CB Defense: Third Party Software Installer or Upgrade Blocked on Mac
Article ID: 288931
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Third party software installer is blocked by CB Defense during initial install or upgrade
Environment
CB Defense Sensor: Version 3.2.x.x and Higher
Apple macOS: 10.10.x and Higher
Third party software installer is Whitelisted by Hash and/or Certificate
Cause
Files within the trusted installer package (PKG) are not signed with a code-signing certificate
Files within the trusted installer package (PKG) return a reputation of Not_Listed
These payload files do not match the hash of the PKG and are typically not signed
Resolution
Whitelist the third party installers with the PKG Certificate Whitelist feature, as described in https://community.carbonblack.com/t5/Knowledge-Base/Cb-Defense-How-to-Use-Certificate-Whitelisting-for-PKG/ta-p/43247
Once completed, the initial trust (LOCAL_WHITE reputation) granted to the PKG is extended to files within the trusted installer
Complete install/upgrade of third party software
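To confirm the cause before adding the whitelist entry, the following added example (not Carbon Black tooling) reads the signing certificate of a PKG with pkgutil and lists executable payload files that codesign cannot verify. The sample output, signer name and team ID are constructed, and the parsers assume the usual layout of `pkgutil --check-signature` output.

```shell
#!/bin/sh
# Added example (not vendor code). Parsers read `pkgutil --check-signature` text on stdin.

# Constructed sample output; signer name and team ID are placeholders.
SAMPLE='Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA'

# Leaf signer = entry "1." of the certificate chain; empty for an unsigned PKG.
pkg_leaf_signer() {
    sed -n 's/^[[:space:]]*1\.[[:space:]]*//p' | head -n 1
}

# Succeeds only when the Status line reports a signature.
pkg_is_signed() {
    st=$(sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1)
    case "$st" in
        ""|"no signature"*) return 1 ;;
        *) return 0 ;;
    esac
}

# macOS only: report the PKG signer, then list executable payload files
# that fail codesign verification (the files the Cause section describes).
audit_pkg() {
    work=$(mktemp -d) || return 1
    out=$(pkgutil --check-signature "$1" 2>&1)
    if printf '%s\n' "$out" | pkg_is_signed; then
        printf 'PKG signer: %s\n' "$(printf '%s\n' "$out" | pkg_leaf_signer)"
    else
        printf 'PKG is unsigned\n'
    fi
    # --expand-full also unpacks the Payload; assumes a macOS release that has it.
    if pkgutil --expand-full "$1" "$work/x"; then
        find "$work/x" -type f -perm -100 | while IFS= read -r f; do
            codesign --verify "$f" 2>/dev/null || printf 'unsigned: %s\n' "${f#"$work/x/"}"
        done
    fi
    rm -rf "$work"
}

if [ $# -ge 1 ]; then
    audit_pkg "$1"
else
    printf 'sample signer: %s\n' "$(printf '%s\n' "$SAMPLE" | pkg_leaf_signer)"
fi
```

Run it with the path to the blocked installer as the only argument; with no argument it only parses the embedded sample.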
Additional Information
Installer whitelisting by code-signing certificate was introduced in the PSC with the Cb Defense macOS 3.2 Sensor (see the release notes)
Most 3rd party macOS software installer payloads are delivered as a PKG package, which is signed differently from code and binary files
Carbon Black recommends using the PKG Installer Whitelisting feature to whitelist the entire installer, not just individual files. This mitigates false positives during installations or upgrades of 3rd party software that is commonly used in your environment and approved by an administrator
Use Cases
Internal Software Updates
IT pushes macOS software updates internally in the form of a signed PKG file
Install hooks embedded in the PKG installer or in the executable target payload are often scripted or not signed, so traditional certificate whitelisting of individual files within the installer is not effective
Common productivity software auto-updaters
3rd party software installed by end-users may utilize auto-updaters packaged as signed PKGs that can suffer from similar issues