VMware Carbon Black EDR 7.4.0 | 21 FEB 2023 | Build 7.4.0.18931

Check for additions and updates to these release notes.

IMPORTANT ADDITION 26 APRIL 2023

Due to changes made to support IPv6 network addresses, this sensor version will modify the /etc/hosts file on your endpoint. When the /etc/hosts file is modified, a backup of the original version is taken and stored in the sensor directory.

What's New

VMware Carbon Black EDR Windows Sensor 7.4.0 is a Minor release that delivers support of IPv6 communication with Carbon Black EDR Server and various bug fixes and general improvements.

However, please note that corresponding backend IPv6 Support is necessary for communication between Carbon Black EDR Server and the Carbon Black EDR Windows Sensor on an endpoint with an IPv6 address. Backend IPv6 Support is not available as of the publishing date of these release notes; backend IPv6 Support will be released in a future version of Carbon Black EDR Server.

This sensor release also includes all changes and fixes from previous releases.

This document provides information for users upgrading to Carbon Black EDR Windows Sensor v7.4.0 from previous versions as well as users new to Carbon Black EDR.

  • IPv6 Support

    This release delivers the ability to run the Carbon Black EDR Windows Sensor on an endpoint that has an IPv6 address.

    Note:

    This release delivers IPv6 Support; however, complementary backend changes are required to run the Carbon Black EDR Windows Sensor on an endpoint that has an IPv6 address and connect it with VMware Carbon Black EDR Server. Backend support of IPv6 communication is planned for an upcoming release of Carbon Black EDR Server. When backend support of IPv6 becomes available, you can run the Carbon Black EDR Windows Sensor on an IPv4 or IPv6 endpoint and connect it with a Carbon Black EDR Server using IPv4 or IPv6.

Server Compatibility

Carbon Black EDR sensors included with server releases are compatible with all server releases going forward. It is always recommended to use the latest server release with our latest sensors to utilize the full feature capabilities of our product; however, using earlier server versions with the latest sensor should not impact core product functionality.

Sensor Operating Systems

Carbon Black EDR sensors interoperate with multiple operating systems. For the most up-to-date list of supported operating systems for Carbon Black EDR sensors, see Sensor Operating Environment Requirements at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.

Documentation

This document supplements other Carbon Black EDR documentation at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.

Installation Instructions

To install the sensors onto your server, follow these steps:

  1. Ensure your Carbon Black EDR YUM repo is set appropriately:

    1. The Carbon Black EDR repository file to modify is /etc/yum.repos.d/CarbonBlack.repo

    2. Baseurl = https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/

  2. On the Carbon Black EDR server, clear the YUM cache by running the following command:

    1. yum clean all

  3. After the YUM cache has been cleared, download the sensor install package by running the following command:

    1. Run yum install --downloadonly --downloaddir=<package local download directory> <package>

      1. Note: The <package local download directory> is a directory of your choice

      2. Note: <package> is replaced by cb-sensor-7.4.0.18931-win

  4. Install the new sensor package on the Carbon Black EDR server by running the command:

    1. rpm -i --force <package>

  5. Make the new installation package available in the server console UI by running the command:

    1. /usr/share/cb/cbcheck sensor-builds --update

      1. Note: If your groups have Automatic Update enabled, the sensors in that group will start to automatically update.

Your new sensor versions should now be available via the console. For any issues, please contact VMware Carbon Black Technical Support.

Important Note: It is always encouraged to conduct a reboot of the endpoint after installation (or restart) of our sensor to ensure the sensor properly captures the full historical data of all running processes and associated information.
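
The server-side installation steps above, wrapped in a preflight check, as an added example (not VMware's own script). The download directory default and the assumption that the downloaded file name begins with the package name are illustrative, and the rpm -K verification is an extra step that is not part of the documented procedure.

```shell
#!/bin/sh
# Added example: preflight check plus the documented install steps for the sensor package.
EXPECTED_BASEURL='https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/'
PACKAGE='cb-sensor-7.4.0.18931-win'

# Print every active baseurl value in a yum .repo file (commented lines are skipped).
# Accepts "baseurl" and the "Baseurl" spelling used in the steps above.
repo_baseurls() {
    sed -n 's/^[[:space:]]*[Bb]aseurl[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null |
        sed 's/[[:space:]]*$//'
}

# Succeed only when the file defines exactly one baseurl and it is the documented
# HTTPS URL; a plain-HTTP mirror, a second entry, or a missing key all fail.
repo_baseurl_ok() {
    [ "$(repo_baseurls "$1")" = "$EXPECTED_BASEURL" ]
}

# Steps 1-5. Runs in a subshell so "exit" only leaves the function.
# $1 = repo file, $2 = download directory (both defaults are assumptions).
install_sensor_package() (
    repo_file=${1:-/etc/yum.repos.d/CarbonBlack.repo}
    dl_dir=${2:-/tmp/cb-sensor-download}
    repo_baseurl_ok "$repo_file" || { echo "unexpected baseurl in $repo_file" >&2; exit 1; }
    yum clean all || exit 1
    mkdir -p "$dl_dir" || exit 1
    yum install --downloadonly --downloaddir="$dl_dir" "$PACKAGE" || exit 1
    # Assumption: the downloaded file name begins with the package name.
    rpm_file=$(find "$dl_dir" -maxdepth 1 -name "${PACKAGE}*.rpm" | head -n 1)
    [ -n "$rpm_file" ] || { echo "no rpm found in $dl_dir" >&2; exit 1; }
    # Extra step not in the original procedure: verify digests/signature first.
    rpm -K "$rpm_file" || exit 1
    rpm -i --force "$rpm_file" || exit 1
    # Groups with Automatic Update enabled start updating after this command.
    /usr/share/cb/cbcheck sensor-builds --update
)

# Nothing is installed unless the script is called with --install.
case "${1:-}" in
    --install) install_sensor_package ;;
esac
```

rpm -K can only validate the package signature if the signing key is already present in the server's rpm keyring.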

Resolved Issues

  • CB-38035: Server certificate

    Fixed a bug in which changing the server certificate while the sensor was not running disrupted the communication between sensor and server.

  • CB-40029: Reported uptime of the Windows sensor

    Fixed a bug in which the reported uptime of the Windows sensor could be an impossibly large value.

  • CB-35295: Optimized system host file writing logic to avoid duplicate file updates

  • CB-35351: Network connection reporting driver

    Fixed a bug in the network connection reporting driver that could cause a BSOD.

  • CB-40583: Last write and deleted events

    Fixed a bug in which the sensor was sending last write and deleted events even after collection of non-binary file writes was set to disabled.

  • CB-40387: Network connection reporting

    Fixed a bug in which network connection reporting was not occurring for TCP connections that had no data exchange.

  • CB-40321: Sensor file hashing logic

    Optimized sensor file hashing logic to avoid hash calculation when files are just selected in Windows Explorer.

  • CB-40310: Tamper Detection improvements

Known Issues

  • CB-42042, EA-22872: Windows Sensor 7.4.0 running on Windows Server 2016 or Windows Server 2012 R2 can cause the Windows reboot cycle to hang

  • CB-17552: Disabling DNS Name Resolution For NetConn Events

    Versions of the sensor prior to 7.1.1 (and 6.1.12 for XP/Server 2003) were susceptible to high CPU utilization in the IP Address-to-Hostname resolution functionality of the sensor. This issue has been addressed; however, the following registry key can still be used to disable IP address name resolution if desired.

    [HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config]

    "DisableNetConnNameResolution"=dword:00000001

  • CB-41194: Excluded events from collection

    Events continue to be excluded from collection even after the event exclusion setting is disabled in the Carbon Black EDR server UI. This issue pertains to the event exclusions feature added in 7.3.0. It is observed with Carbon Black EDR server version 7.6.0 and is not observed from Carbon Black EDR server version 7.7.0 onwards.

    To restore the event exclusion settings on the server console, perform the following steps on the Carbon Black EDR server:

    1. Enable event exclusion by setting EventExclusionsEnabled=True in the server configuration file (/etc/cb/cb.conf). For more information about cb.conf, see the VMware EDR Server Configuration Guide.

    2. Restart the server by executing the command service cb-enterprise restart and wait approximately 10 minutes to allow for the completion of the server restart.

    3. Open the server console. Log in and go to the Sensor Group Settings page. Click the Exclusions tab and remove the entries for which exclusion must be disabled. Click the OK button and save the group settings.

    After following these steps, when the sensor checks in with the server, it will honor the updated configuration.

  • CB-28062: Obfuscated Windows Sensors will not start after first reboot

    Windows sensors installed from an obfuscated sensor group will not start after first reboot. A second reboot will start the sensor service.

  • CB-28063: Carbon Black branding is different between MSI and EXE installers

    Customers using the Add/Remove Program window to manage their Carbon Black EDR Windows sensor installation should be aware that the Carbon Black branding between the MSI and EXE installers is different.

  • EP-11934: VMware Carbon Black App Control Tamper Protection Rapid Config update recommended

    For users who run Carbon Black App Control (formerly “CB Protection”) to tamper protect the Carbon Black EDR Windows Sensor (and who do not opt in to CDC), it is recommended to update the tamper rule settings for Carbon Black App Control to the latest “Carbon Black EDR Tamper Protection” Rapid Config to avoid possible conflict with applying Tamper Protection enforcement on both Carbon Black EDR and Carbon Black App Control.

    Note: Enabling Tamper Protection on both Carbon Black App Control and Carbon Black EDR does not provide extra protection, and it is recommended to disable Carbon Black App Control enforcement of Tamper Protection after Carbon Black EDR enforcement is confirmed to be in place. When running Carbon Black EDR in “Tamper Detection” mode, “Tamper Protection” through Carbon Black App Control is still recommended. Tamper Protection (for Carbon Black EDR) requires a minimum operating system version of Windows 10 v1703 (Desktop) or Windows Server v1709. In addition, Tamper Protection (for Carbon Black EDR) requires minimum versions of both the Windows 7.2.0 sensor and 7.4.0 EDR Server. Please contact technical support to obtain the latest Rapid Config for Carbon Black App Control if needed.

Contacting Technical Support

Carbon Black EDR server and sensor update releases are covered under the Customer Maintenance Agreement. Technical Support is available to assist with any issues that might develop during the installation or upgrade process. Our Professional Services organization is also available to help ensure a smooth and efficient upgrade or installation.

Use one of the following channels to request support or ask support questions:

Reporting Problems

When contacting Carbon Black Technical Support, provide the following required information:

  • Contact: Your name, company name, telephone number, and email address

  • Product version: Product name (Carbon Black EDR server and sensor versions)

  • Hardware configuration: Hardware configuration of the Carbon Black EDR server (processor, memory, and RAM)

  • Document version: For documentation issues, specify the version and/or date of the manual or document you are using

  • Problem: Action causing the problem, the error message returned, and event log output (as appropriate)

  • Problem Severity: Critical, serious, minor, or enhancement request

Note: Before performing an upgrade, Carbon Black recommends you review related content at the Carbon Black EDR section of docs.vmware.com.
