VMware Carbon Black EDR Server 7.6.0 | 11 DEC 2021 | Build 7.6.0.211210

Check for additions and updates to these release notes.

What's New

VMware Carbon Black EDR 7.6.0 is a feature release of the VMware Carbon Black EDR (formerly CB Response) server and console. This release delivers visibility into PowerShell-based fileless_scriptload events in the UI and API via integration with Microsoft Antimalware Scan Interface (AMSI), an update to the UI, configuration of VDI via the UI and API, and various small-scale enhancements and bug fixes.

Carbon Black EDR Server 7.6.0 mitigates the Critical vulnerability in Apache Log4J versions prior to 2.15.0 (CVE-2021-44228) by the addition of a JVM parameter -Dlog4j2.formatMsgNoLookups=true to the Solr process in EDR backend.

  • Components Included in this Release

    Each release of VMware Carbon Black EDR software is cumulative and includes changes and fixes from all previous releases.

  • Greater Visibility into PowerShell-based fileless_scriptload Events

    VMware Carbon Black EDR 7.6.0 introduces visibility into PowerShell-based fileless_scriptload events in the console and API via an integration with Microsoft Antimalware Scan Interface (AMSI). Collection of fileless_scriptload events was introduced in VMware Carbon Black EDR 7.2.0 as a beta feature that was limited to optional forwarding of fileless_scriptload events to an external storage destination through the Event Forwarder. This release delivers storage of fileless_scriptload events in the product, so you can now search for, analyze, and investigate these events, just as you can with other event types. See the VMware Carbon Black 7.6 User Guide for more information.

    Note:

    Due to Solr indexing limits (32,766 bytes per text field), when an AMSI fileless_scriptload_cmdline event is stored, it will be truncated to Solr's limit if necessary. The fileless_scriptload_cmdline_length field will always contain the value of the full length of the PowerShell script, so a fileless_scriptload event may have a fileless_scriptload_cmdline_length value that is greater than the number of characters stored in the fileless_scriptload_cmdline field. Note that fileless_scriptload_cmdline_length refers to characters, not bytes.

    PowerShell file script executions also generate fileless_scriptload events. These events originate from the Windows AMSI interface after PowerShell reads the file and starts executing the script. They do not have any reference to a file that they were read from, so the Carbon Black EDR product displays them as fileless.

    The Results list on the Process Search page does not yet include a column for fileless_scriptload event counts. We intend to add this in a future release.

    Additionally, be aware that collection of fileless_scriptload events remains disabled by default and must be enabled on a per-sensor group basis.

    See CB-37645 and CB-37654 in Known Issues for information about bugs related to this feature.

  • User Interface Update

    VMware Carbon Black EDR 7.6.0 introduces an update to the user interface (UI) to improve and modernize the visual experience of the product. This update improves the user accessibility of the product by adhering to Web Content Accessibility Guidelines (WCAG) 2.0 AA criteria by color contrast ratio and being mindful of users with halation astigmatism. Also, a scrollbar has been added to the Sensor Groups page for easier navigation when modifying settings.

  • VDI Enablement & Configuration through the console and API

    VMware Carbon Black EDR 7.6.0 introduces the ability to enable, disable, and configure the settings of your Virtual Desktop Infrastructure (VDI) through the UI and API. On-premise EDR customers no longer need to manage VDI endpoints via the cb.conf file, and Hosted EDR customers no longer need to submit a Support case to modify VDI endpoints. See the VMware Carbon Black 7.6 User Guide for more information.

Documentation

This document supplements other Carbon Black documentation. Supplemental release documentation can be found in the Carbon Black EDR section of docs.vmware.com.

In addition to this document, you should have access to the following key documentation for VMware Carbon Black EDR Server 7.6.0:

  • VMware Carbon Black EDR 7.6 User Guide: Describes how to use the Carbon Black EDR servers that collect information from endpoint sensors and correlate endpoint data with threat intelligence.
  • VMware Carbon Black EDR 7.6 Server / Cluster Management Guide: Describes installation, configuration, and upgrade of Carbon Black EDR servers.
  • VMware Carbon Black EDR 7.6 Unified View Guide: Describes the installation and use of the VMware Carbon Black EDR Unified View server. Information on server hardware sizing requirements and software platform support is included.

[On-Prem Only] Prepare for Server Installation or Upgrade

This section describes the requirements and key information that is needed before installing a VMware Carbon Black EDR server. All on-premises users, whether upgrading or installing a new server, should review this section before proceeding. See the appropriate section of the VMware Carbon Black EDR 7.6 Server/Cluster Management Guide for specific installation instructions for your situation:

  • To install a new VMware Carbon Black EDR server, see “Installing the VMware Carbon Black EDR Server”.
  • To upgrade an existing VMware Carbon Black EDR server, see “Upgrading the VMware Carbon Black EDR Server”.

Customers on Server 5.x, please note:

Direct upgrades from Server 5.x to Server 7.x are not supported. See the VMware Carbon Black EDR 7.6 Server/Cluster Management Guide and this VMware Carbon Black User Exchange announcement for more information.

Yum URLs

VMware Carbon Black EDR Server software packages are maintained at the Carbon Black yum repository (yum.distro.carbonblack.io). The links will not work until the on-prem General Availability (GA) date.

The following links use variables to make sure you install the correct version of VMware Carbon Black EDR, based on your machine’s operating system version and architecture.

Use caution when pointing to the yum repository. Different versions of the product are available on different branches, as follows:

  • Specific version: The 7.6.0 version is available from the Carbon Black yum repository, that is specified in the following base URL:

baseurl= https://yum.distro.carbonblack.io/enterprise/7.6.0-1/$releasever/$basearch

This link is available as long as this specific release is available. It can be used even after later versions have been released, and it can be useful if you want to add servers to your environment while maintaining the same version.

  • Latest version: The latest supported version of the VMware Carbon Black EDR server is available from the Carbon Black yum repository, that is specified in the following base URL:

baseurl= https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/

This URL will point to version 7.6.0-1 until a newer release becomes available, at which time it will automatically point to the newer release.

Note:

Communication with this repository is over HTTPS and requires appropriate SSL keys and certificates. During the VMware Carbon Black EDR server install or upgrade process, other core CentOS packages can be installed to meet various dependencies. The standard mode of operation for the yum package manager in CentOS is to first retrieve a list of available mirror servers from http://mirror.centos.org:80, and then select a mirror from which to download the dependency packages. If a VMware Carbon Black EDR server is installed behind a firewall, local network and system administrators must make sure that the host machine can communicate with standard CentOS yum repositories.

[On-Prem Only] System Requirements

Operating system support for the server and sensors is listed here for your convenience. The VMware Carbon Black EDR 7.6 Operating Environment Requirements document describes the full hardware and software platform requirements for the VMware Carbon Black EDR server and provides the current requirements and recommendations for systems that are running the sensor.

Both upgrading and new customers must meet all of the requirements specified here and in the VMware Carbon Black EDR 7.6 Operating Environment Requirements document before proceeding.

Server / Console Operating Systems

For best performance, Carbon Black recommends running the latest supported software versions:

  • CentOS 6.7 - 6.10 (64-bit)
  • CentOS 7.3 - 7.9 (64-bit)
  • CentOS 8.1 - 8.3 (64-bit)
  • Red Hat Enterprise Linux (RHEL) 6.7 - 6.10 (64-bit)
  • Red Hat Enterprise Linux (RHEL) 7.3 - 7.9 (64-bit)
  • Red Hat Enterprise Linux (RHEL) 8.1 - 8.4 (64-bit)

Installation and testing are performed on default install, using the minimal distribution and the distribution’s official package repositories. Customized Linux installations must be individually evaluated.

However, if the customers are pinning dependencies to a specific OS version, the product only supports the following software versions for the Carbon Black EDR Server and Unified View:

  • CentOS 6.7 - 6.10 (64-bit)
  • CentOS 7.5 - 7.9 (64-bit)
  • CentOS 8.2 - 8.3 (64-bit)
  • Red Hat Enterprise Linux (RHEL) 6.7 - 6.10 (64-bit)
  • Red Hat Enterprise Linux (RHEL) 7.5 - 7.9 (64-bit)
  • Red Hat Enterprise Linux (RHEL) 8.2 - 8.4 (64-bit)

Note: Versions 7.3, 7.4, and 8.1 (64-bit) of CentOS/RHEL are not supported if customers are pinning dependencies.

Installation and testing are performed on default install, using the minimal distribution and the distribution’s official package repositories. Customized Linux installations must be individually evaluated.

Sensor Operating Systems (for Endpoints and Servers)

For the current list of supported operating systems for VMware Carbon Black EDR sensors, see https://community.carbonblack.com/docs/DOC-7991.

Note: Non-RHEL/CentOS distributions or modified RHEL/CentOS environments (those built on the RHEL platform) are not supported.

Configure Sensor Update Settings Before Upgrading Server

VMware Carbon Black EDR 7.6.0 comes with updated sensor versions. Servers and sensors can be upgraded independently, and sensors can be upgraded by sensor groups.

Decide whether you want the new sensor to be deployed immediately to existing sensor installations, or install only the server updates first. Carbon Black recommends a gradual upgrade of sensors to avoid network and server performance impact. We strongly recommend that you review your sensor group upgrade policies before upgrading your server, to avoid inadvertently upgrading all sensors at the same time. For detailed information on Sensor Group Upgrade Policy, see the Sensor Group section of the VMware Carbon Black EDR 7.6 User Guide.

To configure the deployment of new sensors by using the VMware Carbon Black EDR web console, follow the instructions in the VMware Carbon Black EDR 7.6 Sensor Installation Guide.

Third-Party Software Updates

  1. Apache Solr: 8.6.3 → 8.9.0
  2. Axios: 0.21.1 → 0.21.4
  3. Erlang: → 23.1.4 (RHEL/CentOS 6), 23.3.4.7 (RHEL/CentOS 7 & 8)
  4. jQuery: 2.1.4 → 3.6.0
  5. PostgreSQL: 10.17 → 13.4
  6. RabbitMQ: 3.7.28 → 3.8.23 (RHEL/CentOS 6), 3.9.8 (RHEL/CentOS 7 & 8)
  7. Redis: 6.0.13 → 6.0.16

Resolved Issues

  • CB-35675: Export of Process Analysis events did not work properly for an export of a large number of events (> ~50)

    If a user clicked the Actions drop-down menu and clicked Export events with ~50 or more events selected, the CSV export contained no data or very limited, incomplete data.

  • CB-34964: Red dots not displaying properly in Process Analysis events or Process Search

    Beginning in Server 7.4.0, in the Process Analysis events list, “Crossproc” events that are marked with the tamper flag should also display a red dot, like other tamper events, but they do not. Also, in Process Search, there should be a red dot in the process’ Hits column for a process that has a tamper flag, but there is not.

  • CB-36879: Search Threats Reports Page IP Address Search

    In Server 7.4.2, 7.5.0, and 7.5.1, on the Search Threat Reports page, searching for a range of IP addresses (Add Criteria > IP address > enter a range of network addresses) was broken. The query attempt would repeat indefinitely, but never successfully complete until the user forced it to stop or closed the browser.

  • CB-36544: Sensors Page Scroll Bar

    In previous versions, on the Sensors page, there was a single scroll bar for the entire page. When the list of Sensor Groups was very long, the user had to scroll down past the Sensors panel in order to view/select a Sensor Group far down on the list, and then the user had to scroll back to the top of the page to select from the “Actions” drop-down, for example. This user experience inefficiency is addressed in Server 7.6.0: the Sensor Groups and Sensors panels are fixed-height and have independent vertical scrollbars (when needed), providing a more pleasant user experience.

  • CB-35313: Process Analysis page navigation to Process Search Results

    In Server 7.5.0 and 7.5.1, when clicking on a link in the header of the Process Analysis page to go to the corresponding Process Search result, the Process Search did not execute automatically upon entering the Process Search page. The user had to click the Search button for the Process Search to execute.

  • CB-27698: Tamper Alerts with Empty Tamper Type Fields

    Any modification, creation or deletion of files inside C:\Windows\CarbonBlack created Tamper Alerts with empty Tamper Type fields on the Triage Alerts page due to file modifications inside the Windows sensor’s working directory.

  • CB-37384: Process Analysis Page Failed to Load

    In Server 7.5.1 and 7.5.2, the Process Analysis page could fail to load properly or crash when attempting to load certain events from the 7.1.0-lnx Sensor.

  • CB-37323: Process Preview Modal Failed to Load

    In Server 7.5.0, 7.5.1, and 7.5.2, when selecting a Process Search result, the Process Preview modal could fail to load properly, leading to an infinite loading spinner.

  • CB-37299, CB-37292, CB-37046: Revoked Certificates

    Server 7.6.0 contains fixes for multiple bugs related to revoked certificates.

  • CB-36957: Sensor Upgrades Failed

    In Server 7.5.1 and 7.5.2, sensor upgrades could fail following the migration of the sensor from one server to another.

  • CB-36929: Datagrid

    In Server 7.5.1 and 7.5.2, when starting services, datagrid can take an excessive amount of time to start.

  • CB-36843: Slow API Requests

    In Server versions 7.4.2 and greater, API requests to /api/v1/sensor or /api/v2/sensor can be slow for a large quantity of sensors and potentially timeout if no pagination parameters are set. This issue is resolved in Server 7.6.0 via enforcement of a new configuration setting, SensorUnpagedFetchLimit: if the limit of unpaginated results is hit, a 400 error message of “Unpaged request has [N] results, exceeds the limit of [M]. Please consider using paging.” will be returned, where N is the sensor count and M is the configured limit.

  • CB-36467: Watchlists Limitation

    In previous versions, there is no limit on the number of Watchlists that can be created per Threat Intelligence Feed nor is there a limit on the overall number of Watchlists allowed per instance. An overly high number of Watchlists can lead to performance issues. Server 7.6.0 introduces configurable limits in cb.conf via the following new configuration options: FeedSyncEnforceQueryLimits, FeedSyncPerFeedQueryLimit, FeedSyncGlobalQueryLimit.

  • CB-36231: Sorting Sensors by Tamper Protection Level

    In Server 7.5.1 and 7.5.2, on the Sensors page, sorting Windows sensors by Tamper Protection Level does not work properly.

  • CB-36004: NginxSplitOutSensorLogs=True Does not Work Properly

    In Server versions 7.5.0, 7.5.1, and 7.5.2, NginxSplitOutSensorLogs=True does not work properly.

  • CB-35696: IPv4 Addresses Embedded within IPv6 Addresses

    In Server versions 7.4.1 and greater, IPv4 addresses embedded within IPv6 addresses are incorrectly treated as IPv4 addresses and are not searchable in the console.

  • CB-30460: API Token

    In alignment with security best practices, a user's API token is only shown on the User Settings page when it is generated. If forgotten, the user’s API token must be regenerated.

  • CB-36585: Threat Intelligence Feed Sync Error

    In previous versions, the syncing of a Threat Intelligence Feed could error out, resulting in an incomplete feed sync in which the update was reflected in the UI but not actually stored in the backend.

  • CB-37696: Mitigation for the Apache Log4J vulnerability (CVE-2021-44228)

    Server 7.6.0 mitigates the critical vulnerability in Apache Log4J (CVE-2021-44228) via the addition of the JVM parameter -Dlog4j2.formatMsgNoLookups=true to the Apache Solr process in EDR backend.

Known Issues

  • CB-35676: Searching for a range of IP addresses on the Search Threat Reports page is broken

    In Server 7.5.0, on the Search Threat Reports page, searching for a range of IP addresses (Add Criteria > IP address > enter a range of network addresses) is broken. The query attempt will repeat indefinitely but never successfully complete until the user forces it to stop or closes the browser.

  • CB-35668: In the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered to save

    In Server 7.5.0, in the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered for the watchlist expiration duration in order to save, even when the first option, “Do not mark watchlists as expired if they have no hits.” is selected. The configuration should successfully save when “Do not mark watchlists as expired if they have no hits.” is selected and the “Notify me when watchlists have not received hits in” value is blank.

  • CB-35335: A user with “No Access” to a particular sensor group will experience an infinite loading indicator on the Live Query page

    In Server 7.5.0, a user with “No Access” to a particular sensor group will experience an infinite loading indicator on the Live Query page when they try to execute a Live Query that includes that sensor group.

  • CB-35148: Process information not properly returned

    In Server 7.5.0, when using the GET/v1/process/{guid}/{segmentid}/preview API, process information is not properly returned.

  • CB-35147: Submitted child process events of type "2" (other exec) do not properly store the process PID

    In Server 7.5.0, when using the GET /v3/{guid}/event API (or GET /v5/{guid}/event), submitted child process events of type "2" (other exec) do not properly store the process PID

  • CB-35139: Binary Search searches sometimes return zero results

    In Server 7.5.0, Binary Search searches can sometimes return zero results when there are matching results that should be returned.

  • CB-33586: Red dot does not display

    In Server 7.5.0, on the Process Search page, a process that has a Threat Intelligence Feed hit tag in one segment may not display the feed hit icon (a red dot) when “Group by process” is selected.

  • CB-33355: In some cases, a process Watchlist will produce more hits than alerts

    When a Watchlist query is executed using the original terms (e.g. process_name:notepad.exe), both the original segment (with events) and the tagged segment (without events) are returned, and both results appear on the Watchlists page. This makes it appear that there have been two hits, when in fact, there was only one. The result is two apparent hits, but only one alert, which is deceptive.

  • CB-33352: cb-enterprise fails to install on RHEL/CentOS 8 with FIPS 140-2 enabled

    This issue is due to a change in Red Hat 8 that affected Paramiko (https://bugzilla.redhat.com/show_bug.cgi?id=1778939).

    Use RHEL/CentOS 7 if you enable FIPS 140-2.

  • CB-31136: Live Query fails to take the SensorInactiveFilterDays setting into account

    Live Query fails to take the SensorInactiveFilterDays setting into account when determining which sensors to target. The sensor count on the right side of the ‘Current query’ bar shows all targeted sensors, while the quantity of targeted sensors in the ‘Run New Query’ pop-up does account for SensorInactiveFilterDays, and will sometimes show a lower number.

  • CB-24519: Older files did not get SHA-256 values

    After an upgrade of server and sensor, older files did not get SHA-256 values. When an older file is executed, it creates a process event that contains SHA-256. When a user clicks the link, the binary store shows no SHA-256.

  • CB-20565: Cannot enable or disable Alliance Sharing

    When using a custom email server, you cannot enable or disable Alliance Sharing.

    Disable the custom email server, make the change, and re-enable the custom email server.

  • CB-18936: Malformed CSV Export

    The CSV export of the user activity audit is malformed in certain cases.

  • CB-18927: The CSV export of Recently Observed Hosts has no header row.

  • CB-37654: Query Requires Double Quotation Marks

    In Server 7.6.0, on the Process Search page, a process query built with Add search terms > Choose criteria > Fileless > Command line contents > [Insert text] only returns the proper results if the user encloses the query in double quotation marks (““ ””).

  • CB-37282: Large Scripts Can be Reported Incorrectly

    Large (>64KB) scripts in the Windows Sensor 7.2.0+ can be reported incorrectly, which causes corrupted fileless_scriptload_cmdline data to be sent to the Carbon Black EDR Server. The bug fix is targeted for inclusion in Windows Sensor 7.3.0. As a result, the Process Analysis page can present fileless_scriptload events with corrupted fileless_scriptload_cmdline content. In this case, the corrupted content is replaced with the error message: “<Corrupt command line data found>”.

Contacting Support

VMware Carbon Black EDR server and sensor update releases are covered under the Carbon Black Customer Maintenance Agreement. Technical Support can assist with any issues that might develop. Our Professional Services organization is also available to help ensure a smooth and efficient upgrade or installation.

Use one of the following channels to request support or ask support questions:

  • Web: User Exchange
  • Email: cb-support@vmware.com
  • Phone: 877.248.9098

Reporting Problems

When contacting Carbon Black Technical Support, provide the following required information:

  • Contact: Your name, company name, telephone number, and email address
  • Product version: Product name (VMware Carbon Black EDR server and sensor versions)
  • Hardware configuration: Hardware configuration of the VMware Carbon Black EDR server (processor, memory, and RAM)
  • Document version: For documentation issues, specify the version and/or date of the manual or document you are using
  • Problem: Action causing the problem, the error message returned, and event log output (as appropriate)
  • Problem Severity: Critical, serious, minor, or enhancement request

Note: Before performing an upgrade, Carbon Black recommends you review the related content on the User Exchange and the release documentation location, the Carbon Black EDR section of docs.vmware.com.

check-circle-line exclamation-circle-line close-line
Scroll to top icon