VMware Carbon Black EDR Server 7.6.0 | 11 DEC 2021 | Build 7.6.0.211210
Check for additions and updates to these release notes.
VMware Carbon Black EDR 7.6.0 is a feature release of the VMware Carbon Black EDR (formerly CB Response) server and console. This release delivers visibility into PowerShell-based fileless_scriptload events in the UI and API via integration with Microsoft Antimalware Scan Interface (AMSI), an update to the UI, configuration of VDI via the UI and API, and various small-scale enhancements and bug fixes.
Carbon Black EDR Server 7.6.0 mitigates the Critical vulnerability in Apache Log4J versions prior to 2.15.0 (CVE-2021-44228) by adding the JVM parameter -Dlog4j2.formatMsgNoLookups=true to the Solr process in the EDR backend.
Components Included in this Release
Each release of VMware Carbon Black EDR software is cumulative and includes changes and fixes from all previous releases.
Greater Visibility into PowerShell-based fileless_scriptload Events
VMware Carbon Black EDR 7.6.0 introduces visibility into PowerShell-based fileless_scriptload events in the console and API via an integration with Microsoft Antimalware Scan Interface (AMSI). Collection of fileless_scriptload events was introduced in VMware Carbon Black EDR 7.2.0 as a beta feature that was limited to optional forwarding of fileless_scriptload events to an external storage destination through the Event Forwarder. This release delivers storage of fileless_scriptload events in the product, so you can now search for, analyze, and investigate these events, just as you can with other event types. See the VMware Carbon Black 7.6 User Guide for more information.
Note:
Due to Solr indexing limits (32,766 bytes per text field), an AMSI fileless_scriptload_cmdline value is truncated to Solr's limit when it is stored, if necessary. The fileless_scriptload_cmdline_length field always contains the full length of the PowerShell script, so a fileless_scriptload event may have a fileless_scriptload_cmdline_length value that is greater than the number of characters stored in the fileless_scriptload_cmdline field. Note that fileless_scriptload_cmdline_length refers to characters, not bytes.
PowerShell file script executions also generate fileless_scriptload events. These events originate from the Windows AMSI interface after PowerShell reads the file and starts executing the script. They do not have any reference to a file that they were read from, so the Carbon Black EDR product displays them as fileless.
The Results list on the Process Search page does not yet include a column for fileless_scriptload event counts. We intend to add this in a future release.
Additionally, be aware that collection of fileless_scriptload events remains disabled by default and must be enabled on a per-sensor group basis.
See CB-37645 and CB-37654 in Known Issues for information about bugs related to this feature.
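The truncation behaviour described in the note above, modelled as an added example (not code from the release notes or the product): the stored command line is cut at Solr's 32,766-byte limit while the length field counts characters of the full script, and a small filter picks out search results whose stored script body is incomplete. The cut-without-splitting-a-multibyte-character behaviour is an assumption made here for illustration.

```python
# Added example, not part of the VMware Carbon Black EDR release notes.
# Models how an AMSI fileless_scriptload_cmdline value is stored under Solr's
# 32,766-byte text field limit and why fileless_scriptload_cmdline_length
# (a character count) can exceed the characters actually stored.
SOLR_TEXT_FIELD_LIMIT = 32766  # bytes per text field, as stated in the notes


def store_scriptload(script: str, limit: int = SOLR_TEXT_FIELD_LIMIT) -> dict:
    """Return both fields as a modelled event record.

    The stored command line is cut at `limit` UTF-8 bytes; a partial trailing
    multi-byte character is dropped (assumption) so the stored text stays valid.
    The length field is the character count of the full script, not its bytes.
    """
    data = script.encode("utf-8")
    if len(data) > limit:
        stored = data[:limit].decode("utf-8", errors="ignore")
    else:
        stored = script
    return {
        "fileless_scriptload_cmdline": stored,
        "fileless_scriptload_cmdline_length": len(script),
    }


def is_truncated(event: dict) -> bool:
    """True when fewer characters were stored than the script actually had."""
    stored_chars = len(event["fileless_scriptload_cmdline"])
    return event["fileless_scriptload_cmdline_length"] > stored_chars


def truncated_events(events) -> list:
    """Filter search results to events whose script body is incomplete.

    For these, the stored excerpt is not the whole script: an analyst should
    retrieve the full content from the Event Forwarder destination (if one is
    configured) or from the endpoint rather than reason from the excerpt.
    """
    return [e for e in events if is_truncated(e)]


if __name__ == "__main__":
    # Constructed sample scripts: one small, one oversized, one with multi-byte
    # characters so that bytes and characters differ.
    samples = ["Get-Process", "A" * 40000, "a" + "\u20ac" * 11000]
    for ev in truncated_events([store_scriptload(s) for s in samples]):
        print("truncated: stored %d of %d characters" % (
            len(ev["fileless_scriptload_cmdline"]),
            ev["fileless_scriptload_cmdline_length"]))
```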
User Interface Update
VMware Carbon Black EDR 7.6.0 introduces an update to the user interface (UI) to improve and modernize the visual experience of the product. This update improves the accessibility of the product by adhering to the Web Content Accessibility Guidelines (WCAG) 2.0 AA color contrast ratio criteria and by being mindful of users with halation astigmatism. Also, a scrollbar has been added to the Sensor Groups page for easier navigation when modifying settings.
VDI Enablement & Configuration through the console and API
VMware Carbon Black EDR 7.6.0 introduces the ability to enable, disable, and configure the settings of your Virtual Desktop Infrastructure (VDI) through the UI and API. On-premises EDR customers no longer need to manage VDI endpoints via the cb.conf file, and Hosted EDR customers no longer need to submit a Support case to modify VDI endpoints. See the VMware Carbon Black 7.6 User Guide for more information.
This document supplements other Carbon Black documentation. Supplemental release documentation can be found in the Carbon Black EDR section of docs.vmware.com.
In addition to this document, you should have access to the following key documentation for VMware Carbon Black EDR Server 7.6.0:
This section describes the requirements and key information that is needed before installing a VMware Carbon Black EDR server. All on-premises users, whether upgrading or installing a new server, should review this section before proceeding. See the appropriate section of the VMware Carbon Black EDR 7.6 Server/Cluster Management Guide for specific installation instructions for your situation:
Customers on Server 5.x, please note:
Direct upgrades from Server 5.x to Server 7.x are not supported. See the VMware Carbon Black EDR 7.6 Server/Cluster Management Guide and this VMware Carbon Black User Exchange announcement for more information.
VMware Carbon Black EDR Server software packages are maintained at the Carbon Black yum repository (yum.distro.carbonblack.io). The links will not work until the on-prem General Availability (GA) date.
The following links use variables to make sure you install the correct version of VMware Carbon Black EDR, based on your machine’s operating system version and architecture.
Use caution when pointing to the yum repository. Different versions of the product are available on different branches, as follows:
baseurl=https://yum.distro.carbonblack.io/enterprise/7.6.0-1/$releasever/$basearch
This link is available as long as this specific release is available. It can be used even after later versions have been released, and it can be useful if you want to add servers to your environment while maintaining the same version.
baseurl=https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/
This URL will point to version 7.6.0-1 until a newer release becomes available, at which time it will automatically point to the newer release.
Note:
Communication with this repository is over HTTPS and requires appropriate SSL keys and certificates. During the VMware Carbon Black EDR server install or upgrade process, other core CentOS packages can be installed to meet various dependencies. The standard mode of operation for the yum package manager in CentOS is to first retrieve a list of available mirror servers from http://mirror.centos.org:80, and then select a mirror from which to download the dependency packages. If a VMware Carbon Black EDR server is installed behind a firewall, local network and system administrators must make sure that the host machine can communicate with standard CentOS yum repositories.
Operating system support for the server and sensors is listed here for your convenience. The VMware Carbon Black EDR 7.6 Operating Environment Requirements document describes the full hardware and software platform requirements for the VMware Carbon Black EDR server and provides the current requirements and recommendations for systems that are running the sensor.
Both upgrading and new customers must meet all of the requirements specified here and in the VMware Carbon Black EDR 7.6 Operating Environment Requirements document before proceeding.
Server / Console Operating Systems
For best performance, Carbon Black recommends running the latest supported software versions:
Installation and testing are performed on default install, using the minimal distribution and the distribution’s official package repositories. Customized Linux installations must be individually evaluated.
However, if customers pin dependencies to a specific OS version, the product only supports the following software versions for the Carbon Black EDR Server and Unified View:
Note: Versions 7.3, 7.4, and 8.1 (64-bit) of CentOS/RHEL are not supported if customers are pinning dependencies.
Sensor Operating Systems (for Endpoints and Servers)
For the current list of supported operating systems for VMware Carbon Black EDR sensors, see https://community.carbonblack.com/docs/DOC-7991.
Note: Non-RHEL/CentOS distributions or modified RHEL/CentOS environments (those built on the RHEL platform) are not supported.
VMware Carbon Black EDR 7.6.0 comes with updated sensor versions. Servers and sensors can be upgraded independently, and sensors can be upgraded by sensor groups.
Decide whether you want the new sensor to be deployed immediately to existing sensor installations, or install only the server updates first. Carbon Black recommends a gradual upgrade of sensors to avoid network and server performance impact. We strongly recommend that you review your sensor group upgrade policies before upgrading your server, to avoid inadvertently upgrading all sensors at the same time. For detailed information on Sensor Group Upgrade Policy, see the Sensor Group section of the VMware Carbon Black EDR 7.6 User Guide.
To configure the deployment of new sensors by using the VMware Carbon Black EDR web console, follow the instructions in the VMware Carbon Black EDR 7.6 Sensor Installation Guide.
CB-35675: Export of Process Analysis events did not work properly for an export of a large number of events (> ~50)
If a user clicked the Actions drop-down menu and clicked Export events with ~50 or more events selected, the CSV export contained no data or very limited, incomplete data.
CB-34964: Red dots not displaying properly in Process Analysis events or Process Search
Beginning in Server 7.4.0, in the Process Analysis events list, “Crossproc” events that are marked with the tamper flag should also display a red dot, like other tamper events, but they do not. Also, in Process Search, there should be a red dot in the process’ Hits column for a process that has a tamper flag, but there is not.
CB-36879: Search Threats Reports Page IP Address Search
In Server 7.4.2, 7.5.0, and 7.5.1, on the Search Threat Reports page, searching for a range of IP addresses (Add Criteria > IP address > enter a range of network addresses) was broken. The query attempt would repeat indefinitely, but never successfully complete until the user forced it to stop or closed the browser.
CB-36544: Sensors Page Scroll Bar
In previous versions, on the Sensors page, there was a single scroll bar for the entire page. When the list of Sensor Groups was very long, the user had to scroll down past the Sensors panel in order to view/select a Sensor Group far down on the list, and then the user had to scroll back to the top of the page to select from the “Actions” drop-down, for example. This user experience inefficiency is addressed in Server 7.6.0: the Sensor Groups and Sensors panels are fixed-height and have independent vertical scrollbars (when needed), providing a more pleasant user experience.
CB-35313: Process Analysis page navigation to Process Search Results
In Server 7.5.0 and 7.5.1, when clicking on a link in the header of the Process Analysis page to go to the corresponding Process Search result, the Process Search did not execute automatically upon entering the Process Search page. The user had to click the Search button for the Process Search to execute.
CB-27698: Tamper Alerts with Empty Tamper Type Fields
Any modification, creation, or deletion of files inside C:\Windows\CarbonBlack (the Windows sensor’s working directory) created Tamper Alerts with empty Tamper Type fields on the Triage Alerts page.
CB-37384: Process Analysis Page Failed to Load
In Server 7.5.1 and 7.5.2, the Process Analysis page could fail to load properly or crash when attempting to load certain events from the 7.1.0-lnx Sensor.
CB-37323: Process Preview Modal Failed to Load
In Server 7.5.0, 7.5.1, and 7.5.2, when selecting a Process Search result, the Process Preview modal could fail to load properly, leading to an infinite loading spinner.
CB-37299, CB-37292, CB-37046: Revoked Certificates
Server 7.6.0 contains fixes for multiple bugs related to revoked certificates.
CB-36957: Sensor Upgrades Failed
In Server 7.5.1 and 7.5.2, sensor upgrades could fail following the migration of the sensor from one server to another.
CB-36929: Datagrid
In Server 7.5.1 and 7.5.2, when starting services, datagrid can take an excessive amount of time to start.
CB-36843: Slow API Requests
In Server versions 7.4.2 and greater, API requests to /api/v1/sensor or /api/v2/sensor can be slow for a large quantity of sensors and can potentially time out if no pagination parameters are set. This issue is resolved in Server 7.6.0 via enforcement of a new configuration setting, SensorUnpagedFetchLimit: if the limit of unpaginated results is hit, a 400 error message of “Unpaged request has [N] results, exceeds the limit of [M]. Please consider using paging.” is returned, where N is the sensor count and M is the configured limit.
CB-36467: Watchlists Limitation
In previous versions, there is no limit on the number of Watchlists that can be created per Threat Intelligence Feed nor is there a limit on the overall number of Watchlists allowed per instance. An overly high number of Watchlists can lead to performance issues. Server 7.6.0 introduces configurable limits in cb.conf via the following new configuration options: FeedSyncEnforceQueryLimits, FeedSyncPerFeedQueryLimit, FeedSyncGlobalQueryLimit.
CB-36231: Sorting Sensors by Tamper Protection Level
In Server 7.5.1 and 7.5.2, on the Sensors page, sorting Windows sensors by Tamper Protection Level does not work properly.
CB-36004: NginxSplitOutSensorLogs=True Does not Work Properly
In Server versions 7.5.0, 7.5.1, and 7.5.2, NginxSplitOutSensorLogs=True does not work properly.
CB-35696: IPv4 Addresses Embedded within IPv6 Addresses
In Server versions 7.4.1 and greater, IPv4 addresses embedded within IPv6 addresses are incorrectly treated as IPv4 addresses and are not searchable in the console.
CB-30460: API Token
In alignment with security best practices, a user's API token is only shown on the User Settings page when it is generated. If forgotten, the user’s API token must be regenerated.
CB-36585: Threat Intelligence Feed Sync Error
In previous versions, the syncing of a Threat Intelligence Feed could error out, resulting in an incomplete feed sync in which the update was reflected in the UI but not actually stored in the backend.
CB-37696: Mitigation for the Apache Log4J vulnerability (CVE-2021-44228)
Server 7.6.0 mitigates the critical vulnerability in Apache Log4J (CVE-2021-44228) by adding the JVM parameter -Dlog4j2.formatMsgNoLookups=true to the Apache Solr process in the EDR backend.
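A way to confirm on a Linux server that the Solr JVM actually carries the -Dlog4j2.formatMsgNoLookups=true parameter described above, as an added example (not code from the release notes or the product). It reads each process's /proc/<pid>/cmdline; identifying Solr by an argument that mentions "solr" is an assumption made here, and the check confirms only that the flag is set, not which Log4J version is bundled.

```python
# Added example, not part of the VMware Carbon Black EDR release notes.
# Audits running JVMs for the Log4J mitigation flag the notes describe.
import os

NO_LOOKUPS_KEY = "-Dlog4j2.formatMsgNoLookups="


def has_no_lookups(argv) -> bool:
    """True if the JVM argument list sets log4j2.formatMsgNoLookups=true.

    Later -D settings override earlier ones on the HotSpot command line, so the
    last occurrence wins. Settings delivered via JAVA_TOOL_OPTIONS or the
    LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable are not visible in argv
    and are not detected here.
    """
    value = None
    for arg in argv:
        if arg.startswith(NO_LOOKUPS_KEY):
            value = arg[len(NO_LOOKUPS_KEY):].strip().lower()
    return value == "true"


def looks_like_solr(argv) -> bool:
    """Heuristic (assumption): a java binary whose arguments mention solr."""
    if not argv or not os.path.basename(argv[0]).startswith("java"):
        return False
    return any("solr" in a.lower() for a in argv[1:])


def read_cmdline(pid: str, proc_root: str = "/proc") -> list:
    """Return argv of a process; /proc stores it NUL-separated."""
    with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
        return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]


def audit_solr_jvms(proc_root: str = "/proc") -> dict:
    """Map pid -> True/False (flag present) for every Solr-looking JVM.

    Processes that vanish or are unreadable between listing and reading are
    skipped rather than reported, so a missing pid is not a missing flag.
    """
    findings = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            argv = read_cmdline(pid, proc_root)
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue
        if looks_like_solr(argv):
            findings[pid] = has_no_lookups(argv)
    return findings


if __name__ == "__main__":
    result = audit_solr_jvms()
    if not result:
        print("no Solr JVM found (or /proc not readable)")
    for pid, mitigated in result.items():
        print("pid %s: formatMsgNoLookups %s" % (pid, "set" if mitigated else "MISSING"))
```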
CB-35676: Searching for a range of IP addresses on the Search Threat Reports page is broken
In Server 7.5.0, on the Search Threat Reports page, searching for a range of IP addresses (Add Criteria > IP address > enter a range of network addresses) is broken. The query attempt will repeat indefinitely but never successfully complete until the user forces it to stop or closes the browser.
CB-35668: In the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered to save
In Server 7.5.0, in the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered for the watchlist expiration duration in order to save, even when the first option, “Do not mark watchlists as expired if they have no hits.” is selected. The configuration should successfully save when “Do not mark watchlists as expired if they have no hits.” is selected and the “Notify me when watchlists have not received hits in” value is blank.
CB-35335: A user with “No Access” to a particular sensor group will experience an infinite loading indicator on the Live Query page
In Server 7.5.0, a user with “No Access” to a particular sensor group will experience an infinite loading indicator on the Live Query page when they try to execute a Live Query that includes that sensor group.
CB-35148: Process information not properly returned
In Server 7.5.0, when using the GET /v1/process/{guid}/{segmentid}/preview API, process information is not properly returned.
CB-35147: Submitted child process events of type "2" (other exec) do not properly store the process PID
In Server 7.5.0, when using the GET /v3/{guid}/event API (or GET /v5/{guid}/event), submitted child process events of type "2" (other exec) do not properly store the process PID.
CB-35139: Binary Search searches sometimes return zero results
In Server 7.5.0, Binary Search searches can sometimes return zero results when there are matching results that should be returned.
CB-33586: Red dot does not display
In Server 7.5.0, on the Process Search page, a process that has a Threat Intelligence Feed hit tag in one segment may not display the feed hit icon (a red dot) when “Group by process” is selected.
CB-33355: In some cases, a process Watchlist will produce more hits than alerts
When a Watchlist query is executed using the original terms (e.g. process_name:notepad.exe), both the original segment (with events) and the tagged segment (without events) are returned, and both results appear on the Watchlists page. This makes it appear that there have been two hits when in fact there was only one, so the Watchlist shows two apparent hits but produces only one alert, which is misleading.
CB-33352: cb-enterprise fails to install on RHEL/CentOS 8 with FIPS 140-2 enabled
This issue is due to a change in Red Hat 8 that affected Paramiko (https://bugzilla.redhat.com/show_bug.cgi?id=1778939).
Use RHEL/CentOS 7 if you enable FIPS 140-2.
CB-31136: Live Query fails to take the SensorInactiveFilterDays setting into account
Live Query fails to take the SensorInactiveFilterDays setting into account when determining which sensors to target. The sensor count on the right side of the ‘Current query’ bar shows all targeted sensors, while the quantity of targeted sensors in the ‘Run New Query’ pop-up does account for SensorInactiveFilterDays, and will sometimes show a lower number.
CB-24519: Older files did not get SHA-256 values
After an upgrade of server and sensor, older files did not get SHA-256 values. When an older file is executed, it creates a process event that contains SHA-256. When a user clicks the link, the binary store shows no SHA-256.
CB-20565: Cannot enable or disable Alliance Sharing
When using a custom email server, you cannot enable or disable Alliance Sharing.
Disable the custom email server, make the change, and re-enable the custom email server.
CB-18936: Malformed CSV Export
The CSV export of the user activity audit is malformed in certain cases.
CB-18927: The CSV export of Recently Observed Hosts has no header row.
CB-37654: Query Requires Double Quotation Marks
In Server 7.6.0, on the Process Search page, a process query built with Add search terms > Choose criteria > Fileless > Command line contents > [Insert text] only returns the proper results if the user encloses the query in double quotation marks (" ").
CB-37282: Large Scripts Can be Reported Incorrectly
Large (>64KB) scripts in the Windows Sensor 7.2.0+ can be reported incorrectly, which causes corrupted fileless_scriptload_cmdline data to be sent to the Carbon Black EDR Server. The bug fix is targeted for inclusion in Windows Sensor 7.3.0. As a result, the Process Analysis page can present fileless_scriptload events with corrupted fileless_scriptload_cmdline content. In this case, the corrupted content is replaced with the error message: “<Corrupt command line data found>”.
VMware Carbon Black EDR server and sensor update releases are covered under the Carbon Black Customer Maintenance Agreement. Technical Support can assist with any issues that might develop. Our Professional Services organization is also available to help ensure a smooth and efficient upgrade or installation.
Use one of the following channels to request support or ask support questions:
Reporting Problems
When contacting Carbon Black Technical Support, provide the following required information:
Note: Before performing an upgrade, Carbon Black recommends you review the related content on the User Exchange and the release documentation location, the Carbon Black EDR section of docs.vmware.com.