Issue
Web Protection for macOS is not properly allowing and blocking domains.
Environments
- Nebula
- macOS
- Google Chrome
- Mozilla Firefox
- Safari
Symptoms
End users are able to access blocked domains, or are not allowed to access excluded domains.
Cause
- Missing network extensions
- Network filter disabled
- Full Disk Access not granted
- DNS cached
Resolution
Open a web browser and navigate to http://iptest.malwarebytes.com to verify if Web Protection is working. If you are able to reach the page, that means Web Protection is not working on the endpoint.
Follow the steps below to resolve this issue.
Check Network extension is installed and active
- Open Terminal
- Run the following command
systemextensionsctl list | grep ncep.engine.sys
- Output should look similar to this
* * GVZRY6KDKR com.malwarebytes.ncep.engine.sys.ext (5.6.0/5.6.0.0) Malwarebytes Engine [activated enabled]
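The same check can be scripted so that it reports a result instead of relying on reading the output by eye. This is an added example, not Malwarebytes code: the function name ncep_ext_state and its result strings (ok, missing, not-active:<state>) are assumptions, and the only state it treats as healthy is the [activated enabled] state shown above.

```shell
#!/bin/sh
# Added example: classify the Web Protection network extension state from
# `systemextensionsctl list` output supplied on stdin.

EXT_ID="com.malwarebytes.ncep.engine.sys.ext"   # bundle id shown on this page

# Prints one of: ok | missing | not-active:<state>   (hypothetical result names)
ncep_ext_state() {
    awk -v id="$EXT_ID" '
        {
            # Match the bundle id as a whole field so similar ids do not count.
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == id) hit = 1
            if (!hit) next
            found = 1

            # The state is the text inside the last [...] on the line.
            n = split($0, parts, /\[/)
            state = "unknown"
            if (n > 1) { state = parts[n]; sub(/\].*$/, "", state) }

            # The same id can be listed more than once (for example an old
            # copy pending removal), so one healthy entry is enough.
            if (state == "activated enabled") ok = 1
            else other = state
        }
        END {
            if (!found)  print "missing"
            else if (ok) print "ok"
            else         print "not-active:" other
        }'
}

# On a Mac, feed the real command output to the function.
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | ncep_ext_state
fi
```

A result of missing corresponds to the "Missing network extensions" cause; any not-active result means the extension is installed but still needs to be allowed or enabled.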
Check Network filter is enabled and green.
- Open System Settings.
- Go to Network.
- Look for MB-EngineHostApp-NCEP Content Filter.
- Verify there is a green dot next to it.
For more information, see Allow system extension for Web Protection on macOS devices - Nebula.
Check Full Disk Access permissions
- Go to System Settings.
- Go to Privacy & Security > Full Disk Access.
- Verify Full Disk Access is enabled for Malwarebytes Endpoint Agent and Malwarebytes Protection.
For more information, see Grant Full Disk Access on Mac devices in Nebula.
Enable Debug logging
- Hold the Control key and left-click on the endpoint agent icon in the menu bar.
- Select Enable debug logging.
For more information, see Enable debug logging on the Endpoint Agent.
Flush DNS Cache
- Quit your web browsers.
- Open Terminal.
- Run the following commands:
- dscacheutil -flushcache
- sudo killall -9 mDNSResponder
- sudo killall -9 com.malwarebytes.ncep.engine.sys.ext
Note: If you don't have access to use sudo commands, reboot the machine instead.
Clear DNS cache
Follow the instructions below to clear the DNS cache for the impacted browser.
Safari
- Open Safari
- Go to Settings > Advanced.
- Check Show develop menu in menu bar.
- In the Menu bar, go to Develop > Empty Caches.
- Restart Safari.
Chrome
- Open Chrome.
- Enter the following address in the address bar:
chrome://net-internals/#dns
- Click Clear host cache.
Firefox
- Open Firefox
- Enter the following address in the address bar:
about:networking#dns
- Click Clear DNS Cache.
Attempt to access the conflicting website again in the web browser that saw the initial failure. If the issue is resolved, disable debug logging by holding the Control key and left-clicking on the endpoint agent icon in the menu bar, then clicking Disable debug logging.
If the issue persists, continue on to gather configuration info for support.
Gathering configuration and state
Follow the steps below to gather additional information on the machine and browser configuration to provide to support. This helps to further diagnose and resolve the issue.
- Open Terminal.
- Execute the following commands and take note of the output:
- nslookup www.example.com
- nslookup example.com
- dig www.example.com
- dig example.com
- curl -i www.example.com
Only take note of the output if the command fails and there is no body in the response.
- ifconfig
- Open System Settings and search for DNS Servers. Take note of all DNS servers that are configured.
- If the failure occurs in Chrome:
- Open Chrome.
- Enter the following address into the address bar
chrome://settings/security?search=dns
- Take note of the Safe Browsing setting.
- Take note of the Use secure DNS setting.
- If the failure occurs in Firefox:
- Open Firefox.
- Revisit the problematic domain.
- Enter the following address into the address bar
about:networking#dns
- Take note of DNS Suffix, DoH URL, DoH Mode.
- Check the list of resolved domains for the failing domain and take note of the resolved hostname, addresses, and the Expires (Seconds) value.
- Collect Endpoint Agent diagnostics. For more information, see Collect Endpoint Agent diagnostic logs in Nebula
- Disable Debug logging.