VMware Carbon Black EDR Linux Sensor 7.1.2 introduces support for various operating system flavors and fixes critical customer issues.
Supported Operating Systems
RHEL/Oracle 9.0-9.1
RHEL/Oracle/CentOS 7.0-7.9, 8.0-8.7
SUSE 15.0-15.4
SUSE 12 SP5
Ubuntu 18.04, 20.04, 22.04
New Features
RHEL/Oracle 8.7, 9.0. 9.1 support
SUSE 12 SP5 support
Ubuntu 22.04 support
VMware Carbon Black EDR sensors operate with multiple operating systems. For the current list of supported operating systems, see the Linux Sensor OER.
This document provides information for users who are upgrading to VMware Carbon Black EDR Linux Sensor 7.1.2 from previous versions and users who are new to VMware Carbon Black EDR. This document supplements other VMware Carbon Black EDR documentation at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.
Warning: EDR Linux Sensors versions 7.x do not support el6 distros (RHEL/CentOS 6.x). Attempting to upgrade el6 endpoints will result in a failed upgrade and the sensor will be offline.
To install the new sensor:
Set your yum repo appropriately: modify /etc/yum.repos.d/CarbonBlack.repo with the appropriate baseurl, if needed.
Baseurl= https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/
Clear the yum cache.
yum clean all
Download the installer.
Substitute the cb-linux-sensor-installer name for cb-linux-sensor-installer-7.1.2.98050-1.
The <package local download directory> is a directory such as /tmp.
Run the following command to download the installer:
yum install --downloadonly --downloaddir=<package local download directory> <package>
Change your directory to the <package local download directory> from Step 3.
Run the following command to install the package:
rpm -i --force <package>
(current package to use: cb-linux-sensor-installer-7.1.2.98050-1.noarch.rpm)
Run the following command to make the new installation package available in the server console:
/usr/share/cb/cbcheck sensor-builds --update
Note: If your groups have Automatic Update enabled, the sensors in that group will automatically update.
The new sensor versions should now be available via the console. If the following warning occurs:
warning: /tmp/cb-linux-sensor-installer-7.1.2.98050-1.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 6ac57704: NOKEY
refer to this Knowledge Base Article: How to provide public key for Linux sensor package.
For any other issues, see Contacting Support.
CB-39292: Solved high memory usage seen by event collector process
CB-40214: Logs flooded
“DNS name not found” errors in event collector logs. Resolved the errors.
CB-40359: Failure to kill cbdaemon process
Code updated to properly lookup PID of cbdaemon process.
CB-40394: Module load failure on upgrade
Properly closed file handles during upgrade.
CB-40423: Introduced SIGSEGV handler in Sensor to avoid resource leaks
CB-40540: EDR Linux sensor health unhealthy
Updated upgrade script to check command return values properly.
CB-40555: Localhost seen as hostname in server
Changed the method to fetch when DNS is not available.
CB-40613: Preventive checks in code introduced to avoid sensor crash
CB-40617: Opened to Execute seen in server
Ignoring some of the File Read events to avoid false positive events.
CB-37514: Error logged at cbdaemon startup
An error related to cbresponse.modules is logged at cbdaemon startup.
CB-23866: Events from sensor can have an unknown parent
CB-30175: Custom TLS Certificate
Proxy setting in sensorsettings.ini will not work with a custom TLS certificate.
CB-18158: Oracle UEK
Oracle UEK is not supported. The RHCK kernel must be installed prior to installing cbsensor on Oracle Linux.
CB-17033: Installation Directory
This version of the Linux Sensor Installer does not respect the specification of a non-default installation directory in cb.conf on the server – the default directory is always used.
CB-18239, CB-29810: PID Re-use
PID reuse on the system can cause new processes to not be suppressed when they should be.
CB-6623: ICMP Traffic
ICMP traffic is allowed when a sensor is isolated.
CB-37627: Downgrades from 7.x.x-lnx to 6.x.x-lnx
Downgrades from 7.x.x-lnx to 6.x.x-lnx will require a manual uninstall and reinstall due to extensive architectural changes in the 7.0.0 version.
CB-37628: Downgrades from 7.1.0-lnx w/Kernel > 4.x
Downgrades from 7.1.0-lnx on systems running with kernel version greater than 4.x to any sensor version will need manual cleanup of 7.1.0-lnx packages. [CB-37628]
CB-37628: Downgrades from 7.1.0-lnx w/Kernel < 4.x
Downgrades from 7.1.0-lnx on systems running with kernel version less than 4.x to any sensor version require a manual uninstall and reinstall due to extensive architectural changes on the 7.1.0-lnx version.
CB-38504: Network Isolation does not work on eBPF sensors
CB-31008: Panic in d_path() due to current->fs being NULL
VMware Carbon Black EDR server and sensor update releases are covered under the Carbon Black Customer Maintenance Agreement. Technical Support can assist with any issues that might develop. Our Professional Services organization is also available to help ensure a smooth and efficient upgrade or installation.
Use one of the following channels to request support or ask support questions:
Web:User Exchange
Email: [email protected]
Phone: 877.248.9098
Reporting Problems
When contacting Carbon Black Technical Support, provide the following required information:
Contact: Your name, company name, telephone number, and email address
Product version: Product name (VMware Carbon Black EDR server and sensor versions)
Hardware configuration: Hardware configuration of the VMware Carbon Black EDR server (processor, memory, and RAM)
Document version: For documentation issues, specify the version and/or date of the manual or document you are using
Problem: Action causing the problem, the error message returned, and event log output (as appropriate)
Problem Severity: Critical, serious, minor, or enhancement request
Note: Before performing an upgrade, Carbon Black recommends you review related content on the User Exchange and the release documentation location, the Carbon Black EDR section of docs.vmware.com.
