Issue
After updating the Carbon Black Cloud sensor to version 3.5.1.23, the endpoint status shows as bypassed. After an attempt to remove the endpoints from bypass, they loop back to the same status.
Environment
VMware Carbon Black Endpoint Standard (CB Defense)
macOS 10.15.X and higher
Resolution
Reboot the endpoint to complete approval of the kernel extension (KEXT); on macOS 10.16 to 11.x "Big Sur", also check system extensions. Then follow the steps below to enable permissions for the network extensions:
1. From Terminal, run the following command:
$ sudo /Applications/VMware\ Carbon\ Black\ Cloud/VMware\ CBCloud.app/Contents/MacOS/VMware\ CBCloud -ne
Carbon Black Cloud: How to approve network extension after manual install in System Extension mode
Carbon Black Cloud: What is the impact of not approving the network extension (macOS)
Also please check to see if Full Disk Access is already approved:
Carbon Black Cloud Granting the macOS Sensor Full Disk Access (v3.5.1+)
Reference Article:
https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-How-to-disable-and-re-enable-CBC-network/ta-p/99531
Cause
In the sensor diagnostics from at least one of the affected endpoints, the confer logs show the following:
03/02/21 09:36:45 [WARN] a78d failed to rebuild kextcache
03/02/21 09:37:06 [INFO] a78d detected not loaded kext com.carbonblack.defense.kext
03/02/21 09:37:07 [INFO] a78d KextManagerLoadKextWithIdentifier returns -603946981
03/02/21 09:37:07 [WARN] a78d system policy prevents loading the sensor kernel extension
03/02/21 09:39:21 [WARN] a78d failed to load com.carbonblack.defense.kext (attempt 1)
03/02/21 09:39:23 [INFO] a78d KextManagerLoadKextWithIdentifier returns -603946981
03/02/21 09:39:23 [WARN] a78d system policy prevents loading the sensor kernel extension
03/02/21 09:39:50 [INFO] a78d loaded kext com.carbonblack.defense.kext
VMware Carbon Black Cloud support confirmed that the logs above show that the KEXT was not approved or not working for the sensor.
VMware Carbon Black also reviewed the server and noticed that the network extension was not approved for the endpoints. This causes the sensor to not provide full data to the server.
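To check other endpoints' diagnostics for the same signature, the confer log lines above can be summarized with a short script. This is an added example, not VMware Carbon Black tooling: the function name triage_kext and the assumed line layout (date, time, level, tag, message) are inferred only from the lines quoted in this article.

```python
import re

# The confer log lines quoted in this article, embedded so the example runs offline.
SAMPLE = """\
03/02/21 09:36:45 [WARN] a78d failed to rebuild kextcache
03/02/21 09:37:06 [INFO] a78d detected not loaded kext com.carbonblack.defense.kext
03/02/21 09:37:07 [INFO] a78d KextManagerLoadKextWithIdentifier returns -603946981
03/02/21 09:37:07 [WARN] a78d system policy prevents loading the sensor kernel extension
03/02/21 09:39:21 [WARN] a78d failed to load com.carbonblack.defense.kext (attempt 1)
03/02/21 09:39:23 [INFO] a78d KextManagerLoadKextWithIdentifier returns -603946981
03/02/21 09:39:23 [WARN] a78d system policy prevents loading the sensor kernel extension
03/02/21 09:39:50 [INFO] a78d loaded kext com.carbonblack.defense.kext
"""

KEXT_ID = "com.carbonblack.defense.kext"
# Assumed layout, inferred from the lines above: date time [LEVEL] tag message.
LINE = re.compile(r"^(\S+ \S+) \[(\w+)\] (\S+) (.*)$")
RETURNS = re.compile(r"^KextManagerLoadKextWithIdentifier returns (-?\d+)$")
POLICY = "system policy prevents loading the sensor kernel extension"


def triage_kext(log_text, kext_id=KEXT_ID):
    """Summarize kext load events in confer log text (hypothetical helper)."""
    out = {"policy_denials": 0, "failed_attempts": 0, "return_codes": set(),
           "first_denial": None, "loaded": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or non-matching lines instead of failing
        stamp, _level, _tag, msg = m.groups()
        code = RETURNS.match(msg)
        if code and int(code.group(1)) != 0:
            # Record the signed 32-bit return value as unsigned hex.
            out["return_codes"].add(format(int(code.group(1)) & 0xFFFFFFFF, "#010x"))
        elif msg == POLICY:
            out["policy_denials"] += 1
            out["first_denial"] = out["first_denial"] or stamp
        elif msg.startswith("failed to load " + kext_id):
            out["failed_attempts"] += 1
        elif msg == "detected not loaded kext " + kext_id:
            out["loaded"] = False
        elif msg == "loaded kext " + kext_id:
            out["loaded"] = True  # the last state line seen wins
    return out


if __name__ == "__main__":
    print(triage_kext(SAMPLE))
```

A result with policy_denials above zero and loaded not True matches the unapproved-KEXT condition described in this section.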