VMware Carbon Black App Control 8.10.2 | 31 January 2024 | Build 8.10.2.161

Check for additions and updates to these release notes.

What's New

Important:

Due to a critical installation bug that causes SAML integrations to fail after upgrade, 8.10.2 has been discontinued and the download is no longer available. Please see the new product release note: 8.10.4.

The 8.10.2 Server Release Notes provide information for users upgrading from previous versions and for users new to VMware Carbon Black App Control.

Important:

Customers upgrading to 8.10.2 Server may experience longer than usual upgrade times due to important changes we've made to improve the performance and reliability regarding the storage of Yara rule tags. Customer installations with a high volume of yara tags associated with files are most likely to experience these longer wait times. We apologize for any inconvenience this may cause.

Changes to this version include:

Removed Support for Windows SQL Server 2012

The 8.10.2 server no longer contains support for Microsoft Windows SQL Server 2012. Microsoft no longer supports This SQL Server version as of July 12th, 2022, which means it will no longer receive security updates, non-security updates, bug fixes, or technical support. Attempting to install the App Control Server on an operating system equipped with SQL Server 2012 will now result in an error message, and the installation fails.

Please consult the Server OER for information regarding supported Microsoft Windows SQL Server versions.

Automatic Detection of Expired Server Communication Certificates

In the 8.9.4 server, we added the ability to delay the exchange from one agent/server communication certificate to another to allow agents adequate time to receive a new certificate without resulting in disconnected agents. However, this default change resulted in some instances where an expired server communication certificate would remain in use due to the "CertificateDelaySwapMinutes" config property being set to a 60-minute interval, preventing a new, valid certificate from being applied. This issue also resulted in agents entering a disconnected state.

To resolve this issue, the 8.10.2 server automatically detects an expired communication certificate and will automatically apply a new one once it is added or created in the console. Note that when this new process occurs, the console page may still indicate that a delay occurred before using the new certificate. Refreshing the page will show that the new certificate is in effect.

Additional Communication Certificate Management Improvements

In addition, we've also introduced two new fields when editing a certificate in the console under the System Config -> Security Tab. The first field is "Agent Certificate Update," and the second is "Update Schedule." Under the "Agent Certificate Update," there are two drop-down options.

One option allows users to prevent a newly added or updated communication certificate from being activated until a current active communication certificate expires. The other option will enable users to delay the activation of a communication certificate that has been newly generated or is currently uploading to replace the old one. This option is similar to the "CertificateDelaySwapMinutes" config property but is now more easily accessible in the console.

The "Update Schedule" field allows users to specify a time until the option they choose in the "Agent Certificate Update" drop-down executes. For example, suppose they choose the abovementioned option and enter "30" into the "Update Schedule" field. In that case, a new communication certificate will not activate until 30 minutes before the expiration of the current active certificate. If a user chooses the second option, the activation of a new communication certificate will be delayed 30 minutes after generation/uploading.

These options make swapping communication certificates easier for customers with large endpoint counts. If you are experiencing issues with certificate swaps, we recommend customers work with support representatives to find out what options work best for their specific needs.

Alternative Communication Certificates Download Location

The 8.10.2 Server allows users to enter an alternate download location URL for communication certificates under the System Config -> Advanced Options Tab. Under the "Carbon Black App Control Agent" section, a second URL field (under "Resource Download Location") has been added called "Certificate Download Location." This allows users to reduce IIS resource contention by allowing direct file downloads of communication certificates from the console.

IIS Performance Improvements

The 8.10.2 server now leverages a separate app pool for new agent installations and upgrades. Files downloaded by agents from the server are now placed in this new separate pool. This change allows more control over limiting downloads, especially for customers experiencing issues with IIS when agents overload the server with requests. In addition, the performance of trusted certificates downloads by agents has been improved.

Other notable changes include:

  • We have added warnings to prevent the creation of certain expert rule combinations known to cause performance issues.

  • We added an alert for expiring server SSL certificates. Note it will not be added on upgrade if a similar alert already exists.

  • We made changes to restore connectivity to the NIST NVD API and decrease the chances of future service disruptions to CVE/CPE functionality.

  • We separated the "DailyPrune" task into three different tasks - DailyAntibodyPruningTask, DailyNamePruningTask and DailyPruneTask, to improve overall performance of the Pruning tasks. Note, that the scheduled run time of the DailyPruneTask has been moved to 11:30 PM. DailyAntibodyPruningTask and DailyNamePruningTask run by default at midnight (12:00AM).

  • We fixed an installer issue that allowed the selection of "Local System Account" when installing against a remote database. Local system Accounts do not apply to customers doing two-tier server installations.

Library Changes

The following libraries were updated:

  • jQuery to version 3.6.4

  • SQLite to version 3.44.2

  • 7-zip version to 23.01

  • SimpleSAMLPHP to version 2.1.0

  • PCRE2 to version 10.42

  • nghttp2 to version 1.57.0

  • zlib to version 1.3

  • PHP to version 8.1.24

  • Microsoft Drivers for PHP for SQL Server to version 5.11.1

  • cURL to version 8.5.0

  • OpenSSL to version 3.2.0

  • Entity Framework to version 6.4.4

  • TinyXML2 to version 9.0.0

Supported Upgrade Paths

Important:

For customers using SQL 2019, installation of the latest Cumulative Update is required before installing version Carbon Black App Control Server 8.10.2. Please see the Server OER for more details.

The table below shows the supported upgrade paths for Carbon Black App Control 8.10.2 servers:

Upgrading from:

Upgrading to:

8.10.x

8.10.2

8.9.x

8.10.2

8.8.x

8.10.2

8.7.x

8.10.2

8.6.x

8.10.2

8.5.x

8.10.2

8.1.10

8.10.2

8.1.8

8.10.2

8.1.6

8.10.2

8.1.4

8.10.2

8.1.0 Patch 2

8.10.2

8.1.0

8.10.2

Resolved Issues

The following defects were fixed in the Carbon Black App Control 8.10.2 Server.

  • EP-5617: Fixed a bug where the file system would try to use a proxy URL when the proxy was not enabled

  • EP-5962: Fixed an issue where approval request actions "Open," "Close," and "Escalate" would not display on the "Approval Request Details" page sidebar if the logged-in user did not have the "Manage Files" permission

  • EP-8299: Fixed an issue that causes the ASP.NET crash (EA-13435, EA-14202)

  • EP-15865: Fixed an issue with the connected status on the computers page (EA-21392)

  • EP-16680: Fixed a bug in the installer involving relocating a remote database before upgrading it (EA-23338)

  • EP-17591: Fixed an issue filtering the Yara Tags field on the “Files on Computers” page

  • EP-18141: Fixed an issue where computer enforcement levels were blank on the computers page when in local approval (EA-22437)

  • EP-18158: Fixed an issue where HTML escaped characters would appear in the "Move Computers to Policy" sections of the computer's action menu

  • EP-18159: Fixed the empty policy column on the "Applications on Computers" page (EA-22802)

  • EP-18170: Files downloaded from the server are now placed in a separate app pool for new agent installations (EA-22729, EA-22801)

    This allows more control over limiting downloads, especially for customers experiencing issues with IIS when agents overload the server with requests.

  • EP-18192: Fixed an issue where saved views could be missing after upgrade (EA-22726)

  • EP-18262: Fixed an issue that caused the rule installer to fail after a rapid config is saved without notifier permissions (EA-22721)

    To resolve this, editing rapid configs now requires notifier permissions.

  • EP-18302: Users are now prevented from creating certain expert rules that can cause performance issues (EA-23557)

  • EP-18900: Improved API query performance for some requests

  • EP-`18956: Fixed an issue where separate user entries are created when a user tries to log-in with UPN and Pre-windows 2000 names for the same user

  • EP-19021: When the server communication certificate has expired, adding or creating a new one will take effect immediately (EA-23399)

    When this occurs, the console page may still indicate that a delay is taking place before using the new certificate - refreshing the page will show that the new certificate is in fact in effect.

  • EP-19071: Fixed an issue where event rules with Wildfire analysis actions weren't saving correctly (EA-23226)

  • EP-19103: Fixed an issue where the host package installer and rule logs were not being downloaded properly on the "Requested Files > Diagnostic Files" page, which resulted in the log files being empty

  • EP-19140: Fixed a bug where the total number of licensed hosts was not showing correctly on the Licensing tab of the" System Configuration" page

  • EP-19218: Fixed an issue that caused the Carbon Black EDR integration tab to not display all the expected information on the "Computer Details" page from a connected EDR sensor

  • EP-19340: Fixed an issue that could sometimes cause specific scheduled tasks to run more than once at their defined time

  • EP-19341: Fixed an issue where the configuration "Syslog Export Process Command Lines" was being reported as changed without users changing it

  • EP-19370: Enhanced antibody pruning to include the file_actions and file_rules_history tables (EA-23504)

  • EP-19453: Altered UnusedAntibodyIdFinder task to not process records for small installations (EA-22794, EA-23645))

  • EP-19460: Changed how we store yara tags associated with file instances to improve query performance and to significantly reduce disk storage usage (EA-23060)

    Upgrades may take considerable time due to this change. Especially, for customers with larger deployments.

  • EP-19489: Fixed an installer issue that allowed the selection of "Local System Account" when installing against a remote database (two-tier installation)

  • EP-19508: Fixed an issue displaying files on the "Files on Computers" page when the "Show Individual Files" checkbox is unchecked

  • EP-19538: Fixed an issue where CPEs and CVEs for certain applications continued appearing even after applications were removed from computers (EA-23753, EA-23747)

    It may take up to a day for them to no longer appear. In addition, we fixed an issue where all computers appeared in a CPE computer search when no computers should have appeared.

  • EP-19539: Fixed a memory leak caused by a third party library (EA-23741, EA-22739)

  • EP-19616: Fixed an issue that caused the user is "in OU or domain" AD Mapping to not work as expected

  • EP-19637: Fixed an issue where the Carbon Black File Reputation Unavailable Alert was incorrectly named and impossible to enable/disable

  • EP-20097: Added an option when updating the trusted certificate to not swap to it until close to the active one's expiration, potentially allowing more time for all agents to receive the new certificate information (EA-24019)

  • EP-20136: Fixed an issue sending config lists to agents after locally approving files with negative IDs. Upgrading to this version will also immediately fix any existing local approvals in this bad state. (The usage of these negative IDs was introduced in 8.10.0, and only for customers with incredibly large file catalogs.) (EA-24072)

  • EP-20140: Fixed an issue with agent re-registration with the server that can occur due to changes in communication key or trusted certificates.

  • EP-20142: Server should now generate events ahead of time indicating that the server certificate will expire. 8.10 Server contained a bug that prevented SSL certifcate expiration events from appearing (EA-23996)

  • EP-20278: Fixed an issue with updating SAML identity providers

Known Issues

The following known issues and limitations are present in the Carbon Black App Control 8.10.2 Server.

  • EP-1222: If the CryptoAPI cannot initialize, the license will not be imported

    This is typically due to the environment needing to be set up according to the installation instructions.

  • EP-2752: If you modify the permissions of, or disable, the "admin" user that ships with the product, the API module may no longer function correctly, causing problems when using the REST API and the console

    Make sure that the "admin" user retains its "View users" and "Manage users" permissions and that it is not disabled.

  • EP-2879: Baseline Drift Reports only report on Windows computers

    Baseline Drift Reports do not report on Mac or Linux computers.

  • EP-3157: Exports to CSV of tabular data from console pages do not render date and time fields consistently with respect to time zone

    Some columns are reported as UTC; others use the local time zone.

  • EP-3349: Right after a new version of App Control is installed, the version health indicator will incorrectly report that the previous version is the newest

    Refreshing the health indicator will cause it to disappear and will remove the incorrect report.

  • EP-3352: An event with the subtype "File deletion failed" is erroneously generated when a file that no longer exists is selected for deletion

    When a file no longer exists is selected for deletion, the App Control Server should generate an error with the subtype "File deletion processed (file not found)." Instead, an event with the subtype "File deletion failed" is erroneously generated.

  • EP-4085: When uninstalling the App Control server a message may appear saying that the system is protected by the App Control agent even though the agent has already been uninstalled

  • EP-4094: Users without the "View Policies" permission will not be able to make use of Role-Based Access Controls based on policies

  • EP-4578: If a user turns on the config property ShowHiddenCustomRules and creates a Custom Rule with a hidden action (that is, an action ending with "(Hidden)") that rule will display as an expert rule after being saved

    Rules of this type requiring an Operation value of "Execute and Write" should be created as two separate rules to avoid losing data.

  • EP-5504: Systems created using Sysprep may not boot if Tamper Protection was enabled when Sysprep was performed

  • EP-5703: Canceling a diagnostic request while it is underway does not always work from the App Control console, one can request a diagnostic upload from an endpoint

    From the App Control console one can request a diagnostic upload from an endpoint. Canceling such a request while it is underway only sometimes works. Sometimes, cancellation can cause the endpoint to retry the upload.

  • EP-6510: Some customers have reported seeing false positives with the Doppelganger rule being triggered by TIWorker.exe and TrustedInstaller.exe

  • EP-6515: In a specific scenario newly installed agents can register with the server from a deleted policy

  • EP-6719: File analysis through connectors will not work with files containing certain foreign characters in the name

  • EP-6721: If a SAML identity provider requires a signed logout request, the logout request will fail

  • EP-6796: In some cases, it's not possible to export a large amount (300+) of custom rules

  • EP-7891: When adding a user to the "Linux User/Group to Manage Agents" section of the Agent Management configuration the message “(Not validated)” is erroneously returned

    The new user should still be added.

  • EP-13195: Rapidly changing a computer's policy more than once can sometimes cause the last policy change not to apply

  • EP-14702: Due to an InstallShield issue, if a reboot is required during installation, the installer may not automatically continue after the reboot

    If this occurs, you must manually restart the installation.

  • EP-16158: Incorrect list of files when creating a snapshot

    Sometimes when filtering files and creating a snapshot from the result set, files not part of the result set are included.

  • EP-17537: When running on Windows Server 2012 R2 the AppC Server cannot access the NIST API due to incompatible cipher suites. Because of this, CPE syncing is not possible on this operating system

check-circle-line exclamation-circle-line close-line
Scroll to top icon