
[Carbon Black Cloud] macOS User Space Functionality Overview

Attention (Jun 27 2022): Support information for each Carbon Black Cloud Sensor has moved to VMware Docs. This UEX page will no longer be updated and has migrated to VMware Docs macOS User Space Functionality.

Each sensor is a distinct OER on VMware Docs and the links are provided below:

Introduction

Beginning in macOS 11, the Carbon Black Cloud macOS sensor (v3.5.1) operates by default in user space via a System Extension instead of the Kernel Extension (KEXT) used by prior versions of the agent.

As a result of this change, some functionality differs when the sensor runs in System Extension mode on macOS 11 and later. Running the sensor in KEXT mode on macOS 11 gives the same functionality as on older operating systems.

Please be advised that, unless otherwise specified, documentation about macOS functionality on the Carbon Black Cloud pertains to macOS 10.15 and earlier, or to functionality delivered via the KEXT on macOS 11.

The matrix below outlines macOS functionality on the Carbon Black Cloud. The macOS 11+ column describes the sensor's functionality in user space (System Extension) in the initial macOS 11-compatible sensor release (v3.5.1+). For functionality provided via the kernel extension, refer to the macOS 10.12 - 11 (KEXT) column. An X marks a function available in that mode; an empty cell marks one that is not.
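Which column applies to a given Mac depends on how the sensor is actually loaded, and that is worth verifying rather than assuming from the macOS version alone: a System Extension can be installed but still waiting for user approval, and a KEXT can remain loaded on macOS 11 if the upgrade never switched modes. The following POSIX shell script is an added example, not part of the original article and not Carbon Black's own tooling. It classifies the sensor's mode by parsing the text of `systemextensionsctl list` and `kmutil showloaded` (or `kextstat` on older releases). The bundle identifier `com.example.sensor` is a placeholder for the real sensor's bundle ID, and the sample command outputs are constructed so the parser can be exercised on any system.

```shell
#!/bin/sh
# Added example, not Carbon Black's own tooling: decide whether an endpoint
# sensor on macOS 11+ is running as a System Extension (user space) or as a
# KEXT, by parsing the text of `systemextensionsctl list` and `kmutil showloaded`.
# VENDOR_MATCH is a placeholder substring; set it to the sensor's real bundle ID.
VENDOR_MATCH="${VENDOR_MATCH:-com.example.sensor}"

# sysext_mode LIST_OUTPUT
# Prints "user-space" when a matching extension in the endpoint_security
# section is "[activated enabled]", "pending" when one is listed but not yet
# enabled (for example still waiting for user approval), and "none" otherwise.
# Only the endpoint_security section counts: the same vendor may also ship a
# network extension, which says nothing about how telemetry is collected.
sysext_mode() {
    printf '%s\n' "$1" | awk -v match_id="$VENDOR_MATCH" '
        /^--- / { section = $2 }
        section == "com.apple.system_extension.endpoint_security" && index($0, match_id) {
            found = 1
            if (index($0, "[activated enabled]")) enabled = 1
        }
        END {
            if (enabled) print "user-space"
            else if (found) print "pending"
            else print "none"
        }'
}

# kext_loaded KMUTIL_OUTPUT
# Prints "kext" if a loaded kernel extension matches VENDOR_MATCH, else "none".
# Works on the output of `kmutil showloaded` (macOS 11+) or `kextstat` (older).
kext_loaded() {
    if printf '%s\n' "$1" | grep -qF -- "$VENDOR_MATCH"; then
        echo "kext"
    else
        echo "none"
    fi
}

# sensor_mode LIST_OUTPUT KMUTIL_OUTPUT
# Combines both checks into the matrix column that applies to this machine.
sensor_mode() {
    sx=$(sysext_mode "$1")
    kx=$(kext_loaded "$2")
    if [ "$sx" = "user-space" ]; then
        echo "user-space (System Extension)"
    elif [ "$kx" = "kext" ]; then
        echo "kernel (KEXT)"
    elif [ "$sx" = "pending" ]; then
        echo "system extension present but not activated"
    else
        echo "not loaded"
    fi
}

# Constructed sample outputs (not captured from a real machine) in the shape
# the two commands print, so the functions can be exercised on any system.
SAMPLE_SYSEXT_ENABLED='2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled  active  teamID      bundleID (version)                  name            [state]
*        *       ABCDE12345  com.example.sensor.es (3.5.1/3.5.1) Example Sensor  [activated enabled]
--- com.apple.system_extension.network_extension
enabled  active  teamID      bundleID (version)                   name         [state]
                 ABCDE12345  com.example.sensor.net (3.5.1/3.5.1) Example Net  [activated waiting for user]'

SAMPLE_SYSEXT_PENDING='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled  active  teamID      bundleID (version)                  name            [state]
                 ABCDE12345  com.example.sensor.es (3.5.1/3.5.1) Example Sensor  [activated waiting for user]'

SAMPLE_KMUTIL='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  170    0 0xffffff7f83a00000 0x20000    0x20000    com.example.sensor.kext (3.4.2) 00000000-0000-0000-0000-000000000000 <8 6 5 3 1>'

# With --live on a Mac, classify the real machine; otherwise show the samples.
if [ "${1:-}" = "--live" ] && command -v systemextensionsctl >/dev/null 2>&1; then
    kx_out=$(kmutil showloaded 2>/dev/null || kextstat 2>/dev/null)
    sensor_mode "$(systemextensionsctl list 2>/dev/null)" "$kx_out"
else
    printf 'enabled sample: %s\n' "$(sensor_mode "$SAMPLE_SYSEXT_ENABLED" "")"
    printf 'pending sample: %s\n' "$(sensor_mode "$SAMPLE_SYSEXT_PENDING" "")"
    printf 'kext sample:    %s\n' "$(sensor_mode "$SAMPLE_SYSEXT_PENDING" "$SAMPLE_KMUTIL")"
fi
```

Run it with `--live` on a Mac to classify the local machine; without arguments it only prints the classification of the constructed samples. The section tracking in `sysext_mode` is the point of the parser: a matching network extension in the `network_extension` section is deliberately ignored, since only an Endpoint Security extension determines whether telemetry is collected in user space.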

Endpoint Standard

| Functionality | macOS 10.12 - 11 (KEXT) | macOS 11+ (user-space) |
|---|---|---|
| Behavioral EDR (analytics detection) | X | X |
| Behavior-based prevention (non-reputation policy rules) | X | In Progress |
| Targeted Prevention (Terminate Process) | X | X |
| Targeted Prevention (Deny Process) | X | X |
| Reputation-based prevention (CB Analytics) | X | X |
| Banned-list based prevention (Deny List) | X | X |
| Approved-list allowances (hash, cert, IT tool) | All | Hash only |
| Automatic Malware Removal | X | X |
| Script Detection | X | X |
| On-demand File Collection | X | X |
| On-demand File Deletion | X | X |
| On-demand Endpoint Network Isolation (Quarantine) | X | X |
| Interactive Remote Shell Capability for Remediation (Live Response) | X | X |
| Behavior-based Ransomware Detection/Prevention (non-reputation) | X | X |
| Keylogger (CGEventTap) Detection | X | X |
| XProtect Block Event Collection | | X |


Enterprise EDR

| Functionality | macOS 10.12 - 11 (KEXT) | macOS 11+ (user-space) |
|---|---|---|
| Continuous Endpoint Telemetry Data Collection: | | |
| - Process Start/Stop/Parent/Source binary, etc. | X | X |
| - In/Outbound Network Connections | X | X |
| - File Modifications (RWCD) | X | X |
| - Cross Process Memory Injection/Scraping | X | |
| - Module Loads | X | |
| - Script Loads | X | X |
| 30 Day Data Retention (longer if associated with an alert) | X | X |
| Regex and Wildcard Search/Alert Query Language Support | X | X |
| Custom/Customer-created Alert Criteria | X | X |
| Support for Industry-standard Threat Feeds (STIX/TAXII) | X | X |

Operations

| Functionality | macOS 10.12 - 11 (KEXT) | macOS 11+ (user-space) |
|---|---|---|
| Sensor Uninstall Prevention (require unique code) | X | |
| Sensor Tamper Prevention | X | In Progress |
| Industry Standard Installer (.msi/.dmg/tar) | X | X |
| Console Driven Sensor Upgrade | X | X |
| Policy Controlled Sensor Upgrade | X | X |
| Sensor Health Monitoring/Alerting | X | X |

Audit & Remediation and Integrations

| Functionality | macOS 10.12 - 11 (KEXT) | macOS 11+ (user-space) |
|---|---|---|
| Audit & Remediation (enterprise-class Osquery) | X | X |
| Open APIs to Query All Endpoint Data | X | X |
| Open APIs to Invoke All Remediation Functions | X | X |

Comments

I'm struggling so badly to find the actual installer on this webpage.
I've been searching for the 3.5.1.23 sensor installer for Mac for 30 minutes and I'm just getting looped around on your information pages.

Where can I find the download?

I believe that the download would be available in your console.

@viktor_filipsso sensor downloads are always done directly through the console.

Endpoints > Sensor Options > Download Sensor Kits. 

Is there any update on the user-space features? Some are estimated to be available in Q1, which would mean this month.

What about the ones that are planned or in development?

May I know your support plan for user-space features that have not been resolved yet?

Any new ETA on Sensor Uninstall Prevention & Sensor Tamper Prevention for the System Extension version of Carbon Black Cloud?

@srissland do you know if Carbon Black Cloud sensor 3.5.3.82 supports macOS Big Sur 11.6?

@bashir M1 support is still in Beta/Early-Access test status and has not been released yet.

[Carbon Black Cloud] Update on Apple Silicon Support 

Hello @srissland

Does the above matrix still apply to sensor version 3.6.1.10, which supports macOS 12 Monterey?

Are the user-space functionalities missing for macOS 11 still missing in 3.6.1.10 as well?

Thanks in advance

@haro yes, the user space matrix is still applicable to 3.6.1.10 on Monterey.

@srissland that is news I would rather not hear. When will the required fixes be finished?

Is there a suggestion or mitigation we can use within the software?

@srissland Is this still relevant for 3.6.1.10?

@srissland Never mind, saw your comment answering this

Is this still relevant for M1 Big Sur devices on 3.6.1.10?

Because Tamper Protection seems to work... it blocked my unloading of the daemon.

@srissland Joining the question from @peterj:
Here it says “We’re pleased to announce that support for macOS Monterey and native Apple Silicon operation will be available on all production environments on Monday, October 25th, aligned to Apple’s release of macOS Monterey.”

So what is the status for Sensor Tamper Protection for Carbon Black Cloud Standard for both Apple Silicon and Intel on Monterey? The descriptions can be a bit misleading, and our management wants definite answers.

As of now it seems like the table above is outdated. At least Targeted Prevention (Terminate Process) works fine. Sensor Tamper Protection seems to be working just fine too. All tests were done on a MacBook Air M1, Monterey 12.1, with sensor version 3.6.1.10.

Can you please update this table with latest supported functionality?


The document got updated..

But it looks like Targeted Prevention (Terminate Process) has "In Process" status.

Article Information
Creation Date: 02-26-2021