VMware Carbon Black Cloud 4.0.0.1292 | 14 NOV 2023 | Build 4.0.0.1292

Check for additions and updates to these release notes.

What's New

VMware Carbon Black Cloud Windows Sensor 4.0.0.1292 includes bug fixes and improvements.

Note: For more information about Windows Sensor operating systems, view the Windows Sensor for Desktop Operating Environment Requirements documentation for Windows Desktop, or the Windows Sensor for Server Operating Environment Requirements documentation for Windows Server.

  • Windows Server Core

    The Windows sensor now supports various Windows Server Core operating systems including 2016, 2019, and 2022.

  • On-demand Scanning

    The Windows sensor now invokes the local AV scanner when using on-demand scanning through RepCLI for Endpoint Standard enabled orgs. You can perform on-demand scanning as a full background scan as well as directly on specific files or directories.

  • Host-Based Firewall - Location Aware Firewall Rules

    The Windows sensor now supports differentiating Host-based Firewall rules based on public, private, or domain network profiles. As the location of a device changes, as well as the network profile assigned to the device, the host-based firewall rules assigned to the device are updated accordingly.

  • Azure and Google Cloud Platform (GCP) support for Public Cloud Workloads

    The Windows sensor now supports Azure and Google Cloud Platform (GCP) environments for public cloud workloads enabled orgs.

  • New OSquery Extension Tables

    Added cb_sensor_policies and cb_sensor_rules tables to the CBC OSquery extensions to query information about loaded rules and policies on sensors. This is associated with CBC-27469.

  • Receive Segment Coalescing (RSC) Support

    The sensor now supports Receive Segment Coalescing (RSC) with the ctinet.sys driver to help improve network throughput performance.

Resolved Issues

All

  • DSEN-26499: Multibyte characters were not being read properly from the cfg.ini file

    Fixed an issue where multibyte characters were not read properly from the cfg.ini file. This led to upgrade issues in which the backend server was not reachable because a Japanese policy name was not fetched properly from cfg.ini.

    Associated with: EA-23547.

  • DSEN-26243: Fixed an issue causing applications such as Java and JBoss to stall when attempting to rename files

    Associated with: EA-23545, EA-23449.

  • DSEN-26173: Delays in updating the mounted volume list

    Fixed an issue causing lengthy delays in updating the mounted volume list which might impact the build process of containers on a container host.

    Associated with: EA-23601.

  • DSEN-26085: Improved tamper protection interop behavior with Hitachi JP1 software

    Associated with: EA-23588.

  • DSEN-25870: Addressed a BSOD issue relating to named pipes

    Associated with: EA-23513.

  • DSEN-25481: Fixed an issue where the sensor did not apply blocking and isolation rules properly if repmgr.exe was restarted but the kernel was not reloaded

    Associated with: EA-23376.

  • DSEN-25222: Improved tamper protection interop behavior with Sysinternals tools

    Associated with: EA-23325.

  • DSEN-25188: Added support for alternate parent devices to modify vDisk in private/maintenance mode without causing deregistration issues

  • DSEN-25030: Sensor repeatedly attempted to download the .msi installer

    Fixed an issue where the sensor repeatedly attempted to download the .msi installer during upgrades that failed due to no_network_error, regardless of the retry value set.

    Associated with: EA-23251.

  • DSEN-24951: Fixed an issue where signed files could sometimes be reported as unsigned

    Associated with: EA-23091.

  • DSEN-24946: Fixed an issue where the sensor could incorrectly declare PEB command line modification was detected

    Associated with: EA-23153.

  • DSEN-24701: CBFirewall registered itself as a firewall provider in Windows Security Center

    Fixed an issue where CBFirewall registered itself as a firewall provider in Windows Security Center without Host-Based Firewall being enabled in the org policy.

    Associated with: EA-22614.

  • DSEN-24295: Fixed an issue with remote PowerShell sessions getting blocked

    Associated with: EA-22855.

  • DSEN-21795: Improved logon performance

    Improved logon performance and addressed high CPU activity of registry processing for sensors running in a Horizon VDI + DEM environment.

    Associated with: DSEN-21851, EA-19855, EA-21171, EA-21269, EA-21783.

  • DSEN-21581: Mismatch in hash reputations

    Fixed an issue where restoring db_rep from backup could cause a mismatch in hash reputations leading to unintended approve/ban behavior of files.

    Associated with: EA-23762, EA-22105.

  • DSEN-20893: Fixed an issue with ctinet.sys causing delays in MMC ADUC snap-in

  • DSEN-18181: Fixed an issue where duplicate Credential Theft alerts appeared when procdump created a memory dump for lsass.exe.

  • DSEN-17743: Fixed an issue with the sensor causing delays in applying security permissions on directories or files from the Security tab of the Properties menu

    Associated with: EA-22569.

  • DSEN-15735: Fixed an issue with sensors misreporting the parent process of network events

    This issue was observed on endpoints running VPN software where the actual parent process of the network event was abruptly terminated causing the next application launched to be mistakenly associated as the parent process.

    Associated with: EA-19639.

Endpoint Standard

  • DSEN-26353: Fixed an issue with applications being terminated

    Fixed an issue with applications being terminated after modifying their own instruction sets if the sensor’s policy has a matching prevention rule set to terminate on "Injects code or modifies memory of another process".

    Associated with: EA-23709.

  • DSEN-26138: Fixed an issue with ctiuser.dll causing false positive “report process hollowing” alerts

    Associated with: EA-23451.

  • DSEN-25426: Fixed an issue where a timeout error could cause the scanhost.exe to fail during reload of a new AV signature pack

    Associated with: EA-23366.

  • DSEN-25333: Fixed an issue where canary files might fail to deploy if not enough disk space was available

    Associated with: EA-23018.

  • DSEN-23190: Fixed an issue where Microsoft Edge update failed to install due to an incorrect file reputation being applied

    Associated with: EA-22057.

  • DSEN-19107: The sensor now supports preferred servers for receiving AV signature updates

    Associated with: EA-21161.

  • DSEN-18141: Fixed an issue with the sensor failing to download AV signature packs if connectivity checks fail

  • DSEN-16544: The sensor now reports background scan status, last completion time, and last active time

    Associated with: EA-19987.

  • DSEN-10127: Fixed an issue where .dll files associated with a specified IT Tool were not inheriting the IT Tool’s reputation

    Associated with: EA-17381.

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

All

  • DSEN-25191: Obfuscation of document filenames is not working as expected when using the Enable Private Logging sensor configuration

  • DSEN-22427: osquery might crash when querying windows_eventlogs in any sensor version that supports the windows_eventlog table

    The affected environment is Windows 10 21H1 x64 with any sensor version that includes osquery 4.5.0 or higher.

  • DSEN-21771: Various Windows operating systems may require a reboot after upgrade in order to apply full protection

    This issue has been observed with Windows Server 2022, 2019 and Windows 10. It is caused by a problem unloading the ctinet.sys WFP network driver on various Windows operating systems. When this issue occurs, you must reboot to complete the upgrade. Failure to reboot after the upgrade may result in sensor versions prior to 3.9.0 ending up in bypass, or in sensor versions 3.9.0 and later failing to properly load the ctinet.sys network driver, resulting in loss of visibility into network events and lack of network enforcement.

    Carbon Black is actively working with Microsoft to address the issue.

  • DSEN-18389: The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events

    These events do not constitute a true tamper attempt and indicate that the sensor blocked msmpeng.exe from accessing lsass.exe when Windows Defender is active.

  • DSEN-17210: The sensor reports the system’s local user for “Installed By” information instead of the currently logged on user

  • DSEN-12808: Placing a machine into a sleep or suspended state can still show the device as active from the console

    Associated with: DSER-39219

Endpoint Standard

  • DSEN-18307: In Endpoint Standard, TAU conflicts with the sensor

    Carbon Black Cloud’s TAU-provided detections and preventions, such as credential theft alerts, can potentially conflict with the sensor’s own built-in detections and preventions and present multiple, conflicting events for the same endpoint operation. In this case, the sensor’s built-in logic takes precedence.

  • DSEN-12189: When a process is blocked from running, multiple block events can display in the console and local user interface

    Sensor version found: 3.7.0.1253.

  • DSEN-9577: Fileless script termination rules

    Fileless script termination rules must be applied to the parent process of the fileless script process. The process executing the fileless script is the fileless script.
