CB Defense: How to Verify Sensor 3.0.x.x KEXT Approval

Environment

  • CB Defense Sensor: 3.0.x.x
  • Apple macOS: 10.13 - 11

Objective

Verify that the CB Defense kernel extension (KEXT) has been approved on a macOS machine.

Resolution

  1. Open a Terminal window
  2. Enter the following to search for the kernel extension according to sensor version
    kextstat | grep -s com.confer
  3. Verify that com.confer.sensor.kext is found
    0 0xffffff7f828e2000 0x46000 0x46000 com.confer.sensor.kext (3.0.2fc8) A0B8D03C-57AD-3516-B3E7-16D8130ICBA3 <78 51 46 24 12 7 5 4 3 2 1>
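
A scripted form of steps 2 and 3, added here as an example (not Carbon Black's own tooling): it requires an exact match on the bundle ID, which the substring search `grep com.confer` does not, and reports the loaded version. The function name `check_kext`, the `SAMPLE` text and the lookalike bundle ID in it are constructed for this example.

```shell
#!/bin/sh
# Added example: exact-match check for the sensor KEXT in kextstat output.
BUNDLE_ID="com.confer.sensor.kext"   # bundle ID from step 3 of the article

# Constructed sample: a header, a made-up lookalike entry that a substring
# grep would also match, and the output line shown in the article.
SAMPLE='Index Refs Address Size Wired Name (Version) UUID <Linked Against>
9 0 0xffffff7f80000000 0x1000 0x1000 com.confer.sensor.kext.lookalike (0.0.1) CONSTRUCTED-UUID <1>
0 0xffffff7f828e2000 0x46000 0x46000 com.confer.sensor.kext (3.0.2fc8) A0B8D03C-57AD-3516-B3E7-16D8130ICBA3 <78 51 46 24 12 7 5 4 3 2 1>'

# Reads kextstat output on stdin. Prints the version and returns 0 when some
# field equals the bundle ID exactly; returns 1 otherwise. The field position
# is not assumed, so lines with or without the leading Index column work.
check_kext() {
    awk -v id="$1" '
        {
            for (i = 1; i < NF; i++) {
                if ($i == id) {
                    v = $(i + 1)
                    gsub(/[()]/, "", v)   # "(3.0.2fc8)" -> "3.0.2fc8"
                    print v
                    found = 1
                    exit
                }
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Use live kextstat output on macOS, the constructed sample elsewhere.
if command -v kextstat >/dev/null 2>&1; then
    input=$(kextstat -l)
else
    input=$SAMPLE
fi

if version=$(printf '%s\n' "$input" | check_kext "$BUNDLE_ID"); then
    echo "loaded: $BUNDLE_ID version $version"
else
    echo "not loaded: $BUNDLE_ID"
fi
```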

Additional Notes

  • Secure Kernel Extension Loading was introduced with macOS 10.13 High Sierra. As a result, the KEXT associated with the CB Defense Sensor must either be manually approved by end users or pre-approved with an MDM profile.
  • When Secure Kernel Extension Loading was first introduced in macOS 10.13.0, it was bypassed as long as the Mac was managed with any MDM profile. Beginning with macOS 10.13.4, MDM management alone is not sufficient. The CB Defense Team ID and Bundle ID must be added to the profile for KEXT approval.
  • The Team ID and Bundle ID vary depending on the CB Defense sensor version.
  • Additional required and optional parameters included with MDM profiles are covered in Apple's developer documentation.
  • The Kernel Extension is being deprecated. For macOS versions 12 and higher, use the System Extension.

Article Information
Creation Date: 11-20-2018