EDR: How To Confirm MacOS Sensor Has Full Disk Access
Article ID: 287664
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Validate that Full Disk Access (FDA) is properly enabled for the sensor after a macOS sensor install or upgrade.
Environment
EDR macOS Sensor: 6.2.6 and Higher
Resolution
Check /var/log/system.log on the endpoint for es-extension (Endpoint Security system extension) errors.
Use the following commands:
grep "filterPackets is not enabled" /var/log/system.log
grep "Full Disk Access not enabled" /var/log/system.log
grep "extension not entitled" /var/log/system.log
grep "Error subscribing to EndpointSecurity events" /var/log/system.log
If any of these errors are present, FDA did not take effect for the sensor; manually reinstall the sensor.
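The four checks above can be run as a single script on the endpoint. The script below is an added example, not part of the KB article or the Carbon Black sensor; the function name, the combined pattern and the sample log lines are assumptions constructed for illustration. It returns 0 when none of the error signatures appear (FDA looks healthy), 1 when at least one is present (reinstall the sensor), and 2 when the log cannot be read.

```shell
#!/bin/sh
# Added example (not from the KB article): scan a macOS system.log for the
# es-extension error strings listed in the Resolution section and report
# whether the sensor's Full Disk Access appears to have failed.

# The four error signatures the article says to grep for, as one ERE alternation.
FDA_PATTERNS='filterPackets is not enabled|Full Disk Access not enabled|extension not entitled|Error subscribing to EndpointSecurity events'

# check_fda_log LOGFILE
#   prints every matching line, then returns:
#     0 - no signatures found (FDA looks healthy)
#     1 - at least one signature found (reinstall the sensor)
#     2 - log file not readable (e.g. wrong path, insufficient privileges)
check_fda_log() {
    logfile="$1"
    if [ ! -r "$logfile" ]; then
        echo "cannot read $logfile" >&2
        return 2
    fi
    if grep -E "$FDA_PATTERNS" "$logfile"; then
        return 1
    fi
    return 0
}

# Sample log constructed for this example; these are not real captured entries.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Jan  1 10:00:01 mac CbOsxSensorService[123]: sensor starting
Jan  1 10:00:02 mac kernel[0]: es-extension: Full Disk Access not enabled
Jan  1 10:00:03 mac kernel[0]: es-extension: Error subscribing to EndpointSecurity events
EOF

# On a real endpoint, replace "$SAMPLE_LOG" with /var/log/system.log.
if check_fda_log "$SAMPLE_LOG"; then
    echo "no es-extension FDA errors found"
else
    echo "es-extension errors found: manually reinstall the sensor"
fi
rm -f "$SAMPLE_LOG"
```

Because the server-side health indicator can read 100% even when FDA failed, run this on the endpoint itself rather than trusting the console.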
Additional Information
Currently, in some environments the EDR server may report the macOS sensor as 100% healthy even though FDA was not enabled properly, so the server-side health status is not a reliable confirmation.
System Preferences > Security & Privacy > Full Disk Access may not show CbOsxSensorService as enabled if the logged-in user does not have Admin privileges.