Carbon Black Kernel Panic

bbracey
New Contributor III

Has anyone found a fix for the Bit9 (Carbon Black Protect) or Carbon Black Response kernel panic? This was caused by having CB installed and installing the Security Update 2018-001.

7 REPLIES

jvsuqui
New Contributor II

Please upgrade your Carbon Black sensor to the latest version 6.1.3.80124. This version seems to be stable even on 10.13.4 Beta. I've tested the agent on 10.11.6, 10.12.6, 10.13.3 and 10.13.4 (Beta) with all the Apple Security updates installed. Older agents must be removed first before proceeding with new installation.

Carbon Black has a built-in removal uninstaller script:
/Applications/CarbonBlack/sensoruninst.sh

MTFIDjamf
Contributor II

@bbracey In our initial testing, CB version 6.1.3 resolves this. However, any prior version of CB on the device has to be removed before 6.1.3 is installed. If you do an upgrade in place to this newer version, CB will still cause kernel panics with 2018-001.

Workflow:
Single policy removes CB version *old and then installs 6.1.3.
Once 6.1.3 is installed the devices fall into a smart group looking for that version.
Security 2018-001 is scoped against that smart group so it installs once 6.1.3 is in place.
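
An added example of the version gate this workflow relies on (not part of the original posts, and not Carbon Black or Jamf code): it classifies a Mac as needing a fresh install, a remove-then-install, or as ready for the security update. The version number and uninstaller path come from the thread; the `VERSION_PLIST` location, the action names and the `--apply` flag are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Carbon Black or Jamf code): decide what a policy should do
# with the sensor before Security Update 2018-001 is allowed onto the Mac.
FIXED_VERSION="6.1.3.80124"                              # build named in the thread
UNINSTALLER="/Applications/CarbonBlack/sensoruninst.sh"  # path named in the thread
# ASSUMPTION: placeholder for wherever your sensor build records its version.
VERSION_PLIST="/Applications/CarbonBlack/PLACEHOLDER.app/Contents/Info.plist"

# version_lt A B: succeed when dotted numeric version A is strictly older than B.
version_lt() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        if [ "$_a" = "$_x" ]; then _a=""; else _a=${_a#*.}; fi
        if [ "$_b" = "$_y" ]; then _b=""; else _b=${_b#*.}; fi
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 1
    done
    return 1
}

# cb_action VERSION: print the step to take for the installed sensor version.
cb_action() {
    case $1 in
        "") echo "install" ;;                             # no sensor on the machine
        *[!0-9.]*|.*|*.|*..*) echo "clean-reinstall" ;;   # unreadable: treat as old
        *)  if version_lt "$1" "$FIXED_VERSION"; then
                echo "clean-reinstall"                    # remove first, then install
            else
                echo "ready-for-update"                   # safe to scope the update
            fi ;;
    esac
}

# installed_version: print the sensor version, "unknown" if present but unreadable.
installed_version() {
    _v=$(defaults read "$VERSION_PLIST" CFBundleShortVersionString 2>/dev/null) || _v=""
    if [ -z "$_v" ] && [ -e "$UNINSTALLER" ]; then _v="unknown"; fi
    echo "$_v"
}

action=$(cb_action "$(installed_version)")
echo "Carbon Black sensor: $action"
# Dry run by default; --apply runs the vendor uninstaller before the new install.
if [ "$action" = "clean-reinstall" ] && [ "${1:-}" = "--apply" ] && [ -x "$UNINSTALLER" ]; then
    "$UNINSTALLER"
fi
```

A version check cannot tell a clean install from an in-place upgrade, so `ready-for-update` is only trustworthy if every upgrade to the fixed build goes through the remove-then-install path.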

steve_summers
Contributor II

You have to either remove the CB Sensor in safe mode, or install a version compatible with the Security Update. If you have a machine experiencing the issue, boot to safe mode, then run the uninstaller.

I got in touch with one of our security guys and they passed along a version of Carbon Black that was compatible, a recent release. We've not rolled it out yet but I put it on a test machine with 10.13.1 and was successfully able to upgrade to 10.13.3 with no issues.

Hope that helps.

jwojda
Valued Contributor II

There's a new version of CB/Bit9, and you can remediate by deleting the b9kernel.kext.

See this discussion too.

delestor
New Contributor II

The above worked well for us. Just don't forget the quotes around cd in Step 5, otherwise it will not work as is.

ericbenfer
Contributor II

InfoSec leaders often mandate the use of 3rd party security agents on macOS.
It is important to regularly audit the effectiveness of each security agent.
In other words, ask the team(s) responsible for each security agent to provide a monthly report for Mac systems.
What has the security agent caught or prevented? This info can help build a valid argument against using multiple 3rd party security agents.

Eric

Kallendal
New Contributor III

Had this same issue. Uninstall worked well. Easy enough to roll out again once it is fixed up.