Environment

• EDR Sensors: macOS 7.x and higher
• macOS: Big Sur (11) and Monterey (12) 

Objective

Resolution

1. Confirm the sensor is running.  Note '/Applications/VMware Carbon Black EDR.app/Contents/MacOS/CbOsxSensorService' is running.

   ps -ax | grep -i cbosx

2. Confirm the system extension is enabled and running.  Confirm 'com.carbonblack.es-loader.es-extension' is 'activated' and 'enabled' 

   systemextensionctl list

3. Confirm Full Disk Access.  Note: es-extension should be listed but not necessarily checked if pushed by MDM;  Should be listed and checked if manually installed.

   Check Settings > Security&Privacy > es-extension    

4. Confirm Network Content access is enabled.  Note a Carbon Black Content Network Filter should be green and 'Running'. (The name is associated to the policy)

   Check Settings > Network 

5. Check logs for install or upgrade errors.

   cat /var/log/cblog.log

6. If MDM polices were used (Workspace ONE, JamF), there is the option to provide the exported profile to VMware Carbon Black Support for validation.
7. Advanced logging messages.

   log show -start “yyyy-mm-dd hh:mm:ss" -debug | grep -i cb (use the date/timestamp of the install)
   log show -start “yyyy-mm-dd hh:mm:ss" -debug | grep -i carbonblack
   

Additional Notes

• Files to check:

• Stop & Start the sensor.

sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
sudo launchctl load /Library/LaunchDaemons/com.carbonblack.daemon.plist

• Determine the version running:

/Applications/VMware\ Carbon\ Black\ EDR.app/Contents/MacOS/CbOsxSensorService -v

Related Content

• Installing macOS Sensors on Endpoints
• EDR: How To Confirm MacOS Sensor Has Full Disk Access
• EDR: Where are the installation files located on an OSX sensor?
• EDR: How to manually uninstall an OSX sensor