VMware Carbon Black App Control 8.9.2 | November 6 2023 | Build 8.9.2.1616

Check for additions and updates to these release notes.

Caution:

An issue has been discovered that can cause applications to hang or fail to start on endpoints with the 8.9.2 Windows Agent installed. At this time, we do not advise customers to upgrade to or install this new agent, especially on systems that start large numbers of processes, for example build machines, batch job hosts, automation/orchestration servers, and RDS servers (Microsoft, Citrix, VMware, etc.).

To resolve this, we plan to release an updated Windows agent in the near future. Please stay tuned for an updated timeline. In the interim, please refer to this KB article for further explanation of the issue and a workaround. We apologize for this inconvenience.

Caution:

Starting with the 8.9.4 App Control server, valid signing certificates are required for all files contained in Windows App Control agent installation packages. In February 2023, the signing certificate used to validate SHA-1 MSIs in the 8.9.4 server expired, which prevents any future Windows App Control agent installation packages from being properly validated and installed with this server version.

We recommend that customers on the 8.9.4 server, whether or not they use Windows XP/2003, upgrade to the 8.9.6 server to ensure there are no issues with future release installations. The 8.9.6 server contains the updated SHA-1 signing certificate required to validate future installation packages of the Windows App Control agent.

Customers who do not wish to upgrade to the 8.9.6 server must manually apply the new SHA-1 signing certificate to prevent these issues from occurring. You can download this new signing certificate here.

What's New

The 8.9.2 Windows Release Notes provide information for users upgrading from previous versions and for users new to VMware Carbon Black App Control. This is a maintenance release.

Client Registration Codes

In conjunction with 8.10 Server, the Windows 8.9.2 Agent now supports the use of client registration codes. These codes prevent other programs from impersonating Carbon Black App Control agents.

You can generate client registration codes and enable or disable them.

If they are enabled, you must provide the client registration code when you install a new agent that supports this feature or after installation by using the command line interface. Existing agents that have already connected to the server will remain connected, and will not need the registration code.

For more information about using this feature, please refer to the Client Registration Codes section of the 8.10 User Guide.

Automatic DFS Mapping

Several changes have been made to improve the user experience for customers enforcing rules on a distributed file system (DFS). To do this, we've added the ability for the agent to automatically detect referral server paths for DFS folders. This prevents customers from having to manually specify physical server paths for the agent to recognize as DFS server paths. This manual process is time-consuming and does not scale well, especially for customers managing large numbers of DFS Servers.

To control this new feature we've introduced several new config props:

The new "query_ad_dfs_namespaces" config prop controls whether the agent will query the user's domain for any DFS namespaces. This must be turned on for agents to get DFS information from the domain controller.

To enable this config, set: query_ad_dfs_namespaces=1. By default, this config is disabled and must be enabled. Note that with this config prop only the user's direct domain is queried; no other domains are checked.

The new "dfs_refresh_interval_seconds" config prop specifies how often the App Control service will refresh DFS mapping.

The default setting is 14,400 seconds or 4 hours. For example, to edit the setting to refresh every 5 hours, set: dfs_refresh_interval_seconds=18000.

The new "dfs_namespaces" config prop is useful when there are stand-alone DFS servers that require scanning (servers that are not part of an Active Directory domain).

To use this config, use the following syntax: <server1>\<folder1>[|<server2>\<folder2>]. For example, set: dfs_namespaces=\\ID-WINSERV2012\dfs_server1\dfs_folder*|\\ID-WINSERV2012\dfs_server2\*
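The following is an added example, not code from the agent or from VMware: it parses a dfs_namespaces value in the syntax given above and decides which entry covers a given UNC path, so a value can be checked before it is rolled out. The release notes do not document how the agent itself matches paths; this example assumes case-insensitive glob matching where "*" is the only wildcard, and it uses the sample value from the notes as its constructed input.

```python
"""Parse and match App Control "dfs_namespaces" values (added example, not agent code)."""
import fnmatch
from typing import List, Optional, Tuple

# Sample value taken from the release notes above; the server name is the notes' own example.
SAMPLE_DFS_NAMESPACES = r"\\ID-WINSERV2012\dfs_server1\dfs_folder*|\\ID-WINSERV2012\dfs_server2\*"


def parse_dfs_namespaces(value: str) -> List[Tuple[str, str]]:
    """Split a dfs_namespaces value into (server, folder_pattern) entries.

    Entries are '|'-separated; a leading '\\\\' is accepted and dropped. An entry without
    a folder component raises ValueError so that a typo is caught before deployment.
    """
    entries: List[Tuple[str, str]] = []
    for raw in value.split("|"):
        entry = raw.strip().lstrip("\\")
        if not entry:
            continue
        server, sep, folder = entry.partition("\\")
        if not server or not sep or not folder:
            raise ValueError(f"dfs_namespaces entry needs <server>\\<folder>: {raw!r}")
        entries.append((server, folder))
    return entries


def _covers(pattern: str, norm_path: str) -> bool:
    """Assumption: '*' and '?' are globs; a pattern without wildcards covers its subtree."""
    if "*" in pattern or "?" in pattern:
        return fnmatch.fnmatchcase(norm_path, pattern)
    return norm_path == pattern or norm_path.startswith(pattern + "\\")


def matching_namespace(path: str, value: str) -> Optional[Tuple[str, str]]:
    """Return the (server, folder_pattern) entry that covers a UNC path, or None."""
    norm = path.strip().replace("/", "\\").lstrip("\\").lower()
    for server, folder in parse_dfs_namespaces(value):
        if _covers(f"{server}\\{folder}".lower(), norm):
            return (server, folder)
    return None


if __name__ == "__main__":
    for entry in parse_dfs_namespaces(SAMPLE_DFS_NAMESPACES):
        print("namespace:", entry)
    # Constructed paths: one under each sample namespace and one on an unrelated server.
    for p in (r"\\id-winserv2012\dfs_server1\dfs_folder_old\app.exe",
              r"\\ID-WINSERV2012\dfs_server2\bin\tool.exe",
              r"\\OTHER\dfs_server1\dfs_folder\x.exe"):
        print(p, "->", matching_namespace(p, SAMPLE_DFS_NAMESPACES))
```

Because fnmatch does not treat the backslash specially, a trailing "*" covers the whole subtree under the folder prefix, which is the reading that makes the notes' dfs_server2\* example meaningful; if a narrower match is wanted, the pattern must spell it out.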

Specify Minimum Key Size Values For RSA and ECC Certificates

The "minimum_alg_cert_key_size" config prop adds flexibility to the minimum key size the agent accepts on publisher certificates. Formerly, there was a single fixed minimum size allowed for all certificates. This was a problem for customers who approve publishers using ECC certificates.

The value for this property is a comma-separated list of algorithm:size pairs, e.g., RSA:512,ECC:256. This example sets the minimum key size for RSA certificates to 512 bytes, and for certificates using Elliptic Curve Cryptography to 256.

Rules Expansion Exclusions

The "rule_expansion_exclusions" config prop allows customers to prevent rule expansion for specific user SIDs. This can reduce wait times for users logging into a physical or virtual machine with a large number of rules that need to be processed. The value for this property consists of one or more SIDs, each optionally ending in a wildcard, e.g., SID1*,SID2*.

By default, the list contains the following exclusions: rule_expansion_exclusions=S-1-5-90*,S-1-5-96*

Accounts beginning with S-1-5-90-0 (account names DWM-x) are generated on the fly by the Desktop Window Manager component for its system services. Accounts beginning with S-1-5-96-0 (account names UMFD-x) are generated on the fly by the User Mode Driver Framework component for its system services.
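As an added example (not agent or VMware code) covering both the "minimum_alg_cert_key_size" and the "rule_expansion_exclusions" props above, the block below parses each value from its config line and applies it: a publisher certificate's algorithm and key size are checked against the configured minimums, and a logging-in user's SID is checked against the exclusion patterns. The agent's own comparison and matching rules are not documented in these notes, so the example assumes the size is compared as a plain integer in whatever unit the setting uses, that an algorithm with no configured minimum is rejected rather than accepted, and that "*" is a trailing wildcard on the SID string (which is what the default S-1-5-90*,S-1-5-96* implies). The config lines and the certificate and SID values it feeds in are constructed.

```python
"""Parse and apply two list-valued App Control config props (added example, not agent code)."""
import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed config lines; the first uses the value quoted in the release notes.
KEY_SIZE_LINE = "minimum_alg_cert_key_size=RSA:512,ECC:256"
STRICTER_KEY_SIZE_LINE = "minimum_alg_cert_key_size=RSA:2048,ECC:256"  # constructed, tighter policy
EXCLUSIONS_LINE = "rule_expansion_exclusions=S-1-5-90*,S-1-5-96*"


def split_config_line(line: str) -> Tuple[str, str]:
    """'name=value' -> (name, value); the value may itself contain '=' characters."""
    name, sep, value = line.strip().partition("=")
    if not sep or not name:
        raise ValueError(f"expected name=value, got {line!r}")
    return name.strip(), value.strip()


def parse_min_key_sizes(value: str) -> Dict[str, int]:
    """'RSA:512,ECC:256' -> {'RSA': 512, 'ECC': 256}; malformed pairs raise ValueError."""
    sizes: Dict[str, int] = {}
    for pair in value.split(","):
        pair = pair.strip()
        if not pair:
            continue
        alg, sep, size = pair.partition(":")
        if not sep or not alg.strip() or not size.strip().isdigit():
            raise ValueError(f"expected <ALG>:<size>, got {pair!r}")
        sizes[alg.strip().upper()] = int(size)
    return sizes


def publisher_key_rejection(alg: str, key_size: int, policy: Dict[str, int]) -> Optional[str]:
    """Return None when the certificate key meets the configured minimum, else the reason.

    Assumption of this example: an algorithm absent from the policy fails closed, so a
    typo in the prop cannot silently widen what the agent accepts.
    """
    minimum = policy.get(alg.upper())
    if minimum is None:
        return f"no minimum configured for {alg}"
    if key_size < minimum:
        return f"{alg} key size {key_size} is below the configured minimum {minimum}"
    return None


def parse_sid_exclusions(value: str) -> List[str]:
    """'S-1-5-90*,S-1-5-96*' -> ['S-1-5-90*', 'S-1-5-96*']."""
    return [p.strip() for p in value.split(",") if p.strip()]


def rule_expansion_skipped(sid: str, patterns: List[str]) -> bool:
    """True when the user's SID matches an exclusion pattern (glob on the SID string)."""
    return any(fnmatch.fnmatchcase(sid.upper(), p.upper()) for p in patterns)


if __name__ == "__main__":
    policy = parse_min_key_sizes(split_config_line(KEY_SIZE_LINE)[1])
    # Constructed publisher keys: (algorithm, size) as a certificate tool would report them.
    for alg, size in (("RSA", 2048), ("ECC", 256), ("ECC", 224), ("DSA", 2048)):
        print(alg, size, "->", publisher_key_rejection(alg, size, policy) or "accepted")
    exclusions = parse_sid_exclusions(split_config_line(EXCLUSIONS_LINE)[1])
    for sid in ("S-1-5-90-0-1", "S-1-5-96-0-2", "S-1-5-21-1234567890-1234567890-1234567890-1001"):
        print(sid, "-> rule expansion skipped:", rule_expansion_skipped(sid, exclusions))
```

One caveat of the glob reading: "S-1-5-90*" matches the SID as a string, so it would also cover a SID whose next component merely starts with 90 (such as S-1-5-900-...) if such an authority existed. When adding exclusions for ordinary domain accounts, include the trailing "-" before the wildcard, or spell out the full SID, so that only the intended accounts skip rule expansion.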

Dascli Command Line Utility Changes

We have made a couple of changes to our dascli command line utility to aid customers in performing actions at the endpoint. Dascli previously did not have the ability to re-evaluate publisher information for a file.

We have extended the parameter “analyzenow” to retrieve the publisher information for the specified file. We have also extended dascli with a new parameter called “register.” Calling “dascli register code [server.id]” registers the agent with the server specified.

Repeated BSOD Prevention

We have added the ability to detect repeated BSODs caused by policy enforcement on agents. This prevention can help when a critical Microsoft process is being blocked because of incorrectly written rules. When the specified number of BSODs is detected, the agent automatically moves to a visibility policy, preventing any further occurrences. By default this function is disabled.

To enable it, a customer must specify a number of BSOD occurrences using the kernelEnforcementOverrideDirtyLoadMaxCount config prop. For example, to move into visibility mode after 2 BSOD occurrences, set: kernelEnforcementOverrideDirtyLoadMaxCount=2.

Additional Changes Include:

  • Some applications incorrectly attach to the App Control process at launch, which can cause App Control to hang. We have made changes to detect whether such a process is running and to account for third-party drivers that behave poorly.

  • Diagnostic capture files now include the server.id file in unencrypted form so that customers and our Support team can diagnose customer issues more easily.

  • A performance improvement has been made in how the agent processes rules on file servers.

  • Updated AgentUninstallUtility to more effectively clean out registry entries.

  • Made changes to reduce unhelpful assertion violation events in the console.

  • zlib updated to version 1.2.13.

Resolved Issues

  • EP-16856: Fixed the dascli checkcache command to only accept valid options.

  • EP-17440: Significantly improved the performance of rule expansion by reducing the amount of file IO done during name normalization. Since rule expansion is performed when a new user logs in, significant performance gains should be seen in multi-user environments. (EA-23290, EA-23400)

  • EP-17469: Fixed an issue where certain files could be renamed from an uninteresting extension (e.g., txt) to an interesting one (e.g., bat) and be inadvertently approved. Now, any file that is renamed during initialization is forced into analysis and blocked, instead of being approved by default as part of initialization.

  • EP-18003: Fixed an issue that caused process exclusions to not work properly for cleanup operations. This resulted in performance issues for users of MS Exchange Server.

  • EP-18017: Fixed a small memory leak in the kernel driver that could occur during driver unload, resulting in a BSOD.

  • EP-18113: Fixed an issue where the agent may crash calculating file hashes due to low memory resources on an agent. (EA-22617)

  • EP-18206: Fixed an issue where ELAM drivers were showing up as Microsoft-published. This has been fixed to show the actual publisher, if available.

  • EP-18263: Fixed a small leak of OS synchronization objects that can result in high memory utilization issues on long-running systems.

  • EP-18409: Fixed a race condition that was preventing the agent driver from uninstalling successfully using the FLTMC command. (EA-21750)

  • EP-18415: Fixed an issue that prevented the dascli crawlfile command from working properly.

  • EP-18431: Fixed a parity service crash during service startup. This crash could occur when a large number of modifications were made to the file system while the service was in a stopped state, or in a disabled enforcement. (EA-22676)

  • EP-18451: Fixed an issue that caused long delays whenever a file share was accessed from a remote system, due to a flaw in the process thread user identity check introduced in 8.9.0. The old check inadvertently detected the operation as a new user on the file server system and triggered rule expansion and a timeout.

  • EP-18819: Fixed an issue where ABExclusion filtering on event publisher names was not working correctly. These events are now filtered properly. (EA-23016, EA-23287)

  • EP-18872: Fixed an issue where global approvals for files in the parityhostagent_sha1.msi were missing, resulting in an "Unexpected ApprovalReason[Initialization]" health check error for Windows XP and 2003 agents.

  • EP-18884: Fixed an issue where users would experience agent performance delays when launching processes in a disabled enforcement mode. (EA-23261)

  • EP-18947: Fixed an issue where files that are modified and then immediately renamed during initialization are approved by default without analysis. (EA-23101)

  • EP-18980: Fixed an issue that caused the App Control server to be flooded with agent configlist requests, resulting in server availability issues. (EA-2303)

  • EP-18986: Fixed an issue where the "Estimated Install Date" field in the console was blank for certain Windows software. (EA-22371)

  • EP-19005: Fixed an issue with rule expansion on MS Windows Server 2016 x64 to handle OS-specific behavior.

  • EP-19006: Fixed a small memory leak that occurred any time a Yara file analysis was started on the agent. (EA-23224)

  • EP-19024: The agent now gets DFS mappings from both stand-alone servers and AD (if enabled by agent config prop). When parsing network paths from the backing servers, these paths are replaced with the DFS path. This allows customers to write rules against DFS paths without knowing all the backing servers. (EA-21108)

  • EP-19051: Fixed an issue that results in more reliable cache backup routines.

  • EP-19126: Fixed an issue that caused agents to become disconnected due to a deadlock related to DB access. (EA-23258)

  • EP-19127: Fixed an issue which caused rule expansion to be turned off after executing a full import of the agent configuration.

  • EP-19455: Fixed an issue where certain files could be renamed from an uninteresting extension (e.g., txt) to an interesting one (e.g., bat) and be inadvertently unapproved. Now, any file that is renamed during initialization is forced into analysis and blocked, instead of being approved by default as part of initialization.

  • EP-19447: Fixed an issue which may cause rules to be evaluated without waiting for rule expansion to be completed. (EA-23473)

Known Issues

  • EP-1201: On Windows 2003 x64, you may see a health check reporting improper classifications immediately after installation.

    This should go away after roughly fifteen minutes.

  • EP-1682: Carbon Black App Control does not support in-container enforcement.

    Users can use the Microsoft Edge Virtualization feature, but Carbon Black App Control will not enforce rules within the container. It will, however, enforce rules on anything that breaks out of the sandbox.

  • EP-2393: The appearance in the console of block and report events related to the Ransomware rapid config may be delayed by a minute or more.

  • EP-5483: The agent currently tracks all the content extracted from the Windows 10 WIM image in the temp directory.

    A rule to ignore these writes is not yet functioning properly.

  • EP-5498: In some cases, the agent will report an empty installer for a given file.

    The file will still be correctly approved or not, as expected on the endpoint. Only reporting of the source installer is failing, not enforcement of relevant rules.

  • EP-6104: Cleanmgr.exe is a Windows utility process that runs occasionally and copies files to the "temp" folder in order to run analysis on them.

    These files are only copies of other files already on the machine and cleanmgr.exe never executes them.

  • EP-6106: An installation of a new Carbon Black App Control Agent on the latest version of Windows 10 can result in a health check error due to a miscalculation of how many events the agent should send to the Carbon Black App Control server.

    This problem disappears after a reboot.

  • EP-6107: After upgrading agents on Windows XP systems, it is possible to see signature error events stating that the installer download failed.

    The upgrade should be successful and there should not be any impact on the upgrade process.

  • EP-6197: Occasionally the agent will complain about metadata not being properly populated and trigger an Error.

    The Error implies a mismatch in expectation but is not expected to break functionality of the agent and can be ignored.

  • EP-6982: Carbon Black App Control does not support NTFS reparse points as exclusion paths, and they should not be used with kernelFileOpExclusions configuration rules.

    Reparse points include objects such as symbolic links, directory junction points and volume mount points.

  • EP-10542: When uninstalling the agent, a Carbon Black App Control Agent dialog displays informing the user that certain applications must be closed before continuing the installation.

    This informational message is caused by a known msiexec defect.

    Important: This could occur during a removal of the agent using "add/remove programs", or during an upgrade of the agent if you are using third-party software or a manual upgrade using msiexec.

    Customers that perform agent upgrades from within the Carbon Black App Control Admin console are not affected.

    When uninstalling the agent, performing a manual upgrade, or upgrading using third-party software, you can suppress this dialog with the additional msiexec command line argument "/qb-". This disables the modal dialog during manual uninstalls and upgrades.

    The example below shows how to manually uninstall the Carbon Black App Control agent with the /qb- argument:

    msiexec /x {EnterGUIDHere} /qb-

    This issue is not new to the Windows agent and possibly affected customers on earlier releases. A long term fix will be implemented in a future release.

  • EP-13016: SDHC Cards are not supported.

  • EP-14223: When using 8.6.x servers, policy and enforcement levels may not display correctly for 8.6.x Windows agents installed on Windows 11.

    The 8.7.0+ App Control Server and 8.7.2+ Windows Agent resolves this issue.

  • EP-18203: In 8.9.0 and greater versions of the Windows Agent, the following health check may be displayed on Windows XP and 2K3: "Severity[Low]: c:\program files\bit9\parity agent\parity.exe is signed but could not check revocation: Error[800B010E]"

    Due to potential SHA-1 collisions, certificate issuers no longer issue SHA-1 certificates. As a result, we've issued our own SHA-1 certificate and we do not have a way to issue CRLs (certificate revocation lists). The issue does not occur on operating systems that fully support SHA-256.

  • EP-18204: The signature information of App Control binaries on Windows XP and Windows 2003 may display the following error: "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file".

    This is due to Windows XP and Windows 2003 not fully supporting SHA-256 signatures. The timestamping server that we use only signs with SHA-256 or later, so the OS cannot verify that the file was signed within the validity period of the Carbon Black signing certificate.

  • EP-18508: Users may only see one notifier display when an instance of process hollowing is detected and blocked. In this case, two notifiers should display, one blocking the hollowing process and one blocking the hollowed process.

    Even though only one notifier displays, both processes are still blocked.

  • EP-19509: Custom rules are not enforced on Windows XP when the DFS server is in another domain.

    Automatic DFS mapping requires the active user to have permissions on the DFS server. Entering separate credentials in explorer is not sufficient.
