VMware Carbon Black App Control Rules Installer 1.242 | 31 Jan 2024 | Build 1.24.9.49

Check for additions and updates to these release notes.

What's New

VMware Carbon Black has released Rules Installer version 1.24. Notable updates to the installer include:

Visual Studio Rapid Config Updated to Support Visual Studio 2022 64-Bit - We made a few changes to the rules within this rapid config to support automatically approving code created and compiled using the 64-bit version of Microsoft Visual Studio 2022.

Powershell Script Interpreter Yara Rule Updates - We made changes to this Yara rule to identify newer versions of Microsoft PowerShell.

This update is especially important for customers using this rule in environments with PowerShell 6 or above. Starting with PowerShell 6, Microsoft changed the name of the executable from powershell.exe to pwsh.exe.

Updated OOTB List of Never Trust Executables - We made changes to update our "Never Trust" rules for Windows endpoints, including two new executables: 7zg.exe and \windows\system32\dfsrs.exe.

7zg.exe is one of the recognized executables for 7-Zip. When allowed to run, it could in certain cases be used to execute unwanted or malicious software during the zip/unzip process.

\windows\system32\dfsrs.exe is the executable used for Microsoft's DFS Replication Service. The DFS Replication service keeps files and folders synchronized between multiple DFS servers.

While considered to be a useful service by Microsoft, this service could potentially be used to spread unwanted or malicious software from one server to another without any warning to a system administrator.

Note:

Never Trust Rules are hidden by default in the App Control console. For assistance in viewing these rules please consult an App Control support specialist.

Resolved Issues

  • EP-17474: Added 7zg.exe and dfsrs.exe to the OOTB Never Trust Custom Rule (EA-22433)

  • EP-18915: Fixed an issue that prevented the "Powershell Script Interpreter" Yara rule from marking certain versions of PowerShell as PowerShell script interpreters (EA-23295)

  • EP-19262: Fixed an issue with the Visual Studio Rapid Config using Visual Studio 2022

  • EP-19888: Fixed an issue that causes a new instance of the Chrome extension script rule to be created every time a new rule installer version is applied

Known Issues

  • EP-18058: The Process Hollowing Protection Rapid Config utilizes two rules to prevent process hollowing from occurring. When blocking is enabled, one rule terminates the hollowing process and the other terminates the hollowed process. This is expected to result in two notifiers displaying for each rule trigger; however, when the rules are triggered, only one notifier appears.

    This issue can be worked around by searching the Events page in the server console and looking for the event logs produced by the rule triggers.
