The 8.9.2 Windows Release Notes provide information for users upgrading from previous versions and for users new to VMware Carbon Black App Control. This is a maintenance release.
Client Registration Codes
In conjunction with 8.10 Server, the Windows 8.9.2 Agent now supports the use of client registration codes. These codes prevent other programs from impersonating Carbon Black App Control agents.
You can generate client registration codes, and enable and disable them.
If registration codes are enabled, you must provide the code when you install a new agent that supports this feature, or after installation by using the dascli command line interface. Existing agents that have already connected to the server remain connected and do not need a registration code.
For more information about using this feature, please refer to the Client Registration Codes section of the 8.10 User Guide.
Automatic DFS Mapping
Several changes have been made to improve the user experience for customers enforcing rules on a distributed file system (DFS). To do this, we've added the ability for the agent to automatically detect referral server paths for DFS folders. This prevents customers from having to manually specify physical server paths for the agent to recognize as DFS server paths. This manual process is time-consuming and does not scale well, especially for customers managing large numbers of DFS Servers.
To control this new feature we've introduced several new config props:
The new "query_ad_dfs_namespaces" config prop controls whether the agent will query the user's domain for any DFS namespaces. This must be turned on for agents to get DFS information from the domain controller.
To enable this feature, set: query_ad_dfs_namespaces=1. By default, this config prop is disabled. Note that only the user's own domain is queried; trusted or parent domains are not checked.
The new "dfs_refresh_interval_seconds" config prop specifies how often the App Control service will refresh DFS mapping.
The default setting is 14,400 seconds or 4 hours. For example, to edit the setting to refresh every 5 hours, set: dfs_refresh_interval_seconds=18000.
The new "dfs_namespaces" config prop is useful when there are stand-alone DFS servers that require scanning (servers that are not part of an Active Directory domain and therefore are not found by the domain query).
The value is one or more UNC paths separated by a vertical bar: <server1>\<folder1>[|<server2>\<folder2>]. A trailing * wildcard is permitted in the folder component. For example, set: dfs_namespaces=\\ID-WINSERV2012\dfs_server1\dfs_folder*|\\ID-WINSERV2012\dfs_server2\*
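The following PowerShell script is an added example, not VMware's code, showing how an administrator could enumerate the stand-alone namespace roots that query_ad_dfs_namespaces will not discover and turn them into a well-formed dfs_namespaces value. It assumes the DFSN PowerShell module (DFS Management Tools) is installed, that the account running it can query the listed servers, and that the server names in $StandaloneServers are placeholders for your own hosts.

```powershell
# Added example (not VMware's code): build the dfs_namespaces value for
# stand-alone DFS roots, which the domain query (query_ad_dfs_namespaces=1)
# does not return. Requires the DFSN module (DFS Management Tools).

function Get-StandaloneDfsRoots {
    param([Parameter(Mandatory)][string[]]$ServerName)
    foreach ($s in $ServerName) {
        # Get-DfsnRoot returns Path (\\server\root), Type (Standalone,
        # DomainV1, DomainV2) and State; keep only online stand-alone roots.
        Get-DfsnRoot -ComputerName $s -ErrorAction Stop |
            Where-Object { $_.Type -eq 'Standalone' -and $_.State -eq 'Online' } |
            Select-Object -ExpandProperty Path
    }
}

function New-DfsNamespacesValue {
    param([Parameter(Mandatory)][string[]]$RootPath)
    $entries = foreach ($p in $RootPath) {
        # Entries must be UNC paths (\\server\share...). Reject anything else
        # here rather than letting a typo reach the agent and silently not match.
        if ($p -notmatch '^\\\\[^\\]+\\[^\\]+') {
            throw "Not a UNC namespace path: $p"
        }
        # A trailing \* covers every folder under the root, as in the
        # release note's \\ID-WINSERV2012\dfs_server2\* entry.
        "$($p.TrimEnd('\'))\*"
    }
    # The config prop separates entries with a vertical bar.
    'dfs_namespaces=' + ($entries -join '|')
}

# Assumed input: hosts that serve stand-alone namespaces in your environment.
$StandaloneServers = @('fs01.corp.example', 'fs02.corp.example')
$roots = Get-StandaloneDfsRoots -ServerName $StandaloneServers
New-DfsNamespacesValue -RootPath $roots
```

The emitted line can be pasted directly as the config prop value. Re-run the script whenever a stand-alone namespace is added, since, unlike domain namespaces, these are not picked up on the dfs_refresh_interval_seconds refresh.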
Specify Minimum Key Size Values For RSA and ECC Certificates
The "minimum_alg_cert_key_size" config prop adds flexibility to the minimum key size the agent accepts on publisher certificates. Formerly, a single fixed minimum size applied to all certificates, which was a problem for customers who approve publishers that sign with ECC certificates, because ECC keys are much shorter than RSA keys of equivalent strength.
The value for this property is a comma-separated list of algorithm:key-size pairs, with key sizes in bits, e.g., RSA:512,ECC:256. That example sets the minimum key size for RSA certificates to 512 bits and for Elliptic Curve Cryptography certificates to 256 bits. Note that the example only illustrates the syntax: 512-bit RSA keys can be factored with modest resources, so a production value should require at least RSA:2048 and should only be lowered if you have audited which of your approved publishers would otherwise be rejected.
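Before tightening the minimum, it helps to know which of the publishers you have approved would fall below it. The following PowerShell script is an added example, not VMware's code: it parses a candidate minimum_alg_cert_key_size value, then walks a folder of signed binaries and reports each signer's algorithm and key size against that policy. The folder path and the policy string are assumed inputs; the script relies only on Get-AuthenticodeSignature and the .NET X509 extension methods available in Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example (not VMware's code): audit publisher certificate key sizes
# against a minimum_alg_cert_key_size policy. Key sizes are in bits.

function ConvertFrom-MinKeySizePolicy {
    param([Parameter(Mandatory)][string]$Value)   # e.g. 'RSA:2048,ECC:256'
    $policy = @{}
    foreach ($pair in $Value -split ',') {
        $alg, $bits = $pair.Trim() -split ':'
        if (-not $alg -or $bits -notmatch '^\d+$') { throw "Bad policy entry: '$pair'" }
        $policy[$alg.ToUpperInvariant()] = [int]$bits
    }
    $policy
}

function Get-SignerKeyInfo {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # On Windows, PublicKey.Oid.FriendlyName is 'RSA' or 'ECC'. PublicKey.Key
    # is not populated for ECC on older .NET, so use the extension methods.
    switch ($Cert.PublicKey.Oid.FriendlyName) {
        'RSA' {
            $k = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
            [pscustomobject]@{ Algorithm = 'RSA'; KeySize = $k.KeySize }
        }
        'ECC' {
            $k = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Cert)
            [pscustomobject]@{ Algorithm = 'ECC'; KeySize = $k.KeySize }
        }
        default {
            [pscustomobject]@{ Algorithm = $Cert.PublicKey.Oid.FriendlyName; KeySize = $null }
        }
    }
}

function Test-PublisherKeySizes {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$PolicyValue
    )
    $policy = ConvertFrom-MinKeySizePolicy -Value $PolicyValue
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll, *.sys -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Unsigned or invalidly signed files are not publisher-approved anyway.
            if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return }
            $info = Get-SignerKeyInfo -Cert $sig.SignerCertificate
            $min = $policy[$info.Algorithm]
            [pscustomobject]@{
                File        = $_.FullName
                Subject     = $sig.SignerCertificate.Subject
                Algorithm   = $info.Algorithm
                KeySize     = $info.KeySize
                # A $null minimum means the policy does not mention this algorithm.
                BelowPolicy = ($null -ne $min -and $info.KeySize -lt $min)
            }
        }
}

# Usage (assumed values): show only the signers the proposed minimum would reject.
Test-PublisherKeySizes -Path 'C:\Program Files\Contoso' -PolicyValue 'RSA:2048,ECC:256' |
    Where-Object BelowPolicy | Format-Table File, Subject, Algorithm, KeySize
```

Run it against the directories that hold software from your approved publishers. An empty result means the proposed value is safe to deploy; otherwise each row names a publisher you must either re-approve by another mechanism or accept with a lower minimum for that algorithm.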
Rules Expansion Exclusions
The "rule_expansion_exclusions" config prop allows customers to prevent rule expansion for a specific USER SID. This can reduce wait times for users logging into a physical or virtual machine with a large number of rules that need to be processed. The value for this property consists of one or more SIDs, e.g., SID1*, SID2*.
By default, the list contains the following exclusions: rule_expansion_exclusions=S-1-5-90*,S-1-5-96*
Accounts beginning with S-1-5-90-0 (account names DWM-x) are generated on the fly by the Desktop Window Manager component for its system services. Accounts beginning with S-1-5-96-0 (account names UMFD-x) are generated on the fly by the User Mode Driver Framework component for its system services.
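Because each entry is a prefix wildcard, a pattern that is shorter than intended can stop rule expansion for interactive users as well, which weakens enforcement for them. The following PowerShell snippet is an added example, not VMware's code, that parses a proposed rule_expansion_exclusions value and checks which sample SIDs it would exclude, including the SID of the account running the script. The proposed value and the sample SIDs are constructed for the example.

```powershell
# Added example (not VMware's code): sanity-check a rule_expansion_exclusions
# value before deploying it. Entries are matched as prefix globs (* = any run
# of characters), so over-broad entries silently exclude real users.

function ConvertFrom-ExclusionList {
    param([Parameter(Mandatory)][string]$Value)   # e.g. 'S-1-5-90*,S-1-5-96*'
    ($Value -replace '^rule_expansion_exclusions=', '') -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-SidExcluded {
    param([Parameter(Mandatory)][string]$Sid, [Parameter(Mandatory)][string[]]$Pattern)
    # -like gives the same wildcard semantics as the config value; return the
    # first matching pattern, or nothing if the SID is not excluded.
    foreach ($p in $Pattern) { if ($Sid -like $p) { return $p } }
}

function Test-ExclusionOvermatch {
    param([Parameter(Mandatory)][string[]]$Pattern)
    # Flag any pattern that would exclude the account running this script or a
    # domain user (S-1-5-21-... prefix); neither should ever be excluded.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    foreach ($p in $Pattern) {
        [pscustomobject]@{
            Pattern            = $p
            MatchesCurrentUser = ($me -like $p)
            MatchesDomainUsers = ('S-1-5-21-0-0-0-1000' -like $p)   # constructed domain-user SID
        }
    }
}

# Constructed proposal: the defaults plus a deliberately over-broad entry.
$Proposed = 'rule_expansion_exclusions=S-1-5-90*,S-1-5-96*,S-1-5-*'
$patterns = ConvertFrom-ExclusionList -Value $Proposed

# Constructed sample SIDs: DWM-1, UMFD-0 and a domain user.
$samples = 'S-1-5-90-0-1', 'S-1-5-96-0-0', 'S-1-5-21-0-0-0-1000'
foreach ($s in $samples) {
    [pscustomobject]@{ Sid = $s; ExcludedBy = (Test-SidExcluded -Sid $s -Pattern $patterns) }
}

# Any row here is a pattern you should remove or lengthen before deploying.
Test-ExclusionOvermatch -Pattern $patterns |
    Where-Object { $_.MatchesCurrentUser -or $_.MatchesDomainUsers }
```

With the constructed proposal above, the first two patterns match only the DWM and UMFD sample SIDs, while the over-broad S-1-5-* entry matches the domain user too and is reported by Test-ExclusionOvermatch.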
Dascli Command Line Utility Changes
We have made a couple of changes to the dascli command line utility to aid customers in performing actions at the endpoint. Previously, dascli could not re-evaluate the publisher information for a file.
The "analyzenow" parameter has been extended to retrieve the publisher information for the specified file. A new "register" parameter has also been added: "dascli register code [server.id]" registers the agent with the server using the given client registration code and, optionally, the specified server.id file.
Repeated BSOD Prevention
We have added the ability to detect repeated BSODs caused by policy enforcement on agents. This can help when a critical Microsoft process is blocked by an incorrectly written rule. When the configured number of BSODs is reached, the agent automatically moves itself to a visibility-only policy, which stops enforcement and prevents further occurrences. By default this function is disabled.
To enable it, specify the number of BSOD occurrences to tolerate with the kernelEnforcementOverrideDirtyLoadMaxCount config prop. For example, to move into visibility mode after 2 BSODs, set: kernelEnforcementOverrideDirtyLoadMaxCount=2. Because this switch silently removes enforcement from the endpoint, review agent policy changes in the console so that an agent left in visibility mode by this mechanism is noticed and the offending rule is corrected.
Additional Changes Include:
- Some applications incorrectly attach to the App Control process at launch, which can cause App Control to hang. The agent now detects whether such a process is running and accounts for a third-party driver that behaves poorly.
- Diagnostic capture files now include the server.id file in unencrypted form so that customers and our Support team can diagnose customer issues. Handle capture files as sensitive material and share them only over the channels Support specifies.
- A performance improvement has been made in how the agent processes rules on file servers.
- Updated AgentUninstallUtility to more effectively clean out registry entries.
- Made changes to reduce unhelpful assertion violation events in the console.
- zlib updated to version 1.2.13.