Carbon Black Cloud: How to Collect Data for Troubleshooting a MacOS Kernel Panic

Article ID: 291085

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

This article provides the steps for collecting the information Cb Support needs to diagnose a MacOS kernel panic/crash.

Environment

  • Carbon Black Cloud Sensor: All Versions
  • Apple MacOS: All Versions

Resolution

1. Provide answers:
  • What actions are being performed?
  • How many devices is this occurring with?
  • Provide the device name, operating system, and installed sensor version.
  • Timestamp of the kernel crash
  • Are there blocks in the console at the time of the crash?
    • If so, is a system file being blocked?
  • Is it reproducible?
  • If the sensor is in bypass, does the machine still crash?
  • Are there any third-party security applications installed?
    • If so, are the AV exclusions in place?
2. Collect the files:
  • MacOS Core Dump
3. Upload the collected files:
  • https://community.carbonblack.com/groups/cb-vault

Additional Information

About MacOS core dumps:
  • Core dumps are located in the /cores/ directory for all versions.
  • MacOS 10.4 and Higher:
    • Core dumps are disabled by default. To enable core dumps on a MacOS machine running version 10.4 or higher, create the file /etc/launchd.conf. Next, restart the machine and reproduce the issue to collect the core dump file.
  • Prior to MacOS 10.4:
    • Enable core dumps on a system-wide basis by changing the following line in /etc/hostconfig from:
        COREDUMPS=-NO-
      to:
        COREDUMPS=-YES-
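
The check and collection steps above can be scripted; the following is an added example, not Carbon Black tooling or part of the original article. The function names, manifest layout and archive name are assumptions, and the sensor version is left as a placeholder to fill in by hand.

```shell
#!/bin/sh
# Added example: function names and output layout are hypothetical;
# the paths and COREDUMPS values are the ones the article lists.

# Return 0 if either setting the article describes is present under ETC_DIR.
coredumps_configured() {
    etc_dir="${1:-/etc}"
    [ -f "$etc_dir/launchd.conf" ] && return 0    # 10.4 and higher
    grep -q '^COREDUMPS=-YES-' "$etc_dir/hostconfig" 2>/dev/null    # prior to 10.4
}

# SHA-256 of one file, with whichever tool the host provides.
sha256_of() {
    if command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else sha256sum "$1"; fi | awk '{print $1}'
}

# Bundle the contents of CORES_DIR, plus a manifest of its regular files,
# into OUT_DIR/cores-<host>.tar.gz. Prints the archive path; returns 1 if
# there is nothing to collect. OUT_DIR must be outside CORES_DIR.
collect_cores() {
    [ -d "${1:-/cores}" ] || { echo "no such directory: ${1:-/cores}" >&2; return 1; }
    cores_dir=$(cd "${1:-/cores}" && pwd) || return 1
    out_dir=$(cd "${2:-.}" && pwd) || return 1
    host=$(uname -n)
    manifest="$out_dir/manifest.txt"
    {
        echo "device_name: $host"
        if command -v sw_vers >/dev/null 2>&1; then
            echo "os: $(sw_vers -productName) $(sw_vers -productVersion)"
        else
            echo "os: $(uname -sr)"    # fallback when not run on macOS
        fi
        echo "sensor_version: FILL_IN"    # placeholder, entered by hand
        echo "collected_utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$manifest"
    count=0
    for f in "$cores_dir"/*; do
        [ -f "$f" ] || continue
        echo "file: $(basename "$f") bytes=$(wc -c < "$f" | tr -d ' ') sha256=$(sha256_of "$f")" >> "$manifest"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "no core dumps in $cores_dir" >&2; return 1; }
    archive="$out_dir/cores-$host.tar.gz"
    tar -czf "$archive" -C "$out_dir" manifest.txt -C "$cores_dir" .
    chmod 600 "$archive"    # core dumps hold process memory; keep it owner-only
    echo "$archive"
}
```

Run `coredumps_configured` before reproducing the issue and `collect_cores /cores /tmp` (as a user who can read /cores) afterwards; the checksums in the manifest let the recipient confirm the upload arrived intact.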