Carbon Black Cloud: What is the impact of not approving the network extension (macOS)

Environment

  • Carbon Black Cloud Sensor: 3.5.1.19 and Higher
    • Audit & Remediation (was CB LiveOps)
    • Endpoint Standard (was CB Defense)
    • Enterprise EDR (was CB ThreatHunter)
  • Apple macOS: 11.0 (Big Sur) and Higher

Question

What would the impact be if full disk access is added but the network extension is not approved for System Extension mode?

Answer

Network events would not be recorded or reported, and prevention rules dealing with network operations and quarantine would not be functional until the Network Extension is approved for Sensors installed in System Extension mode.

Additional Notes

  • The network extension should become active as soon as it is approved, though the exact timing will vary because the OS inserts the Network Extension (NE) into the stack of handlers at its discretion.
  • Sensors installed in Kernel Extension mode require full disk access (FDA) to be configured, but do not require the Network Extension to be approved.

Article Information
Creation Date: 01-11-2021