VMware Carbon Black EDR 7.3.1 | 12 JUL 2022 | Build 188.8.131.5223
Check for additions and updates to these release notes.
VMware Carbon Black EDR Windows Sensor v7.3.1 is a maintenance release intended to address a deadlock issue with the prior 7.3.0-win sensor. This sensor release also includes all changes and fixes from previous releases.
This document provides information for users upgrading to Carbon Black EDR Windows Sensor v7.3.1 from previous versions as well as users new to Carbon Black EDR.
Carbon Black EDR sensors included with server releases are compatible with all server releases going forward. It is always recommended to use the latest server release with our latest sensors to utilize the full feature capabilities of our product; however, using earlier server versions with the latest sensor should not impact core product functionality.
Carbon Black EDR sensors interoperate with multiple operating systems. For the most up-to-date list of supported operating systems for Carbon Black EDR sensors, see Sensor Operating Environment Requirements at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.
This document supplements other Carbon Black EDR documentation at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.
To install the sensors on to your server, run through the following instructions:
Your new sensor versions should now be available via the console. For any issues, please contact VMware Carbon Black Technical Support.
Important Note: It is always encouraged to conduct a reboot of the endpoint after installation (or restart) of our sensor to ensure the sensor properly captures the full historical data of all running processes and associated information.
CB-39363: Fixed a bug with the sensor causing deadlocks and leaving the system in an inoperable state
CB-39591: Updated internal compression library to zlib 1.2.12; performance and security improvements
CB-36112: Sensor upgrades from 7.2.0-win with Tamper Protection enabled may fail
Sensor upgrades from 7.2.0-win → 7.2.1-win (with Tamper Protection enabled) may fail to fully upgrade the sensor to the 7.2.1-win version. Users should instead upgrade to our 7.2.2-win sensor (directly from 7.2.0-win) or temporarily disable the Tamper Protection enforcement, per the sensor group, ahead of scheduling any sensor upgrades to 7.2.1-win. Tamper Protection can be reapplied after sensor upgrades are successfully completed. If Carbon Black EDR server communication with an endpoint in Tamper Protection enforcement is lost, the endpoint will have to be booted into Safe Mode to locally disable Tamper Protection functionality and restore Carbon Black EDR sensor-server communications.
CB-17552: Disabling DNS name resolution for netconn events
Versions of the sensor prior to 7.1.1 (and 6.1.12 for XP/Server2003) were susceptible to high CPU utilization in the IP Address-to-Hostname resolution functionality of the sensor. This issue has been addressed; however, this registry key will still disable IP address name resolution for customers who want to do so:
CB-28062: Obfuscated Windows Sensors will not start after first reboot
Windows sensors installed from an obfuscated sensor group will not start after first reboot. A second reboot will start the sensor service.
CB-28063: Carbon Black branding is different between MSI and EXE installers
Customers using the Add/Remove Program window to manage their Carbon Black EDR Windows sensor installation should be aware that the Carbon Black branding between the MSI and EXE installers is different.
EP-11934: VMware Carbon Black App Control Tamper Protection Rapid Config update recommended
For users running Carbon Black App Control (formerly “CB Protection”) to tamper protect the Carbon Black EDR Windows Sensor (and do not opt-in to CDC) it is recommended to update the tamper rule settings for Carbon Black App Control to the latest “Carbon Black EDR Tamper Protection” Rapid Config to avoid possible conflict with applying Tamper Protection enforcement on both Carbon Black EDR and Carbon Black App Control.
Note: Enabling Tamper Protection on both Carbon Black App Control and Carbon Black EDR does not provide extra protection and it is recommended to disable Carbon Black App Control enforcement of Tamper Protection after Carbon Black EDR enforcement is confirmed to be in place. When running Carbon Black EDR in “Tamper Detection” mode, “Tamper Protection” through Carbon Black App Control is still recommended. Tamper Protection (for Carbon Black EDR) requires a minimum operating system version of Windows 10 v1703 (Desktop) or Windows Server v1709. In addition,Tamper Protection (for Carbon Black EDR) requires minimum versions of both the Windows 7.2.0 sensor and 7.4.0 EDR Server. Please contact technical support to obtain the latest Rapid Config for Carbon Black App Control if needed.
Carbon Black EDR server and sensor update releases are covered under the Customer Maintenance Agreement. Technical Support is available to assist with any issues that might develop during the installation or upgrade process. Our Professional Services organization is also available to assist to ensure a smooth and efficient upgrade or installation.
Use one of the following channels to request support or ask support questions:
When contacting Carbon Black Technical Support, provide the following required information:
Note: Before performing an upgrade, Carbon Black recommends you review related content at the Carbon Black EDR section of docs.vmware.com.