Unable to upgrade or install due to existing system extension (macOS)


Article ID: 291372


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

  • Installation of a 3.5.1.x or higher Sensor fails
  • The error message in the preinstall log indicates a failure to unload the installed System Extension
    failed to uninstall system extension
    program terminated with error code: 4096
  • Checking with systemextensionsctl shows the Carbon Black extension installed
    sudo systemextensionsctl list
    
    --- com.apple.system_extension.endpoint_security
    enabled active teamID bundleID (version) name [state]
    * * 7AGZNQ2S2T com.vmware.carbonblack.cloud.se-agent.extension (3.5.2fc76/3.5.2fc76) com.vmware.carbonblack.cloud.se-agent.extension [activated enabled]

Environment

  • Carbon Black Cloud Sensor: 3.5.1.x and Higher
  • Apple macOS: 10.15 (Catalina) and Higher

Cause

A previously installed System Extension cannot be uninstalled without first disabling System Integrity Protection (SIP).
NOTE: With the newly added scripts, this can be worked around without disabling SIP; see Resolution 1 below. Resolution 2 can still be used if Resolution 1 cannot be used.

Resolution

  • Resolution 1: This is the optimal solution, using scripts that do not require SIP to be disabled. Script attached.
    1. Drop a 3.8.0 or greater series sensor DMG onto the affected endpoints.
    2. From the docs/ directory of the sensor DMG, find and execute the CBCloud Cleanup Tool.pkg.
    3. Follow the steps of the CBCloud Cleanup Tool installer.
    4. Upon successful completion, the system extension will be in the [Terminated waiting to uninstall on reboot] state. A reboot is not required, and sensor upgrade or uninstall can immediately be re-attempted. 
      • Note: This tool is not intended to be used on healthy endpoints and will not continue with removing the system extension if a healthy endpoint is detected.
  • Resolution 2: The previous solution, which requires SIP to be disabled. It does not need to be used if Resolution 1 above has been followed.
    1. Check systemextensionsctl for com.vmware.carbonblack.cloud.se-agent.extension
      sudo systemextensionsctl list | grep carbonblack
    2. Disable System Integrity Protection (SIP)
    3. Once rebooted in normal mode with SIP disabled, check systemextensionsctl for com.vmware.carbonblack.cloud.se-agent.extension again
      sudo systemextensionsctl list | grep carbonblack
    4. Manually uninstall the system extension
      sudo systemextensionsctl uninstall 7AGZNQ2S2T com.vmware.carbonblack.cloud.se-agent.extension
    5. Verify com.vmware.carbonblack.cloud.se-agent.extension is no longer present
      sudo systemextensionsctl list | grep carbonblack
    6. Next clean up files for software using this KB.
    7. Attempt installation of the desired Sensor version, collecting the most recent /tmp/preinstall-<Timestamp>.log
    8. Enable System Integrity Protection (SIP)
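
The state checks used in both resolutions (the [Terminated waiting to uninstall on reboot] state after the Cleanup Tool, and the repeated systemextensionsctl list | grep carbonblack checks) can be scripted so the result is a single word suitable for logging or a fleet query. This is an added example, not part of the original article or a Carbon Black tool; the function names and verdict words are hypothetical, and the sample listing is constructed from the output shown in this article.

```shell
#!/bin/sh
# Added example (not vendor code): report the state of the Carbon Black
# system extension from `systemextensionsctl list` output supplied on stdin.
CB_BUNDLE_ID='com.vmware.carbonblack.cloud.se-agent.extension'

# Print "teamID|version|state" for the Carbon Black entry, or nothing if absent.
cb_sysext_entry() {
    awk -v id="$CB_BUNDLE_ID" '
        index($0, id) {
            state = $0                      # state is the last [...] group
            sub(/^.*\[/, "", state); sub(/\].*$/, "", state)
            for (i = 2; i < NF; i++)        # locate the bundleID column
                if ($i == id) { print $(i-1) "|" $(i+1) "|" state; exit }
        }'
}

# Map the entry to one word: absent | active | pending-uninstall | other.
cb_sysext_verdict() {
    entry=$(cb_sysext_entry)
    [ -n "$entry" ] || { echo absent; return 0; }
    # Compare case-insensitively: the article capitalises the state name.
    state=$(printf '%s' "${entry##*|}" | tr '[:upper:]' '[:lower:]')
    case "$state" in
        'activated enabled')                         echo active ;;
        'terminated waiting to uninstall on reboot') echo pending-uninstall ;;
        *)                                           echo other ;;
    esac
}

# Constructed sample listing, modelled on the output shown in this article.
sample_listing() {
    cat <<EOF
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * 7AGZNQ2S2T $CB_BUNDLE_ID (3.5.2fc76/3.5.2fc76) $CB_BUNDLE_ID [$1]
EOF
}

# Demo on the sample; on an endpoint, pipe the real command in instead:
#   systemextensionsctl list | cb_sysext_verdict
sample_listing 'activated enabled' | cb_sysext_entry
sample_listing 'activated enabled' | cb_sysext_verdict
sample_listing 'Terminated waiting to uninstall on reboot' | cb_sysext_verdict
```

A verdict of active on an endpoint whose preinstall log shows the uninstall failure means the old extension is still loaded; pending-uninstall or absent means the upgrade or uninstall can be re-attempted.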

Additional Information

  • The version displays with 'fc' included (e.g., 3.5.1fc23, 3.5.1fc31, or 3.5.2fc76); this is normal
  • If the system is on macOS 12+, we have success stories of resolving the error by adding the "RemovableSystemExtensions" setting to the System Extensions payload, specifically targeting com.vmware.carbonblack.cloud.se-agent.extension.
  • If installation still fails, run through step 5 above, writing the output to a file named after the device, and open a case with Carbon Black Technical Support

Attachments

VMware CBC Mitigation Bundle.zip