VMware Carbon Black App Control 8.9.0 | 24 APR 2023 | Build 8.9.0.1454.624

Check for additions and updates to these release notes.

Important:

Due to an issue discovered after the release of 8.9.0, we DO NOT recommend upgrading to or installing the Windows 8.9.0 agent on any file share or network share servers in your environment without first reviewing this UEX Knowledge Base article. Failure to properly configure your file or network share(s) may result in delays modifying files or otherwise leave your server unusable.

Caution:

Starting with the 8.9.4 App Control server, valid signing certificates are required for all files contained in Windows App Control agent installation packages. In February 2023, the signing certificate used to validate SHA-1 MSIs in the 8.9.4 server expired, which prevents any future Windows App Control agent installation packages from being properly validated and installed with this server version.

We recommend that all customers on the 8.9.4 server, whether or not they use Windows XP/2003, upgrade to the 8.9.6 server to ensure there are no issues with future release installations. The 8.9.6 server contains an updated SHA-1 signing certificate that is required to validate future installation packages of the Windows App Control agent.

Customers who do not wish to upgrade to the 8.9.6 server must manually apply the new SHA-1 signing certificate to prevent these issues from occurring. You can download this new signing certificate here.

What's New

This minor release resolves several quality issues with the product as well as adding new features and enhancements.

VMware encourages customers to always update to the latest versions of VMware software to benefit from security and stability improvements.

Process Hollowing Detection

In conjunction with the Rules Installer 1.20 release, the Windows App Control agent can now detect if a process is being hollowed out and hijacked to execute malicious code. This expands upon App Control's excellent file-based attack prevention by adding protection for this widely recognized fileless attack.

Once the Rules Installer 1.20 release is applied to your server, you will find "Process Hollowing Protection" listed under rapid configs. You can customize the rapid config to choose how the agent handles process hollowing detection, either blocking the process or reporting the process. You can choose the notifier that is displayed for the detection and even specify applications that are allowed to hollow processes for false-positive prevention.

Large File Processing Exclusions

The 8.9.0 Windows Agent now allows customers to specify a limit for maximum size of the files that are scanned on endpoints. This will improve performance for customers who have endpoints that constantly produce large files and scripts that the agent must analyze. This feature can be enabled by using the new agent config property "max_analysis_size_mb."

Note:

This config property only applies a scan size limit to any analysis request that is not an execution. Files and scripts that are executed will be analyzed as usual despite whatever file size limit is set.

Other Notable New Features and Enhancements

  • Made changes to rule processing to only expand rules for newly discovered users while evaluating user logon events. This prevents rules from being unnecessarily expanded for user-specific rules.

  • Added support for diagnostic uploads greater than 4 GB. Previously, anytime a log file greater than 4 GB was uploaded to a log directory, the diagnostic upload would fail.

  • Made changes to memory buffering to improve overall agent performance.

Installation Instructions

Important:

The installer for the Windows Agent 8.9.0 can only be used to upgrade agents of version 8.1.0 or newer. If an agent on an older version must be upgraded, we recommend upgrading to version 8.7.8 first and then upgrading from 8.7.8 to 8.9.0.

As of the 8.1.4 server release, the Windows Agent no longer comes bundled with the VMware Carbon Black App Control Server, nor does it require manual (command line) steps to add it to the server.

You can upgrade Carbon Black App Control Windows Agents without having to upgrade the Carbon Black App Control Server. Please see the VMware Carbon Black App Control Agent Installation Guide for more information.

NOTE: This Windows Agent is compatible with App Control Server version 8.1.4 and subsequent releases.

For information regarding which Windows operating systems are supported in this release, please review the respective Windows Agent OER:

Resolved Issues

The following issues were resolved in this release.

  • EP-16489: Fixed an issue where rules were being expanded incorrectly for certain customers (EA-22152, EA-18709, EA-18861)

    Rules processing was optimized to expand rules only for newly discovered users while evaluating user log-on events.

  • EP-17038: Fixed an issue where the YARA filesize keyword was not processed correctly for files greater than 1 MB

  • EP-12175: Fixed an issue where Windows Education Edition operating systems do not display properly in the console (EA-17945)

  • EP-14738: Improved memory buffering to enhance overall agent performance (EA-19036)

  • EP-16749: Fixed an issue on Windows Server 2008 where rules were not being enforced until the Parity service started

  • EP-16811: Fixed an issue where Windows 10 Enterprise Multi-Session displayed as "Windows Server 2019" in the console

  • EP-16588: Fixed an issue where performing a database cache rebuild or restore did not delete previous driver data (EA-21637)

    In the case of a corrupted DB, the agent now clears prior driver data in all cases.

  • EP-17192: Fixed an issue where agent diagnostic uploads did not contain memory dump files

  • EP-17423: Fixed an issue where setting send_sys_info=0 and sys_info_interval_ms=0 caused the agent to skip CPU usage on endpoints (EA-22342)

Known Issues

  • EP-18451: Deploying the 8.9.0 agent on a network or file share server may result in delays modifying files due to the kernel timing out rule expansion.

    This issue happens due to a change in the way the agent handles rule expansion for different users.

    This issue can be avoided by enabling a config prop that disables the new logic put in place to improve rule expansion. For more details about this workaround and how to use it, please visit this Knowledge Base article.

  • EP-14223: When using 8.6.x servers, policy and enforcement levels may not display correctly for 8.6.x Windows agents installed on Windows 11.

    The 8.7.0+ App Control Server and 8.7.2+ Windows Agent resolves this issue.

  • EP-18203: In 8.9.0 and greater versions of the Windows Agent, the following health check on Windows XP and 2K3 may be displayed: "Severity[Low]: c:\program files\bit9\parity agent\parity.exe is signed but could not check revocation: Error[800B010E]"

    Due to potential SHA-1 collisions, certificate issuers no longer issue SHA-1 certificates. As a result, we have issued our own SHA-1 certificate, and we do not have a way to issue CRLs (certificate revocation lists) for it. The issue does not occur on operating systems that fully support SHA-256.

  • EP-18204: The signature information of App Control binaries on Windows XP and Windows 2003 may display the following error: "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file".

    This is due to Windows XP and Windows 2003 not fully supporting SHA-256 signatures. The timestamping server that we use only signs with SHA-256 or later, so the OS cannot verify that the file was signed within the validity period of the Carbon Black signing certificate.

  • EP-1201: On Windows 2003 x64, you may see a health check reporting improper classifications immediately after installation

    This should go away after roughly fifteen minutes.

  • EP-5483: The agent currently tracks all the extracted content from the Windows 10 WIM image in the temp directory

    A rule to ignore these writes is not yet functioning properly.

  • EP-1682: Carbon Black App Control does not support in-container enforcement

    Users can use the Microsoft Edge Virtualization feature, but Carbon Black App Control will not enforce rules within the container. It will, however, enforce rules on anything that breaks out of the sandbox.

  • EP-2393: The appearance in the console of block and report events related to the Ransomware rapid config may be delayed by a minute or more

  • EP-5498: In some cases, the agent will report an empty installer for a given file

    The file will still be correctly approved or not, as expected on the endpoint. Only reporting of the source installer is failing, not enforcement of relevant rules.

  • EP-6104: Cleanmgr.exe is a Windows utility process that runs occasionally and copies files to the "temp" folder in order to run analysis on them

    These files are only copies of other files already on the machine and cleanmgr.exe never executes them.

  • EP-6106: An installation of a new Carbon Black App Control Agent on the latest version of Windows 10 can result in a health check error due to a miscalculation of how many events the agent should send to the Carbon Black App Control server

    This problem disappears after a reboot.

  • EP-6107: After upgrading agents on Windows XP systems, it is possible to see signature error events stating that the installer download failed

    The upgrade should be successful and there should not be any impact on the upgrade process.

  • EP-6197: Occasionally the agent will complain about metadata not being properly populated and trigger an Error

    The Error implies a mismatch in expectation but is not expected to break functionality of the agent and can be ignored.

  • EP-6982: Carbon Black App Control does not support NTFS reparse points as exclusion paths, and they should not be used with kernelFileOpExclusions configuration rules

    Reparse points include objects such as symbolic links, directory junction points and volume mount points.

  • EP-10542: When uninstalling the agent, a Carbon Black App Control Agent dialog displays informing the user that certain applications must be closed before continuing the installation

    This informational message is caused by a known msiexec defect.

    Important: This could occur during a removal of the agent using "add/remove programs", or during an upgrade of the agent if you are using third-party software or performing a manual upgrade using msiexec.

    Customers that perform agent upgrades from within the Carbon Black App Control Admin console are not affected.

    When uninstalling the agent, performing a manual upgrade, or upgrading using third-party software, you can suppress this dialog with the additional msiexec command line argument "/qb-". This disables modal dialogs during manual uninstalls and upgrades.

    The example below shows how to manually uninstall the Carbon Black App Control agent with the /qb- argument:

    msiexec /x {EnterGUIDHere} /qb-

    This issue is not new to the Windows agent and may have affected customers on earlier releases. A long-term fix will be implemented in a future release.
