VMware Carbon Black Cloud | 23 JUN 2022

Check for additions and updates to these release notes.

What's New - 23 June 2022

Note: To see changes made in previous releases, see Archive of 2022 Improvements and Resolved Issues.

  • Container Essentials

    Enforce Compliance without Compromising Security

    The Auto Enforce feature was created to help with misconfigurations of Kubernetes Workloads and Containers. SecOps teams can audit workload vulnerabilities and misconfigurations and use VMware Carbon Black Container to mutate the workload to the desired state. The tool uses automation to mitigate and enforce policy management across environments at the cluster layer.  

    This feature allows users to: 

    • Enforce compliance without compromising security 
    • Regain control of K8s 
    • Quickly remediate misconfigurations and deviations from compliance standards 

    Reducing Friction for DevOps Teams

    Carbon Black is releasing two new features to help reduce friction for DevOps teams regarding deployments.

    • Cbctl: - cbctl is now available as a container. With the newly released container, you can easily integrate Carbon Black image scanning to your CI of choice. This includes Tanzu Application Platform.
    • Helm Chart: The Carbon Black agent is now available as Helm chart and allows the DevOps team to keep the Carbon Black installation process on par with all other infrastructure tools and processes.

Resolved Issues - 23 June 2022

Container Essentials

  • GRC-2395: Upgraded Operator SDK

    Follow the operator SDK upgrade documentation to fix vulnerabilities found by Github.

  • GRC-2169: Added support for alternative ways for configuration via cbctl: via global CLI parameters and environment variables

  • GRC-2144: Implemented presets management in guardrails-apis

    This includes:

    • API changes to navigate the client, which rules support enforce action, and what are their "preset" configs 
    • CRUD APIs for the presets themselves 
    • Policy APIs changes to validate enforce rules and the selected presets

  • GRC-2140: Implemented label-based exceptions

    Changes include:

    • Support label exception in the exception/policy API for adding/removing/editing exception
    • Support the exception in the agent and policy engine
    • Support calculating violations by taking the new exception into account (for the Policy violations modal where violations are shown)

  • GRC-2083: cbctl publicly available as docker image

  • GRC-1996: Added ability to deploy dataplane using Helm chart

  • GRC-1599: Changed the operator so it does not use its own ClusterRole for the deployed agent components

    Created a dedicated role for the agent components that has only the needed permissions.

  • GRC-1171: Changed imagePullPolicy for DP services to IfNotPresent


  • DSER-40966: Fixed misaligned bullets when viewing permissions on the Roles page, due to a recent Chrome browser update

  • CBCUI-959: Users can now create and edit a data forwarder without having to set a filter

Known Issues - All

The following issues are known to affect the software. Each lists the date when the issue was first reported. Issues are removed after they are resolved.

  • DSER-4390: Devices only show the status of Eligible for Upgrade if the sensor version is lower than any versions that are available in the Endpoints > Download Sensor Kits window (first listed: 18 September 2019)

  • DSER-24196: API search might return different results based on field filtering order (first listed: 16 July 2020)

  • DSER-25244: If an org removes Enterprise EDR, Watchlist alerts can still occur (first listed: 16 July 2020)

  • DSER-25244: Watchlist deletion is not tracked in the audit log (first listed: 16 July 2020)

  • DSER-25329: Facet searches can report as completed before the search completes (first listed: 16 July 2020)

  • DSER-23471: Exporting individual widgets sometimes times out in dashboard Export (first listed: 3 August 2020)

  • DSER-25397: Watchlist report does not port to the Investigate query page (first listed: 17 August 2020)

  • DSER-27969: The Process Analysis graph might display a process as both parent and child of the same process (first listed: 11 November 2020)

  • DSER-28814: The process tree on the Alerts Triage page might include blank entries (first listed: 16 December 2020)

  • DSER-29898: Case sensitive-email checks on SAML login flow (first listed: 2 March 2021)

  • DSER-29646: Sensors might not be assigned to the expected sensor group when subnet rules are configured (first listed: 18 March 2021)

  • DSER-30497: Enabling the Auto Ban feature at any threshold changes the default action of the Application on the company banned list rule from Terminate if Runs or is Running to Terminate when Communicates over the network (first listed: 26 April 2021)

    This change is applied to any policies that have the banned list rule enabled.

  • DSER-31444: The Uninstall Sensor action does not apply to all sensors matching the current search on the Endpoints page (first listed: 26 April 2021)

  • DSER-32012: The Sensor group “Processing” message can continue to display if the job has not completed successfully (first listed: 27 May 2021)

  • DSER-32209: When exporting to CSV from the Investigate page, the resultant CSV can have missing fields (first listed: 27 May 2021)

  • DSER-32293: When viewing the Investigate page, the Effective Reputation displays two dashes ("--") instead of a valid reputation (first listed: 27 May 2021)

  • DSER-32381: The Alert Triage process tree does not include the processes listed in the alert, although these process events are displayed when searched in the console (first listed: 25 June 2021)

  • DSER-32398: Some alerts display blank nodes on the Alert Triage page process graph (first listed: 25 June 2021)

  • DSER-32435: Sensor groups configured to include devices based on minor OS names can include devices that match the major OS name (first listed: 25 June 2021)

    For example, a group configured to include Windows 7 x64 devices can include other Windows 7 devices. This issue affects Windows, macOS, and Linux devices.

  • DSER-33425: Audit Log export to CSV is timing out after 60 seconds without any error or message in the user interface to notify the user (first listed: 16 July 2021)

  • DSER-33621: The Alerts detail panel does not show notes for grouped alerts even though the Alert status displays “Notes Added” (first listed: 26 August 2021)

    You can still view the Alert notes when searching for the corresponding Threat ID.

  • DSER-33682: When viewing the Process Analysis page, the wrong file path for the process can be displayed (first listed: 26 August 2021)

  • DSER-36023: Linux VDI parent/child hierarchy may be reported incorrectly in environments where an appliance is installed (first listed: 27 October 2021)

    There is no known workaround for this issue, but it will be resolved in a future sensor release.

  • DSER-36314: Data Forwarder filtering throws an error for the process_path field when the : character is not escaped, but not if \ or / characters are not escaped (first listed: 8 November 2021)

  • CBC-8443: Actions taken by VMware users are not visible in customer’s audit logs (first listed: 1 December 2021)

    Work around: Logs are available upon request with a support ticket.  

  • CWP-10433: Export for large data sets under Vulnerabilities (where the exported file size > 5 GB) times out (first listed: 17 December 2021)

    Workaround is to export a reduced number of records by applying filters to the affected table.

Known Issues - Endpoint Standard

  • DSER-30385: When viewing the Alerts page, the user value can show the user that installed the sensor instead of the user logged in at the time of the Alert (first listed: 18 March 2021)

Known Issues - Enterprise EDR

  • TPLAT-9183: Signature status is UNKNOWN for valid signatures (first listed: 31 August 2020)

  • DSER-26035: The /tree Search API endpoint returns "resource does not exist" for known process_guid (first listed: 21 August 2020)

  • DSER-26185: When using arrow keys to select a suggested query term or value, the search bar on some pages replaced the existing search bar contents instead of inserting (first listed: 21 August 2020)

  • DSER-25929: Link from Watchlist Alert to Investigate does not show all relevant metadata (first listed: 17 August 2020)

  • DSER-25981: Search API facet requests do not process range parameters (first listed: 17 August 2020)

  • DSER-25536: The Process Analysis button on the Investigate page does not work when Investigate is opened from the Watchlists page (first listed: 03 August 2020)

Known Issues - Container Essentials

  • GRC-2222: CLI-created API keys are not deleted after the CLI instance is deleted (first listed: 14 April 2022)

  • KRS-606: Network map shows no activity on GKE v2 dataplane cluster (first listed: 27 October 2021)

  • CBC-6468: Numbers for images and vulnerabilities under the All filter do not reflect the correct status (first listed: 29 April 2021)

    On the container image vulnerabilities page, the numbers for images and vulnerabilities under the All filter do not reflect the status of the Running in Kubernetes filter in the table.

  • CBC-6540: On the Kubernetes images page, the number of workloads displayed can occasionally fall out of sync with the most recent value (first listed: 29 April 2021)

    On the Kubernetes images page, the number of workloads displayed can occasionally fall out of sync with the most recent value. The corresponding Workloads window displays up-to-date information.

  • CBC-6388: Exceptions tab on a CVE modal window (first listed: 29 April 2021)

    In the exceptions tab on a CVE’s modal window, there is a slight delay between when an exception is deleted and when the exceptions table reflects the updated status. As a result, the table can show stale or invalid exception data for up to a second after the deletion.

    Refreshing the table resolves this issue.

  • N/A: Searching for literal strings containing regular expression modifiers may yield unexpected search results (first listed: 29 April 2021)

    All search boxes for container image search tables support regular expression queries; searching for literal strings containing regular expression modifiers may yield unexpected search results. Characters such as “+” and “*” must be prefixed with a “\” (the regular expression escape character) to search for those actual characters.

  • GRC-328: Searching Kubernetes resources using a MAPL rule with no conditions returns no results (first listed: 22 December 2020)

  • GRC-320: When updating a template, rules search fields are disabled and rules cannot be searched (first listed: 22 December 2020)

  • GRC-345: Some violations appear under the unknown resource group (first listed: 22 December 2020)

  • GRC-418: On data-planes running Kubernetes version 1.15 or lower, the workload name might be empty (first listed: 22 December 2020)

  • KRS-902: Clicking on a policy's side panel and opening another policy's alerts modal (while the first one is still in focus) disrupts rules (first listed: 28 February 2022)

  • KRS-903: Workload summary Runtime tab fails to load the workload baseline when opened in a modal mode through the Alerts page (first listed: 28 February 2022)

  • KRS-904: RuntimePolicyModal fetches twice the policy data (first listed: 28 February 2022)

  • KRS-919: RuntimePoliciesTableSidePanel closes on policies change. This should happen on delete only (first listed: 28 February 2022)

  • KRS-975: SimpleSelect does not support disabled options (first listed: 28 February 2022)

Known Issues - Workloads

  • DSER-28998: Audit & Remediation queries are still running after Audit & Remediation is disabled

    Although Audit & Remediation is disabled, previously scheduled live queries continue as per their schedule. It is expected that if the feature is no longer available, the query runs should stop.

  • DSER-39330: CBC Recommendations Page: "Unknown" values display for all signature CA fields

Archive of 2022 Improvements and Resolved Issues

This section contains the information regarding all 2022 releases prior to this release.

What's New - 8 June 2022

The 8 June 2022 release includes:

  • Allow users to export CSV from Endpoints - Sensor Update Status for in-progress jobs
  • No longer creates duplicate Alerts through historical evaluation on selected Watchlist when adding new Query to existing Watchlist

Resolved Issues - 8 June 2022

Endpoint Standard

  • DSER-29616: Allows clients to download CSV of processing jobs and allows export of logs while sensor update is processing

Enterprise EDR

  • DSER-39270: Adding IOC query to existing Watchlist

    Adding IOC query to existing Watchlist is evaluating on all existing data. Fixes an issue where a user selection can be erroneously retained when updating a watchlist, thereby resulting in the watchlist being evaluated on all existing data.

What's New - 26 April 2022

Note: To see changes made in previous releases, see Archive of 2022 Improvements and Resolved Issues.

The 26 April 2022 release includes bug fixes and enhancements.

  • Improved testing LR for invalid device session

  • Data Forwarder Improvements

    There are two improvements to the Data Forwarder:

    • Simplified Policies
    • Data Forwarder-compatible KMS encryption of an AWS S3 bucket

    Simplified Policies:

    We have simplified the Data Forwarder to require fewer permissions. The following actions are no longer required in the bucket policy:

    • “s3:AbortMultipartUpload”
    • “s3:GetObjectAcl”
    • “s3:ListMultipartUploadParts”

    Data Forwarder-compatible KMS encryption of an AWS S3 bucket

    You can now enable KMS encryption on any AWS S3 bucket used to store data sent from the Carbon Black Cloud Data Forwarder. For detailed instructions, see:

  • New Policy Service API Release

    You can now use the new Policy Service API to manage your Policies for endpoints and workloads with a single CUSTOM API key. This allows more granular permission controls when creating API keys to manage Policies. This iteration of the Policies API also aligns many field names with those used elsewhere in the product. Policy Service API will serve as the primary API to manage policies in the Carbon Black Cloud going forward and will be updated with additional features as we work to simplify the Policy experience.

    For more information, please visit the Policy Service API documentation on the Developer Network.

Resolved Issues - 26 April 2022

  • CBCUI-668: Test LR for invalid device session

  • CBCUI-743: User with non-admin role grant cannot change role

What's New - 14 April 2022

The 14 April 2022 release includes bug fixes and enhancements.

  • Major Documentation Update: Sensor-Specific OERs

    As part of our continuing effort to consolidate key content onto VMware Docs, we have moved and consolidated sensor-specific information from the Carbon Black User Exchange (UEX) to VMware Docs. Each Carbon Black Cloud sensor now has a unique Operating Environment Requirements (OER) document. Specifics regarding the new content:

  • Under the Console Help menu, added a link to the Carbon Black Tech Zone (CB TechZone)

  • Container Essentials: Image Vulnerability Dashboard

    The dynamic nature of Vulnerability management in cloud-native environments can make it difficult to control the state of different areas or applications, and can require pulling data from multiple sources. With the new image vulnerability, the active dashboard is improved. The new dashboard helps you continuously analyze the vulnerability state of your environment based on scan status, severity, and it highlights fixes. With the new Vulnerability widget, you can easily detect new vulnerabilities introduced in the last 24 hours to ensure nothing slips. Combined with the Kubernetes-driven filters, where you can focus your view on the important areas like clusters, namespaces, or different repositories, your vulnerability management is now easier.

    See Container images -> Overview tab.

    For a video regarding recent changes to VMware Carbon Black Cloud Container, see What's New with Vulnerability Dashboard, Backend Version 0.77.

Resolved Issues - 14 April 2022

The following issues were fixed in this version of the software.

Note: To see issues resolved in previous releases, see Archive of 2022 Improvements and Resolved Issues.


  • DSER-34381: Alert Triage Process Tree Blank Processes

  • DSER-38817: Added more sensor state/bypass descriptions to side panel

  • DSER-38810: Assigned policy modal defaults to Automatic assignment selection instead of showing current selection

  • CBCUI-663: Fixed log exception: Cannot read properties of undefined (reading 'get'):\


  • CBCUI-669: Reduced footprint of momentJS date-time library

  • CBCUI-573: Fixed selection of Policy on new Live Query and its scheduling

  • CBCUI-508: Sidepanel process card displays IOCs using TTP components

  • CBCUI-633: Adjusted the Sensor release link (Endpoints->Download kits)

  • CBCUI-637: While signing In, Sign-in button gets disabled with loading icon

  • DSER-39468: Fixed Grouping Result search issue

Endpoint Standard

  • DETECT-2643: Efficacy Improvement - low severity score macOS and Linux monitored detections

    Changed some low severity score macOS and Linux monitored detections to not alert, but tag events with relevant TTPs to reduce unwanted alerts.

  • EA-20637: Efficacy Improvement - Windows code injection monitored detections

    Changed some Windows code injection monitored detections to no longer alert, but still tag events with relevant TTPs to reduce unwanted alerts.

  • N/A - Efficacy Improvement - Added a new detection related to Jupyter Infostealer

Container Essentials

  • GRC-1884: Improvements in scope selection in the policy creation flow

  • GRC-2003: Workloads violation details did not show disabled policy violations

  • GRC-2022: Fixed counter mismatches in the facet in the K8s clusters page

  • KRS-1054: Rules started learning even when saved as draft

  • KRS-1068: Reset policy learning period upon enabling the policy

What's New - 17 March 2022

Note: To see changes made in previous releases, see Archive of 2022 Improvements and Resolved Issues.

The 17 March 2022 release includes bug fixes and enhancements.

  • Audit and Remediation

    Two new Recommended Queries have been added to the New Query page.

    Sensor Manifest Download Errors

    This query locates sensors that encounter errors while downloading content from content.carbonblack.io. This query requires Windows sensor version 3.8 and higher. 

    macOS Disk Encryption Status

    The query will list macOS disk devices and their current encryption status.

Resolved Issues - 17 March 2022

The following issues were fixed in this version of the software.

Note: To see issues resolved in previous releases, see Archive of 2022 Improvements and Resolved Issues.


  • DSER-38259: Enhanced bulk device policy change to properly report operation status using Notifications for Success and Failure

  • DSER-34842: Improved clarity in the Policy section of the Endpoints page's filter panel when an endpoint has been deregistered and its policy has been deleted

  • DSER-38481: Endpoints UI Export: blank email column

  • DSER-38481: Fixed CSV exported from Endpoints page to contain proper User Information in the loginUserName column

  • DSER-35501: Fixed sensor logs data retention to meet the GDPR requirements

  • DSER-39177: Endpoints UI Export: not exporting "deploymentType": "AWS"

  • DSER-39177: Fixed AWS Instances not appearing in Export CSV results in Endpoints

Endpoint Standard

  • DETECT-2612: Efficacy improvement - Endpoint Standard cloud detections now set MITRE ATT&CK v10 TTPs

  • DETECT-2640: Efficacy improvement - Raised the threshold on when to create alerts for scanning behavior

    Raised the threshold on when to create alerts for scanning behavior. This should reduce the volume of alerts while still tagging the events with relevant TTPs.

  • EA-20809: Efficacy improvement - Fileless behavior

    Adjusted the severity scores for monitored Fileless behavior to account for the expanded definition of fileless on the Windows 3.8 sensor.

Audit and Remediation

  • DSER-37931: Free Disk Space on Linux/macOS

    The recommended query for "Free Disk Space on Linux/macOS" sometimes returned inaccurate numbers. The query now shows accurate numbers. Used and remaining space values are returned as a percentage.

What's New - 28 February 2022

  • Managed Detection

    VMware Carbon Black Cloud Managed Detection and Managed Detection and Response customers can now subscribe to a daily report through email. The report outlines all Endpoint Standard or Workload Advanced alerts within the service level objective (SLO) for Managed Detection.

    Alerts are classified into 4 categories:

    • Likely Threats - A likely true threat in your environment that may require your remediation.
    • Unlikely Threats - An unlikely threat in your environment. Alerts in this category are often trusted applications that operate similarly to malicious actors (such as vulnerability scanners).
    • Not Reviewed - Alerts within the SLO that were not reviewed by Managed Detection and may require your remediation.
    • No Threat - Does not represent a true threat within your environment. Alerts in this category are grouped. Search for the Threat ID on the Alerts page in the Carbon Black Cloud to return all alerts within the group. Action can be taken to refine policy or reputation configurations to reduce future instances of these alerts.

    To configure the report, enable the Daily Summary for recipients on the Settings > Managed Detection page.

  • Container Essentials

    We are announcing the general availability of Container Runtime Security for VMware Carbon Black Container. This release includes many new features and capabilities, which are available with the Container Advanced bundle. With this new release, you can quickly identify any network anomaly that happens in the cluster and get alerts on a consolidated alert page. The primary detected anomalies are Egress, Internal, and Ingress in a workload level, and Egress connections with IP reputation in a cluster and scope level. In addition, you can detect malicious activity such as internal or external port scanning.

    New Container Advanced security capabilities include:

    • Kubernetes Visibility Mapping: Allows DevOps and security teams to quickly understand the architecture of an application that was set pre-deployment to better identify egress destination connections, potential workload policy violations, and vulnerable images.
    • Anomaly Detection: Leverages artificial intelligence to standardize networking modules and alert SecOps teams on any deviation from that module, which is critical when setting up new workloads.
    • Egress and Ingress Security: Provides security teams with added visibility into the external source that is reaching out to the Kubernetes service and easier detection of malicious egress connectivity based on the IP address and the behavioral data.
    • Threat Detection: Allows customers to scan open ports to check for vulnerabilities and quickly see if there is a lateral attack in progress. If an attacker tries to exploit a vulnerability to find the next lateral move, the internal port scan and egress port scan will raise an alert.
    • Integrated Alerts Dashboard: Provides a single pane of glass for security teams to view events and address anomalies in their runtime environment.

    New Container Essentials capabilities include:

    • Runtime Cluster Image Scanning: To ensure that your container image doesn’t contain any vulnerabilities, images must be scanned throughout the entire application lifecycle. Our new image scanning feature is not just limited to CI/CD scanning but also allows you to scan images in production. The ability to scan through the runtime layer gives security and DevOps teams visibility to vulnerable images in images that were not previously scanned, and images deployed from any third-party registries.
    • Workload Deployment Controls Policy: Kubernetes is the de facto developer platform that helps delegate many of the responsibilities previously owned by operation teams that empower developers to deliver in their own cadence. But how can you make sure this power is not abused by adversaries? The addition to the workload deployment control rules allows you to deny deployment of new resources to sensitive areas such as kube-systems or default namespace to follow best practices. This feature is at Kubernetes Policies > Hardening Policies in the console.
    • User Exception Policy: The new user exception rule allows for the admin to create exceptions for a specific user based on their account username. This feature will help teams mitigate alerts coming from ClusterRoleBinding in GKE.
    • PowerShell Script for the Operator Installation: A sensor installation script is now available with PowerShell to enable sensor configuration from a Windows-based OS.
    • Workload Count for Scope Cards: Scopes are dynamically selected groups of workloads used for policies and filtering. The dynamic nature of the allocation of these scopes can be confusing or even misleading. The newly added scope card is designed to provide more information about the different policy allocation and workload to bring all the relevant information to you exactly when you need it. This feature can be accessed by going to Inventory > Kubernetes > Scopes.

    • Sensor Component Additions: The introduction of Kubernetes DaemonSet highlights the need to fine-tune the agent’s pod scheduling across the different nodes in the environment. With the ability to add tolerations, affinity, and the nodeSelector to your sensor components, you can easily configure the agent to fit your needs. You can read more details on GitHub here.
    • Export Vulnerability information by PDF/CSV: To increase visibility and improve operational efficiency, you can now export vulnerability information into a PDF or CSV file directly in the console.
    • Runtime Cluster Image Scanning: To ensure that your container image doesn’t contain any vulnerabilities, images must be scanned throughout the entire application lifecycle. Our new image scanning feature is not just limited to CI/CD scanning but also allows you to scan images in production. The ability to scan through the cluster layer gives security and DevOps teams visibility to vulnerable images in images that were not previously scanned, and images deployed from any third-party registries.
    • List go modules and find their vulnerabilities:Not only does our image scanning feature now include runtime cluster image scanning capabilities, but also includes the ability to list and identify go module vulnerabilities.


    The cbctl command-line tool, based on the open source syft, is now up to date to the latest version with the following noticeable enhancements:

    • Add Pipenv support (Pipfile.lock) #242
    • Enhance CPE generation to improve downstream matching in grype #471
    • Allow syft to populate distro data for all types #499
    • Updated the distro package to include SLES #489
    • Modify CPE vendor candidate generation approach #484
    • Catalog Go modules used in Go binaries #434
    • Capture additional go package data #540
    • Stabilize package identifier based on contents #363
    • Support for PHP/composer installed.json files #642
    • Adding AlmaLinux OS Support #652
    • pip should support vcs url #679
    • support .par for java ecosystems #727
    • Add support for searching for jars within archives #734
    • Add lpkg as java package format #682
    • Add additional PHP metadata #753
    • Remove strong distro type #342
    • Support more java artifact extensions #728
    • Add distro information to package URLs for OS packages #754
    • Encode upstream qualifier on OS package pURLs #769


    The latest release of Carbon Black Cloud introduces new MITRE TTPs, both new techniques and sub techniques, throughout the platform as specified in MITRE ATT&CK v10. Starting in early March 2022, Carbon Black Cloud will begin to emit the successor MITRE TTPs whenever we set their corresponding deprecated MITRE TTPs.

    On March 6th, 2023, we will remove the deprecated MITRE TTPs from our products completely. Deprecated MITRE TTPs will no longer be emitted from the Carbon Black Cloud and will no longer be selectable when creating or editing a notification from Settings > Notifications page in Carbon Black Cloud. For more information see our full update.

  • Bypass mode

    Additional bypass reasons have been added to the user interface. For a complete list, see https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-What-are-the-Sensor-Bypass-Reasons-and/ta-p/111310.

Resolved Issues - 28 February 2022

The following issues were fixed in this version of the software.

  • DSER-33425: Audit log entries for removal of Reputation Trust overrides on the Reputation user interface lacked sufficient detail to review the action

  • DSER-36029: Audit log entries for removal of Reputation Trust overrides on the Reputation user interface lacked sufficient detail to review the action

  • DSER-34605: Could not edit users without a grant

    Prior to this change, if a user was missing a grant, they would not be able to log in or be edited by another user. This would result in the user having to be deleted. Now the user can be edited to assign a role and create a grant upon save.

  • DSER-32435: Inconsistent OS Criteria in Sensor Group Rules

    Sensor groups including endpoints did not match the group criteria when the OS limit was more specific than Windows/macOS/Linux.

  • DSER-35514: Export DeviceId on Endpoints page was not working

  • DSER-35390: Endpoint Standard - Brought the Windows sensor and Cloud detections into alignment to improve fileless behavior detection

  • CWP-9462: Workloads - Not Enabled Tab Facet filter selection no longer marks other values as 0

  • GRC-1748: Container Essentials - User data was missing from violation details (Harden > K8s Violations)

  • GRC-1876: Container Essentials - Fixed errors when editing notification hooks (Settings > Notifications > Kubernetes tab)

  • GRC-1899: Container Essentials - Fixed a bug in policy rule enforcement of workloads with an owner

  • GRC-1719: Container Essentials - Digested images could not be scanned with runtime cluster-scanner

  • GRC-1994: Container Essentials - Compress SBOM to scan large images

What's New - 24 January 2022

The 24 January 2022 console release includes various bug fixes.

Resolved Issues - 24 January 2022

The following issues were fixed in this version of the software.

  • DSER-38285: Dashboard to Vulnerability filters were not showing properly

  • DSER-35926: Modified email notifications to include an Alert Type selector, which includes a new container runtime option

  • DSER-37462: "Equality" type IOCs for certain fields (for example, process hash, netconn_ipv6, etc.) are combined for optimized evaluation

    Before this fix, only one IOC would trigger a hit, even if there were more IOCs for the same field with the same value. After the fix, all IOCs for the same field with the same normalized value will produce a hit, regardless of whether the IOCs are in different reports or the same report.

What's New - 13 January 2022

  • VMware Carbon Black Cloud

    The Dashboard now supports modeless editing. There is no longer a need to click Edit before moving and resizing widgets; it can be done without entering an edit mode.

  • Endpoint Standard

    API decommissioning - v3 Alerts, Events and Process APIs

    After 31 January 2022, the v3 Alerts, Events and Process APIs will be decommissioned. After this date, they will return an HTTP Response of "410 GONE" and will no longer return previously available data.

    For more information, see this October 2021 announcement on the Carbon Black User Exchange: https://community.carbonblack.com/t5/Developer-Relations/Upcoming-API-shutdowns-Carbon-Black-Cloud-v3-Events-Alerts-and/td-p/107722

    Efficacy Improvements

    Endpoint Standard customers will see an increase in default prevention value. TAU provides improved detections and fixes for AMSI Threat Intelligence, Privilege Escalation, CarbonBlack Threat Intelligence, and Credential Theft.

    • AMSI Detection - Inhibit System Recovery behaviors – Filebacked
    • AMSI Detection - Inhibit System Recovery behaviors – Fileless
    • Detect Suspect SAM Credential Access – Filebacked
    • Detect Suspect SAM Credential Access – Fileless
    • Detect Suspect Browser Credential Access
    • Detect bitsadmin file transfer
    • Detect bitsadmin execution
    • Detect Suspect Startup Modifications
    • Detect parent process identifier (PPID) spoofing
    • Detect suspect registry changes

  • Container Essentials

    New Policy and Scope Experience

    Policy Rule Selector

    To address the continuing growing number of policy rules, we are introducing an enhanced rule selection experience. With the new design, you can easily browse through all available rules using filters, and organize and manage the selected rules to better understand policy impact. Check it out in Enforce -> K8s policies.

    K8 Policies

    Scope Page

    What is the workload scope type? How many namespaces are included in the scope and which workloads? What is the policy assigned to the scope? These are questions we often get when trying to manage the scope. With the newly designed page, we addressed it all! With a new modern look, you can easily identify the scope by its type, the assigned policy, and even the clusters, namespaces, and workloads assigned to it. Check it out at Inventory-> Kubernetes-> Scope.


Resolved Issues - 13 January 2022

The following issues were fixed in this version of the software.

  • DSER-37956: Data Forwarder user interface inaccurately reported connection test was successful

  • DSER-37701: Endpoints page crashed when updating all sensors without a proper searchDef

  • DSER-36396: Clicking on the Basic button twice toggled the Filter Data section between Basic and Custom Query

check-circle-line exclamation-circle-line close-line
Scroll to top icon