
[Carbon Black Cloud] macOS User Space Functionality Overview


Introduction

Beginning in macOS 11, the Carbon Black Cloud macOS sensor (v3.5.1) operates by default in user space via System Extensions instead of the Kernel Extensions (KEXTs) used in prior versions of the agent.

As a result of this change, there are some functional differences when using the sensor in System Extension mode on macOS 11 and later. Using the sensor in KEXT mode achieves the same functionality on macOS 11 as it does on older operating systems.

Please be advised that unless otherwise specified, documentation related to macOS functionality on the Carbon Black Cloud pertains to macOS 10.15 and earlier or to functionality delivered via the KEXT on macOS 11.

This matrix outlines macOS functionality on the Carbon Black Cloud. The functionality detailed in the macOS 11+ (user-space) column pertains to the sensor’s functionality in user space (System Extension) in the initial macOS 11-compatible sensor release (v3.5.1+). For functionality provided via the kernel extension, please refer to the macOS 10.12 - 11 (KEXT) column. A blank cell means the functionality is not marked as available in that mode.

Endpoint Standard

| Functionality | macOS 10.12 - 11 (KEXT) | macOS 11+ (user-space) |
|---|---|---|
| Behavioral EDR (analytics detection) | X | X |
| Behavior-based prevention (non-reputation policy rules) | X | |
| Targeted Prevention (deny operation vs. terminate process) | X | |
| Reputation-based prevention (CB Analytics) | X | X |
| Banned-list based prevention (Deny List) | X | X |
| Approved-list allowances (hash, cert, IT tool) | All | Hash only |
| Automatic Malware Removal | X | X |
| On-demand File Collection | X | X |
| On-demand File Deletion | X | X |
| On-demand - Endpoint Network Isolation (Quarantine) | X | X |
| Interactive Remote Shell Capability for Remediation (Live Response) | X | X |
| Behavior-based Ransomware Detection/Prevention (non-reputation) | X | |
| XProtect Block Event Collection | | X |


Enterprise EDR

| Functionality | macOS 10.12 - 11 (KEXT) | macOS 11 (user-space) |
|---|---|---|
| Continuous Endpoint Telemetry Data Collection: | | |
| - Process Start/Stop/Parent/Source binary, etc. | X | X |
| - In/Outbound Network Connections | X | X |
| - File Modifications (RWCD) | X | X |
| - Cross Process Memory Injection/Scraping | X | |
| - Module Loads | X | |
| - Script Loads | X | X |
| 30 Day Data Retention (longer if associated with an alert) | X | X |
| Regex and Wildcard Search/Alert Query Language Support | X | X |
| Custom/Customer-created Alert Criteria | X | X |
| Support for Industry-standard Threat Feeds (STIX/TAXII) | X | X |

 

Operations

| Functionality | macOS 10.12 - 11 (KEXT) | macOS 11 (user-space) |
|---|---|---|
| Sensor Uninstall Prevention (require unique code) | X | |
| Sensor Tamper Prevention | X | |
| Industry Standard Installer (.msi/.dmg/tar) | X | X |
| Console Driven Sensor Upgrade | X | X |
| Policy Controlled Sensor Upgrade | X | X |
| Sensor Health Monitoring/Alerting | X | X |

 

Audit & Remediation and Integrations

| Functionality | macOS 10.12 - 11 (KEXT) | macOS 11 (user-space) |
|---|---|---|
| Audit & Remediation (enterprise-class Osquery) | X | X |
| Open APIs to Query All Endpoint Data | X | X |
| Open APIs to Invoke All Remediation Functions | X | X |

 

Comments

I'm struggling so bad in finding the actual installer on this webpage.
I've been searching for the 3.5.1.23 sensor installer for Mac for 30 minutes and I'm just getting looped around on your information pages.

Where can I find the download?

 

 

I believe that the download would be available in your console.

@viktor_filipsso sensor downloads are always done directly through the console.

Endpoints > Sensor Options > Download Sensor Kits. 

Is there any update on the user-space features? Some are estimated to be available in Q1, which would mean this month.

What about the ones that are planned or in development?

May I know your support plan for user-space features that have not been resolved yet?

Any new ETA on Sensor Uninstall Prevention & Sensor Tamper Prevention for the System Extension version of Carbon Black Cloud?

@srissland do you know if Carbon Black Cloud sensor 3.5.3.82 supports macOS Big Sur 11.6?

@bashir M1 support is still in Beta/Early-Access test status and has not been released yet.

[Carbon Black Cloud] Update on Apple Silicon Support 

Hello @srissland 

Does the above matrix still apply to sensor version 3.6.1.10 which supports macOS 12 Monterey?

Are the missing user-space functionalities for macOS 11 still missing for 3.6.1.10 as well?

 

Thanks in advance

@haro yes, the user space matrix is still applicable to 3.6.1.10 on Monterey.

@srissland that is news I would rather not hear. When will the required fixes be finished?

Is there a suggestion or mitigation we can use within the software?

Article Information
Creation Date: 02-26-2021
Views: 18875