Access official resources from Carbon Black experts
Cb Response Sensor 6.1.2 +
Symptoms
If a kext vendor is not on the whitelist at the time of loading, the user will be notified of a blocked kernel extension and will be prompted to go to System Preferences > Security & Privacy to allow the kernel extension to load (if desired). This is an Apple security feature that we cannot avoid, but there are a few options for how to proceed.
Starting with macOS 10.13.0 (High Sierra), Apple created a whitelist for kexts(Cb Response kernel driver.)
Options:
Beginning with the 6.1.2-osx sensor, users that need to approve our Cb Response osx kernel extensions will initially observe a reduced health score from the Cb Response console with the following message:
Cb Response kernel extensions are not approved for load (TN2459)
The overall health score will be 25 (or possibly lower if something else is wrong).
In this event, approving the kernel extensions through System Preferences > Security & Privacy and proceeding to either reboot the machine, or wait about 30 mins for the sensor to verify the changes, will work to load the Cb Response osx kernel extensions as needed and correct the previously reduced health score.
Our recommendation for enterprise customers is to install an MDM profile and disable kext whitelisting. This will mitigate manual user approval that, if not properly followed, could prevent our kernel extensions from loading resulting in a non-functional sensor and reduced health score.
More information on macOS kernel extension approval can be found in Apple's TN2459.
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.