VMware Carbon Black Cloud 3.9.0.2357 | 15 DEC 2022 | Build 3.9.0.2357

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud Windows Sensor 3.9.0.2357 includes bug fixes and improvements.

  • New ARM64 sensor package for Windows

    This new sensor package supports ARM-based systems running Windows 11 OS versions. For full details on ARM64 support and functionality, please review the Operating Environment Requirements page.

    • Note: This sensor package will be made generally available at a later date in the 3.9.0 sensor release rollout.

  • Added support for cb_sensor_curl table for improved sensor comms management

    DSEN-17397

    • Use this table to verify whether a sensor can connect to the CBC backend. This table provides an alternative to the curl table that osquery provides.

    • The cb_sensor_curl table uses Schannel and the operating system’s certificate store, so it does not require a PEM file to reach HTTPS addresses.

  • Extend malware deletion behavior to also remove any scheduled tasks that were configured to run the malware

    DSEN-14519

  • Sensor now reports network pipe opens within Enterprise EDR

    DSEN-13366

Resolved Issues

All

  • UAV-2731: Addressed an issue causing system crashes to occur

    This was primarily observed on Windows Server 2012 R2 systems.

    Associated with: EA-21830, EA-21839, EA-21887.

  • DSEN-20893: Addressed an issue with the sensor causing delays with Microsoft Management Console (MMC) snap-in with Active Directory Users and Computers (ADUC)

    Associated with: EA-21376.

  • DSEN-13282: Fixed an issue preventing sensor upgrades in hardened environments

    Associated with: EA-18012.

  • DSEN-17161: Addressed an issue causing periodic performance spikes with CPU

    Issues were primarily observed in VDI environments.

    Associated with: EA-21486.

  • DSEN-17343: Fixed an issue with catalog signed files being marked as “not signed”

    Associated with: EA-21565.

  • DSEN-17815: Addressed an issue with sensor’s retrieval of certificate information

    Associated with: EA-21868.

  • DSEN-20632: Fixed an issue with the sensor not checking for proxy connections when reregistering

    Associated with: EA-21686, EA-22350.

  • DSEN-8551: Fixed an issue for accessing the sensor installation

    Attempts to access the sensor installation directories in non-elevated Explorer windows were blocked if the user was not a member of the authenticated RepCLI users.

  • DSEN-13660: Fixed an issue with files larger than 512Mb not uploading

    Associated with: EA-18662.

  • DSEN-13949: Addressed an issue with delayed logins and black screens occurring when attempting to login to Citrix VMs

    Associated with: EA-18552, EA-19591, EA-20445, EA-20428, EA-20747, EA-21827, EA-21303, EA-21460.

  • DSEN-14768: Addressed an issue where blank alerts appeared in the console with no associated data

    Associated with: EA-19197.

  • DSEN-15565: Supports configurable heuristic detection

    Associated with: EA-19461, EA-19709.

  • DSEN-16777: Addressed performance issues with applications that frequently open files with the CREATE_ALWAYS flag

    Applications commonly use the CREATE_ALWAYS flag for opening log files.

    Associated with: EA-19367.

  • DSEN-16886: .msi installation requires Admin permissions to launch

    Additionally, log locations have been migrated from the user’s temp directory to the system’s temp directory (c:\Windows\temp).

  • DSEN-17397: Added support for cb_sensor_curl table for improved sensor comms management

    Associated with: EA-20606.

  • DSEN-17629: Added BlockPopupTimeoutMs config prop to adjust display time for local endpoint notifications

  • DSEN-17630: Addressed an issue that removed hashes from the sensor's reputation database, while active processes on the system were still using that hash / reputation

    This issue led to events occurring from that process to report an unknown reputation.

    Associated with: EA-20557, EA-21585, EA-20535.

  • DSEN-17783: Fixed an issue where sensors might enforce improperly or report inaccurate information about files that resided on recently added volumes

    Additionally, fixed an issue with events incorrectly showing the NT file path of dropped files on volumes using a valid DOS drive letter.

    Associated with: EA-20619, EA-19300.

  • DSEN-18791: Addressed a performance issue impacting virtual machines hosted in Citrix Xen server/VMware ESX servers that could cause significant delays with launching a new session

    Virtual environments still experiencing performance-related issues with launching new sessions might be able to leverage the config prop DefaultTimestampType=1 to temporarily work around the issue while awaiting further improvements in a future sensor release. Please open a case with CB Support if you are experiencing performance issues in your virtual environment to see if this config prop might help you.

    Associated with: EA-21053, EA-21199, EA-19983, EA-21690, EA-21282, EA-21783.

  • DSEN-19017: Fixed an issue that did not delete directories due to the sensor analyzing files within the directory

    Associated with: EA-20120.

  • DSEN-19055: Fixed an issue where duplicate sensor entries appeared for sensors failing to install properly

    In this scenario the sensor would rollback/uninstall but failed to deregister from the console.

    Associated with: EA-20917.

  • DSEN-19062: Fixed an issue that triggered false positive OSNotSupported alarms

    Associated with: EA-21120.

  • DSEN-19317: Addressed an issue with sensors unable to use repcli functionality when ctifile.sys is not running

    Associated with: EA-20814, EA-21137.

  • DSEN-19776: Fixed an issue with the sensor causing delays

    The sensor caused lengthy delays in launching internet browsers, and shorter delays in loading individual web pages. The issue occurred after installing a browser or performing a browser update.

    Associated with: EA-21098.

  • DSEN-19945: Fixed interoperability issues with the tedfs file system driver (tedfs.sys)

    Applications were not able to access files on that file system.

    Associated with: EA-18798.

  • DSEN-20121: Fixed an issue causing system crashes to occur

    This issue occurred on 32-bit versions of Windows 10 with FAILURE_BUCKET_ID: 0x7f_8_STACK_USAGE_IMAGE_ctifile.sys

    Associated with: EA-21516.

  • DSEN-20153: Fixed an issue with the “Total Files Processed” field of a background scan incorrectly reporting “0” total files processed after sensor restarts

    Associated with: EA-21385.

Endpoint Standard

  • DSEN-12202: Fixed an issue where uninstalling by using the sensor removal tool could leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry

    Please note, the sensor removal tool is not provided as part of the CBC Windows sensor release.

  • DSEN-12874: Improved the sensor’s deferred injection handling to address interoperability issues

    This caused problems with the Digital Guardian product.

    Associated with: EA-17866.

  • DSEN-16372: Fixed an issue causing significant delays when attempting to change permissions on directories with lots of files

    Associated with: EA-19931.

  • DSEN-20151: Fixed an issue with AV signatures updates failing when using a local mirror server

    Associated with: EA-21521.

  • DSEN-20711: Improved the overhead of Endpoint Standard network event collection and enforcement

    Associated with: EA-21741, EA-21376.

  • DSEN-20714: Fixed an issue with blocking applications with external catalog signatures despite having a trusted certificate

    Associated with: DSEN-17343, EA-21565, EA-20621, EA-20293.

  • DSEN-21070: Fixed an issue where the sensor injects code into another process that could terminate or block an application that opens handles to itself

    This was seen to impact Microsoft Office applications that use "Save As" as well as some Java applications such as javainjectorservice.exe.

    Associated with: EA-21824, EA-21942.

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

All

  • DSEN-17156: "CrashDumpEnabled" registry configuration resets to 1 on Defense Sensor reboot

    Any custom value used for the "CrashDumpEnabled" config setting is reset to 1 (Complete Memory Dump) on every reboot (restart of Defense Sensor).

  • DSEN-22731: 3.9.0.2357 Windows sensor applies a lower default value to configuration setting

    The 3.9.0.2357 Windows sensor applies a lower default value to the LogonUserInfoCacheSuggestedMaxSize configuration setting to mitigate system crashes occurring on machines with a high volume of user logons, such as terminal servers. Performance impacts may occur on terminal servers running the 3.9.0.2357 sensor due to this configuration enforcement.

  • DSEN-22427: osquery might crash when querying `windows_eventlog` in any sensor version that supports the `windows_eventlog` table

    The affected environment is Windows 10 21H1 x64 with any sensor version that includes osquery 4.5.0 or higher.

  • DSEN-21878: False positives

    Some processes including \windows\system32\audiodg.exe and \program files\microsoft office\root\office16\msoia.exe might still trigger false positives for the rule Detect PEB command line modification.

  • DSEN-21771: Windows Server 2019 endpoints might require a reboot after upgrade in order to apply full protection

    This is due to an issue unloading the ctinet.sys WFP network driver on Windows Server 2019 systems. In such cases, you must reboot to complete the upgrade. Failure to reboot after the upgrade might result in loss of visibility into network events and lack of network enforcement.

  • DSEN-18389: The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events

    These events do not constitute a true tamper attempt and indicate that the sensor blocked msmpeng.exe from accessing lsass.exe when Windows Defender is active.

  • DSEN-18181: Duplicate Credential Theft alerts might appear when procdump creates a memory dump for lsass.exe

  • DEN-18066: A domain connected machine might sometimes appear with just hostname instead of domain\hostname format

    This can impact the ability to conduct a CIS scan on eligible domain servers which might appear as “not assessed”.

  • DSEN-17210: The sensor reports the system’s local user for “Installed By” information instead of the currently logged on user

  • DSEN-15424: Performance issues on Windows 11 systems where WindowsSearch service actively indexes files

  • DSEN-12808: Placing a machine into a sleep/suspended state can still show the device as active from the console

    Associated with: DSER-39219.

  • DSEN-9577: Fileless script termination rules

    Apply fileless script termination rules to the parent process of the fileless script process, as the process executing the fileless script is the fileless script.

Endpoint Standard

  • DSEN-18307: In Endpoint Standard, TAU conflicts with the sensor

    Carbon Black Cloud’s TAU provided detections and preventions, such as credential theft alerts, can potentially conflict with the sensor’s own built-in detections and preventions and present multiple, conflicting events for the same endpoint operation. In this case, the sensor’s built-in logic takes precedence.

    Sensor version found: 3.8.0.684

  • DSEN-12189: In Endpoint Standard, when a process is blocked from running, multiple block events can display in the console and local user interface

    Sensor version found: 3.7.0.1253

Audit & Remediation

  • DSEN-15828: Live queries are limited to Windows default cmdline character length of 32,767 characters

ARM64

  • DSEN-21308: Unsupported MSI/GPO

    Due to a Microsoft bug with MSI/GPO currently not supporting the ARM platform, the ARM64 sensor does not support MSI/GPO installations at this time.

  • DSEN-21311: Assertions detected when previously attempting to launch a .vbs or .msi file from a previously connected OneDrive location
