VMware Carbon Black Cloud 3.9.1.2691 | 15 JUN 2023 | Build 3.9.1.2691

Check for additions and updates to these release notes.

What's New

Important Note: This release is only available to Carbon Black Cloud organizations with Cloud Workload Protection enabled.

VMware Carbon Black Cloud Windows Sensor 3.9.1.2691 fixes an issue preventing sensor deployments through the Carbon Black Launcher for Cloud Workload environments. This sensor release also includes all changes and fixes from previous releases.

Resolved Issues

Cloud Workload Protection

  • CBC-28853: Fixed an issue preventing sensor deployments via Carbon Black Launcher for Cloud Workload environments

    Associated with: EA-23145.

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

All

  • DSEN-23981: System crashes can occur during instances where applications truncate or overwrite named pipes

    Associated with: EA-22874.

  • DSEN-23909: System crashes can occur when running VMware Tools version 12.2.0+

  • DSEN-22427: osquery might crash when querying windows_eventlogs in any sensor version that supports the windows_eventlog table

    The affected environment is Windows 10 21H1 x64 and any sensor version with osquery 4.5.0 or higher.

  • DSEN-21771: Various Windows operating systems may require a reboot after upgrade in order to apply full protection

    This issue has been observed with Windows Server 2022, 2019 and Windows 10. It is caused by an issue unloading the ctinet.sys WFP network driver on various Windows operating systems. When this issue occurs, you must reboot to complete the upgrade. Failure to reboot after the upgrade may leave sensor versions prior to 3.9.0 in bypass, or cause sensor versions 3.9.0+ to fail to properly load the ctinet.sys network driver, resulting in loss of visibility into network events and lack of network enforcement.

    Carbon Black is actively working with Microsoft to address the issue.

  • DSEN-18389: The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events

    These events do not constitute a true tamper attempt and indicate that the sensor blocked msmpeng.exe from accessing lsass.exe when Windows Defender is active.

  • DSEN-18181: Duplicate credential theft alerts might appear when procdump creates a memory dump for lsass.exe

  • DSEN-17210: The sensor reports the system’s local user for “Installed By” information instead of the currently logged on user

  • DSEN-17156: "CrashDumpEnabled" registry configuration resets to 1 on Defense Sensor reboot

    Any custom value used for the "CrashDumpEnabled" config setting is reset to 1 (Complete Memory Dump) on every reboot (restart of Defense Sensor).

  • DSEN-15383: The sensor can incorrectly report “--” in place of a valid effective reputation

  • DSEN-12808: Placing a machine into a sleep or suspended state can still show the device as active from the console

    Associated with: DSER-39219

Auth Events

  • DSEN-23933: Remote IP address is not being reported for a remote logon

Endpoint Standard

  • DSEN-18307: In Endpoint Standard, TAU conflicts with the sensor

    Carbon Black Cloud’s TAU provided detections and preventions, such as credential theft alerts, can potentially conflict with the sensor’s own built-in detections and preventions and present multiple, conflicting events for the same endpoint operation. In this case, the sensor’s built-in logic takes precedence.

    Sensor version found: 3.8.0.684.

  • DSEN-12189: When a process is blocked from running, multiple block events can display in the console and local user interface

    Sensor version found: 3.7.0.1253.

  • DSEN-9577: Fileless script termination rules

    Fileless script termination rules must be applied to the parent process of the fileless script process. The process executing the fileless script is the fileless script.

XDR

  • DSEN-23922: Inbound connections from different remote ports might generate multiple IDS alerts in the console without suppression

    This will be addressed in the next XDR rules release.

  • DSEN-23853: Inbound IDS alerts might be falsely reported as outbound connections
