VMware Carbon Black Cloud 3.8.0.722 | 07 SEP 2022 | Build 3.8.0.722

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud Windows Sensor 3.8.0.722 includes bug fixes and improvements.

Resolved Issues

The following issues were fixed in this version of the software.

All

  • UAV-2683: Fixed an interop issue with NPM compiler software

    Associated with EA-20875, EA-20922, EA-21378, EA-21698, EA-21797.

  • DSEN-20711: Fixed an issue with the sensor causing DPC/ISR latency

    Associated with EA-21376, EA-21741.

  • DSEN-20353: Fixed an issue with the sensor preventing file rename operations due to sharing violations

    This issue could especially prevent tools used on build servers from renaming temporary files.

    Associated with EA-21207, EA-21329, EA-21487, EA-21504, EA-21868.

  • DSEN-20206: Upload rules

    Fixed an issue where endpoints governed by a policy that had ever included upload rules would continue to enforce those rules even after the rules were deleted or the endpoint was moved to a policy that had no upload rules.

  • DSEN-20008: Fixed a buffer overrun issue that could lead to system crashes

    Associated with EA-21438.

  • DSEN-19952: Fixed a bug causing gray screens and login delays in RDP/VDI environments

    Associated with EA-21303, EA-21460, EA-21827.

  • DSEN-19475: CRL checking

    The sensor now supports more relaxed CRL checking through the CURL_CRL_REVOKE_BEST_EFFORT = True command line option or the CurlCrlRevokeBestEffort=True configuration setting in the cfg.ini file.

    Associated with EA-21261.

  • DSEN-19186: Microsoft Defender would sometimes classify psc_sensor.zip as a severe virus

    Fixed a bug where Microsoft Defender would sometimes classify psc_sensor.zip as a severe virus due to the plain text of the psc_yara_rules_classification_2.txt file included in the zip. This was observed with Windows 22H2 systems.

  • DSEN-19179: Fixed an issue with PowerShell fileless script rules blocking the use of the “-executionpolicy” command line option

    Associated with EA-21026.

  • DSEN-18733: Fixed an issue with sensor upgrades initiated through the console failing if the sensor was in bypass

    Associated with EA-20963.

  • DSEN-18601: Updated zlib software to v1.2.12

  • DSEN-16957: Sensor upgrades

    Fixed an issue where sensor upgrades initiated from the console would occasionally leave the sensor stuck in bypass after the upgrade, requiring a reboot to restore it.

    Additional improvements may be needed to fully resolve this issue.

    Associated with EA-16960, EA-19286, EA-19589, EA-20328, EA-20631, EA-20859, EA-21061, EA-19027, EA-20814.

  • DSEN-20053: Tamper protection rules

    Fixed a bug with tamper protection rules preventing use of VMware Horizon TrueSSO and other SSO solutions due to SAML authentication failures.

    Associated with EA-21419, EA-21439, EA-21550, EA-21628, EA-21781.

Endpoint Standard

Endpoint Standard and Enterprise EDR

Enterprise EDR

  • UAV-2700: Fixed a bug with tamper protection rules incorrectly blocking execution of PowerShell scripts

    Associated with EA-21455, EA-21466, EA-21563.

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

All

  • DSEN-8551: Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users (sensor version found: 3.8.0.398)

    Customers are encouraged to have a set of RepCLI users authenticated, and use those users for support sessions if there is a need to inspect this folder.

    These users could successfully access %programdata%\CarbonBlack through Explorer.exe.

  • DSEN-18767, DSEN-18739: The .msi CLI option DELAY_SIG_DOWNLOAD does not work as expected (sensor version found: 3.8.0.684)

  • DSEN-17210: Sensor reports the system’s local user for “Installed By” information instead of the currently logged on user (sensor version found: 3.8.0.684)

  • DSEN-9577: Fileless script termination rules (sensor version found: 3.8.0.535)

    Fileless script termination rules should be applied to the parent process of the fileless script process, as the process executing the fileless script is the fileless script.

  • DSEN-12808: Placing a machine into a sleep/suspended state can show the device as shutdown from the console (sensor version found: 3.8.0.535)

  • DSEN-13482: Events show NT file path of dropped files (sensor version found: 3.7.0.1253)

  • DSEN-15424: Performance issues on Windows 11 systems where WindowsSearch service is actively indexing files (sensor version found: 3.8.0.535)

  • DSEN-18389: ProcessTamperAttempt alarms in RepCLI status (sensor version found: 3.8.0.535)

    The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events. These events likely do not constitute a true tamper attempt; they indicate only that the sensor restricted read access to lsass.exe, which some applications request even if they do not require that access. This behavior has been observed with Windows Defender and other products.

Endpoint Standard

  • DSEN-12189: When a process is blocked from running, multiple block events can display in the console and local user interface (sensor version found: 3.8.0.535)

  • DSEN-18307: TAU-provided detections and preventions can potentially conflict with the sensor’s own built-in detections and preventions (sensor version found: 3.8.0.684)

    Carbon Black Cloud’s TAU-provided detections and preventions, such as credential theft alerts, can potentially conflict with the sensor’s own built-in detections and preventions and present multiple, conflicting events for the same endpoint operation. In this case, the sensor’s built-in logic takes precedence.

  • DSEN-12202: Uninstalling by using the sensor removal tool can leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry (sensor version found: 3.8.0.535)

Endpoint Standard and Enterprise EDR

  • DSEN-11116: Banned file names and paths are not captured correctly when launched through a WebDAV path (sensor version found: 3.8.0.535)
