Environment
- Carbon Black Cloud Sensor: 3.5.1.19 and Higher
- Audit & Remediation (was CB LiveOps)
- Endpoint Standard (was CB Defense)
- Enterprise EDR (was CB ThreatHunter)
- Apple macOS: 11.0 (Big Sur) and Higher
Question
What would the impact be if full disk access is added but the network extension is not approved for System Extension mode?
Answer
Network events would not be recorded or reported, and prevention rules dealing with network operations and quarantine would not be functional until the Network Extension is approved for Sensors installed in System Extension mode.
Additional Notes
- The network extension should become active as soon as it is approved, though the exact timing will vary as the OS inserts the NE into the stack of handlers at its discretion
- Sensors installed in Kernel Extension mode require full disk access (FDA) to be configured, but do not require the Network Extension to be approved
Related Content