Carbon Black Cloud 2.16.0 | 24 June 2024 | Build 2.16.0.2566828 Check for additions and updates to these release notes. |
The 2.16.0 Carbon Black Cloud Linux Sensor is a minor release that includes several new features and OS distribution updates.
This sensor release also addresses defects found in the previous releases.
OS Distribution Updates
Support for the following minor OS updates is also included as part of this release:
RHEL 8.10, 9.3
Oracle RHCK 8.10, 9.3
Rocky 8.9, 8.10, 9.3
Alma 8.9, 8.10, 9.3
Ubuntu 22.04.4
Debian 11.9, 12.5
Ubuntu 22.04.3 with kernel 6.5
SUSE 15 SP6
openSUSE 15.6
Inline Blocking
Carbon Black Cloud Linux Sensor now offers enhanced prevention capabilities by providing a mechanism for blocking malware on its very first execution. Prior to this release, blocking of executables using hash banning relied on the sensor knowing the reputation of a binary. As a result, the first execution of any malware would go through, and the sensor would only kill the process at a later point.
The Inline Blocking feature, when turned on, completely blocks malware from running. This feature is disabled by default and can be turned on by checking the toggle titled “Block known bad files before execution” in the policy page for custom policies. The Inline Blocking toggle is enabled by default for Advanced and Standard policies. This feature does not support network/remote file systems. This feature is supported for Endpoint Standard only.
Signing sensor kits with SHA256 keys
The sensor kits are now signed with the SHA256 key only. The SHA1 key is completely deprecated. Sensor upgrade logic validates the integrity of the package using this key. With this release, the upgrade logic will allow SHA256-signed packages only.
This section lists the defects that were resolved in the 2.16.0 Carbon Black Cloud Linux Sensor.
CBC-29584: Fixed an issue where the output of the “repcli status” command was missing the “Local Scan Info” section (EA-23263)
CBC-31494: Fixed an issue where the user was not able to uninstall the Linux sensor using the Uninstall action from the console
PSCLNX-12137: Fixed an issue where the installer was throwing an error message for kernel versions with specific formats (7 components in the patch version after “-”, e.g. 3.10.0-1160.83.1.0.1.el7.x86_64) (EA-22997)
This error was misleading since the installation and subsequent sensor functionality were working fine on such versions.
PSCLNX-13267: Fixed an issue where the sensor was reporting system name when multiple users were logged in (EA-23685)
With this release, the sensor will start reporting the last logged-in user in this scenario.
This section lists the known issues and limitations present in the Carbon Black Cloud 2.16.0 Linux Sensor.
PSCLNX-10923: Sensor might have some leftover files running after sensor shutdown
PSCLNX-10980: On kernel module distros, banned binaries are not allowed to execute even after the sensor shutdown
The expected behavior is for the sensor to allow the blocked binary after sensor shutdown.
PSCLNX-11089: A banned script results in a "Failed to terminate" error message
Execution of a banned script results in a "Failed to terminate" error message in the threat hunter logs, and generates duplicate alerts.
PSCLNX-13306: Container context missing from the alert
If a binary inside the container is executed from outside using the container engine exec command, the container context is missing from the alert.