VMware Carbon Black App Control Windows Agent 8.7.0.342 Release Notes

VMware Carbon Black App Control Windows Agent 8.7.0.342 | 02 NOV 2021

Check for additions and updates to these release notes.

What's New

This document provides change information and installation instructions for VMware Carbon Black App Control v8.7.0 Windows Agents.

3 March 2022 Announcement:

The Windows agent App Control engineering team has uncovered an issue for customers on Windows Server 2008 Service Pack 2 where upgrading to or installing any Windows Agent Versions after 8.6.0 will not work as intended.

We are advising customers planning to install or upgrade their Windows Agent on Windows Server 2008 SP2 not to use 8.6.2, 8.7.0, or 8.7.2. Customers on Server 2008 R2 are not affected by this issue. We are working on a resolution to this issue and will update this post when we have more information.

The keychain is now populated from Keychain.json file present under "ProgramData\Bit9\Parity Agent" directory
Added a new dascli command to show trusted server certificate list. It also has an option to see last mismatch certificate
```
dascli showservercertlist
```
Support of Horizon Instant Clone agent v7.13 is added to detect instant clone customization
Added kernel config property SkipClassificationReinit

This avoids BSODs seen in some Windows 7 machines. Add an agent config property on the server and the agent will store this value in the registry for next boot.
Windows 11 and Windows Server 2022 are now supported

For additional information please review our Operating System Support Page on the UeX.

Security Improvements

Secure server communication by populating certificate list from TrustedCertList.pem file present under "ProgramData\Bit9\Parity Agent" directory
New health check event will be generated to report issues around server communication using trusted certificate list
App Control client and server v8.7 have made some significant improvements in protecting from man-in-the middle attack

App Control windows client protects from man-in-the-middle attack by verifying encryption key against the list of trusted keys. If discrepancies detected, client encrypts messages using pre-defined communication key.
For registry rules, new type of registry operation was added : Registry Key restore operation

Installation Instructions

As of the 8.1.4 server release, the Windows Agent no longer comes bundled with the VMware Carbon Black App Control Server, nor does it require manual (command line) steps to add it to the server.

You can upgrade Carbon Black App Control Windows Agents without having to upgrade the Carbon Black App Control Server. Please see the latest Carbon Black App Control User Guide for more information.

NOTE: This Windows Agent is compatible with App Control Server version 8.1.4 and subsequent releases

For information regarding which Windows operating systems are supported in this release, please review the Carbon Black EDR sensors & Carbon Black App Control agents document on the Carbon Black User Exchange.

Resolved Issues

The following issues were resolved in this release:

EP-8505: Uninstalling Appc got stuck if Windows XP, If EDR and APPC was installed

This was XP specific issue.
EP-9273: New files unknown to agent were being approved during initialization
EP-11019: The notifier did not render correctly on screens with a high value for scaling
EP-11127: Microsoft OneDrive application binaries are marked dirty every time they are executed
EP-11570: In some cases, App Control was prevented from controlling applications launched from Syncplicity cloud drive
EP-11928: Yara analysis failed on large files
EP-11948: AgentUninstallUtility updated to display the correct version of the agent being uninstalled

Product version string:

Version 8.5 and above - Carbon Black App Control Agent <version>

Version 8.0 - <8.5 - Cb Protection Agent <version>

Version below 8.0 - Bit9 Agent <version>

Updated the Product version, Product Name and Copyright details of the executable.

Product version: 1.0.0.31

Product Name: Carbon Black App Control Agent Uninstall Utility

Copyright: Copyright 2004-2021 VMWare Inc. All rights reserved.

Carbon Black App Control Agent
EP-11971: read block events were generated with incorrect description and file details
EP-12068: Trusted directory approvals were not generated for files inside a mounted volume
EP-12906: In some instances, performance deteriorated when handling certain types of registry operations, which are often used by installers of software

This also resolved: EA-17532.
EP-13107: Some kernel logging statements caused a BSOD
EP-13214: In some cases, the agent was blocked from running on Server 2003.
EP-13765: Rules with SIDS did not expand correctly
EP-11999: Low memory conditions resulted in memory allocation exceptions which lead to agent crashes. Agent now takes appropriate corrective actions to handle these exceptions

Known Issues

EP-1201: On Windows 2003 x64, you may see a health check reporting improper classifications immediately after installation

This should go away after roughly fifteen minutes.
EP-1682: Carbon Black App Control does not support in-container enforcement

Users can use the Microsoft Edge Virtualization feature, but Carbon Black App Control will not enforce rules within the container. It will, however, enforce rules on anything that breaks out of the sandbox.
EP-2393: The appearance in the console of block and report events related to the Ransomware rapid config may be delayed by a minute or more
EP-5483: The agent currently tracks all the extracted content from the Windows 10 WIM image in the temp directory

A rule to ignore these writes is not yet functioning properly.
EP-5498: In some cases, the agent will report an empty installer for a given file

The file will still be correctly approved or not, as expected on the endpoint. Only reporting of the source installer is failing, not enforcement of relevant rules.
EP-6104: Cleanmgr.exe is a windows utility process that runs occasionally and will copy files to the "temp" folder in order to run analysis on them

These files are only copies of other files already on the machine and cleanmgr.exe never executes them.
EP-6106: An installation of a new Carbon Black App Control Agent on the latest version of Windows 10 can result in a health check error due to a miscalculation of how many events the agent should send to the Carbon Black App Control server

This problem disappears after a reboot.
EP-6107: After upgrading agents on Windows XP systems, it is possible to see signature error events stating that the installer download failed

The upgrade should be successful and there should not be any impact on the upgrade process.
EP-6197: Occasionally the agent will complain about metadata not being properly populated and trigger an Error

The Error implies a mismatch in expectation but is not expected to break functionality of the agent and can be ignored.
EP-6982: Carbon Black App Control does not support NTFS reparse points as exclusion paths and they should not be used with kernelFileOpExclusions configuration rules

Reparse points include such objects like symbolic links, directory junction points and volume mount points.

EP-10542: When uninstalling the agent, a Carbon Black App Control Agent dialog displays informing the user that certain applications must be closed before continuing the installation

This informational message is caused by a known msiexec defect:

https://support.microsoft.com/en-ph/help/2745579/same-file-or-service-name-causes-incorrect-fileinuse-dialog

Important: This could occur during a removal of the agent using "add/remove programs" or during an upgrade of the agent if you are using 3rd party software or a manual upgrade using msiexec. Customers that perform agent upgrades from within the Carbon Black App Control Admin console are not affected. When uninstalling the agent or performing a manual upgrade, or upgrade using 3rd party software, you can suppress this dialog with the additional msiexec command line argument "/qb-". This will disable modal dialog during manual uninstalls and upgrades.

Important: This could occur during a removal of the agent using "add/remove programs" or during an upgrade of the agent if you are using 3rd party software or a manual upgrade using msiexec.

Customers that perform agent upgrades from within the Carbon Black App Control Admin console are not affected.

When uninstalling the agent or performing a manual upgrade, or upgrade using 3rd party software, you can suppress this dialog with the additional msiexec command line argument "/qb-". This will disable modal dialog during manual uninstalls and upgrades.

The example below shows how to manually uninstall the Carbon Black App Control agent with the /qb- argument:

msiexec /x {9F2D4E59-0528-4B22-B664-A6B0B8B482EE} /qb-

This issue is not new to the Windows agent and possibly affected customers on earlier releases. A long term fix will be implemented in a future release.