VMware Carbon Black Cloud 2.13 | 22 MAR 2022 | Build 2.13.0.905643
Check for additions and updates to these release notes.
VMware Carbon Black Cloud Linux Sensor 2.13 includes the following improvements:
Linux Efficacy
This feature provides RepCLI support and a local reputation checker. RepCLI is a command-line tool that the superuser can use to administer the sensor locally. For more information about RepCLI commands and their usage, see Managing Sensors by using RepCLI in the VMware Carbon Black Cloud User Guide.
This feature also provides the ability to verify the reputation of hashes and binaries against the related database prior to cloud lookup. The Linux sensor uses various reputation sources to determine the reputation of a binary. The 2.13.0 CBC Linux sensor adds a reputation checker based on secure crypto (maintained by the OS package manager) as one more reputation source. On a FIPS-enabled operating system, we use this additional source only when the OS provides support for FIPS-compliant secure crypto.
Quarantine
This feature unlocks migrations from hosted/on-prem to Enterprise EDR and improves the overall security posture of Linux on Carbon Black Cloud. It includes support for quarantining a Linux endpoint from the CBC console. Quarantine blocks all network traffic on the endpoint except for the connections that are required to communicate with the Carbon Black Cloud console. This helps isolate the Linux endpoint from the rest of the network and reduces the risk of spreading malicious content throughout the network.
Sensor Performance Enhancements
This feature enables the customer to run the sensor on large systems without performance degradation.
Public Cloud Workload Protection Initiative
This feature enables Carbon Black Cloud Linux sensor support on AWS EC2 instances. All the EC2 instances that are launched using a custom AMI will auto-register as a separate device on the cloud backend. This simplifies the security process for AWS and Carbon Black Cloud administrators.
Distribution Support Changes
The 2.13 release adds support for the following new Linux distribution versions:
The following issues were fixed in this version of the software.
PSCLNX-10057: OpenSSL version was updated to resolve vulnerabilities
PSCLNX-9782, EA-19192: OSQuery was left running even after the timeout was reached
PSCLNX-9726: Ubuntu installer failed to create the blades directory
PSCLNX-9662, EA-19958: Bulk behavior was causing disk to fill up
PSCLNX-9282: Log directory “not empty” warning message was seen while uninstalling on Ubuntu
PSCLNX-9023, EA-19192: Sensor rebooted unexpectedly multiple times with error messages
CBC-11435: Expedited mode of local scan failed if it was triggered from the user interface
PSCLNX-9671: Installation failed on CentOS/RHEL FIPS-enabled endpoints
PSCLNX-10110: Upgrade to latest sensor failed on CentOS/RHEL FIPS-enabled endpoints
CBC-11966, EA-19859: Event collector resulted in high memory usage in case of a larger event rate
This caused memory alarms on Ubuntu 18.0.5.
PSCLNX-3874: When the agent restarts successfully, Error[00000002 (00000002)] is reported (sensor version found: 2.6.0)
PSCLNX-455: The sensor only supports unauthenticated proxies (sensor version found: 2.6.0)
CB Defense: Endpoint Standard does not collect filemod, netconns, or scriptloads (sensor version found: 2.7.0)
Performance issues may occur when deploying the Carbon Black Cloud Linux sensor and the CB Response Linux sensor to the same endpoint (sensor version found: 2.6.0)
Deploying the Carbon Black Cloud Linux sensor and the CB Response Linux sensor to the same endpoint is not recommended. There are no known interoperability issues when running both sensors; however, higher performance utilization occurs if both sensors are running on an endpoint.
The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.
PSCLNX-10216: Upgrade from Linux sensor version 2.7.1 and older is unsuccessful (sensor version found: 2.13)
The workaround is to uninstall the sensor and reinstall the latest version.
PSCLNX-10199: 5.14 kernel is not supported on BPF probe (sensor version found: 2.13)
PSCLNX-9707: Software upgrade log messages are not handled gracefully with unsupported distributions (sensor version found: 2.12)
PSCLNX-2710: The sensor does not support uninstall from the Carbon Black Cloud (sensor version found: 2.6.0)
The sensor does not support uninstall from the Carbon Black Cloud. To uninstall, issue the command for the endpoint's package manager (rpm on RPM-based distributions, dpkg on Debian-based distributions):
rpm -e cb-psc-sensor
dpkg --purge cb-psc-sensor
Note: The agent will still be listed in the Registered Devices list on the backend after running the command unless you choose Take Action > Uninstall.