VMware Carbon Black App Control 8.8.0 | 20 OCT 2022 | Build 8.8.0.1045

Check for additions and updates to these release notes.

What's New

This minor release resolves several quality issues and adds a few new features, including Content-based Inspection, IPv6-only Support, and support for some recent Windows operating system changes (details below).

Important: Upgrades from versions earlier than 8.1.0 to this version are not supported. We recommend that users wishing to upgrade from those earlier versions first upgrade to agent version 8.7.8 and then upgrade from 8.7.8 to 8.8.0.

VMware encourages customers to always update to the latest versions of VMware software to benefit from security and stability improvements.

Content-based Inspection

In conjunction with the 8.9 App Control Server release, the Windows agent now supports Content-based Inspection. Content-based Inspection enables administrators to leverage the power of the open source Yara engine to create their own Yara rules to provide more granular control over their security policy. On the 8.9 Server, you will see a new tab within Software Rules called Yara. On this tab are existing internal App Control Yara rules and an “Add Yara Rule” button to create your own rules to use in conjunction with Custom rules. Please see the Yara Rules section in the User Guide for more details.

IPv6-only Support

With the release of the 8.8 Windows agent and the 8.9 Server, customers who want to deploy App Control in an IPv6-only network can now do so.

Offloaded Data Transfer (ODX) Support

Windows Server 2012 added ODX to enable file transfers between storage devices without traversing the host operating system. This improves transfer speeds and reduces resource consumption on the host OS. The App Control Windows agent now supports this transfer method.

UPX Installers Now Detected

With the release of the 1.18 Rules package, the agent can now detect UPX file installers and correctly “promote” them so that, once they are approved, their child files are also approved on write.

Library Updates

With this release, the following libraries were updated:

  • Zlib was updated from version 1.2.11 to 1.2.12

  • Yara was updated from 4.0.1 to 4.0.2

  • Sqlite was updated to 3.38.2

Installation Instructions

Important Note. As indicated above, the installer for the Windows Agent 8.8.0 can only be used to upgrade Agents of version 8.1.0 or newer. If an Agent on an older version must be upgraded, the recommendation is to upgrade to version 8.7.8 and then upgrade from 8.7.8 to 8.8.0.

As of the 8.1.4 server release, the Windows Agent no longer comes bundled with the VMware Carbon Black App Control Server, nor does it require manual (command line) steps to add it to the server.

You can upgrade Carbon Black App Control Windows Agents without having to upgrade the Carbon Black App Control Server. Please see the VMware Carbon Black App Control Agent Installation Guide for more information.

NOTE: This Windows Agent is compatible with App Control Server version 8.1.4 and subsequent releases.

For information regarding which Windows operating systems are supported in this release, please review the respective Windows Agent OER:

Resolved Issues

The following issues were resolved in this release.

  • EP-13054: Deletion of trusted users corrected

    When a Trusted User was created for a local user with "domain\user", the deletion of this Trusted User was not handled correctly.

  • EP-13725: Fixed a problem with manually installing agents from Server version 8.6.2 and earlier

    When the App Control Server 8.6.2 or earlier was used, manual installation of the agent would fail to download Yara rules. This has now been fixed.

  • EP-14894: Addressed an issue with querying hard-linked files on Windows XP

  • EP-15152: Notification prompts no longer occasionally come up blank

  • EP-15440: Yara scans now work for large files

  • EP-15951: Fixed a file handle leak that could exhaust memory

  • EP-16084: Fixed a memory leak during operation of Yara rules

  • EP-14270: The App Control driver installed on Windows 11 now correctly reports that it supports Windows 11

  • EP-15805: A driver verifier issue was resolved for Windows XP and Windows Server 2003

    When using Driver Verifier, a BSOD used to be generated when unloading the App Control agent's driver. This has been prevented with this release.

  • EP-13645: A service deadlock that could occur when applying rules to an endpoint has been remedied (EA-19266)

  • EP-14853: Removed an unneeded health alert

    A health alert could appear when the App Control Agent was installed along with the Carbon Black EDR sensor and the Carbon Black Cloud sensor.

  • EP-13913: Configuration property available to reduce the number of files being analyzed in order to improve performance (EA-16363)

    Added the agent configuration property SkipProcessImageEnumeration which is enabled by default. This prevents periodic re-evaluations of executable files for a currently running process.

Known Issues

  • EP-1201: On Windows 2003 x64, you may see a health check reporting improper classifications immediately after installation

    This should go away after roughly fifteen minutes.

  • EP-1682: Carbon Black App Control does not support in-container enforcement

    Users can use the Microsoft Edge Virtualization feature, but Carbon Black App Control will not enforce rules within the container. It will, however, enforce rules on anything that breaks out of the sandbox.

  • EP-2393: The appearance in the console of block and report events related to the Ransomware rapid config may be delayed by a minute or more

  • EP-5483: The agent currently tracks all the extracted content from the Windows 10 WIM image in the temp directory

    A rule to ignore these writes is not yet functioning properly.

  • EP-5498: In some cases, the agent will report an empty installer for a given file

    The file will still be correctly approved or not, as expected on the endpoint. Only reporting of the source installer is failing, not enforcement of relevant rules.

  • EP-6104: Cleanmgr.exe is a Windows utility process that runs occasionally and will copy files to the "temp" folder in order to run analysis on them

    These files are only copies of other files already on the machine and cleanmgr.exe never executes them.

  • EP-6106: An installation of a new Carbon Black App Control Agent on the latest version of Windows 10 can result in a health check error due to a miscalculation of how many events the agent should send to the Carbon Black App Control server

    This problem disappears after a reboot.

  • EP-6107: After upgrading agents on Windows XP systems, it is possible to see signature error events stating that the installer download failed

    The upgrade should be successful and there should not be any impact on the upgrade process.

  • EP-6197: Occasionally the agent will complain about metadata not being properly populated and trigger an Error

    The Error implies a mismatch in expectation but is not expected to break functionality of the agent and can be ignored.

  • EP-6982: Carbon Black App Control does not support NTFS reparse points as exclusion paths and they should not be used with kernelFileOpExclusions configuration rules

    Reparse points include objects such as symbolic links, directory junction points and volume mount points.

  • EP-10542: When uninstalling the agent, a Carbon Black App Control Agent dialog displays informing the user that certain applications must be closed before continuing the installation

    This informational message is caused by a known msiexec defect.

    Important: This could occur during a removal of the agent using "add/remove programs" or during an upgrade of the agent if you are using 3rd party software or a manual upgrade using msiexec.

    Customers that perform agent upgrades from within the Carbon Black App Control Admin console are not affected.

    When uninstalling the agent, performing a manual upgrade, or upgrading with 3rd party software, you can suppress this dialog with the additional msiexec command line argument "/qb-". This disables the modal dialog during manual uninstalls and upgrades.

    The example below shows how to manually uninstall the Carbon Black App Control agent with the /qb- argument:

    msiexec /x {9F2D4E59-0528-4B22-B664-A6B0B8B482EE} /qb-

    This issue is not new to the Windows agent and possibly affected customers on earlier releases. A long term fix will be implemented in a future release.
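
For EP-6982 above, the following check is an added example (not VMware code and not part of the original release notes). It walks every component of a candidate exclusion path and reports any that is an NTFS reparse point, so the path can be reviewed before it is used in a kernelFileOpExclusions rule. The function name Get-ReparsePointComponent and the sample paths are hypothetical, and the candidates are assumed to be absolute local paths without wildcards.

```powershell
# Added example, not VMware code. Reports every component of a candidate
# exclusion path that is an NTFS reparse point (symbolic link, directory
# junction or volume mount point), per known issue EP-6982.
function Get-ReparsePointComponent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path   # assumed to be an absolute path without wildcards
    )
    process {
        # Normalise, and drop a trailing backslash unless this is a volume root.
        $current = [System.IO.Path]::GetFullPath($Path)
        if ($current.Length -gt 3) { $current = $current.TrimEnd('\') }

        # Walk from the full path up to the volume root.
        while (-not [string]::IsNullOrEmpty($current)) {
            $item = Get-Item -LiteralPath $current -Force -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                Write-Warning "Cannot inspect '$current' (missing or access denied)."
            }
            elseif ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
                [pscustomobject]@{
                    Candidate = $Path
                    ReparseAt = $item.FullName
                    LinkType  = $item.LinkType   # may be empty for some reparse tags
                    Target    = $item.Target
                }
            }
            # GetDirectoryName returns $null once the volume root has been checked.
            $current = [System.IO.Path]::GetDirectoryName($current)
        }
    }
}

# Constructed sample input; replace with the paths you intend to exclude.
$candidatePaths = @(
    'C:\Documents and Settings',         # a junction on default Windows installs
    'C:\ProgramData\ExampleApp\Cache'    # hypothetical application path
)
$hits = @($candidatePaths | Get-ReparsePointComponent)
if ($hits.Count -eq 0) {
    'No reparse points found in the candidate paths.'
} else {
    $hits | Format-Table -AutoSize
}
```

Any row in the output identifies a path component that should not appear in an exclusion path; use the resolved target location instead if the exclusion is still required.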
