App Control: Agent Has Unprotected Status in Console (macOS)

Environment

  • App Control Agent: All Supported Versions
  • macOS: All Supported Versions

Symptoms

  • Receiving an event for "Unable to connect to the Kernel. Agent will not track files" and the condition persists after reboot of the machine
  • Receiving an event for "Computer not protected. The agent was unable to communicate with the kernel. Agent may be unprotected."
  • A "./b9cli --status" command returns the following:
    Kernel: Not Connected, or
    Kernel: 0.0.0.0
    

Cause

The App Control driver is either not properly installed or not fully loaded.

Resolution

  1. Verify any third-party security application has all Agent Exclusions added.
  2. Verify the Agent and macOS combination being used is supported.
  3. Use the following command in Terminal to verify the System Extension for Team ID 7AGZNQ2S2T is Enabled & Active:
    systemextensionsctl list
    Example Output:
    teamID       name                [state]
    7AGZNQ2S2T   appc-es-extension   [activated enabled]
    
  4. Check for errors when manually starting the System Extension via Terminal:
    cd /Applications/Bit9/Agent
    ./appc-es-loader.app/Contents/MacOS/appc-es-loader
  5. In System Preferences > Security & Privacy > Privacy > Full Disk Access: Verify permissions have been granted to:
    • appc_es_extension
    • b9notifier
    • b9daemon
  6. Reboot the endpoint, or restart the Agent:
    cd /Applications/Bit9/Tools 
    ./b9cli --password 'GlobalCLIPassword'
    ./b9cli --shutdown
    sudo launchctl unload /Library/LaunchDaemons/com.bit9.Daemon.plist
    sudo launchctl load /Library/LaunchDaemons/com.bit9.Daemon.plist
    ./b9cli --status
    
  7. Upgrade to the latest version of the Agent
  8. A full uninstall of the Agent and manual reinstall may be required.
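
The status checks from the Symptoms section and Resolution step 3 can be scripted for triage across endpoints. The following is an added example, not part of the original article or vendor code: it classifies captured output of systemextensionsctl list and b9cli --status. The function names, the "activated waiting for user" sample and the version 1.2.3.4 are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify output of the two commands used in this article.
# Functions take captured output so they can be exercised offline.
TEAM_ID="7AGZNQ2S2T"   # Team ID given in Resolution step 3

# Constructed samples. The first is the article's example output; the
# others (state string, version 1.2.3.4) are constructed for illustration.
SAMPLE_SYSEXT_OK='teamID       name                [state]
7AGZNQ2S2T   appc-es-extension   [activated enabled]'
SAMPLE_SYSEXT_WAIT='teamID       name                [state]
7AGZNQ2S2T   appc-es-extension   [activated waiting for user]'
SAMPLE_STATUS_OK='Kernel: 1.2.3.4'

# stdin: `systemextensionsctl list` output. Prints the [state] for team ID $1.
sysext_state() {
    grep -F -- "$1" | sed -n 's/.*\[\(.*\)\].*/\1/p' | head -n 1
}

# stdin: `b9cli --status` output. Prints the value of the "Kernel:" line.
kernel_value() {
    sed -n 's/^[[:space:]]*Kernel:[[:space:]]*//p' | head -n 1 |
        sed 's/[[:space:]]*$//'
}

# $1 = systemextensionsctl output, $2 = b9cli status output.
# Prints a one-line verdict; returns 0 if healthy, 1 if unprotected.
check_agent() {
    state=$(printf '%s\n' "$1" | sysext_state "$TEAM_ID")
    kernel=$(printf '%s\n' "$2" | kernel_value)
    case "$state" in
        "activated enabled") ;;
        "") echo "UNPROTECTED: no system extension for $TEAM_ID"; return 1 ;;
        *)  echo "UNPROTECTED: system extension state is [$state]"; return 1 ;;
    esac
    case "$kernel" in
        ""|"Not Connected"|"0.0.0.0")
            echo "UNPROTECTED: Kernel: ${kernel:-missing}"; return 1 ;;
    esac
    echo "OK: extension [$state], Kernel: $kernel"
}

# On an endpoint with the Agent installed, check live output.
B9CLI=/Applications/Bit9/Tools/b9cli
if command -v systemextensionsctl >/dev/null 2>&1 && [ -x "$B9CLI" ]; then
    check_agent "$(systemextensionsctl list)" "$("$B9CLI" --status)"
fi
```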

Additional Notes

  • System Extensions are used as of macOS 11.0+ and Agent 8.7.0+.
  • Kernel Extensions were used for macOS versions 11.x and older when Agent 8.6.x and older were used.
  • The Agent driver location for OS X versions 10.9 (Mavericks) and later is:
    /Library/Extensions/b9kernel.kext
  • The Agent driver location for OS X versions prior to 10.9 is:
    /System/Library/Extensions/b9kernel.kext

Creation Date: 10-30-2020