What's New

• Sensor Diagnostics Details

  Increased level of detail captured by sensor diagnostics to include PID smaps, iostat (CPU & I/O utilization), and network interface configuration, for the purposes of gaining additional problem-case insight in ongoing effort to reduce memory and CPU utilization footprint. [CB-20991].

• Improved Library Security

  Updated to use libcurl 7.78.0 for improved library security [CB-36938].

• Performance

  Improved memory and CPU performance [CB-16064, CB-19523, CB-21348]

• Digital Signatures

  Digital signature for EDR Linux Binary and Installer[CB-35693]

  Manifest files are added as part of CarbonBlackClientSetup-linux-v7.1.0.98326.tgz and CarbonBlackSensorUpgrader-linux-v7.1.0.98326.tar.gz. These packages come with manifest.sha256 and manifest.sha256.asc.

  1. Verify manifest.sha256. The asc extension file is a detached signature of manifest.sha256. To verify, run the following command: gpg --verify manifest.sha256.asc manifest.sha256
  2. You can use sha256sum to check each package and compare it with the checksum in manifest.sha256. For example, here is the content of manifest.sha256 of CarbonBlackSensorUpgrader-linux-v7.1.0.98326.tar.gz

  ed53fa7a980342af5fcad5a5e8f2bfbdbf2f1c30fe3f8d4b8a93d8465a563bee pkgs/cbsensor-7.1.0.98326.x86_64.rpm

  873c9e00fa713c8b242ef1aa8ae0316c75794980db81bc9161f17af4bf208770 pkgs/cbsysd-7.1.0.98326.x86_64.rpm

  6220d0fd87bb92dd562148244948b43ec7d0de00bab68abb82caadcaaf5b41bf pkgs/cbsensor-7.1.0.98326.amd64.deb

  38f7df9087a530b103d245a9b88c7b7648f934f0be98542ef677ebedc4cebe63 pkgs/cbsysd-7.1.0.98326.amd64.deb

  a70bac0e80e51ffbe6386deb62754064af0560c4a0fda233a91fe736d475c4c9 upgrade.sh

  run command:

  sha256sum pkgs/cbsensor-7.1.0.98326.x86_64.rpm

  and it gets the result:

  ed53fa7a980342af5fcad5a5e8f2bfbdbf2f1c30fe3f8d4b8a93d8465a563bee pkgs/cbsensor-7.1.0.98326.x86_64.rpm

  Expected result is:

  ed53fa7a980342af5fcad5a5e8f2bfbdbf2f1c30fe3f8d4b8a93d8465a563bee

Sensor Operating Systems

Documentation

Installation Instructions

Resolved Issues

• CB-20311: Sensor Metadata

  Includes metadata on events sent by the sensor.

• CB-25675: Event Logs

  Event Logs that are missing or have errors for open/read are excluded from upload and retry attempts to prevent incorrect upload byte counts.

• CB-21643, CB-36411, CB-36430: Event Log Quota

  Correctly applies event log quota and counting of event log files.

• CB-32411: Banning attempts count

  Correctly counts total number of banning attempts for SUSE 15 platform.

• CB-32463: Banned Binary Logging

  Logging attempts of execution of a banned binary on server's process search page and banned binary list page.

• CB-35193: Installation and Upgrade Scripts

  Modified tool and package-format selection logic in installation and upgrade scripts to select based on identified operating system and prevent failure even if there are package management tools that may be present on the system.

• CB-35552: Sensor ID Truncation

  Removed truncation when the value of Sensor ID is greater than 65535 so "SensorIdForDisplay" in the config.ini file matches the Sensor ID displayed in the console.

• CB-36517: 6.x Upgrade to 7.1.0

  6.x.x-lnx can now upgrade to 7.1.0-lnx, and cbdaemon service will successfully restart after the upgrade.

• CB-36528: Diagnostics

  Keeps process tracking table in synched to provide more diagnostic information about tracked processes details.

• CB-36847: Installation/upgrade script logging

  Removed ambiguous and redundant messages in installation/upgrade script logging.

• CB-26518: Binary Backlog

  The sensor could report an incorrect binary backlog.

• CB-37560: Upgrade 7.0.3 Sensor with App Control

  When upgrading a 7.0.3 sensor with App Control installed on the machine and after the upgrade the sensor will show 50% health.The best option for resolution is to reboot the affected endpoint. In this case no further action is required.

  If it is not possible to reboot the endpoint, then the following manual resolution steps will correct the issue in most cases:

  As root-priv user:

  1. /opt/bit9/bin/b9cli --password <password> 0
  2. /opt/bit9/bin/b9cli --tamperprot 0
  3. /opt/bit9/bin/b9cli --shutdown
  4. lsmod to ident loaded modules for action
     1. b9k_*
     2. cbproxy_*
     3. cbsensor_*
  5. rmmod in reverse load order (highest version numbers first) to remove each, grouped by 4-1, 4-2, or 4-3
  6. lsmod to confirm modules removed as expected
  7. systemctl restart cbdaemon.service to return CB Response to normal operation
  8. dmesg review to confirm startup as expected
  9. /opt/bit9/b9daemon-restart to return AppC to normal operation
  10. dmesg review to confirm startup as expected

• CB-26518: The sensor could report an incorrect binary backlog

• CB-32913: Cbsensor module did not unload if hooks were modified

• CB-35437: Install script failed if path to it contained a space

• CB-36081: Upgrade from 6.2.2/6.34 to 7.0.3 failed to start cbdameon service

• CB-37285: Sensor limits the number of times it tries to install kernel header package

• CB-35143: Upgrade on CentOS platform broken by failure to remove old packages

Known Issues

• CB-39216: Updating from a sensor version less than 7.1.0 to 7.1.0 can result in a system panic if other security software (for example, Tripwire, McAfee, TrendMicro, etc.) is also installed

  Two ways to safely upgrade are to:

  1. Unload all other security software kernel modules which are loaded on top of the cbsensor kmod. Use lsmod(8) to check if other security software kmods are loaded after cbsensor (they display before the cbsensor kmod in the lsmod output).
  2. Stop the cbdaemon sensor service and attempt to unload the cbsensor kernel module by executing rmmod(8) twice. Refer to the instructions in https://community.carbonblack.com/docs/DOC-15629 to unload the module. If the cbsensor kernel module unloads, then it is safe to do an upgrade to 7.1.0. If the cbsensor kernel fails to unload due to other security software kmods having loaded after it, then follow procedure #1.

• CB-2825: EDR might be unable to disable cbsensor if hooks are too busy

• CB-30175: Custom TLS Certificate

  Proxy setting in sensorsettings.ini will not work with a custom TLS certificate.

• CB-18158: Oracle UEK

  Oracle UEK is not supported. The RHCK kernel must be installed prior to installing cbsensor on Oracle Linux.

• CB-17033: Installation Directory

  This version of the Linux Sensor Installer does not respect the specification of a non-default installation directory in cb.conf on the server – the default directory is always used.

• CB-18239, CB-29810: PID Re-use

  PID reuse on the system can cause new processes to not be suppressed when they should be.

• CB-6623: ICMP Traffic

  ICMP traffic is allowed when a sensor is isolated.

• CB-37627: Downgrades from 7.x.x-lnx to 6.x.x-lnx

  Downgrades from 7.x.x-lnx to 6.x.x-lnx will require a manual uninstall and reinstall due to extensive architectural changes in the 7.0.0 version.

• CB-37628: Downgrades from 7.1.0-lnx w/Kernel > 4.x

  Downgrades from 7.1.0-lnx on systems running with kernel version greater than 4.x to any sensor version will need manual cleanup of 7.1.0-lnx packages. [CB-37628]

• CB-12773: Updating from Sensor v6.1.6 and Earlier

  Updating from sensor version v6.1.6 and earlier can result in a system panic if certain other security software (Tripwire, McAfee) is also installed. v6.1.7 introduced a safety mechanism to prevent this panic. This safety mechanism can result in the sensor refusing to update to prevent a panic.

  An update will occur on the next system reboot. To upgrade without a reboot, review https://community.carbonblack.com/docs/DOC-15629 for alternate instructions and further technical analysis of the issue.

• CB-37628: Downgrades from 7.1.0-lnx w/Kernel < 4.x

  Downgrades from 7.1.0-lnx on systems running with kernel version less than 4.x to any sensor version require a manual uninstall and reinstall due to extensive architectural changes on the 7.1.0-lnx version.

• CB-38504: Network Isolation does not work on eBPF sensors

• CB-31008: Panic in d_path() due to current->fs being NULL

• CB-38505: On install of the sensor, the Kernel-devel package is required

Contacting Support