Carbon Black Cloud: What is the impact of not approving the network extension (macOS)

Article ID: 290040


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

What would the impact be if full disk access is added but the network extension is not approved for System Extension mode?

Environment

  • Carbon Black Cloud Sensor: 3.5.1.19 and Higher
    • Audit & Remediation (was CB LiveOps)
    • Endpoint Standard (was CB Defense)
    • Enterprise EDR (was CB ThreatHunter)
  • Apple macOS: 11.0 (Big Sur) and Higher

Resolution

For Sensors installed in System Extension mode, network events would not be recorded or reported, and prevention rules dealing with network operations and quarantine would not be functional, until the Network Extension is approved.

Additional Information

  • The Network Extension (NE) should become active as soon as it is approved, though the exact timing will vary because the OS inserts the NE into the stack of handlers at its discretion
  • Sensors installed in Kernel Extension mode require full disk access (FDA) to be configured, but do not require the Network Extension to be approved