VMware Carbon Black Cloud 3.8.0.684 | 02 AUG 2022 | Build 3.8.0.684

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud Windows Sensor 3.8.0.684 includes bug fixes and improvements.

Resolved Issues

The following issues were fixed in this version of the software.

All

  • UAV-2627, EA-20911: High volume of AMSI events generated on Exchange Servers which could cause performance issues for the sensor

  • DSEN-20115, EA-21417: Sensor installs can fail to verify signature information if the Sectigo signing certificate is not added to the trust store of the operating system

    Steps to download and install the Sectigo signing certificate include:

    1. Download "AAA Certificate Services" (https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates)

    2. Download "SHA-2 Root : USERTrust RSA Certification Authority" (https://support.sectigo.com/articles/Knowledge/Sectigo-Intermediate-Certificates)

    3. Install the .crt file by double-clicking the certificate file.

  • DSEN-19781, EA-21372: Fixed an issue with sensor temp log files growing unbounded and failing to rename properly

  • DSEN-19728, EA-21289: Gathering signature information from binaries

    Fixed an issue with gathering signature information from binaries residing in the Windows side-by-side directory (WinSxS) that were installed before their external catalog files were registered.

  • DSEN-19634, EA-21244: System crashed when the sensor was unable to calculate Authenticode hashes

  • DSEN-18781, EA-20728: An application could get DELETE_PENDING error code if it checked for file existence immediately after deleting a file

  • DSEN-20056: Possible database corruption

    Fixed a bug in which database corruption could possibly occur when an endpoint running a v3.8 sensor version prior to v3.8.0.684, with a policy that contains Deny or Allow upload path rules, attempted to upgrade to a v3.8 sensor build prior to v3.8.0.684.
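
    For DSEN-20115 above, the following added example (not VMware or Sectigo tooling) checks whether the two named Sectigo roots are trusted on an endpoint before the sensor installer runs. It assumes the "trust store" is the machine-wide Trusted Root store (Cert:\LocalMachine\Root); the `$CertFolder` default and the `-Install` switch are hypothetical names chosen for this sketch.

```powershell
# Added example, not VMware tooling. Assumptions: the "trust store" is the
# machine-wide Trusted Root store, and downloaded .crt files sit in $CertFolder.
param(
    [string]$CertFolder = "$env:USERPROFILE\Downloads",  # hypothetical location
    [switch]$Install                                     # import missing roots (needs elevation)
)

$requiredRoots = 'AAA Certificate Services', 'USERTrust RSA Certification Authority'
$now = Get-Date

foreach ($name in $requiredRoots) {
    # A root counts as present only if its CN matches and it is inside its validity window.
    $trusted = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
        $_.GetNameInfo('SimpleName', $false) -eq $name -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now
    })
    if ($trusted.Count -gt 0) {
        Write-Output "OK       $name  thumbprint=$($trusted[0].Thumbprint)"
        continue
    }

    # Not trusted yet: look for a matching self-signed certificate among the downloads.
    $candidate = Get-ChildItem -Path $CertFolder -Include *.crt, *.cer -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.FullName) }
            catch { return }   # skip files that are not parseable certificates
            if ($cert.GetNameInfo('SimpleName', $false) -eq $name -and $cert.Subject -eq $cert.Issuer) {
                [pscustomobject]@{ Path = $_.FullName; Thumbprint = $cert.Thumbprint }
            }
        } | Select-Object -First 1

    if (-not $candidate) {
        Write-Warning "MISSING  $name  (no matching file under $CertFolder)"
    }
    elseif ($Install) {
        # Verify the thumbprint out of band before trusting a new root.
        Import-Certificate -FilePath $candidate.Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        Write-Output "IMPORTED $name  thumbprint=$($candidate.Thumbprint)"
    }
    else {
        Write-Warning "MISSING  $name  candidate=$($candidate.Path) thumbprint=$($candidate.Thumbprint)"
    }
}
```

    Run without `-Install` to report only; the self-signed check keeps a cross-signed intermediate with the same common name from being placed in the root store.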

Endpoint Standard

Endpoint Standard and Enterprise EDR

  • DSEN-19538, EA-20386: Upload exclusions configured on the Uploads section of the Prevention tab on the policies page can now be used to exclude UBS file uploads

    Please contact VMware Carbon Black support if you want this feature enabled.

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

All

  • DSEN-20206: Enforced upload rules (sensor version found 3.8.0.684)

    Endpoints governed by a policy that has ever had upload parameters added can continue to enforce the upload rules even after the rules are deleted or the endpoint is moved to a policy that has no upload rules.

    To work around the issue, you can update a policy to temporarily maintain at least one fake or non-existent path in the upload directory rules, to prevent previously deleted upload rules from being enforced.

  • DSEN-8551: Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users (sensor version found: 3.8.0.398)

    Customers are encouraged to have a set of RepCLI users authenticated, and use those users for support sessions if there is a need to inspect this folder.

    These users could successfully access %programdata%\CarbonBlack through Explorer.exe.

  • DSEN-20053: Tamper protection rules included with 3.8.0.684 can cause VMware Horizon True SSO to fail (sensor version found 3.8.0.684)

    This can be worked around by adding an Allow rule for Memory Scraping for c:\program files\vmware\vmware view\agent\bin\wsnm.exe.

  • DSEN-19186: Microsoft Defender can classify psc_sensor.zip as a severe virus (sensor version found 3.8.0.684)

    Microsoft Defender can classify psc_sensor.zip as a severe virus due to the plain text of the psc_yara_rules_classification_2.txt file included in the zip. This was observed with Windows 22H2 systems.

  • DSEN-18767, DSEN-18739: The .msi CLI option DELAY_SIG_DOWNLOAD does not work as expected (sensor version found 3.8.0.684)

  • DSEN-17210: Sensor reports the system’s local user for “Installed By” information instead of the currently logged on user (sensor version found 3.8.0.684)

  • DSEN-16957: Sensors upgraded from the CBC console can occasionally result in the sensor being stuck in bypass (sensor version found 3.8.0.684)

    Due to a race condition, sensors upgraded from the CBC console can occasionally result in the sensor being stuck in bypass after upgrade, requiring a reboot to restore.

  • DSEN-9577: Fileless script termination rules (sensor version found: 3.8.0.535)

    Fileless script termination rules should be applied to the parent process of the fileless script process, as the process executing the fileless script is the fileless script.

  • DSEN-12808: Placing a machine into a sleep/suspended state can show the device as shutdown from the console (sensor version found: 3.8.0.535)

  • DSEN-13482: Events show NT file path of dropped files (sensor version found: 3.7.0.1253)

  • DSEN-15424: Performance issues on Windows 11 systems where WindowsSearch service is actively indexing files (sensor version found: 3.8.0.535)

  • DSEN-18389: ProcessTamperAttempt alarms in RepCLI status (sensor version found: 3.8.0.535)

    The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events. These events likely do not constitute a true tamper attempt and just indicate that the sensor restricted read access to lsass.exe, which some applications will request even if they do not require that access. This behavior has been observed on Windows Defender and other products.

  • DSEN-18733: Sensor upgrades initiated through the console may fail for upgrade requests sent while the sensor is in bypass due to the inability to validate the file hash of the sensor upgrade installer (sensor version found: 3.8.0.627)

    You can work around this problem by temporarily removing the sensor from its bypass state before upgrading. SCCM/GPO and manual upgrades initiated directly on the endpoint are not impacted.

Endpoint Standard

  • DSEN-12189: When a process is blocked from running, multiple block events can display in the console and local user interface (sensor version found: 3.8.0.535)

  • DSEN-18307: TAU-provided detections and preventions can potentially conflict with the sensor’s own built-in detections and preventions (sensor version found 3.8.0.684)

    Carbon Black Cloud’s TAU-provided detections and preventions, such as credential theft alerts, can potentially conflict with the sensor’s own built-in detections and preventions and present multiple, conflicting events for the same endpoint operation. In this case, the sensor’s built-in logic takes precedence.

  • DSEN-12202: Uninstalling by using the sensor removal tool can leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry (sensor version found: 3.8.0.535)

Endpoint Standard and Enterprise EDR

  • DSEN-11116: Banned file names and paths are not captured correctly when launched through a WebDAV path (sensor version found: 3.8.0.535)
