Unprotected Agents With Red Status (macOS)

Article ID: 286642

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Receiving an event for "Unable to connect to the Kernel. Agent will not track files" and the condition persists after the machine is rebooted
  • Receiving an event for "Computer not protected. The agent was unable to communicate with the kernel. Agent may be unprotected."
  • A "./b9cli --status" command returns the following:
    Kernel: Not Connected, or
    Kernel: 0.0.0.0
    

Environment

  • App Control Agent: All Supported Versions
  • macOS: All Supported Versions

Cause

The App Control driver is either not properly installed or not fully loaded.

Resolution

  1. Verify that any third-party security application has all Agent Exclusions added.
  2. Verify the Agent and macOS combination being used is supported.
  3. Use the following command in Terminal to verify the System Extension for Team ID 7AGZNQ2S2T is Enabled & Active:
    systemextensionsctl list
    Example Output:
    teamID       name                [state]
    7AGZNQ2S2T   appc-es-extension   [activated enabled]
    
  4. Check for errors when manually starting the System Extension via Terminal:
    cd /Applications/Bit9/Agent
    ./appc-es-loader.app/Contents/MacOS/appc-es-loader
  5. In System Preferences > Security & Privacy > Privacy > Full Disk Access: Verify permissions have been granted to:
    • appc_es_extension
    • b9notifier
    • b9daemon
  6. Reboot the endpoint, or restart the Agent:
    cd /Applications/Bit9/Tools 
    ./b9cli --password 'GlobalCLIPassword'
    ./b9cli --shutdown
    sudo launchctl unload /Library/LaunchDaemons/com.bit9.Daemon.plist
    sudo launchctl load /Library/LaunchDaemons/com.bit9.Daemon.plist
    ./b9cli --status
    
  7. Upgrade to the latest version of the Agent.
  8. A full uninstall of the Agent and manual reinstall may be required.
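
An added triage sketch for steps 3 and 6 above (not vendor or Agent code): it parses the text output of `systemextensionsctl list` and `./b9cli --status` and reports which check fails. The function names, result labels and sample inputs are constructed for illustration, and the healthy Kernel value is a placeholder.

```shell
#!/bin/sh
# Added example, not vendor code. Functions read command output as text,
# so the logic can be exercised offline with the constructed samples below.
TEAM_ID="7AGZNQ2S2T"   # Team ID given in the article

# sysext_state: print the [state] of the first extension line for TEAM_ID
# ("absent" if none); succeed only when it is exactly "activated enabled".
sysext_state() {
    awk -v id="$TEAM_ID" '
        index($0, id) {
            s = index($0, "["); e = index($0, "]")
            if (s && e > s) { print substr($0, s + 1, e - s - 1); found = 1; exit }
        }
        END { if (!found) print "absent" }' | {
        read -r state
        printf '%s\n' "$state"
        [ "$state" = "activated enabled" ]
    }
}

# kernel_connected: fail when the "Kernel:" line is missing or holds one of
# the two failure values listed in the article.
kernel_connected() {
    kernel_value=$(sed -n 's/^[[:space:]]*Kernel:[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' | head -n 1)
    case "$kernel_value" in
        ""|"Not Connected"|"0.0.0.0") return 1 ;;
        *) return 0 ;;
    esac
}

# triage SYSEXT_TEXT STATUS_TEXT: map both results to the resolution steps.
triage() {
    if ! printf '%s\n' "$1" | sysext_state >/dev/null; then
        echo "extension-not-active"   # work through steps 3 to 5
    elif ! printf '%s\n' "$2" | kernel_connected; then
        echo "agent-not-connected"    # step 6: restart the Agent or reboot
    else
        echo "protected"
    fi
}

# Constructed sample inputs (not captured from a real endpoint).
SAMPLE_SYSEXT_OK='teamID       name                [state]
7AGZNQ2S2T   appc-es-extension   [activated enabled]'
SAMPLE_SYSEXT_WAIT='teamID       name                [state]
7AGZNQ2S2T   appc-es-extension   [activated waiting for user]'
SAMPLE_STATUS_BAD='Kernel: Not Connected'
SAMPLE_STATUS_OK='Kernel: 1.2.3.4'   # placeholder for any non-failure value
```

On an endpoint, pass the live output instead of the samples: triage "$(systemextensionsctl list)" "$(cd /Applications/Bit9/Tools && ./b9cli --status)".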

Additional Information

  • System Extensions are used as of macOS 11.0+ and Agent 8.7.0+.
  • Kernel Extensions were used for macOS versions 11.x and older when Agent 8.6.x and older were used.
  • The Agent driver location for OS X versions 10.9 (Mavericks) and later is:
    /Library/Extensions/b9kernel.kext
  • The Agent driver location for OS X versions prior to 10.9 is:
    /System/Library/Extensions/b9kernel.kext