Bit 9

Lhsachs
Contributor II

Does anyone have experience implementing Bit9? https://www.bit9.com Seems that infosec is telling us we must do this... Just wondering what others' experience is.

Thanks.

37 REPLIES

jarednichols
Honored Contributor

In a prior life I asked IT security folks for the threat vectors on Mac that justified YAA (yet another agent) on our boxes. It was to the point where there was Casper, McAfee ePO, McAfee Antivirus, firewall (both app and packet level), remote support etc. I asked them to pick which agent I was to peel off so I could replace it with Bit 9.

Crickets, as expected.

Windows got Bit 9. Nothing else did.

bmarks
Contributor II

All I can say if it's being forced on you is "good luck." Our security team attempted to force this on us, but during our testing it proved to be so unusable that we were able to push back and block it for good. We got sick of being their de facto beta testers for the production release of their Mac agent.

bmarks
Contributor II

Basically, every time we encountered an issue, they'd say the version we were using wasn't the official Mac version, even though it was advertised as the official Mac version when we test deployed it. This went on for about 9 months of agent releases where they'd say the only official Mac agent wasn't whatever one it was we were using at the time.

And, their support is absolutely atrocious. This sidenote isn't related to the product, but it took a month's worth of communication for me to be able to access the support portal. The only way they'd send me info for how to access the support portal was via ticket notes, which I obviously couldn't observe since my ticket (submitted initially via email) was about how I couldn't log into the support portal! It was a Kafka-esque experience that I hope to never experience again.

sgoetz
Contributor

Our company had Bit9 installed on all 900 Macs and it caused nothing but problems, from lock-ups to terminal commands no longer functioning. After hundreds of complaints we have removed Bit9 from all Macs.

bmarks
Contributor II

Yeah, and for us, we also experienced ridiculously high CPU utilization and subsequent repeated severe performance degradation.

Lhsachs
Contributor II

Thanks for the replies... I'll pass it up the chain. This reminds me of the move from netOctopus to Big Fix at a previous job that came with a contract renewal (Yeah - it will work on all operating systems)... and yes, Big Fix spiked the processors.... and I moved to a contract where I worked with Casper 6... and haven't moved away from Casper...

grahamfw
New Contributor III

Another consideration is that dot releases often are not immediately supported by Bit9. That alone is reason enough not to use it since your users may very well brick their own machines when Apple releases a new update.

sthoward
New Contributor

I really appreciate the feedback above from those of you who have used Bit9 on Macs. We have Bit9 running for thousands of Windows clients, and it is a wonderful tool for blocking malware on Windows. I frequently see cases where viruses appear on systems and are blocked by Bit9, but McAfee does not detect them until 2-3 months later.

That being said, we have a smaller Mac environment, and some of our management would like to install Bit9 there as well. Knowing that others are experiencing issues with Bit9 on Mac will help us to continue to push back in that environment.

Thanks!

bmarks
Contributor II

That reminds me... at least with Mavericks, the first 10.9 version of the agent wasn't available until the following February, i.e. over 5 months after its release. In the current OS X world of annual release cycles, that's a very long time in my opinion. I don't know how quickly they offered Yosemite support because we had given up by then after testing the Mavericks agent for so long and still not getting a stable product.

bjones
New Contributor III

@sgoetz I have a question in reference to the way you guys deployed your Bit9 client to 900 Macs. I have heard on multiple sites and from experience how CPU heavy this app is, but they want to deploy for testing. I am able to just take the app and install it and everything works fine. I have tried to deploy through Casper using a Bit9 installation created in Composer and it doesn't work.

Lhsachs
Contributor II

@bjones - The way I packaged bit9 has to do with the fact that the .dmg file had a visible 'Install Bit9 Security Platform.pkg' and two hidden files: config.xml, server.conf in it.

I built my installer with packagemaker - placing the .dmg file into /tmp and running a post flight script:

#!/bin/sh
####################################################
## This is to run Bit 9 install ##
####################################################

####################################################
## Mount Disk Image (the DMG was placed in /tmp by the package payload) ##
hdiutil attach /tmp/disabled-freshinstall-mac.dmg

############################################
###Run Bit9 Installer######
## The volume and package names contain spaces, so the path must be quoted.
sudo installer -pkg "/Volumes/Bit9 Agent/Install Bit9 Security Platform.pkg" -target /

############################################
###Unmount Installer######
hdiutil unmount "/Volumes/Bit9 Agent/"

bjones
New Contributor III

@Lhsachs Question: is there a way to just deploy the 'Install Bit9 Security Platform.pkg'?

benbass
New Contributor III

@bjones Unfortunately installing just the "Install Bit9 Security Platform.pkg" doesn't include the server info and settings. So you will have Bit9 installed, but not configured, so it won't talk to your Bit9 servers.

In my testing the best way to install was the method that @Lhsachs used. Cache the dmg, and then mount it and run the installer via postflight script. I think there are ways to mount the dmg so it doesn't show up, via -shadow; I would take a look at how the Adobe installer scripts run for ways to do that.

bjones
New Contributor III

Thanks @Lhsachs and @benbass, that seemed to work pretty well. The last question I have is, when the installer ran I got this message:
installer: Cannot install on volume / because it is disabled.
installer: The Bit9 Platform is not supported on major versions of OS X beyond 10.9

I am running this on 10.11... has anyone installed this on that OS X version?

benbass
New Contributor III

Hi @bjones . I think that they might have 10.10.5 certified, but I haven't checked recently. We had an SLA of 60 days on minor OS versions, and 90 days on major. Which pretty much means the latest version is only certified after the OS stops receiving updates.

wmateo
Contributor

@bjones did you ever run this on 10.11 successfully? I am having a few issues with 10.11.4 where it freezes the machine and goes into a kernel panic.

prbsparx
Contributor II

Hi guys, for those of you trying to deploy this:
1) Make sure to use a package that is in disabled enforcement mode.
2) You can create an easily deployable pkg by creating a .pkg.zip file for Casper Suite similar to the Adobe Production Premium CS6 method. The easiest way to do this is by running the following command:

cd "/Volumes/Bit9 Agent"
zip -r -X ~/Desktop/Bit9-v7.2.3.9204.zip *

This will create a ZIP file that contains all of the files that were in the DMG.
Casper Suite can deploy this format natively.

NOTE: Bit9 is not well designed for Macs. 7.2.3 Patch 2 causes macOS Sierra to kernel panic. Supposedly 7.2.3 Patch 3 fixes this, though I have not confirmed this yet. This should really only be run on high priority targets... XProtect+Quarantine do pretty much the same thing Bit9 does but natively and in a more efficient way.
Carbon Black is a little more friendly...

If you need help with this, ping me on the MacAdmins Slack. (@prbsparx)

segan
New Contributor II

Hi,

Has anyone had experience deploying Carbon Black agent for Macs? We are being asked by our security team to perform a pilot. Just wondering if it is actually the same thing as Bit9? Because from reading the thread here it sounds like Bit9 has some issues.

prbsparx
Contributor II

Hi @segan, Yes, I have experience deploying it. I'll send a KB article to Jamf to ask them to post it that includes creating the deployable PKG, the extension attribute, and the smart groups.

I'll try to do the same with Bit9 in the next little while, though you need to be very careful deploying both, as both run into issues in OS X.

bento
New Contributor

@prbsparx that would be immensely helpful.

Harr2804
New Contributor

@prbsparx Yes, that will help a lot since I was tasked to pilot Bit9 as well.

swapple
Contributor III

Does anyone have an EA to detect the installed stuff? Did the install document get made?

prbsparx
Contributor II

Hi everyone, sorry for the delay in posting this. I'm hoping this will help everyone. I'm also planning on posting a much better written version in a blog in the near future (once I get the blog set up properly).

Creating a Jamf Pro deployable Package out of the Bit9 files
Mount the DMG from your security people.
Open Terminal.
Copy the contents of the Bit9 DMG to a folder on your desktop (or anywhere else). Copying "." rather than "*" also picks up the hidden config files the DMG carries:

cd "/Volumes/enter_dmg_mount_path_here"
mkdir -p ~/Desktop/Bit9_files
cp -R . ~/Desktop/Bit9_files/

cd to that folder, and create a single-level ZIP ("$HOME" expands inside double quotes; "~" does not, which is why a quoted "~/Desktop/..." path produces nothing):

cd ~/Desktop/Bit9_files
zip -r -X "$HOME/Desktop/Bit9_installer-version.pkg.zip" .

You can upload this pkg.zip to Casper Suite and it will act exactly like a PKG. (much easier than recompiling too).

Extension Attribute

#!/bin/bash
# Jamf extension attribute: report the installed Bit9 kernel version.
b9_cli="/Applications/Bit9/Tools/b9cli"
if [ -f "$b9_cli" ]; then
    # Take the "Kernel:" line of "b9cli --version" and keep only the version number
    # (the backslashes in the sed groups are required; the forum stripped them).
    b9_version="$("$b9_cli" --version | grep Kernel | sed -e 's/Kernel: *\(.*\) [A-Z]\(.*\)/\1/')"
    echo "<result>${b9_version}</result>"
else
    echo "<result></result>"
fi

You may want to change the second result to "Not Installed" if you want to be able to track computers that have run it but show as not installed.

You can then create smart groups with this by comparing the "Bit9 Version" EA to the version your security people say should be installed.

rpayne
Contributor II

Stupid question. Anytime I'm trying to use the "*" nothing happens. This is the case with both the cp and the zip command. Not sure what I'm doing wrong.

ImAMacGuy
Valued Contributor II

@prbsparx thanks for the info, any chance the EA could display the patch version in addition?
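An added example (not prbsparx's EA, and not Carbon Black's code) that answers the two follow-ups in this thread: it reports "Not Installed" when b9cli is absent, and it returns the patch level alongside the version. The b9cli path is the one used elsewhere in this thread; the "Kernel: <version> Patch <n>" line format is an assumption constructed from the version strings quoted here (e.g. "7.2.3.4000 patch 12"), so compare it with real "b9cli --version" output on a test Mac before relying on it:

```shell
#!/bin/sh
# Added example: Bit9 extension attribute with patch level and "Not Installed".
# ASSUMPTION: "b9cli --version" prints a line like
#   Kernel: 7.2.3.4000 Patch 12
# That format is constructed from the version strings in this thread.

B9CLI="/Applications/Bit9/Tools/b9cli"   # path used elsewhere in this thread

# bit9_version_from_output: reads "b9cli --version" text on stdin and prints
# "<dotted version> patch <n>", or just the version when no patch is shown,
# or "Unknown" when no Kernel line is present.
bit9_version_from_output() {
    line=$(grep -m1 'Kernel:' || true)
    if [ -z "$line" ]; then
        printf '%s\n' "Unknown"
        return 0
    fi
    # first dotted number after "Kernel:"
    ver=$(printf '%s\n' "$line" | sed -n 's/.*Kernel:[^0-9]*\([0-9][0-9.]*[0-9]\).*/\1/p')
    # optional "Patch <n>" / "patch <n>" token
    patch=$(printf '%s\n' "$line" | sed -n 's/.*[Pp]atch *\([0-9][0-9]*\).*/\1/p')
    if [ -n "$patch" ]; then
        printf '%s patch %s\n' "$ver" "$patch"
    else
        printf '%s\n' "$ver"
    fi
}

# bit9_ea_result [path-to-b9cli]: the EA entry point. Prints the Jamf
# <result> element; "Not Installed" lets a smart group target Macs that ran
# the EA but have no agent.
bit9_ea_result() {
    cli="${1:-$B9CLI}"
    if [ -x "$cli" ]; then
        v=$("$cli" --version 2>/dev/null | bit9_version_from_output)
        printf '<result>%s</result>\n' "${v:-Unknown}"
    else
        printf '<result>Not Installed</result>\n'
    fi
}

# As an EA the script simply runs the entry point against the real path.
bit9_ea_result
```

Smart groups can then match the "Bit9 Version" EA against the exact "version patch n" string the security team expects, and a second group on "Not Installed" catches Macs where the agent was removed after a kernel-panic recovery.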

bradtchapman
Valued Contributor II

WARNING - heads up for those of you testing Bit9.

The company is still WAY behind on High Sierra support. If you upgrade to 10.13.2 while Bit9 is installed, or install Bit9 on top of 10.13.2+, your computer will have a kernel panic immediately. On subsequent restarts, the computer will have a kernel panic and you can't even boot in Safe Mode.

The only way to fix this is to boot to Recovery OS, mount your primary boot volume, and remove the b9daemon.kext from /Library/LaunchDaemons.

ImAMacGuy
Valued Contributor II

Security team told me they released a new patch on the 5th or something, looks like patch 8 when I installed it.

wmateo
Contributor

@prbsparx I am looking for a Removal script for bit9 - Can you help?

bradtchapman
Valued Contributor II

@wmateo

There is no way to script this if you updated to macOS 10.13.2 while Bit9 was installed. You have to start the computer in Recovery OS or Single User Mode, mount the disk, and delete /Library/Extensions/b9daemon.kext.

Carbon Black utterly failed here. They should have been testing the betas and advising their customers a lot more proactively.

prbsparx
Contributor II

@wmateo: I believe I do, but I'll have to find it. That being said, as I recall, Bit9 protects itself, so you have to either:
1. Work with your security team to disable the protection from the admin console and THEN uninstall
2. Uninstall from Single User Mode, or Recovery Volume.

If Bit9 caused crashes, @bradtchapman is correct, you have to manually remove it.

pcrandom
Contributor

@wmateo once you remove b9daemon.kext as @bradtchapman indicated, you should be able to log into your Mac as normal and then run the uninstall script that Carbon Black provides in /Applications/Bit9/.

I had issues with both Carbon Black Protect and Carbon Black Response after this week's Security Update 2018-001 for Sierra and El Capitan (High Sierra not in our environment ... yet), and removing the kernel extensions did not get rid of the kernel panics, so I had to remove the LaunchDaemons and the binaries. Below is the list of files I had to remove.

For Response, I deleted:

/Library/Extensions/CbOsxSensorNetmon.kext
/Library/Extensions/CbOsxSensorProcmon.kext
/Library/LaunchDaemons/com.carbonblack.daemon.plist
/Applications/CarbonBlack/CbOsxSensorService

For Protect, I deleted:

/Library/Extensions/b9kernel.kext
/Library/LaunchDaemons/com.bit9.Daemon.plist
/Applications/Bit9/Daemons/b9daemon

I either booted an affected Mac to Target Disk Mode, connected it to a working Mac, and used the Finder to delete the files, or I booted into the Recovery partition and used Terminal to delete them (remembering to target "/Volume/Macintosh HD/" in the commands). After removing those files, the Mac should be able to start up without kernel panicking, and the uninstall scripts for each product still remained, which I then ran in Terminal:

sudo /Applications/CarbonBlack/sensoruninst.sh
sudo /Applications/Bit9/uninstall.sh

This has worked on all but one of the Macs that were affected.
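An added example, not pcrandom's commands or a Carbon Black uninstaller, that turns the file list in the post above into an auditable recovery script. A root argument lets the same script run from the Recovery Terminal against the mounted system volume (for example "/Volumes/Macintosh HD") or on a booted Mac ("/"); it only ever touches the paths listed in the post, it reports before it removes, and removal is gated behind CB_CONFIRM=yes so the listing can be run first without side effects:

```shell
#!/bin/sh
# Added example: audit and (on explicit request) remove the Carbon Black
# Protect/Response files that the post above lists as the cause of the
# kernel panics. Path list copied from the post; nothing else is touched.
# Run as root (or from Recovery) with the system volume as ROOT.

CB_ARTIFACTS='/Library/Extensions/b9kernel.kext
/Library/Extensions/b9daemon.kext
/Library/LaunchDaemons/com.bit9.Daemon.plist
/Applications/Bit9/Daemons/b9daemon
/Library/Extensions/CbOsxSensorNetmon.kext
/Library/Extensions/CbOsxSensorProcmon.kext
/Library/LaunchDaemons/com.carbonblack.daemon.plist
/Applications/CarbonBlack/CbOsxSensorService'

# cb_list_present ROOT: print each listed artifact that exists under ROOT,
# in list order. ROOT="/" for a booted Mac, the mounted volume from Recovery.
cb_list_present() {
    root="${1%/}"
    printf '%s\n' "$CB_ARTIFACTS" | while IFS= read -r p; do
        [ -e "$root$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# cb_count_present ROOT: number of artifacts found; 0 means the volume is
# clean of the listed files.
cb_count_present() {
    cb_list_present "$1" | wc -l | tr -d ' '
}

# cb_remove_present ROOT: delete the artifacts that are present. Kexts are
# bundle directories, hence rm -rf. Refuses unless CB_CONFIRM=yes is set so
# an audit run never deletes anything by accident.
cb_remove_present() {
    root="${1%/}"
    if [ "$CB_CONFIRM" != "yes" ]; then
        echo "refusing to remove: set CB_CONFIRM=yes after reviewing the audit" >&2
        return 2
    fi
    cb_list_present "$root" | while IFS= read -r p; do
        rm -rf "$root$p" && printf 'removed %s\n' "$p"
    done
    return 0
}

# Stand-alone use: audit the root given as the first argument (default "/").
cb_list_present "${1:-/}"
```

Typical use from Recovery is first "sh cb_recover.sh '/Volumes/Macintosh HD'" to see what is present, then the same with CB_CONFIRM=yes. After a normal boot, the vendor uninstall scripts the post names (/Applications/CarbonBlack/sensoruninst.sh and /Applications/Bit9/uninstall.sh) still have to be run to clean up the rest of each product.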

prbsparx
Contributor II

@bradtchapman I think we as a community should also try to inform each other through both Slack and JamfNation.

I always forget to post on JamfNation.

For everyone on here, if you aren't aware already: the MacAdmins Slack (macadmins.slack.com) has a channel dedicated to Carbon Black products: #carbonblack

wmateo
Contributor

@prbsparx @pcrandom

Thanks guys! Yeah, I manually did the above. For CB I didn't have the instructions. The latest macOS security patches for Spectre/Meltdown put machines with Bit9 / CB installed into a kernel panic. What I am trying to do now is proactively remove Bit9 from all my machines before we run SWU.

swapple
Contributor III

Has this gotten any better? Testing the Bit9 notifier on 10.12 - 10.14. Does it output to any logs?

mcrispin
Contributor II

The latest versions of CbProtect (aka Bit9) still cause kernel panics in 10.13.6 and 10.14.3, though somewhat more "gracefully" than in the past. Log output hasn't changed as far as I can tell.

swapple
Contributor III

I haven't found the log files yet. Does the kernel panic happen right after install or does some other condition trigger it? I have it on 10.14.3 and 10.13.6 without a kernel panic (so far). We are installing Bit9 Notifier 7.2.3.4000 patch 12.

LaMantia
New Contributor III

We still use Bit9 today. There was never an app built for us on macOS to provide a UI for employees to unlock using a timed override code. Here is what I came up with and it has been working perfectly. Just save it as an app in the AppleScript editor. Hope it helps.

APPLESCRIPT
set theResponse to display dialog "Enter code: " default answer "" with icon stop buttons {"Cancel", "Continue"} default button "Continue" with hidden answer

-- Clicking "Cancel" makes display dialog raise the user-cancelled error (-128),
-- which an applet swallows, so this check is only reached after "Continue".
set code to button returned of theResponse
if code = "Cancel" then return ""

set textResponse to (text returned of theResponse)

display dialog ("Code is: " & textResponse & ".") buttons {"OK"} default button 1

-- quoted form keeps spaces or shell metacharacters in the typed code from being
-- interpreted by the shell; b9cli receives the code as a single argument.
set results to (do shell script "cd /Applications/Bit9/Tools; ./b9cli -timedoverride " & quoted form of textResponse)

display dialog results
END SCRIPT