Carbon Black Cloud: Live Response Execfg Commands Fail on Mac

Environment

  • Carbon Black Cloud (formerly PSC) Console: All Supported Versions
  • Apple macOS: 10.8.x and Higher
  • Live Response is Enabled Via Policy

Symptoms

  • Live Response Session Connects Successfully
  • Commands that use execfg consistently fail

Cause

  • The default current working directory at the beginning of the Live Response session is /Applications/Confer.app
  • This directory is protected by Sensor self-protection, so there are limited rights when working from it

Resolution

  1. Change the working directory to a directory outside of the Confer.app directory with the "cd" command
  2. Run the execfg command

Additional Notes

  • The /Users/Shared directory is a default location in macOS that grants the Unix user "Everyone" Read and Write permissions
  • Changing to this directory should eliminate Unix permission and Sensor self-protection issues
  • If execfg is still not working, there may be additional issues with accessing the binary or binary interface that execfg is attempting to launch
  • Launching utilities that require Terminal to interface with a utility session typically does not work through Live Response

Article Information

Creation Date: 02-11-2019