VMware Carbon Black EDR Windows Sensor 7.4.1 | 11 JULY 2023 | Build 7.4.1.18957 Check for additions and updates to these release notes. |
VMware Carbon Black EDR Windows Sensor 7.4.1 is a Maintenance release that delivers Network Isolation Persistence, the Collection of powershell_ise.exe Fileless Script Load Events, and various bug fixes and general improvements.
This sensor release also includes all changes and fixes from previous releases.
This document provides information for users upgrading to Carbon Black EDR Windows Sensor 7.4.1 from previous versions as well as users who are new to Carbon Black EDR.
Network Isolation Persistence
This release makes network isolation persist across interruptions of sensor-server communication. The intent is that an isolated endpoint remains isolated until it is deliberately released through the Remove Isolation command sent from the Carbon Black EDR Server. In previous versions, an isolated endpoint whose sensor lost its connection to the Carbon Black EDR Server could drop out of isolation and accidentally reconnect to the network and the Internet; this release prevents that.
In the event that the Carbon Black EDR Windows Sensor on an isolated endpoint loses its connection to the Carbon Black EDR Server and therefore cannot receive the Remove Isolation command, the CBEdrCli.exe Carbon Black EDR Windows Sensor tool provides a local way to temporarily disable network isolation until the sensor service next restarts. This capability prevents the endpoint from being stuck in an isolated state indefinitely. Note that this is a local override: because the sensor cannot reach the server, the console is not updated, and isolation is re-applied when the sensor service restarts (see the known limitations below).
See the Isolating an Endpoint section of the VMware Carbon Black EDR User Guide for more information.
Collection of powershell_ise.exe Fileless Script Load Events
This release adds the ability to collect fileless script load events for powershell_ise.exe through the sensor's integration with the Windows Antimalware Scan Interface (AMSI). In previous versions of the Carbon Black EDR Windows Sensor (7.1.0-win and later), only fileless script load events triggered by powershell.exe were supported.
As of this release, when the collection of fileless script load events is enabled within the Event Collection section of Sensor Group Settings, fileless script load events triggered by powershell.exe and powershell_ise.exe are collected.
See the Antimalware Scan Interface section of the VMware Carbon Black EDR User Guide for more information.
Carbon Black EDR sensors included with server releases are compatible with all server releases going forward. It is always recommended to use the latest server release with our latest sensors to utilize the full feature capabilities of our product; however, using earlier server versions with the latest sensor should not impact core product functionality.
Carbon Black EDR sensors interoperate with multiple operating systems. For the most up-to-date list of supported operating systems for Carbon Black EDR sensors, see Sensor Operating Environment Requirements at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.
This document supplements other Carbon Black EDR documentation at https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.
To install the sensor package on your Carbon Black EDR server, follow these steps:
Ensure your Carbon Black EDR YUM repo is set appropriately:
The Carbon Black EDR repository file to modify is /etc/yum.repos.d/CarbonBlack.repo
baseurl=https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/
On the Carbon Black EDR server, clear the YUM cache by running the following command:
yum clean all
After the YUM cache has been cleared, download the sensor install package by running the following command:
yum install --downloadonly --downloaddir=<package local download directory> <package>
Note: <package local download directory> is a directory of your choice.
Note: <package> is replaced by cb-sensor-7.4.1.18957-win
Install the new sensor package on the Carbon Black EDR server by running the following command against the .rpm file downloaded in the previous step:
rpm -i --force <downloaded sensor .rpm file>
Make the new installation package available in the server console UI by running the command:
/usr/share/cb/cbcheck sensor-builds --update
Note: If your groups have Automatic Update enabled, the sensors in that group will start to automatically update.
Your new sensor versions should now be available via the console. For any issues, please contact VMware Carbon Black Technical Support.
Important Note: We always encourage rebooting the endpoint after the sensor is installed (or restarted) so that the sensor properly captures the full historical data of all running processes and associated information.
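The server-side procedure above, as an added example script that is not part of the VMware Carbon Black product or its documentation. It runs the documented steps in order and adds the pre-flight checks a practitioner would want before a forced rpm install: it confirms that the repo file points at the stable enterprise channel and runs rpm -K on the downloaded file before installing it. Assumptions not stated in the release notes: the Carbon Black signing key is already imported into the rpm database (otherwise rpm -K fails and the script stops), -y is passed to yum so the download does not prompt, the downloaded file name starts with the package name, and DRY_RUN=1 prints each command instead of executing it.

```sh
#!/bin/sh
# Added example, not VMware's own tooling: stage a Carbon Black EDR Windows
# sensor package on the EDR server following the release-notes procedure,
# with pre-flight checks before "rpm -i --force".
# Assumptions: the repo file is /etc/yum.repos.d/CarbonBlack.repo, the
# Carbon Black signing key is already imported into the rpm database (so
# "rpm -K" can verify the package), and DRY_RUN=1 prints commands instead
# of running them.
set -eu

REPO_FILE="${REPO_FILE:-/etc/yum.repos.d/CarbonBlack.repo}"
EXPECTED_BASEURL='https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/'
DRY_RUN="${DRY_RUN:-0}"

# sensor_pkg_name VERSION BUILD -> cb-sensor-VERSION.BUILD-win
sensor_pkg_name() {
    printf 'cb-sensor-%s.%s-win\n' "$1" "$2"
}

# repo_baseurl_ok FILE: returns 0 when the first baseurl points at the stable
# enterprise channel. Key case and spaces around "=" are tolerated.
repo_baseurl_ok() {
    _url=$(sed -n 's/^[[:space:]]*[Bb]ase[Uu][Rr][Ll][[:space:]]*=[[:space:]]*//p' "$1" \
           | sed 's/[[:space:]]*$//' | head -n 1)
    [ "$_url" = "$EXPECTED_BASEURL" ]
}

# run CMD...: execute the command, or just print it under DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# stage_sensor VERSION BUILD DOWNLOAD_DIR: the release-notes procedure in
# order, aborting on the first failed step.
stage_sensor() {
    _ver=$1; _build=$2; _dir=$3
    _pkg=$(sensor_pkg_name "$_ver" "$_build")

    repo_baseurl_ok "$REPO_FILE" || {
        echo "baseurl in $REPO_FILE is not the stable enterprise channel" >&2
        return 1
    }
    run mkdir -p "$_dir"
    run yum clean all
    run yum install -y --downloadonly --downloaddir="$_dir" "$_pkg"

    # Assumed: the downloaded file name starts with the package name.
    _rpm=$(ls "$_dir"/cb-sensor-"$_ver"."$_build"-win*.rpm 2>/dev/null | head -n 1)
    if [ -z "$_rpm" ]; then
        [ "$DRY_RUN" = 1 ] || { echo "no downloaded package in $_dir" >&2; return 1; }
        _rpm="$_dir/$_pkg.rpm"   # placeholder path used only for dry runs
    fi
    run rpm -K "$_rpm"               # digest/signature check before the forced install
    run rpm -i --force "$_rpm"
    run /usr/share/cb/cbcheck sensor-builds --update
}

# Usage: DRY_RUN=1 sh stage_sensor.sh run 7.4.1 18957 /var/tmp/cb-sensor
case "${1:-}" in
    run) shift; stage_sensor "$@" ;;
esac
```

Run it once with DRY_RUN=1 to review the exact commands, then without it on the server. Remember that groups with Automatic Update enabled begin upgrading as soon as cbcheck registers the build, so stage the package outside a change-sensitive window.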
CB-42042, EA-22872: Resolved reboot hang issue in CmpLoadHiveThread call stack
Disable Network Isolation sensor tool
The following are the known limitations for the CBEdrCli.exe tool with respect to disabling network isolation:
When sensor-server communication is broken and CBEdrCli.exe is used to disable network isolation, network isolation on the endpoint stays disabled until the next sensor service restart. When sensor-server communication is re-established, the sensor service must be restarted to re-enable network isolation and accept the latest network isolation configuration.
When sensor-server communication is working and CBEdrCli.exe is used to disable network isolation, network isolation on the endpoint is disabled but the server console still shows the endpoint as isolated. Currently, the sensor and server do not synchronize the isolation state in this case. The sensor service must be restarted to re-enable network isolation and accept the latest network isolation configuration.
The CBEdrCli.exe tool is available from Windows build number 15063 onward.
CB-41194: Excluded events from collection
Events are excluded from collection even after the event exclusion setting is disabled from the Carbon Black EDR server console. This issue pertains to the event exclusions feature added in 7.3.0. This issue is observed with Carbon Black EDR server version 7.6.0 and it is not observed from Carbon Black EDR server versions 7.7.0 onwards.
To restore the event exclusion settings on the server console, perform the following steps on the Carbon Black EDR server:
Enable event exclusion by setting EventExclusionsEnabled=True in the server configuration file (/etc/cb/cb.conf). For more information about cb.conf, see the VMware EDR Server Configuration Guide.
Restart the server by executing the command service cb-enterprise restart and wait approximately 10 minutes for the restart to complete.
Open the server console. Login and go to the Sensor Group Settings page. Click the Exclusions tab and remove the entries for which exclusion must be disabled. Click the OK button and save the group settings.
After following these steps, the sensor will honor the updated configuration when it checks in with the server.
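The cb.conf step of the workaround above, as an added example that is not part of the VMware Carbon Black product. Editing a server configuration file by hand on each affected server is where duplicated or commented-out keys creep in, so the script sets a KEY=VALUE idempotently: it rewrites an existing line (including a commented-out one) and appends the key only when it is absent. Assumptions beyond the release notes: cb.conf uses one KEY=VALUE per line, the service name is cb-enterprise as stated above, and the --no-restart argument is a hypothetical switch added here so that the configuration step can be exercised without restarting a server.

```sh
#!/bin/sh
# Added example, not part of VMware's product: set a key in the EDR server
# configuration idempotently, for the EventExclusionsEnabled workaround.
# Assumptions: cb.conf uses one KEY=VALUE per line and the service name is
# cb-enterprise, both as stated in the release notes.
set -eu

# set_conf_key FILE KEY VALUE
# Replaces an existing "KEY=..." line (including a commented-out "#KEY=..."
# line) or appends the key when absent, so repeated runs never duplicate it.
set_conf_key() {
    _file=$1; _key=$2; _value=$3
    if grep -q "^[[:space:]]*#*[[:space:]]*$_key[[:space:]]*=" "$_file"; then
        # Rewrite through a temp file: "sed -i" differs between GNU and BSD sed.
        _tmp=$(mktemp)
        sed "s|^[[:space:]]*#*[[:space:]]*$_key[[:space:]]*=.*|$_key=$_value|" "$_file" > "$_tmp"
        cat "$_tmp" > "$_file"   # write in place to keep the file's owner and mode
        rm -f "$_tmp"
    else
        printf '%s=%s\n' "$_key" "$_value" >> "$_file"
    fi
}

# get_conf_key FILE KEY: prints the effective (uncommented) value, empty if unset
get_conf_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# enable_event_exclusions [CONF_FILE] [--no-restart]
# Applies the workaround: enable event exclusions, then restart the server.
# --no-restart is a hypothetical switch for testing the config step alone.
enable_event_exclusions() {
    set_conf_key "${1:-/etc/cb/cb.conf}" EventExclusionsEnabled True
    [ "${2:-}" = "--no-restart" ] || service cb-enterprise restart
}
```

After the restart, allow the roughly 10 minutes noted above before removing the exclusions in the console; the sensor only honors the change when it next checks in with the server.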
CB-17552: Disabling DNS Name Resolution For NetConn Events
Versions of the sensor prior to 7.1.1 (and 6.1.12 for XP/Server 2003) were susceptible to high CPU utilization in the sensor's IP-address-to-hostname resolution. This issue has been addressed; however, the following registry value still disables name resolution for network connection events if you want it off:
[HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config]
"DisableNetConnNameResolution"=dword:00000001
CB-28062: Obfuscated Windows Sensors will not start after first reboot
Windows sensors installed from an obfuscated sensor group will not start after first reboot. A second reboot will start the sensor service.
CB-28063: Carbon Black branding is different between MSI and EXE installers
Customers using the Add/Remove Program window to manage their Carbon Black EDR Windows sensor installation should be aware that the Carbon Black branding between the MSI and EXE installers is different.
EP-11934: Carbon Black App Control Tamper Protection Rapid Config Update Recommended
If you are running VMware Carbon Black App Control to tamper-protect the Carbon Black EDR Windows Sensor (and do not opt in to CDC), we recommend that you update the tamper rule settings for Carbon Black App Control to the latest Carbon Black EDR Tamper Protection Rapid Config to avoid a possible conflict from enforcing Tamper Protection in both Carbon Black EDR and Carbon Black App Control. Enabling Tamper Protection in both products does not provide extra protection. We recommend that you disable Carbon Black App Control enforcement of Tamper Protection after Carbon Black EDR enforcement is in place. When running Carbon Black EDR in Tamper Detection mode, Tamper Protection through Carbon Black App Control is still recommended. Tamper Protection for Carbon Black EDR requires a minimum operating system version of Windows 10 v1703 (Desktop) or Windows Server v1709, and minimum versions of Windows Sensor 7.2.0 and EDR Server 7.4.0. Contact technical support to obtain the latest Rapid Config for Carbon Black App Control.
Carbon Black EDR server and sensor update releases are covered under the Customer Maintenance Agreement. Technical Support is available to assist with any issues that might develop during the installation or upgrade process. Our Professional Services organization is also available to assist to ensure a smooth and efficient upgrade or installation.
Use one of the following channels to request support or ask support questions:
Web: User Exchange
Email: [email protected]
Phone: 877.248.9098
Reporting Problems
When contacting Carbon Black Technical Support, provide the following required information:
Contact: Your name, company name, telephone number, and email address
Product version: Product name (Carbon Black EDR server and sensor versions)
Hardware configuration: Hardware configuration of the Carbon Black EDR server (processor, memory, and RAM)
Document version: For documentation issues, specify the version and/or date of the manual or document you are using
Problem: Action causing the problem, the error message returned, and event log output (as appropriate)
Problem Severity: Critical, serious, minor, or enhancement request
Note: Before performing an upgrade, Carbon Black recommends you review related content at the Carbon Black EDR section of docs.vmware.com.