Cannot ‘Allow’ Citrix system file extensions when installing CF for Mac

Grab a copy of the database

  • The path is: /var/db/SystemPolicyConfiguration/ . See screenshot below and the required files:
  • image.png
  • Check if the kernel extension is allowed as shown below:
  • If it is allowed, then perform the steps highlighted below.

To fix the “Drive Unavailable” error, perform the following steps:

  1. Startup the Mac in recovery mode .
  2. Click the Utilities menu and select Terminal.
  3. Enter the following command:
    • /usr/sbin/spctl kext-consent add TEAMID
  4. Press Enter
    • Example: For Citrix the command would be: /usr/sbin/spctl kext-consent add S272Y5R93J
  5. Close the Terminal app and restart

If issue persists, Trigger the prompt by loading the kernel extension manually

sudo kextutil -t /Library/Filesystems/ctxfuse.fs/Contents/Extensions/10.12/ctxfuse.kext/

Note: Older builds (20.9 or less) can use sudo kextutil -t /Library/Filesystems/ctxfuse.fs/Contents/Extensions/10.11/ctxfuse.kext/

After running this command, open the system preferences in the security pane and see if you can approve the prompt.

While running the above command, if you encounter the Unable to stage kext” error then perform the action items highlighted below:


  1. As suggested here, run the below command:
    • chflags restricted /Volumes/Macintosh HD/private/var/db/KernelExtensionManagement
  2. People who have ran into the staging error have also reported upgrading to MacOS 10.15 Catalina also fixes the issue.


  • No Related Posts

How to troubleshoot “Devices” tab missing from Windows Receiver toolbar after connecting a Linux VDA

root@XXXX:# modinfo /opt/Citrix/VDA/lib64/usb-vhci-hcd.ko

filename: /opt/Citrix/VDA/lib64/usb-vhci-hcd.ko


description: USB Virtual Host Controller Interface driver

srcversion: 9E700B46FBDA1647A9A2865


vermagic: 4.4.0-45-generic SMP mod_unload modversions

Note: In above example, Linux kernel version is inconsistent with VHCI Module.


  • No Related Posts

Receiving “Legacy System Extension” Dialog Box After Upgrading To macOS Catalina 10.15.4+

USB Generic redirection is the main component utilizing kernel extensions. Apple is deprecating the use of Kernel extensions in upcoming releases of macOS.

The warning is to inform us before moving forward with the deprecation.

In the event Apple deprecates it in the next release, only Generic USB redirection will be affected, and will not allow the use of said feature.


Improving Linux scan times??

I need a solution

Hello community,

We have been working with SEP 14.2.x on Linux machines for a little while now, and one of the consistent complaints is that scan times are taking too long…sometimes 72 hours. As it turns out, many of the machines with excessive scan times have NFS Shares. I have seen this article:… and realize that exclusions can be made, but unfortunately, there is no easy way for me to ask our thousands of Linux users, what directories are actually NFS Mounts.

My question, is anyone using SEP 14.2.x on their Linux machines in a corporate environment? If so, what policies have you implemented to improve the scan times, and or performance, of those Linux machines…or do you only rely on Autoprotect and skip scheduled scans altogether? If not, is there a more robust, centrally managed, AV solution for Linux machines?

We would like to stick with SEP as our Antivirus solution on Linux machines, but at this point, it feels like the SEP Linux Client will remain the overlooked Redheaded Step Child (no offense to any real readheaded step children), of SEP 14’s supported operating systems, at least for the foreseeable future.

Any thoughts or suggestions will be greatly appreciated.




Ubuntu 18.04.2 VMs can fail to boot on Citrix Hypervisor (formerly XenServer)

When creating an Ubuntu 18.04.2 or 18.04.3 VM or updating an existing VM to Ubuntu 18.04.2 or 18.04.3, your VM can fail to boot.

The console shows the boot sequence hung at the point “Starting Tool to automatically collect and submit kernel crash signatures…”

If you switch the console to shell mode and log in, the console shows errors in ‘org.gnome.Shell.desktop’


Sophos Anti-Virus for Linux and UNIX: Changes to supported platforms

Announced 30 June 2017 – As part of Sophos’ ongoing product lifecycle review process, we plan to update the platforms that are supported by the Sophos Anti-Virus for Linux and UNIX offerings. The changes are designed to enable Sophos to provide the strongest protection for the most popular platforms, and will affect the following:

The following sections are covered:

Applies to the following Sophos products and versions

Central Managed Threat Response [MTR] for Linux

The number of customers requiring Anti-Virus capabilities for legacy UNIX platforms continues to decline. Sophos plans to support the most popular platforms going forward, and plans to retire support for HP-UX.

The latest versions of many popular Linux distributions are now only available for 64-bit platforms. After June 30, 2018, with the exception of Red Hat Enterprise Linux 6, Sophos Anti-Virus for Linux will support 64-bit versions of Linux distributions only.

Update July 1, 2018: In line with previous communications, Sophos Anti-Virus for Linux now supports 64-bit platforms only, with the exception of Red Hat Enterprise 6.

The Sophos Anti-Virus for Linux agent currently includes a large number of pre-compiled Talpa Binary Packs for on-access scanning, many of which are for very old and deprecated kernel versions. Most customers use newer kernels in order to benefit from kernel enhancements and improved security, therefore Sophos plans to reduce the number of pre-compiled Talpa Binary Packs that are provided with the product.

  • When a new kernel version is introduced for a specific Linux distribution, Sophos typically aims to provide a Talpa Binary Pack for the new kernel version within approximately two to four weeks.
  • After June 2018, Talpa Binary Packs for kernel versions that are older than 18 months for that Linux distribution will be removed from the agent download. Update: This change is now scheduled for release October 22, 2018.
  • Talpa Binary Packs for kernel versions that are older than 18 months for that Linux distribution will be removed from the agent download.
  • Sophos will continue to provide Talpa Binary Packs for all kernel versions for supported Red Hat Enterprise Linux 6/7 distributions.

  • A definitive list of kernel versions for which Talpa Binary Packs are provided will continue to be published and updated on a regular basis. See TalpaBinaryPacks.txt for the current list. Note: this list is updated automatically when Talpa Binary Packs are added and removed.
  • Existing Sophos Anti-Virus for Linux installations will not be affected by this change. Talpa on-access scanning will continue to function without interruption and Sophos will continue to support customers using the product.
  • If on-access scanning is required and Sophos does not provide a pre-compiled Talpa Binary Pack for your kernel, the following options are available:


Sophos Anti-Virus for Linux: On-Access filesystem support

This article describes the filesystems supported for on-access scanning on Linux platforms.

The following sections are covered:

Known to apply to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Linux 9 and Sophos Anti-Virus for Linux 10

Good filesystems

The following filesystems are known to work with Sophos Anti-Virus for Linux:

Filesystem Name Talpa Support? Fanotify Support?
btrfs Yes Yes
cifs Yes No
ecryptfs Yes Yes
ext2 Yes Yes
ext3 Yes Yes
ext4 Yes Yes
fuse Yes Yes
fuseblk Yes Yes
iso9660 Yes Yes
jfs Yes Yes
minix Yes Yes
msdos Yes Yes
ncpfs Yes Yes
nfs Yes Yes
nfs4 Yes* No
nssadmin Yes No
oes Yes No
overlayfs Yes Yes
overlay Yes Yes
ramfs Yes Yes
reiserfs Yes Yes
smbfs Yes Yes
tmpfs Yes Yes
udf Yes Yes
vfat Yes Yes
xfs Yes Yes
zfs Yes No

*Note: Talpa does not support locally mounted (non-network) nfs4 filesystems.

Unsupported filesystems

The following filesystems are unsupported. The majority of these are pseudo-filesystems that do not contain regular files and cannot be scanned.

Filesystem Name Talpa Support? Fanotify Support? Notes
aufs No No Pseudo-filesystem
autofs No No Pseudo-filesystem
binfmt_misc No No Pseudo-filesystem
bpf No No Pseudo-filesystem
cgroup No No Pseudo-filesystem
configfs No No Pseudo-filesystem
debugfs No No Pseudo-filesystem
devfs No No Pseudo-filesystem
devpts No No Pseudo-filesystem
devtmpfs No No Pseudo-filesystem
No No See KBA 118982
fusectl No No Pseudo-filesystem
inotifyfs No No Pseudo-filesystem
mqueue No No Pseudo-filesystem
nfsd No No Pseudo-filesystem
nsspool No No Pseudo-filesystem
proc No No Pseudo-filesystem
romfs No No Pseudo-filesystem
rootfs No No Pseudo-filesystem
rpc_pipefs No No Pseudo-filesystem
securityfs No No Pseudo-filesystem
selinuxfs No No Pseudo-filesystem
squashfs No No
subfs No No Pseudo-filesystem
sysfs No No Pseudo-filesystem
usbdevfs No No Pseudo-filesystem
usbfs No No Pseudo-filesystem

Other filesystems

Behavior with other filesystems will depend on the on-access interception method:

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable for us to ensure that we continually strive to give our customers the best information possible.