
[Cb Defense] 10.13.4 MacOS Support

All,

The Cb Defense team is pleased to announce support for the 10.13.4 High Sierra macOS. This macOS version is currently supported by our 3.0 sensor and all future releases.

Please see our Supported Operating Systems UeX post for more detailed information on Cb Defense supported OS versions.

Thanks!

The Cb Defense Team

Comments

CB Defense is blocking legitimate processes/programs after the 10.13.4 update.

My policy group is very strict.

Deny RUN_UNKNOWN_APP:

"/System/Library/CoreServices/UniversalAccessControl.app/Contents/MacOS/UniversalAccessControl!"

"/bin/date"
"/usr/libexec/silhouette"

"/usr/libexec/firmwarecheckers/eficheck/eficheck"
"/usr/libexec/applessdstatistics"
"/usr/bin/bzip2"
"/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Helpers/SCHelper"
"/usr/libexec/rpcsvchost"
"/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/digest-service"
"/usr/libexec/smb-sync-preferences"

Thank you for the feedback. Please open a support case through Salesforce. The issue will be reviewed and feedback will be provided through those channels. Please also note that support for the new OS has not yet been fully confirmed. The team is still testing but will provide updates soon.

Thanks again for being an active member of the community.

Thank you, already filed a support case.

mclausen For mass deployment scenarios, what is your suggested method for handling the KEXT block? We have had two instances before we got in front of it, where admin users updated their OS to 10.13.4 and their sensors were placed in bypass. Luckily I found the remedy before the timer ran out - but I can't imagine there is not a way around this.

Thanks in advance!

P.S. Mac sensor is 3.0.2.8

Great question. Unfortunately, there is not an easy, out-of-the-box way to automate this using CbD. The most enterprise-ready solution is an admin leveraging MDM. It is also possible to configure the OS image for new users, although that is likely not feasible for endpoints currently in use by employees. I would like to point you to additional documentation to assist you in your work.

This document provides an easy way to find sensors with KEXT not approved.

This document provides details from Apple on managing Kernel Extensions.

I would also like to call out that CbD for Mac will be upgrading our certificate in the 3.1 release which will require a second KEXT approval. This is also documented in our release notes for 3.0.2. You can find those here.

Thanks for being involved in the community, please never hesitate to ask any questions!

Are previous versions supporting 10.13.4?

The 3.0.1 and 3.0.2 mac sensors currently support 10.13.4. Upcoming sensor releases will also have support for it.

There is more information on OS support in this document: https://community.carbonblack.com/docs/DOC-7991#jive_content_id_OS_1013_High_Sierra

Thanks for being an active member of the community.

Please be aware that 10.13.4 breaks the Mac DisplayLink driver support.

macOS 10.13.4 update breaks Duet Display, Air Display & USB DisplayLink drivers

Article Information
Creation Date: 03-30-2018