
EDR: System dylib load events no longer being reported

Environment

  • EDR Apple macOS Sensor: 7.3.0 and higher
  • Apple macOS: 11 Big Sur and higher

Symptoms

  • No longer seeing events related to system dylib loads
  • Toggling the Filter Known Modules option in Advanced Sensor Group Settings has no effect

Cause

Starting with macOS 11 Big Sur, the OS protects system libraries against tampering by loading them from a trusted, prebuilt cache rather than from the individual library files on disk.

Resolution

EDR sensors running on macOS 11 Big Sur and higher do not report modload events for these system library files, and the “Filter known modloads” advanced sensor group setting has no effect on those events. This is expected behavior, not a sensor defect.

Additional Notes

  • Dynamically loaded code (typically dylibs on macOS) falls into two categories:
    • System dylibs, typically bundled with the OS/system software.
    • Application-specific/third-party dylibs (non-system dylibs).
  • As part of its telemetry, the EDR sensor reports an event each time such a dylib is loaded; when the “Filter known modloads” feature is enabled, it filters out the system dylib load events.
  • This issue does not affect application-specific/third-party dylibs; only system dylib load events are missing.

Article Information
Creation Date: 01-19-2024