
Kernel Extension Approval for macOS 10.13 (High Sierra) - Cb Response

Environment

Cb Response macOS Sensor 6.1.2 and later

Symptoms

If the Team ID that signed a kext has not been approved when the kext is first loaded, macOS blocks the load, notifies the user, and prompts them to open System Preferences > Security & Privacy and click Allow (if desired). This is an Apple security feature (User-Approved Kernel Extension Loading, described in TN2459) that Cb Response cannot bypass, but there are a few options for how to proceed. Note that the Allow button only responds to a click from the local keyboard and mouse, not to a click made over a screen-sharing session or by a script, and it is only offered for about 30 minutes after the blocked load attempt; after that, the kext has to be loaded again to produce a new prompt.

Cause

Starting with macOS 10.13.0 (High Sierra), Apple requires explicit approval before a third-party kernel extension (kext), such as the Cb Response kernel driver, is allowed to load. Approval is granted per signing Team ID and recorded in a whitelist maintained by the operating system.

Resolution

Options:

  • Once one of our kexts is approved, all other kexts signed with the same Team ID are approved as well, so future Cb Response kexts load without a new prompt.

  • If a kext was already loaded on macOS 10.12 or earlier and the user then upgraded to macOS 10.13, every kext that was loaded at upgrade time is grandfathered in, that is, auto-approved.

  • If the Mac is enrolled in an MDM solution, the user-approval requirement is disabled and kexts load without user intervention. This is our primary recommendation for customers.

  • The other way to approve a kext without user intervention is to boot into Recovery mode, whitelist the Team ID with spctl kext-consent add <Team ID>, and reboot. (See TN2459 for details.)

Beginning with the 6.1.2-osx sensor, users who still need to approve the Cb Response macOS kernel extensions will initially see a reduced health score in the Cb Response console with the following message:

Cb Response kernel extensions are not approved for load (TN2459)

The overall health score will be 25 (or possibly lower if something else is wrong).

In this event, approve the kernel extensions under System Preferences > Security & Privacy and then either reboot the machine or wait about 30 minutes for the sensor to re-check; either way the Cb Response macOS kernel extensions will load and the previously reduced health score will recover.

Our recommendation for enterprise customers is to enroll Macs in MDM so that kext approval is handled without user interaction. This removes the dependence on manual approval, which, if not completed, leaves the kernel extensions unloaded, the sensor non-functional, and the health score reduced.
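To check the approval and load state directly instead of waiting for the health score to update, and to print the Recovery-mode command from the options above when approval is missing, the following shell script is an added example (not Carbon Black's code). It assumes the kext path and bundle ID shown are placeholders to be replaced with the Cb Response kext on your Mac, that the KextPolicy SQLite database lives at /var/db/SystemPolicyConfiguration/KextPolicy with a kext_policy table (team_id, bundle_id, allowed), and that the spctl kext-consent command is the one documented in TN2459. Reading the database requires root.

```shell
#!/bin/sh
# Added example, not Carbon Black's code. Checks whether a third-party kext's
# Team ID is user-approved on macOS 10.13 and whether the kext is currently
# loaded, and prints the TN2459 Recovery-mode command if it is not approved.
# Assumptions: KEXT_PATH and KEXT_ID are placeholders for the Cb Response
# kext on your system; reading the KextPolicy database needs root.

KEXT_PATH="${KEXT_PATH:-/Library/Extensions/Example.kext}"   # placeholder
KEXT_ID="${KEXT_ID:-com.example.kext}"                       # placeholder
KEXT_POLICY_DB=/var/db/SystemPolicyConfiguration/KextPolicy

# Pull the TeamIdentifier out of `codesign -dvvv` output (codesign writes it
# to stderr, so the caller captures 2>&1). Prints nothing for an unsigned kext.
team_id_from_codesign() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Success if bundle ID $1 appears in kextstat listing $2 (6th column is Name).
kext_is_loaded() {
    printf '%s\n' "$2" | awk -v id="$1" '$6 == id { found = 1 } END { exit (found ? 0 : 1) }'
}

# Success if Team ID $1 has allowed=1 in kext_policy rows $2, where each row
# is in the default sqlite3 "team_id|bundle_id|allowed" output format.
team_id_is_allowed() {
    printf '%s\n' "$2" | awk -F'|' -v t="$1" '$1 == t && $3 == 1 { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# The Recovery-mode whitelist command from TN2459 for a given Team ID.
recovery_consent_cmd() {
    printf 'spctl kext-consent add %s\n' "$1"
}

main() {
    cs_out=$(codesign -dvvv "$KEXT_PATH" 2>&1)
    team_id=$(team_id_from_codesign "$cs_out")
    if [ -z "$team_id" ]; then
        echo "no Team ID found for $KEXT_PATH (unsigned or missing kext)"
        return 1
    fi
    policy_rows=$(sqlite3 "$KEXT_POLICY_DB" \
        'SELECT team_id, bundle_id, allowed FROM kext_policy;' 2>/dev/null)
    if team_id_is_allowed "$team_id" "$policy_rows"; then
        echo "Team ID $team_id is user-approved"
    else
        echo "Team ID $team_id is NOT approved: allow it in Security & Privacy,"
        echo "or from Recovery mode run: $(recovery_consent_cmd "$team_id")"
    fi
    if kext_is_loaded "$KEXT_ID" "$(kextstat)"; then
        echo "$KEXT_ID is loaded"
    else
        echo "$KEXT_ID is not loaded (reboot or wait for the sensor to retry after approval)"
    fi
}

# Only run the live checks on macOS; the parsing functions above are portable.
if [ "$(uname -s)" = Darwin ]; then
    main
fi
```

Run it as root after clicking Allow: an approved Team ID with the kext still unloaded means the sensor has not retried yet, which is the state the 30-minute wait or a reboot resolves.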

More information on macOS kernel extension approval can be found in Apple's TN2459.

Related Content

macOS 10.13.4 Kext Approval Changes

Article Information
Creation Date: 02-23-2018