
[Carbon Black Cloud] macOS Big Sur Functionality Overview


Introduction

Beginning in macOS 11, the Carbon Black Cloud macOS sensor (v3.5.1) will operate by default in user-space via System Extensions instead of the Kernel Extensions (KEXTs) used in prior versions of the agent.

As a result of this change, some functionality will be temporarily unavailable when using the sensor in System Extension mode on macOS 11 and later. Using the sensor in KEXT mode achieves the same functionality on macOS 11 as seen in older operating systems and is recommended for customers who plan to immediately adopt macOS 11.

While we plan to deliver the additional functionality gradually to avoid the performance implications that come with operating in user-space, we plan to deliver a large subset of the functionality detailed in the matrix below in a follow-on release in Q1 2021.

Please be advised that unless otherwise specified, documentation related to macOS functionality on the Carbon Black Cloud pertains to macOS 10.15 and earlier or to functionality delivered via the KEXT on macOS 11.

This matrix outlines macOS functionality on the Carbon Black Cloud. The functionality detailed in the macOS 11 column pertains to the sensor’s functionality in user space (System Extension) in the initial macOS 11-compatible sensor release (v3.5.1). For functionality provided via the kernel extension, please refer to the macOS 10.12 - 11 column.

We will keep this matrix updated as we release functionality. Please be advised that any delivery timelines specified below are estimates and subject to change.

 

Endpoint Standard

| Functionality | macOS 10.12 - 11 (KEXT) | macOS 11 (user-space) |
|---|---|---|
| Behavioral EDR (analytics detection) | X | X |
| Behavior-based prevention (non-reputation policy rules) | X | Est. 2H21 |
| Targeted Prevention (block action, not just kill process) | X | Est. 2H21 |
| Reputation-based prevention | X | X |
| Banned-list based prevention (Deny List) | X | X |
| Automatic Malware Removal | X | X |
| On-demand File Collection | X | X |
| On-demand File Deletion | X | X |
| On-demand - Endpoint Network Isolation (Quarantine) | X | X |
| Interactive Remote Shell Capability for Remediation (Live Response) | X | X |
| Ransomware Detection/Prevention | X | Est. 2H21 |
| XProtect Block Event Collect | | X |


Enterprise EDR

| Functionality | macOS 10.12 - 11 (KEXT) | macOS 11 (user-space) |
|---|---|---|
| Continuous Endpoint Telemetry Data Collection: | | |
| - Process Start/Stop/Parent/Source binary, etc. | X | X |
| - In/Outbound Network Connections | X | X |
| - File Modifications (RWCD) | X | X |
| - Cross Process Memory Injection/Scraping | X | Est. 2H21 |
| - Module Loads | X | Est. 2H21 |
| - Script Loads | X | X |
| 30 Day Data Retention (longer if associated with an alert) | X | X |
| Regex and Wildcard Search/Alert Query Language Support | X | X |
| Custom/Customer-created Alert Criteria | X | X |
| Support for Industry-standard Threat Feeds (STIX/TAXII) | X | X |

 

Operations

| Functionality | macOS 10.12 - 11 (KEXT) | macOS 11 (user-space) |
|---|---|---|
| Sensor Uninstall Prevention (require unique code) | X | Est. 2H21 |
| Sensor Tamper Prevention | X | Est. 2H21 |
| Industry Standard Installer (.msi/.dmg/tar) | X | X |
| Console Driven Sensor Upgrade | X | X |
| Policy Controlled Sensor Upgrade | X | X |
| Sensor Health Monitoring/Alerting | X | X |

 

Audit & Remediation and Integrations

| Functionality | macOS 10.12 - 11 (KEXT) | macOS 11 (user-space) |
|---|---|---|
| Audit & Remediation (enterprise-class Osquery) | X | X |
| Open APIs to Query All Endpoint Data | X | X |
| Open APIs to Invoke All Remediation Functions | X | X |

 

Comments

I'm struggling so bad in finding the actual installer on this webpage.
I've been searching for the 3.5.1.23 sensor installer for mac for 30 minutes and I'm just getting looped around on your information pages.

Where can I find the download?

 

 

I believe that the download would be available in your console.

@viktor_filipsso sensor downloads are always done directly through the console.

Endpoints > Sensor Options > Download Sensor Kits. 

Is there any update on the user-space features? Some are estimated to be available in Q1, which would mean this month.

What about the ones that are planned or in development?

Article Information
Creation Date: 02-26-2021