Carbon Black Cloud: Mac Sensor Missing Network Events and Unable to Quarantine after Jan 9th 2023

Environment

  • Carbon Black Cloud Sensor: All Versions
  • Apple macOS: All Supported Versions

Symptoms

The following functionality is unavailable on affected sensors:

  • Device Quarantine
  • Reporting Network Activity (netconn events)
  • Endpoint Standard detections that leverage the network events
  • Enterprise EDR watchlists that leverage the network events
  • Endpoint Standard: Policy blocking operation “Communicates over the Network”

Cause

  • Carbon Black Cloud Mac sensor code signing certificates are expiring on January 9, 2023.
  • Carbon Black Cloud Mac sensors installed and approved prior to January 9th, 2023 will continue to fully protect the endpoint past the expiration date. However, if a sensor with an expired certificate is installed or approved (Sensor Versions 3.7.2.77 & 3.7.1.12 and lower), or if a sensor is manually reset (via repcli) after January 9th, 2023, then Network Extension functionality will be unavailable.

Resolution

  • For any new installations or upgrades after January 9th 2023, please upgrade to the latest macOS sensor.
  • We will have new sensor versions available for download from the console within the next couple of weeks. Please follow this post for updated sensor availability and version numbers. 

Additional Notes

  • Sensors deployed in KEXT mode are not impacted
  • There are no code changes in the updated macOS Sensor releases, only the updated certificate. We will change the build number to make clear which version has the newest certificate.
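
One way to triage a sensor inventory against the conditions in Cause and Additional Notes, as an added example that is not Carbon Black's own tooling. The record fields (`host`, `version`, `mode`, `last_install_or_reset`), the sample rows and any version not named in the article are constructed. Treating a higher build number on the 3.7.2 or 3.7.1 line as a re-signed release is an assumption drawn from the note about changing the build number.

```python
from datetime import date

CERT_EXPIRY = date(2023, 1, 9)  # certificate expiry date given in the article

# Last build on each release line signed with the expiring certificate (from the
# article). Assumption: a higher build on the same line is a re-signed release.
LAST_EXPIRING_BUILD = {(3, 7, 2): 77, (3, 7, 1): 12}


def has_expiring_cert(version):
    """True if this sensor version carries the expiring signing certificate."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {version!r}")
    line, build = parts[:3], parts[3]
    if line in LAST_EXPIRING_BUILD:
        return build <= LAST_EXPIRING_BUILD[line]
    # Lines below 3.7.1 fall under "and lower"; lines above 3.7.2 are not listed.
    return line < (3, 7, 1)


def network_extension_at_risk(sensor):
    """Apply the article's conditions to one inventory record."""
    if sensor["mode"] == "kext":  # KEXT-mode sensors are not impacted
        return False
    if not has_expiring_cert(sensor["version"]):
        return False
    # Only an install, approval or repcli reset after the expiry date loses the
    # Network Extension; sensors approved earlier keep working.
    return sensor["last_install_or_reset"] > CERT_EXPIRY


def triage(inventory):
    """Return hosts whose network events and quarantine will be unavailable."""
    return [s["host"] for s in inventory if network_extension_at_risk(s)]


# Constructed sample inventory (hypothetical hosts, dates and field names).
INVENTORY = [
    {"host": "mac-01", "version": "3.7.2.77", "mode": "sysext", "last_install_or_reset": date(2022, 11, 3)},
    {"host": "mac-02", "version": "3.7.2.77", "mode": "sysext", "last_install_or_reset": date(2023, 1, 20)},
    {"host": "mac-03", "version": "3.6.4.10", "mode": "kext", "last_install_or_reset": date(2023, 2, 1)},
    {"host": "mac-04", "version": "3.7.1.13", "mode": "sysext", "last_install_or_reset": date(2023, 2, 1)},
    {"host": "mac-05", "version": "3.7.1.12", "mode": "sysext", "last_install_or_reset": date(2023, 1, 10)},
]

if __name__ == "__main__":
    print(triage(INVENTORY))
```

Hosts that this flags are the ones to move to a re-signed sensor build before relying on quarantine or netconn-based detections.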

Article Information
Creation Date: 12-13-2022