The 8.1.0 Patch 2 Server Release Notes provide information for users upgrading from previous versions as well as for users new to VMware Carbon Black Protection.

New Features and Product Enhancements

Beginning with 8.1 Patch 2, the following UI improvements and enhancements have been added.

Improved Processing of Table Page Actions

  • Table actions (on new table pages only) now show a progress bar on actions.
  • Table actions are now “chunked” for processing. This allows you to perform actions on larger groups of items without timing out or getting logged out, and also makes larger CSV exports possible.
Note: These changes apply to Events, Files, and Rules pages

Other Table Improvements

  • Quickfilters: There are now icons on cells and headers that you can click and quickly filter by fields.
  • Row selection: You can click on a row with a checkbox and the whole row will highlight.
  • Double click for details: If you double click on a row, the the details page for the object in that row will open (if one exists).
  • Drag-and-drop columns: You can reorder columns by dragging-and-dropping the table headers.

Events Page Improvements

  • Subgroups: On the Events page, in addition to displaying results sorted into groups, you can also add a sub-group under the group you choose.
  • Group count: Sorting by group count is now allowed on the Events page.
  • Agent Version: This field is now available as a column on the Events page.

Corrective Content

This section lists the defects that were fixed in CB Protection 8.1.0 Patch 2 Server.

Corrective Content in CB Protection 8.1.0 Patch 2 (Build 3546) – Windows Agent
Item # Description
EP-6200 Fixed the noisy assert in the agent process tracking that would complain about PID 4 not being enumerated.
EP-6144 Fixed the information caching issue where sometimes the agent would give the following error stating "isLocal mismatch Kernel[x] Usermode [y]".
EP-4988 Fixed an issue where a critical system process, for example ntoskrnl.exe, may be tagged by CB Protection Agent as Bit9:Terminated which results in blocks of any I/O the process performs before it is terminated. Because critical system processes cannot be terminated by the Agent, the issue persists until the system is rebooted or the tag is removed by using expert rule tagging actions.
EP-1543 To reduce the number of expanded rules, the system will wildcard per user rules (e.g. C:\Users\*\Documents) instead of expanding the rule once per logged in user. If a user has changed their folder location, this release will always include an expansion for the changed location.
EP-3481 Fixed an issue where files could be silently blocked even after Allow was clicked when being prompted by the notifier.
EP-5280 Updated the OpenSSL version the agent uses to 1.0.2o
EP-6866 Fixed an issue where the agent would, under some circumstances, scan the computer for new scripts on every startup. Users may see a small positive performance impact.
EP-7067 Fixed an issue where it was possible the machine would hang upon reboot after upgrading the CB Protection agent.

Corrective Content in CB Protection 8.1.0 Patch 2 (Build 3546) – Server
Item # Description
EP-6562 Fixed an error on logout during SAML setups that did not use an encryption certificate.
NA Fixed a SAML issue with Active Directory Federation Services. For ADFS we now accept the following Attribute tags: KeyInfo, Issuer, AttributeValue, AttributeStatement
EP-2821 Resolved an issue with uploading diagnostic files to the CBP server that had non-ansi convertible characters. This has been resolved in this version and the User Guide has been updated to reflect the new behavior. Please see “File and Path Information for Uploaded Files” section in the User Guide for more information.
EP-3513 In prior versions, the following message was erroneously triggered when using Unified Management to locally approve files on linked servers: `Notice: Cannot create local approval for computer id: X because it is currently in a deleted state.'
EP-1712 When creating a rule, one can specify a list of users to which the rule applies. This field had room for only 1024 characters. With this release, the field has been expanded to accommodate 2048 characters.
EP-2163 In version 8.0.x in an AD environment, autocomplete of user names was not finding a match when creating a new custom rule. Autocomplete of username fields will now tap into a larger data source.
EP-5246 When rules are exported to CSV, the policy column should now display all policies instead of being truncated as they are the policy column should now contain all policies instead of being truncated as they are when displayed on the rules page.
EP-6130 Expert memory rules where the "Authorization Action" is "Terminate Source Process" now correctly terminate the source process.

Fixed wildcarding of per user macros. Rules that reference per user macros such as

<MyDocuments> will expand to a single rule (C:\Users\*\Documents) instead of expanding to a rule per logged in user.

EP-6227 Fixed an issue where, if a rule was targeted to a specific user was exported and then imported, CB Protection would sometimes fail to assign the rule to the user on import.
TT-47500 User name is no longer lost on import.
EP-6542 Fixed "Imported" column in Custom, Memory, and Registry rule tables. Previously it would not update to “Yes” after importing rules.
EP-5930 Agent upgraded events no longer show the incorrect time stamp as the release of the agent software and now show the time at which the agent was upgraded.
EP-2064 Fixed a bug on the computers page that was preventing expanding or shrinking of groups of assets.
EP-2768 Previously, on Windows machines, enforcement by the CB Protection agent of tamper protection was preventing Windows from cleaning up control sets in the registry after a restart. Symptoms of this problem were an accumulation of registry keys in HKLM\System that are no longer needed and many tamper protection block events in the console that indicate services.exe was blocked from deleting ControlSet??? entries. We now allow the OS to delete old ControlSet??? entries from the registry without blocks from tamper protection and related tamper protection events.
EP-3271 Three more Australia time zones were added: Sydney, Brisbane, and Perth.
EP-3434 Fixed an issue where certain links to the Find Files page were timing out.
EP-3442 Fixed how the Console handles periodic database connection failures. Previously, periodic failures of database connectivity caused the Console to get stuck logging the same error repeatedly. This has now been addressed.
EP-4300 Users with the permission to manage local state can now locally approve files from the events page.
EP-4584 Fixed an issue where it was possible that CBP would report file analyze blocks for files that were already deleted before their analysis could be completed. CBP should no longer report file analyze blocks for deleted files.
EP-4920 Rapid Config rule names should now appear in the Rule Name column on the events page.
EP-5077 Fixed an issue where certain event fields were showing up with HTML escaped code.
EP-5087 Previously, Tamper Events would be seen when svchost.exe attempted to write to the sEstimatedSize2 value in the agents uninstall registry location - HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersi on\Uninstall\{DA971CA3-73AA-4A57-AFB4-8155E72CEB96}\sEstimatedSize2 This fix allows svchost to update that value and avoid the Tamper Protection events.
EP-5764 A limitation that constrained computer names to fewer than 40 characters has been lifted.
EP-5972 Fixed an issue that prevented inserting publishers with long names from being stored in the database.
EP-6556 Fixed an issue where some approval request columns were being exported with HTML tags when exporting to CSV.