Darktrace Endpoint cSensor For macOS Configuration Guide

The Darktrace/Endpoint cSensor for macOS configuration guide provides detailed instructions for installing and configuring the Darktrace cSensor agent on macOS devices, including preinstallation requirements and methods for deployment via MDM or CLI. It outlines the differences between cSensor and other Darktrace sensors, as well as the necessary system extensions and configuration profiles needed for successful installation. The guide also includes technical specifications, supported operating systems, and installation scripts for various deployment methods.

DARKTRACE/ENDPOINT CSENSOR FOR MACOS CONFIGURATION GUIDE


Darktrace/Endpoint cSensor for macOS 1.5.12

Last Updated: November 29 2022


DARKTRACE/ENDPOINT CSENSOR FOR MACOS CONFIGURATION GUIDE 2

DARKTRACE/ENDPOINT CSENSOR FOR MACOS CONFIGURATION GUIDE
Darktrace/Endpoint cSensor for macOS 1.5.12

Darktrace DETECT & RESPOND/Endpoint 3

Comparing Darktrace Virtual Sensors 4

Requirements and Supported Platforms 5

Darktrace/Endpoint Mac agent (cSensor) Preinstallation Requirements 6

Creating a Profile to Pre-Approve the cSensor macOS System Extension 7

Guidance on Installing the Darktrace/Endpoint Mac agent (cSensor) via MDM 9

Installing the Darktrace/Endpoint Mac agent (cSensor) via CLI 11

Installing the Darktrace/Endpoint Mac agent (cSensor) via the Installer 13

Enabling Darktrace RESPOND/Endpoint 15

Frequently Asked Questions 17

Appendix: Example macOS Profile for System Extension Pre-Approval 20



DARKTRACE DETECT & RESPOND/ENDPOINT

Introduction
Darktrace DETECT & RESPOND/Endpoint extends the visibility of the Darktrace Cyber AI Platform to remote devices.
Coverage is provided via Darktrace “cSensor” agents installed directly on the endpoint to monitor and control network
activity. These agents deliver key data and metadata to the central Darktrace deployment; remote devices are then
surfaced alongside devices in on-premises datacenters, SaaS user behavior and insights from email traffic.

How it Works
The Darktrace cSensor is provided as an installation package for Windows, macOS or Linux endpoint devices. During
installation, the agent is supplied with unique credentials that allow it to communicate securely with the cloud-based
cSensor infrastructure.

Once installed on the endpoint device, the cSensor analyzes network traffic sent and received on any network interface and
communicates this information to your Darktrace environment via the cloud-based infrastructure. A combination of on-
endpoint Deep Packet Inspection analysis - forwarding just relevant metadata to minimize bandwidth consumption - and
cloud-based processing is performed. All data is transmitted securely over an encrypted communication mode using
authentication details unique to your Darktrace environment.

Darktrace RESPOND/Endpoint
Darktrace RESPOND/Endpoint brings award-winning autonomous response capability to the endpoint, enabling AI to take
targeted, autonomous actions through Darktrace cSensor agents. Darktrace RESPOND can control network traffic to
restrict anomalous connectivity at the system-level, even on remote devices.

Devices monitored by cSensors are eligible for Darktrace RESPOND/Endpoint actions if they are licensed, in a Darktrace
RESPOND/Endpoint-enabled group (5.2+), and possess one or more of the Darktrace RESPOND (Antigena) tags.

COMPARING DARKTRACE VIRTUAL SENSORS

When selecting whether the cSensor is the appropriate type of the sensor for a remote device in your environment, it is
important to understand the advantages and disadvantages of each potential deployment option. Darktrace offers three
virtual sensors: cSensor, osSensor and vSensor.

If you are unsure whether the cSensor is appropriate for your implementation, the following comparisons with other
Darktrace sensors cover the suitability and strengths of each sensor.

cSensors vs osSensors

The Darktrace cSensor and the osSensor are both host-based agents. However, the osSensor performs no on-host Deep
Packet Inspection - all traffic is duplicated to a local vSensor for processing and analysis - and cannot be deployed
standalone. This deployment scenario is unsuitable for remote workers as traffic is unencrypted - a vSensor is required to
securely communicate over untrusted networks - and forwarding all traffic may have bandwidth implications.

The cSensor instead communicates via a secure connection to Darktrace cloud-based infrastructure, making it suitable for
remote devices. Bandwidth consumption by the cSensor is restricted by combining on-endpoint DPI, so that only processed
metadata is transmitted, with some cloud-based processing.

The most suitable host-based sensor will differ depending on the deployment scenario and the network device for
monitoring. Hypervisor and Cloud VMs will generally be better served by osSensors. The osSensor is available for a larger
range of operating systems than the cSensor and can be deployed in containerized environments.

cSensors vs vSensors

The Darktrace vSensor is a lightweight virtual probe intended for deployment in cloud-based networks or environments
where it is not feasible to deploy a physical probe, such as virtualized networks. vSensors can be deployed as a standalone
virtual machine receiving packets from a virtual switch, in a public cloud VPC traffic-mirroring scenario, or by collecting
packets from osSensor agents deployed on VMs to be monitored.

The cSensor is suitable for remote workers or tiny offices where traffic mirroring is not viable, and can also potentially see
East/West traffic that may not be reaching existing mirroring locations. It can be installed on host machines via existing
device management systems and is much lighter for host-utilization. Compared to the vSensor, the cSensor performs
slightly less Deep Packet Inspection overall.

Conversely, vSensors can ingest and process physical network traffic in addition to virtualized with additional configuration,
providing monitoring for devices that cannot support a cSensor such as printers and videoconferencing systems. In
general, vSensors serve a different device profile than those best suited to a cSensor deployment.

REQUIREMENTS AND SUPPORTED PLATFORMS

Requirements
• A Darktrace deployment running Darktrace Threat Visualizer 5.2 or above.

• The device monitored with the cSensor must be able to contact the cSensor infrastructure over HTTPS/443 for
network traffic monitoring.

• For physical (hardware) Darktrace deployments, the master appliance must be able to contact the cSensor
infrastructure over HTTPS/443.

For virtualized Darktrace deployments, communication with the cSensor infrastructure is handled by Darktrace
operations.

Supported Operating Systems

OS         VERSIONS / DISTRIBUTIONS

Windows    Windows 365, 11, 10, 8.1; Windows Server 2022, 2019, 2016 and 2012R2

macOS      macOS 11, macOS 12, macOS 13

Linux¹     Ubuntu 18.04+; RHEL/CentOS 7+; Debian 9+; openSUSE 15.0+/SUSE Linux Enterprise 12.4+; Fedora (maintained versions)

¹ The cSensor is expected to be compatible with most Linux-based distributions with a kernel version >= 4.6; therefore,
the package may be effective on distributions outside those explicitly listed above. The only supported architecture is
x86_64.

Host Utilization Requirements

• Bandwidth utilization is minimal, averaging <1kB/s.

• Negligible CPU impact, <30MB RAM usage

• Installation Packages: macOS <30MB, Linux (all formats) <30MB, Windows <10MB

• Up to 30MB disk required.



DARKTRACE/ENDPOINT MAC AGENT (CSENSOR) PREINSTALLATION REQUIREMENTS

Darktrace/Endpoint System Extension


The Darktrace/Endpoint agent for macOS has an additional installation requirement not present for Windows or Linux.

For macOS cSensor v1.2.# and above, increased functionality required the addition of a system extension. From 1.5.12 and
above, this system extension must be deployed as part of the install process by default. This is applicable to new
installations and installations upgrading from versions prior to 1.5.12.

When a system extension is enabled on macOS devices, the user will be prompted to enter administrator credentials. This
can be prevented where an MDM is present by pre-approving the extension using a profile.

Deploying a Configuration Profile for Pre-Approval

It is strongly recommended that pre-approval for the profile is deployed to all devices prior to install of - or upgrade to -
Darktrace/Endpoint 1.5.12+.

Deployment of a configuration profile varies across MDM solutions. A profile plist file - available from Darktrace support -
provides a definitive description of what must be present in the configuration profile regardless of MDM platform.

Please now refer to Creating a Profile to Pre-Approve the Darktrace/Endpoint macOS System Extension.

CREATING A PROFILE TO PRE-APPROVE THE CSENSOR MACOS SYSTEM EXTENSION

Deploying a Configuration Profile for Pre-Approval

Installing Darktrace/Endpoint macOS cSensor 1.5.12 or later requires configuration profiles to be in place to successfully
install without user interaction. Without these profiles, system extensions can only be approved by providing admin
credentials through a GUI prompt - approval cannot be achieved via a terminal session.

It is important to note that this includes devices that auto-update from prior versions.

Deployment of a configuration profile varies across MDM solutions. The profile plist file - available in
Appendix: Example macOS Profile for System Extension Pre-Approval - provides a definitive description of what must be
present in the configuration profile, regardless of MDM platform. An example profile creation via the JAMF MDM is also
provided below for reference.

Example Profile Creation & Deployment via MDM (JAMF)


To enable deployment of a content filter system extension with a macOS app - without requiring the user to provide admin
credentials - a configuration profile may be deployed to pre-approve the filter activation. Deployment is normally performed
using an MDM product, such as JAMF.

The following steps describe how to prepare the required profile using JAMF v10.41.0 as an example.

1. Log in to the JAMF UI, navigate to Computers and select Configuration Profiles.

2. Create a new profile, using the + New button.

3. In the General option, give the profile a suitable name, e.g. “Darktrace cSensor”.

4. In the options list, select System Extensions and press the Configure button.

5. On the System Extensions page, set the following:

◦ Uncheck the setting Allow users to approve system extensions.

◦ Provide a Display Name (optional).

◦ Set System Extension Types to Allowed System Extensions.

◦ Set Team Identifier to B75W84SR5U.

◦ Under ALLOWED SYSTEM EXTENSIONS, press the + Add button, enter the identifier com.darktrace.csensor.net in the
text field and click the small Save button on the same line.

6. In the options list, select Content Filter.



7. On the Content Filter page, set the following.

◦ Set Filter Name to Darktrace cSensor.

◦ Set Identifier to com.darktrace.csensor.agent.

◦ Set Filter Order to Firewall and turn the include toggle on.

◦ Under Socket Filter, set Socket Filter Bundle Identifier to com.darktrace.csensor.net.

◦ Under Socket Filter, set Socket Filter Designated Requirement to:

identifier "com.darktrace.csensor.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B75W84SR5U

◦ Under Network Filter, set Network Filter Bundle Identifier to com.darktrace.csensor.net.

◦ Under Network Filter, set Network Filter Designated Requirement to the same requirement string:

identifier "com.darktrace.csensor.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B75W84SR5U

◦ All other fields should remain empty, i.e. excluded.

8. Click the Save icon (disk) in the bottom right.

Having saved the profile, it should now be deployed to all devices that will have Darktrace/Endpoint cSensor agents
installed.

Proceed to Guidance on Installing the Darktrace/Endpoint Mac agent via MDM for more guidance on deployment via MDM.

GUIDANCE ON INSTALLING THE DARKTRACE/ENDPOINT MAC AGENT (CSENSOR) VIA MDM

Darktrace/Endpoint System Extension


From 1.5.12, Darktrace/Endpoint macOS cSensor agents require a system extension to be enabled as part of the installation
process. This is applicable to new installations and installations upgrading from versions prior to 1.5.12. If pre-approval is
not provided via a profile, the device user is prompted to enter admin credentials to approve the extension. Deployment via
MDM allows this to be prevented.

Before continuing, ensure you have read the Preinstallation Requirements and created a profile (as described in
Creating a Profile to Pre-Approve the Darktrace/Endpoint macOS System Extension) for pre-approval of the system
extension.

Methods of MDM Install


Headless installations of the macOS client sensor require a config file to be provided before installation. As many MDM
solutions require the installation files to be packaged in a single signed package file, two methods of deployment are
suggested:

• Package-within-Package

The installation package and config.csensor file are wrapped in a further package before distribution. This
method is only feasible where the MDM solution accepts unsigned packages, or the package is signed by your
organization internally.

• Two-Stage Deployment

The installation is performed in two stages - distribution of the config.csensor file and separately, the
distribution and installation of the package. This method requires two MDM policies to be configured and will be
explained in further detail below.

Two-Stage Deployment
To perform this installation method, the installation process should be subdivided. The first deployment policy should install
a configuration file - config.csensor - in the location that the future installation package will be placed. The second
deployment policy should install the standard cSensor install package supplied by Darktrace.

Example First Stage Script

This example uses the standard requisite fields as defined in Installing the macOS cSensor via CLI:

• The FQDN of your dedicated cSensor cloud infrastructure (FQDN).
• The unique authentication token (UNIQUE_KEY).
• The identifier of the unique authentication token (KEY_ID).

Also required is:

• The location on the target device where the cSensor package will be placed (PKG_DIRECTORY).

These placeholders must be substituted before the script is run.



#!/bin/bash
set -o errexit

echo "Running Darktrace cSensor Installer (stage 1)"

CSENSOR_PLIST_ENDPOINT="/Library/LaunchDaemons/com.darktrace.csensor.agent.plist"
CFG_PATH="<PKG_DIRECTORY>"
CFG_NAME="config.csensor"
SERVER="<FQDN>"
KEY="<UNIQUE_KEY>"
KEY_ID="<KEY_ID>"

# Make sure any pre-existing agent is not running
if [[ -f "$CSENSOR_PLIST_ENDPOINT" ]]; then
    echo "unloading $CSENSOR_PLIST_ENDPOINT"
    /bin/launchctl unload "$CSENSOR_PLIST_ENDPOINT"
    # give the agent time to exit gracefully
    sleep 5
    echo "removed old agent ... DONE"
fi

echo "Installing agent config"

# The config line uses the CLI install format FQDN:UNIQUE_KEY:KEY_ID
mkdir -p "$CFG_PATH"
echo "$SERVER:$KEY:$KEY_ID" > "$CFG_PATH/$CFG_NAME"

# Restart any pre-existing agent
if [[ -f "$CSENSOR_PLIST_ENDPOINT" ]]; then
    echo "loading $CSENSOR_PLIST_ENDPOINT"
    /bin/launchctl load "$CSENSOR_PLIST_ENDPOINT"
fi

Second Stage Script

The second install script can be designed in line with the steps for CLI installations in Installing the macOS cSensor via CLI.
The config file described in step 2 is created by the example script given above.
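A post-deployment check for the two-stage MDM method, as an added example that is not Darktrace's tooling: it reads `systemextensionsctl list` output and reports the state of the cSensor network system extension, so an MDM extension attribute or a support script can distinguish a fully approved extension ([activated enabled]) from one that is stuck waiting on the admin-credential prompt because no pre-approval profile reached the device. The team ID and bundle identifier are the ones given in this guide; the sample listings are constructed to follow the column layout macOS prints and are not captured from a real device.

```shell
#!/bin/bash
# Added example, not Darktrace's own tooling: report the state of the
# cSensor network system extension from `systemextensionsctl list` output.
# Team ID and bundle ID are the values given in this guide.

CSENSOR_TEAM_ID="B75W84SR5U"
CSENSOR_EXT_BUNDLE="com.darktrace.csensor.net"

# Read a listing on stdin and print the bracketed state of the cSensor
# extension line (e.g. "[activated enabled]"), or "missing" when no line
# for the guide's team ID and bundle ID is present.
csensor_extension_state() {
    state=$(grep -F "$CSENSOR_TEAM_ID" | grep -F "$CSENSOR_EXT_BUNDLE" \
        | sed -n 's/.*\(\[[^]]*\]\).*/\1/p' | head -n 1)
    if [ -n "$state" ]; then
        printf '%s\n' "$state"
    else
        printf 'missing\n'
    fi
}

# Exit 0 only when the extension is approved and running.
csensor_extension_ready() {
    [ "$(csensor_extension_state)" = "[activated enabled]" ]
}

# Live check on a Mac. Elsewhere the command is absent and the result is
# "missing", which is also what a device with no cSensor install reports.
csensor_live_state() {
    systemextensionsctl list 2>/dev/null | csensor_extension_state
}

# Constructed sample listings (not from a real device) in the layout
# systemextensionsctl prints: enabled/active markers, team ID,
# bundle ID (version), name, [state]. Version and name are assumed.
SAMPLE_READY='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * B75W84SR5U com.darktrace.csensor.net (1.5.12/1.5.12) Darktrace cSensor [activated enabled]'

# Installed but not pre-approved: the device user is being prompted for
# admin credentials, so the pre-approval profile should be pushed.
SAMPLE_WAITING='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
    B75W84SR5U com.darktrace.csensor.net (1.5.12/1.5.12) Darktrace cSensor [activated waiting for user]'

SAMPLE_NONE='0 extension(s)'

# Run the state check over a listing held in a string.
csensor_check_sample() {
    printf '%s\n' "$1" | csensor_extension_state
}

# Usage on a device: csensor_live_state; or csensor_extension_ready < saved_listing.txt
```

Feeding the listing through stdin keeps the parsing testable against saved output from a device, and the three states it surfaces map directly onto the guide's deployment advice: "missing" means the package stage never ran, "[activated waiting for user]" means the profile stage was skipped or has not applied, and only "[activated enabled]" means the device is ready for Darktrace RESPOND/Endpoint.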

INSTALLING THE DARKTRACE/ENDPOINT MAC AGENT (CSENSOR) VIA CLI

Prerequisites
Before proceeding, ensure you have three important pieces of information:

• The FQDN of your dedicated cSensor cloud infrastructure.
• The unique authentication token.
• The identifier of the unique authentication token.

These values will be provided directly by your Darktrace representative, or found on the Your Darktrace > Credentials page
of the Darktrace Customer Portal. If the values are not visible, click the eye icon to reveal them.

If you are supplied with authentication information in the format [#]:[#] , such as
1:45abc6ece9a43c4be4ffe9e3cc31cc19 , the number before the colon is the identifier of the unique authentication
token and the string after the colon is the unique authentication token. In this example, the Key ID is 1 and the Token is
45abc6ece9a43c4be4ffe9e3cc31cc19 .

System Extension

From 1.5.12, Darktrace/Endpoint macOS cSensor agents require a system extension to be enabled as part of the installation
process. This is applicable to new installations and installations upgrading from versions prior to 1.5.12.

It is strongly recommended that a profile is deployed by MDM prior to install that pre-approves this system extension. If the
system extension is not pre-approved, the end-user will receive a GUI prompt to enter admin credentials. Approval cannot
be provided via CLI.

Before continuing, ensure you have read the Preinstallation Requirements and created a profile (as described in
Creating a Profile to Pre-Approve the Darktrace/Endpoint macOS System Extension) for pre-approval of the system
extension.

Installation Process
To install the Darktrace cSensor application remotely or via the command line, the steps required are as follows:

1. Copy the install package onto the target device. The install package has the naming syntax
“darktrace_csensor_v[X].[Y].[Z]-[#].pkg”, where the placeholders in the cSensor package name will differ
between packages as the software version increments.

2. In the same location as the package on the target device, create a configuration file named “config.csensor”.
This file must contain the important pieces of information outlined above:

◦ The FQDN of your dedicated cSensor cloud infrastructure (FQDN).
◦ The unique authentication token (UNIQUE_KEY).
◦ The identifier of the unique authentication token (KEY_ID).

The values must be formatted in one line, colon-separated, at the top of the file:

FQDN:UNIQUE_KEY:KEY_ID

For example:

4dg6u41a.live.darktracesensor.com:45abc6ece9a43c4be4ffe9e3cc31cc19:1

3. Install the package with the installer utility using the command:

sudo installer -pkg [path-to-package] -target /

Optionally, add the -verbose flag for install logging.

4. Remove the “config.csensor” and package files.

To update an existing installed Darktrace cSensor application remotely or via the command line, without changing
configuration, copy the new version to the target device. Install the package with the installer utility using the command
sudo installer -pkg <path to package> -target /, with or without the optional -verbose flag. Remove the
package file after completion.

Reinstallation is required if FQDN , UNIQUE_KEY or KEY_ID change. Uninstall the package first before attempting reinstall.
Information about uninstallation can be found in the FAQ (Customer Portal).
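The CLI procedure above, as an added example that is not Darktrace's own script: it derives the config.csensor line from a portal-style KEY_ID:TOKEN credential (the field order in the file is the reverse of the portal string), validates the line before anything is written, places the file next to the package with owner-only permissions, runs the installer, and removes both files even when the installer fails so the token does not linger on disk. The FQDN and credential values are the guide's examples; the package path and the use of -verbose are assumptions.

```shell
#!/bin/bash
# Added example, not Darktrace's own script. Implements steps 1-4 of the
# CLI installation for a package already copied to the device.
set -o errexit
set -o nounset

# Build the config.csensor line "FQDN:UNIQUE_KEY:KEY_ID" from the FQDN and a
# portal-style credential "KEY_ID:TOKEN" (e.g. 1:45abc6ece9a43c4be4ffe9e3cc31cc19).
# The portal string puts the key id first; the config file wants it last.
build_config_line() {
    fqdn="$1"
    cred="$2"
    key_id="${cred%%:*}"   # text before the first colon
    token="${cred#*:}"     # text after the first colon
    printf '%s:%s:%s\n' "$fqdn" "$token" "$key_id"
}

# Return 0 if LINE is well-formed: exactly three colon-separated fields, a
# hostname-like FQDN, a 32-character hex token and a numeric key id.
# Catches pasting the portal string unchanged or swapping token and key id.
validate_config_line() {
    line="$1"
    nfields=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
    [ "$nfields" -eq 3 ] || return 1
    fqdn=$(printf '%s\n' "$line" | cut -d: -f1)
    token=$(printf '%s\n' "$line" | cut -d: -f2)
    key_id=$(printf '%s\n' "$line" | cut -d: -f3)
    printf '%s\n' "$fqdn"   | grep -Eq '^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$' || return 1
    printf '%s\n' "$token"  | grep -Eq '^[0-9a-fA-F]{32}$'              || return 1
    printf '%s\n' "$key_id" | grep -Eq '^[0-9]+$'                       || return 1
}

# Step 2: write LINE to config.csensor in PKG_DIR. The token authenticates the
# agent to your cSensor infrastructure, so the file is created owner-only.
write_config() {
    pkg_dir="$1"
    line="$2"
    validate_config_line "$line" || { echo "config line is malformed" >&2; return 1; }
    mkdir -p "$pkg_dir"
    ( umask 077 && printf '%s\n' "$line" > "$pkg_dir/config.csensor" )
}

# Steps 1-4 together. PKG_PATH is the copied darktrace_csensor_v[X].[Y].[Z]-[#].pkg;
# the config file must sit in the same directory. Both files are removed
# afterwards whether or not the installer succeeded, and the installer's
# exit status is returned.
install_csensor() {
    pkg_path="$1"
    fqdn="$2"
    cred="$3"
    pkg_dir=$(dirname "$pkg_path")
    write_config "$pkg_dir" "$(build_config_line "$fqdn" "$cred")"
    status=0
    sudo installer -pkg "$pkg_path" -target / -verbose || status=$?
    rm -f "$pkg_dir/config.csensor" "$pkg_path"
    return "$status"
}

# Usage (assumed package path) on the target Mac:
#   ./csensor_cli_install.sh /tmp/csensor/darktrace_csensor_v1.5.12-1.pkg \
#       4dg6u41a.live.darktracesensor.com 1:45abc6ece9a43c4be4ffe9e3cc31cc19
if [ "$#" -eq 3 ]; then
    install_csensor "$1" "$2" "$3"
fi
```

Validating before writing matters because the installer reads whatever is in config.csensor: a swapped token and key id or an unchanged portal string produces an agent that installs cleanly but never authenticates, which shows up only later as a device that never appears in the Threat Visualizer.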

INSTALLING THE DARKTRACE/ENDPOINT MAC AGENT (CSENSOR) VIA THE INSTALLER

Prerequisites
Before proceeding, ensure you have three important pieces of information:

• The FQDN of your dedicated cSensor cloud infrastructure.
• The unique authentication token.
• The identifier of the unique authentication token.

These values will be provided directly by your Darktrace representative, or found on the Your Darktrace > Credentials page
of the Darktrace Customer Portal. If the values are not visible, click the eye icon to reveal them.

If you are supplied with authentication information in the format [#]:[#] , such as
1:45abc6ece9a43c4be4ffe9e3cc31cc19 , the number before the colon is the identifier of the unique authentication
token and the string after the colon is the unique authentication token. In this example, the Key ID is 1 and the Token is
45abc6ece9a43c4be4ffe9e3cc31cc19 .

System Extension

From 1.5.12, Darktrace/Endpoint macOS cSensor agents require a system extension to be enabled as part of the installation
process. This is applicable to new installations and installations upgrading from versions prior to 1.5.12.

It is strongly recommended that a profile is deployed by MDM prior to install that pre-approves this system extension. If the
system extension is not pre-approved, the end-user will receive a GUI prompt to enter admin credentials. Approval cannot
be provided via CLI.

Before continuing, ensure you have read the Preinstallation Requirements and created a profile (as described in
Creating a Profile to Pre-Approve the Darktrace/Endpoint macOS System Extension) for pre-approval of the system
extension.

Installation Process
1. Download the cSensor .dmg file provided from the customer portal or your Darktrace representative. Double-
click on the .dmg file to open a new window containing the package.

2. In this new window, double click the ‘install’ package to launch the installation wizard.

3. In the installation dialog, proceed through the “Introduction” to the “Settings” page. This is where the three
important values described above must be entered.

In the Server field, enter the FQDN of your dedicated cSensor cloud infrastructure. For example,
4dg6u41a.live.darktracesensor.com

In the Key ID field, enter the identifier for your unique token. For example, 1 .

In the Token field, enter your unique organizational authentication token, for example
45abc6ece9a43c4be4ffe9e3cc31cc19 .

4. Click “Continue” and proceed. If prompted, provide admin credentials to approve the installation.

5. Click “Install” and allow the package to install.

6. Optionally allow the wizard to delete the installation package after successful install.

7. Open a Finder window and eject the .dmg file.



8. (Optional) If the profile described in Preinstallation Requirements and Creating a Profile to Pre-Approve the
System Extension has not been deployed, wait for the system extension pop-ups to appear and follow the instructions
given in them to allow installation of the system extension. This will require administrator credentials.

Installation is now complete. Information about uninstallation can be found in the FAQ (Customer Portal).

ENABLING DARKTRACE RESPOND/ENDPOINT

Darktrace DETECT & RESPOND/Endpoint extends Darktrace autonomous response capabilities to network connectivity on
endpoint devices. To enable Darktrace RESPOND/Endpoint from Darktrace Threat Visualizer 5.2, a license must be entered
into the Darktrace System Config page.

Darktrace RESPOND/Endpoint functionality must also be enabled on individual cSensors - this can be configured by your
Darktrace representative or performed automatically when devices are added to a Darktrace RESPOND/Endpoint-enabled
group (5.2+).

• When Darktrace RESPOND/Endpoint capabilities are enabled on Windows devices, no configuration changes
are required.

• To enable Darktrace RESPOND/Endpoint capabilities on macOS, a System Extension is required.

◦ Installations of the Darktrace/Endpoint macOS agent from 1.5.12 include the system extension by default -
no configuration changes are required. This is also applicable to existing installations that upgrade to
1.5.12+.

◦ Installations prior to 1.5.12+ will require the System Extension to be enabled on all devices. Please refer to
Preinstallation Requirements and Creating a Profile to Pre-Approve the System Extension.

How it Works

Darktrace RESPOND actions are primarily taken by integrating with system-level traffic filtering. The Windows cSensor
integrates with the Windows Filtering Platform to restrict connectivity. On macOS devices, a system extension applies
content filter restrictions. Darktrace RESPOND RST actions can also be taken directly on host as a secondary action.

Devices monitored by cSensors, like network devices, will breach Darktrace RESPOND (Antigena) models if tagged
appropriately with one or more of the five Darktrace RESPOND tags: Antigena Compliance, Antigena External Threat,
Antigena Insider Threat, Antigena Significant Anomaly and Antigena All. Custom models which trigger Darktrace RESPOND
actions on endpoint devices can also be created as desired.

These model breaches will appear in the Threat Tray and create entries in the Darktrace RESPOND Actions
window. Actions from cSensor devices are indicated by the type “Endpoint”.

Exempt Applications

Applications can be exempted from actions to allow remote control or limited connectivity to continue. For VPN
applications, the cSensor can prevent all connectivity sent via the VPN but allow the connection to the VPN itself to remain
intact.

To exempt an application, you must provide the path to the executable that denotes that application. Your Darktrace
representative can configure this exemption for you, or it can be configured manually on the cSensor Admin Page.

The cSensor application is exempt from actions to ensure continuous communication from your Darktrace environment.
Where a full-tunnel VPN is in place - all communication from the cSensor is itself routed through the tunnel - the VPN
application should be exempted to ensure ongoing communication with the cSensor cloud-based infrastructure is
possible.

Enabling Darktrace RESPOND/Endpoint


1. Add the Darktrace RESPOND/Endpoint license key to the Darktrace System Config page. Your Darktrace
representative may add this key for you or provide the value for manual entry.

If a Darktrace RESPOND/Network license is already present, add the license as a comma-separated value.

2. Your Darktrace representative will enable Darktrace RESPOND/Endpoint on the Darktrace master instance.

3. Create a new policy or edit an existing policy on the cSensor admin page and turn on the setting Antigena
Endpoint Actions.

4. Devices this policy applies to will enable Darktrace RESPOND/Endpoint functionality.

For macOS, this will trigger a system prompt if a profile is not installed. Please see above.

5. Add Darktrace RESPOND tags to devices covered by Darktrace RESPOND/Endpoint in the Threat Visualizer
user interface.

Once these devices trigger model breaches, Darktrace RESPOND/Endpoint actions will be taken.

FREQUENTLY ASKED QUESTIONS

How are updates handled?

Updates are available via two channels: automated and manual. Automated updates are provided from Darktrace
infrastructure and, like the main Threat Visualizer software, are available in two tracks - Stable and Early Adopter. Automated
updates ensure that agents are running the most recent software version and receiving new features and product
improvements with minimal maintenance. Automated updates should be preferred where possible.

Manual updates can be handled by your existing organizational device management systems for device applications if
desired.

For the Linux cSensor, automatic updates are provisioned outside the scope of the package manager.

How do I uninstall the agent?

Windows

• For GUI uninstallation, the “Settings > Apps” or “Add or Remove Programs” dialogs can be used to remove the
application.

• CLI uninstall can be performed with msiexec /x Darktrace_cSensor.msi /norestart /quiet. Please
note, relative paths (.\) to the .msi location are not supported on install or uninstall.

macOS (current - Darktrace/Endpoint macOS cSensor 1.1+ installs)

• For CLI installations, copy the relevant uninstall package onto the target device. The package has the naming
syntax “uninstall_csensor_v[X].[Y].[Z]-[#].pkg”, where the placeholders in the package name will differ between
packages as the software version increments. Remove the package with the installer utility using the command
sudo installer -pkg [path to package] -target / with the optional -verbose flag for logging.
Remove the uninstall package afterwards.

• For GUI installs, the uninstall package is provided within the initial .dmg file. Double-click on the .dmg file to
open a new window containing the packages, then double-click the ‘uninstall’ package to launch the
uninstallation.

macOS (legacy - Darktrace/Endpoint macOS cSensor 1.0.# series installs)

Please note, if a 1.0.# series install has been upgraded to 1.1.0+, please follow the steps described above.

• For CLI installs, the uninstall_csensor_agent.sh shell script is provided. The script should be run without
arguments - sudo sh uninstall_csensor_agent.sh - on the device where the agent is installed.

• For GUI installs, the “Darktrace cSensor” application icon should be dragged from the Applications folder into
the Trash or Bin.

Linux

• To remove the cSensor, run the appropriate uninstallation command for the package type installed with the
target darktrace-csensor :

sudo rpm -e darktrace-csensor

sudo dpkg -r darktrace-csensor

Optionally the command may require a modification to completely remove configuration, for example:

sudo dpkg -P darktrace-csensor

In some instances, uninstallation will produce many warnings of the form:

warning: file <path>: remove failed: No such file or directory

This is caused by installed files being created/deleted during normal operation and cleaned up before the package
manager expects them to be. Warnings of this format can be safely ignored.

Where can I find logs for troubleshooting?

If relevant logs are requested by your Darktrace representative or a member of Darktrace support, these can be found in the
following locations for each operating system.

Windows

Installation logs - AppData/Local/Temp/DtcsInstall.log

Operating logs - ProgramData/Darktrace/cSensor/csensor.log

macOS

Installation logs can be found in the generic /var/log/install.log. This log also contains entries from other services, so
only the log lines relevant to the cSensor service need be extracted, with other lines discarded, if preferred.

Operating logs - /var/log/com.darktrace.csensor/com.darktrace.csensor.agent.log

Linux

Exact installation output will depend on the package manager used for installation. Relevant information should be
output when the install command is run.

Operating logs can be found at /var/log/darktrace-csensor/info.log. Standard systemctl / journalctl
commands are also supported for darktrace-csensor.service.

How do I change proxy settings for my Windows cSensor agents after install?

The csmanage.exe command line application can be used to modify proxy configuration of individual agents after
installation. The application requires administrator privileges to run.

To review the full list of available proxy configurations please refer to the inbuilt application documentation. The application
is located in the same directory as the csensor.exe application after installation, for example:

C:\Program Files\Darktrace\cSensor>csmanage.exe proxy --help-all

How will cSensors appear on my deployment?

Devices monitored by cSensors are aggregated by country and displayed on the Threat Visualizer world map accordingly.
Monitored devices will display a cSensor icon in the omnisearch bar to indicate the data source and will show additional
information on hover including the OS and installed agent version.

How does device tracking work?

cSensor-monitored devices are modeled as distinct entities by a unique identifier. Traffic on multiple interfaces (such as
concurrent Wi-Fi and Ethernet connections) is modeled together as part of the single entity. cSensor devices are currently
aggregated into per-country groups, rather than subnets. Device tracking options are not available for these groups.

If network traffic is seen for a monitored device via a different source (for example, a remote worker visits a satellite office
and connects to the Wi-Fi), that traffic will not be deduplicated.

How does Advanced Search data differ from other traffic monitoring methods?

In its current implementation, the cSensor performs deep packet inspection only at the start of a long-lived connection.
Advanced Search data for such connections will therefore be incomplete with respect to connection history and total data
transferred over the connection lifetime. Records for short-lived or encrypted connections, such as DNS and SSL, will be
complete.

What happens if the user restarts their device during a Darktrace RESPOND/Endpoint action?

The user cannot remove the action by restarting their device. Actions will be reapplied immediately upon the agent
restarting.

What happens if the user changes user account during a Darktrace RESPOND/Endpoint action?

The user cannot remove the action by changing user account; actions on both macOS and Windows are system-level and
apply to all users.

Why am I seeing DNS traffic during a Darktrace RESPOND/Endpoint quarantine?

The cSensor agent may perform DNS resolution during an Antigena Action (such as a quarantine) in order to ensure
connections to the relevant endpoints are blocked.

APPENDIX: EXAMPLE MACOS PROFILE FOR SYSTEM EXTENSION PRE-APPROVAL

The following is an example MDM configuration profile definition for the Mac cSensor. It should be used as a reference when
creating an MDM configuration profile via an appropriate MDM solution (e.g. JAMF) to pre-approve the macOS System
Extension.

For more information, please refer to

• Preinstallation Requirements

• Creating a Profile to Pre-Approve the Darktrace/Endpoint macOS System Extension



Example Profile

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>AllowUserOverrides</key>
      <false/>
      <key>AllowedSystemExtensions</key>
      <dict>
        <key>B75W84SR5U</key>
        <array>
          <string>com.darktrace.csensor.net</string>
        </array>
      </dict>
      <key>PayloadDescription</key>
      <string>System Extensions Policy settings for Darktrace cSensor</string>
      <key>PayloadDisplayName</key>
      <string>System Extensions</string>
      <key>PayloadIdentifier</key>
      <string>com.darktrace.csensor.net.D269D50D-BC4C-4812-A6E4-51AB83A7BFAD</string>
      <key>PayloadOrganization</key>
      <string>Darktrace Ltd</string>
      <key>PayloadType</key>
      <string>com.apple.system-extension-policy</string>
      <key>PayloadUUID</key>
      <string>D269D50D-BC4C-4812-A6E4-51AB83A7BFAD</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>FilterDataProviderBundleIdentifier</key>
      <string>com.darktrace.csensor.net</string>
      <key>FilterDataProviderDesignatedRequirement</key>
      <string>identifier "com.darktrace.csensor.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B75W84SR5U</string>
      <key>FilterPacketProviderBundleIdentifier</key>
      <string>com.darktrace.csensor.net</string>
      <key>FilterPacketProviderDesignatedRequirement</key>
      <string>identifier "com.darktrace.csensor.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B75W84SR5U</string>
      <key>FilterPackets</key>
      <true/>
      <key>FilterSockets</key>
      <true/>
      <key>FilterType</key>
      <string>Plugin</string>
      <key>FilterGrade</key>
      <string>firewall</string>
      <key>PayloadDescription</key>
      <string>Web Content Filter Payload</string>
      <key>PayloadDisplayName</key>
      <string>Web Content Filters</string>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadIdentifier</key>
      <string>com.apple.webcontent-filter.8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
      <key>PayloadType</key>
      <string>com.apple.webcontent-filter</string>
      <key>PayloadUUID</key>
      <string>8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PluginBundleID</key>
      <string>com.darktrace.csensor.agent</string>
      <key>UserDefinedName</key>
      <string>Darktrace cSensor</string>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>System Extension and Content Filter Configuration</string>
  <key>PayloadDisplayName</key>
  <string>Darktrace cSensor Network Filter</string>
  <key>PayloadEnabled</key>
  <true/>
  <key>PayloadIdentifier</key>
  <string>com.darktrace.csensor.net</string>
  <key>PayloadOrganization</key>
  <string>Darktrace Ltd</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>B9D97618-9E24-4388-9C7F-DDFDEC3A7933</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
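As an added example (not Darktrace's or Apple's code), the following Python script uses the standard-library plistlib to parse an abridged copy of the profile above and checks that its two payloads agree with each other before the profile is pushed by MDM: the Team ID and bundle identifier approved in AllowedSystemExtensions must be the ones named in each filter provider's designated requirement, user overrides must be disabled, the filter must be firewall grade, and every payload UUID must be well formed. The function name check_profile, the problem messages and the abridged profile constant are this example's own; the Team ID, bundle identifiers and UUIDs are copied from the profile printed above.

```python
"""Consistency checks for a macOS MDM profile that pre-approves a network
system extension and its content filter (added example; not Darktrace's or
Apple's code).  Both payloads must agree on Team ID and bundle identifier."""
import plistlib
import re
import uuid

# Constructed, abridged copy of the guide's example profile: only the keys the
# checks below look at.  Team ID and bundle identifiers are as printed above.
EXAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>AllowUserOverrides</key><false/>
      <key>AllowedSystemExtensions</key>
      <dict><key>B75W84SR5U</key><array><string>com.darktrace.csensor.net</string></array></dict>
      <key>PayloadIdentifier</key><string>com.darktrace.csensor.net.D269D50D-BC4C-4812-A6E4-51AB83A7BFAD</string>
      <key>PayloadType</key><string>com.apple.system-extension-policy</string>
      <key>PayloadUUID</key><string>D269D50D-BC4C-4812-A6E4-51AB83A7BFAD</string>
    </dict>
    <dict>
      <key>FilterDataProviderBundleIdentifier</key><string>com.darktrace.csensor.net</string>
      <key>FilterDataProviderDesignatedRequirement</key>
      <string>identifier "com.darktrace.csensor.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B75W84SR5U</string>
      <key>FilterPacketProviderBundleIdentifier</key><string>com.darktrace.csensor.net</string>
      <key>FilterPacketProviderDesignatedRequirement</key>
      <string>identifier "com.darktrace.csensor.net" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B75W84SR5U</string>
      <key>FilterGrade</key><string>firewall</string>
      <key>PayloadIdentifier</key><string>com.apple.webcontent-filter.8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
      <key>PayloadType</key><string>com.apple.webcontent-filter</string>
      <key>PayloadUUID</key><string>8237701A-4ED8-473A-AC86-4BEFF6662A62</string>
    </dict>
  </array>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>B9D97618-9E24-4388-9C7F-DDFDEC3A7933</string>
</dict>
</plist>
"""

# Pieces of a code-signing designated requirement that must line up with the policy payload.
DR_IDENTIFIER = re.compile(r'identifier\s+"([^"]+)"')
DR_TEAM_ID = re.compile(r'leaf\[subject\.OU\]\s*=\s*"?([A-Z0-9]{10})"?')


def check_profile(profile_bytes):
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    root = plistlib.loads(profile_bytes)
    if root.get("PayloadScope") != "System":
        problems.append("PayloadScope should be System, as in the guide's example")
    payloads = {p.get("PayloadType"): p for p in root.get("PayloadContent", [])}
    sysext = payloads.get("com.apple.system-extension-policy")
    filt = payloads.get("com.apple.webcontent-filter")
    if sysext is None or filt is None:
        problems.append("profile needs both a system-extension-policy and a webcontent-filter payload")
        return problems
    if sysext.get("AllowUserOverrides") is not False:
        problems.append("AllowUserOverrides should be false so users cannot alter the approval")

    # Map each approved extension bundle ID to the Team ID it was approved under.
    ext_to_team = {ext: team
                   for team, exts in sysext.get("AllowedSystemExtensions", {}).items()
                   for ext in exts}
    for prefix in ("FilterDataProvider", "FilterPacketProvider"):
        bundle_id = filt.get(prefix + "BundleIdentifier")
        if bundle_id not in ext_to_team:
            problems.append(f"{prefix}: {bundle_id} is not listed in AllowedSystemExtensions")
            continue
        # The designated requirement must name the same bundle ID and Team ID.
        requirement = filt.get(prefix + "DesignatedRequirement", "")
        ident = DR_IDENTIFIER.search(requirement)
        team = DR_TEAM_ID.search(requirement)
        if not ident or ident.group(1) != bundle_id:
            problems.append(f"{prefix}: designated requirement does not name {bundle_id}")
        if not team or team.group(1) != ext_to_team[bundle_id]:
            problems.append(f"{prefix}: designated requirement Team ID differs from AllowedSystemExtensions")
    if filt.get("FilterGrade") != "firewall":
        problems.append("FilterGrade should be firewall; an inspector-grade filter observes but cannot block")

    # Every payload carries a UUID; the inner payload identifiers end with it.
    for payload in (root, sysext, filt):
        try:
            uuid.UUID(payload.get("PayloadUUID", ""))
        except ValueError:
            problems.append(f"{payload.get('PayloadType')}: PayloadUUID is not a valid UUID")
    for payload in (sysext, filt):
        if not payload.get("PayloadIdentifier", "").endswith(payload.get("PayloadUUID", "")):
            problems.append(f"{payload['PayloadType']}: PayloadIdentifier does not end with PayloadUUID")
    return problems
```

Running check_profile over a profile exported from the MDM catches the most common reason a pushed profile still leaves the extension unapproved: a Team ID or bundle identifier that was edited in one payload but not the other.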
US:+1 415 229 9100 UK:+44 (0) 1223 394 100 LATAM:+55 11 4949 7696 APAC:+65 6804 5010 [email protected] darktrace.com
