Carbon Black Cloud 4.0.1.1428 | 01 May 2024 | Build 4.0.1.1428

Check for additions and updates to these release notes.

What's New

Carbon Black Cloud Windows Sensor 4.0.1.1428 includes bug fixes and improvements.

Note: For more information about Windows Sensor operating systems, view the Windows Sensor for Desktop Operating Environment Requirements documentation or the Windows Sensor for Server Operating Environment Requirements documentation.

  • Submit unknown binaries for analysis by Avira improvements

    Improved reputation efficacy when local scanner timeouts occur and Submit unknown binaries for analysis by Avira is enabled under Enforce > Policies > Sensor > Settings. These improvements provide additional threat analysis and reputation context to ensure enforcement of policy actions performed on hashes with unknown reputation encountered under these conditions.

Resolved Issues

All

  • DSEN-28089: Fixed incorrect HBFW alert descriptions for Outbound Test Rules

  • DSEN-27946: Fixed incorrect HBFW alert descriptions for Inbound connections

    Includes EA-24221.

  • DSEN-27024: Fixed an issue in the Repux system tray so that <href url…> opens in the system default browser

    Includes EA-23956.

  • DSEN-18079: Added support for NTLM proxy, configurable with the existing proxy config prop

    Includes EA-19956.

  • DSEN-17210: Device_username field in the console was not updating correctly

    Resolved an issue where the device_username field in the console was not updating correctly after an uninstall/reinstall of the sensor using a different username. Includes EA-20292.

  • DSEN-22274: Implemented a workaround to ensure sensor upgrade succeeds without a loss in visibility to network operations

    Includes EA-19027.

  • DSEN-24539: Some sensor upgrades failed

    Updates to work around a Microsoft bug that prevents a driver from unloading, thereby causing some sensor upgrades to fail. Includes EA-22717.

  • DSEN-25866: Resolved an issue where the sensor was intermittently blocking a previously ALLOWED script from running

    Includes EA-24042, EA-23484.

  • DSEN-26169: Added a config prop to avoid a Microsoft crash

    Added a config prop (SkipInPreCreateNetworkNonExecuteOps) to avoid a Microsoft crash when using certain software: Workgroup Manager Client and CNC machine software. Includes EA-23631, EA-23642.

  • DSEN-26219: Fixed long wait times

    Fixed an issue that caused wait times to be unnecessarily long when opening rtf/docx/pptx/xlsx files on a file share server. Includes EA-23520.

  • DSEN-26326, DSEN-26325: Fixed an issue to prevent blocking of remote printing/PDF generation software when using RDP

    Includes EA-23166, EA-23450.

  • DSEN-26565: Fixed an issue in Live Query

    Fixed an issue in Live Query where queries including the chrome_extensions data type could fail. Includes EA-23689.

  • DSEN-27202: Processes with allow-listed certificates were incorrectly blocked

    Fixed sensor behavior that occasionally caused processes with allow-listed certificates to be incorrectly blocked. Includes DSEN-27637, EA-24135, EA-24009, EA-23347.

  • DSEN-21771: Various Windows operating systems may require a reboot after upgrade in order to apply full protection

    This issue has been observed with Windows Server 2022, 2019 and Windows 10. It is due to an issue unloading the ctinet.sys WFP network driver on various Windows operating systems. When this issue occurs, you must reboot to complete the upgrade. Failure to reboot post upgrade may result in sensor versions (prior to 3.9.0) ending up in bypass, or sensor versions (3.9.0+) failing to properly load the ctinet.sys network driver, resulting in loss of visibility into network events and lack of network enforcement.

    Carbon Black is actively working with Microsoft to address the issue.

  • DSEN-17210: The sensor reports the system’s local user for “Installed By” information instead of the currently logged on user

  • DSEN-12808: Placing a machine into a sleep or suspended state can still show the device as active from the console

    Associated with: DSER-39219

Endpoint Standard

Known Issues

The following issues are known to affect the software. Each lists the sensor version when the issue was first reported. Issues are removed after they are resolved.

All

  • DSEN-26402: Sensor gets the MAC address during its initialization and does not update it if the physical address subsequently changes

    Associated with EA-23683.

  • DSEN-28098: Delays in software running on the terminal server when the sensor is active

    Work around this by approving hashes of the affected executables via Policy: disable "Pause binary execution", disable "Delay execution for cloud scan".

  • DSEN-28183: When Windows update occurs, signature information gets reset to NOT_SIGNED

    After updating the binaries, Microsoft supplies the catalog file. Depending on the timing, the sensor could pull the signature information before the catalog is updated, resulting in the incorrect signature state being reported.

  • UAV-3229: AV signature updates may fail on VDI Instant Clones

    Associated with EA-23919, EA-24512, EA-23366.

  • DSEN-24871: In rare scenarios, two file drop events for the same hash can be sent from the same endpoint

  • DSEN-27167: A sharing violation may occur when sharing Excel worksheets on a mapped network drive

    The workaround is to use a UNC path to access the file, or run Excel first and then open the worksheet.

    Associated with EA-23784.

  • DSEN-27590: PSC threatType cannot be copied to clipboard in Sensor system tray pop up

    Associated with EA-24192.

  • DSEN-25191: Obfuscation of document filenames is not working as expected when using the Enable Private Logging sensor configuration

  • DSEN-22427: osquery might crash when querying windows_eventlogs in any sensor version that supports the windows_eventlog table

    The affected environment is Windows 10 21H1 x64 and any sensor version with osquery 4.5.0 or higher.

  • DSEN-18389: The sensor can show misleading ProcessTamperAttempt alarms in RepCLI status output and log events

    These events do not constitute a true tamper attempt and indicate that the sensor blocked msmpeng.exe from accessing lsass.exe when Windows Defender is active.

Endpoint Standard

  • DSEN-12189: When a process is blocked from running, multiple block events can display in the console and local user interface

    Sensor version found: 3.7.0.1253.

  • DSEN-18307: In Endpoint Standard, TAU conflicts with the sensor

    Carbon Black Cloud’s TAU-provided detections and preventions, such as credential theft alerts, can potentially conflict with the sensor’s own built-in detections and preventions and present multiple, conflicting events for the same endpoint operation. In this case, the sensor’s built-in logic takes precedence.

  • DSEN-9577: Fileless script termination rules

    Fileless script termination rules must be applied to the parent process of the fileless script process. The process executing the fileless script is the fileless script.
