Carbon Black Cloud: Mac Sensor Missing Network Events and Unable to Quarantine after Jan 9th 2023
Environment
Carbon Black Cloud Sensor: All Versions
Apple macOS: All Supported Versions
Symptoms
Device Quarantine
Reporting Network Activity (netconn events)
Endpoint Standard detections that leverage the network events
Enterprise EDR watchlists that leverage the network events
Endpoint Standard: Policy blocking operation “Communicates over the Network”
Cause
Carbon Black Cloud Mac sensor code signing certificates are expiring on January 9, 2023.
Carbon Black Cloud Mac sensors installed and approved prior to January 9th, 2023 will continue to fully protect the endpoint past the expiration date. However, if a sensor with an expired certificate (Sensor Versions 3.7.2.77 & 3.7.1.12 and lower) is installed or approved, or if a sensor is manually reset (via repcli), after January 9th, 2023, then Network Extension functionality will be unavailable.
Resolution
For any new installations or upgrades after January 9th 2023, please upgrade to the latest macOS sensor.
We will have new sensor versions available for download from the console within the next couple of weeks. Please follow this post for updated sensor availability and version numbers.
Additional Notes
Sensors deployed in KEXT mode are not impacted.
The updated macOS Sensor releases contain no code changes, only the updated certificate, but we will change the build number to make clear which version has the newest certificate.
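A fleet-triage sketch of the conditions in Cause and Additional Notes, written in Python as an added example (not Carbon Black code). The inventory records and their field names are constructed, and reading "3.7.2.77 & 3.7.1.12 and lower" per release line is an assumption.

```python
from datetime import date

CERT_EXPIRY = date(2023, 1, 9)  # expiry date stated in the article
# Highest builds the article names as carrying the expiring certificate.
LAST_OLD_CERT_BUILD = {(3, 7, 2): 77, (3, 7, 1): 12}


def has_expiring_cert(version: str) -> bool:
    """True if the version is one the article lists as signed with the old certificate.

    Assumption: the version list is read per release line, because the article
    says re-signed releases differ only by a changed build number.
    """
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part sensor version, got {version!r}")
    line, build = parts[:3], parts[3]
    if line in LAST_OLD_CERT_BUILD:
        return build <= LAST_OLD_CERT_BUILD[line]
    return line < (3, 7, 1)  # "and lower"; newer lines are assumed re-signed


def loses_network_extension(host: dict) -> bool:
    """Apply the article's conditions to one inventory record (hypothetical fields)."""
    if host["kext_mode"]:  # KEXT-mode sensors are not impacted
        return False
    if not has_expiring_cert(host["version"]):
        return False
    # Install/approval or a repcli reset after the expiry date triggers the issue.
    events = (host["approved_on"], host.get("reset_on"))
    return any(d is not None and d > CERT_EXPIRY for d in events)


def affected_hosts(inventory: list) -> list:
    """Hosts expected to lack netconn events, quarantine and network blocking."""
    return [h["host"] for h in inventory if loses_network_extension(h)]


# Constructed inventory; 3.6.4.53 and 3.7.2.90 are made-up build numbers.
INVENTORY = [
    {"host": "mac-01", "version": "3.7.2.77", "kext_mode": False, "approved_on": date(2022, 11, 3)},
    {"host": "mac-02", "version": "3.7.2.77", "kext_mode": False, "approved_on": date(2023, 1, 12)},
    {"host": "mac-03", "version": "3.7.1.12", "kext_mode": False, "approved_on": date(2022, 6, 1),
     "reset_on": date(2023, 1, 20)},
    {"host": "mac-04", "version": "3.6.4.53", "kext_mode": True, "approved_on": date(2023, 1, 15)},
    {"host": "mac-05", "version": "3.7.2.90", "kext_mode": False, "approved_on": date(2023, 1, 25)},
]

if __name__ == "__main__":
    print(affected_hosts(INVENTORY))
```

Hosts returned by affected_hosts are the ones where network-based detections and watchlists should be treated as blind until the sensor is upgraded.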