VMware Carbon Black Cloud 3.9.2.2698 | 11 JUL 2023 | Build 3.9.2.2698

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud Windows Sensor 3.9.2.2698 includes bug fixes and improvements.

Sensor Gateway

This release extends sensor gateway support for Cloud Workload environments to include brownfield (existing) environments.

Resolved Issues

All

  • UAV-2877: Fixed an issue with event batches

    Fixed an issue where queued event batches caused the sensor to exceed the MaxPscEventSingleArchiveSizeInBytes and MaxPscEventTotalArchivesSizeInBytes limits that apply to event batches stored on disk.

    Performing a sensor reset clears the event queue from the disk.

    Associated with: UAV-2840.

  • DSEN-24879: Fixed an issue with the sensor causing high disk I/O activity while the Windows Security Center service is unavailable

    Associated with: EA-22841.

  • DSEN-24084: Addressed an issue causing system crashes to occur on machines with low memory available

    Associated with: EA-22826.

  • DSEN-24075: Fixed an issue with the sensor blocking Rapid7 software from loading procexp.sys

    Associated with: EA-22835, EA-23052.

  • DSEN-23981: Addressed an issue causing system crashes to occur during instances where applications truncate or overwrite named pipes

    Associated with: EA-22874, EA-23124.

  • DSEN-23911: Fixed an issue where explorer.exe was terminated when browsing directories that contained banned or malicious files

    Associated with: EA-22819, EA-2577.

  • DSEN-23909: Addressed an issue causing system crashes to occur when running VMware Tools version 12.2.0+ with NSX Network Introspection enabled through NSX Tools

    Associated with: EA-22911, EA-23103, EA-23195.

  • DSEN-23582: Addressed an issue where the sensor was unable to enforce policy and remained in bypass if the machine had a volume with no name

    Associated with: EA-22336.

  • DSEN-23562: Improved the reliability of sensor upgrades in cases where unloading the ctinet.sys driver was significantly delayed, which previously required a reboot to resolve

    Carbon Black is actively working with Microsoft to address additional issues related to failed sensor upgrades due to failure of ctinet.sys to unload properly.

  • DSEN-23233: Added a new config prop CurlDnsCacheTimeoutInSeconds for tuning DNS query performance

    Associated with: EA-22359.

  • DSEN-23177: Addressed some performance related issues with ctinet.sys driver

  • DSEN-22978: Improved performance with bypassed processes

    Associated with: DSEN-22977, EA-21328, EA-22017.

  • DSEN-22614: Fixed an issue with Citrix VDIs

    Fixed an issue with Citrix VDIs failing to re-register properly, which led to clones sharing endpoint details such as hostname and device ID. The cause was conflicting config prop settings (AUTO_REREGISTER_FOR_VDI_CLONES=1 without also having AUTO_REREGISTER_FOR_CITRIX=TRUE).

    Associated with: EA-21428.

  • DSEN-17156: The sensor no longer modifies the registry if it is already configured to be AutomaticMemoryDump

    The sensor still overrides registry settings for other memory dump types unless the ConfigureMemoryDumpSettings config prop is disabled.

    Associated with: EA-20354.
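DSEN-17156 and the ConfigureMemoryDumpSettings note above describe a registry change the sensor can make. The PowerShell below is an added example, not part of the Carbon Black sensor or its documentation: it reads the CrashControl key that governs the Windows memory dump type, reports whether it is already set to Automatic memory dump (the one setting the sensor now leaves untouched), and can snapshot the key before an upgrade and diff it afterwards. The value-to-name mapping is the standard Windows meaning of CrashDumpEnabled; the function names and the snapshot file location in the usage comment are this example's own choices.

```powershell
# Added example (not Carbon Black code): inspect and diff the Windows crash-dump
# configuration that DSEN-17156 / ConfigureMemoryDumpSettings may touch.

$CrashControlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Standard Windows meanings of CrashControl\CrashDumpEnabled.
$DumpTypeNames = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (256 KB)'
    7 = 'Automatic memory dump'
}

function Get-CrashDumpConfiguration {
    # Returns the current dump type and whether the sensor is expected to leave it alone.
    $props = Get-ItemProperty -Path $CrashControlKey
    $value = if ($null -eq $props.CrashDumpEnabled) { -1 } else { [int]$props.CrashDumpEnabled }
    $name  = if ($DumpTypeNames.ContainsKey($value)) { $DumpTypeNames[$value] } else { "Unknown ($value)" }

    [pscustomobject]@{
        CrashDumpEnabled  = $value
        DumpType          = $name
        # Per DSEN-17156 the sensor no longer modifies the registry when the type is
        # already AutomaticMemoryDump (7); any other type may still be overridden
        # unless the ConfigureMemoryDumpSettings config prop is disabled.
        LeftAloneBySensor = ($value -eq 7)
        DumpFile          = $props.DumpFile
        AutoReboot        = $props.AutoReboot
        Overwrite         = $props.Overwrite
    }
}

function Export-CrashControlSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Capture every value under the key, not just CrashDumpEnabled, so an unexpected
    # change to DumpFile, Overwrite, etc. also shows up in the diff.
    $props = Get-ItemProperty -Path $CrashControlKey
    $snapshot = @{}
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $snapshot[$p.Name] = "$($p.Value)" }
    }
    $snapshot | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-CrashControlSnapshot {
    param([Parameter(Mandatory)][string]$BeforePath)
    # Emits one object per value whose content differs between the saved snapshot and the live key.
    $before = Get-Content -Path $BeforePath -Raw | ConvertFrom-Json
    $live   = Get-ItemProperty -Path $CrashControlKey
    foreach ($p in $before.PSObject.Properties) {
        $now = "$($live.$($p.Name))"
        if ($now -ne $p.Value) {
            [pscustomobject]@{ Name = $p.Name; Before = $p.Value; After = $now }
        }
    }
}

# Usage (elevated PowerShell). Before the sensor upgrade (path is an arbitrary choice):
#   Export-CrashControlSnapshot -Path C:\Temp\crashcontrol-before.json
# After the upgrade:
#   Get-CrashDumpConfiguration
#   Compare-CrashControlSnapshot -BeforePath C:\Temp\crashcontrol-before.json
```

If Compare-CrashControlSnapshot returns nothing after the upgrade on a host that was already at CrashDumpEnabled=7, the sensor behaved as DSEN-17156 describes; a row for CrashDumpEnabled on a host that was at another value is the override the note says still happens unless ConfigureMemoryDumpSettings is disabled.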

Auth Events

  • DSEN-23933: Fixed an issue with remote IP addresses not being reported for a remote logon

Endpoint Standard

  • DSEN-24869: Fixed an issue where fully bypassed processes might be subject to core prevention alerts and blocks

  • DSEN-24548: Addressed an issue causing system crashes to occur

    Addressed an issue causing system crashes to occur when attempting to bypass processes that normally should not be bypassed, such as explorer.exe.

    Associated with: EA-23114.

  • DSEN-23914: Fixed an issue with sharing violation errors and mishandling configuration

    Fixed an issue with the sensor causing sharing violation errors and mishandling the Scan Execute on Network Drives configuration for processes accessing executables or scripts on the network.

    Associated with: EA-22693.

  • DSEN-23394: Fixed an issue causing crashes to occur in spoolsv.exe and other processes when unloading CbAMSI.dll

    Associated with: EA-22355.

  • DSEN-23202: Fixed an issue preventing some applications from starting after injection of ctiuser.dll

    Associated with: EA-22591, EA-22186.

  • DSEN-23186: Addressed an issue causing an increase in alerts pertaining to applications attempting a network connection to a scanning host

    Associated with: EA-22578.

  • DSEN-23019: Improved bypass process tagging for script interpreter processes such as cmd.exe

  • DSEN-22991: Addressed various issues generating false positive process hollowing alerts

    Associated with: EA-22429, EA-22845.

XDR

  • DSEN-24046: Addressed an issue causing high kernel non-paged memory usage

    This issue was more likely observed on busy servers such as domain controllers.

    Associated with: DSEN-22647, DSEN-22638, EA-22932.

  • DSEN-23922: Fixed an issue causing inbound connections from different remote ports to generate multiple IDS alerts in the console without suppression

    This issue was addressed through an XDR policy update.

  • DSEN-23853: Fixed an issue causing inbound IDS alerts to be falsely reported as outbound connections

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

All

  • DSEN-25191: Obfuscation of document filenames is not working as expected when using the Enable Private Logging sensor configuration

  • DSEN-24701: CBFirewall registers itself as a firewall provider in Windows Security Center

  • DSEN-22427: osquery might crash when querying the windows_eventlog table in any sensor version that supports that table

    The affected environment is Windows 10 21H1 x64 with any sensor version that ships osquery 4.5.0 or higher.

  • DSEN-21771: Various Windows operating systems may require a reboot after upgrade in order to apply full protection

    This issue has been observed on Windows Server 2022, Windows Server 2019 and Windows 10. It is caused by a failure to unload the ctinet.sys WFP network driver on these operating systems. When it occurs, you must reboot to complete the upgrade. Failing to reboot after the upgrade can leave sensor versions prior to 3.9.0 in bypass, and can leave sensor versions 3.9.0 and later unable to load the ctinet.sys network driver, resulting in loss of visibility into network events and no network enforcement.

    Carbon Black is actively working with Microsoft to address the issue.

  • DSEN-18389: The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events

    These events do not constitute a true tamper attempt and indicate that the sensor blocked msmpeng.exe from accessing lsass.exe when Windows Defender is active.

  • DSEN-18181: Duplicate credential theft alerts might appear when procdump creates a memory dump for lsass.exe

  • DSEN-17210: The sensor reports the system’s local user for “Installed By” information instead of the currently logged on user

  • DSEN-15383: The sensor can incorrectly report “--” in place of a valid effective reputation

  • DSEN-12808: Placing a machine into a sleep or suspended state can still show the device as active from the console

    Associated with: DSER-39219
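DSEN-21771 above describes an upgraded sensor being left without its ctinet.sys WFP network driver running until the machine is rebooted. The PowerShell below is an added example, not part of the sensor or of Carbon Black's tooling: a post-upgrade check that locates the driver entry whose image is ctinet.sys, reports whether it is actually running, checks the standard Windows pending-reboot indicators, and optionally shows RepCLI status. The driver is found by file name rather than by an assumed service name, and the RepCLI path C:\Program Files\Confer\RepCLI.exe is an assumption about the default install location.

```powershell
# Added example (not Carbon Black code): post-upgrade check for the ctinet.sys
# network driver state described in DSEN-21771 / DSEN-23562.

function Get-SensorNetworkDriverState {
    # Find the kernel driver by image file name rather than assuming its service name.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*ctinet.sys*' } |
        Select-Object -First 1

    if (-not $drv) {
        return [pscustomobject]@{ Found = $false; Running = $false; Name = $null; State = $null; StartMode = $null; Path = $null; FileVersion = $null }
    }

    # PathName may be reported as \SystemRoot\... or \??\C:\...; normalise it for Get-Item.
    $path = $drv.PathName -replace '^\\SystemRoot', $env:SystemRoot
    $path = $path -replace '^\\\?\?\\', ''
    $version = $null
    if (Test-Path -LiteralPath $path) {
        $version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
    }

    [pscustomobject]@{
        Found       = $true
        Name        = $drv.Name
        State       = $drv.State   # 'Running' is healthy; anything else means no network visibility or enforcement
        Running     = ($drv.State -eq 'Running')
        StartMode   = $drv.StartMode
        Path        = $path
        FileVersion = $version
    }
}

function Test-PendingReboot {
    # Standard Windows indicators that a reboot is outstanding. A replaced driver image
    # that could not be unloaded typically appears under PendingFileRenameOperations.
    $indicators = @()
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm.PendingFileRenameOperations) { $indicators += 'PendingFileRenameOperations' }
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') { $indicators += 'CBS RebootPending' }
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') { $indicators += 'WindowsUpdate RebootRequired' }
    [pscustomobject]@{ RebootPending = ($indicators.Count -gt 0); Indicators = $indicators }
}

function Invoke-PostUpgradeNetworkDriverCheck {
    param(
        # Assumed default install location of the sensor's RepCLI tool; adjust if your install differs.
        [string]$RepCliPath = "$env:ProgramFiles\Confer\RepCLI.exe"
    )
    $driver = Get-SensorNetworkDriverState
    $reboot = Test-PendingReboot

    if (-not $driver.Found) {
        Write-Warning 'ctinet.sys is not registered as a system driver on this host.'
    } elseif (-not $driver.Running) {
        Write-Warning (("ctinet.sys ({0}) is registered but in state '{1}'. Per DSEN-21771, reboot to finish the " +
                        "upgrade and restore network visibility and enforcement.") -f $driver.FileVersion, $driver.State)
    } else {
        Write-Host ("ctinet.sys {0} is running." -f $driver.FileVersion)
    }
    if ($reboot.RebootPending) {
        Write-Warning ('Reboot pending: ' + ($reboot.Indicators -join ', '))
    }

    # RepCLI status shows whether the sensor reports itself in bypass; the output is displayed, not parsed.
    if (Test-Path -LiteralPath $RepCliPath) { & $RepCliPath status }

    [pscustomobject]@{ Driver = $driver; Reboot = $reboot }
}

# Usage (elevated PowerShell, after the upgrade): Invoke-PostUpgradeNetworkDriverCheck
```

A driver entry that is Found but not Running on a 3.9.0+ sensor is the DSEN-21771 condition; on a pre-3.9.0 sensor the same state shows up as bypass in RepCLI status. In both cases the remedy the note gives is a reboot.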

Endpoint Standard

  • DSEN-9577: Fileless script termination rules

    Fileless script termination rules must be applied to the parent of the process that runs the fileless script, because the sensor treats the process executing the script as the fileless script itself.

  • DSEN-12189: When a process is blocked from running, multiple block events can display in the console and local user interface

    Sensor version found: 3.7.0.1253.

  • DSEN-18307: In Endpoint Standard, TAU conflicts with the sensor

    Carbon Black Cloud’s TAU provided detections and preventions, such as credential theft alerts, can potentially conflict with the sensor’s own built-in detections and preventions and present multiple, conflicting events for the same endpoint operation. In this case, the sensor’s built-in logic takes precedence.
