VMware Carbon Black Cloud 3.8.0.627 | 13 MAY 2022 | Build 3.8.0.627

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud Windows Sensor 3.8.0.627 includes bug fixes and improvements.

Improvements include:

  • DSEN-17728: Improved sensor’s ability to manage content download when connected through a proxy

  • DSEN-17948: Improved interoperability when kernel32.dll address was rebased in memory

    Related to: EA-20022

  • DSEN-18338: Updated osquery to version 5.2.3

  • UAV-2573: Improved Event Batch Upload failure handling to use the backend-provided RetryAfter value, or a default value of 5 minutes if one is not specified

    Related to: EA-20785

Resolved Issues

The following issues were fixed in this version of the software.

All

  • DSEN-18155: Non-RepMgr process logging

    Fixed an issue where non-RepMgr process logging grew unbounded, resulting in large log files that were not removed.

    This includes logs like CbRepWSC.log, scanhost.log, LiveQuery.log, LiveResponse.log, vhostcomms.log, or upd.log.

    Related to: EA-21131

  • UAV-2553: Fixed a bug causing performance degradation on directory rename operations

    Related to: EA-20723

  • DSEN-17381: Fixed a bug with Repux pop-ups missing information related to blocking and actionable details when triggered by certain Tamper Protection rule behavior

    Related to: EA-20107

  • DSEN-17747: Fixed an interop issue between ctifile.sys and CtxUvi.sys (used in Citrix Desktop as a Service) resulting in system hangs and login issues

    Related to: EA-20296

  • DSEN-18078: Fixed a bug where temporary Excel files were not being deleted while excel.exe is in full bypass

    Related to: EA-20423

  • DSEN-18477: Fixed a bug with Microsoft-signed system files (specifically files without a .exe, .dll, or .sys extension) failing to get a trusted signature state

    Related to: EA-19566

  • DSEN-18585: Fixed a bug with the 3.8.0.535 sensor causing blue screen system crashes on Windows 7 (x64) and Windows Server 2008 R2 machines

Endpoint Standard

  • DSEN-18649: Fixed a bug with updating network policies for processes reusing the PID of a previously terminated process from an older policy

    Related to: EA-20781

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

All

  • DSEN-17156: "CrashDumpEnabled" registry configuration resets to 1 on Defense Sensor reboot

    Any custom value used for the "CrashDumpEnabled" config setting is reset to 1 (Complete Memory Dump) on every reboot (restart of Defense Sensor).

  • DSEN-8551: Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users (sensor version found: 3.8.0.398)

    Customers are encouraged to have a set of RepCLI users authenticated, and use those users for support sessions if there is a need to inspect this folder.

    These users could successfully access %programdata%\CarbonBlack through Explorer.exe.

  • DSEN-9577: Fileless script termination rules (sensor version found: 3.8.0.535)

    Fileless script termination rules should be applied to the parent process of the fileless script process, as the process executing the fileless script is the fileless script.

  • DSEN-12808: Placing a machine into a sleep/suspended state can show the device as shutdown from the console (sensor version found: 3.8.0.535)

  • DSEN-13482: Events show NT file path of dropped files (sensor version found: 3.7.0.1253)

  • DSEN-14236, EA-18878: Windows events with error ID 5038 (sensor version found: 3.8.0.535)

    Issue with code integrity where the image hash of some Carbon Black files being loaded is determined to be invalid, which creates Windows events with error ID 5038.

  • DSEN-15424: Performance issues on Windows 11 systems where WindowsSearch service is actively indexing files (sensor version found: 3.8.0.535)

  • DSEN-18389: ProcessTamperAttempt alarms in RepCLI status (sensor version found: 3.8.0.535)

    The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events. These events likely do not constitute a true tamper attempt and just indicate that the sensor restricted read access to lsass.exe, which some applications will request even if they do not require that access. This behavior has been observed on Windows Defender and other products.

  • DSEN-18733: Sensor upgrades initiated through the console may fail for upgrade requests sent while the sensor is in bypass due to the inability to validate the file hash of the sensor upgrade installer (sensor version found: 3.8.0.627)

    You can work around this problem by temporarily removing the sensor from its bypass state before upgrading. SCCM/GPO and manual upgrades initiated directly on the endpoint are not impacted.

Endpoint Standard

  • DSEN-12189: When a process is blocked from running, multiple block events can display in the console and local user interface (sensor version found: 3.8.0.535)

  • DSEN-12202: Uninstalling by using the sensor removal tool can leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry (sensor version found: 3.8.0.535)

Endpoint Standard and Enterprise EDR

  • DSEN-11116: Banned file names and paths are not captured correctly when launched through a WebDAV path (sensor version found: 3.8.0.535)
