VMware Carbon Black EDR Server 7.6.1 | 23 DEC 2021 | Build 7.6.1.211222

Check for additions and updates to these release notes.

What's New

VMware Carbon Black EDR 7.6.1 is a maintenance release of the VMware Carbon Black EDR (formerly CB Response) server and console. This release delivers the upgrade of Apache Log4J to 2.17.0, which implements the official mitigations for CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.

See the Third Party Updates section for more details.

  • Components Included in this Release

    Each release of VMware Carbon Black EDR software is cumulative and includes changes and fixes from all previous releases.

Documentation

This document supplements other Carbon Black documentation. Supplemental release documentation can be found in the Carbon Black EDR section of docs.vmware.com.

In addition to this document, you should have access to the following key documentation for VMware Carbon Black EDR Server 7.6.1:

  • VMware Carbon Black EDR 7.6 User Guide: Describes how to use the Carbon Black EDR servers that collect information from endpoint sensors and correlate endpoint data with threat intelligence.
  • VMware Carbon Black EDR 7.6 Server / Cluster Management Guide: Describes installation, configuration, and upgrade of Carbon Black EDR servers.
  • VMware Carbon Black EDR 7.6 Unified View Guide: Describes the installation and use of the VMware Carbon Black EDR Unified View server. Information on server hardware sizing requirements and software platform support is included.

[On-Prem Only] Prepare for Server Installation or Upgrade

This section describes the requirements and key information that is needed before installing a VMware Carbon Black EDR server. All on-premises users, whether upgrading or installing a new server, should review this section before proceeding. See the appropriate section of the VMware Carbon Black EDR 7.6 Server/Cluster Management Guide for specific installation instructions for your situation:

  • To install a new VMware Carbon Black EDR server, see “Installing the VMware Carbon Black EDR Server”.
  • To upgrade an existing VMware Carbon Black EDR server, see “Upgrading the VMware Carbon Black EDR Server”.

Customers on Server 5.x, please note:

Direct upgrades from Server 5.x to Server 7.x are not supported. See the VMware Carbon Black EDR 7.6 Server/Cluster Management Guide and this VMware Carbon Black User Exchange announcement for more information.

Yum URLs

VMware Carbon Black EDR Server software packages are maintained at the Carbon Black yum repository (yum.distro.carbonblack.io). The links will not work until the on-prem General Availability (GA) date.

The following links use variables to make sure you install the correct version of VMware Carbon Black EDR, based on your machine’s operating system version and architecture.

Use caution when pointing to the yum repository. Different versions of the product are available on different branches, as follows:

  • Specific version: The 7.6.1 version is available from the Carbon Black yum repository, that is specified in the following base URL:

baseurl= https://yum.distro.carbonblack.io/enterprise/7.6.1-1/$releasever/$basearch

This link is available as long as this specific release is available. It can be used even after later versions have been released, and it can be useful if you want to add servers to your environment while maintaining the same version.

  • Latest version: The latest supported version of the VMware Carbon Black EDR server is available from the Carbon Black yum repository, that is specified in the following base URL:

baseurl= https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/

This URL will point to version 7.6.1-1 until a newer release becomes available, at which time it will automatically point to the newer release.

Note:

Communication with this repository is over HTTPS and requires appropriate SSL keys and certificates. During the VMware Carbon Black EDR server install or upgrade process, other core CentOS packages can be installed to meet various dependencies. The standard mode of operation for the yum package manager in CentOS is to first retrieve a list of available mirror servers from http://mirror.centos.org:80, and then select a mirror from which to download the dependency packages. If a VMware Carbon Black EDR server is installed behind a firewall, local network and system administrators must make sure that the host machine can communicate with standard CentOS yum repositories.

[On-Prem Only] System Requirements

Operating system support for the server and sensors is listed here for your convenience. The VMware Carbon Black EDR 7.6 Operating Environment Requirements document describes the full hardware and software platform requirements for the VMware Carbon Black EDR server and provides the current requirements and recommendations for systems that are running the sensor.

Both upgrading and new customers must meet all of the requirements specified here and in the VMware Carbon Black EDR 7.6 Operating Environment Requirements document before proceeding.

Server / Console Operating Systems

For best performance, Carbon Black recommends running the latest supported software versions:

  • Red Hat Enterprise Linux (RHEL) / CentOS 6.7 - 6.10 (64-bit)
  • Red Hat Enterprise Linux (RHEL) / CentOS 7.3 - 7.9 (64-bit)
  • Red Hat Enterprise Linux (RHEL) / CentOS 8.1 - 8.4 (64-bit)

Installation and testing are performed on default install, using the minimal distribution and the distribution’s official package repositories. Customized Linux installations must be individually evaluated.

However, if the customers are pinning dependencies to a specific OS version, the product only supports the following software versions for the Carbon Black EDR Server and Unified View:

  • Red Hat Enterprise Linux (RHEL) / CentOS 6.7 - 6.10 (64-bit)
  • Red Hat Enterprise Linux (RHEL) / CentOS 7.5 - 7.9 (64-bit)
  • Red Hat Enterprise Linux (RHEL) / CentOS 8.2 - 8.4 (64-bit)

Note: Versions 7.3, 7.4, and 8.1 (64-bit) of CentOS/RHEL are not supported if customers are pinning dependencies.

Installation and testing are performed on default install, using the minimal distribution and the distribution’s official package repositories. Customized Linux installations must be individually evaluated.

Sensor Operating Systems (for Endpoints and Servers)

For the current list of supported operating systems for VMware Carbon Black EDR sensors, see https://community.carbonblack.com/docs/DOC-7991.

Note: Non-RHEL/CentOS distributions or modified RHEL/CentOS environments (those built on the RHEL platform) are not supported.

Configure Sensor Update Settings Before Upgrading Server

VMware Carbon Black EDR 7.6.1 comes with updated sensor versions. Servers and sensors can be upgraded independently, and sensors can be upgraded by sensor groups.

Decide whether you want the new sensor to be deployed immediately to existing sensor installations, or install only the server updates first. Carbon Black recommends a gradual upgrade of sensors to avoid network and server performance impact. We strongly recommend that you review your sensor group upgrade policies before upgrading your server, to avoid inadvertently upgrading all sensors at the same time. For detailed information on Sensor Group Upgrade Policy, see the Sensor Group section of the VMware Carbon Black EDR 7.6 User Guide.

To configure the deployment of new sensors by using the VMware Carbon Black EDR web console, follow the instructions in the VMware Carbon Black EDR 7.6 Sensor Installation Guide.

Third-Party Software Updates

Apache Log4J: 2.13.0 → 2.17.0

Resolved Issues

Known Issues

  • CB-33355: In some cases, a process Watchlist will produce more hits than alerts

    When a Watchlist query is executed using the original terms (e.g. process_name:notepad.exe), both the original segment (with events) and the tagged segment (without events) are returned, and both results appear on the Watchlists page. This makes it appear that there have been two hits, when in fact, there was only one. The result is two apparent hits, but only one alert, which is deceptive.

  • CB-37654: Query Requires Double Quotation Marks

    In Server 7.6.0, on the Process Search page, a process query built with Add search terms > Choose criteria > Fileless > Command line contents > [Insert text] only returns the proper results if the user encloses the query in double quotation marks (““ ””).

  • CB-33586: Red dot does not display

    In Server 7.5.0, on the Process Search page, a process that has a Threat Intelligence Feed hit tag in one segment may not display the feed hit icon (a red dot) when “Group by process” is selected.

  • CB-35139: Binary Search searches sometimes return zero results

    In Server 7.5.0, Binary Search searches can sometimes return zero results when there are matching results that should be returned.

  • CB-35147: Submitted child process events of type "2" (other exec) do not properly store the process PID

    In Server 7.5.0, when using the GET /v3/{guid}/event API (or GET /v5/{guid}/event), submitted child process events of type "2" (other exec) do not properly store the process PID

  • CB-35148: Process information not properly returned

    In Server 7.5.0, when using the GET/v1/process/{guid}/{segmentid}/preview API, process information is not properly returned.

  • CB-35335: A user with “No Access” to a particular sensor group will experience an infinite loading indicator on the Live Query page

    In Server 7.5.0, a user with “No Access” to a particular sensor group will experience an infinite loading indicator on the Live Query page when they try to execute a Live Query that includes that sensor group.

  • CB-35668: In the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered to save

    In Server 7.5.0, in the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered for the watchlist expiration duration in order to save, even when the first option, “Do not mark watchlists as expired if they have no hits.” is selected. The configuration should successfully save when “Do not mark watchlists as expired if they have no hits.” is selected and the “Notify me when watchlists have not received hits in” value is blank.

  • CB-35676: Searching for a range of IP addresses on the Search Threat Reports page is broken

    In Server 7.5.0, on the Search Threat Reports page, searching for a range of IP addresses (Add Criteria > IP address > enter a range of network addresses) is broken. The query attempt will repeat indefinitely but never successfully complete until the user forces it to stop or closes the browser.

  • CB-33352: cb-enterprise fails to install on RHEL/CentOS 8 with FIPS 140-2 enabled

    This issue is due to a change in Red Hat 8 that affected Paramiko (https://bugzilla.redhat.com/show_bug.cgi?id=1778939).

    Use RHEL/CentOS 7 if you enable FIPS 140-2.

  • CB-31136: Live Query fails to take the SensorInactiveFilterDays setting into account

    Live Query fails to take the SensorInactiveFilterDays setting into account when determining which sensors to target. The sensor count on the right side of the ‘Current query’ bar shows all targeted sensors, while the quantity of targeted sensors in the ‘Run New Query’ pop-up does account for SensorInactiveFilterDays, and will sometimes show a lower number.

  • CB-24519: Older files did not get SHA-256 values

    After an upgrade of server and sensor, older files did not get SHA-256 values. When an older file is executed, it creates a process event that contains SHA-256. When a user clicks the link, the binary store shows no SHA-256.

  • CB-20565: Cannot enable or disable Alliance Sharing

    When using a custom email server, you cannot enable or disable Alliance Sharing.

    Disable the custom email server, make the change, and re-enable the custom email server.

  • CB-18936: Malformed CSV Export

    The CSV export of the user activity audit is malformed in certain cases.

  • CB-18927: The CSV export of Recently Observed Hosts has no header row.

  • CB-37282: Large Scripts Can be Reported Incorrectly

    Large (>64KB) scripts in the Windows Sensor 7.2.0+ can be reported incorrectly, which causes corrupted fileless_scriptload_cmdline data to be sent to the Carbon Black EDR Server. The bug fix is targeted for inclusion in Windows Sensor 7.3.0. As a result, the Process Analysis page can present fileless_scriptload events with corrupted fileless_scriptload_cmdline content. In this case, the corrupted content is replaced with the error message: “<Corrupt command line data found>”.

Contacting Support

VMware Carbon Black EDR server and sensor update releases are covered under the Carbon Black Customer Maintenance Agreement. Technical Support can assist with any issues that might develop. Our Professional Services organization is also available to help ensure a smooth and efficient upgrade or installation.

Use one of the following channels to request support or ask support questions:

Reporting Problems

When contacting Carbon Black Technical Support, provide the following required information:

  • Contact: Your name, company name, telephone number, and email address
  • Product version: Product name (VMware Carbon Black EDR server and sensor versions)
  • Hardware configuration: Hardware configuration of the VMware Carbon Black EDR server (processor, memory, and RAM)
  • Document version: For documentation issues, specify the version and/or date of the manual or document you are using
  • Problem: Action causing the problem, the error message returned, and event log output (as appropriate)
  • Problem Severity: Critical, serious, minor, or enhancement request

Note: Before performing an upgrade, Carbon Black recommends you review the related content on the User Exchange and the release documentation location, the Carbon Black EDR section of docs.vmware.com.

check-circle-line exclamation-circle-line close-line
Scroll to top icon