EDR: OSX Sensor Kernel Extensions Failed to Load

Article ID: 290409


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Error on the console:
Health Score continues to say: "Cb Response kernel extensions failed to load. Endpoint must be restarted to complete upgrade."

Sensor log shows:
E0502 15:41:16.719012 185365952 sensor_service.cpp:565] Failed to start CbOsxSensorProcmon.kext
E0502 15:41:16.812042 185365952 sensor_service.cpp:591] Failed to start CbOsxSensorNetmon.kext

Environment

  • EDR Sensor: osx-6.2.3+
  • OSX: 10.13+

Cause

The OSX sensor kernel extensions were not approved before the reboot was performed. The "Secure Kernel Extension Loading" (SKEL) feature, introduced in macOS 10.13, will not load kernel extensions unless they have been explicitly approved.

Resolution

  • If MDM is used, it is recommended that the customer use MDM whitelisting or make sure the kernel extensions are user approved.
    See: macOS 10.13.4 Kext Approval Changes
  • End users can also approve kernel extensions using the Security & Privacy page.
    See: Kernel Extension Approval for macOS 10.13 (High Sierra) - Cb Response

    Apple documentation on approving kernel extensions: https://developer.apple.com/library/archive/technotes/tn2459/_index.html. That technote gives more detail on how approving kernel extensions through the Security & Privacy window behaves.

Additional Information

This approval UI is only present in the Security & Privacy preferences pane for 30 minutes after the alert. Until the user approves the KEXT, future load attempts will cause the approval UI to reappear but will not trigger another user alert.
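
To confirm after approval which extensions named in the sensor log are still not loaded, the following added example (not Carbon Black code) summarises the "Failed to start" errors and compares them with `kextstat` output. The first two sample log lines are the ones shown above; the other log lines and the `kextstat` line, including its `com.example` bundle identifier, are constructed placeholders.

```shell
#!/bin/sh
# Added triage example, not vendor code.

# Read sensor log text on stdin and summarise kext start failures.
# Prints one line per kext: <name> <failure count> <last failure timestamp>
kext_failures() {
    awk '/^E[0-9][0-9][0-9][0-9] / && /\] Failed to start .*\.kext/ {
        name = $NF; sub(/\.kext$/, "", name)
        count[name]++; last[name] = $1 " " $2   # later lines overwrite earlier
    }
    END { for (n in count) print n, count[n], last[n] }' | sort
}

# $1: text of `kextstat` output; stdin: lines from kext_failures.
# Prints the names that failed in the log and are absent from kextstat,
# i.e. extensions that still need approval (or a reboot after approval).
not_loaded() {
    while read -r name count last; do
        printf '%s\n' "$1" | grep -qF -- "$name" || printf '%s\n' "$name"
    done
}

# Lines 1-2 are from the article; lines 3-4 are constructed for the example.
SAMPLE_LOG='E0502 15:41:16.719012 185365952 sensor_service.cpp:565] Failed to start CbOsxSensorProcmon.kext
E0502 15:41:16.812042 185365952 sensor_service.cpp:591] Failed to start CbOsxSensorNetmon.kext
I0502 15:41:17.000000 185365952 sensor_service.cpp:600] constructed informational line
E0503 09:02:11.000001 185365952 sensor_service.cpp:565] Failed to start CbOsxSensorProcmon.kext'

# Constructed kextstat line; the bundle identifier is a placeholder.
SAMPLE_KEXTSTAT='  150    0 0xffffff7f80000000 0x5000 0x5000 com.example.CbOsxSensorNetmon (1.0) <5 4 3 1>'

# On an endpoint, replace the samples with the real sensor log and "$(kextstat)".
printf '%s\n' "$SAMPLE_LOG" | kext_failures
printf '%s\n' "$SAMPLE_LOG" | kext_failures | not_loaded "$SAMPLE_KEXTSTAT"
```
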