Bit 9

In a prior life I asked IT security folks for the threat vectors on Mac that justified YAA (yet another agent) on our boxes. It was to the point where there was Casper, McAfee ePO, McAfee Antivirus, firewall (both app and packet level), remote support etc. I asked them to pick which agent I was to peel off so I could replace it with Bit 9.

Crickets, as expected.

Windows got Bit 9. Nothing else did.

All I can say if it's being forced on you is "good luck." Our security team attempted to force this on us, but during our testing it proved to be so unusable that we were able to push back and block it for good. We got sick of being their de facto beta testers for the production release of their Mac agent.

Basically, every time we encountered an issue, they'd say the version we were using wasn't the official Mac version, even though it was advertised as the official Mac version when we test deployed it. This went on for about 9 months of agent releases where they'd say the only official Mac agent wasn't whatever one it was we were using at the time.

And, their support is absolutely atrocious. This sidenote isn't related to the product, but it took a month's worth of communication for me to be able to access the support portal. The only way they'd send me info for how to access the support portal was via ticket notes, which I obviously couldn't observe since my ticket (submitted initially via email) was about how I couldn't log into the support portal! It was a Kafka-esque experience that I hope to never experience again.

Our company had Bit9 installed on all 900 macs and it caused nothing but problems from Lock ups to terminal commands no longer functioning. After hundred's of complaints we have removed Bit9 from all Macs.

Yeah, and for us, we also experienced ridiculously high CPU utilization and subsequent repeated severe performance degradation.

Thanks for the replies... I'll pass it up the chain. This reminds me of the move from netOctopus to Big Fix at a previous job that came with a contract renewal (Yeah - it will work on all operating systems)... and yes, Big Fix spiked the processors.... and I moved to a contract where I worked with Casper 6... and haven't moved away from Casper...

Another consideration is that dot releases often are not immediately supported by Bit9. That alone is reason enough not to use it since your users may very well brick their own machines when Apple releases a new update.

I really appreciate the feedback above from those of you who have used Bit9 on Macs. We have Bit9 running for thousands of Windows clients, and it is a wonderful tool for blocking malware on Windows. I frequently see cases where viruses appear on systems and are blocked by Bit9, but McAfee does not detect them until 2-3 months later.

That being said, we have a smaller Mac environment, and some of our management would like to install Bit9 there as well. Knowing that others are experiencing issues with Bit9 on Mac will help us to continue to push back in that environment.

Thanks!

That reminds me... at least with Mavericks, the first 10.9 version of the agent wasn't available until the following February, i.e. over 5 months after its release. In the current OS X world of annual release cycles, that's a very long time in my opinion. I don't know how quickly they offered Yosemite support because we had given by then after testing the Mavericks agent for so long and still not getting a stable product.

@sgoetz have a question in reference to the way you guys deployed your bit9 client to 900 macs. I have heard on multiple sites and with experience how cpu heavy this app is but they want to deploy for testing. I am able to just take the app and install it and everything works fine. I have tried to deploy through casper using a bit9 installation created in composer and it doesn't work?

@bjones - The way I packaged bit9 has to do with the fact that the .dmg file had a visible 'Install Bit9 Security Platform.pkg' and two hidden files: config.xml, server.conf in it.

I built my installer with packagemaker - placing the .dmg file into /tmp and running a post flight script:

#!/bin/sh
####################################################
## This is to run Bit 9 install ##
####################################################

####################################################
## Mount Disk Image ##
hdiutil attach /tmp/disabled-freshinstall-mac.dmg

############################################
###Run Bit9 Installer######
sudo installer -pkg /Volumes/Bit9 Agent/Install Bit9 Security Platform.pkg -target /

############################################
###Unmount Installer######      
hdiutil unmount /Volumes/Bit9 Agent/

@Lhsachs Question is there a way to just deploy the 'Install Bit9 Security Platform.pkg

@bjones Unfortunately installing just the "Install Bit9 Security Platform.pkg" doesn't include the server info and settings. So you will have Bit9 installed, but not configured, so it won't talk to your Bit9 servers.

In my testing the best way to install was the method that @Lhsachs used. Cache the dmg, and then mount it and run the installer via postflight script. I think there are ways to mount the dmg so it doesn't show up via -shadow, I would take a look at how the adobe installer scripts run for ways to do that.

Thanks @Lhsachs and @benbass that seemed to work pretty well the last question i have is when the installer ran i got this message.
installer: Cannot install on volume / because it is disabled.
installer: The Bit9 Platform is not supported on major versions of OS X beyond 10.9

I am running this on 10.11 .. has anyone installed this on that OS X version ?

Hi @bjones . I think that they might have 10.10.5 certified, but I haven't checked recently. We had an SLA of 60 days on minor OS versions, and 90 days on major. Which pretty much means the latest version is only certified after the OS stops receiving updates.

@bjones did you ever run this on 10.11 successfully? I am having a few issues with 10.11.4 where it freezes the machine and goes into a kernel panic

Hi guys, for those of you trying to deploy this:
1) Make sure to use a package that is in disabled enforcement mode.
2) You can create an easily deployable pkg by creating a .pkg.zip file for Casper Suite similar to the Adobe Production Premium CS6 method. The easiest way to do this is by running the following command:

cd /Volumes/Bit9 Agent
zip -r -X ~/Desktop/Bit9-v7.2.3.9204.zip *

This will create a ZIP file that contains all of the files that were in the DMG.
Casper Suite can deploy this format natively.

NOTE: Bit9 is not well designed for macs. 7.2.3 Patch 2 causes macOS Sierra to kernel panic. Supposedly 7.2.3 Patch 3 fixes this, though I have not confirmed this yet. This should really only be run on high priority targets... XProtect+Quarantine do pretty much the same thing Bit9 does but natively and in a more efficient way.
Carbon Black is a little more friendly...

If you need help with this, ping me on the MacAdmins Slack. (@prbsparx)

Hi,

Has anyone had experience deploying Carbon Black agent for Macs? We are being asked by our security team to perform a pilot. Just wondering if it is actually the same thing as Bit9? Because from reading the thread here it sounds like Bit9 has some issues.

Hi @segan, Yes, I have experience deploying it. I'll send a KB article to Jamf to ask them to post it that includes creating the deployable PKG, the extension attribute, and the smart groups.

I'll try to do the same with Bit9 in the next little while, though you need to be very careful deploying both, as both run into issues in OS X.

@prbsparx that would be immensely helpful.

@prbsparx Yes that will help a lot since I was task to pilot Bit9 as well.

Does anyone have an EA to detect the installed stuff? Did the install document get made?

Hi everyone, sorry for the delay in posting this. I'm hoping this will help everyone. I'm also planning on posting a much better written version in a blog in the near future (once I get the blog setup properly).

Creating a Jamf Pro deployable Package out of the Bit9 files
Mount the DMG from your security people.
Open Terminal.
copy the contents of the Bit9 DMG to a folder on your desktop (or anywhere else)

cd /Volumes/enter_dmg_mount_path_here
cp * ~/Desktop/Bit9_files

cd to that folder, and create a single-level ZIP:

cd ~/Desktop/Bit9_files
zip -r "~/Desktop/Bit9_installer-version.pkg.zip" *

You can upload this pkg.zip to Casper Suite and it will act exactly like a PKG. (much easier than recompiling too).

Extension Attribute

#!/bin/bash
b9_cli="/Applications/Bit9/Tools/b9cli"
if [ -f "$b9_cli" ]; then
    b9_version="$($b9_cli --version | grep Kernel | sed -e 's/Kernel: *(.*) [A-Z](.*)/1/')"
    echo "<result>${b9_version}</result>"
else
    echo "<result></result>"
fi

You may want to change the second result to "Not Installed" if you want to be able to track computers that have run it but show as not installed.

You can then create smart groups with this by comparing the "Bit9 Version" EA to the version your security people say should be installed.

Stupid question. Anytime I'm trying to use the "*" nothing happens. This is the case with both the cp and the zip command. Not sure what I'm doing wrong.

@prbsparx thanks for the info, any chance the EA could display the patch version in addition?