VMware Carbon Black Cloud Linux Sensor 2.12 | 18 NOV 2021 | Build 2.12

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud Linux Sensor 2.12 includes the following improvements:

Enterprise EDR hash banning

This feature provides Enterprise EDR customers with the ability to ban process execution by hash.

Background scan

This feature enables a one-time scan of all files on an endpoint. Background scans can be enabled per policy or run on specific endpoints.

VDI improvements

The VDI workflow is enabled with the Linux 2.12 sensor. VDI auto re-registration simplifies the VDI security process for Horizon and Carbon Black Cloud admins.

VDI clones and re-registered devices inherit the policy of the primary image if one exists. Otherwise, clones and re-registered devices are assigned the Virtual Desktop policy or the Standard policy, in that order.

If an organization is using sensor groups, the new device will be moved to the appropriate policy when the metadata matches. See the Sensor Installation Guide for full VDI considerations and see the in-product User Guide for more information about sensor groups.

Installation improvements

This release adds installation options to the Linux sensor installer, including:

  • Placing the sensor in bypass after installation
  • Disabling Live Response
  • Registering the sensor without starting it
  • Setting the sensor policy during installation
  • Providing proxy server and port parameters to the install script

Learn more about these new installation options in the Sensor Installation Guide.

Verified sensor upgrade

This release enforces digital signature verification of future sensor upgrades. A sensor kit that cannot be verified will not be accepted as an upgrade by 2.12+ sensors. Sensors 2.11.2 and later are enabled for signature verification.

Distribution support changes

The 2.12 release ends support for the following Linux distribution versions:

  • RHEL/CentOS/Oracle 6
  • SLES 12 (SP2, SP3)
  • OpenSUSE 42.2, 42.3
  • Ubuntu 16.04

Resolved Issues

The following issues were fixed in this version of the software.

  • PSCLNX-9084: Ban_events were missing in some cases

  • PSCLNX-8488: Some file operations (renames) sometimes caused the agent to associate the wrong file with a path

  • PSCLNX-8333: Setting kptr_restrict=2 blocked kprobes on system calls

  • PSCLNX-8265: Operations could arrive out of order on multiple CPUs; the fix improves blocking efficacy

  • CBC-10551: OSquery binary version is upgraded to 5.0.1

  • CBC-9846: Libcurl library version is upgraded to 7.78

  • CBC-9725: OpenSSL library version is upgraded to 1.1.1l, the latest

  • CBC-9514: Libarchive library version is upgraded to 3.5.1

  • CBC-9513: Sqlite-ee library version is upgraded to 3.36

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

  • PSCLNX-9707: Software upgrade log messages are not handled gracefully with unsupported distributions (sensor version found: 2.12)

  • PSCLNX-3874: When the agent restarts successfully, Error[00000002 (00000002)] is reported (sensor version found: 2.6.0)

  • PSCLNX-2710: The sensor does not support uninstall from the Carbon Black Cloud (sensor version found: 2.6.0)

    To uninstall, issue the following commands:

    • For CentOS, RHEL, SUSE, or Amazon Linux:
      rpm -e cb-psc-sensor
    • For Ubuntu:
      dpkg --purge cb-psc-sensor

    Note: The agent will still be listed in the Registered Devices list on the backend after running the command unless you choose Take Action > Uninstall.

  • PSCLNX-455: The sensor only supports unauthenticated proxies (sensor version found: 2.6.0)

  • CB Defense: Endpoint Standard does not collect filemod, netconns, or scriptloads (sensor version found: 2.7.0)

  • Performance issues may occur when deploying the Carbon Black Cloud Linux sensor and the CB Response Linux sensor to the same endpoint (sensor version found: 2.6.0)

    Deploying the Carbon Black Cloud Linux sensor and the CB Response Linux sensor to the same endpoint is not recommended. There are no known interoperability issues when running both sensors; however, higher performance utilization occurs if both sensors are running on an endpoint.
