The 8.1.6 Server Release Notes provide information for users upgrading from previous versions as well as for users new to VMware Carbon Black Protection.
New Features and Product Enhancements
CB Protection version 8.1.6 provides the following improvements and enhancements:
- Customers can now cache a Saved Event view in order to view and manipulate the data more quickly in the future. For more details please see the 8.1.6 User Guide.
- The PHP library that ships with CB Protection has been upgraded to version 7.2.14 (August 2019).
- For new server installs the Java and Powershell Script rules are now enabled by default. Server upgrades will retain the previous value.
- The default value for AllowBansFromEventRules has been changed to true. Users can now create bans from Event rules.
- The default value for AllowMoveComputerFromEventRules has been changed to true. Users can now move computers from Event rules.
- Administrators can now add a custom banner on the CB Protection Admin login page with customer defined text and formatting.
- The username for SAML can now come from either an attribute named EmailAddress or NameID.
- Action and Operation columns have been added to Custom, Memory, and Registry rule tables. This should make it easier to understand what a rule is doing and filter for certain rule types. The old Action column, which included operations, has been renamed "Action (Legacy)" and will continue to function as before, except that expert rules that were previously missing information should now show both actions and operations. Filtering on the "Action (Legacy)" column for these expert rules will not work. When grouped by "Action (Legacy)" these rules will show up as "Expert Action(s)".
- The Microsoft SCEP connector has been deprecated. It will no longer show up in new installs and will be hidden if it is not enabled. It will be removed in a future version.
- The FireEye connector has been deprecated. It will no longer show up in new installs and will be hidden if it is not enabled. It will be removed in a future version.
- The Update Agent/Rule Versions page will now be more strict about what files can be uploaded to help avoid uploading the wrong file.
- Improved the process of uploading Host Package Installers and Rules Installers: when certificate validation is blocked, the server now checks against known local certificates. If validation is still not possible, there is a new prompt in the UI to allow users to acknowledge the risk and bypass the certificate check for that file.
- The server installer will now install Microsoft ODBC Driver 13.1 if at least version 13.1 is not found on the system.
- The installer versions page now requires the View Configuration permission instead of the Manage Configuration permission. In addition, the link to the page will not display on the Policies page if the user lacks the View Configuration permission.
- In order to improve the efficacy of a number of the Windows Script Rules (found in the Scripts tab within the Console), the script processors in the rules are now identified by Yara in addition to path and name. For more details, see Windows Script Rules Changes below.
New Events
- An event will now be generated when a user's session times out.
Product Security Enhancements
- Changed the algorithm that generates password salts and extended the length of the password salt.
- The hashing algorithm used to communicate with agents has been updated to use SHA256. Newer agents will detect if the server is capable of using the SHA256 algorithm to validate and adopt accordingly.
Windows Script Rules Changes
In CB Protection 8.1.6 we now use Yara to identify several different processes as part of the Script rules. The processes we are identifying include: cmd.exe, regedit.exe, reg.exe, regedt32.exe, cscript.exe, wscript.exe, java.exe, javaw.exe, mshta.exe, perl.exe, python.exe, and pythonw.exe.
The Script rules that reflect this change are named: Batch, Registry, Visual Basic, Java, Powershell, and HTML Application.
In addition, when upgrading a server, two new Windows Script rules are added that mirror existing rules but use Yara to identify the processors. These new rules are: Perl using Yara and Python using Yara.
The existing Perl and Python script rules remain unchanged since they do not incorporate a process in the rule but rather rely on file associations for the extensions pl, pm, py, pyc, pyo, and pyw.
It is important to note that new installs will not have the Perl using Yara and Python using Yara rules. Instead, on new installs the Yara method to identify the process has been added to the Perl and Python rules themselves.
CB Protection Server Supported upgrade paths to 8.1.6
Below is a table explaining the supported upgrade paths for CB Protection servers:
| Upgrading from: | Upgrading to: |
|---|---|
| v8.0.0 | v8.1.6 |
| v8.1.0 | v8.1.6 |
| v8.1.4 | v8.1.6 |
Corrective Content
This section lists the defects that were fixed in CB Protection 8.1.6 Server.
Corrective Content in CB Protection 8.1.6 Server (Build 436)

| Item # | Description |
|---|---|
| EP-9772 | Fixed an issue where the CB Protection Server drive could fill up with temporary files, causing a significant performance impact, preventing events from being logged on the server, and eventually causing your system drive to fill up and subsequently crash. |

Corrective Content in CB Protection 8.1.6 Server (Build 434)

| Item # | Description |
|---|---|
| EP-1334 | Fixed an issue with Chrome by prepopulating the Subject Alternative Name on the Create X.509 Certificate dialog in the server installer. |
| EP-2225 | Fixed an issue where it was possible to receive multiple "New file on network" events for the same hash. |
| EP-2411 | Fixed an issue where file paths on Linux and Mac were showing an extra slash in some parts of the UI. |
| EP-2920 | Fixed an issue that caused newly created alerts to not be saved when they were being applied to selected policies. Customers should now be able to create alerts that apply only to computers in a specific policy. |
| EP-3522 | On table pages, the Select All checkbox will now highlight all of the selected rows. |
| EP-4825 | Corrected the location of the System Configuration page described on dialogs in the server installer. |
| EP-6646 | Multi-Threaded File Processing will now intelligently split processing in order to maximize hosts processed. |
| EP-6716 | Fixed a bug on table pages that caused rows to still be highlighted after the rows were no longer selected. |
| EP-6918 | Fixed an issue where the CB Protection Server would crash due to a timing issue when creating config list files. |
| EP-7681 | Improved the CB Reporter's scheduled task management to halt processing of a task if it is disabled while in the middle of processing data. This fixes an issue where the CB Reporter would detect a running task as being disabled and would attempt to stop the process and cause the timer to be reset instead. |
| EP-7738 | Fixed an issue where a user response of "No" in the installation dialogs was ignored and the installation would continue instead of cancelling the install. This would happen when a user selects to use a new database during install on a server that contains an old database and the installer asks the user to confirm they want to overwrite an existing database. |
| EP-8136 | Fixed issues with creating and deleting baseline drift snapshots. It is now possible to create and delete baseline snapshots. |
| EP-8161 | Fixed an issue where autocomplete was not working in the filters fields for several pages. |
| EP-8305 | When a user changes their password, the event for that action now correctly states who changed the password. |
| EP-8358 | Fixed an issue with External Event Logging to a SQL database where, if access to that external database was lost, events that occurred during the downtime were not synced once the connection was restored. |
| EP-8373 | Fixed an issue with generating Mac host packages where temp files were not being properly cleaned up. |
| EP-8436 | Fixed an issue where a user could get a "PHP Fatal error: Uncaught Error" message when trying to view a Saved View that included a column showing data they did not have permission to view. Now, if a user does not have permission to view a column required for a Saved View, the view will no longer appear in the Saved View dropdown menu for that user. |
| EP-8562 | Fixed an issue where, if the resource download location setting was changed and did not end in a trailing slash, then incorrect URLs were being generated. |
| EP-8829 | Fixed an issue where internal custom rules that should never be edited by users could be edited by double clicking on the table row. |
| EP-8870 | Fixed an issue where if a computer running an agent had been converted into a template, the 8.1.4 server was unable to allow that agent to reconnect once it was brought online again. |
| EP-9075 | Fixed an issue that caused an error to appear when using the "View Cb Reputation Data" action. |
| EP-9112 | Fixed a bug where server config values (set via the API) created events with swapped former and new values. Previously, we would put what should be in param2 in param3 and vice-versa. |
| EP-9169 | Fixed multiple issues with the drag-and-drop interface for agent installers: |
| EP-9215 | Fixed an issue that caused the help link on the Events page to go to the main help page instead of the chapter on Events. |
| EP-9352 | Fixed an issue where, if the installer finds any Mac and Linux agents while doing an upgrade, it would prompt the user with a warning that no new install packages will be generated. This is an old message that does not apply to CB Protection 8.1.4 Server and above. |