Environment
- Carbon Black Cloud Web Console: All Versions
- Carbon Black Cloud macOS Sensor: 3.3.4.6 and higher
- Apple macOS: 10.14 and higher
Symptoms
- File-operation intensive commands are slow to execute on Mac developer machines
- This issue is especially noticeable on multi-core systems performing multi-threaded processing and file intensive tasks, such as Xcode builds
- A unique characteristic of this issue is that both full sensor bypass and bypass rules do not alleviate the issue
- Example, “git status” command takes 4-5 seconds to run when the sensor is installed in either active or bypass mode. The command completes in less than 1 second when the sensor is uninstalled
Cause
- A kernel feature that allows the sensor to safely unload KEXT without requiring a macOS reboot, introduces a performance issue when synchronizing low level operations in Apple XNU code
- Although this feature has been present since macOS 10.6, our investigation shows that more recent macOS internals changes exacerbated this interaction in macOS 10.14 and higher
Resolution
A permanent fix has been provided in macOS sensor version GA 3.5.1.19 and above.
Related Content
