VMware Carbon Black Cloud 3.8.0.535 | 22 MAR 2022 | Build 3.8.0.535
Check for additions and updates to these release notes.
VMware Carbon Black Cloud Windows Sensor 3.8.0.535 includes bug fixes and improvements.
Note: The Known Issues section is updated as of 4 April 2022.
The following issues were fixed in this version of the software.
DSEN-14134, EA-18111, EA-19331: Deleting a file could fail in a redirected folder setup in Horizon VDI with DEM folder redirection
DSEN-14942, EA-19404: The system could crash when system resources were low and memory allocations were failing
DSEN-16422: Added BIOS UUID based auto re-registrations for vSphere client based clones
DSEN-16674, EA-17717: Login delays in VDI environments
DSEN-16734, EA-20003: Improved sensor’s persisting and restoring of kernel classifications on repmgr restarts
DSEN-16796, EA-19962: Performance degradation with reading of .bat files
DSEN-16957: In rare instances, the sensor switched to bypass mode post-upgrade
Includes EA-16960, EA-19027, EA-19286, EA-19589, EA-20328, EA-20631
DSEN-16981: ETW manifest registration errors caused sensor installations to fail
Includes EA-19799, EA-20252, EA-20740
DSEN-17019, DSEN-16602: Events/alerts where repmgr.exe's parent process was a hash of all zeroes
DSEN-17030, EA-20716: File metadata gathering on virtual volumes
Fixed several issues with file metadata gathering on virtual volumes that do not have unique volume serial numbers, which can lead to enforcement issues.
DSEN-17176, EA-20131: Added support to skip possible sharing violation cases for network location files
Added support to skip possible sharing violation cases for network location files by setting the config prop PreventAccessViolationForNetworkFiles to true (default is false). This change is intended to improve overall performance for applications that modify files on network drives using handles that do not share read access.
DSEN-17184: Normalization of network files during a rename operation
DSEN-17192, EA-20358: System crashed when the sensor scanned malformed files
DSEN-17290, EA-20413: Events were being reported for early start services with bypass permissions
DSEN-17342, EA-20318: Endpoint Standard - Sensor now provides the name of the script interpreter as part of the event detail when loaded by an application
DSEN-17591, EA-20368: Audit and Remediation - REG_BINARY keys failed to populate proper type and data when queried using Live Response
UAV-2438: Improved overall performance with machines conducting lots of uninteresting registry or file operations
Includes EA-20491, EA-20515, EA-20505
UAV-2453: The system could crash under rare circumstances if multiple threads were accessing the same file in parallel
Includes EA-20216, EA-20269, EA-20336, EA-20344, EA-20405
UAV-2477: Sensor now reports the on-disk hash of script files in addition to the AMSI content hash for AMSI reported events
Includes EA-18137, EA-19524, EA-19682, EA-19815, EA-20448, EA-20418, EA-20743
UAV-2496, EA-20504: Sensor could stop processing events while under high load
UAV-2517, EA-20659, EA-20426: Endpoint Standard - Large number of alerts
A large number of alerts were generated with Windows sensors around Wordpad.exe attempting to inject code into other processes via SetWindowsHookEx when launched from the WinSxS directory.
The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.
DSEN-17156: "CrashDumpEnabled" registry configuration resets to 1 on Defense Sensor reboot
Any custom value used for the "CrashDumpEnabled" config setting is reset to 1 (Complete Memory Dump) on every reboot (restart of Defense Sensor).
DSEN-18585: Reported blue screen issues (sensor version found: 3.8.0.535)
Reported blue screen issues after upgrading from v3.8.0.398, or uninstalling v3.8.0.535, on Windows 7 and Windows Server 2008 R2 machines.
Please follow our User Exchange post for the latest details regarding workarounds and resolution: https://community.carbonblack.com/t5/Announcements/Critical-issue-with-Windows-sensor-3-8-0-535-on-Windows-7-and/td-p/112074
DSEN-13482: Events show NT file path of dropped files (sensor version found: 3.7.0.1253)
DSEN-8551: Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users (sensor version found: 3.8.0.398)
Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users.
Customers are encouraged to have a set of RepCLI users authenticated, and use those users for support sessions if there is a need to inspect this folder.
These users could successfully access %programdata%\CarbonBlack through Explorer.exe.
DSEN-15424: Performance issues on Windows 11 systems where WindowsSearch service is actively indexing files (sensor version found: 3.8.0.535)
DSEN-14236, EA-18878: Windows events with error ID 5038 (sensor version found: 3.8.0.535)
Issue with code integrity where the image hash of some Carbon Black files being loaded is determined to be not valid, which creates Windows events with error ID 5038.
DSEN-12202: Endpoint Standard - Uninstalling by using the sensor removal tool can leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry (sensor version found: 3.8.0.535)
DSEN-11116: Endpoint Standard, Enterprise EDR - Banned file names and paths are not captured correctly when launched through a WebDAV path (sensor version found: 3.8.0.535)
DSEN-12808: Placing a machine into a sleep/suspended state can show the device as shutdown from the console (sensor version found: 3.8.0.535)
DSEN-12189: Endpoint Standard - When a process is blocked from running, multiple block events can display in the console and local user interface (sensor version found: 3.8.0.535)
DSEN-9577: Fileless script termination rules (sensor version found: 3.8.0.535)
Fileless script termination rules should be applied to the parent process of the fileless script process, as the process executing the fileless script is the fileless script.
DSEN-17728: The sensor will not check for an alternate proxy in response to a content download failure from content.carbonblack.io
DSEN-18389: ProcessTamperAttempt alarms in RepCLI status (sensor version found: 3.8.0.535)
The sensor can show ProcessTamperAttempt alarms in RepCLI status output and log events, which indicate that it blocked msmpeng.exe from accessing lsass.exe when Windows Defender is active.