Carbon Black EDR MacOS 7.4.0 sensor is misattributing file modifications to the parent process launchd instead of the actual process.

• Carbon Black EDR Server: All Supported Versions
• Carbon Black EDR MacOS Sensor: Version 7.4.0

The sensor daemon attributes each event to a process by looking up (pid, pid_version) in its process-details cache. Process details for a child are only created when the exec event for that child is processed. If a file event for that child is processed before its exec event:

1. Lookup for the file event's (pid, pid_version) finds no process details (exec not processed yet).
2. The daemon then uses the fork-child fallback: it looks up the PID in the fork map and returns the parent's process details.
3. The file event is serialized with the parent's process_path/process_guid and fork_pid set to the child's PID.
4. The event is therefore shown under the parent in the UI, and the child process has no corresponding file events.

So the underlying cause is: file and exec events are out of sync — the file event is handled before the exec event for the same process.

• WORKAROUND: Manually uninstall and reinstall the 7.3.0 MacOS EDR sensor (downgrade is not supported)
• FIX: 7.5.0 MacOS EDR sensor will contain the permanent fix when it is released Q2 2026.