Silent install issue with Fireeye HX agent v33.51.0

wausband
New Contributor

Last week our cyber security team provided us the newest Fireeye client for Mac OS 11.

Installing via Jamf Pro Cloud pkg is causing a dialog for the user to consent to the P2BNL68L2C.com.fireeye.helper system extension.  It's the same dialog on a standard install.

We've testing out the initial app install and get an install prompt that requires manual intervention. Even added P2BNL68L2C.com.fireeye.helper to system extensions, approved kernel extensions to see what would happen: Intervention was still required. We’ve been pretty liberal with the PPPCs and have had the prior kext which doesn’t appear to be used in Big Sur both included and not.

When reaching out to Fireeye support they initially offered assistance after a few emails gave a blanket "Silent uninstallation with MDM solutions is not currently supported on macOS 11.".  They plan on adding support in future releases.

Prior versions of the Fireeye Client for Mac OS packaged and performed silent installs without issue and we're hoping someone here has seen and figured a work around.

thanks in advance.

Bill

 

33 REPLIES 33

Phantom5
Contributor II

So far we are deploying FireEye HX agent 33.46 on 1600 Macs in Big Sur with no problems. We make sure any PPPC or Extension approval profiles are deployed before the agent is installed.

pueo
Contributor II

Hello 

@Phantom5 Are you able to provide what you profile looks like for PPPC and Extension Approval?  We just received the 33.51.0 installer.  We pushed out to my Mac and I received the pop up.  The System extension we used for v32 does not appear to work (the profile was already in my device).  Many thanks

pueo
Contributor II

Did you ever get this resolved?  I am having the same issue while upgrading from 32 to 33.51.0. The new FireEye Helper is causing a System Extension pop up.

pueo
Contributor II

Hey Folks,

 

I have resolved our issue of receiving the System Extension "content" block and also the FireEye Network Filter pop up.  After many hours of research, testing and a phone call to FireEye I finally have the ingredients to silently upgrade/install version 33.51.10 to Big Sur.


**Note - we do not use BitDefender

** These are not  all of my notes**. 

I also left my previous PPPC profile on which allowed Full Disk Access to xagt.  Which basically included every service.  It does not hurt to have more than you needed.  You can also check with your CSIRT team to see what they needed scanned.

 

System Extension Whitelisting
System Extension Whitelisting is only applicable to xagt v33.51 and greater
pueo_0-1628630659767.jpeg

 

The Team ID for FireEye as of writing is P2BNL68L2C.
You can get this ID from drawing the FE client into PPPC Utility. It will reveal the code and Team ID, which then you can use for deployment.
To whitelist this we need to create a configuration profile. The specific extension name for the xagt that should be whitelisted is com.fireeye.system-extension
 
pueo_1-1628630680617.jpeg
 
 
 
Malware Detection
 
For malware detection FireEye leverages Bitdefender’s AV engine which has its own System Extension. This must be whitlisted also or users will get the below prompt:
 
pueo_2-1628630697606.jpeg

 

The team ID for Bitdefender is GUNFMW623Y and the whitelisting is similar to before but should allow all Driver Extensions, Endpoint Security Extensions and Network Extensions.
 
Socket Filter Whitelisting
System Extension Whitelisting is only applicable to xagt v33.51 and greater
From MacOS Big Sur onwards there is a requirement for the agent to have a network socket filter. Upon installation the agent will trigger this prompt to the user:
 
 
pueo_3-1628630697606.jpeg

 

 
The entries are as follows:
 
SettingValue
Filter NameFireEye Helper
IdentifierP2BNL68L2C.com.fireeye.helper
Filter OrderFirewall
Socket Filter Bundle Identifiercom.fireeye.system-extension
Socket Filter Designated Requirementsidentifier "com.fireeye.system-extension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P2BNL68L2C
  
FilterSocketsTrue

 

Great write-up... Thank you!

mlarsen
New Contributor III

This is a really useful write up and thank you for that. I do have one question. I go to add the Socket Filter Whitelisting and all the fields you identified are there, with the exception of FilterSockets. I'm entering it in the payload for Content Filtering in the configuration profile, but perhaps I'm supposed to be entering it elsewhere.

 

Again, thanks so much.

pueo
Contributor II
Hello Mlarsen
Glad the write up helped.
You need to add the entry under Custom Data
 
You add the FilterSockets under Key then add True under Value.
 
Good luck,
Cheers

mlarsen
New Contributor III

Hi Pueo,

Got it, and thanks so much again.

Brett_Cox
New Contributor III

@pueo - Many thanks.  I can't imagine how many hours this saved me nor do I want to think about how long you had to work to get this all working correctly.  

This is the first time I have had to specifically call out a system extension by name in order for it to be approved.  Typically approving by team identifier has been enough for me.  

No problem.  There is more. After more than a few emails to FE they eventually gave me updated documentation with the exact procedure a MDM Admin needs to follow in order to successfully deploy FireEye v33.51.0.
One of the bigger changes was adding more settings to the PPPC (whitelist) setting. The previous documentation only had ALLsystemfiles but they now suggest to have quite a few more.  They also provide screen shots for Whitelisting and setting up Malware detection. 
Upgrading FE is easy. Push out profiles, push out HX client (we are using HX Console for agent.  Anyways if you need the pdf there must be away I can send it to you.

 

p.

mlarsen
New Contributor III

Hi @pueo 

Can you tell me the name of the PDF you got from FireEye/Mandiant so I can try to get it from support, or put it up in a place I can grab it? Unfortunately, when I try to distribute the config profile, I get the error "The ‘VPN Service’ payload could not be installed. The VPN service could not be created." so I want to verify that I'm setting it up correctly.

Thanks,

Michael

pueo
Contributor II

Sorry for the delay Michael.  Sent to you private messages.

 

ash

mlarsen
New Contributor III

Got it going! Thanks for all your help!

johnsz_tu
New Contributor III

@pueo  / @mlarsen 

Any chance I could grab a copy of that PDF as well? 

I'm trying to deploy the same version of FireEye and am running into similar issues with building my profiles. 

Thanks 🙂 

johnsz_tu
New Contributor III

I'm struggling with the System Extension approval popup and PPPC Payload but FireEye support claim they have no resources on this to help and that it's up to me to figure out... 

If someone could post their PPPC payload for xagt that would help greatly or If anyone happens to have a copy of the MDM deployment PDF that @pueo was sent from FireEye i would be forever in your debt if you could send it to me as well. 

The FireEye docs talk about packaging and installing it, but nothing about getting it to silently install/upgrade. 

 

 

mlarsen
New Contributor III

Hi @johnsz_tu - I apologize for not responding sooner. I never did get the PDF. I did find a a page on the FireEye community which gave me the details I needed though. The page is here - https://community.fireeye.com/CustomerCommunity/s/article/000003689

pueo
Contributor II

@mlarson  Sorry I didn't follow up with documentation.  

Do the attachments I just added to the post resolve your issue?

Cheers,

 

mlarsen
New Contributor III

Hi @pueo, The screenshots look good and I was able to get it resolved from the FireEye community page I linked to earlier. Thanks again for all the help you've provided.

Hello.  Sorry for the delay in replying.  I am happy to help with screen shots to get you moving along with your FE deployment. The first two screen shots are taken from the Documentation.  The differences between the previous FE installer and the current one (33.51) is you now need a Content Filter.

Again, apologies for the tardiness. 

Cheers.

Our Profiles.

 

Screen Shot 2021-10-27 at 12.58.04 PM.png

 System Extension

Screen Shot 2021-10-27 at 12.58.55 PM.png

Content Filter.

Screen Shot 2021-10-27 at 12.59.04 PM.png

FE Documentation

Screen Shot 2021-08-13 at 11.20.13 AM.png

Screen Shot 2021-08-13 at 11.19.48 AM.png

johnsz_tu
New Contributor III

@pueo Thank you so much!!

That will help so much. 

I managed to get through the System Extension dialog yesterday, and have started battling with the Popup for the Network Filter

Going to try to build based on the screenshots above today

Really appreciate it 🙂 

cc_rider
New Contributor III

Hi @pueo ,

We've been trying to get this upgrade to v.33.51.1 for more than a month and it's still failing for us...Engaged some FireEye tech for this issue and he sent the same guide that you provided the screenshots from, but it doesn't seem to go through the installation, failing somewhere while running the xagtSetup (see below):

"Installing FireEyewPostinstall v.33.51.1 PROD.pkg...
                Successfully installed FireEyewPostinstall v.33.51.1 PROD.pkg.
                Running script FireeyePostinstall v.33.51.1...
                Script exit code: 1
                Script result: installer: Package name is FireEye Agent
                installer: Installing at base path /
                installer: The install failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “xagtSetup_33.51.1.pkg”.)
                Error running script: return code was 1."

Again, I've already created the required Config Profiles as per the FireEye guide, still No Bueno! 😞

Any ideas?

 

Thanks,

CC

pueo
Contributor II

Hello

**Sorry for the double reply. A few lost screens a re write and I can't figure out how to remove a old post**

-

We keep our FE Agent very basic when it comes to deployment.

For new machines Jamf will install the repackaged client using the following post install script (we use DEPNotify for deployments):

#!/bin/sh
## postinstall

sudo installer -pkg /private/tmp/FireEyeAgent/xagtSetup_33.51.0.pkg -target /
sudo rm -r /private/tmp/FireEyeAgent

--

After this, once the agent checks in with HX the agent will receive any other configurations it needs.  Keep it simple

I packaged this small script using Composer. It took many attempts to get it working.

Things to try

  • Test script locally
  • Remove spaces from pkg name
  • check jamf and install.log files.

As a reminder: Think locally first..:-)

a.

cc_rider
New Contributor III

Hi @pueo,

Thanks for the suggestions. And, you are right, the best test is to try it locally, which I've already done that...I've got the .dmg copied locally and tried to go through the normal installation, but it failed at the end. So, I'm not sure if I'm doing something wrong or if this package received from FireEye has some problems with it.

Thanks,

CC

pueo
Contributor II

Try using a pkg instead. I rarely if ever use a DMG.  

pueo
Contributor II

If the agent does not install just from double clicking the package on a local Mac, then you may have a damaged agent.

cc_rider
New Contributor III

Actually, the .dmg has the package and JSON files, when I double-clicked it. I ran the pkg and got the Failed message right at the end.

pueo
Contributor II

Sounds like a damaged pkg file. Maybe try on one more machine.  I drag both the json and the pkg file to the /private/tmp/FireEyeAgent folder (I created the FireEyeAgent folder). Then package it up with the post install script.

cc_rider
New Contributor III

Yeah, I've tried that too initially...directly from the /private/tmp/FireEyeAgent folder...No dice either! 😞

pueo
Contributor II

Hello @cc_rider

I can't see the contents of your package or any scripts. So I have posted what I did and I works for us.

For new/reimaged Macs we deploy the FE Agent as part of our DEP Notify script.  This is not important.

My post install script for FE is posted below:

--

#!/bin/sh
## postinstall

sudo installer -pkg /private/tmp/FireEyeAgent/xagtSetup_33.51.0.pkg -target /
sudo rm -r /private/tmp/FireEyeAgent

--

I packaged this small script using Composer. It took many attempts to get it working.

Does you script work locally?  You should be able to run it locally after moving the pkg into whatever directory it loads from.

Remove spaces from you pkg file or use _ or - to join words.  This will help simplify things and help trouble shooting. maybe use one name like FEAgent.pkg, test then build up from there.

check jamf.log and install.log.

Test locally..then jamf..

Good luck!

Cheers,

a.

cc_rider
New Contributor III

Hi @pueo ,

Sorry for the long wait before my reply, but our peeps in charged to manage the FireEye appliance had to upgrade it to a newer version, therefore that's why I had to put on hold the testing...Anyways, I just received the v.34.28.1 to test with, but I need to make sure now that I'm following the correct path. 🙂

Could you please tell me how are you doing with upgrading from a lower version to v.34.28.1? Previously, we have been using a script to remove ALL the necessary files/folders/entries before you install the new version...From FireEye tech, I've got this instruction:

"please make sure that the customer correctly removed the system extension and rebooted the mac. The correct command to remove everything is to add the remove helper switch: sudo /Library/FireEye/xagt/uninstall.tool --remove-helper
After running this command and rebooting, the customer should install version 34.28.1 and allow the FireEye and Bitdefender kernel extensions."

Is it going to be enough that "uninstall.tool" with the switch like that?

 

Thanks,

 

CC

mlitton
New Contributor II

Questions about the configuration profile. Kext whitelisting will fail on Apple Silicon. Should I have two configurations profiles one with Kext for Intel and another without Kext for AS? Or just the one and just let the Kext fail?

pueo
Contributor II

@mlitton Kernel Extensions are a thing of the past now, so I guess you are running a macOS less than Catalina?  Create two Profiles, one for System Extension and one for Kernel Extension and scope to the appropriate macOS.  It does not hurt having both profiles on each machine but can add confusion.

Thanks @pueo for sharing your findings on this FireEye HX/xagt release and config screens (just love those vendors hiding important info behind their support portals).

Adding to your reply to @mlitton question... agree w/ creating two profiles for Kext (Intel) and SysExt (ARM), but probably best to exclude each config profile scopes via smart groups for "Architecture type" is/not "arm" or is/not "x86_64"? Otherwise, you're potentially generating extra log chatter and performance overhead for failed installs.