
Does anyone have experience implementing Bit9? https://www.bit9.com Seems that infosec is telling us we must do this... Just wondering what others' experience is.



Thanks.

WARNING - heads up for those of you testing Bit9.



The company is still WAY behind on High Sierra support. If you upgrade to 10.13.2 while Bit9 is installed, or install Bit9 on top of 10.13.2+, your computer will have a kernel panic immediately. On subsequent restarts, the computer will have a kernel panic and you can't even boot in Safe Mode.



The only way to fix this is to boot to Recovery OS, mount your primary boot volume, and remove the b9daemon.kext from /Library/LaunchDaemons.


Security team told me they released a new patch on the 5th or something, looks like patch 8 when I installed it.


@prbsparx I am looking for a Removal script for bit9 - Can you help?


@wmateo



There is no way to script this if you updated MacOS 10.13.2 while Bit9 was installed. You have to start the computer in Recovery OS or Single User Mode, mount the disk, and delete /Library/Extensions/b9daemon.kext.



Carbon Black utterly failed here. They should have been testing the betas and advising their customers a lot more proactively.


@wmateo: I believe I do, but I'll have to find it. That being said, as I recall, Bit9 protects itself, so you have to either:
1. Work with your security team to disable the protection from the admin console and THEN uninstall
2. Uninstall from Single User Mode, or Recovery Volume.



If Bit9 caused crashes, @bradtchapman is correct, you have to manually remove it.


@wmateo once you remove b9daemon.kext as @bradtchapman indicated, you should be able to log into your Mac as normal and then run the uninstall script that Carbon Black provides in /Applications/Bit9/.



I had issues with both Carbon Black Protect and Carbon Black Response after this week's Security Update 2018-001 for Sierra and El Capitan (High Sierra not in our environment ... yet), and removing the kernel extensions did not get rid of the kernel panics, so I had to remove the LaunchDaemons and the binaries. Below is the list of files I had to remove.



For Response, I deleted:



/Library/Extensions/CbOsxSensorNetmon.kext
/Library/Extensions/CbOsxSensorProcmon.kext
/Library/LaunchDaemons/com.carbonblack.daemon.plist
/Applications/CarbonBlack/CbOsxSensorService



For Protect, I deleted:



/Library/Extensions/b9kernel.kext
/Library/LaunchDaemons/com.bit9.Daemon.plist
/Applications/Bit9/Daemons/b9daemon



I either booted an affected Mac to Target Disk Mode, connected it to a working Mac, and used the Finder to delete the files, or I booted into the Recovery partition and used Terminal to delete them (remembering to target "/Volume/Macintosh HD/" in the commands). After removing those files, the Mac should be able to start up without kernel panicking, and the uninstall scripts for each product still remained, which I then ran in Terminal:



sudo /Applications/CarbonBlack/sensoruninst.sh
sudo /Applications/Bit9/uninstall.sh



This has worked on all but one of the Macs that were affected.
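The manual removal described in the two posts above (boot to Recovery OS or Target Disk Mode, mount the affected volume, delete the kexts, LaunchDaemons and binaries, then run the vendor uninstall scripts) can be scripted once the volume is mounted. The following is an added example, not a script from the thread or from Carbon Black: it takes the mounted volume root as its argument (for example "/Volumes/Macintosh HD" from the Recovery Terminal) and removes exactly the component paths listed in the posts above. The function names, the volume-root argument and the CB_CLEANUP_VOLUME variable are assumptions for illustration; the path list is taken from the thread.

```shell
#!/bin/sh
# Added example (not the thread's or the vendor's code): remove the Carbon Black
# Protect (Bit9) and Carbon Black Response components listed in the thread from a
# macOS volume mounted under the given root, e.g. "/Volumes/Macintosh HD" when
# booted to Recovery OS. Paths come from the posts above; everything else is assumed.

# Component paths, relative to the volume root, as listed in the thread.
CB_COMPONENTS="
Library/Extensions/b9daemon.kext
Library/Extensions/b9kernel.kext
Library/LaunchDaemons/com.bit9.Daemon.plist
Applications/Bit9/Daemons/b9daemon
Library/Extensions/CbOsxSensorNetmon.kext
Library/Extensions/CbOsxSensorProcmon.kext
Library/LaunchDaemons/com.carbonblack.daemon.plist
Applications/CarbonBlack/CbOsxSensorService
"

# Print every listed component that exists under the volume root, one per line.
# Returns 0 if at least one was found, 1 if the volume has none of them.
list_cb_components() {
    vol="${1%/}"
    found=0
    for rel in $CB_COMPONENTS; do
        if [ -e "$vol/$rel" ]; then
            printf '%s\n' "$vol/$rel"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Remove the listed components under the volume root. Refuses an empty argument
# or a directory that does not look like a macOS volume, so a mistyped path is not
# silently turned into a deletion on the wrong disk. Returns 0 when the volume no
# longer contains any of the components, 2 when the root was rejected.
remove_cb_components() {
    vol="${1%/}"
    if [ -z "$1" ] || [ ! -d "$vol/Library" ]; then
        echo "not a macOS volume root: '$1'" >&2
        return 2
    fi
    for rel in $CB_COMPONENTS; do
        target="$vol/$rel"
        [ -e "$target" ] || continue
        printf 'removing %s\n' "$target"
        rm -rf -- "$target"
    done
    # Success only if nothing from the list remains.
    ! list_cb_components "$vol" >/dev/null
}

# Usage: CB_CLEANUP_VOLUME="/Volumes/Macintosh HD" sh cb_cleanup.sh
if [ -n "${CB_CLEANUP_VOLUME:-}" ]; then
    remove_cb_components "$CB_CLEANUP_VOLUME"
fi
```

After a successful run and a reboot into the normal system, the vendor uninstall scripts the post mentions (/Applications/CarbonBlack/sensoruninst.sh and /Applications/Bit9/uninstall.sh) are still in place and can be run with sudo to clean up the rest.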


@bradtchapman I think we as a community should also try to inform each other through both Slack and JamfNation.



I always forget to post on JamfNation.



For everyone on here, if you aren't aware already: the MacAdmins Slack (macadmins.slack.com) has a channel dedicated to Carbon Black products: #carbonblack


@prbsparx @pcrandom



Thanks guys! Yeah, I manually did the above. For CB I didn't have the instructions. The latest macOS security patches for Spectre/Meltdown place machines with Bit9 / CB installed into a kernel panic. What I am trying to do now is proactively remove Bit9 from all my machines before we run SWU.


Has this gotten any better? Testing the Bit9 notifier on 10.12-10.14. Does it output to any logs?


The latest versions of CbProtect (aka Bit9) still cause kernel panics in 10.13.6 and 10.14.3, though somewhat more "gracefully" than in the past. Log output hasn't changed as far as I can tell.


I haven't found the log files yet. Does the kernel panic happen right after install, or does some other condition trigger it? I have it on 10.14.3 and 10.13.6 without a kernel panic (so far). We are installing Bit9 Notifier 7.2.3.4000 patch 12.


We still use Bit9 today. There was never an app built for us on macOS to provide a UI for employees to unlock using a timed override code. Here is what I came up with and it has been working perfectly. Just save it as an app in the AppleScript editor. Hope it helps.



APPLESCRIPT
-- Prompt for the timed override code; the typed text is masked in the dialog
set theResponse to display dialog "Enter code: " default answer "" with icon stop buttons {"Cancel", "Continue"} default button "Continue" with hidden answer

-- A button named "Cancel" is treated as the cancel button by display dialog, so
-- clicking it raises "User canceled" (error -128) and the script stops before this line;
-- the check is kept as a guard in case the button is ever returned normally
set code to button returned of theResponse
if code = "Cancel" then return ""

set textResponse to (text returned of theResponse)

display dialog ("Code is: " & textResponse & ".") buttons {"OK"} default button 1

-- Hand the code to the Bit9 command-line tool. "quoted form of" wraps the typed text
-- in single quotes so shell metacharacters in the input cannot alter the command
set results to (do shell script "cd /Applications/Bit9/Tools; ./b9cli -timedoverride " & quoted form of textResponse)

display dialog results
END SCRIPT
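The script above builds a shell command by concatenating whatever the user typed, so the b9cli call only stays intact if the typed text is quoted. The following is an added example and not code from the thread or from Carbon Black: a small shell wrapper that validates the override code and passes it to b9cli as a separate argument instead of splicing it into a command string. The accepted character set (letters, digits, hyphen), the B9CLI variable and the function names are assumptions for illustration; the b9cli path and the -timedoverride flag are the ones used in the post.

```shell
#!/bin/sh
# Added example (not the thread's or the vendor's code): validate a Bit9 timed
# override code and invoke b9cli with it as a single argv element. The accepted
# code format and the B9CLI override variable are assumptions.

B9CLI="${B9CLI:-/Applications/Bit9/Tools/b9cli}"

# Accept only a plausible override code: non-empty, letters, digits and hyphens.
# Returns 0 if acceptable, 1 otherwise.
valid_override_code() {
    case "$1" in
        '' | *[!A-Za-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Apply the timed override. The code is passed as its own argument, so it is never
# parsed by a shell; anything outside the expected format is refused up front.
# Returns 1 for a bad code, 2 if b9cli is missing, otherwise b9cli's exit status.
b9_timed_override() {
    code="$1"
    if ! valid_override_code "$code"; then
        echo "override code has an unexpected format" >&2
        return 1
    fi
    if [ ! -x "$B9CLI" ]; then
        echo "b9cli not found at $B9CLI" >&2
        return 2
    fi
    "$B9CLI" -timedoverride "$code"
}

# Usage: b9_timed_override "$CODE"   (CODE is the value typed by the user)
```

The same idea applies inside the AppleScript: either validate the text before calling do shell script, or at minimum wrap it with "quoted form of" so the typed value reaches b9cli as one literal argument.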

