VMware Carbon Black Cloud 3.9.1.2464 | 28 FEB 2023 | Build 3.9.1.2464
Check for additions and updates to these release notes.
VMware Carbon Black Cloud Windows Sensor 3.9.1.2464 includes bug fixes and improvements.
Introducing the Identity Intelligence feature in Enterprise EDR with a new Auth Events tab on the Investigate page
Identity Intelligence introduces additional visibility into end users and their authentication activity. When activated, Enterprise EDR collects various types of Windows authentication events, which are reported on a new Auth Events tab on the Investigate page. Users can search and filter Windows authentication events for anomalous authentication behavior and correlate authentication activity with process activity. The scope of collected Windows event types includes:
4624 - An account was successfully logged on
4625 - An account failed to log on
4634 - The account was logged off
4647 - User initiated logoff
4672 - Special privileges assigned to new logon (administrator equivalent)
4740 - A user account was locked out
The collection of authentication events is deactivated by default, but can be activated per Policy.
For more information, see Investigate - Auth Events in the VMware Carbon Black Cloud User Guide.
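The events listed above are the raw material for the kind of correlation the Auth Events tab is meant to support. The following is an added example, not Carbon Black code, of how an analyst can correlate those event IDs offline: it parses records in the standard Windows event XML schema (namespace http://schemas.microsoft.com/win/2004/08/events/event, with the documented EventData field names such as TargetUserName, IpAddress, LogonType, TargetLogonId and SubjectLogonId), then flags a burst of 4625 failures followed by a 4624 success from the same source, and 4672 privilege assignments whose matching 4624 arrived over the network (logon type 3 or 10). All sample records, account names, IP addresses and logon IDs are constructed; the thresholds and the 10-minute window are assumptions, not sensor settings.

```python
"""Correlate Windows authentication events (4624/4625/4672) for anomalous logons.

Added example with constructed input; not part of the Carbon Black Cloud sensor.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Default namespace used by Windows event XML exports.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def rec(event_id, system_time, **data):
    """Build one constructed <Event> record in the Windows event XML schema."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample: three failed network logons for svc_backup from one
# source, then a success that is immediately granted special privileges.
# alice is a benign interactive admin logon (LogonType 2, no remote address).
SAMPLE_XML = "<Events>" + "".join([
    rec(4625, "2023-02-28T09:00:01Z", TargetUserName="svc_backup", IpAddress="10.0.0.25",
        LogonType="3", Status="0xc000006d"),
    rec(4625, "2023-02-28T09:00:05Z", TargetUserName="svc_backup", IpAddress="10.0.0.25",
        LogonType="3", Status="0xc000006d"),
    rec(4625, "2023-02-28T09:00:09Z", TargetUserName="svc_backup", IpAddress="10.0.0.25",
        LogonType="3", Status="0xc000006d"),
    rec(4624, "2023-02-28T09:00:14Z", TargetUserName="svc_backup", IpAddress="10.0.0.25",
        LogonType="3", TargetLogonId="0x3e9a1"),
    rec(4672, "2023-02-28T09:00:14Z", SubjectUserName="svc_backup", SubjectLogonId="0x3e9a1",
        PrivilegeList="SeDebugPrivilege"),
    rec(4624, "2023-02-28T09:02:00Z", TargetUserName="alice", IpAddress="-",
        LogonType="2", TargetLogonId="0x5c2f0"),
    rec(4672, "2023-02-28T09:02:00Z", SubjectUserName="alice", SubjectLogonId="0x5c2f0",
        PrivilegeList="SeBackupPrivilege"),
]) + "</Events>"


def parse_events(xml_text):
    """Flatten each <Event> into a dict: id, time (UTC) plus every EventData field."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        stamp = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
        data = {d.get("Name"): d.text for d in ev.find("e:EventData", NS).findall("e:Data", NS)}
        events.append({"id": int(system.find("e:EventID", NS).text),
                       "time": datetime.fromisoformat(stamp), **data})
    return events


def detect_failures_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Flag (account, source) pairs with >= threshold 4625s then a 4624 inside the window."""
    failures = defaultdict(list)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev.get("TargetUserName", "").lower(), ev.get("IpAddress", "-"))
        if ev["id"] == 4625:
            failures[key].append(ev["time"])
        elif ev["id"] == 4624:
            recent = [t for t in failures[key] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"account": key[0], "source": key[1],
                                 "failures": len(recent), "success_at": ev["time"]})
            failures[key].clear()  # a success ends the current failure run
    return findings


def detect_remote_privileged_logons(events):
    """Join 4672 (SubjectLogonId) to its 4624 (TargetLogonId); report network logon types."""
    logons = {ev.get("TargetLogonId"): ev for ev in events if ev["id"] == 4624}
    findings = []
    for ev in events:
        if ev["id"] != 4672:
            continue
        logon = logons.get(ev.get("SubjectLogonId"))
        if logon and logon.get("LogonType") in {"3", "10"}:  # network / RemoteInteractive
            findings.append({"account": ev.get("SubjectUserName"),
                             "logon_type": logon["LogonType"],
                             "source": logon.get("IpAddress", "-"),
                             "privileges": ev.get("PrivilegeList", "")})
    return findings


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_XML)
    for f in detect_failures_then_success(parsed):
        print("failures-then-success:", f)
    for f in detect_remote_privileged_logons(parsed):
        print("remote privileged logon:", f)
```

Joining 4672 to 4624 through the logon ID rather than the account name matters because 4672 carries no source address of its own; without the join, an interactive console logon by an administrator (alice above) is indistinguishable from a privileged logon that arrived over the network.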
UAV-2834: Fixed an issue with HTTP timeouts
A sensor bug in versions 3.8.0, 3.9.0 and 3.9.1 did not gracefully handle HTTP timeouts, causing excessive repeated upload attempts of event batches.
UAV-2807: Added further improvements towards interoperability with FSLogix
Associated with: EA-22130.
DSEN-23154: Permission, Blocking, and Isolation rules
Fixed an issue where Permission, Blocking, and Isolation rules whose paths started with ?: or *: (used to match any drive letter) were inconsistently enforced.
DSEN-22731: Fixed an issue causing system crashes to occur on systems with a large amount of concurrent login sessions such as terminal servers
This issue was determined to occur only with the 3.9.0.2357 Windows sensor. To mitigate it, that sensor version applies a lower default value to the LogonUserInfoCacheSuggestedMaxSize configuration setting.
Associated with: EA-22464.
DSEN-21077: Addressed issues with lengthy subsequent RDP logins associated with execution of .ttc and .ttf font file types
Note that initial RDP logins might still experience minor delays while the sensor scans .dll and other portable executable file types used during RDP logins.
Associated with: EA-21935.
DSEN-19962: Adjusted the color contrast for items within the Threats Blocked menu of the sensor UI
DSEN-19711: Adjusted the color contrast for hovering and selecting rows of text within the Threats Blocked menu of the sensor UI
DSEN-18066: Fixed an issue with inconsistent reporting of domain name information associated with endpoints within the console UI
Domain names are presented in a more uniform manner for endpoints that are collecting and reporting domain name information.
Domain-joined machines are expected to be in "domain\hostname" format whereas domain-less machines appear as "hostname".
Associated with: EA-18278.
DSEN-14942: Fixed a bug causing system crashes to occur with references to BigLruCache
Associated with: EA-19404.
DSEN-22351: Fixed an issue with local sensor alerts failing to generate with multiple repeat blocks on the same file
The sensor now reports one alert per 30-minute interval for blocks on the same file.
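The once-per-30-minute behaviour described above is a standard alert-throttling pattern. The following is an added example, not sensor code, of how a detection pipeline can implement it: repeated blocks on the same file inside the window are suppressed, and the count of suppressed blocks is carried onto the next emitted alert so that volume is not lost to the analyst. The 30-minute window comes from the note; keying on the lower-cased path and the sample block sequence are constructed assumptions.

```python
"""Throttle repeated block alerts for the same file to one per time window.

Added example with constructed input; not part of the Carbon Black Cloud sensor.
"""
from datetime import datetime, timedelta, timezone


class BlockAlertThrottle:
    """Emit at most one alert per file path per window; count what was suppressed."""

    def __init__(self, window=timedelta(minutes=30)):
        self.window = window
        self._last_alert = {}   # normalised path -> time of last emitted alert
        self._suppressed = {}   # normalised path -> blocks suppressed since that alert

    def on_block(self, path, when):
        """Return an alert dict if this block should alert, otherwise None."""
        key = path.lower()  # assumption: Windows paths compare case-insensitively
        last = self._last_alert.get(key)
        if last is not None and when - last < self.window:
            self._suppressed[key] = self._suppressed.get(key, 0) + 1
            return None
        alert = {"path": path, "time": when,
                 "suppressed_since_last": self._suppressed.get(key, 0)}
        self._last_alert[key] = when
        self._suppressed[key] = 0
        return alert


def simulate():
    """Run a constructed block sequence through the throttle and return emitted alerts."""
    t0 = datetime(2023, 2, 28, 9, 0, tzinfo=timezone.utc)
    blocks = [
        (r"C:\Users\Public\dropper.exe", t0),                              # alert
        (r"C:\Users\Public\dropper.exe", t0 + timedelta(minutes=1)),       # suppressed
        (r"C:\Users\Public\DROPPER.EXE", t0 + timedelta(minutes=29)),      # suppressed (same file)
        (r"D:\tools\other.exe", t0 + timedelta(minutes=2)),                # alert (different file)
        (r"C:\Users\Public\dropper.exe", t0 + timedelta(minutes=30)),      # alert, window elapsed
        (r"C:\Users\Public\dropper.exe", t0 + timedelta(minutes=31)),      # suppressed
    ]
    throttle = BlockAlertThrottle()
    return [a for path, when in blocks if (a := throttle.on_block(path, when))]


if __name__ == "__main__":
    for alert in simulate():
        print(alert["time"].isoformat(), alert["path"], "suppressed:", alert["suppressed_since_last"])
```

The comparison is strictly less than the window, so a block arriving exactly 30 minutes after the last alert starts a new interval; the suppressed count on that alert tells the analyst how many blocks the earlier alert actually represented.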
DSEN-21967: Improved performance of file classification sequences
Additionally, added performance improvements for processes marked with full bypass permissions.
Associated with: DSEN-21683, EA-21328, EA-22017.
DSEN-21878: Fixed an issue with some processes triggering false positives
Fixed an issue where some processes including \windows\system32\audiodg.exe and \program files\microsoft office\root\office16\msoia.exe could trigger false positives for the rule Detect PEB command line modification.
DSEN-20840: Addressed behavior triggering false positive alerts for "report process hollowing"
Associated with: EA-22429.
DSEN-21308: Microsoft has resolved the issue with deployment of the ARM64 sensor package through MSI/GPO methods
This issue is resolved beginning with Windows 11 Insider Preview Build 25247 and applies to all versions of the Carbon Black Cloud Windows ARM64 sensor packages.
DSEN-15828: Due to a Microsoft character limit, Live Queries are limited to the Windows default command-line length of 32,767 characters
Queries exceeding this length now fail immediately with a more descriptive error referencing the character limit.
The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.
CWP-16061: Sensor out of date status filter
The “sensor out of date” status filter on the Endpoints page displays sensors running version 3.9.1.2464 as out of date due to the release of 3.9.1.2691 for CWP environments. No upgrade is required for non-CWP orgs.
DSEN-17156: "CrashDumpEnabled" registry configuration resets to 1 on Defense Sensor reboot
Any custom value used for the "CrashDumpEnabled" config setting is reset to 1 (Complete Memory Dump) on every reboot (restart of Defense Sensor).
DSEN-21771: Various Windows operating systems might require a reboot after upgrade in order to apply full protection
This issue has been observed with Windows Server 2022, 2019 and Windows 10. This is due to an issue unloading the ctinet.sys WFP network driver on various Windows operating systems.
Where this issue occurs, you must reboot to complete the upgrade. Failure to reboot after the upgrade might result in sensor versions prior to 3.9.0 ending up in bypass, or sensor versions 3.9.0 and later failing to load the ctinet.sys network driver, resulting in loss of visibility into network events and lack of network enforcement.
Carbon Black is actively working with Microsoft to address the issue.
DSEN-23981: System crashes can occur during instances where applications truncate or overwrite named pipes
Associated with: EA-22874.
DSEN-23909: System crashes can occur when running VMware Tools version 12.2.0+
DSEN-22427: osquery might crash when querying windows_eventlog in any sensor version that supports the windows_eventlog table
The affected environment is Windows 10 21H1 x64 with any sensor version that ships osquery 4.5.0 or higher.
DSEN-21771: Windows Server 2019 endpoints might require a reboot after upgrade in order to apply full protection
This is due to an issue unloading the ctinet.sys WFP network driver on Windows Server 2019 systems. In such cases, you must reboot to complete the upgrade. Failure to reboot post upgrade might result in loss of visibility into network events and lack of network enforcement.
DSEN-18389: The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events
These events do not constitute a true tamper attempt and indicate that the sensor blocked msmpeng.exe from accessing lsass.exe when Windows Defender is active.
DSEN-18181: Duplicate credential theft alerts might appear when procdump creates a memory dump for lsass.exe
DSEN-17210: The sensor reports the system’s local user for “Installed By” information instead of the currently logged on user
DSEN-15383: The sensor can incorrectly report “--” in place of a valid effective reputation
DSEN-12808: Placing a machine into a sleep/suspended state can still show the device as active from the console
Associated with: DSER-39219.
DSEN-18307: In Endpoint Standard, TAU conflicts with the sensor
Carbon Black Cloud’s TAU provided detections and preventions, such as credential theft alerts, can potentially conflict with the sensor’s own built-in detections and preventions and present multiple, conflicting events for the same endpoint operation. In this case, the sensor’s built-in logic takes precedence.
Sensor version found: 3.8.0.684.
DSEN-12189: When a process is blocked from running, multiple block events can display in the console and local user interface
Sensor version found: 3.7.0.1253.
DSEN-9577: Fileless script termination rules
Fileless script termination rules must be applied to the parent process of the fileless script process. The process executing the fileless script is the fileless script.
DSEN-23922: Inbound connections from different remote ports might generate multiple IDS alerts in the console without suppression
This will be addressed in the next XDR rules release.
DSEN-23853: Inbound IDS alerts might be falsely reported as outbound connections
DSEN-23933: Remote IP address is not being reported for a remote logon