VMware Carbon Black EDR 7.1.0 | 03 MAR 2022 | Build 7.1.0.98326

Check for additions and updates to these release notes.

What's New

VMware Carbon Black EDR Linux Sensor 7.1.0 introduces improved sensor diagnostics details, digital signature for EDR Linux binary and installer, and various bug fixes.

  • Increased level of detail captured by sensor diagnostics to include PID smaps, iostat (CPU & I/O utilization), and network interface configuration, for the purposes of gaining additional problem-case insight in an ongoing effort to reduce memory and CPU utilization footprint. [CB-20991].
  • Updated to use libcurl 7.78.0 for improved library security [CB-36938].
  • Improved memory and CPU performance [CB-36808].
  • A digital signature for the EDR Linux Binary and Installer [CB-35693].
  • Support for RHEL/CentOS 8.5.
  • Support for SUSE 15 (SP3).
  • evl_manager, cbebpfdaemon, and cbkernelupdate services are not running or needed for the 7.1.0 EDR Linux Sensor.
  • Linux Sensor 7.1.0 does not support SUSE 12.
  • Sensor Diagnostics Details

    Increased level of detail captured by sensor diagnostics to include PID smaps, iostat (CPU & I/O utilization), and network interface configuration, for the purposes of gaining additional problem-case insight in ongoing effort to reduce memory and CPU utilization footprint. [CB-20991].

  • Improved Library Security

    Updated to use libcurl 7.78.0 for improved library security [CB-36938].

  • Performance

    Improved memory and CPU performance [CB-16064, CB-19523, CB-21348]

  • Digital Signatures

    Digital signature for EDR Linux Binary and Installer [CB-35693]

    Manifest files are added as part of CarbonBlackClientSetup-linux-v7.1.0.98326.tgz and CarbonBlackSensorUpgrader-linux-v7.1.0.98326.tar.gz. These packages come with manifest.sha256 and manifest.sha256.asc.

    1. Verify manifest.sha256. The asc extension file is a detached signature of manifest.sha256. To verify, run the following command: gpg --verify manifest.sha256.asc manifest.sha256
    2. You can use sha256sum to check each package and compare it with the checksum in manifest.sha256. For example, here is the content of manifest.sha256 of CarbonBlackSensorUpgrader-linux-v7.1.0.98326.tar.gz

    ed53fa7a980342af5fcad5a5e8f2bfbdbf2f1c30fe3f8d4b8a93d8465a563bee pkgs/cbsensor-7.1.0.98326.x86_64.rpm

    873c9e00fa713c8b242ef1aa8ae0316c75794980db81bc9161f17af4bf208770 pkgs/cbsysd-7.1.0.98326.x86_64.rpm

    6220d0fd87bb92dd562148244948b43ec7d0de00bab68abb82caadcaaf5b41bf pkgs/cbsensor-7.1.0.98326.amd64.deb

    38f7df9087a530b103d245a9b88c7b7648f934f0be98542ef677ebedc4cebe63 pkgs/cbsysd-7.1.0.98326.amd64.deb

    a70bac0e80e51ffbe6386deb62754064af0560c4a0fda233a91fe736d475c4c9 upgrade.sh

    Run the command:

    sha256sum pkgs/cbsensor-7.1.0.98326.x86_64.rpm

    It returns:

    ed53fa7a980342af5fcad5a5e8f2bfbdbf2f1c30fe3f8d4b8a93d8465a563bee pkgs/cbsensor-7.1.0.98326.x86_64.rpm

    The expected result is:

    ed53fa7a980342af5fcad5a5e8f2bfbdbf2f1c30fe3f8d4b8a93d8465a563bee
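
The two verification steps above as a script, extended to pin the signer and to report files the manifest does not cover. This is an added example, not part of the release notes or VMware tooling; the function names and the fingerprint argument are assumptions, and the real key fingerprint must come from the vendor.

```shell
#!/bin/sh
# Added example, not vendor code. $1 = directory the .tgz / .tar.gz was
# extracted into; it holds manifest.sha256 and manifest.sha256.asc.

# Step 1: check the detached signature and pin the signer.
# $2 = fingerprint of the vendor signing key, obtained out of band
# (assumption: the release notes do not state it).
verify_signature() {
    [ -n "$2" ] || return 1   # an empty pin would accept any signer
    gpg --batch --status-fd 1 --verify \
        "$1/manifest.sha256.asc" "$1/manifest.sha256" 2>/dev/null |
        grep '^\[GNUPG:] VALIDSIG ' | grep -q -- "$2"
}

# Step 2: hash every file the manifest lists. --strict fails on
# malformed manifest lines instead of skipping them.
verify_hashes() {
    ( cd "$1" && sha256sum --check --strict --quiet manifest.sha256 )
}

# Extra check: print files present in the bundle that the manifest does
# not list, since the signature says nothing about them.
unlisted_files() {
    ( cd "$1" || exit 1
      listed=$(mktemp) || exit 1
      sed 's/^[0-9a-f]\{64\} [ *]\{0,1\}//' manifest.sha256 > "$listed"
      find . -type f ! -name 'manifest.sha256*' | sed 's|^\./||' |
          grep -vxF -f "$listed" | sort
      rm -f "$listed" )
}

# Run the steps in order: the hashes mean nothing until the manifest
# itself has been authenticated.
verify_bundle() {
    verify_signature "$1" "$2" || { echo "signature check failed" >&2; return 1; }
    verify_hashes "$1" || { echo "checksum mismatch" >&2; return 1; }
    extra=$(unlisted_files "$1")
    [ -z "$extra" ] || { echo "not in manifest: $extra" >&2; return 1; }
}
```

Plain `gpg --verify` succeeds for a good signature from any key in the keyring, which is why the script matches the `VALIDSIG` status line against a known fingerprint.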

Sensor Operating Systems

VMware Carbon Black EDR sensors operate with multiple operating systems. For the current list of supported operating systems, see the Linux Sensor OER at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.

Documentation

This document provides information for users who are upgrading to VMware Carbon Black EDR Linux Sensor v7.1.0 from previous versions and users who are new to VMware Carbon Black EDR. This document supplements other VMware Carbon Black EDR documentation at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.

Installation Instructions

Warning: EDR Linux Sensors versions 7.x do not support el6 distros (RHEL/CentOS 6.x). Attempting to upgrade el6 endpoints will result in a failed upgrade and the sensor will be offline.

To install the new sensor:

  1. Set your yum repo appropriately: modify /etc/yum.repos.d/CarbonBlack.repo with the appropriate baseurl, if needed.
  2. Clear the yum cache.
    • yum clean all
  3. Download the installer.
    • Substitute the cb-linux-sensor-installer name for cb-linux-sensor-installer-7.1.0.98326-1.
    • The <package local download directory> is a directory such as /tmp.
    • Run the following command to download the installer:

      yum install --downloadonly --downloaddir=<package local download directory> <package>

  4. Change your directory to the <package local download directory> from Step 3.
  5. Run the following command to install the package:
    • rpm -i --force <package>

      (current package to use: cb-linux-sensor-installer-7.1.0.98326-1.noarch.rpm)

  6. Run the following command to make the new installation package available in the server console:
    • /usr/share/cb/cbcheck sensor-builds --update

Note: If your groups have Automatic Update enabled, the sensors in that group will automatically update.

The new sensor versions should now be available via the console. If the following warning occurs:

warning: /tmp/cb-linux-sensor-installer-7.1.0.98326-1.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 6ac57704: NOKEY

refer to this Knowledge Base Article: How to provide public key for Linux sensor package.

For any other issues, contact VMware Carbon Black Technical Support.

Resolved Issues

  • CB-20311: Sensor Metadata

    Includes metadata on events sent by the sensor.

  • CB-25675: Event Logs

    Event Logs that are missing or have errors for open/read are excluded from upload and retry attempts to prevent incorrect upload byte counts.

  • CB-21643, CB-36411, CB-36430: Event Log Quota

    Correctly applies event log quota and counting of event log files.

  • CB-32411: Banning attempts count

    Correctly counts total number of banning attempts for SUSE 15 platform.

  • CB-32463: Banned Binary Logging

    Logs attempts to execute a banned binary on the server's process search page and banned binary list page.

  • CB-35193: Installation and Upgrade Scripts

    Modified tool and package-format selection logic in installation and upgrade scripts to select based on identified operating system and prevent failure even if there are package management tools that may be present on the system.

  • CB-35552: Sensor ID Truncation

    Removed truncation when the value of Sensor ID is greater than 65535 so "SensorIdForDisplay" in the config.ini file matches the Sensor ID displayed in the console.

  • CB-36517: 6.x Upgrade to 7.1.0

    6.x.x-lnx can now upgrade to 7.1.0-lnx, and cbdaemon service will successfully restart after the upgrade.

  • CB-36528: Diagnostics

    Keeps the process tracking table in sync to provide more diagnostic information about tracked process details.

  • CB-36847: Installation/upgrade script logging

    Removed ambiguous and redundant messages in installation/upgrade script logging.

  • CB-26518: Binary Backlog

    The sensor could report an incorrect binary backlog.

  • CB-37560: Upgrade 7.0.3 Sensor with App Control

    When upgrading a 7.0.3 sensor on a machine with App Control installed, the sensor will show 50% health after the upgrade. The best option for resolution is to reboot the affected endpoint. In this case no further action is required.

    If it is not possible to reboot the endpoint, then the following manual resolution steps will correct the issue in most cases:

    As root-priv user:

    1. /opt/bit9/bin/b9cli --password <password> 0
    2. /opt/bit9/bin/b9cli --tamperprot 0
    3. /opt/bit9/bin/b9cli --shutdown
    4. lsmod to identify loaded modules for action
      1. b9k_*
      2. cbproxy_*
      3. cbsensor_*
    5. rmmod in reverse load order (highest version numbers first) to remove each, grouped by 4-1, 4-2, or 4-3
    6. lsmod to confirm modules removed as expected
    7. systemctl restart cbdaemon.service to return CB Response to normal operation
    8. dmesg review to confirm startup as expected
    9. /opt/bit9/b9daemon-restart to return AppC to normal operation
    10. dmesg review to confirm startup as expected

  • CB-26518: The sensor could report an incorrect binary backlog

  • CB-32913: Cbsensor module did not unload if hooks were modified

  • CB-35437: Install script failed if path to it contained a space

  • CB-36081: Upgrade from 6.2.2/6.34 to 7.0.3 failed to start cbdaemon service

  • CB-37285: Sensor limits the number of times it tries to install kernel header package

  • CB-35143: Upgrade on CentOS platform broken by failure to remove old packages

Known Issues

  • CB-39216: Updating from a sensor version less than 7.1.0 to 7.1.0 can result in a system panic if other security software (for example, Tripwire, McAfee, TrendMicro, etc.) is also installed

    Two ways to safely upgrade are to:

    1. Unload all other security software kernel modules which are loaded on top of the cbsensor kmod. Use lsmod(8) to check if other security software kmods are loaded after cbsensor (they display before the cbsensor kmod in the lsmod output).
    2. Stop the cbdaemon sensor service and attempt to unload the cbsensor kernel module by executing rmmod(8) twice. Refer to the instructions in https://community.carbonblack.com/docs/DOC-15629 to unload the module. If the cbsensor kernel module unloads, then it is safe to do an upgrade to 7.1.0. If the cbsensor kernel module fails to unload due to other security software kmods having loaded after it, then follow procedure #1.

  • CB-2825: EDR might be unable to disable cbsensor if hooks are too busy

  • CB-30175: Custom TLS Certificate

    Proxy setting in sensorsettings.ini will not work with a custom TLS certificate.

  • CB-18158: Oracle UEK

    Oracle UEK is not supported. The RHCK kernel must be installed prior to installing cbsensor on Oracle Linux.

  • CB-17033: Installation Directory

    This version of the Linux Sensor Installer does not respect the specification of a non-default installation directory in cb.conf on the server – the default directory is always used.

  • CB-18239, CB-29810: PID Re-use

    PID reuse on the system can cause new processes to not be suppressed when they should be.

  • CB-6623: ICMP Traffic

    ICMP traffic is allowed when a sensor is isolated.

  • CB-37627: Downgrades from 7.x.x-lnx to 6.x.x-lnx

    Downgrades from 7.x.x-lnx to 6.x.x-lnx will require a manual uninstall and reinstall due to extensive architectural changes in the 7.0.0 version.

  • CB-37628: Downgrades from 7.1.0-lnx w/Kernel > 4.x

    Downgrades from 7.1.0-lnx on systems running with kernel version greater than 4.x to any sensor version will need manual cleanup of 7.1.0-lnx packages. [CB-37628]

  • CB-12773: Updating from Sensor v6.1.6 and Earlier

    Updating from sensor version v6.1.6 and earlier can result in a system panic if certain other security software (Tripwire, McAfee) is also installed. v6.1.7 introduced a safety mechanism to prevent this panic. This safety mechanism can result in the sensor refusing to update to prevent a panic.

    An update will occur on the next system reboot. To upgrade without a reboot, review https://community.carbonblack.com/docs/DOC-15629 for alternate instructions and further technical analysis of the issue.

  • CB-37628: Downgrades from 7.1.0-lnx w/Kernel < 4.x

    Downgrades from 7.1.0-lnx on systems running with kernel version less than 4.x to any sensor version require a manual uninstall and reinstall due to extensive architectural changes on the 7.1.0-lnx version.

  • CB-38504: Network Isolation does not work on eBPF sensors

  • CB-31008: Panic in d_path() due to current->fs being NULL

  • CB-38505: On install of the sensor, the Kernel-devel package is required

Contacting Support

VMware Carbon Black EDR server and sensor update releases are covered under the Carbon Black Customer Maintenance Agreement. Technical Support can assist with any issues that might develop. Our Professional Services organization is also available to help ensure a smooth and efficient upgrade or installation.

Use one of the following channels to request support or ask support questions:

  • Web: User Exchange
  • Email: cb-support@vmware.com
  • Phone: 877.248.9098

Reporting Problems

When contacting Carbon Black Technical Support, provide the following required information:

  • Contact: Your name, company name, telephone number, and email address
  • Product version: Product name (VMware Carbon Black EDR server and sensor versions)
  • Hardware configuration: Hardware configuration of the VMware Carbon Black EDR server (processor, memory, and RAM)
  • Document version: For documentation issues, specify the version and/or date of the manual or document you are using
  • Problem: Action causing the problem, the error message returned, and event log output (as appropriate)
  • Problem Severity: Critical, serious, minor, or enhancement request

Note: Before performing an upgrade, Carbon Black recommends you review related content on the User Exchange and the release documentation location, the Carbon Black EDR section of docs.vmware.com.
