VMware Carbon Black App Control Rules Installer 1.20 | 24 APR 2023 | Build 1.20.20.39

Check for additions and updates to these release notes.

What's New

VMware Carbon Black has released Rules Installer version 1.20. New features include:

Process Hollowing Detection Rapid Config

The Rules Installer 1.20 release now enables Windows App Control agents version 8.9.0 and later to detect when a process is being hollowed out and hijacked to execute malicious code. This expands upon App Control's excellent file-based attack prevention by adding protection for this widely recognized memory-based attack.

Once the Rules Installer 1.20 release is applied to your server, you will find "Process Hollowing Protection" listed under server rapid configs. You can customize the rapid config to choose how the agent handles process hollowing detection, either blocking the process or reporting the process. You can choose the notifier that is displayed for the detection and even specify applications that are allowed to hollow processes for false-positive prevention.

Additional Changes:

  • Added new file locations to the Mac Carbon Black Cloud Updater to ensure that future updates continue to be approved properly.

  • Made changes to the Windows Carbon Black Cloud Updater to approve updates written by Repmgr.exe. This process is used by Carbon Black Cloud to provide Avira AV updates, and must be approved.

  • Updated the "Block Powershell Scripts That Execute Memory" rule to use the <YaraTags:powershell_interpreter> tag to identify PowerShell processes, as opposed to matching on powershell.exe.

Important:
  • Beginning with App Control 8.1.4, agent installers and the rule file that determines their behavior are no longer included as part of an App Control Server installation. You upload rule installer packages separately after you install the server. This allows VMware Carbon Black more flexibility to make new and improved rules available to you independent of server releases.

  • Customers who are performing a fresh (non-upgrade) installation of the VMware Carbon Black App Control Server will need to install the Rules Installer before deploying agents. For customers upgrading the App Control Server, we strongly recommend that you install the latest Rules Installer after the server upgrade. See: VMware Carbon Black App Control Rules Installer and Rapid Configs Guide for detailed instructions.

  • If you are upgrading from Rules version 1.14 or earlier, download and apply the script contained in the following UEX link to ensure that server service is not lost after reboot. This issue was first noticed when upgrading from Rules 1.14 to 1.16.

    https://community.carbonblack.com/t5/Documentation-Downloads/App-Control-Rules-1-16-Registry-Script/ta-p/112668#M3597

Resolved Issues

EP-17182: The Carbon Black Cloud Updater for Mac was updated to include new file locations.

Known Issues

EP-18058: The Process Hollowing Protection Rapid Config utilizes two rules to prevent process hollowing from occurring. When blocking is enabled, one rule terminates the hollowing process and the other terminates the hollowed process. As a result, two notifiers are expected to display for each rule trigger; however, when the rules are triggered, only one notifier appears.

This issue can be worked around by searching the Events page on the server console and looking for the event logs produced by the rule triggers.
