VMware Carbon Black EDR 7.3.0 | 22 MAR 2022 | Build 7.3.0.18311

Check for additions and updates to these release notes.

What's New

VMware Carbon Black EDR Windows Sensor v7.3.0 is intended to provide our new Event Exclusions feature for excluding specified Windows files and paths for more focused data collection and improved sensor performance. It includes rollback support for sensor upgrades to 7.3.0-win+ sensor versions, bug fixes, and other improvements. This sensor release also includes all changes and fixes from previous releases.

This document provides information for users upgrading to Carbon Black EDR Windows Sensor v7.3.0 from previous versions as well as users new to Carbon Black EDR.

  • Event Exclusions

    Event Exclusions - The EDR Windows sensor now supports Event Exclusions. This feature allows users to exclude specific Windows files and paths for more focused data collection and improved sensor performance. See the “Exclusion Settings” section of the VMware Carbon Black EDR User Guide for more information on how to enable the feature.

  • Rollback support for sensor upgrades

    Beginning with 7.3.0-win, the VMware Carbon Black EDR EDR Windows sensor now supports rollback on upgrades when the installation of the new sensor can not be completed successfully. This rollback support applies to upgrades of sensor versions post 7.3.0-win using a minimum sensor version of at least 7.3.0-win.

Server Compatibility

Carbon Black EDR sensors included with server releases are compatible with all server releases going forward. It is always recommended to use the latest server release with our latest sensors to utilize the full feature capabilities of our product; however, using earlier server versions with the latest sensor should not impact core product functionality.

Sensor Operating Systems

Carbon Black EDR sensors interoperate with multiple operating systems. For the most up-to-date list of supported operating systems for Carbon Black EDR sensors, see Sensor Operating Environment Requirements at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.

Documentation

This document supplements other Carbon Black EDR documentation at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.

Installation Instructions

To install the sensors on to your server, run through the following instructions:

  1. Ensure your Carbon Black EDR YUM repo is set appropriately:
    1. The Carbon Black EDR repository file to modify is /etc/yum.repos.d/CarbonBlack.repo
    2. Baseurl = https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/
  2. On the Carbon Black EDR server, clear the YUM cache by running the following command:
    1. yum clean all
  3. After the YUM cache has been cleared, download the sensor install package by running the following command:
    1. Run yum install --downloadonly --downloaddir=<package local download directory> <package>
      1. Note: The <package local download directory> is a directory of your choice
      2. Note:<package> is replaced by cb-sensor-7.3.0.18311-win
  4. Install the new sensor package on the Carbon Black EDR server by running the command:
    1. rpm -i --force <package>
  5. Make the new installation package available in the server console UI by running the command:
    1. /usr/share/cb/cbcheck sensor-builds --update
      1. Note: If your groups have Automatic Update enabled, the sensors in that group will start to automatically update.

Your new sensor versions should now be available via the console. For any issues, please contact VMware Carbon Black Technical Support.

Important Note: It is always encouraged to conduct a reboot of the endpoint after installation (or restart) of our sensor to ensure the sensor properly captures the full historical data of all running processes and associated information.

Resolved Issues

  • CB-37464: Removed self-deletion functionality of the GPO/MSI installer

  • CB-37343: Fixed a bug with the sensor handling hosts files encoded with UTF-8-BOM

  • CB-37282: Fixed a bug with \000 corrupting entries in the AmsiEvent.log file

  • CB-37273: Fixed a bug with sensor misreporting Windows 11 and Windows Server 2022 versions as “Server 2019”

  • CB-37139: Updated osquery version to 5.0.1

  • CB-36829: Sensor.log files are now capped to store the 10 latest files

  • CB-36813: Updated protobuf version to 3.18.0

  • CB-37235: Binaries now linked with /CETCOMPAT opting into Control-flow Enforcement Technology (CET)

    On compatible modern hardware (Intel Tiger Lake CPU), this provides the capability to defend against return-oriented programming (ROP) based malware attacks.

  • CB-36489: Fixed an issue with the cbedrelam.sys driver’s classification of other boot-start drivers

  • CB-36296: Improved sensor’s handling of file operations to minimize stalling

  • CB-36022: Fixed an issue with NetConnEvents.log

    Fixed an issue with NetConnEvents.log updating network isolation packet counters and improved log to indicate blocked network connections as denoted through an “x” next to the Dir value.

  • CB-35097: Updated the sensor to limit binary hash upload requests to 30k logs at a time

  • CB-34972: Improved NetConnEvents.log

    Improved NetConnEvents.log file to list Network Isolation Exceptions that the sensor is allowed to communicate with while in Network Isolation.

  • CB-34952: Updated sensor to report ICMP/PING

  • CB-34752: Updated sensordiag.exe to collect live process dump of cb.exe

    Note - does not apply to sensors in any Tamper level enforcement.

  • CB-34725: Updated sensor to report named pipes for file create events

  • CB-34723: Updated sensor’s Network Isolation behavior to only allow DHCP/DNS to assigned servers

  • CB-34450: Improved sensor reporting of modloads

    Improved sensor reporting of modloads to better handle the loading and writing of a dll file in very close succession by a process or multiple processes.

  • CB-34437: Fixed a bug with the sensor’s ability to get/send files or run commands through a Live Response session

  • CB-34407: Improved FileStore behavior

    Improved FileStore behavior to use the default C:\Windows\CarbonBlack\Store directory if a location is not specified in the registry.

  • CB-34402: Fixed an issue with Tamper Protection of the FileStore

  • CB-34007: Sensor binaries are now compiled with /INTEGRITYCHECK forcing cert checks

  • CB-33637: Improved Strict Certificate Validation behavior of the sensor

    Improved Strict Certificate Validation behavior of the sensor to confirm certificate requirements are in place ahead of enforcement to prevent sensors going offline due to invalid certificate details.

  • CB-33348: Improved sensor’s handling of VPN and general network changes

  • CB-36867: Improved Sensor.log to avoid repetitive log entries pertaining to the same process

Known Issues

  • CB-36112: Sensor upgrades from 7.2.0-win with Tamper Protection enabled may fail

    Sensor upgrades from 7.2.0-win → 7.2.1-win (with Tamper Protection enabled) may fail to fully upgrade the sensor to the 7.2.1-win version. Users should instead upgrade to our 7.2.2-win sensor (directly from 7.2.0-win) or temporarily disable the Tamper Protection enforcement, per the sensor group, ahead of scheduling any sensor upgrades to 7.2.1-win. Tamper Protection can be reapplied after sensor upgrades are successfully completed. If Carbon Black EDR server communication with an endpoint in Tamper Protection enforcement is lost, the endpoint will have to be booted into Safe Mode to locally disable Tamper Protection functionality and restore Carbon Black EDR sensor-server communications.

  • CB-17552: Disabling DNS name resolution for netconn events

    Versions of the sensor prior to 7.1.1 (and 6.1.12 for XP/Server2003) were susceptible to high CPU utilization in the IP Address-to-Hostname resolution functionality of the sensor. This issue has been addressed; however, this registry key will still disable IP address name resolution for customers who want to do so:

    [HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config]

    "DisableNetConnNameResolution"=dword:00000001

    N/A

  • CB-28062: Obfuscated Windows Sensors will not start after first reboot

    Windows sensors installed from an obfuscated sensor group will not start after first reboot. A second reboot will start the sensor service.

  • CB-28063: Carbon Black branding is different between MSI and EXE installers

    Customers using the Add/Remove Program window to manage their Carbon Black EDR Windows sensor installation should be aware that the Carbon Black branding between the MSI and EXE installers is different.

  • EP-11934: VMware Carbon Black App Control Tamper Protection Rapid Config update recommended

    For users running Carbon Black App Control (formerly “CB Protection”) to tamper protect the Carbon Black EDR Windows Sensor (and do not opt-in to CDC) it is recommended to update the tamper rule settings for Carbon Black App Control to the latest “Carbon Black EDR Tamper Protection” Rapid Config to avoid possible conflict with applying Tamper Protection enforcement on both Carbon Black EDR and Carbon Black App Control.

    Note: Enabling Tamper Protection on both Carbon Black App Control and Carbon Black EDR does not provide extra protection and it is recommended to disable Carbon Black App Control enforcement of Tamper Protection after Carbon Black EDR enforcement is confirmed to be in place. When running Carbon Black EDR in “Tamper Detection” mode, “Tamper Protection” through Carbon Black App Control is still recommended. Tamper Protection (for Carbon Black EDR) requires a minimum operating system version of Windows 10 v1703 (Desktop) or Windows Server v1709. In addition,Tamper Protection (for Carbon Black EDR) requires minimum versions of both the Windows 7.2.0 sensor and 7.4.0 EDR Server. Please contact technical support to obtain the latest Rapid Config for Carbon Black App Control if needed.

Contacting Technical Support

Carbon Black EDR server and sensor update releases are covered under the Customer Maintenance Agreement. Technical Support is available to assist with any issues that might develop during the installation or upgrade process. Our Professional Services organization is also available to assist to ensure a smooth and efficient upgrade or installation.

Use one of the following channels to request support or ask support questions:

Reporting Problems

When contacting Carbon Black Technical Support, provide the following required information:

  • Contact: Your name, company name, telephone number, and email address
  • Product version: Product name (Carbon Black EDR server and sensor versions)
  • Hardware configuration: Hardware configuration of the Carbon Black EDR server (processor, memory, and RAM)
  • Document version: For documentation issues, specify the version and/or date of the manual or document you are using
  • Problem: Action causing the problem, the error message returned, and event log output (as appropriate)
  • Problem Severity: Critical, serious, minor, or enhancement request

Note: Before performing an upgrade, Carbon Black recommends you review related content at the Carbon Black EDR section of docs.vmware.com.

check-circle-line exclamation-circle-line close-line
Scroll to top icon