Carbon Black Cloud macOS Sensor Release Notes

3.6.1.10

Carbon Black Cloud sensor version 3.6.1.10 is a generally available release for macOS only.

Important notes

  • Do not upgrade the sensor while it is in bypass mode and running in System Extension mode. Upgrading the sensor in System Extension mode while in bypass disables the sensor until a reboot is performed on the endpoint.
  • This release supports macOS 10.15 - 12. macOS 10.14 is no longer supported.

Release checksums
 
3.6.1.10 DMG SHA256 Checksum 9235ac4b3f147d7efc9458c87749a582b4a581462895c95dd60d72a6b94306e1

3.6.1.10 PKG SHA256 Checksum e2f2fab3c488c90aefaa9ff565f545bc8ec23e97a89a3469f0eca771a9371afb

 

Apple Silicon support

The 3.6.1.10 Carbon Black Cloud sensor delivers native operation on Apple Silicon hardware, with the exception of the LiveOps (OSQuery engine) because there is no universal binary available yet. Rosetta will be necessary to leverage Audit & Remediation functionality until a universal OSQuery engine binary is available.

macOS Monterey support

Sensor version 3.6.1.10 supports operation on macOS Monterey via System Extensions. Legacy Kernel Extension mode operation is not supported on macOS 12 Monterey. For customers who plan to upgrade macOS 11 Big Sur endpoints running the Kernel Extension to Monterey, we recommend using a management tool such as Workspace ONE or Jamf to deploy the 3.6 sensor. Cloud upgrade does not support Kernel Extension mode upgrades from macOS 11 to macOS 12.

As always, to ensure full sensor enablement we recommend that endpoints are preconfigured with System Extension pre-approval via MDM before deployment of the sensor.

Supported operating modes

| Supported Operating System | Supported Modes and Architectures |
| --- | --- |
| macOS 10.15 (Catalina) | Kernel Extension (Intel only) |
| macOS 11 (Big Sur) | Kernel Extension (Intel only); System Extension (Intel, Apple Silicon) |
| macOS 12 (Monterey) | System Extension (Intel, Apple Silicon) |
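
The support table and the upgrade notes for 3.6.1.10 can be encoded as a pre-flight check that runs before a rollout. The shell functions below are an added example, not VMware Carbon Black code; the function names and the result labels (`proceed`, `mdm-deploy-sysext`, `defer-exit-bypass`, `unsupported`) are this example's own, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for deploying sensor 3.6.1.10, based on the
# "Supported operating modes" table and the notes in this release section.

# Map a macOS product version ("10.15.7", "11.6", "12.0.1") to the release
# family used in the support table. Anything outside 10.15 - 12 is unsupported.
macos_family() {
    case "$1" in
        10.15|10.15.*) echo "10.15" ;;
        11|11.*)       echo "11" ;;
        12|12.*)       echo "12" ;;
        *)             echo "unsupported" ;;
    esac
}

# Map `uname -m` output to the architecture names used in the table.
cpu_family() {
    case "$1" in
        x86_64) echo "intel" ;;
        arm64)  echo "apple_silicon" ;;
        *)      echo "unknown" ;;
    esac
}

# Print the modes 3.6.1.10 supports for an OS version and CPU:
# a space-separated subset of "kext sysext", or "none".
supported_modes() {
    fam=$(macos_family "$1")
    cpu=$(cpu_family "$2")
    case "$fam:$cpu" in
        10.15:intel)               echo "kext" ;;
        11:intel)                  echo "kext sysext" ;;
        11:apple_silicon)          echo "sysext" ;;
        12:intel|12:apple_silicon) echo "sysext" ;;
        *)                         echo "none" ;;
    esac
}

# Decide how to roll out 3.6.1.10 to one endpoint.
#   $1 macOS version now        $2 macOS version after any planned OS upgrade
#   $3 `uname -m` value         $4 current sensor mode: kext | sysext | none
#   $5 "bypass" if the sensor is currently in bypass, any other value if not
deployment_plan() {
    now_modes=$(supported_modes "$1" "$3")
    target_modes=$(supported_modes "$2" "$3")
    if [ "$now_modes" = "none" ] || [ "$target_modes" = "none" ]; then
        echo "unsupported"
        return
    fi
    # Upgrading in System Extension mode while in bypass disables the sensor
    # until the endpoint is rebooted, so leave bypass first.
    if [ "$4" = "sysext" ] && [ "$5" = "bypass" ]; then
        echo "defer-exit-bypass"
        return
    fi
    # KEXT mode does not exist on macOS 12 and cloud upgrade does not cover
    # KEXT-mode upgrades from macOS 11 to 12: deploy with a management tool.
    if [ "$4" = "kext" ] && [ "$(macos_family "$2")" = "12" ]; then
        echo "mdm-deploy-sysext"
        return
    fi
    echo "proceed"
}

# Constructed sample endpoints. On a real Mac the first and third arguments
# would come from `sw_vers -productVersion` and `uname -m`.
echo "Big Sur KEXT -> Monterey:  $(deployment_plan 11.6 12.0 x86_64 kext ok)"
echo "Big Sur SysExt in bypass:  $(deployment_plan 11.6 11.6 arm64 sysext bypass)"
echo "Mojave endpoint:           $(deployment_plan 10.14.6 10.14.6 x86_64 kext ok)"
```
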

 

3.5.3.82

Carbon Black Cloud sensor version 3.5.3.82 is a generally available release for macOS only.

Changes to the sensor approval process

VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and approve KEXT, System Extension, and Network Extension code signing certificates.

Sensor approvals on macOS Big Sur

Sensor version 3.5.3.82 supports both KEXT and System Extension operation on macOS Big Sur.

The process for approving KEXTs has changed on macOS Big Sur. Please review the following article for more information on the revised process: Changes to KEXT pre-approval on macOS Big Sur.

To avoid the need for user approval, the sensor’s System Extension and Network Extension should be approved via an MDM. Please review the following article for details on the approval process: Approving the macOS sensor’s System Extension and Network Extension.

Changes to Full Disk Access permissions since the 3.5.1 sensor

The 3.5.1 sensor was restructured; the Full Disk Access policy process has changed as a result. An updated profile is required for running 3.5.1+ on any supported version of macOS (10.12 - 11.2). Please review the following article for details on the revised process: Granting the macOS sensor Full Disk Access (v3.5.1+).

Current MDM instructions and payloads for configuring the installation are always available in the mounted DMG of the sensor installer in the docs folder.

Release checksums
 
3.5.3.82 DMG SHA256 Checksum 8f13dcde5429cc5f9b4fb49ef982a75077cbaa72061f6c395cc857f4de0de357

3.5.3.82 PKG SHA256 Checksum 769ddbbfc3c048eec762b63d714630c3be4becf68991b018ef20637c49982801

 

Ending support for macOS 10.12 and 10.13

Beginning with the 3.5.3.82 VMware Carbon Black Cloud sensor, macOS 10.12 (Sierra) and macOS 10.13 (High Sierra) are no longer officially supported. Apple is not issuing security patches for these operating systems. We recommend that before deploying the 3.5.3.82 sensor, you upgrade to macOS 10.14 (Mojave) or later.

10.12 and 10.13 are still supported for use with sensor versions 3.5.2.78 and older, which will remain in Standard or Extended support until May 2022.

See the macOS sensor compatibility guide.

Status of Apple Silicon M1 support

The 3.5.3.82 VMware Carbon Black Cloud sensor is not officially supported for use on Apple Silicon M1 hardware. Although installation on M1 machines is not blocked, performance while using Rosetta 2 emulation can deviate from expected performance and stability on Intel hardware. For this reason, we do not recommend deploying the sensor on production M1 machines.

Native support for the Apple Silicon architecture will be available in a future release.

Supported architectures for CBC 3.5.3 sensor and macOS Big Sur:

| macOS/CPU architecture | Intel x86-64 | Apple Silicon/ARM |
| --- | --- | --- |
| KEXT | Supported | Not supported; see installation caveats |
| System Extension | Supported | Experimental, emulation mode |

 

macOS Big Sur support

Sensor version 3.5.3.82 supports macOS Big Sur. This sensor enables a subset of VMware Carbon Black Cloud functionality via System Extensions; full functionality is available via Kernel Extensions (KEXTs). We recommend that all Endpoint Standard customers continue to use Kernel Extensions until notified that all functionality is available via System Extensions.

Before deploying this sensor to macOS Big Sur, please review this documentation on the functionality you can expect to receive with System Extensions vs. KEXTs: macOS Big Sur Functionality Overview.

USB device control for macOS

VMware Carbon Black introduced Device Control for USB storage devices on Windows in November 2020. This functionality is now extended to macOS 10.15 and 11+ with sensor version 3.5.3.82. 

Device Control lets you harden your security posture, control authorized usage, and prevent malware infiltration from USB storage devices. You can view, manage, approve, and implement blocking policies for USB storage devices that are connected to your endpoints. 

You will have access to the following functionality:

  • Policy-based USB Device Blocking: Gain an additional layer of protection and strengthen overall security posture with the ability to block mount operations on a per-policy basis.
  • Configurable Allowed USB Devices List: Allow designated external devices to be mounted by leveraging options for approving distinct USB devices, or approving broader manufacturer- or product-based permissions across your environment.
  • Alert on Block: Receive notifications of USB device blocks in your environment, and easily approve devices directly from the alert. Users also receive notifications when attempting to use blocked devices, thereby educating them on company policy.
  • USB Device Inventory: Gain visibility into all supported USB devices connected to your network with the ability to view, filter, search, and approve USB devices from the Inventory page.


3.5.2.78

Carbon Black Cloud sensor version 3.5.2.78 is a generally available release for macOS only. Version 3.5.2.78 replaces 3.5.1.31. This sensor supports macOS Big Sur, introduces post-execution prevention, and includes other critical fixes.

Release checksums
 
3.5.2.78 DMG SHA256 Checksum 585abac9d0d87a6a3efd5a156fdabf0eab32063796c264b8d2551e5db1188fa4

3.5.2.78 PKG SHA256 Checksum 70f104398c8d1fb7c392700e6a88753c5d066a1d6777a959bb1c9fe0d97aba2a

 

Status of Apple Silicon M1 support

The 3.5.2.78 Carbon Black Cloud sensor is not officially supported for use on Apple Silicon M1 hardware. Although installation on M1 machines is not blocked, performance while using Rosetta 2 emulation can deviate from expected performance and stability on Intel hardware. For this reason, we do not recommend deploying the sensor on production M1 machines.

Native support for the Apple Silicon architecture will be available in a future release.

Supported architectures matrix for CBC 3.5.2 sensor and macOS Big Sur:

| macOS / CPU Archs. | Intel x86-64 | Apple Silicon / ARM |
| --- | --- | --- |
| KEXT | Supported | Not supported, see installation caveats |
| System Extension | Supported | Experimental, Rosetta 2 emulation, not officially supported |

 

macOS Big Sur Support

Sensor version 3.5.2.78 supports macOS Big Sur. This sensor enables a subset of Carbon Black Cloud functionality via System Extensions, but full functionality is still available via Kernel Extensions (KEXTs). We recommend all Endpoint Standard customers continue to use Kernel Extensions until notified that all functionality is available via System Extensions.

Before deploying this sensor to macOS Big Sur, please review this documentation on the functionality you can expect to receive with System Extensions vs. KEXTs: macOS Big Sur Functionality Overview.

Introductory System Extension-based Prevention

The 3.5.2.78 System Extension sensor expands on the subset of Carbon Black Cloud functionality, but does not yet meet feature parity with the Kernel Extension sensor. 

This release introduces post-execution prevention, meaning policy enforcement occurs only after a process has already begun running. The System Extension sensor does not yet provide pre-execution prevention (blocking malware before it has a chance to begin running). The 3.5.2 release is a step towards complete SysEXT-based prevention.

Rules regarding applications with unknown reputation are not enforced in this release. Applications with known malware, suspect malware, adware, or PUP reputation, or ban-listed applications, that the sensor finds currently running will be terminated. Please note that this means that a termination from the sensor may be sent after the offending application has already finished executing on its own.

For more information on functional differences between System Extensions and Kernel Extensions, please refer to this document.

Local Sensor Administration via repCLI

The macOS 3.5.2.78 release extends the repCLI command line tool that enables local administration of the sensor. Please see the following Knowledge Base article for a list of available commands: RepCLI on macOS


3.5.1.31

Carbon Black Cloud sensor version 3.5.1.31 is a generally available release for macOS only. Version 3.5.1.31 replaces 3.5.1.23. This sensor is functionally identical to 3.5.1.23, with the addition of several critical fixes.

Changes to the sensor approval process

VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and approve KEXT, System Extension, and Network Extension code signing certificates.

Sensor approvals on macOS Big Sur

Sensor version 3.5.1.31 supports both KEXT and System Extension operation on macOS Big Sur.

The process for approving KEXTs has changed on macOS Big Sur. Please review this article for more information on the revised process: Changes to KEXT pre-approval on macOS Big Sur.

The sensor’s System Extension and Network Extension should be approved via an MDM to avoid the need for user approval. Please review this article for details on the approval process: Approving the macOS sensor’s System Extension and Network Extension.

Changes to Full Disk Access permissions in the 3.5.1 sensor

The 3.5.1 sensor has been restructured and the Full Disk Access policy process has changed as a result. An updated profile is required for running 3.5.1.31 on any supported version of macOS (10.12 - 11.2). Please review this article for details on the revised process: Granting the macOS sensor Full Disk Access (v3.5.1+).

The most up-to-date MDM instructions and payloads for configuring the installation are always available in the mounted DMG of the sensor installer, under the docs folder.

Release checksums
 
3.5.1.31 DMG SHA256 Checksum e60164d335378d12bed697ef52d2ba6aa994213c0ea94482ccfdbaf340f7add5
3.5.1.31 PKG SHA256 Checksum a308a3c4096c65fdd5df1fc371dd7b9c9d5cd6a6820caa7488021bb0f392b3c3

 

Apple Silicon M1 support

The 3.5.1.31 Carbon Black Cloud sensor is not officially supported for use on Apple Silicon M1 hardware. Although installation on M1 machines is not blocked, performance while using Rosetta 2 emulation can deviate from expected performance and stability on Intel hardware. For this reason, we do not recommend deploying the sensor on production M1 machines.

Native support for the Apple Silicon architecture will be available in a future release.

Supported architecture matrix for 3.5.1 sensor and macOS Big Sur:

| macOS / CPU Arch. | Intel x86-64 | Apple Silicon / ARM |
| --- | --- | --- |
| KEXT | Supported | Not supported, see installation caveats |
| System Extension | Supported | Experimental, emulation mode, not officially supported |

3.5.1.23

Carbon Black Cloud sensor version 3.5.1.23 is a generally available release for macOS only. 3.5.1.23 replaces 3.5.1.19.

This sensor is functionally identical to 3.5.1.19. Please see the 3.5.1.19 release notes for more details.

Release checksums
 
3.5.1.23 DMG SHA256 Checksum d047c4bd69fb6bdba2b0474c8fc155dafce032000f4401567e01f6c402fd4478
3.5.1.23 PKG SHA256 Checksum a8247d9bea1adbea7b280790fa10a69382a5e7758a6450f2e8c7901285c5f248

 


3.5.1.19

Carbon Black Cloud sensor version 3.5.1.19 is a generally available release for macOS only.

Important Notes:

  • 3.4.4.51 is the only supported downgrade path from the 3.5.1.19 sensor.
  • This sensor provides initial support for macOS Big Sur. Please read these release notes carefully as some functionality and processes have changed.

Changes to the sensor approval process

VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and approve KEXT, System Extension, and Network Extension code signing certificates.

Sensor approvals on macOS Big Sur

Sensor version 3.5.1.19 supports both KEXT and System Extension operations on macOS Big Sur.

The process for approving KEXTs has changed on macOS Big Sur. See Changes to KEXT pre-approval on macOS Big Sur.

The sensor’s System Extension and Network Extension should be approved via an MDM to avoid the need for user approval. See Approving the macOS sensor’s System Extension and Network Extension.

Changes to Full Disk Access permissions in the 3.5.1 sensor

The 3.5.1 sensor has been restructured and the Full Disk Access policy process has changed as a result. An updated profile is required for running 3.5.1.19 on any supported version of macOS (10.12 - 11). See Granting the macOS sensor Full Disk Access (v3.5.1+).

Current MDM instructions and payloads for configuring the installation are available in the mounted DMG of the sensor installer, under the docs folder.

Release checksums
 
3.5.1.19 DMG SHA256 Checksum bea78b8e0870f45cd85aedb728676f687c2e522a48fba53bc9aa3fd39f90778c
3.5.1.19 PKG SHA256 Checksum 19bc75f8a7ff00bdc86f01bed06cc1ef024cb01aaa8d70b34f1a30efbdabf640

 

Ended support for macOS 10.11

The CBC 3.5.1.19 sensor release is only compatible with macOS versions 10.12 and newer. You cannot install this sensor version on older operating systems.

Note: The sensor will not allow an upgrade to 3.5.1 on macOS 10.11.

Apple Silicon M1 support

Sensor release 3.5.1.19 introduces experimental support for the Apple Silicon M1 using the non-native, emulation mode. Native support for the Apple Silicon architecture will be available in a future release.

The following table shows a supported architectures matrix for the CBC 3.5.1 sensor and macOS Big Sur:

| macOS / CPU Architectures | Intel x86-64 | Apple Silicon / ARM |
| --- | --- | --- |
| KEXT | Supported | Not supported; see installation caveats |
| System Extension | Supported | Experimental, emulation mode |

 

macOS Big Sur support

Sensor version 3.5.1.19 includes initial support for macOS Big Sur. This sensor enables a subset of Carbon Black Cloud functionality via System Extensions, but full functionality is still available via Kernel Extensions (KEXTs). We recommend all Endpoint Standard customers continue to use Kernel Extensions until you are notified that all functionality is available via System Extensions.

Before deploying this sensor to macOS Big Sur, review the functionality you can expect to receive with System Extensions vs. KEXTs: macOS Big Sur Functionality Overview.

Local administration via repCLI command line tool

The macOS 3.5.1.19 release introduces a command line tool that enables local administration of the sensor. See RepCLI on macOS for a list of available commands.

Sensor file system restructuring

The macOS 3.5.1.19 release introduces updated sensor file system install locations, thereby altering where the sensor stores its executables and resources. The change meets full compliance requirements with latest macOS versions and also concludes branding changes to VMware Carbon Black. This change can impact custom deploy and monitoring tools. See New macOS sensor file paths beginning in 3.5.1.19.

Installer TOCTOU security vulnerability fix

Carbon Black macOS Sensor 3.5.1 addresses a file overwrite security issue in the installer. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2020-4008 to this issue. See https://www.vmware.com/security/advisories/VMSA-2020-0028.html.

New administrative sensor states

This release adds new administrative sensor states. You can query them from the Endpoints page by using the sensorStates:STATE_STATE query or by using the RepCLI tool.

| SENSOR_STATE | Description |
| --- | --- |
| DRIVER_LOAD_NOT_GRANTED | Sensor failed to load KEXT or System Extension. MDM or manual approval is required. Sensor is in bypass until the load is granted. This state coexists with DRIVER_KERNEL or DRIVER_USERSPACE. |
| DRIVER_INIT_REBOOT_REQUIRED | KEXT or System Extension failed to initialize due to reboot requirement. Sensor is in bypass until after reboot. |
| DRIVER_INIT_ERROR | KEXT or System Extension failed to initialize and load for any reason other than the missing grant or reboot. Sensor is in bypass mode. |
| DRIVER_KERNEL | Sensor is in KEXT-enabled mode. |
| DRIVER_USERSPACE | Sensor is in System Extension-enabled mode (macOS 11+ only). |
| FULL_DISK_ACCESS_NOT_GRANTED | Sensor does not have full disk access granted, which will reduce the efficacy of select features. MDM or manual approval is required. |
| DRIVER_OPTIONS_UPDATE_PENDING | In 10.14 and 10.15 only. The repcli command to toggle between persistent/unloadable KEXT was acknowledged, but will require a reboot to complete. |
| DRIVER_OPTIONS_DEVELOPER_MODE | In 10.14 and 10.15 only. The machine has loaded the KEXT in a persistent manner and will require a reboot to successfully uninstall/upgrade. |
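
The states in this table combine on a single endpoint, so triage means reading them together: whether the sensor is in bypass, which driver approval is missing, and whether a reboot is pending. The shell functions below are an added example, not part of RepCLI or the Carbon Black console; the input is a constructed comma- or space-separated list of state names, and the action labels are this example's own.

```shell
#!/bin/sh
# Added example: turn a set of administrative sensor states into a triage
# summary, following the descriptions in the table above.

# Succeeds if state name $2 appears in the comma- or space-separated list $1.
has_state() {
    for s in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$s" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# Print "bypass=<yes|no> mode=<kext|sysext|unknown> actions=<list|none>".
triage_states() {
    states=$1
    bypass=no
    reboot=no
    actions=""

    # DRIVER_KERNEL / DRIVER_USERSPACE identify the operating mode and coexist
    # with DRIVER_LOAD_NOT_GRANTED, which tells us which approval is missing.
    if has_state "$states" DRIVER_KERNEL; then
        mode=kext
    elif has_state "$states" DRIVER_USERSPACE; then
        mode=sysext
    else
        mode=unknown
    fi

    if has_state "$states" DRIVER_LOAD_NOT_GRANTED; then
        bypass=yes
        case "$mode" in
            kext)   actions="approve-kext-via-mdm" ;;
            sysext) actions="approve-sysext-via-mdm" ;;
            *)      actions="approve-driver-via-mdm" ;;
        esac
    fi
    if has_state "$states" DRIVER_INIT_REBOOT_REQUIRED; then
        bypass=yes
        reboot=yes
    fi
    if has_state "$states" DRIVER_INIT_ERROR; then
        bypass=yes
        actions="${actions:+$actions,}investigate-driver-init"
    fi
    # A pending persistent/unloadable KEXT toggle also completes on reboot;
    # report "reboot" once even if both reboot-related states are present.
    if has_state "$states" DRIVER_OPTIONS_UPDATE_PENDING; then
        reboot=yes
    fi
    if [ "$reboot" = yes ]; then
        actions="${actions:+$actions,}reboot"
    fi
    if has_state "$states" DRIVER_OPTIONS_DEVELOPER_MODE; then
        actions="${actions:+$actions,}reboot-before-uninstall-or-upgrade"
    fi
    if has_state "$states" FULL_DISK_ACCESS_NOT_GRANTED; then
        actions="${actions:+$actions,}grant-full-disk-access"
    fi

    echo "bypass=$bypass mode=$mode actions=${actions:-none}"
}

# Constructed sample state sets.
triage_states "DRIVER_USERSPACE,DRIVER_LOAD_NOT_GRANTED,FULL_DISK_ACCESS_NOT_GRANTED"
triage_states "DRIVER_KERNEL DRIVER_INIT_REBOOT_REQUIRED DRIVER_OPTIONS_UPDATE_PENDING"
triage_states "DRIVER_KERNEL"
```
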

3.4.4.51

Carbon Black Cloud sensor version 3.4.4.51 is for macOS only. This release is Generally Available. 

Important:

  • 3.4.4.51 is the only supported downgrade path from the 3.5 sensor family that is being released later in 2020.
  • This sensor version is not supported for macOS Big Sur. Installing this sensor on macOS Big Sur results in the sensor entering a Bypass state.

Certificate approval process

Devices that are upgrading to 3.4 from sensor versions 3.0 and older should have the new code signing certificate (Team ID 7AGZNQ2S2T) approved prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release. See Known Issues.

VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and approve the KEXT code signing certificate.

See the following article about granting the sensor Full Disk Access as required by macOS 10.14+: macOS 10.14+ Privacy Changes and Granting the macOS Sensor Access.

Release checksums
 
3.4.4.51 DMG SHA256 Checksum 04959ea72c86778a5019cff6bb0f9c89faa0cae775681e12e67a17c3609c0fd7
3.4.4.51 PKG SHA256 Checksum  40138f87b7c8800e8199e384f26be076cb9e7c1afadf079904d4972d52c28397

 

Ended support for macOS 10.10

The macOS 3.4.4.51 sensor release is only compatible with macOS versions 10.11 and newer. Installation of this sensor version on older operating systems is not possible.

Note: The sensor will fail to upgrade from 3.4.3 to 3.4.4 on macOS 10.10.

Full Disk Access status reported in the console

Beginning with sensor version 3.4.4.51, the macOS sensor can now detect when it has not been granted Full Disk Access (FDA) on an endpoint. Full Disk Access can be granted manually on the endpoint or with a policy via MDM. To locate endpoints that do not have Full Disk Access enabled, search for the following string on the Endpoints page in the console:

sensorStates: FULL_DISK_ACCESS_NOT_GRANTED


3.4.3.44

Carbon Black Cloud sensor version 3.4.3.44 is for macOS only. This release is Generally Available. 

This release fixes bugs and performance issues. For more information about the cumulative changes in this sensor version, see the macOS 3.4.2.23 release notes.

Important: KEXT certificate approval process

Devices that are upgrading to 3.4 from sensor versions 3.0 and older must have the new code signing certificate (Team ID 7AGZNQ2S2T) approved prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release. See Known Issues for details.
 
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and allow the KEXT code signing certificate.
 
See macOS 10.14+ Privacy Changes and Granting the macOS Sensor Access about granting the sensor Full Disk Access as required by macOS 10.14+.
 
Release checksums
 
3.4.3.44 DMG SHA256 Checksum 0fe44079434904432b2a900e10320fdbf83ae4b29f0b4544f17ff1d9ab449c72
3.4.3.44 PKG SHA256 Checksum  1d0eccb24df75909177201fe4b4499b7107ab64049ba99d1a88416780117d6c0

3.4.2.23

Carbon Black Cloud sensor version 3.4.2.23 is for macOS only. This release is Generally Available.

Certificate whitelist process

Devices that are upgrading to 3.4 from sensor versions 3.0 and older should have the new code signing certificate (Team ID 7AGZNQ2S2T) whitelisted prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release.
 
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and whitelist the KEXT code signing certificate.
 
See the following User Exchange article about granting the sensor Full Disk Access as required by macOS 10.14+: macOS 10.14+ Privacy Changes and Granting the macOS Sensor Access.
 
Release checksums
 
3.4.2.23 DMG SHA256 Checksum f0799c663d45f68f6d4a44ef82c2adcf7196432fcf4e65e829738f701d10b0e9
3.4.2.23 PKG SHA256 Checksum bafb9e759a055c9cc3268eaaf0d1650b4bead91bac589f4c064df4fca8458fc9

3.4.1.7

Carbon Black Cloud sensor version 3.4.1.7 is for macOS only. This release is Generally Available. 

This release builds on work completed for the macOS sensor versions 3.3.3 and 3.3.4. For more information about the cumulative changes in this sensor version, see the macOS 3.3.3 and 3.3.4 release notes.

Certificate whitelist process

Devices that are upgrading to 3.4 from sensor versions 3.0 and older should have the new code signing certificate (Team ID 7AGZNQ2S2T) whitelisted prior to the sensor upgrade. This procedure is required because of a Team ID change in the Carbon Black Cloud code signing certificate that was introduced in the 3.1 sensor release.
 
VMware Carbon Black recommends using an MDM-compatible mass deploy solution to push the updates, pre-approve, and whitelist the KEXT code signing certificate.
 
See the following User Exchange article about granting the sensor Full Disk Access as required by macOS 10.14+: macOS 10.14+ Privacy Changes and Granting the macOS Sensor Access.
 
Release checksums
 
3.4.1.7 DMG SHA256 Checksum 9b505b56a9d909db5e2d27609ad6ed8a9eda620af1867ed4485b004da27391ea
3.4.1.7 PKG SHA256 Checksum 251a09e0bf2ce53b5899abd72126f6a6d1075e0f7d82c14bc5197e3b86cf187d

 

Enhanced investigations with CB ThreatHunter

CB ThreatHunter brings incident response capabilities to macOS on the Carbon Black Cloud, delivering endpoint visibility and enhanced search to our cloud platform. To enable a macOS endpoint to return CB ThreatHunter data, your organization must have purchased CB ThreatHunter and must have the macOS 3.4 or later sensor installed on the endpoint. The macOS 3.4 sensor supports CB ThreatHunter standalone, as well as any combination of CB Defense, CB LiveOps, and CB ThreatHunter. See https://community.carbonblack.com/t5/Cb-ThreatHunter/ct-p/CbThreatHunter.

VMware Workspace ONE on macOS

The Carbon Black Cloud console now reports the universally unique identifier (UUID) of macOS endpoints and shares that information with VMware Workspace ONE. This enables Workspace ONE macOS users, who are also Carbon Black users, to access the Carbon Black Cloud.

 

Sensor Version Fixed Product Issue ID Description
3.6.1.10 All

DSEN-15228

Fixed rare repCLI reporting issue.

3.6.1.10 All

DSEN-14761, DSEN-14003

Improved sensor tamper protection efficacy for sensor operating in Kernel Extension mode.

3.6.1.10 All

DSEN-14394

Improved recovery mechanism of sensor data files that, in rare circumstances, could occur after unexpected machine shutdown.

3.6.1.10 All

DSEN-14892

Minor user interface enhancement.

3.6.1.10 All

DSEN-14909

Log collection enhancements.

3.6.1.10 All

DSEN-15597

Improved error handling when sensor downloads data files. 

3.6.1.10 All

DSEN-15782,
EA-19673

Email address was incorrectly populated by a company code on < 1% of macOS sensors.

3.6.1.10 All

DSEN-15600

The CBCloudUI widget crashed when selecting About Carbon Black Cloud from the drop-down menu. Selecting Open failed to display the window showing protection events.

3.6.1.10 All

CBC-9429

Quality improvements made to configuration management.

3.6.1.10 All

DSEN-15365
EA-19424

Resolved an issue where NTFS-formatted USB devices were not being blocked.

3.5.3.82 All

DSEN-2781, EA-18371

Unattended installation script could fail after customizations due to some variables to paths that are not quoted in the script.

3.5.3.82 All

DSEN-2800, EA-18355

Pushing large amounts of data via MDM (such as Jamf) alongside the configuration for VMware Carbon Black Cloud could cause the sensor to incorrectly report that it was not properly configured for Full Disk Access via the backend console and the output of the RepCLI status command.

3.5.3.82  All

DSEN-13481

In extremely rare circumstances, the sensor failed to uninstall successfully after undergoing repeated installs and uninstalls.

3.5.2.78 All DSEN-13778

The macOS 11.3 kernel introduced a bug that may lead to a kernel panic with sensors running in KEXT mode. 3.5.2.78 contains a workaround for this Apple bug and kernel panics should no longer be experienced on macOS 11.3. Learn more.

NOTE: 3.5.x sensors running in SE mode are not impacted. If running in KEXT mode, customers should upgrade to the 3.5.2.78 sensor prior to upgrading their OS to 11.3.

3.5.2.78 All DSEN-11614 Sensors on macOS Big Sur now correctly report the OS version as 11.X rather than 10.16 on the backend console. This is only a presentation fix, and has no impact on functionality.
3.5.2.78 All

DSEN-9164

DSEN-12487

Updated OpenSSL, cURL, and sqlite3 libraries.
3.5.2.78 All

DSEN-10397

DSEN-11226

When installing System Extension sensor in attended mode without MDM configured, strict System Extension approval timeout has been removed.
3.5.2.78 All DSEN-11666 Installer no longer prevents administrators from switching to KEXT-enabled mode on ARM architecture.
3.5.2.78 All DSEN-10664 Both company and user install codes can now be used in either unattended or attended install (removed the previous limitation)
3.5.2.78 All DSEN-10782, DSEN-11149 Processes spawned by a process that is part of a 'Performs any operation > Bypass' Permissions rule should no longer be reported on and there should no longer be reports of applications with a hash of all 0s and 1s. Learn more.
3.5.2.78 All DSEN-12985 Upgrading sensor in System Extensions mode while in bypass no longer disables the sensor until reboot is performed on endpoint.
3.5.2.78 All DSEN-12831 Resolves a sensor performance issue where the CBC SysEXT caused a spike in CPU usage on endpoints with high file IO, or after a prolonged period in operation depending on system load.
3.5.2.78 All DSEN-12961, DSEN-13099

Resolves repeated CBC service restart on startup, triggered by specific, valid MDM configurations, that could prevent sensors from checking in.

NOTE: MDM unattended upgrade or manual attended upgrade to 3.5.2.78 should be used to resolve this issue, rather than cloud upgrade.

3.5.2.78 All DSEN-13451 Resolves a rare race condition in the connection filter resulting in a crash of the Network Extension and temporary network connectivity drop.
3.5.2.78 All DSEN-13458 Resolves a sensor performance issue where repmgr causes a spike in CPU usage.
3.5.2.78 All DSEN-11669 Cloud-upgrading from the 3.5.2 KEXT-enabled sensor on Big Sur is no longer permitted, so the endpoint  cannot be left in an unprotected state until the KEXT is approved and a reboot is performed.
3.5.2.78 All DSEN-14103 Removed legacy third party libraries in favor of built-in Apple libraries.
3.5.1.31
All DSEN-12831 Resolves a sensor performance issue where the CBC SysEXT causes a spike in CPU usage on endpoints with high file IO, or after a prolonged period in operation depending on system load.
3.5.1.31 All DSEN-13099 Resolves repeated CBC service restart on startup, triggered by specific, valid MDM configurations, that could lead to sensors stop checking in. MDM unattended upgrade or manual attended upgrade to 3.5.1.31 should be used to resolve this issue, rather than cloud upgrade.
3.5.1.31 All DSEN-13450 Enables downgrade from future 3.5 and later sensors back to 3.5.1. Downgrade from future 3.5+ sensors back to 3.5.1.23 or 3.5.1.19 is not supported.
3.5.1.31 All DSEN-13418 Fixes KEXT upgrade and downgrade on MacOS11.3 beta 4 and 11.3 beta 5 sensors. 3.5.1.19 or 3.5.1.23 KEXT-mode sensors will not be able to upgrade over an existing sensor on MacOS11.3 beta 4 and 11.3 beta 5.
3.5.1.23 All DSEN-12388 Resolves an issue where the sensor goes into  bypass on macOS 11.2 due to the OS compatibility check that is built into the sensor.
3.5.1.19 All N/A Adds --extend-approval-timeout to unattended install script. This increases time to two minutes to manually approve the System Extension.
3.5.1.19 All EA-15476, EA-15761, EA-16054 Xcode build times were sometimes impacted on macOS 10.14 and greater with the Carbon Black Cloud sensor installed.
3.4.4.51 All DSEN-8952,
EA-16183
A rare sensor installation failure occurred due to interaction with third party tools.
3.4.4.51 Endpoint Standard DSEN-9331 Normal operating system processes were associated with malicious behavior and generated TamperBehavior4 alerts.
3.4.4.51 Endpoint Standard DSEN-7179 Improved cloud reputation updates (cloud TTL), resulting in improved prevention efficacy of near 0-day malware.
3.4.4.51 Endpoint Standard DSEN-8608 Improved sensor performance by efficient handling of lookups for files that are frequently dropped-executed-deleted.
3.4.4.51 All DSEN-9401 Updated osquery binary to version 4.4.0, which includes an OpenSSL security vulnerability fix.
3.4.3.44 Endpoint Standard DSEN-8518 Improved alerting on malware files at the time of malware drop.
3.4.3.44 Endpoint Standard DSEN-8243, EA-15346 Fixed latency in certificate approval that caused trusted software installs/updates to fail with sensors in Advanced policies.
3.4.3.44 Endpoint Standard DSEN-8125 Improved handling of macOS 10.15 maintenance OS upgrades with sensors in Advanced policies.
3.4.3.44 Endpoint Standard DSEN-7585, EA-14885 Improved prevention of malicious Office macros embedded in legacy (non-OOXML) Office document format.
3.4.3.44 Endpoint Standard DSEN-8124 Fixed incorrect process “Start Time” in the console.
3.4.3.44 Endpoint Standard DSEN-8509, EA-16114 Resolved a false positive Alert and TTP for TamperBehavior3 triggered during OS shutdown.
3.4.3.44 Enterprise EDR EA-16177 Missing or duplicate Enterprise EDR process tree nodes were rendered, with both Endpoint Standard and Enterprise EDR enabled.
3.4.3.44 Enterprise EDR DSEN-8293 Enterprise EDR events were occasionally not reported.
3.4.3.44 Audit and Remediation DSEN-6645 Updated osquery binary (part of Audit and Remediation engine) to 4.1.2.
3.3.4 All DSEN-2700 Rare issue where repmgr service sporadically crashed on shutdown, typically when the cloud was unreachable. The issue had no impact on end-user or product efficacy.
3.4.1 CB ThreatHunter DSEN-5744, DSER-17746 Code signing certificates were not present in event details or process data views.
3.4.2.23 All DSEN-7120, EA-15474 Resolved tamper protection false positive (MODIFY_SENSOR TTP) against launchd (disabling sensor service) during endpoint reboot.
3.4.2.23 All DSEN-7114, EA-15476 Resolved an issue where a Bypass Permission rule was not fully effective in reducing performance impact during code compilation when the rule was applied to a toolchain (such as Xcode).
3.4.1.7 CB Defense DSEN-4105 Enhanced Reputation feedback loop with the cloud that results in more timely updates, thereby effectively improving prevention of near-0 day malware.
3.4.1.7 CB Defense DSEN-5854 Increased length of reported process command-line strings. This is in addition to command-line reporting improvements that were introduced in the macOS 3.3.3 sensor release.
3.4.1.7 CB Defense DSEN-6549 Rule case sensitivity. Blocking and Isolation and Permission "by path" rules are now evaluated as case-insensitive on Mac. Please review your "by path" policy rules, as their scope may now be broader.

 

 

Sensor Version Found Product Issue ID Description
3.6.1.10 All  

Limited LiveOps support on Apple Silicon devices.

In the current release, LiveOps functionality on Apple Silicon devices is limited to endpoints that have Rosetta preinstalled. Due to current limitations of the OSQuery engine, not all queries work fully on Apple Silicon chipsets, even with Rosetta.

If Rosetta is not installed on the Apple Silicon devices, LiveOps queries will not run and will display an “Environment Not Supported” console message for the affected endpoints.

The LiveOps Apple Silicon limitations will be addressed in future sensor releases that will provide full native Apple Silicon OSQuery support.

3.6.1.10 All  

If a Kernel Extension sensor is installed in macOS Catalina, and an OS upgrade to Big Sur occurs, users might see an extraneous Kernel Extension approval pop-up, despite the Kernel Extension already being approved.

Users can safely re-approve the Kernel Extension or safely ignore the pop-up. Users should re-approve Kernel Extension upon any future sensor upgrades.

3.6.1.10 All DSEN-15770

The network stack re-initializes during a sensor reset, upgrade, or downgrade, resulting in network disconnection for a few seconds.

Carbon Black is in contact with Apple about this issue.

3.6.1.10 All  

3.6.1.10 is the first GA version supporting the Apple Silicon chipset. Sensor downgrade to versions prior to 3.6.1.10 is therefore not officially supported on Apple Silicon machines. Doing so would bring the sensor to a version that does not officially support Apple Silicon, causing the sensor to run in emulation mode. 

Note that downgrade behavior and expectations on Intel machines do not change.

We are aware that some customers are utilizing the 3.5.x versions for emulated support of the sensor on Apple Silicon chipsets.

The recommended downgrade path from Apple Silicon native sensors (any 3.6.x+ sensor) to any Apple Silicon pre-native sensor (any sensor prior to 3.6.x) is via uninstall of the native sensor and installation of the pre-native emulated version.

Utilizing standard downgrade behaviors is unsupported and can lead to undefined behavior.

3.6.1.10  All  

Including the sensor as part of migrating data from Intel to an Apple Silicon machine (i.e. Migration Assistant) is not a supported workflow.

The recommended workflow is to uninstall the sensor before migration or exclude the sensor during migration and install it on the target machine.

3.6.1.10  All DSEN-15839

When notifying users of XProtect blocks, the report message displays the translocated path rather than the execution path.

This will be addressed in a future release.

3.6.1.10 All DSEN-16229

System Extension install and Kernel Extension install on macOS 11+ with the “-d off” flag do not install the sensor into bypass mode.

This issue was recently discovered and impacts the 3.5 and 3.6 sensors. This will be fixed in a future release.

The recommended workaround is to put the sensor into bypass mode after installation through other methods, such as the Carbon Black Cloud console or the endpoint user interface.

3.6.1.10 All  

System Extension sensor upgrade or uninstall can fail with error code 4096 in rare circumstances.

This issue will be fixed in a future release.

For manual remediation steps, see: Carbon Black Cloud: Unable to upgrade or install due to existing system extension (macOS)

3.5.3.82 All n/a

Pre-execution prevention capability is not available with the macOS Big Sur sensor in System Extensions mode. Applications will not be blocked before they are run. This release supports post-execution prevention.

Install the sensor in KEXT mode for full prevention functionality.

3.5.3.82 All n/a

Per Apple, an MDM is required for KEXT installation and approval on macOS 11. Installing the sensor into KEXT mode without an MDM will not work.

Configure MDM KEXT pre-approval before installation, and use the custom RebuildKernelCache command or manually approve the KEXT and reboot OS after install.

3.5.3.82 All DSEN-12985

Failing to approve the System Extension prompt will leave the sensor unable to check in with the backend until the system extension is approved.

Configure the System Extension MDM approvals before install.

3.5.3.82 All DSEN-11669

Cloud-upgrading from the 3.5.2 KEXT-enabled sensor on Big Sur leaves the endpoint in a bypass state until the KEXT is approved and a reboot is performed.

After running a cloud upgrade from the 3.5.2 KEXT sensor, immediately approve the KEXT through manual approval and reboot the endpoint, or use the RebuildKernelCache MDM command.

3.5.3.82 All DSEN-11110

Active network connections are terminated by the operating system when the Network Extension is enabled for the first time, following the installation of the sensor. Disabling and re-enabling the Network Extension after the initial installation does not disrupt network traffic.

Known Apple macOS limitation when enabling a new network extension. VMware Carbon Black has filed an enhancement request with Apple.

3.5.3.82 All n/a

If Full Disk Access is misconfigured, Live Response sessions display a generic error message when attempting to access ~/Desktop, ~/Documents, or ~/Downloads.

See MDM documentation for instructions on how to give the sensor Full Disk Access.

3.5.3.82 All DSEN-12503

RepCLI capture command should always be given an absolute path (beginning with '/') rather than a relative path.

3.5.3.82 All DSEN-13496

While the sensor is in bypass, switching from KEXT to SysEXT (via unattended reinstall, upgrade, or downgrade) will leave the KEXT loaded and the change ineffective until reboot.

Switching from SysEXT to KEXT requires a system reboot to complete regardless of bypass status.

3.5.3.82 All DSEN-14562

If a sensor exits bypass mode, device discovery events may not be generated for devices plugged in while the sensor was in bypass mode.

3.5.3.82 All DSEN-14063

When disabling the Device Control blocking policy, if a previously unseen USB device is mounted, the potential exists that the reported description of the event is incomplete. The device is blocked until the policy is fully revoked.

3.5.2.78 All  

Pre-execution prevention capability is not available with the macOS Big Sur sensor in System Extensions mode. Applications are not blocked at launch. This release does support post-execution prevention.

Workaround/Fix/Mitigation:

Install the sensor in KEXT mode for full prevention functionality. Full prevention functionality on the System Extension-enabled sensor will be enabled in future releases.

3.5.2.78 All  

Per Apple, an MDM is required for KEXT installation and approval on macOS 11. Installing the sensor into KEXT mode without an MDM will leave the sensor in bypass waiting for MDM approval.

Workaround/Fix/Mitigation:

Configure MDM KEXT pre-approval before installation, and use the custom RebuildKernelCache command or manually approve the KEXT and reboot OS after install.

3.5.2.78 All  

Failing to approve the System Extension prompt will leave the sensor unable to check in with the backend until the System Extension is approved.

Workaround/Fix/Mitigation:

Configure System Extension MDM approvals before install.

3.5.2.78 All  DSEN-10349

Uninstalling the KEXT-enabled sensor on macOS 11 will leave behind the KEXT. This is a known Apple Bug: “Moving a kernel extension bundle out of /Library/Extensions might not completely uninstall it. (64331929)”. This issue is not seen in macOS 11.2+.

Workaround/Fix/Mitigation:

Perform a reboot of the machine to remove the KEXT. Alternatively, remove the KEXT after an uninstall by following Apple’s recommended workaround.

3.5.2.78 All DSEN-11110

Active network connections are terminated by the operating system when the Network Extension is enabled for the first time following the installation of the sensor. Disabling and re-enabling the Network Extension after the initial installation does not disrupt network traffic.

Workaround/Fix/Mitigation:

Known Apple macOS limitation when enabling a new network extension. VMware Carbon Black has filed an enhancement request with Apple.

3.5.2.78 All  

If Full Disk Access is misconfigured, Live Response sessions display a generic error message when attempting to access ~/Desktop, ~/Documents, or ~/Downloads.

Workaround/Fix/Mitigation:

The generic error returned in this case will be improved to be Full Disk Access-specific. See MDM documentation for instructions on how to give the sensor Full Disk Access.

3.5.2.78 All DSEN-12503

RepCLI capture command should always be given an absolute path (beginning with '/') rather than a relative path.

3.5.2.78 All DSEN-13496

While the sensor is in bypass, switching from KEXT to SysEXT (via unattended reinstall, upgrade, or downgrade) will leave the KEXT loaded and the change ineffective until reboot.

Switching from SysEXT to KEXT requires a system reboot to complete regardless of bypass status.

Workaround/Fix/Mitigation:

This issue is resolved by an endpoint reboot.

3.5.1.31 All DSEN-13496

While the sensor is in bypass, switching from KEXT to SysEXT (via unattended reinstall, upgrade, or downgrade) will leave the KEXT loaded and the change ineffective until reboot. Switching from SysEXT to KEXT requires a system reboot to complete regardless of bypass status. This issue is resolved by an endpoint reboot.

3.5.1.31 All DSEN-12298

There is a known issue in macOS 11.3 beta 1 where the System Extension fails to load or crashes repeatedly after an upgrade. This issue is not seen in newer 11.3 betas. Disabling the Network Extension component resolves the System Extension crash issue on macOS 11.3 beta 1.

3.5.1.31 All DSEN-11666

Apple Silicon M1 hardware Rosetta 2 emulation does not support running our sensor in KEXT mode. The 3.5.1.31 sensor does not block KEXT installs on M1 hardware. Re-install with the system extension mode specifically set. This is functionally equivalent to the current 3.5.1 GA version. It’s fixed in our upcoming 3.5.2 release.

3.5.1.23 All DSEN-12298

There is a known issue in macOS 11.3 beta 1 where the System Extension fails to load or crashes repeatedly after an upgrade. Disabling the Network Extension component resolves the System Extension crash issue.

3.5.1.19 All N/A

Prevention capability is not available with the macOS Big Sur sensor in System Extensions mode.

Install the sensor in KEXT mode for prevention functionality. Full prevention functionality on the System Extension-enabled sensor will be available in future releases.

3.5.1.19 All DSEN-10349

Uninstalling the KEXT-enabled sensor on macOS 11 will leave behind the KEXT. This is a known Apple Bug: “Moving a kernel extension bundle out of /Library/Extensions might not completely uninstall it. (64331929)”.

Perform a reboot of the machine to remove the KEXT. Alternatively, remove the KEXT after an uninstall by following Apple’s recommended workaround at https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11-beta-release-notes.

3.5.1.19 All N/A

Per Apple, an MDM is required for KEXT installation and approval on macOS 11. Installing the sensor into KEXT mode without an MDM will not work.

Configure MDM KEXT pre-approval before installation, and use the custom RebuildKernelCache command or manually approve the KEXT and reboot OS after install.

3.5.1.19 All DSEN-11110

Active network connections are terminated by the operating system when the Network Extension is enabled for the first time following sensor installation. Disabling and re-enabling the Network Extension after the initial installation does not disrupt network traffic.

This is a known Apple macOS limitation when enabling a new network extension. VMware Carbon Black has filed an enhancement request with Apple.

3.5.1.19 All N/A

If Full Disk Access is misconfigured, Live Response sessions display a generic error message when attempting to access ~/Desktop, ~/Documents, or ~/Downloads.

The generic error returned in this case will be improved to be Full Disk Access-specific. See MDM documentation for instructions on how to give the sensor Full Disk Access.

3.4.4.51 Audit and Remediation DSEN-7849

A sensor that is configured for Audit and Remediation-only does not block network connections when the endpoint is quarantined.

3.4.4.51 All DSEN-8799

Rare issue where repmgr service crashes on shutdown in absence of network connectivity. The issue has no impact on the end-user or product efficacy.

3.4.4.51 All DSEN-8810

Rare issue where CbDefense user interface service crashes. The process is automatically restarted. The issue has no impact on the end-user or product efficacy.

3.4.4.51 Enterprise EDR DSEN-8905

In an Enterprise EDR-only org, code signature certificate details are not always displayed.

3.4.4.51 All CBC-856

Some customers report increased build times on 10.14/10.15 while using Xcode.

3.4.3.44 Audit and Remediation DSEN-7849

A sensor that is configured for Audit and Remediation-only does not block network connections when the endpoint is quarantined.

3.4.3.44 All DSEN-8799

Rare issue where repmgr service crashes on shutdown in absence of network connectivity. The issue has no impact on end-user or product efficacy.

3.4.3.44 All DSEN-8810

Rare issue where CbDefense UI service crashes. The process is automatically restarted. The issue has no impact on end-user or product efficacy.

3.4.3.44 Enterprise EDR DSEN-8905

In an Enterprise EDR-only org, code signature certificate details are not always displayed.

3.4.1.7 All DSEN-3702, DSEN-8839 Malware Removal infrequently and inaccurately reports actions that were or were not taken.
3.4.1.7 All DSEN-2735 Device name in sensor management is case sensitive.
3.4.1.7 All DSEN-2543 The unattended install script does not accept multiple long options. The workaround is to always provide a value (such as 0 or 1) next to every long option, following an = character; for example: --downgrade=1 --skip-kext-approval-check=1.
3.4.1.7 All DSEN-3740 When a device is removed from an AD domain, the sensor is still reflected within that domain in the Endpoints page and remains in a sensor group. The sensor must be taken out of auto-assignment to make policy updates to that sensor. As a workaround, you can manually remove the sensor from the AD group and assign a policy (click into the device, turn off auto-assign, and change the policy).
3.4.1.7 All DSEN-3752 Cloud uninstall of the sensor takes a long time due to a delay in the uninstall request. Local uninstall is not delayed.
3.4.1.7 CB Defense DSEN-3669 Old canary files, specifically with variable or random file names, are not always properly cleaned up by the sensor. This can cause ransomware false positives.
3.4.1.7 CB ThreatHunter DSEN-8905 There is a known issue where code signing certificates are not present in event details or process data views.
3.4.1.7 All DSEN-6570 Carbon Black PSC and older Confer branding is still present in some files and directories specific to the sensor installation. While the sensor installer name might imply CB Defense only, it supports both CB Defense and CB ThreatHunter, and actual sensor functionality is determined by the customer’s organization. Branding and product names will be updated in a future release.