Endpoint Standard: How to approve Mac Sensor 3.0 KEXT for Install/Upgrade

Environment

  • Endpoint Standard: 3.0 and above
  • Apple MacOS: Mac OS 10.13 - 11

Objective

Carbon Black recommends submitting the applicable Endpoint Standard KEXT IDs described in macOS 10.13.4 Kext Approval Changes for approval by MDM before installing or upgrading to Mac Sensor 3.0. If the KEXT is not pre-approved by MDM, this article describes how to approve it locally during install or upgrade.

Resolution

  1. When installing or upgrading to Mac Sensor 3.0 on High Sierra+, the installer will pause and you will see a prompt from the installer telling you to allow the kernel extension within 5 minutes
  2. Behind this notification is another notification from the OS explaining how to allow the extension from "Scargo, Inc."
  3. Open the Security preferences pane, where you can allow the software from "Scargo, Inc." to run
  4. The installer will finish, the kernel extension will load, and the Cb logo will load in the menu bar
  5. Use the command below to verify that the CB Defense KEXT has been approved
    kextstat | grep -s com.confer
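
The check in step 5, extended as an added example (not Carbon Black's own tooling) to cover both bundle IDs named under Additional Notes and to match them as whole fields rather than substrings. The function names and the sample kextstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: bundle IDs are the two this article names for Sensor 3.0 and 3.1+.
CB_KEXT_IDS="com.confer.sensor.kext com.carbonblack.defense.kext"

# Read kextstat-style output on stdin and print "<bundle-id> <version>" for each
# loaded sensor KEXT. Returns 0 if at least one is loaded, 1 if none is.
cb_kext_loaded() {
    awk -v ids="$CB_KEXT_IDS" '
        BEGIN { n = split(ids, want, " ") }
        {
            for (f = 1; f <= NF; f++)
                for (i = 1; i <= n; i++)
                    if ($f == want[i]) {        # whole-field match, not a substring
                        ver = (f < NF) ? $(f + 1) : ""
                        gsub(/[()]/, "", ver)
                        print want[i], ver
                        found = 1
                    }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample output (addresses, versions and UUIDs are made up).
sample_loaded() {
    cat <<'EOF'
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  142 0xffffff7f80a00000 0x9000     0x9000     com.apple.kpi.bsd (19.6.0) 11111111-1111-1111-1111-111111111111 <>
  160    0 0xffffff7f83b00000 0x5c000    0x5c000    com.confer.sensor.kext (3.0.0) 22222222-2222-2222-2222-222222222222 <5 4 3 1>
EOF
}

# Constructed sample where only a look-alike bundle ID is present.
sample_not_loaded() {
    cat <<'EOF'
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  161    0 0xffffff7f83c00000 0x1000     0x1000     com.confer.sensor.kext.example (1.0) 33333333-3333-3333-3333-333333333333 <1>
EOF
}

# On a Mac, check the live kernel; elsewhere this is skipped.
if command -v kextstat >/dev/null 2>&1; then
    kextstat 2>/dev/null | cb_kext_loaded || echo "sensor KEXT not loaded (approval may be pending)"
fi
```

The non-zero return when no sensor KEXT is loaded lets a fleet script flag endpoints that are likely to report "Sensor Bypass Admin Action".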

Additional Notes

  • The Mac 3.0 Sensor is signed by Confer, a subsidiary of Scargo Inc. Confer is likewise a subsidiary of Carbon Black. See Cb Defense: Why does KEXT approval show Scargo Inc as Developer for new cert? for more information.
  • Starting with macOS 10.13.0 (High Sierra), Apple created a whitelist for KEXTs. This feature requires user approval before loading new third-party kernel extensions, such as the CB Defense kernel extension: com.confer.sensor.kext for Sensor version 3.0, or com.carbonblack.defense.kext for Sensor version 3.1 or higher. See Apple Technical Note TN2459 for more details and recommendations for enterprise environments.
  • If the KEXT is not approved at the time of loading, the Mac Sensor will install with status "Sensor Bypass Admin Action" in the Sensor Management Page of the CB Defense PSC Console. See Cb Defense: Mac Sensor installs with status "Sensor Bypass Admin Action" for details.
  • In some situations you may see an additional pop up stating that a reboot is required; however, the sensor does not need to reboot after the install/upgrade on physical machines. You may choose not to reboot and the sensor should reload within 30 minutes.
  • If using the 3.1.x.x Sensor and above, see Endpoint Standard: How to Verify Sensor 3.1 KEXT Approval.
  • Kernel Extensions are being deprecated in newer versions. For macOS versions above 12, use the System Extension for best results.

Article Information

Creation Date: 02-08-2019