Announcing the Release of Cb Defense macOS Sensor 3.0

We are excited to announce the release of the new Cb Defense macOS sensor 3.0! This major release contains improved ransomware prevention, live response capabilities, High Sierra support, along with a number of other features and bug fixes. The new sensor is now in General Availability (GA) and can be downloaded from the Enrollment page in your Web Console.

This update will be rolling out to Production environments throughout the next few business days. Please see the expected rollout schedule in the table below to learn when this release will be available for download.

| Login URL | ETA |
|---|---|
| https://defense-eu.conferdeploy.net | November 10th |
| https://dashboard.confer.net/ | Week of November 13 |
| https://defense-prod05.conferdeploy.net | Week of November 13 |
| https://defense.conferdeploy.net | Week of November 13 |

As always, please download this new version by browsing to the Enrollment > Manage Sensors page.

IMPORTANT NOTE:

Sensor installations on macOS 10.13 (High Sierra) require initial approval of the product kernel extension (KEXT), either by administrative policy or by the end user. This new requirement, enforced by Apple, applies to all third-party products that have a driver component.

Cb Defense recommends that you pre-configure High Sierra devices with pre-approved Cb Defense drivers by using MDM policy, netboot, or pre-configured images. This approach simplifies sensor deployment, especially in unattended mode.

If Cb Defense drivers are not pre-approved before sensor installation, the behavior is as follows:

  • Unattended installation: Installation finalizes and returns success, but logs a warning to the installation logs. Because the Cb Defense drivers cannot load, the sensor enters Bypass state and reports this state to the cloud. After the KEXT is approved (either by an end user or by an administrator with MDM policy), the sensor recovers within one hour and enters the full protection state.
  • Attended installation is handled similarly to unattended, with two differences: (1) the sensor installation displays a dialog message that asks the end user to approve the KEXT using System Preferences; (2) the installer stalls for up to 10 minutes, giving the user a chance to approve the KEXT.

To identify devices whose sensors do not support the currently loaded OS, go to the Enrollment page, change the Status filter to All, and type the following search query: sensorStates:UNSUPPORTED_OS

To identify devices whose sensors do support the new OS but whose sensor KEXT has not been approved, use the following search query: sensorStates:DRIVER_INIT_ERROR

See Apple Technical Note TN2459 for more details and recommendations for enterprise.

For more information, please see the release notes: Cb Defense Sensor 3.0 Mac Release Notes
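Because an unattended install returns success even when the KEXT has not been approved, a deployment script cannot rely on the installer's exit code alone. The following check is an added example, not Carbon Black's code: the bundle identifier is a placeholder, the function and result names are hypothetical, and the `kextstat` lines are constructed samples.

```shell
#!/bin/sh
# Added example: post-install driver check for unattended macOS deployments.
# KEXT_ID is a PLACEHOLDER; substitute the sensor's real kext bundle identifier.
KEXT_ID="com.example.sensor.kext"

# kext_loaded BUNDLE_ID -- reads `kextstat -l` output on stdin.
# Requires an exact match on column 6 (the bundle id), so a similarly
# named extension from another product is not mistaken for the sensor.
kext_loaded() {
  awk -v id="$1" '$6 == id { found = 1 } END { exit !found }'
}

# needs_kext_approval OS_VERSION -- true for macOS 10.13 and later,
# where the kernel extension must be approved before it can load.
needs_kext_approval() {
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
  [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 13 ]; }
}

# sensor_expectation OS_VERSION BUNDLE_ID -- kextstat output on stdin.
sensor_expectation() {
  if kext_loaded "$2"; then
    echo "driver-loaded"            # sensor can reach full protection
  elif needs_kext_approval "$1"; then
    echo "kext-approval-pending"    # expect Bypass / sensorStates:DRIVER_INIT_ERROR
  else
    echo "driver-missing"           # pre-10.13: not an approval problem
  fi
}

# Constructed sample lines in kextstat's column layout (not real output).
SAMPLE_APPROVED='  148    0 0xffffff7f83a10000 0x21000    0x21000    com.example.sensor.kext (3.0.1) 11111111-2222-3333-4444-555555555555 <7 5 4 3 1>'
SAMPLE_OTHER='  147    0 0xffffff7f839f0000 0x5000     0x5000     com.example.sensor.kext.helper (1.0) AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE <5 4 3>'

# Live use on an endpoint: sh check.sh --live
if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
  kextstat -l | sensor_expectation "$(sw_vers -productVersion)" "$KEXT_ID"
fi
```

A `kext-approval-pending` result right after an unattended install means the device should be queued for approval and rechecked rather than reported as protected.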

Comments

So, kyle.donovan the "Installation Code"-email sent out to users with the download link says "OSX(10.6.8 to 10.12)", is this a typo or is it (still) not supported on 10.13?

Hi jbygden​,

Pages 5-6 of the Cb Defense Sensor 3.0 Mac Release Notes have the following to shed light on this.

"...the Enrollment Page UI currently has a few errors that reflect inaccurate supported macOS and OSX versions next to the associated sensor in the dropdown:

1) The 3.0.x sensor: 10.10 - 10.13 currently shows 10.8-10.12 (10.8-10.9 do work, but are not officially supported by 3.0.x).

2) The 1.2 sensor: 10.6 - 10.12 currently shows 10.6-10.7

Note, there is an overlap: 10.10 - 10.12 are supported by both 1.2 and 3.0.x. These UI bugs will both be resolved with 0.33.x release of the Backend/UI..."

As the email is sent out from the backend, the email would show the same information displayed on the Enrollment page. Mac OSX v10.13 (High Sierra) is supported by the Mac v3.0 Sensor.

I'm on prod05 and macOS sensor 3.0 is not an available option from sensor update dropdown.  When will it be rolled out? 

Hi erkang​,

The table at the top of the original post should allow you to see this information. For ease of reference, the URL you use to access your dashboard is https://defense-prod05.conferdeploy.net ​ which means you should see it this week barring any delays. If you do not see it available by Monday morning, feel free to follow up by submitting a new Support case by going to Help > Open Case at the top of this and all pages in the User Exchange.

3.0.1.20 is published now in most environments, including prod05.

As noted above, it may show max OS version 10.12 next to it. It's purely a download page / UI issue, and it will be updated within the next few days. 3.X supports 10.10 - 10.13, as outlined in the Cb Defense Sensor 3.0 Mac Release Notes with more details.

I'm on Prod 05. Sensor is out.

However, now when I Add Users, the email they get only includes the code for 3.0 sensors. No 1.x/2.x code any more.

Is that intentional? if so, why?  I am trying to install 2.x agents to some 32bit 2008 servers, which, per https://community.carbonblack.com/docs/DOC-7991#jive_content_id_Windows_Server_2008, is not supporte...s for these machines.

I see the new sensor version in the console.  However, sensor upgrade doesn't seem to work.  Does this require a manual install/upgrade of the sensor at the endpoint device? 

Sensor upgrade works ( passed all QA).  There is a delay though - upgrade via cloud is kicked off on the endpoint after up to 4 hours of device uptime after receiving the update request, any chance it was still early? Please submit a ticket if it's still an issue.

mgovolt​ Unfortunately the emails and the codes within are tied specifically to the kit you have selected. So if you have the 3.0 sensor kit selected when pushing out the upgrade, then the emails will only have the 3.0 code.

So if you would like to install the 2.1.0.11 sensor on those machines you will have to select that kit from the dropdown and specifically select your 32 bit machines on server 2008.

However, this announcement is about the macOS 3.0 sensor release, and we do not have a 2.x version of the mac sensor, as our last release was a 1.2.4 sensor. This 3.0 release achieves the feature parity offered in both our 2.x and 3.0 windows sensor (with the exception of the local scanner). 

Hope this helps.

Hi erkang​,

I am glad you see the sensor now! As adam.malinowski​ indicated, when you push the update from the Web Console the sensor receives that instruction the next time it checks into the cloud, and then a random time within the following 4 hours is selected for the sensor to download and install the update (see Cb Defense: How to Update Sensors from Dashboard for more information). If you do not see the sensor get updated within a day, check to make sure it is running and checking into the Web Console. If everything looks fine as far as connectivity goes, please open a support case by going to Help > Open Case at the top of this and all pages within the User Exchange.

kli

I have installed the sensor 3.0 on BMP 2016 with High Sierra but it was not showing up in the console at all. The install went through with no issue, is there anything I have missed? I have tried upgrade from the 1.2.9 version, brand new install sensor 3.0, silent install with company code, and interactive install with email code, none of them worked. The computer didn't show up in console no matter what. Ideas?

kli​ How long did you wait for the device to appear? As mentioned by adam.malinowski​ above, there is a delay with devices appearing in the console after upgrade. Upgrade via cloud is kicked off on the endpoint after up to 4 hours of device uptime after receiving the update request, any chance it was less than this amount of time?

Please submit a ticket if it's an issue after giving it a few hours, as we would like to research further.

kli

I've waited for a few days since the install on Monday but still appearing in the console. Does the device have to be online for couple hours in order to be picked up by the console? I can leave it on for the rest of today and submit a ticket later if issue persists.

Yes, unfortunately the device needs to be online for roughly 4 hours for the new version to appear in the console. Please let us know if this does not resolve it.

kli

Hi Kyle, I left this MBP online (display stayed on all the time) for 5 hours now and still not showing in Console, no matter of what status is.

I am sorry to hear that! This is the first time we have heard of this happening. Do you mind opening a case, so we can take a look at what might have happened?

Hi kyle.donovan​!

It seems like this new version brings with it the decoy or canary files previously discussed for Windows Sensors v3.0.x.x and above. Can we get information on what file types Mac users (and Admins) will see?

Hi jthoming​,

We take a slightly different approach to our improved Ransomware protection in the 3.0 mac release. There are no canary files deployed as a result of the different approach.

Hi kyle.donovan​,

Are we certain this is correct? I have already had one customer ask about files that look to be very similar to our canary files on a Mac.

My mistake jthoming​. We have additional protections on mac, but canaries are part of the deploy no matter what. No additional files though.

Article Information
Creation Date: 11-09-2017