Live Response Execfg Commands Fail on Mac
Article ID: 291748
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Endpoint Standard
Issue/Introduction
- Live Response Session Connects Successfully
- Commands involving execfg command consistently fail
Environment
- Carbon Black Cloud (formerly PSC) Console: All Supported Versions
- Apple macOS: 10.8.x and Higher
- Live Response is Enabled Via Policy
Cause
- The default current working directory at the beginning of the Live Response session is /Applications/Confer.app
- This directory is protected by Sensor self-protection so there are limited rights when working from this directory
Resolution
- Change the working directory to a directory outside of the Confer.app directory with the "cd" command
- Run execfg command
Additional Information
- The /Users/Shared directory is a default location in macOS that provides the Unix user "Everyone" Read and Write permissions
- Changing to this directory should eliminate Unix permissions and Sensor self-protection issues
- If execfg is still not working, there may be additional issues with accessing the binary or binary interface that execfg is attempting to launch
- Launching utilities that require Terminal to interface with a utility session typically do not work through Live Response
Feedback
Yes
No
Powered by
