EDR: System dylib load events no longer being reported

Article ID: 288583
Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

  • No longer seeing events related to system dylib loads
  • Toggling the Filter Known Modules option in Advanced Sensor Group Settings has no effect

Environment

  • EDR Apple macOS Sensor: 7.3.0 and higher
  • Apple macOS: 11 Big Sur and higher

Cause

Starting with macOS 11 Big Sur, the OS protects system libraries against on-disk tampering by loading them from a trusted, prebuilt library cache rather than from the individual library files on disk.

Resolution

EDR sensors running on macOS 11 Big Sur and higher will not report modload events for these system library files, and the “Filter known modloads” advanced sensor group setting has no effect on these events.

Additional Information

  • Dynamically loaded code (typically dylibs on macOS) is classified into two categories:
    • System dylibs - typically bundled with the OS or system software.
    • Application-specific/third-party dylibs (non-system dylibs).
  • As part of its telemetry, the EDR sensor reports an event each time such a dylib is loaded; when the “Filter known modloads” feature is enabled, it filters out the system dylib load events.
  • This issue affects only system dylibs; application-specific/third-party dylib load events are still reported.
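The following is an added example for analysts triaging modload telemetry from macOS sensors; it is not Carbon Black code and the article does not document the sensor's classification rule. It assumes, as a heuristic, that a dylib under /usr/lib/ or /System/Library/ is a "system dylib" (the SYSTEM_PREFIXES constant), splits a constructed batch of events the way the "Filter known modloads" setting is described above, and lists which system dylibs have no file on disk, which on macOS 11 and later means they come from the shared library cache and will produce no modload event regardless of the filter. The sample events and the `exists` callback are constructed so the script runs offline on any host.

```python
import os
from typing import Callable, Dict, Iterable, List

# Assumed path prefixes for OS-bundled ("system") dylibs; the sensor's real
# classification rule is not documented in the article.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")

# Constructed sample modload telemetry (not real sensor output).
SAMPLE_EVENTS = [
    {"process": "/Applications/Safari.app/Contents/MacOS/Safari",
     "path": "/usr/lib/libSystem.B.dylib"},
    {"process": "/Applications/Safari.app/Contents/MacOS/Safari",
     "path": "/System/Library/Frameworks/Security.framework/Versions/A/Security"},
    {"process": "/Applications/Example.app/Contents/MacOS/Example",
     "path": "/Applications/Example.app/Contents/Frameworks/libexample.dylib"},
    {"process": "/Applications/Example.app/Contents/MacOS/Example",
     "path": "/Users/alice/Library/Application Support/Example/libplugin.dylib"},
]


def is_system_dylib(path: str) -> bool:
    """Heuristic: a dylib under an OS library prefix is a system dylib."""
    return path.startswith(SYSTEM_PREFIXES)


def apply_filter(events: Iterable[Dict[str, str]],
                 filter_known: bool) -> Dict[str, List[str]]:
    """Split modload events the way the article describes the
    'Filter known modloads' setting: with the filter on, system dylib loads
    are dropped; third-party loads are reported either way."""
    reported, filtered = [], []
    for ev in events:
        if filter_known and is_system_dylib(ev["path"]):
            filtered.append(ev["path"])
        else:
            reported.append(ev["path"])
    return {"reported": reported, "filtered": filtered}


def shared_cache_dylibs(paths: Iterable[str],
                        exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """System dylib paths with no file on disk. On macOS 11+ these are served
    from the prebuilt library cache, which is why (per the article) the sensor
    produces no modload event for them regardless of the filter setting.
    `exists` is injectable so the check can run against a constructed view."""
    return [p for p in paths if is_system_dylib(p) and not exists(p)]


def expected_gap(events: Iterable[Dict[str, str]],
                 exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Paths in the telemetry an analyst should not expect to see reported
    on a Big Sur or newer host (system dylibs resolved from the cache)."""
    return shared_cache_dylibs((ev["path"] for ev in events), exists)


if __name__ == "__main__":
    # Constructed view of what is present on disk for the sample above.
    on_disk = {
        "/Applications/Example.app/Contents/Frameworks/libexample.dylib",
        "/Users/alice/Library/Application Support/Example/libplugin.dylib",
    }
    print(apply_filter(SAMPLE_EVENTS, filter_known=True))
    print(expected_gap(SAMPLE_EVENTS, exists=lambda p: p in on_disk))
```

Run against real sensor output, the practical use is the second function: if a hunt or detection rule on a macOS 11+ host expects a system dylib load event that `expected_gap` lists, the absence of that event is the documented behaviour, not a sensor fault, and the rule should key on the third-party dylib loads that are still reported.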