Access status reported in the console
Beginning with sensor version 3.4.4.51, the macOS sensor can now detect when it has not been granted Full Disk Access (FDA) on an endpoint. Full Disk Access can be granted manually on the endpoint or with a policy via MDM. To locate endpoints that do not have Full Disk Access enabled, search for the following string on the Endpoints page in the console:
sensorStates: FULL_DISK_ACCESS_NOT_GRANTED
3.4.3.44
Carbon Black Cloud sensor version 3.4.3.44 is for macOS only. This release is Generally Available.
This release fixes bugs and performance issues. For more information about the cumulative changes in this sensor version, see the macOS 3.4.2.23 release notes.
Important: KEXT certificate approval process
Devices that are upgrading to 3.4 from sensor versions 3.0 and older must have the new code signing certificate (Team ID 7AGZNQ2S2T) approved prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release. See Known Issues for details.
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and allow the KEXT code signing certificate.
Release checksums
| 3.4.3.44 DMG SHA256 Checksum |
0fe44079434904432b2a900e10320fdbf83ae4b29f0b4544f17ff1d9ab449c72 |
| 3.4.3.44 PKG SHA256 Checksum |
1d0eccb24df75909177201fe4b4499b7107ab64049ba99d1a88416780117d6c0 |
3.4.2.23
Carbon Black Cloud sensor version 3.4.2.23 is for macOS only. This release is Generally Available.
Certificate allow list process
Devices that are upgrading to 3.4 from sensor versions 3.0 and older should have the new code signing certificate (Team ID 7AGZNQ2S2T) allow-listed prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release.
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and allow-list the KEXT code signing certificate.
Release checksums
| 3.4.2.23 DMG SHA256 Checksum |
f0799c663d45f68f6d4a44ef82c2adcf7196432fcf4e65e829738f701d10b0e9 |
| 3.4.2.23 PKG SHA256 Checksum |
bafb9e759a055c9cc3268eaaf0d1650b4bead91bac589f4c064df4fca8458fc9 |
3.4.1.7
Carbon Black Cloud sensor version 3.4.1.7 is for macOS only. This release is Generally Available.
This release builds on work completed for the macOS sensor versions 3.3.3 and 3.3.4. For more information about the cumulative changes in this sensor version, see the macOS 3.3.3 and 3.3.4 release notes.
Certificate allow list process
Devices that are upgrading to 3.4 from sensor versions 3.0 and older should have the new code signing certificate (Team ID 7AGZNQ2S2T) allow-listed prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release.
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and allow list the KEXT code signing certificate.
Release checksums
| 3.4.1.7 DMG SHA256 Checksum |
9b505b56a9d909db5e2d27609ad6ed8a9eda620af1867ed4485b004da27391ea |
| 3.4.1.7 PKG SHA256 Checksum |
251a09e0bf2ce53b5899abd72126f6a6d1075e0f7d82c14bc5197e3b86cf187d |
Enhanced investigations with CB ThreatHunter
CB ThreatHunter brings incident response capabilities to macOS on the Carbon Black Cloud, delivering endpoint visibility and enhanced search to our cloud platform. To enable a macOS endpoint to return CB ThreatHunter data, your organization must have purchased CB ThreatHunter and must have the macOS 3.4 or later sensor installed on the endpoint. The macOS 3.4 sensor supports CB ThreatHunter standalone, as well as any combination of CB Defense, CB LiveOps, and CB ThreatHunter. See https://community.carbonblack.com/t5/Cb-ThreatHunter/ct-p/CbThreatHunter.
VMware Workspace ONE on macOS
The Carbon Black Cloud console now reports the universally unique identifier (UUID) of macOS endpoints and shares that information with VMware Workspace ONE. This enables Workspace ONE macOS users, who are also Carbon Black users, to access the Carbon Black Cloud.
