VMware Carbon Black EDR 7.1.1 | 24 AUG 2022 | Build 7.1.1.92158

Check for additions and updates to these release notes.

What's New

VMware Carbon Black EDR Linux Sensor 7.1.1 introduces the following updates:

  • Improved sensor diagnostics details
  • A digital signature for the Carbon Black EDR Linux Sensor binary and installer
  • RHEL/CentOS/Oracle 8.6 support, Ubuntu 20.04.4 support
  • Updated to use OpenSSL 1.1.1n for improved library security
  • Various bug fixes and other small changes

New Features and OS Support

  • RHEL/CentOS/Oracle 8.6 support
  • Ubuntu 20.04.4 support

Supported Operating Systems

  • RHEL/CentOS/Oracle 7.0-7.9, 8.0-8.6
  • SUSE 15.0-15.3
  • Ubuntu 18.04, 20.04

Sensor Operating Systems

VMware Carbon Black EDR sensors operate with multiple operating systems. For the current list of supported operating systems, see the Linux Sensor OER at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/services/cb-edr-oer-linux-sensor/GUID-5AB0EBAE-172F-40D1-82D9-1C54CCFC964B.html.

Documentation

This document provides information for users who are upgrading to VMware Carbon Black EDR Linux Sensor 7.1.1 from previous versions and users who are new to VMware Carbon Black EDR. This document supplements other VMware Carbon Black EDR documentation at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.

Installation Instructions

Warning: EDR Linux Sensors versions 7.x do not support el6 distros (RHEL/CentOS 6.x). Attempting to upgrade el6 endpoints will result in a failed upgrade and the sensor will be offline.

To install the new sensor:

  1. Set your yum repo appropriately: modify /etc/yum.repos.d/CarbonBlack.repo with the appropriate baseurl, if needed.
  2. Clear the yum cache.
    • yum clean all
  3. Download the installer.
    • Substitute the cb-linux-sensor-installer name for cb-linux-sensor-installer-7.1.1.92158-1.
    • The <package local download directory> is a directory such as /tmp.
    • Run the following command to download the installer:

      yum install --downloadonly --downloaddir=<package local download directory> <package>

  4. Change your directory to the <package local download directory> from Step 3.
  5. Run the following command to install the package:
    • rpm -i --force <package>

      (current package to use: cb-linux-sensor-installer-7.1.1.92158-1..noarch.rpm)

  6. Run the following command to make the new installation package available in the server console:
    • /usr/share/cb/cbcheck sensor-builds --update

Note: If your groups have Automatic Update enabled, the sensors in that group will automatically update.

The new sensor versions should now be available via the console. If the following warning occurs:

warning: /tmp/cb-linux-sensor-installer-7.1.1.92158-1..noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 6ac57704: NOKEY

refer to this Knowledge Base Article: How to provide public key for Linux sensor package.

For any other issues, see Contacting Support.

Resolved Issues

  • CB-39216: Updating from a sensor version less than 7.1.0 to 7.1.0 could result in a system panic if other security software (for example, Tripwire, McAfee, TrendMicro, etc.) is also installed

  • CB-38524: Missing MD5 in binary information

    MD5 missing in binary information when the binary had a long path

  • CB-37044: Diagnostic Logs

    Sensordiag result structure mismatch on kmod vs eBPF

  • CB-32193: Long Process Name

    Set path to process name if its length is greater than 4096

  • CB-24841: Sensor Live Response

    CbLiveResponse::_doExec() failed if working directory was not specified

  • CB-32190: Sensor Crash

    cbdaemon segv in libcurl while uploading an eventlog

  • CB-37486: Sensor Information on Server UI

    Sensor Page Shows Incorrect Sensor Commit Charge

  • CB-38065: File Upload

    Delete eventlog/binary files rejected by the backend 

  • CB-38541: Event Collector

    Multiple “filemod” events were seen when long dir structure is being built on kmod

  • CB-38975: Event Logs

    Ended/Exited/RprtExit processes in process_log.log, removed to improve performance

  • CB-38517: Event Logs

    Discard the “Ignore sending binary over 25 MB" messages which can fill up the daemon log file

  • CB-38516: MD5 generation

    Generating MD5 on files larger than 2GB can cause cbdaemon to crash. Instead of computing MD5 locally, sensor copies MD5 information from Event Collector.

  • CB-37984: Sensor Offline

    Sensor going offline due to file descriptor limit reached

  • CB-38411: Networking Pods Crash

    Network hook failure could cause networking pods crash and restart in K8s environment

  • CB-28254: Event Collector Unload

    Unable to unload cbsensor if hooks were too busy

Known Issues

  • CB-23866: Events from sensor can have an unknown parent

  • CB-30175: Custom TLS Certificate

    Proxy setting in sensorsettings.ini will not work with a custom TLS certificate.

  • CB-18158: Oracle UEK

    Oracle UEK is not supported. The RHCK kernel must be installed prior to installing cbsensor on Oracle Linux.

  • CB-17033: Installation Directory

    This version of the Linux Sensor Installer does not respect the specification of a non-default installation directory in cb.conf on the server – the default directory is always used.

  • CB-18239, CB-29810: PID Re-use

    PID reuse on the system can cause new processes to not be suppressed when they should be.

  • CB-6623: ICMP Traffic

    ICMP traffic is allowed when a sensor is isolated.

  • CB-37627: Downgrades from 7.x.x-lnx to 6.x.x-lnx

    Downgrades from 7.x.x-lnx to 6.x.x-lnx will require a manual uninstall and reinstall due to extensive architectural changes in the 7.0.0 version.

  • CB-37628: Downgrades from 7.1.0-lnx w/Kernel > 4.x

    Downgrades from 7.1.0-lnx on systems running with kernel version greater than 4.x to any sensor version will need manual cleanup of 7.1.0-lnx packages. [CB-37628]

  • CB-37628: Downgrades from 7.1.0-lnx w/Kernel < 4.x

    Downgrades from 7.1.0-lnx on systems running with kernel version less than 4.x to any sensor version require a manual uninstall and reinstall due to extensive architectural changes on the 7.1.0-lnx version.

  • CB-38504: Network Isolation does not work on eBPF sensors

  • CB-31008: Panic in d_path() due to current->fs being NULL

Contacting Support

VMware Carbon Black EDR server and sensor update releases are covered under the Carbon Black Customer Maintenance Agreement. Technical Support can assist with any issues that might develop. Our Professional Services organization is also available to help ensure a smooth and efficient upgrade or installation.

Use one of the following channels to request support or ask support questions:

  • Web:User Exchange
  • Email: cb-support@vmware.com
  • Phone: 877.248.9098

Reporting Problems

When contacting Carbon Black Technical Support, provide the following required information:

  • Contact: Your name, company name, telephone number, and email address
  • Product version: Product name (VMware Carbon Black EDR server and sensor versions)
  • Hardware configuration: Hardware configuration of the VMware Carbon Black EDR server (processor, memory, and RAM)
  • Document version: For documentation issues, specify the version and/or date of the manual or document you are using
  • Problem: Action causing the problem, the error message returned, and event log output (as appropriate)
  • Problem Severity: Critical, serious, minor, or enhancement request

Note: Before performing an upgrade, Carbon Black recommends you review related content on the User Exchange and the release documentation location, the Carbon Black EDR section of docs.vmware.com.

check-circle-line exclamation-circle-line close-line
Scroll to top icon