Endpoint Standard: Mac Sensor reporting TamperBehavior3 Alerts
Article ID: 289804
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Alerts with the following context appear in the console:
The application /sbin/launchd attempted to disable the Cb Defense Sensor, by calling the function "TamperBehavior3". The operation was blocked by Cb Defense.
Environment
CB Cloud Console: All Versions
Endpoint Standard macOS Sensor: 3.4.2.23
Apple macOS: All Versions
Cause
An endpoint reboot triggers the sensor's tamper detection, which generates a false positive alert.
Resolution
This is a known issue, and the fix will be included in an upcoming release (3.4.3).