CarbonBlack (6.0.4.70328) makes macOS High Sierra 10.13.2 fail

ekkehard
Contributor

It appears that an installation of CarbonBlack (6.0.4.70328) crashes macOS High Sierra 10.13.2 and systems that are running CarbonBlack (6.0.4.70328) will not boot after an upgrade to macOS High Sierra 10.13.2.

Removing CarbonBlack appears to heal all wounds.

1 ACCEPTED SOLUTION

ekkehard
Contributor

Best way to fix this is to uninstall CarbonBlack by booting into the recovery partion chroot to the startup volume and run the CarbonBlack uninstall script:

chroot /Volumes/[BootVolumeName] sh /Applications/CarbonBlack/sensoruninst.sh

Note: CarbonBlack (6.1.2.71112) fixes the kernel panic issue but will basically turn of CarbonBlack for macOS High Sierra 10.13.2 machines.

View solution in original post

9 REPLIES 9

PeterG
Contributor II

Carbon Black tech support sent a message to all their customers when the 10.13.2 beta was released.

This message was sent to allow IT departments to prepare for the general release of 10.13.2.
Many companies are disabling any 'Auto Update' policies, blocking the update and removing the installers if they have already downloaded to the client computers.

[Cb Response] Important Notice Related to MacOS 10.13.2 Beta November 7, 2017 - 3:39PM Hi All, MacOS 10.13.2 Beta was released to developers yesterday. In this release, Apple has made some kernel changes that are not compatible with all versions of the Cb Response MacOS sensor. Based on internal testing, if you update to 10.13.2 Beta with the Cb Response MacOS sensor installed, you will experience a kernel panic on boot. In order to make affected machines usable again, you will need to boot into Safe Mode on each affected machine, remove the Cb Response kexts manually, and then restart. Please do not upgrade to MacOS 10.13.2 Beta on any system with Cb Response installed until we provide a sensor version that officially supports this new OS version. Please follow this post for updates and additional details. If you have any questions, please post back here or contact Cb Technical Support. Thanks, The Cb Response Team

Carbon Black released their 6.1.2-osx sensor on 11/20 and their 5.2.12-osx sensor on 12/4. These sensors have a safeguard to prevent a KP from occurring if macOS 10.13.2 is installed. Support for 10.13.2 will be provided in a upcoming maintenance release.

If you have a computer that is experiencing this problem, you will need to boot into Safe Mode on each affected machine, remove the Cb Response kexts manually, and then restart.

EUC600
New Contributor III

We are having this exact problem today. Where are the kexts located? I've checked in /System/Library/Extensions and also /Library/Extensions but I don't notice anything that stands out as being related to Carbon Black.

BrandonKurtz
New Contributor

@DakotaS96 We did sudo rm -rf /Library/Extensions/Cb* from Safemode and that solved it.

PeterG
Contributor II

Thanks @BrandonKurtz for the post.

I would urge anyone experiencing the issue, or customers of Carbon Black, to participate in the Carbon Black User Exchange. The specific thread on this, which I quoted above) it this one. You need to register to see some of the documents.

Also, you can contact Contact Carbon Black technical support for additional assistance.

cwaldrip
Valued Contributor

My office hasn't deployed CB yet as we continue to see random kernel panics on pre-10.13 machines. We can't afford to have an edit machine go down with a kernel panic which rushing to edit video for broadcast. Luckily we're working closely with the developers, but progress is slow. Nice to know we can do their debugging for them.

Hey Bob, let's make our security software a kernel extension. It'll catch more bad guys that way. But Phil, if there's even a slight bug in our app it'll crash the entire computer! Don't worry about that Bob, it's a feature. If they can't use the computer it can't be infected by bad guys!

ekkehard
Contributor

Best way to fix this is to uninstall CarbonBlack by booting into the recovery partion chroot to the startup volume and run the CarbonBlack uninstall script:

chroot /Volumes/[BootVolumeName] sh /Applications/CarbonBlack/sensoruninst.sh

Note: CarbonBlack (6.1.2.71112) fixes the kernel panic issue but will basically turn of CarbonBlack for macOS High Sierra 10.13.2 machines.

View solution in original post

jlukemeador
New Contributor

I am unable to getekkehard to work. Please advise as I am a novice.

My Hard Drive name is HD 750

In the terminal:

chroot /Volumes/[Boot"HD 750"]

Is that correct?

osxadmin
Contributor II

@jlukemeador don't use brackets, use quotations do this: chroot /Volumes/"HD 750"

bjones
New Contributor III

Just wanted to provide an update and let everyone know Carbon has released version 6.1.3 which addresses the latest Kernel Panic Issues.

This sensor release provides support for macOS 10.11.6 (El Capitan) and 10.12.6 (Sierra) security updates 2018-001, support for macOS 10.13.2 and 10.13.3 High Sierra, bug fixes, and performance improvements.