All

• DSEN-20053: Tamper protection rules

  Fixed a bug with tamper protection rules preventing use of VMware Horizon TrueSSO and other SSO solutions due to SAML authentication failures.

  Associated with EA-21419, EA-21439, EA-21550, EA-21628, EA-21781.

• DSEN-16957: Sensor upgrades

  Fixed an issue where sensors upgraded from the console would occasionally result in the sensor being stuck in bypass after upgrade, requiring a reboot to restore.

  Additional improvements may be needed to fully resolve this issue.

  Associated with EA-16960, EA-19286, EA-19589, EA-20328, EA-20631, EA-20859, EA-21061, EA-19027, EA-20814.

• DSEN-18601: Updated zlib software to v1.2.12

• DSEN-18733: Fixed an issue with sensor upgrades initiated through the console failing if the sensor was in bypass

  Associated with EA-20963.

• DSEN-19179: Fixed an issue with PowerShell fileless script rules blocking the use of the “-executionpolicy” command line option

  Associated with EA-21026.

• DSEN-19186: Microsoft Defender would sometimes classify psc_sensor.zip as a severe virus

  Fixed a bug where Microsoft Defender would sometimes classify psc_sensor.zip as a severe virus due to the plain text of the psc_yara_rules_classification_2.txt file included in the zip. This was observed with Windows 22H2 systems.

• DSEN-19475: CRL checking

  Now supports more relaxed CRL checking through the use of CURL_CRL_REVOKE_BEST_EFFORT = True command line option or CurlCrlRevokeBestEffort=True configuration setting within the cfg.ini file.

  Associated with EA-21261.

• DSEN-19952: Fixed a bug causing gray screens and login delays in RDP/VDI environments

  Associated with EA-21303, EA-21460, EA-21827.

• DSEN-20008: Fixed a buffer overrun issue that could lead to system crashes

  Associated with EA-21438.

• DSEN-20206: Upload rules

  Fixed an issue where endpoints enforced by a policy that had ever added upload rules would still enforce the upload rules even after they were deleted or the endpoint was moved to a policy that had no upload rules.

• DSEN-20353: Fixed an issue with the sensor preventing file rename operations due to sharing violations

  This issue could especially impact tools used on build servers from renaming temporary files.

  Associated with EA-21207, EA-21329, EA-21487, EA-21504, EA-21868.

• DSEN-20711: Fixed an issue with the sensor causing DPC/ISR latency

  Associated with EA-21376, EA-21741.

• UAV-2683: Fixed an interop issue with NPM compiler software

  Associated with EA-20875, EA-20922, EA-21378, EA-21698, EA-21797.

Endpoint Standard

Endpoint Standard and Enterprise EDR

Enterprise EDR

• UAV-2700: Fixed a bug with tamper protection rules incorrectly blocking execution of PowerShell scripts

  Associated with EA-21455, EA-21466, EA-21563.

All

• DSEN-17156: "CrashDumpEnabled" registry configuration resets to 1 on Defense Sensor reboot

  Any custom values used for the "CrashDumpEnabled" config setting is reset to 1 (Complete Memory Dump) on every reboot (restart of Defense Sensor).

• DSEN-8551: Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users (sensor version found: 3.8.0.398)

  Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users.

  Customers are encouraged to have a set of RepCLI users authenticated, and use those users for support sessions if there is a need to inspect this folder.

  These users could successfully access %programdata%\CarbonBlack through Explorer.exe.

• DSEN-18767, DSEN-18739: The .msi CLI option DELAY_SIG_DOWNLOAD does not work as expected (sensor version found 3.8.0.684)

• DSEN-17210: Sensor reports the system’s local user for “Installed By” information instead of the currently logged on user (sensor version found 3.8.0.684)

• DSEN-9577: Fileless script termination rules (sensor version found: 3.8.0.535)

  Fileless script termination rules should be applied to the parent process of the fileless script process, as the process executing the fileless script is the fileless script.

• DSEN-12808: Placing a machine into a sleep/suspended state can show the device as shutdown from the console (sensor version found: 3.8.0.535)

• DSEN-13482: Events show NT file path of dropped files (sensor version found: 3.7.0.1253)

• DSEN-15424: Performance issues on Windows 11 systems where WindowsSearch service is actively indexing files (sensor version found: 3.8.0.535)

• DSEN-18389: ProcessTamperAttempt alarms in RepCLI status (sensor version found: 3.8.0.535)

  The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events. These events likely do not constitute a true tamper attempt and just indicate that the sensor restricted read access to lsass.exe, which some applications will request even if they do not require that access. This behavior has been observed on Windows Defender and other products.

Endpoint Standard

• DSEN-12189: When a process is blocked from running, multiple block events can display in the console and local user interface (sensor version found: 3.8.0.535)

• DSEN-18307: TAU-provided detections and preventions can potentially conflict with the sensor’s own built-in detections and preventions (sensor version found 3.8.0.684)

  Carbon Black Cloud’s TAU-provided detections and preventions, such as credential theft alerts, can potentially conflict with the sensor’s own built-in detections and preventions and present multiple, conflicting events for the same endpoint operation. In this case, the sensor’s built-in logic takes precedence.

• DSEN-12202: Uninstalling by using the sensor removal tool can leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry (sensor version found: 3.8.0.535)

Endpoint Standard and Enterprise EDR

• DSEN-11116: Banned file names and paths are not captured correctly when launched through a WebDAV path (sensor version found: 3.8.0.535)