Carbon Black Cloud: Mac Sensor Missing Network Events and Unable to Quarantine after Jan 9th 2023
Article ID: 292130
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Device Quarantine
Reporting Network Activity (netconn events)
Endpoint Standard detections that leverage the network events
Enterprise EDR watchlists that leverage the network events
Endpoint Standard: Policy blocking operation “Communicates over the Network”
Environment
Carbon Black Cloud Sensor: All Versions
Apple macOS: All Supported Versions
Cause
Carbon Black Cloud Mac sensor code signing certificates are expiring on January 9, 2023.
Carbon Black Cloud Mac sensors installed and approved prior to January 9th, 2023 will continue to fully protect the endpoint past the expiration date. However, if a sensor with an expired certificate is installed or approved (Sensor Versions 3.7.2.77 & 3.7.1.12 and lower), or if a sensor is manually reset (via repcli) after January 9th, 2023, then Network Extension functionality will be unavailable.
Resolution
For any new installations or upgrades after January 9th 2023, please upgrade to the latest macOS sensor.
We will have new sensor versions available for download from the console within the next couple of weeks. Please follow this post for updated sensor availability and version numbers.
Additional Information
Sensors deployed in KEXT mode are not impacted.
The updated macOS Sensor releases contain no code changes, only the updated certificate. We will change the build number to make clear which version has the newest certificate.