VMware Carbon Black EDR 7.1.0 | 03 MAR 2022 | Build 184.108.40.206326
Check for additions and updates to these release notes.
VMware Carbon Black EDR Linux Sensor 7.1.0 introduces improved sensor diagnostics details, digital signature for EDR Linux binary and installer, and various bug fixes.
Sensor Diagnostics Details
Increased level of detail captured by sensor diagnostics to include PID smaps, iostat (CPU & I/O utilization), and network interface configuration, for the purposes of gaining additional problem-case insight in ongoing effort to reduce memory and CPU utilization footprint. [CB-20991].
Improved Library Security
Updated to use libcurl 7.78.0 for improved library security [CB-36938].
Improved memory and CPU performance [CB-16064, CB-19523, CB-21348]
Digital signature for EDR Linux Binary and Installer[CB-35693]
Manifest files are added as part of CarbonBlackClientSetup-linux-v220.127.116.11326.tgz and CarbonBlackSensorUpgrader-linux-v18.104.22.168326.tar.gz. These packages come with manifest.sha256 and manifest.sha256.asc.
and it gets the result:
Expected result is:
VMware Carbon Black EDR sensors operate with multiple operating systems. For the current list of supported operating systems, see the Linux Sensor OER at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.
This document provides information for users who are upgrading to VMware Carbon Black EDR Linux Sensor v7.1.0 from previous versions and users who are new to VMware Carbon Black EDR. This document supplements other VMware Carbon Black EDR documentation at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.
Warning: EDR Linux Sensors versions 7.x do not support el6 distros (RHEL/CentOS 6.x). Attempting to upgrade el6 endpoints will result in a failed upgrade and the sensor will be offline.
To install the new sensor:
yum install --downloadonly --downloaddir=<package local download directory> <package>
(current package to use: cb-linux-sensor-installer-22.214.171.124326-1.noarch.rpm)
Note: If your groups have Automatic Update enabled, the sensors in that group will automatically update.
The new sensor versions should now be available via the console. If the following warning occurs:
warning: /tmp/cb-linux-sensor-installer-126.96.36.199326-1.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 6ac57704: NOKEY
refer to this Knowledge Base Article: How to provide public key for Linux sensor package.
For any other issues, contact VMware Carbon Black Technical Support.
CB-20311: Sensor Metadata
Includes metadata on events sent by the sensor.
CB-25675: Event Logs
Event Logs that are missing or have errors for open/read are excluded from upload and retry attempts to prevent incorrect upload byte counts.
CB-21643, CB-36411, CB-36430: Event Log Quota
Correctly applies event log quota and counting of event log files.
CB-32411: Banning attempts count
Correctly counts total number of banning attempts for SUSE 15 platform.
CB-32463: Banned Binary Logging
Logging attempts of execution of a banned binary on server's process search page and banned binary list page.
CB-35193: Installation and Upgrade Scripts
Modified tool and package-format selection logic in installation and upgrade scripts to select based on identified operating system and prevent failure even if there are package management tools that may be present on the system.
CB-35552: Sensor ID Truncation
Removed truncation when the value of Sensor ID is greater than 65535 so "SensorIdForDisplay" in the config.ini file matches the Sensor ID displayed in the console.
CB-36517: 6.x Upgrade to 7.1.0
6.x.x-lnx can now upgrade to 7.1.0-lnx, and cbdaemon service will successfully restart after the upgrade.
Keeps process tracking table in synched to provide more diagnostic information about tracked processes details.
CB-36847: Installation/upgrade script logging
Removed ambiguous and redundant messages in installation/upgrade script logging.
CB-26518: Binary Backlog
The sensor could report an incorrect binary backlog.
CB-37560: Upgrade 7.0.3 Sensor with App Control
When upgrading a 7.0.3 sensor with App Control installed on the machine and after the upgrade the sensor will show 50% health.The best option for resolution is to reboot the affected endpoint. In this case no further action is required.
If it is not possible to reboot the endpoint, then the following manual resolution steps will correct the issue in most cases:
As root-priv user:
CB-26518: The sensor could report an incorrect binary backlog
CB-32913: Cbsensor module did not unload if hooks were modified
CB-35437: Install script failed if path to it contained a space
CB-36081: Upgrade from 6.2.2/6.34 to 7.0.3 failed to start cbdameon service
CB-37285: Sensor limits the number of times it tries to install kernel header package
CB-35143: Upgrade on CentOS platform broken by failure to remove old packages
CB-39216: Updating from a sensor version less than 7.1.0 to 7.1.0 can result in a system panic if other security software (for example, Tripwire, McAfee, TrendMicro, etc.) is also installed
Two ways to safely upgrade are to:
CB-2825: EDR might be unable to disable cbsensor if hooks are too busy
CB-30175: Custom TLS Certificate
Proxy setting in sensorsettings.ini will not work with a custom TLS certificate.
CB-18158: Oracle UEK
Oracle UEK is not supported. The RHCK kernel must be installed prior to installing cbsensor on Oracle Linux.
CB-17033: Installation Directory
This version of the Linux Sensor Installer does not respect the specification of a non-default installation directory in cb.conf on the server – the default directory is always used.
CB-18239, CB-29810: PID Re-use
PID reuse on the system can cause new processes to not be suppressed when they should be.
CB-6623: ICMP Traffic
ICMP traffic is allowed when a sensor is isolated.
CB-37627: Downgrades from 7.x.x-lnx to 6.x.x-lnx
Downgrades from 7.x.x-lnx to 6.x.x-lnx will require a manual uninstall and reinstall due to extensive architectural changes in the 7.0.0 version.
CB-37628: Downgrades from 7.1.0-lnx w/Kernel > 4.x
Downgrades from 7.1.0-lnx on systems running with kernel version greater than 4.x to any sensor version will need manual cleanup of 7.1.0-lnx packages. [CB-37628]
CB-12773: Updating from Sensor v6.1.6 and Earlier
Updating from sensor version v6.1.6 and earlier can result in a system panic if certain other security software (Tripwire, McAfee) is also installed. v6.1.7 introduced a safety mechanism to prevent this panic. This safety mechanism can result in the sensor refusing to update to prevent a panic.
An update will occur on the next system reboot. To upgrade without a reboot, review https://community.carbonblack.com/docs/DOC-15629 for alternate instructions and further technical analysis of the issue.
CB-37628: Downgrades from 7.1.0-lnx w/Kernel < 4.x
Downgrades from 7.1.0-lnx on systems running with kernel version less than 4.x to any sensor version require a manual uninstall and reinstall due to extensive architectural changes on the 7.1.0-lnx version.
CB-38504: Network Isolation does not work on eBPF sensors
CB-31008: Panic in d_path() due to current->fs being NULL
CB-38505: On install of the sensor, the Kernel-devel package is required
VMware Carbon Black EDR server and sensor update releases are covered under the Carbon Black Customer Maintenance Agreement. Technical Support can assist with any issues that might develop. Our Professional Services organization is also available to help ensure a smooth and efficient upgrade or installation.
Use one of the following channels to request support or ask support questions:
When contacting Carbon Black Technical Support, provide the following required information: