CB Defense: Third Party Software Installer or Upgrade Blocked on Mac

Article ID: 288931

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

A third-party software installer is blocked by CB Defense during initial installation or upgrade.

Environment

  • CB Defense Sensor: Version 3.2.x.x and Higher
  • Apple macOS: 10.10.x and Higher
  • Third-party software installer is whitelisted by hash and/or certificate

Cause

  • Files within the trusted installer package (PKG) are not signed with a code-signing certificate
  • Files within the trusted installer package (PKG) return a reputation of Not_Listed
  • These payload files have their own hashes, which do not match the hash of the PKG itself, so a hash whitelist for the PKG does not cover them, and they are typically not signed

Resolution

  1. Whitelist the third party installers with the PKG Certificate Whitelist feature according to https://community.carbonblack.com/t5/Knowledge-Base/Cb-Defense-How-to-Use-Certificate-Whitelisting-for-PKG/ta-p/43247
    • Once completed, the initial trust (LOCAL_WHITE reputation) granted to the PKG is extended to files within the trusted installer
  2. Complete the install or upgrade of the third-party software
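Before applying step 1, it is worth confirming which certificate actually signed the PKG (that is the identity the whitelist rule should name) and seeing which payload files the extended trust would cover. The script below is an added example, not Carbon Black's tooling; it assumes macOS with `pkgutil` and `codesign`, a `pkgutil` that supports `--expand-full`, and the installer path is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not Carbon Black's tooling): triage a macOS PKG before whitelisting
# it by certificate in CB Defense. Assumes macOS with pkgutil and codesign and a
# pkgutil that supports --expand-full. "Example Corp" in comments is a placeholder.

# Read `pkgutil --check-signature` output from stdin and print the leaf certificate
# that signed the package, e.g. "Developer ID Installer: Example Corp (TEAMID)".
# This is the certificate a PKG Certificate Whitelist rule should be built on.
signer_from_check_output() {
  sed -n 's/^[[:space:]]*1\.[[:space:]]*//p' | head -n 1
}

# Read the same output and print only the signature status line.
status_from_check_output() {
  sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1
}

# Expand the PKG (payload and install scripts included) and list executable files
# that carry no valid code signature. These are the files that surface as
# Not_Listed and get blocked; trusting the PKG certificate extends LOCAL_WHITE to them.
unsigned_payload_files() {
  pkg="$1"
  tmp=$(mktemp -d) || return 1
  pkgutil --expand-full "$pkg" "$tmp/expanded" >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
  find "$tmp/expanded" -type f -perm -u+x | while IFS= read -r f; do
    codesign -v "$f" >/dev/null 2>&1 || printf '%s\n' "${f#$tmp/expanded/}"
  done
  rm -rf "$tmp"
}

# Print a short triage report for one PKG: status, signer, unsigned payload files.
triage_pkg() {
  pkg="$1"
  out=$(pkgutil --check-signature "$pkg")
  printf 'Package: %s\nStatus: %s\nSigner: %s\n' "$pkg" \
    "$(printf '%s\n' "$out" | status_from_check_output)" \
    "$(printf '%s\n' "$out" | signer_from_check_output)"
  printf 'Unsigned executable payload files:\n'
  unsigned_payload_files "$pkg" | sed 's/^/  /'
}

# Usage: sh pkg_triage.sh /path/to/installer.pkg
if [ -n "${1:-}" ]; then triage_pkg "$1"; fi
```

If the Signer line shows anything other than the vendor's Developer ID Installer identity, or the status is not a trusted signature, do not whitelist the certificate; the unsigned file list shows exactly what the PKG-level trust will be extended to.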

Additional Information

  • Installer whitelisting by code-signing certificate was introduced in the PSC with the Cb Defense macOS 3.2 Sensor (see the release notes)
  • Most third-party macOS software installer payloads are delivered as a PKG package; the PKG carries its own installer signature, which is separate from the code signatures applied to the executables and binaries inside it
  • Carbon Black recommends using the PKG Installer Whitelisting feature to whitelist the entire installer, rather than individual files, for third-party software that is commonly used in your environment and approved by an administrator. This mitigates false-positive blocks during installations and upgrades.

Use Cases

  1. Internal Software Updates
    • IT pushes macOS software updates internally in the form of a signed PKG file
    • Install hooks embedded in the PKG installer or in the executable target payload are often scripted or unsigned, so traditional certificate whitelisting of individual files within the installer is not effective
  2. Common productivity software auto-updaters
    • Third-party software installed by end users may use auto-updaters packaged as signed PKGs, which can suffer from the same issue