
PSC macOS Sensor Version 3.3.3 Release Notes


PSC sensor version 3.3.3.35 is a GA (General Availability) release for macOS.

Important: This sensor version does not support CB ThreatHunter standalone. Customers who have CB ThreatHunter standalone should not upgrade to the 3.3.3 sensor.

This sensor supports the following PSC implementations:

  • CB Defense
  • CB Defense and CB LiveOps
  • CB LiveOps
  • CB Defense and CB ThreatHunter*
  • CB Defense, CB ThreatHunter, and CB LiveOps*

*macOS is not currently supported for CB ThreatHunter. In these configurations, only Defense events will be displayed for macOS endpoints.

Important

Devices that are upgrading to 3.3.3 from sensor versions 3.0 and older should have the new code signing certificate (Team ID 7AGZNQ2S2T) allow-listed prior to the sensor upgrade. This procedure is required because of a Team ID change in the CB Defense code signing certificate that was introduced in the 3.1 sensor release. See the Known issues section for more details. 

Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and allow-list the KEXT code signing certificate.

See the following User Exchange article about granting the sensor Full Disk Access as required by macOS 10.14+ in order to enable all PSC sensor features: macOS 10.14+ Privacy Changes and Granting the macOS Sensor Access.

Release checksums

3.3.3.35 DMG SHA256 checksum: 8725fc7727b1f352d8d06b15648d7990e90d7bd90ed9e4c91e3cc30ff63f5236
3.3.3.35 PKG SHA256 checksum: c20d6e7c39db6494445735c5b0de506a6378fa9125d8fa79c95ccdfbd0f7da64

Updated macOS engine

Version 3.3.3 of the macOS sensor includes an updated engine that brings numerous efficacy enhancements to macOS detection and prevention features.

Enhancements and fixes include the following:

  • More accurate process reporting and an improved alert process tree
  • Malicious DYLD on-load prevention
  • Improved script detection heuristics and reporting of script processes
  • Command line reporting accuracy improvements
  • Improved file and process block reporting with more granularity
  • Improved fileless script and command line interpreter detection
  • Improved disk type detection of removable and network drives
  • Improved detection of privilege escalation
  • Greater efficacy in allow-listing and policy application that resolves occasional problems with Allow-listing and Permissions rules lag
  • Resolved false positives around shell process scraping memory and communicating on network
  • Overall performance improvements due to the upgraded engine


LiveOps standalone mode

LiveOps-only implementations are now supported for macOS beginning with the 3.3.3 sensor.

Support for macOS 10.15 Catalina beta

This sensor release provides support for the macOS 10.15 Catalina beta. Please note that because Apple is still iterating on the 10.15 beta, you may experience some inconsistency when running the sensor on this beta OS. Subsequent PSC macOS sensor releases will include additional improvements to account for potential macOS changes between 10.15 Beta and GM.

Beginning in macOS 10.15, a system reboot is required for newly-installed KEXTs to load. Factor this reboot requirement into your deployment workflow. Endpoints that require a reboot report that state on the Dashboard or Endpoints page; search for sensorStates:DRIVER_INIT_REBOOT_REQUIRED on the Endpoints page to find 10.15 beta devices in bypass mode that require a reboot.

Fixed in this Release

Efficacy enhancements and bug fixes

Issue ID Description
DSEN-2966, DSEN-3641, DSEN-4414 This release includes cumulative macOS engine updates that deliver numerous security efficacy enhancements. See the Updated macOS engine section for more details.
DSEN-5724, DSEN-5942, EA-14530 This release improves detection of the PRIVILEGE_ESCALATION, FILELESS_SCRIPT, and RUN_CMD_SHELL TTPs.
DSEN-5613, DSEN-5535, DSEN-5537 This release enables the sensor to install and operate on an endpoint that is running the macOS 10.15 Catalina beta. This includes reboot handling, the KEXT install location change, updated Time Machine handling, OS upgrade support, and updated 10.15 driver support.
DSEN-5875 CB LiveOps: Enhanced tamper protection of the CB LiveOps engine, which prevents it from being terminated by external actors.

Performance and Stability

Issue ID Description
DSEN-2996 This release includes an updated engine that improves sensor performance under high system load.

Other

Issue ID Description
DSEN-4056 This release includes an updated Osquery engine binary (3.3.2).

Known Issues and caveats


Carbon Black has identified a bug in the 3.3.x sensors that can in some instances cause the following symptoms:

  • endpoint sluggishness
  • applications taking several minutes to open
  • delays in events reporting to the console

The team is working on a fix, but in the meantime we recommend holding off on upgrading 3.2.x sensors to 3.3.x sensors. If you have already upgraded to 3.3.x, a reboot will temporarily resolve the issue in most cases. This bug is only impacting a small number of endpoints at this time.

Although Carbon Black officially dropped support for macOS versions 10.6 - 10.9 in the 3.1 release, 3.1 and 3.2 sensors would still install and operate on 10.8 - 10.9. In the 3.3.1 release, we dropped this unofficial capability altogether, and the 3.3+ sensor will no longer install on macOS versions 10.8 - 10.9.

The last sensor version for 10.6-10.9 is 1.2.4 (EOL). The range of macOS versions covered is as follows: 

3.x sensor: macOS 10.10 - 10.14.6 (official support), 10.15 (beta support)

1.x sensor (EOL): 10.6 - 10.12 

The following behavior is expected when pushing a 3.3 sensor upgrade (cloud, attended, and unattended) to 1.x sensors that are running on an unsupported OS: 

  • Devices running 10.6-10.9 will not upgrade.

There is an infrequent known issue where the Malware Removal UI inaccurately reports the actions that were or were not taken. This issue will be resolved in an upcoming backend release.

Issue ID Description
DSEN-6034 Events from endpoints running v3.3.3 of the sensor do not display in CB ThreatHunter-only orgs. Customers with only CB ThreatHunter should not run v3.3.3 of the sensor.
DSEN-2735 Device name in sensor management is case sensitive.
DSEN-2700 Rare issue where repmgr sporadically crashes on shutdown, typically when the cloud is unreachable.
DSEN-2543 The unattended install script does not accept multiple long options. The workaround is to give every long option an explicit value (such as 0 or 1) in the --option=value form; for example: --downgrade=1 --skip-kext-approval-check=1.
DSEN-3740 When a device is removed from an AD domain, the sensor is still reflected as being within that domain in the Endpoints page and remains in a sensor group. The sensor must be taken out of auto-assignment to make policy updates to that sensor. As a workaround, you can manually remove the sensor from the AD group and assign a policy (click into the device, turn off auto-assign, and change the policy).
DSEN-3752 Cloud uninstall of the sensor takes a long time due to a change in the backend.
DSEN-3669 Old canary files, specifically those with variable or random file names, are not always properly cleaned up by the sensor. This can cause ransomware false positives.

Known issues with macOS 10.15 Catalina beta

Issue ID Description
DSEN-5912 There is a known issue where the uninstaller reports an error when run on the macOS 10.15 beta. This will be resolved in a future release of the sensor and can be safely ignored during your macOS 10.15 testing because it does not affect subsequent installations of the sensor.

Additional resources

CB Predictive Security Cloud: macOS 10.14+ Privacy Changes and Granting the PSC macOS Sensor Access
Cb Defense: How To Find Sensors on High Sierra With KEXT Not Approved
PSC Sensor macOS Support
[PSC macOS] macOS 10.15 Catalina Reboot Requirement and Sensor Installation

Carbon Black, Inc. | 1100 Winter Street, Waltham, MA 02451 USA | Tel: 617.393.7400

Copyright © 2011–2019 Carbon Black, Inc. All rights reserved. Carbon Black, CB Defense, Cb ThreatHunter, CB ThreatSight, and CB LiveOps are registered trademarks and/or trademarks of Carbon Black, Inc. in the United States and other countries. All other trademarks and product names may be the trademarks of their respective owners.

Comments

Exemplary to have the code signing Team-id so prominently in this article! Thanks!

A download link in this article would have been greatly appreciated though...

@jbygden what download link are you wanting here?

Well, this is the release notes for the macOS sensor - so, a link to download it doesn't seem totally unreasonable.

I did find it, and downloaded it, through our customer portal. So I don't need it any more, but I find it strange that this article doesn't even mention how to actually get it.

We're a pretty new customer, and don't know all the (to older, more experienced customers) obvious ways things are done with CB.

Jbygden is not alone.

This page has quite poor structure and things are hard to find unless you spend a lot of time here.

As with all GA releases for a Carbon Black Cloud (PSC) Sensor, the sensor itself will be fully available to download via the Console...

ENDPOINTS>>Sensor Options>>Download Sensor Kits>>macOS

Article Information
Creation Date: 09-05-2019
Views: 5831