VMware Carbon Black Cloud 3.8.0.535 | 22 MAR 2022 | Build 3.8.0.535

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud Windows Sensor 3.8.0.535 includes bug fixes and improvements.

Note: The Known Issues section is updated as of 4 April 2022.

Resolved Issues

The following issues were fixed in this version of the software.

  • DSEN-14134, EA-18111, EA-19331: Deleting a file could fail in a redirected folder setup in Horizon VDI with DEM folder redirection

  • DSEN-14942, EA-19404: The system could crash when system resources were low and memory allocations were failing

  • DSEN-16422: Added BIOS UUID based auto re-registrations for vSphere client based clones

  • DSEN-16674, EA-17717: Login delays in VDI environments

  • DSEN-16734, EA-20003: Improved sensor’s persisting and restoring of kernel classifications on repmgr restarts

  • DSEN-16796, EA-19962: Performance degradation with reading of .bat files

  • DSEN-16957: In rare instances, the sensor switched to bypass mode post-upgrade

    Includes EA-16960, EA-19027, EA-19286, EA-19589, EA-20328, EA-20631

  • DSEN-16981: ETW manifest registration errors caused sensor installations to fail

    Includes EA-19799, EA-20252, EA-20740

  • DSEN-17019, DSEN-16602: Events/alerts where repmgr.exe's parent process was a hash of all zeroes

  • DSEN-17030, EA-20716: File metadata gathering on virtual volumes

    Fixed several issues with file metadata gathering on virtual volumes that do not have unique volume serial numbers, which can lead to enforcement issues.

  • DSEN-17176, EA-20131: Added support to skip possible sharing violation cases for network location files

    Added support to skip possible sharing violation cases for network location files by setting the config prop PreventAccessViolationForNetworkFiles to true (default is false). This change is intended to help improve the overall performance for applications that modify files on network drives using handles that do not share read access.

  • DSEN-17184: Normalization of network files during a rename operation

  • DSEN-17192, EA-20358: System crashed when the sensor scanned malformed files

  • DSEN-17290, EA-20413: Events were being reported for early start services with bypass permissions

  • DSEN-17342, EA-20318: Endpoint Standard - Sensor now provides the name of the script interpreter as part of the event detail when loaded by an application

  • DSEN-17591, EA-20368: Audit and Remediation - REG_BINARY keys failed to populate proper type and data when queried using Live Response

  • UAV-2438: Improved overall performance with machines conducting lots of uninteresting registry or file operations

    Includes EA-20491, EA-20515, EA-20505

  • UAV-2453: The system could crash under rare circumstances if multiple threads were accessing the same file in parallel

    Includes EA-20216, EA-20269, EA-20336, EA-20344, EA-20405

  • UAV-2477: Sensor now reports the on-disk hash of script files in addition to the AMSI content hash for AMSI reported events

    Includes EA-18137, EA-19524, EA-19682, EA-19815, EA-20448, EA-20418, EA-20743

  • UAV-2496, EA-20504: Sensor could stop processing events while under high load

  • UAV-2517, EA-20659, EA-20426: Endpoint Standard - Large number of alerts

    A large number of alerts were generated with Windows sensors around Wordpad.exe attempting to inject code into other processes via SetWindowsHookEx when launched from the WinSxS directory.

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

  • DSEN-17156: "CrashDumpEnabled" registry configuration resets to 1 on Defense Sensor reboot

    Any custom value used for the "CrashDumpEnabled" config setting is reset to 1 (Complete Memory Dump) on every reboot (restart of Defense Sensor).

  • DSEN-18585: Reported blue screen issues (sensor version found: 3.8.0.535)

    Reported blue screen issues after upgrading from v3.8.0.398, or uninstalling v3.8.0.535, on Windows 7 and Windows Server 2008 R2 machines.

    Please follow our User Exchange post for the latest details regarding workarounds and resolution: https://community.carbonblack.com/t5/Announcements/Critical-issue-with-Windows-sensor-3-8-0-535-on-Windows-7-and/td-p/112074

  • DSEN-13482: Events show NT file path of dropped files (sensor version found: 3.7.0.1253)

  • DSEN-8551: Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users (sensor version found: 3.8.0.398)

    Customers are encouraged to have a set of RepCLI users authenticated, and use those users for support sessions if there is a need to inspect this folder.

    These users could successfully access %programdata%\CarbonBlack through Explorer.exe.

  • DSEN-15424: Performance issues on Windows 11 systems where WindowsSearch service is actively indexing files (sensor version found: 3.8.0.535)

  • DSEN-14236, EA-18878: Windows events with error ID 5038 (sensor version found: 3.8.0.535)

    Issue with code integrity where the image hash of some Carbon Black files being loaded is determined to not be valid, which creates Windows events with error ID 5038.

  • DSEN-12202: Endpoint Standard - Uninstalling by using the sensor removal tool can leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry (sensor version found: 3.8.0.535)

  • DSEN-11116: Endpoint Standard, Enterprise EDR - Banned file names and paths are not captured correctly when launched through a WebDAV path (sensor version found: 3.8.0.535)

  • DSEN-12808: Placing a machine into a sleep/suspended state can show the device as shutdown from the console (sensor version found: 3.8.0.535)

  • DSEN-12189: Endpoint Standard - When a process is blocked from running, multiple block events can display in the console and local user interface (sensor version found: 3.8.0.535)

  • DSEN-9577: Fileless script termination rules (sensor version found: 3.8.0.535)

    Fileless script termination rules should be applied to the parent process of the fileless script process, as the process executing the fileless script is the fileless script.

  • DSEN-17728: The sensor will not check for an alternate proxy in response to a content download failure from content.carbonblack.io

  • DSEN-18389: ProcessTamperAttempt alarms in RepCLI status (sensor version found: 3.8.0.535)

    The sensor can show ProcessTamperAttempt alarms in RepCLI status output and log events, which indicate that it blocked msmpeng.exe from accessing lsass.exe when Windows Defender is active.
