VMware Carbon Black Cloud Windows Sensor 18.104.22.1688 | 17 NOV 2021 | Build 22.214.171.1248
Check for additions and updates to these release notes.
VMware Carbon Black Cloud Windows Sensor 126.96.36.1998 includes the following improvements:
The following issues were fixed in this version of the software.
UAV-2154, EA-18733, EA-19153: AMSI rules were being bypassed in Windows Terminal and other containerized applications
DSEN-16642, EA-19844: Sensors could not exit Quarantine mode after losing network connectivity
DSEN-16429, DSEN-12463: Upgrades conducted by non-admin users could leave the sensor in an inoperable state
Upgrades conducted by non-admin users could leave the sensor in an inoperable state if the Windows registry was corrupted from a previous install or upgrade failure.
DSEN-16231, DSEN-14832: Windows 11 devices (running build 10.0.2200) displayed as Windows 10 in the Carbon Black Cloud console
DSEN-15324, EA-19302, EA-19398: Sensor misreported files being executed from Recycle Bin
DSEN-15157, EA-19374: In Endpoint Standard, a rare crash in repmgr could occur when the sensor was scanning files
DSEN-15013, DSEN-6805, EA-19223: Improved command line script detection
DSEN-14799, EA-19232: In Endpoint Standard, the sensor was not checking for bypass when enforcing Process Doppelgänging protections
DSEN-14721, EA-19615: The sensor could cause system crashes to occur with ctifile.sys
DSEN-14550, EA-18912: Updated default zip/compression settings for sensor events being stored on disk to reduce CPU consumption of the sensor
Updated default zip/compression settings for sensor events being stored on disk to reduce CPU consumption of the sensor. This settings change is intended to mitigate potential event loss due to proxy errors. However, sensor events being written to disk can see a 70% increase in file size/bandwidth compared to previous sensor versions. Event batch disk space usage remains 1GB by default.
DSEN-14184, EA-18800: End-user License Agreement has been updated to indicate the creation of canary files on successful sensor installations
DSEN-14134, EA-18111, EA-19331: Deleting a file failed in a redirected folder setup in Horizon VDI with DEM folder redirection
DSEN-13173, EA-17975, EA-18052: "Enable svchost.exe mitigation policy" setting
CbAMSI.dll is now WHQL signed to resolve issues where the sensor was blocked from loading CbAMSI.dll in svchost.exe processes if the "Enable svchost.exe mitigation policy" setting was turned on.
DSEN-12801, EA-19124: Improved suppression of “RepUx.exe - Bad Image” prompts when third party apps are blocked from injection attempts
DSEN-11416, EA-17516: The sensor was unable to decrypt proxy_creds with installations performed from system account context
DSEN-7625, EA-18519: Added ability to protect against aspx files executing on IIS
DSEN-5145: In Endpoint Standard, improved sensor behavior to check for policy updates prior to blocking actions
Improved sensor behavior to check for policy updates prior to blocking actions, to ensure that new policy rules set after process launch are enforced on long-running processes.
The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.
DSEN-16957: In rare instances, the sensor can switch to bypass mode post-upgrade (sensor version found: 188.8.131.528)
In rare instances, the sensor can switch to bypass mode post-upgrade. This is due to an issue unloading one of the drivers and has been seen more frequently on Windows Server 2019 systems. In such cases, a reboot is required to complete the upgrade and remove the bypass sensor state.
DSEN-17019, DSEN-16602: Repmgr.exe's parent process is a hash of all zeroes (sensor version found: 184.108.40.2068)
Beginning with 220.127.116.110, after install or upgrade you might see events or alerts where repmgr.exe's parent process is a hash of all zeroes.
This goes away after a reboot.
DSEN-16573: Explorer window might be closed (sensor version found: 18.104.22.1688)
If you have an open Explorer window that contains banned or malicious binaries, the Explorer window might be closed due to Explorer having those binaries mapped.
DSEN-15424: Performance issues on Windows 11 systems where WindowsSearch service is actively indexing files (sensor version found: 22.214.171.1248)
DSEN-14236, EA-18878: Windows events with error ID 5038 (sensor version found: 126.96.36.1998)
An issue with code integrity where the image hashes of some Carbon Black files being loaded are determined to be invalid, creating Windows events with error ID 5038.
DSEN-13482: Events show NT file path of dropped files (sensor version found: 188.8.131.523)
DSEN-12189: In Endpoint Standard, when a process is blocked from running, multiple block events can display in the console and local user interface (sensor version found: 184.108.40.2063)
DSEN-11116: In Endpoint Standard and Enterprise EDR, banned file names and paths are not captured correctly when launched through a WebDAV path (sensor version found: 220.127.116.113)
Sensor version found: 18.104.22.1683
DSEN-9577: Fileless script termination rules (sensor version found: 22.214.171.1248)
Fileless script termination rules should be applied to the parent process of the fileless script process, as the process executing the fileless script is the fileless script.
DSEN-8551: Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users (sensor version found: 126.96.36.1998)
Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users.
Customers are encouraged to have a set of RepCLI users authenticated, and use those users for support sessions if there is a need to inspect this folder.
These users could successfully access %programdata%\CarbonBlack through Explorer.exe.
DSEN-12202: In Endpoint Standard, uninstalling through the “sensor removal tool” may still leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry (sensor version found: 188.8.131.523)
DSEN-7416: After upgrading from Windows 7 x64 to 19H1, the endpoint might still report that the machine is running Windows 7 (sensor version found: 184.108.40.2063)
DSEN-1387: Background scan remains disabled on devices where VDI=1 was used (sensor version found: 220.127.116.113)
Background scan remains disabled on devices where VDI=1 was used. See https://community.carbonblack.com/docs/DOC-12001.