Mac OS X 10.9 "Mavericks" and SAV for Mac

Apple released Mac OS X 10.9 "Mavericks" today, free for everyone with Snow Leopard or newer.

We've been testing our product with this release for many months now and had made numerous changes in version 9.0.3 (the version published about a month ago). The significant changes required were to change how we were building, codesigning, and installing our kernel extensions. You will now find two copies of our kext: one in /System/Library/Extensions and another in /Library/Extensions. This follows Apple's recommendation to support people transitioning from 10.8 to 10.9.

The kexts in /System/Library/Extensions are present for compatibility with versions of Mac OS X prior to 10.9. Starting in "Mavericks" the location is /Library/Extensions. We are codesigning the kexts in /Library/Extensions to conform to Apple's security requirements.

If you have issues, please report them in this thread.

  • Hello LDMartin1959,

    Can you post a pic of the error message? The significant part is the path (either it will start with /System/Library/Extensions, or it will start with /Library/Extensions). I suspect it will start with /System/Library/Extensions.

    Apple introduced kernel extension codesign verification with 10.9. They did this in a way that is not backwards compatible with codesign procedures in 10.8. As a result, they also introduced a mechanism where developers like Sophos are required to install two different copies of any kernel extensions (one in /System/Library/Extensions, the other in /Library/Extensions) and give these two different kernel extensions two different version numbers. The OS is supposed to pick the highest version number.

    Sophos has been delivering codesigned kernel extensions for a long time. We adopted the new strategy required by Apple during the "preview" cycle for 10.9 in the last few months, per their instructions. Everything tested fine.

    Now it seems the released version of 10.9 is misbehaving when it loads kernel extensions as it does not appear to prefer the highest version number as Apple intended. However it seems to only happen upon the first installation. Next reboot your machine will likely discover the correct kernel extension and never prompt again.

    How can you know what kernel extensions are loaded?

    Run "kextstat" in the Terminal, it shows all the kernel extensions loaded and their version number. Sophos extensions always start with com.sophos. The versions signed for OS X 10.9 are currently numbered 9.0.53 and the versions signed for 10.6/10.7/10.8 are currently numbered 9.0.3. These numbers change when we update those components, but the "rule" that Apple instituted is that the 10.9-ready extensions have a higher version number.

    How can you know whether a kernel extension is signed?

    Run "codesign -dvv <filename>" in the Terminal, it shows whether a given file is signed and how. Try "codesign -dvv /Library/Extensions/SophosOnAccessInterceptor.kext" and you'll see what that means.

    Hope this information helps.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
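
The kextstat check described in the reply above, as an added example that is not part of the original thread and not Sophos code: it lists the loaded com.sophos kexts and flags any whose version is not above the legacy (pre-10.9) version, which indicates the copy from /System/Library/Extensions was loaded. The bundle IDs and addresses in the sample are constructed, the function names are hypothetical, and the two version numbers are the ones quoted in the reply.

```shell
#!/bin/sh
# Constructed sample of `kextstat` output. Bundle IDs and addresses are made up;
# the versions 9.0.53 and 9.0.3 are the ones quoted in the post.
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1   76 0xffffff7f80a44000 0x8d50     0x8d50     com.apple.kpi.bsd (13.0.0)
  104    0 0xffffff7f82b00000 0x5000     0x5000     com.sophos.example.interceptor (9.0.53) <7 5 4 3 1>
  105    0 0xffffff7f82b0a000 0x3000     0x3000     com.sophos.example.netfilter (9.0.3) <5 4 1>'

# Read kextstat output on stdin; print "bundle_id version" for every loaded
# kext whose bundle ID starts with com.sophos.
sophos_loaded_kexts() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^com\.sophos\./) {
                v = $(i + 1); gsub(/[()]/, "", v)   # "(9.0.53)" -> "9.0.53"
                print $i, v
            }
    }'
}

# Succeed if dotted version $1 is strictly greater than $2. Fields are compared
# numerically, so 9.0.10 > 9.0.3 (a plain string comparison gets that wrong).
version_gt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "greater"
    }'
}

# Read kextstat output on stdin; print the Sophos kexts whose loaded version is
# not above the legacy version given as $1.
legacy_copies_loaded() {
    sophos_loaded_kexts | while read -r id ver; do
        version_gt "$ver" "$1" || echo "$id $ver"
    done
}

# On a Mac, feed it live data instead: kextstat | legacy_copies_loaded 9.0.3
printf '%s\n' "$SAMPLE_KEXTSTAT" | legacy_copies_loaded 9.0.3
```

Any kext this prints can then be inspected with the "codesign -dvv" command from the reply to see how the copy on disk is signed.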
