EDR: MAC Sensor Not Collecting Netconns When Connected to VPN
Article ID: 290270
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
When a MacOS endpoint is connected to a VPN sometimes the Sensor will not report netconn info for that endpoint.
Environment
- EDR Apple macOS Sensor: Versions 7.2 and 7.1.1
- Apple macOS: All Supported Versions
Cause
- There is a limitation in Apple's implementation of NEFilterPacketProvide
- There is no method to ensure that packet flow will reach our filter before they are fed into the VPN tunnel interface. In some instances we may indeed be able to inspect these packets, but in others we might not.
Resolution
This thread in the Apple developer forum explains the issue: https://developer.apple.com/forums/thread/133622
It appears that other developers have submitted feedback requests to Apple regarding this issue. We will also submit a FBR for our own tracking purposes.
It appears that other developers have submitted feedback requests to Apple regarding this issue. We will also submit a FBR for our own tracking purposes.
Feedback
Yes
No
Powered by
