VMware Carbon Black EDR 7.3.0 | 22 MAR 2022 | Build 188.8.131.5211
Check for additions and updates to these release notes.
VMware Carbon Black EDR Windows Sensor v7.3.0 is intended to provide our new Event Exclusions feature for excluding specified Windows files and paths for more focused data collection and improved sensor performance. It includes rollback support for sensor upgrades to 7.3.0-win+ sensor versions, bug fixes, and other improvements. This sensor release also includes all changes and fixes from previous releases.
This document provides information for users upgrading to Carbon Black EDR Windows Sensor v7.3.0 from previous versions as well as users new to Carbon Black EDR.
Event Exclusions - The EDR Windows sensor now supports Event Exclusions. This feature allows users to exclude specific Windows files and paths for more focused data collection and improved sensor performance. See the “Exclusion Settings” section of the VMware Carbon Black EDR User Guide for more information on how to enable the feature.
Rollback support for sensor upgrades
Beginning with 7.3.0-win, the VMware Carbon Black EDR EDR Windows sensor now supports rollback on upgrades when the installation of the new sensor can not be completed successfully. This rollback support applies to upgrades of sensor versions post 7.3.0-win using a minimum sensor version of at least 7.3.0-win.
Carbon Black EDR sensors included with server releases are compatible with all server releases going forward. It is always recommended to use the latest server release with our latest sensors to utilize the full feature capabilities of our product; however, using earlier server versions with the latest sensor should not impact core product functionality.
Carbon Black EDR sensors interoperate with multiple operating systems. For the most up-to-date list of supported operating systems for Carbon Black EDR sensors, see Sensor Operating Environment Requirements at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.
This document supplements other Carbon Black EDR documentation at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.
To install the sensors on to your server, run through the following instructions:
Your new sensor versions should now be available via the console. For any issues, please contact VMware Carbon Black Technical Support.
Important Note: It is always encouraged to conduct a reboot of the endpoint after installation (or restart) of our sensor to ensure the sensor properly captures the full historical data of all running processes and associated information.
CB-37464: Removed self-deletion functionality of the GPO/MSI installer
CB-37343: Fixed a bug with the sensor handling hosts files encoded with UTF-8-BOM
CB-37282: Fixed a bug with \000 corrupting entries in the AmsiEvent.log file
CB-37273: Fixed a bug with sensor misreporting Windows 11 and Windows Server 2022 versions as “Server 2019”
CB-37139: Updated osquery version to 5.0.1
CB-36829: Sensor.log files are now capped to store the 10 latest files
CB-36813: Updated protobuf version to 3.18.0
CB-37235: Binaries now linked with /CETCOMPAT opting into Control-flow Enforcement Technology (CET)
On compatible modern hardware (Intel Tiger Lake CPU), this provides the capability to defend against return-oriented programming (ROP) based malware attacks.
CB-36489: Fixed an issue with the cbedrelam.sys driver’s classification of other boot-start drivers
CB-36296: Improved sensor’s handling of file operations to minimize stalling
CB-36022: Fixed an issue with NetConnEvents.log
Fixed an issue with NetConnEvents.log updating network isolation packet counters and improved log to indicate blocked network connections as denoted through an “x” next to the Dir value.
CB-35097: Updated the sensor to limit binary hash upload requests to 30k logs at a time
CB-34972: Improved NetConnEvents.log
Improved NetConnEvents.log file to list Network Isolation Exceptions that the sensor is allowed to communicate with while in Network Isolation.
CB-34952: Updated sensor to report ICMP/PING
CB-34752: Updated sensordiag.exe to collect live process dump of cb.exe
Note - does not apply to sensors in any Tamper level enforcement.
CB-34725: Updated sensor to report named pipes for file create events
CB-34723: Updated sensor’s Network Isolation behavior to only allow DHCP/DNS to assigned servers
CB-34450: Improved sensor reporting of modloads
Improved sensor reporting of modloads to better handle the loading and writing of a dll file in very close succession by a process or multiple processes.
CB-34437: Fixed a bug with the sensor’s ability to get/send files or run commands through a Live Response session
CB-34407: Improved FileStore behavior
Improved FileStore behavior to use the default C:\Windows\CarbonBlack\Store directory if a location is not specified in the registry.
CB-34402: Fixed an issue with Tamper Protection of the FileStore
CB-34007: Sensor binaries are now compiled with /INTEGRITYCHECK forcing cert checks
CB-33637: Improved Strict Certificate Validation behavior of the sensor
Improved Strict Certificate Validation behavior of the sensor to confirm certificate requirements are in place ahead of enforcement to prevent sensors going offline due to invalid certificate details.
CB-33348: Improved sensor’s handling of VPN and general network changes
CB-36867: Improved Sensor.log to avoid repetitive log entries pertaining to the same process
CB-36112: Sensor upgrades from 7.2.0-win with Tamper Protection enabled may fail
Sensor upgrades from 7.2.0-win → 7.2.1-win (with Tamper Protection enabled) may fail to fully upgrade the sensor to the 7.2.1-win version. Users should instead upgrade to our 7.2.2-win sensor (directly from 7.2.0-win) or temporarily disable the Tamper Protection enforcement, per the sensor group, ahead of scheduling any sensor upgrades to 7.2.1-win. Tamper Protection can be reapplied after sensor upgrades are successfully completed. If Carbon Black EDR server communication with an endpoint in Tamper Protection enforcement is lost, the endpoint will have to be booted into Safe Mode to locally disable Tamper Protection functionality and restore Carbon Black EDR sensor-server communications.
CB-17552: Disabling DNS name resolution for netconn events
Versions of the sensor prior to 7.1.1 (and 6.1.12 for XP/Server2003) were susceptible to high CPU utilization in the IP Address-to-Hostname resolution functionality of the sensor. This issue has been addressed; however, this registry key will still disable IP address name resolution for customers who want to do so:
CB-28062: Obfuscated Windows Sensors will not start after first reboot
Windows sensors installed from an obfuscated sensor group will not start after first reboot. A second reboot will start the sensor service.
CB-28063: Carbon Black branding is different between MSI and EXE installers
Customers using the Add/Remove Program window to manage their Carbon Black EDR Windows sensor installation should be aware that the Carbon Black branding between the MSI and EXE installers is different.
EP-11934: VMware Carbon Black App Control Tamper Protection Rapid Config update recommended
For users running Carbon Black App Control (formerly “CB Protection”) to tamper protect the Carbon Black EDR Windows Sensor (and do not opt-in to CDC) it is recommended to update the tamper rule settings for Carbon Black App Control to the latest “Carbon Black EDR Tamper Protection” Rapid Config to avoid possible conflict with applying Tamper Protection enforcement on both Carbon Black EDR and Carbon Black App Control.
Note: Enabling Tamper Protection on both Carbon Black App Control and Carbon Black EDR does not provide extra protection and it is recommended to disable Carbon Black App Control enforcement of Tamper Protection after Carbon Black EDR enforcement is confirmed to be in place. When running Carbon Black EDR in “Tamper Detection” mode, “Tamper Protection” through Carbon Black App Control is still recommended. Tamper Protection (for Carbon Black EDR) requires a minimum operating system version of Windows 10 v1703 (Desktop) or Windows Server v1709. In addition,Tamper Protection (for Carbon Black EDR) requires minimum versions of both the Windows 7.2.0 sensor and 7.4.0 EDR Server. Please contact technical support to obtain the latest Rapid Config for Carbon Black App Control if needed.
Carbon Black EDR server and sensor update releases are covered under the Customer Maintenance Agreement. Technical Support is available to assist with any issues that might develop during the installation or upgrade process. Our Professional Services organization is also available to assist to ensure a smooth and efficient upgrade or installation.
Use one of the following channels to request support or ask support questions:
When contacting Carbon Black Technical Support, provide the following required information:
Note: Before performing an upgrade, Carbon Black recommends you review related content at the Carbon Black EDR section of docs.vmware.com.