VMware Carbon Black Cloud 3.9.0.2357 | 15 DEC 2022 | Build 3.9.0.2357
Check for additions and updates to these release notes.
VMware Carbon Black Cloud Windows Sensor 3.9.0.2357 includes bug fixes and improvements.
New ARM64 sensor package for Windows
This new sensor package supports ARM-based systems running Windows 11 OS versions. For full details on ARM64 support and functionality, please review the Operating Environment Requirements page.
Note: This sensor package will be made generally available at a later date in the 3.9.0 sensor release rollout.
Added support for cb_sensor_curl table for improved sensor comms management
DSEN-17397
Use this table to verify whether a sensor can connect to the CBC backend. This table provides an alternative to the curl table that osquery provides.
The cb_sensor_curl table uses schannel and the operating system’s certificate store, so it does not require a PEM file to reach HTTPS addresses.
Extend malware deletion behavior to also remove any scheduled tasks that were configured to run the malware
DSEN-14519
Sensor now reports network pipe opens within Enterprise EDR
DSEN-13366
UAV-2731: Addressed an issue causing system crashes to occur
This was primarily observed on Windows Server 2012 R2 systems.
Associated with: EA-21830, EA-21839, EA-21887.
DSEN-20893: Addressed an issue with the sensor causing delays with Microsoft Management Console (MMC) snap-in with Active Directory Users and Computers (ADUC)
Associated with: EA-21376.
DSEN-13282: Fixed an issue preventing sensor upgrades in hardened environments
Associated with: EA-18012.
DSEN-17161: Addressed an issue causing periodic performance spikes with CPU
Issues were primarily observed in VDI environments.
Associated with: EA-21486.
DSEN-17343: Fixed an issue with catalog signed files being marked as “not signed”
Associated with: EA-21565.
DSEN-17815: Addressed an issue with sensor’s retrieval of certificate information
Associated with: EA-21868.
DSEN-20632: Fixed an issue with the sensor not checking for proxy connections when reregistering
Associated with: EA-21686, EA-22350.
DSEN-8551: Fixed an issue for accessing the sensor installation
Attempts to access the sensor installation directories in non-elevated Explorer windows were blocked if the user was not a member of the authenticated RepCLI users.
DSEN-13660: Fixed an issue with files larger than 512Mb not uploading
Associated with: EA-18662.
DSEN-13949: Addressed an issue with delayed logins and black screens occurring when attempting to login to Citrix VMs
Associated with: EA-18552, EA-19591, EA-20445, EA-20428, EA-20747, EA-21827, EA-21303, EA-21460.
DSEN-14768: Addressed an issue where blank alerts appeared in the console with no associated data
Associated with: EA-19197.
DSEN-15565: Supports configurable heuristic detection
Associated with: EA-19461, EA-19709.
DSEN-16777: Addressed performance issues with applications that frequently open files with the CREATE_ALWAYS flag
Applications commonly use the CREATE_ALWAYS flag for opening log files.
Associated with: EA-19367.
DSEN-16886: .msi installation requires Admin permissions to launch
Additionally, log locations have been migrated from the user’s temp directory to the system’s temp directory (c:\Windows\temp).
DSEN-17397: Added support for cb_sensor_curl table for improved sensor comms management
Associated with: EA-20606.
DSEN-17629: Added BlockPopupTimeoutMs config prop to adjust display time for local endpoint notifications
DSEN-17630: Addressed an issue that removed hashes from the sensor's reputation database, while active processes on the system were still using that hash / reputation
This issue led to events occurring from that process to report an unknown reputation.
Associated with: EA-20557, EA-21585, EA-20535.
DSEN-17783: Fixed an issue where sensors might enforce improperly or report inaccurate information about files that resided on recently added volumes
Additionally, fixed an issue with events incorrectly showing the NT file path of dropped files on volumes using a valid DOS drive letter.
Associated with: EA-20619, EA-19300.
DSEN-18791: Addressed a performance issue impacting virtual machines hosted in Citrix Xen server/VMware ESX servers that could cause significant delays with launching a new session
Virtual environments still experiencing performance related issues with launching new sessions might be able to leverage the config prop DefaultTimestampType=1 to temporarily work around the issue while awaiting further improvements in a future sensor release. Please open a case with CB Support if you are experiencing performance issues in your virtual environment to see if this config prop might help you.
Associated with: EA-21053, EA-21199, EA-19983, EA-21690, EA-21282, EA-21783.
DSEN-19017: Fixed an issue that did not delete directories due to the sensor analyzing files within the directory
Associated with: EA-20120.
DSEN-19055: Fixed an issue where duplicate sensor entries appeared for sensors failing to install properly
In this scenario the sensor would rollback/uninstall but failed to deregister from the console.
Associated with: EA-20917.
DSEN-19062: Fixed an issue that triggered false positive OSNotSupported alarms
Associated with: EA-21120.
DSEN-19317: Addressed an issue with sensors unable to use repcli functionality when ctifile.sys is not running
Associated with: EA-20814, EA-21137.
DSEN-19776: Fixed an issue with the sensor causing delays
The sensor caused lengthy delays in launching internet browsers, and shorter delays in loading individual web pages. The issue occurred after installing a browser or performing a browser update.
Associated with: EA-21098.
DSEN-19945: Fixed interoperability issues with the tedfs file system driver (tedfs.sys)
Applications were not able to access files on that file system.
Associated with: EA-18798.
DSEN-20121: Fixed an issue causing system crashes to occur
This issue occurred on 32-bit versions of Windows 10 with FAILURE_BUCKET_ID: 0x7f_8_STACK_USAGE_IMAGE_ctifile.sys
Associated with: EA-21516.
DSEN-20153: Fixed an issue with the “Total Files Processed” field of a background scan incorrectly reporting “0” total files processed after sensor restarts
Associated with: EA-21385.
DSEN-12202: Fixed an issue where uninstalling by using the sensor removal tool could leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry
Please note, the sensor removal tool is not provided as part of the CBC Windows sensor release.
DSEN-12874: Improved the sensor’s deferred injection handling to address interoperability issues
This caused problems with the Digital Guardian product.
Associated with: EA-17866.
DSEN-16372: Fixed an issue causing significant delays when attempting to change permissions on directories with lots of files
Associated with: EA-19931.
DSEN-20151: Fixed an issue with AV signatures updates failing when using a local mirror server
Associated with: EA-21521.
DSEN-20711: Improved the overhead of Endpoint Standard network event collection and enforcement
Associated with: EA-21741, EA-21376.
DSEN-20714: Fixed an issue with blocking applications with external catalog signatures despite having a trusted certificate
Associated with: DSEN-17343, EA-21565, EA-20621, EA-20293.
DSEN-21070: Fixed an issue where the sensor injects code into another process that could terminate or block an application that opens handles to itself
This was seen to impact Microsoft Office applications that use "Save As" as well as some Java applications such as javainjectorservice.exe.
Associated with: EA-21824, EA-21942.
The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.
DSEN-17156: "CrashDumpEnabled" registry configuration resets to 1 on Defense Sensor reboot
Any custom value used for the "CrashDumpEnabled" config setting is reset to 1 (Complete Memory Dump) on every reboot (restart of Defense Sensor).
DSEN-22731: 3.9.0.2357 Windows sensor applies a lower default value to configuration setting
The 3.9.0.2357 Windows sensor applies a lower default value to the LogonUserInfoCacheSuggestedMaxSize configuration setting to mitigate system crashes occurring on machines with a high volume of user logons, such as terminal servers. Performance impacts may occur on terminal servers running the 3.9.0.2357 sensor due to this configuration enforcement.
DSEN-22427: osquery might crash when querying `windows_eventlog` in any sensor version that supports the `windows_eventlog` table
The affected environment is Windows 10 21H1 x64 and any sensor version with osquery 4.5.0 or higher.
DSEN-21878: False positives
Some processes including \windows\system32\audiodg.exe and \program files\microsoft office\root\office16\msoia.exe might still trigger false positives for the rule Detect PEB command line modification.
DSEN-21771: Windows Server 2019 endpoints might require a reboot after upgrade in order to apply full protection
This is due to an issue unloading the ctinet.sys WFP network driver on Windows Server 2019 systems. In such cases, you must reboot to complete the upgrade. Failure to reboot post upgrade might result in loss of visibility into network events and lack of network enforcement.
DSEN-18389: The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events
These events do not constitute a true tamper attempt and indicate that the sensor blocked msmpeng.exe from accessing lsass.exe when Windows Defender is active.
DSEN-18181: Duplicate Credential Theft alerts might appear when procdump creates a memory dump for lsass.exe
DEN-18066: A domain connected machine might sometimes appear with just hostname instead of domain\hostname format
This can impact the ability to conduct a CIS scan on eligible domain servers which might appear as “not assessed”.
DSEN-17210: The sensor reports the system’s local user for “Installed By” information instead of the currently logged on user
DSEN-15424: Performance issues on Windows 11 systems where WindowsSearch service actively indexes files
DSEN-12808: Placing a machine into a sleep/suspended state can still show the device as active from the console
Associated with: DSER-39219.
DSEN-9577: Fileless script termination rules
Apply fileless script termination rules to the parent process of the fileless script process, as the process executing the fileless script is the fileless script.
DSEN-18307: In Endpoint Standard, TAU conflicts with the sensor
Carbon Black Cloud’s TAU provided detections and preventions, such as credential theft alerts, can potentially conflict with the sensor’s own built-in detections and preventions and present multiple, conflicting events for the same endpoint operation. In this case, the sensor’s built-in logic takes precedence.
Sensor version found: 3.8.0.684
DSEN-12189: In Endpoint Standard, when a process is blocked from running, multiple block events can display in the console and local user interface
Sensor version found: 3.7.0.1253
DSEN-15828: Live queries are limited to Windows default cmdline character length of 32,767 characters
DSEN-21308: Unsupported MSI/GPO
Due to a Microsoft bug with MSI/GPO currently not supporting the ARM platform, the ARM64 sensor does not support MSI/GPO installations at this time.
DSEN-21311: Assertions detected when previously attempting to launch a .vbs or .msi file from a previously connected OneDrive location