VMware Carbon Black Cloud Windows Sensor 3.8.0.398 | 17 NOV 2021 | Build 3.8.0.398

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud Windows Sensor 3.8.0.398 includes the following improvements:

  • Enterprise EDR (EEDR) Windows sensors now detect and report associated API information relating to Windows cross process events (previously available in Endpoint Standard-enabled environments only). Users can now search on crossproc_api events within the admin console in EEDR-only environments.
  • New OSquery extensions are added for improved collection of sensor diagnostics and endpoint configuration information. New tables include information pertaining to sensor counters, sensor files, sensor processes, sensor status, known devices, and much more. See the VMware Carbon Black Cloud User Guide for more information on our Live Query Extension Tables.
  • Sensor Upgrade Limit Increase - The number of concurrent updates is 25% of the total organization size, with a minimum of 25 sensors and a maximum of 500 sensors. For more information please see the View Progress of Sensor Updates section of the VMware Carbon Black Cloud User Guide. This applies to all Windows sensor upgrades going forward regardless of sensor version. As of the 3.7.0.1411 (MR1) build, Windows sensors respond to upgrade requests more promptly.
  • VDI Improvements - File hashes calculated on Golden VM images are reused for associated VDI clones, which saves host resources (disk IO and CPU) and generally improves VM boot and login times. This feature can be enabled in VDI environments by setting the FileCachePersistenceState configuration property to "3". See the VMware Carbon Black Cloud Sensor Installation Guide for more information on Horizon Golden Image Considerations for Carbon Black Windows Sensors.

Resolved Issues

The following issues were fixed in this version of the software.

  • UAV-2154, EA-18733, EA-19153: AMSI rules were being bypassed in Windows Terminal and other containerized applications

  • DSEN-16642, EA-19844: Sensors could not exit Quarantine mode after losing network connectivity

  • DSEN-16429, DSEN-12463: Upgrades conducted by non-admin users could leave the sensor in an inoperable state

    Upgrades conducted by non-admin users could leave the sensor in an inoperable state if the Windows registry was corrupted from a previous install or upgrade failure.

  • DSEN-16231, DSEN-14832: Windows 11 devices (running build 10.0.22000) displayed as Windows 10 in the Carbon Black Cloud console

  • DSEN-15324, EA-19302, EA-19398: Sensor misreported files being executed from Recycle Bin

  • DSEN-15157, EA-19374: In Endpoint Standard, a rare crash in repmgr could occur when the sensor was scanning files

  • DSEN-15013, DSEN-6805, EA-19223: Improved command-line script detection

  • DSEN-14799, EA-19232: In Endpoint Standard, the sensor was not checking for bypass when enforcing Process Doppelgänging protections

  • DSEN-14721, EA-19615: The sensor could cause system crashes involving ctifile.sys

  • DSEN-14550, EA-18912: Updated default zip/compression settings for sensor events being stored on disk to reduce CPU consumption of the sensor

    Updated default zip/compression settings for sensor events being stored on disk to reduce CPU consumption of the sensor. This settings change is intended to mitigate potential event loss due to proxy errors. However, sensor events being written to disk can see a 70% increase in file size/bandwidth compared to previous sensor versions. Event batch disk space usage remains 1GB by default.

  • DSEN-14184, EA-18800: End-user License Agreement has been updated to indicate the creation of canary files on successful sensor installations

  • DSEN-14134, EA-18111, EA-19331: Deleting a file failed in a redirected folder setup in Horizon VDI with DEM folder redirection

  • DSEN-13173, EA-17975, EA-18052: "Enable svchost.exe mitigation policy" setting

    CbAMSI.dll is now WHQL signed to resolve issues where the sensor was blocked from loading CbAMSI.dll in svchost.exe processes if the "Enable svchost.exe mitigation policy" setting was turned on.

  • DSEN-12801, EA-19124: Improved suppression of “RepUx.exe - Bad Image” prompts when third party apps are blocked from injection attempts

  • DSEN-11416, EA-17516: The sensor was unable to decrypt proxy_creds with installations performed from system account context

  • DSEN-7625, EA-18519: Added ability to protect against aspx files executing on IIS

  • DSEN-5145: In Endpoint Standard, improved sensor behavior to check for policy updates prior to blocking actions

    Improved sensor behavior to check for policy updates prior to blocking actions to ensure long-running processes are enforced via new policy rules set after process launch.

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

  • DSEN-16957: In rare instances, the sensor can switch to bypass mode post-upgrade (sensor version found: 3.8.0.398)

    In rare instances, the sensor can switch to bypass mode post-upgrade. This is due to an issue unloading one of the drivers and has been seen more frequently on Windows Server 2019 systems. In such cases, a reboot is required to complete the upgrade and take the sensor out of bypass.

  • DSEN-17019, DSEN-16602: Repmgr.exe's parent process is a hash of all zeroes (sensor version found: 3.8.0.398)

    Beginning with 3.8.0.370, after install or upgrade you might see events or alerts where repmgr.exe's parent process is a hash of all zeroes.

    This goes away after a reboot.

  • DSEN-16573: Explorer window might be closed (sensor version found: 3.8.0.398)

    If you have an open Explorer window that contains banned or malicious binaries, the Explorer window might be closed due to Explorer having those binaries mapped.

  • DSEN-15424: Performance issues on Windows 11 systems where WindowsSearch service is actively indexing files (sensor version found: 3.8.0.398)

  • DSEN-14236, EA-18878: Windows events with error ID 5038 (sensor version found: 3.8.0.398)

    Code Integrity determines that the image hash of some Carbon Black files being loaded is not valid and logs a Windows event with error ID 5038 for each such load.
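    Event 5038 ("Code integrity determined that the image hash of a file is not valid") is also what a genuinely tampered binary produces, so the events should not simply be suppressed. The following PowerShell is an added example, not Carbon Black's code: it pulls the flagged image path out of each event and separates the sensor's own images, which this known issue covers, from any other image, which still deserves a look. The sample events are constructed to stand in for Get-WinEvent output so the script runs offline; the "File Name:" message layout and the assumption that sensor binaries live under a CarbonBlack or Confer directory (or are the ctifile.sys driver named above) are not taken from these notes.

```powershell
# Added example; not Carbon Black's code. Triage Security-log events with ID 5038
# and separate the sensor's own images (this known issue) from everything else.
# Assumptions not taken from the release notes: the event message carries the
# path on a "File Name:" line, and sensor binaries live under a CarbonBlack or
# Confer directory or are the ctifile.sys driver named in these notes.

function Get-FlaggedImagePath {
    param([Parameter(Mandatory)][string]$Message)
    # (?m) makes ^ and $ match per line; the template tab-separates label and path.
    if ($Message -match '(?m)^\s*File Name:\s*(?<path>\S.*?)\s*$') { return $Matches['path'] }
    return $null
}

function Test-SensorImagePath {
    param([Parameter(Mandatory)][string]$Path)
    # Heuristic only: adjust to the install layout actually in use.
    return [bool]($Path -match '\\(CarbonBlack|Confer)\\' -or $Path -match '\\ctifile\.sys$')
}

function Get-CodeIntegrity5038Report {
    # Each event object needs TimeCreated and Message, as Get-WinEvent provides.
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Events)
    foreach ($e in $Events) {
        $path = Get-FlaggedImagePath -Message $e.Message
        if (-not $path) { continue }
        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            Image         = $path
            IsSensorImage = Test-SensorImagePath -Path $path
        }
    }
}

# Constructed sample events standing in for Get-WinEvent output, so this runs offline.
$template = "Code integrity determined that the image hash of a file is not valid. " +
            "The file could be corrupt due to unauthorized modification or the invalid hash " +
            "could indicate a potential disk device error.`r`n`r`nFile Name:`t{0}"
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2021-11-18 09:12:03'; Message = $template -f '\Device\HarddiskVolume3\Windows\System32\drivers\ctifile.sys' }
    [pscustomobject]@{ TimeCreated = Get-Date '2021-11-18 09:12:05'; Message = $template -f '\Device\HarddiskVolume3\Program Files\Confer\RepMgr.exe' }
    [pscustomobject]@{ TimeCreated = Get-Date '2021-11-18 11:40:17'; Message = $template -f '\Device\HarddiskVolume3\Windows\System32\contoso.dll' }
)
Get-CodeIntegrity5038Report -Events $sample | Format-Table -AutoSize

# On a live endpoint (elevated PowerShell with Security log access), feed the real events in instead:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038 } -MaxEvents 500 -ErrorAction SilentlyContinue
# Get-CodeIntegrity5038Report -Events $live | Where-Object { -not $_.IsSensorImage } | Format-Table -AutoSize
```

    The paths in these events are NT device paths; to check a flagged file, map the \Device\HarddiskVolumeN prefix to its drive letter and run Get-AuthenticodeSignature on it. An image whose Authenticode signature verifies is consistent with this known issue; one whose signature does not verify should be treated as possible tampering rather than noise.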

  • DSEN-13482: Events show NT file path of dropped files (sensor version found: 3.7.0.1253)

  • DSEN-12189: In Endpoint Standard, when a process is blocked from running, multiple block events can display in the console and local user interface (sensor version found: 3.7.0.1253)

  • DSEN-11116: In Endpoint Standard and Enterprise EDR, banned file names and paths are not captured correctly when launched through a WebDAV path (sensor version found: 3.7.0.1253)

  • DSEN-9577: Fileless script termination rules (sensor version found: 3.8.0.398)

    Fileless script termination rules should be applied to the parent process of the fileless script process, because the process that executes a fileless script is itself the fileless script process.

  • DSEN-8551: Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users (sensor version found: 3.8.0.398)

    Customers are encouraged to have a set of RepCLI users authenticated, and to use those users for support sessions if there is a need to inspect this folder.

    Those users can access %programdata%\CarbonBlack through Explorer.exe.

  • DSEN-12202: In Endpoint Standard, uninstalling through the “sensor removal tool” may still leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry (sensor version found: 3.7.0.1253)
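    Windows Security Center reads the Provider\AV key to decide which antivirus products are registered, so a stale entry left behind by the removal tool can leave the endpoint reporting protection that is no longer installed. The following PowerShell is an added example, not Carbon Black's code: it lists every entry under that key and flags the ones that still look like the Carbon Black sensor, without deleting anything. The regex used to recognise a leftover entry ("Carbon Black", "Confer" or "CB Defense" in the value data) is an assumption, not something the release notes state.

```powershell
# Added example; not Carbon Black's code. After running the sensor removal tool,
# list what is still registered under the Security Center AV provider key and flag
# entries that look like the Carbon Black sensor. Read-only: nothing is deleted.
# Assumption not taken from the release notes: a leftover entry can be recognised
# by "Carbon Black", "Confer" or "CB Defense" appearing in its value data.

function Get-SecurityCenterAvProviders {
    param([string]$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\SecurityCenter\Provider\AV')
    if (-not (Test-Path -Path $ProviderKey)) { return @() }
    foreach ($sub in Get-ChildItem -Path $ProviderKey) {
        $props = Get-ItemProperty -Path $sub.PSPath
        # Flatten the value data so one regex can inspect every string in the entry;
        # the PS* properties are PowerShell provider metadata, not registry values.
        $data = ($props.PSObject.Properties |
                 Where-Object { $_.Name -notmatch '^PS' } |
                 ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        [pscustomobject]@{
            Entry            = $sub.PSChildName
            Data             = $data
            LooksLikeCbCloud = [bool]($data -match 'Carbon ?Black|Confer|CB ?Defense')
        }
    }
}

# Read-only check; run from an elevated prompt after the removal tool and a reboot.
$leftover = Get-SecurityCenterAvProviders | Where-Object { $_.LooksLikeCbCloud }
if ($leftover) {
    Write-Warning "Stale Security Center AV provider entries remain:"
    $leftover | Format-Table -AutoSize
} else {
    Write-Host "No Carbon Black entries remain under the Security Center AV provider key."
}
```

    Remove a stale subkey deliberately (Remove-Item on that specific subkey from an elevated prompt) only after confirming from its value data that it belongs to the removed sensor; the other entries under this key belong to whatever antivirus products are still installed.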

  • DSEN-7416: After upgrading from Windows 7 x64 to 19H1, the endpoint might still report that the machine is running Windows 7 (sensor version found: 3.7.0.1253)

  • DSEN-1387: Background scan remains disabled on devices where VDI=1 was used (sensor version found: 3.7.0.1253)

    Background scan remains disabled on devices where VDI=1 was used. See https://community.carbonblack.com/docs/DOC-12001.
