VMware Carbon Black App Control 8.9.4 | 21 FEB 2023 | Build 8.9.4.55

Check for additions and updates to these release notes.

What's New

The 8.9.4 Server Release Notes provide information for users upgrading from previous versions as well as for users new to VMware Carbon Black App Control. This is a maintenance release.

The VMware Carbon Black App Control Server has been identified to contain a critical security vulnerability. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2023-20858 to this issue. We strongly recommend that you upgrade as soon as possible.

For more information, see the VMware Security Advisory: VMSA-2023-0004. For questions and assistance with installation, please contact Customer Support.

The 8.9.4 Server resolves the vulnerability identified in CVE-2023-20858. We strongly recommend you upgrade to this 8.9.4 Server release as soon as possible.

Server Support for Mac Trusted Publisher

The App Control 8.9.4 Server can now receive publisher certificate information from the latest 8.8.0 Mac agent. This allows server users to approve and ban Apple-based certificates discovered on 8.8.0 Mac agents. This reduces the complexity involved with approving/banning new software and updates from Apple or other third-party vendors.

On Windows agents, many customers leverage Trusted Publishers to create high-enforcement policies, allowing all trusted Windows software vendors and blocking all else. With this feature on Mac, customers will now be able to more easily lock down their endpoints, providing a high level of security, previously challenging to obtain on Apple devices.

For more information about Mac Trusted Publishers, see Approving or Banning by Publisher in the 8.9.4 User Guide.

Other changes in this release include:

  • Added a new action on the Computers page to allow users to run cache consistency checks on multiple computers at once. Previously, this could only be performed on the Computer Details page. In addition, added a new option, Re-evaluate publishers, to the cache consistency check menu to retrieve publisher certificate information from files on previous Mac agents that did not support Trusted Publishers. For more information, see Performing a Cache Consistency Check in the 8.9.4 User Guide.

  • Added 'dircasesensitivityenabled' as an available agent config property in the server to address case-insensitive Windows operating systems. For information, see the Rules Installer 1.18 Release Notes.

  • Made performance improvements to reduce timeouts and delays while using the Computers page.

Library Changes

The following libraries were updated:

  • Updated SQLite to version 3.40.1

  • Updated curl to version 7.87.0

Supported Upgrade Paths

Important:

For customers using SQL 2019, installation of the latest Cumulative Update is required before installing Carbon Black App Control Server version 8.9.4. Please see the Server OER for more details.

The table below shows the supported upgrade paths for Carbon Black App Control 8.9.4 servers:

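| Upgrading from: | Upgrading to: |
|-----------------|---------------|
| 8.8.4           | 8.9.4         |
| 8.8.2           | 8.9.4         |
| 8.8.0           | 8.9.4         |
| 8.7.x           | 8.9.4         |
| 8.6.x           | 8.9.4         |
| 8.5.x           | 8.9.4         |
| 8.1.10          | 8.9.4         |
| 8.1.8           | 8.9.4         |
| 8.1.6           | 8.9.4         |
| 8.1.4           | 8.9.4         |
| 8.1.0 Patch 2   | 8.9.4         |
| 8.1.0           | 8.9.4         |
| 8.0.0           | 8.9.4         |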

Resolved Issues

The following defects were fixed in the Carbon Black App Control 8.9.4 Server.

  • EP-17443: Fixed an issue where CPE stopped syncing due to a change in the NVD API

  • EP-17495: Fixed an issue where users with the correct permission could not move computers to a different policy from the computers page

  • EP-17414: Fixed missing user feedback when disabling tamper protection on the computer details page

  • EP-17347: Fixed an issue that prevented AD users set up with a UPN alias that is different from the domain name from being able to log in.

  • EP-15476: Fixed an issue where data would no longer flow to syslog

  • EP-16012: Fixed a UI issue where the Revocation Check configurations were not showing the correct value

  • EP-16914: Fixed an issue where installing a new agent-server communication certificate results in connected agents switching to encrypted communication over an untrusted channel

    Installing a new agent-server communication certificate should no longer result in connected agents switching to encrypted communication over an untrusted channel - they will now be given a time buffer to learn about the new certificate to trust before the switch occurs.

  • EP-17346: Improved performance of the "Computers Page" (EA-22351)

  • EP-17373: Fixed an issue with AD rules .XSD file not updating on upgrade

  • EP-6366: Fixed an issue where the "Applications on Computer" would display deleted computers

    The "Applications on Computers" page will no longer display from deleted computers.

  • EP-17246: Fixed an issue where logging in using the Active Directory pre-Windows 2000 user logon name

  • EP-17233: Fixed an issue where the "Date Registered" column is missing from the computers page

    Added Date Registered column back to the computers page.

Known Issues

The following known issues and limitations are present in the Carbon Black App Control 8.9.4 Server.

  • EP-17537: When running on Windows Server 2012 R2 the AppC Server is unable to access the NIST API due to incompatible cipher suites. Because of this, CPE syncing is not possible on this operating system

  • EP-4085: When uninstalling the App Control server a message may appear saying that the system is protected by the App Control agent even though the agent has already been uninstalled

  • EP-1222: If the CryptoAPI cannot initialize, the license will not be imported

    This is typically due to the environment not being set up according to the installation instructions.

  • EP-14702: Due to an InstallShield issue, if a reboot is required during install, the installer may not automatically continue after reboot

    If this occurs, you must manually restart the install.

  • EP-2752: If you modify the permissions of, or disable, the "admin" user that ships with the product, the API module may no longer function correctly, causing problems when using the REST API and the console

    Make sure that the "admin" user retains its "View users" and "Manage users" permissions, and that it is not disabled.

  • EP-2879: Baseline Drift Reports only report on Windows computers

    Baseline Drift Reports do not report on Mac or Linux computers.

  • EP-3157: Exports to CSV of tabular data from console pages do not render date and time fields consistently with respect to time zone

    Some columns are reported as UTC; others use the local time zone.

  • EP-3349: Right after a new version of App Control is installed, the version health indicator will incorrectly report that the previous version is the newest version

    Refreshing the health indicator will cause it to disappear and will remove the incorrect report.

  • EP-3352: An event with the subtype "File deletion failed" is erroneously generated when a file that no longer exists is selected for deletion

    When a file that no longer exists is selected for deletion, the App Control Server should generate an error with subtype "File deletion processed (file not found)". Instead, an event with the subtype "File deletion failed" is erroneously generated.

  • EP-4094: Users without the "View Policies" permission will not be able to make use of Role-Based Access Controls based on policies

  • EP-4578: If a user turns on the config property ShowHiddenCustomRules and creates a Custom Rule with a hidden action (that is, an action ending with "(Hidden)") that rule will display as an expert rule after being saved

    Rules of this type requiring an Operation value of "Execute and Write" should be created as two separate rules to avoid losing data.

  • EP-5504: Systems created using Sysprep may not boot if Tamper Protection was enabled when Sysprep was performed

  • EP-5703: Canceling a diagnostic request while it is underway does not always work

    From the App Control console one can request a diagnostic upload from an endpoint. Canceling such a request while it is underway does not always work. Sometimes cancellation can merely cause the endpoint to retry the upload.

  • EP-6510: Some customers have reported seeing false positives with the Doppelganger rule being triggered by TIWorker.exe and TrustedInstaller.exe

  • EP-6515: In a specific scenario it's possible for newly installed agents to register with the server from a deleted policy

  • EP-6719: File analysis through connectors will not work with files containing certain foreign characters in the name

  • EP-6721: If a SAML identity provider requires a signed logout request, the logout request will fail

  • EP-6796: In some cases it's not possible to export a large amount (300+) of custom rules

  • EP-7891: When adding a user to the "Linux User/Group to Manage Agents" section of the Agent Management configuration the message “(Not validated)” is erroneously returned

    The new user should still be added.

  • EP-13195: Rapidly changing a computer's policy more than once can sometimes cause the last policy change to not apply

  • EP-16158: Incorrect list of files when creating a snapshot

    Sometimes when filtering files and creating a snapshot from the result set, files not part of the result set are included in the snapshot.
