VMware Carbon Black Cloud 3.9.1.2464 | 28 FEB 2023 | Build 3.9.1.2464

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud Windows Sensor 3.9.1.2464 includes bug fixes and improvements.

Identity Intelligence Feature

  • Introducing the Identity Intelligence feature in Enterprise EDR with a new Auth Events tab on the Investigate page

    Identity Intelligence introduces additional visibility into end users and their authentication activity. When activated, Enterprise EDR collects various types of Windows authentication events that are reported on a new Auth Events tab on the Investigate page. Users can search and filter Windows authentication events for anomalous authentication behavior and correlate authentication activity with process activity. The scope of collected Windows event types includes:

    • 4624 - An account was successfully logged on

    • 4625 - An account failed to log on

    • 4634 - The account was logged off

    • 4647 - User initiated logoff

    • 4672 - Special privileges assigned to new logon (administrator equivalent)

    • 4740 - A user account was locked out

    The collection of authentication events is deactivated by default, but can be activated per Policy.

    For more information, see Investigate - Auth Events in the VMware Carbon Black Cloud User Guide.
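    As an added illustration of the kind of correlation the Auth Events tab supports (example code written for these notes, not the sensor's or the console's own logic), the following Python script runs three simple checks over constructed sample records carrying the event IDs listed above: a burst of 4625 failures followed by a 4624 success for the same account, 4740 lockouts, and 4672 special-privilege assignments to accounts outside an assumed allow-list. The record layout, the threshold and window, and the allow-list are assumptions, not settings of the product.

```python
"""Added example (not Carbon Black's code): simple anomaly checks over the
Windows authentication event IDs that Identity Intelligence collects
(4624, 4625, 4634, 4647, 4672, 4740). The records below are constructed
sample data, not output from the sensor or the console."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account, source address).
SAMPLE_EVENTS = [
    ("2023-02-28T08:00:00", 4624, "alice", "10.0.0.5"),
    ("2023-02-28T08:05:00", 4625, "bob", "10.0.0.9"),
    ("2023-02-28T08:05:10", 4625, "bob", "10.0.0.9"),
    ("2023-02-28T08:05:20", 4625, "bob", "10.0.0.9"),
    ("2023-02-28T08:05:30", 4625, "bob", "10.0.0.9"),
    ("2023-02-28T08:05:40", 4625, "bob", "10.0.0.9"),
    ("2023-02-28T08:06:00", 4624, "bob", "10.0.0.9"),
    ("2023-02-28T08:06:01", 4672, "bob", "10.0.0.9"),
    ("2023-02-28T09:00:00", 4625, "carol", "10.0.0.7"),
    ("2023-02-28T09:10:00", 4740, "carol", "10.0.0.7"),
    ("2023-02-28T09:30:00", 4624, "svc_backup", "10.0.0.2"),
    ("2023-02-28T09:30:01", 4672, "svc_backup", "10.0.0.2"),
    ("2023-02-28T10:00:00", 4647, "alice", "10.0.0.5"),
]

# Assumed tuning values; a real deployment would set these per environment.
FAILED_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
# Assumed allow-list of accounts expected to receive admin-equivalent privileges.
EXPECTED_PRIVILEGED = {"svc_backup"}


def parse_events(raw):
    """Turn the raw tuples into (datetime, event_id, account, source) tuples."""
    return [(datetime.fromisoformat(ts), eid, acct, src) for ts, eid, acct, src in raw]


def failed_then_success(events, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Flag accounts that log on (4624) after >= threshold failures (4625)
    within `window`; returns (account, source, failure_count) tuples."""
    findings = []
    failures = defaultdict(list)
    for ts, eid, acct, src in sorted(events):
        if eid == 4625:
            failures[acct].append(ts)
        elif eid == 4624:
            recent = [t for t in failures[acct] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append((acct, src, len(recent)))
            failures[acct] = []  # a success resets the failure streak
    return findings


def lockouts(events):
    """Every 4740 lockout as (account, timestamp)."""
    return [(acct, ts) for ts, eid, acct, src in events if eid == 4740]


def unexpected_privileges(events, expected=EXPECTED_PRIVILEGED):
    """Accounts that received special privileges (4672) but are not expected to."""
    return sorted({acct for ts, eid, acct, src in events
                   if eid == 4672 and acct not in expected})


def run(raw=SAMPLE_EVENTS):
    """Run all three checks and return their findings keyed by check name."""
    ev = parse_events(raw)
    return {
        "failed_then_success": failed_then_success(ev),
        "lockouts": lockouts(ev),
        "unexpected_privileges": unexpected_privileges(ev),
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

On the sample data the script reports bob's five failures followed by a success and an unexpected 4672 for the same account, and carol's lockout; the same three checks map directly onto filters a user can build on the Auth Events tab, with the process-correlation step left to the console.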

Resolved Issues

All

  • UAV-2834: Fixed an issue with HTTP timeouts

    A sensor bug in versions 3.8.0, 3.9.0 and 3.9.1 did not gracefully handle HTTP timeouts, causing excessive repeated upload attempts of event batches.

  • UAV-2807: Added further improvements towards interoperability with FSLogix

    Associated with: EA-22130.

  • DSEN-23154: Permission, Blocking, and Isolation rules

    Permission, Blocking, and Isolation rules that started with ?: or *: as a means of matching any drive letter were inconsistently enforced.

  • DSEN-22731: Fixed an issue causing system crashes to occur on systems with a large amount of concurrent login sessions such as terminal servers

    This issue was determined to occur only with the 3.9.0.2357 Windows sensor. To mitigate the issue, a lower default value is applied to the LogonUserInfoCacheSuggestedMaxSize configuration setting for the 3.9.0.2357 sensor version.

    Associated with: EA-22464.

  • DSEN-21077: Addressed issues with lengthy subsequent RDP logins associated with execution of .ttc and .ttf font file types

    Note that initial RDP logins might still experience minor delays while the sensor scans .dll and other portable executable file types used during RDP logins.

    Associated with: EA-21935.

  • DSEN-19962: Adjusted the color contrast for items within the Threats Blocked menu of the sensor UI

  • DSEN-19711: Adjusted the color contrast for hovering and selecting rows of text within the Threats Blocked menu of the sensor UI

  • DSEN-18066: Fixed an issue with inconsistent reporting of domain name information associated with endpoints within the console UI

    Domain names are presented in a more uniform manner for endpoints that are collecting and reporting domain name information.

    Domain-joined machines are expected to be in "domain\hostname" format whereas domain-less machines appear as "hostname".

    Associated with: EA-18278.

  • DSEN-14942: Fixed a bug causing system crashes to occur with references to BigLruCache

    Associated with: EA-19404.

Endpoint Standard

  • DSEN-22351: Fixed an issue with local sensor alerts failing to generate with multiple repeat blocks on the same file

    The sensor now reports one alert per 30 minute interval for blocks on the same file.

  • DSEN-21967: Improved performance of file classification sequences

    Additionally, added performance improvements for processes marked with full bypass permissions.

    Associated with: DSEN-21683, EA-21328, EA-22017.

  • DSEN-21878: Fixed an issue with some processes triggering false positives

    Fixed an issue where some processes including \windows\system32\audiodg.exe and \program files\microsoft office\root\office16\msoia.exe could trigger false positives for the rule Detect PEB command line modification.

  • DSEN-20840: Addressed behavior triggering false positive alerts for "report process hollowing"

    Associated with: EA-22429.

ARM64

  • DSEN-21308: Microsoft has resolved the issue with deployment of the ARM64 sensor package through MSI/GPO methods

    This issue is resolved beginning with Windows 11 Insider Preview Build 25247 and applies to all versions of the Carbon Black Cloud Windows ARM64 sensor packages.

Audit and Remediation

  • DSEN-15828: Due to a Microsoft character limit, Live Queries are limited to the Windows default command-line length of 32,767 characters

    Queries exceeding this length now fail immediately with a more descriptive error referencing the character limit.

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

All

  • CWP-16061: Sensor out of date status filter

    The “sensor out of date” status filter from the Endpoints page displays sensors running version 3.9.1.2464 due to the release of 3.9.1.2691 for CWP environments. No upgrade is required for non-CWP orgs.

  • DSEN-17156: "CrashDumpEnabled" registry configuration resets to 1 on Defense Sensor reboot

    Any custom value used for the "CrashDumpEnabled" config setting is reset to 1 (Complete Memory Dump) on every reboot (restart of Defense Sensor).

  • DSEN-21771: Various Windows operating systems might require a reboot after upgrade in order to apply full protection

    This issue has been observed with Windows Server 2022, 2019 and Windows 10. This is due to an issue unloading the ctinet.sys WFP network driver on various Windows operating systems.

    Where this issue occurs, you must reboot to complete the upgrade. Failure to reboot after the upgrade might result in sensor versions prior to 3.9.0 ending up in bypass, or sensor versions 3.9.0 and later failing to properly load the ctinet.sys network driver, resulting in loss of visibility into network events and lack of network enforcement.

    Carbon Black is actively working with Microsoft to address the issue.

  • DSEN-23981: System crashes can occur during instances where applications truncate or overwrite named pipes

    Associated with: EA-22874.

  • DSEN-23909: System crashes can occur when running VMware Tools version 12.2.0+

  • DSEN-22427: osquery might crash when querying windows_eventlogs in any sensor version that supports the windows_eventlog table

    The affected environment is for OS Windows 10 21H1 x64 and any sensor version with osquery 4.5.0 or higher.

  • DSEN-21771: Windows Server 2019 endpoints might require a reboot after upgrade in order to apply full protection

    This is due to an issue unloading the ctinet.sys WFP network driver on Windows Server 2019 systems. In such cases, you must reboot to complete the upgrade. Failure to reboot post upgrade might result in loss of visibility into network events and lack of network enforcement.

  • DSEN-18389: The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events

    These events do not constitute a true tamper attempt and indicate that the sensor blocked msmpeng.exe from accessing lsass.exe when Windows Defender is active.

  • DSEN-18181: Duplicate credential theft alerts might appear when procdump creates a memory dump for lsass.exe

  • DSEN-17210: The sensor reports the system’s local user for “Installed By” information instead of the currently logged on user

  • DSEN-15383: The sensor can incorrectly report “--” in place of a valid effective reputation

  • DSEN-12808: Placing a machine into a sleep/suspended state can still show the device as active from the console

    Associated with: DSER-39219.

Endpoint Standard

  • DSEN-18307: In Endpoint Standard, TAU conflicts with the sensor

    Carbon Black Cloud’s TAU provided detections and preventions, such as credential theft alerts, can potentially conflict with the sensor’s own built-in detections and preventions and present multiple, conflicting events for the same endpoint operation. In this case, the sensor’s built-in logic takes precedence.

    Sensor version found: 3.8.0.684.

  • DSEN-12189: When a process is blocked from running, multiple block events can display in the console and local user interface

    Sensor version found: 3.7.0.1253.

  • DSEN-9577: Fileless script termination rules

    Fileless script termination rules must be applied to the parent process of the fileless script process. The process executing the fileless script is the fileless script.

XDR

  • DSEN-23922: Inbound connections from different remote ports might generate multiple IDS alerts in the console without suppression

    This will be addressed in the next XDR rules release.

  • DSEN-23853: Inbound IDS alerts might be falsely reported as outbound connections

Auth Events

  • DSEN-23933: Remote IP address is not being reported for a remote logon
