Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud macOS Sensor 3.3.4 Release Notes

Carbon Black Cloud macOS Sensor 3.3.4 Release Notes

Carbon Black Cloud sensor version is a generally available maintenance release for macOS only. Sensor version includes full support for macOS Catalina.


In these release notes:

Important notification about the certificate whitelist process 

Devices that are upgrading to 3.3.4 from sensor versions 3.0 and older should have the new code signing certificate (Team ID 7AGZNQ2S2T) whitelisted prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release. See the Known issues section for more details. 

VMware Carbon Black recommends using an MDM-compatible mass deployment solution to push the updates, pre-approve, and whitelist the KEXT code signing certificate.

See the following User Exchange article about granting the sensor Full Disk Access as required by macOS 10.14+: macOS 10.14+ Privacy Changes and Granting the macOS Sensor Access.

Release checksums DMG SHA256 Checksum

beba3486dbce19c50f48b73cbafe26b02351171369b87e8232b3707ac43a1a95 PKG SHA256 Checksum



Fixed in this release

Efficacy enhancements and bug fixes

Issue ID




Resolved an issue that caused macOS endpoints to experience degraded performance and event population latency in the backend.



Work around a regression in macOS 10.15.1 concerning Apple’s VFS API that, in some hardware configurations, resulted in kernel panics at OS boot/reboot when the macOS sensor was installed.


Resolves a LiveQuery issue that resulted in the sensor occasionally entering a loop when it encountered an error while attempting to run a query.



Resolved sensor tamper protection false positive triggered during OS reboot that resulted in interop between sensor and OS tools attempting to temporarily disable sensor service. That issue manifested with Alerts and MODIFY_SENSOR TTP.


General script detection improvements


Installer fixes for 10.15 Catalina that address issues of failed sensor upgrade and incomplete uninstall


Known issues and caveats


There is a known issue where Malware Removal infrequently and inaccurately reports actions.


Issue ID

Affected Product



Carbon Black Cloud

Device name in sensor management is case sensitive.


Carbon Black Cloud sensor

Rare issue where repmgr sporadically crashes on shutdown, typically when the cloud is unreachable.


Carbon Black Cloud sensor

The unattended install script does not accept multiple long options. The workaround is to always provide a value (such as 0 or 1) next to every long option following = character; for example: --downgrade=1 --skip-kext-approval-check=1.


Carbon Black Cloud

When a device is removed from an AD domain, the sensor is still reflected within that domain on the Endpoints page and remains in a sensor group. The sensor must be taken out of auto-assignment to make policy updates to that sensor. As a workaround, you can manually remove the sensor from the AD group and assign a policy (click into the device, turn off auto-assign, and change the policy).


Carbon Black Cloud

Cloud uninstall of the sensor takes a long time due to a change in the backend.


CB Defense

Old canary files, specifically with variable or random file names, are not always properly cleaned up by the sensor. This can cause ransomware false positives.


0 Kudos


Few questions on the release notes.

(1) The above known issues lists, there is a reference to an issue with DSEN-5744 and DSER-17746.

      However, in the PDF version of release note, there no reference to above issues.

      Which is correct?


(2) In the release note, there are reference to macOS sensor not supporting "CB ThreatHunter Only" environments.

    But this release note does not have this restriction mentioned.

    Has this restriction been removed or does it still apply?





Is there an updated 'un-attended install' script that should be used for this newest sensor? I am trying to upgrade to this newest sensor using the script version for VERSION= while combining it with the newest package ( in JAMF however I am having issues.


ANSWER: Editing my comment since I found out that the new unattended install script is actually contained in the DMG, under docs.

Just to confirm, with this release, it is safe for our users to finally upgrade to MacOS Catalina 15.1?

What's the recommended approach to install this new sensor version for (1) machines on 10.15.1 that were affected, and had the KEXT removed, (2) machines that are on 10.15.1 that did not have their KEXT removed/weren't affected, and (3) machines NOT on 10.15.1 with the older sensor version?


1. apologies, that was a rogue copy and paste. Those tickets do not apply to
2. and do not support CB ThreatHunter on macOS. If you have CB ThreatHunter you must use sensor version (or higher) in order to report CB ThreatHunter events from macOS endpoints. CB ThreatHunter-only organizations with macOS are only supported on or higher, earlier sensor versions will not report events to the backend in CB ThreatHunter-only organizations.

@victornee , yes, and higher are supported on macOS 10.15.1 and higher.

Article Information
Creation Date: