VMware Carbon Black Cloud 3.8.0.627 | 13 MAY 2022 | Build 3.8.0.627
Check for additions and updates to these release notes.
VMware Carbon Black Cloud Windows Sensor 3.8.0.627 includes bug fixes and improvements.
Improvements include:
DSEN-17728: Improved sensor’s ability to manage content download when connected through a proxy
DSEN-17948: Improved interoperability when kernel32.dll address was rebased in memory
Related to: EA-20022
DSEN-18338: Updated osquery to version 5.2.3
UAV-2573: Improved Event Batch Upload failure handling to use the backend-provided RetryAfter value, or a default value of 5 minutes if one is not specified
Related to: EA-20785
The following issues were fixed in this version of the software.
DSEN-18155: Non-RepMgr process logging
Fixed an issue where Non-RepMgr process logging grew unbounded, resulting in large log files that failed to get removed.
This includes logs like CbRepWSC.log, scanhost.log, LiveQuery.log, LiveResponse.log, vhostcomms.log, or upd.log.
Related to: EA-21131
UAV-2553: Fixed a bug causing performance degradation on directory rename operations
Related to: EA-20723
DSEN-17381: Fixed a bug with Repux pop-ups missing information related to blocking and actionable details when triggered by certain Tamper Protection rule behavior
Related to: EA-20107
DSEN-17747: Fixed an interop issue between ctifile.sys and CtxUvi.sys (used in Citrix Desktop as a Service) resulting in system hangs and login issues
Related to: EA-20296
DSEN-18078: Fixed a bug where temporary Excel files were not being deleted while excel.exe is in full bypass
Related to: EA-20423
DSEN-18477: Fixed a bug with Microsoft-signed system files (specifically files without a .exe, .dll, or .sys extension) failing to get a trusted signature state
Related to: EA-19566
DSEN-18585: Fixed a bug with the 3.8.0.535 sensor causing blue screen system crashes on Windows 7 (x64) and Windows Server 2008 R2 machines
For additional information please refer to our User Exchange post: https://community.carbonblack.com/t5/Carbon-Black-Cloud-Discussions/Critical-issue-with-Windows-sensor-3-8-0-535-on-Windows-7-x64/m-p/112104#M1612
DSEN-18649: Fixed a bug with updating network policies for processes reusing the PID of a previously terminated process from an older policy
Related to: EA-20781
The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.
DSEN-17156: "CrashDumpEnabled" registry configuration resets to 1 on Defense Sensor reboot
Any custom value used for the "CrashDumpEnabled" config setting is reset to 1 (Complete Memory Dump) on every reboot (restart of Defense Sensor).
DSEN-8551: Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users (sensor version found: 3.8.0.398)
Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users.
Customers are encouraged to have a set of RepCLI users authenticated, and use those users for support sessions if there is a need to inspect this folder.
These users could successfully access %programdata%\CarbonBlack through Explorer.exe.
DSEN-9577: Fileless script termination rules (sensor version found: 3.8.0.535)
Fileless script termination rules should be applied to the parent process of the fileless script process, as the process executing the fileless script is the fileless script.
DSEN-12808: Placing a machine into a sleep/suspended state can show the device as shut down from the console (sensor version found: 3.8.0.535)
DSEN-13482: Events show NT file path of dropped files (sensor version found: 3.7.0.1253)
DSEN-14236, EA-18878: Windows events with error ID 5038 (sensor version found: 3.8.0.535)
Issue with code integrity where the image hash of some Carbon Black files being loaded is determined to be invalid, which creates Windows events with error ID 5038.
DSEN-15424: Performance issues on Windows 11 systems where WindowsSearch service is actively indexing files (sensor version found: 3.8.0.535)
DSEN-18389: ProcessTamperAttempt alarms in RepCLI status (sensor version found: 3.8.0.535)
The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events. These events likely do not constitute a true tamper attempt and just indicate that the sensor restricted read access to lsass.exe, which some applications will request even if they do not require that access. This behavior has been observed on Windows Defender and other products.
DSEN-18733: Sensor upgrades initiated through the console may fail for upgrade requests sent while the sensor is in bypass due to the inability to validate the file hash of the sensor upgrade installer (sensor version found: 3.8.0.627)
You can work around this problem by temporarily removing the sensor from its bypass state before upgrading. SCCM/GPO and manual upgrades initiated directly on the endpoint are not impacted.
DSEN-12189: When a process is blocked from running, multiple block events can display in the console and local user interface (sensor version found: 3.8.0.535)
DSEN-12202: Uninstalling by using the sensor removal tool can leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry (sensor version found: 3.8.0.535)
DSEN-11116: Banned file names and paths are not captured correctly when launched through a WebDAV path (sensor version found: 3.8.0.535)