Carbon Black Cloud: How to use the MAC sensor removal tool.
Article ID: 284990
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
How to use the MAC sensor removal tool.
Environment
Endpoint Standard (formerly Cb Defense): 3.8.0.58 and newer
Apple macOS: All Supported Versions
Resolution
Copy a sensor DMG, version 3.8.0 or newer, to the affected endpoint.
Execute the CBCloud Cleanup Tool.pkg from the docs/ directory of the DMG.
Once deployed, the tool runs the cleanup at the time of PKG execution: when the PKG executes, the tool detects a system extension (SysEXT) in the stale state and cleans it up.
If successful, the system extension will be in the "uninstalled" state and/or [Terminated waiting to uninstall on reboot] state. A reboot is not required, and sensor upgrade or uninstall can immediately be re-attempted.
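One way to check the outcome described above, as an added example (not Broadcom's or the Cleanup Tool's own code): it reads the text printed by the macOS command `systemextensionsctl list` and reports whether the matching extension is in one of the two states this article names as success. The function names, the `com.example.sensor` bundle ID, the team ID and the sample rows are constructed placeholders.

```shell
#!/bin/sh
# Added example, not vendor code. Classifies `systemextensionsctl list` text
# after the Cleanup Tool PKG has run. State strings are taken from the article.

# Print the bracketed [state] of every row that contains the substring $1.
sysext_states() {
    while IFS= read -r line; do
        case $line in
            *"$1"*\[*\]*)
                state=${line##*\[}              # text after the last '['
                printf '%s\n' "${state%%\]*}" ;; # cut at the closing ']'
        esac
    done | tr '[:upper:]' '[:lower:]'
}

# Read the listing on stdin and print one verdict for the extension matching $1:
#   removed           every matching row is in a state the article calls success
#   still-registered  at least one matching row is in any other state
#   absent            no matching row in the listing
cleanup_verdict() {
    states=$(sysext_states "$1")
    [ -n "$states" ] || { echo absent; return 0; }
    verdict=removed
    while IFS= read -r s; do
        case $s in
            uninstalled|"terminated waiting to uninstall on reboot") ;;
            *) verdict=still-registered ;;
        esac
    done <<EOF
$states
EOF
    echo "$verdict"
}

# Constructed sample rows; IDs are placeholders and column spacing is simplified.
SAMPLE_STALE='enabled active teamID bundleID (version) name [state]
    TEAMID0000 com.example.sensor.extension (1.0/1.0) sensor.extension [terminated waiting to uninstall on reboot]'
SAMPLE_ACTIVE='* * TEAMID0000 com.example.sensor.extension (1.0/1.0) sensor.extension [activated enabled]'

# On an endpoint (assumed usage; substitute the sensor's real bundle ID):
#   systemextensionsctl list | cleanup_verdict '<sensor bundle ID>'
```

A `still-registered` verdict with an active state is also what a healthy sensor looks like, which the tool leaves in place by design.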
Additional Information
The tool first evaluates whether the sensor is “healthy”, then verifies that the system extension bundle exists on disk in Applications and is correctly code signed. Once that is verified, it exits without remediation. Please note that the system extension will not be removed if the sensor is deemed healthy.
Cleanup Tool version X will only clean up a stale SysEXT of version <= X, so to clean up SysEXT version X+1, you need Cleanup Tool version X+1.
The CBC Cleanup Tool DOES NOT actually get installed on the endpoint. Although we are leveraging the PKG installer format to distribute this tool, the tool itself runs as part of the “installation” and then performs the cleanup. It DOES NOT leave any artifacts on the sensor that would later need to be removed.
PKG execution does not install any files or other persisted artifacts on the endpoint and therefore the tool itself does not need to be uninstalled.