logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

EDR: OSX Sensor Kernel Extensions Failed to Load

EDR: OSX Sensor Kernel Extensions Failed to Load

Environment

  • EDR Sensor: osx-6.2.3+
  • OSX: 10.13+

Symptoms

Error on the console: 
Health Score continues to say: "Cb Response kernel extensions failed to load. Endpoint must be restarted to complete upgrade."

Sensor log shows: 
E0502 15:41:16.719012 185365952 sensor_service.cpp:565] Failed to start CbOsxSensorProcmon.kext
E0502 15:41:16.812042 185365952 sensor_service.cpp:591] Failed to start CbOsxSensorNetmon.kext

Cause

The issue is that OSX sensor kernel extensions are not being approved before the reboot is being conducted. the "Secure Kernel Extension Loading" (or SKEL) feature which was introduced on 10.13 macOS will not load kernel extensions unless specifically given approval to.

Resolution

  • If MDM is used, it's recommended that the customer use MDM whitelisting or make sure they're being user approved.
           macOS 10.13.4 Kext Approval Changes

Additional Notes

This approval UI is only present in the Security & Privacy preferences pane for 30 minutes after the alert. Until the user approves the KEXT, future load attempts will cause the approval UI to reappear but will not trigger another user alert. 

Related Content


Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
CB_Support
Creation Date:
‎09-09-2020
Views:
1819
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.