Issue
When trying to reinstall the sensor on a new macOS endpoint the installer fails with the following errors:
Post install logs errors:
03/22/22 13:29:59 [ERROR] 2494cb failed to uninstall system extension
03/22/22 13:29:59 [INFO] 2494cb program terminated with error code: 4096
Note: To generate the logs during installation use the command line commands to install the sensor.
macOS Command Line Install Examples
Environment
VMware Carbon Black Cloud
macOS
Resolution
This is the optimal solution using scripts that do not require SIP to be disabled. The scripts can be found at the bottom of this article.
-
- Download and extract the "VMware CBC Mitigation bundle.zip" to only the affected endpoints.
Note: Running this tool on a healthy endpoint is not intended and will result in undefined behavior. - As a root user, execute the driver_remediation.sh script. If a clean uninstall of the endpoint is desired, run with the -u/--uninstall flag. Otherwise, default behavior is to clean up the old system extension to allow for a sensor upgrade to take place afterwards.
- The script will unload the old system extension. Due to OS requirements, there may be a popup requesting user permission for the unload. User credentials should be inputted, and the script will continue.
- After a successful execution of the script, the old system extension will be in the "Terminated waiting to uninstall on reboot" state. A reboot is not required, and sensor upgrade or uninstall can immediately be re-attempted.
- Download and extract the "VMware CBC Mitigation bundle.zip" to only the affected endpoints.
If the above does not work, please follow the steps below:
1. Verify that a system extension for Carbon Black is active:
sudo Systemextensionsctl list
2. If a system extension is present for com.vmware.carbonblack.cloud.se-agent.extension, move to step 3 otherwise proceed to step 7.
3. Disable System Integrity Protection (SIP) from recovery mode to allow the system extension to be removed. Refer to Disabling and enabling system integrity protection for the steps.
4. Once you have disabled SIP reboot to normal mode and sign in.
5. Check if the system extension for com.vmware.carbonblack.cloud.se-agent.extension is still active:
sudo Systemextensionsctl list | grep carbonblack
6. Manually uninstall the system extension from the device:
sudo systemextensionsctl uninstall <enter your company code here> com.vmware.carbonblack.cloud.se-agent.extension
Note: your company code or installation code does not need <>.
7. Verify that the system extension is disabled and waiting for a reboot:
sudo Systemextensionsctl list | grep carbonblack
8. Reboot the device.
9. Run the Sensor installer, the sensor should install without any other issues. If you encounter any problems please open a support ticket with Red Canary.
10. Re-enable the System Integrity Protection (SIP) by following the steps from Disabling and enabling system integrity protection
Reference: Carbon Black Cloud: Unable to upgrade or install due to existing system extension (macOS)
Cause
Previous system extension is still active in the environment.