What's New

• Components Included in this Release

  • Server version 7.6.2.220314
  • Windows Sensor version 7.2.2.17680: Release Notes
  • macOS Sensor version 7.2.1.16597: Release Notes
  • Linux Sensor version 7.1.0.98326: Release Notes

  Each release of VMware Carbon Black EDR software is cumulative and includes changes and fixes from all previous releases.

Documentation

[On-Prem Only] Prepare for Server Installation or Upgrade

Yum URLs

[On-Prem Only] System Requirements

Configure Sensor Update Settings Before Upgrading Server

Third-Party Software Updates

Resolved Issues

• CB-38345: In Server 7.6.0 and 7.6.1, some Threat Intelligence Feeds failed to render properly.

• CB-38090: The Carbon Black EDR Sensor was unable to check-in and/or register under certain rare conditions

• CB-38081: Process Search

  A Process Search that contained an empty space due to the copying of a carriage return character or other non-printable unicode character would return zero results.

• CB-38080: In Server 7.6.0 and 7.6.1, DatastoreEnableSensorPriority would crash if the sensor backlog exceeded 2GB

• CB-37866: Hosted EDR customers with clustered EDR Server nodes

  In Server 7.6.0 and 7.6.1, the /api/approvedlist/apply call to apply an approvedlisted value to a minion did not work for Hosted EDR customers with clustered EDR Server nodes.

• CB-37846: Process Analysis Page

  In Server 7.6.0 and 7.6.1, on the Process Analysis page, the count presented as “_ computer(s) have seen this in _ processes:” would always display, “0 computer(s) have seen this in 0 processes:”, even when, in fact, the count is greater than 0.

• CB-37811: In previous versions, the upgrade of EDR Server could lead to the creation of duplicate Solr writer cores

• CB-37809: CSV export of a Sensors list

  In Server 7.6.0 and 7.6.1, the CSV export of a Sensors list did not work properly if there were >1,000 sensors selected. In this case, a JSON file was downloaded instead and an error was indicated.

• CB-37715: In Server 7.6.0 and 7.6.1, datagrid could time-out during startup, causing startup to fail

• CB-37654: In Server 7.6.0 and 7.6.1, the error message presented as a result of an invalid process query could be inaccurate

• CB-37584: Add-node command failed due to a missing redis certificate

  If a cluster of EDR Server nodes was installed prior to Server 7.5.1 and then the customer upgrades to Server 7.5.1 or 7.5.2, the add-node command fails due to a missing redis certificate. New 7.5.1 or 7.5.2 server clusters would not encounter this issue because cbinit creates the redis certificate.

• CB-37555: In Server 7.5.0 - 7.6.1, on the Process Analysis page, the MD5 hash for a filemod action that modifies a file signature does not appear in the console

• CB-37475: In Server 7.5.0 - 7.6.1, on the Process Analysis page, filemod “Last wrote to” events do not appear in the console when they should

• CB-37416: invalid and empty Indicator of Compromise (IOC) queries could be added as a Threat Intelligence Feed Report IOC query

  Invalid and empty Indicator of Compromise (IOC) queries could be added as a Threat Intelligence Feed Report IOC query, which could result in data ingestion issues. This issue is resolved in Server 7.6.2: IOC queries must contain appropriately structured values, and if not, an attempt to add an improperly structured IOC query will result in an error.

• CB-37338: Negation of multiple terms that appear in both cbevents and cbmodules cores returned invalid data

• CB-37204: Some sensor facet queries produced results that could not be converted to JSON

• CB-37185: Cbcluster add-node command did not support offline cached installations of EDR

  The cbcluster add-node command did not support offline cached installations of EDR. Add-node assumes EDR pulls cb-enterprise and rsync from their repositories, not from cached files on the system. Server 7.6.2 supports offline, cached installations of the product.

• CB-37148: Sensor upgrades could fail following a server migration

• CB-36821: Specifying an IP address in a Process Search query

  In Server 7.6.0 and 7.6.1, when specifying an IP address in a Process Search query, where one of the quads contains non-octal values but has a leading 0 (i.e. "ipaddr:127.33.44.0209"), the resulting call returns a 500 error response. In Server 7.6.2 - a leading 0 in a non-octal IPv4 quad now results in a 400 error response.

• CB-36374: In Server 7.5.0 - 7.6.1, the Yara Manager icon did not display properly in the left-hand navigation panel when enabled on a Hosted EDR instance

• CB-32829: Netconn_count range searches could produce inconsistent results

• CB-27046: Watchlist notifications could be delayed.

  Watchlist notifications are now sent as they are collected, rather than in batches all at once.

• CB-38518: EDR Server stopped processing some events after submit

Known Issues

• CB-33355: In some cases, a process Watchlist will produce more hits than alerts

  When a Watchlist query is executed using the original terms (e.g. process_name:notepad.exe), both the original segment (with events) and the tagged segment (without events) are returned, and both results appear on the Watchlists page. This makes it appear that there have been two hits, when in fact, there was only one. The result is two apparent hits, but only one alert, which is deceptive.

• CB-37654: Query Requires Double Quotation Marks

  In Server 7.6.0, on the Process Search page, a process query built with Add search terms > Choose criteria > Fileless > Command line contents > [Insert text] only returns the proper results if the user encloses the query in double quotation marks (““ ””).

• CB-33586: Red dot does not display

  In Server 7.5.0, on the Process Search page, a process that has a Threat Intelligence Feed hit tag in one segment may not display the feed hit icon (a red dot) when “Group by process” is selected.

• CB-35139: Binary Search searches sometimes return zero results

  In Server 7.5.0, Binary Search searches can sometimes return zero results when there are matching results that should be returned.

• CB-35147: Submitted child process events of type "2" (other exec) do not properly store the process PID

  In Server 7.5.0, when using the GET /v3/{guid}/event API (or GET /v5/{guid}/event), submitted child process events of type "2" (other exec) do not properly store the process PID

• CB-35148: Process information not properly returned

  In Server 7.5.0, when using the GET/v1/process/{guid}/{segmentid}/preview API, process information is not properly returned.

• CB-35335: A user with “No Access” to a particular sensor group will experience an infinite loading indicator on the Live Query page

  In Server 7.5.0, a user with “No Access” to a particular sensor group will experience an infinite loading indicator on the Live Query page when they try to execute a Live Query that includes that sensor group.

• CB-35668: In the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered to save

  In Server 7.5.0, in the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered for the watchlist expiration duration in order to save, even when the first option, “Do not mark watchlists as expired if they have no hits.” is selected. The configuration should successfully save when “Do not mark watchlists as expired if they have no hits.” is selected and the “Notify me when watchlists have not received hits in” value is blank.

• CB-33352: cb-enterprise fails to install on RHEL/CentOS 8 with FIPS 140-2 enabled

  This issue is due to a change in Red Hat 8 that affected Paramiko (https://bugzilla.redhat.com/show_bug.cgi?id=1778939).

  Use RHEL/CentOS 7 if you enable FIPS 140-2.

• CB-31136: Live Query fails to take the SensorInactiveFilterDays setting into account

  Live Query fails to take the SensorInactiveFilterDays setting into account when determining which sensors to target. The sensor count on the right side of the ‘Current query’ bar shows all targeted sensors, while the quantity of targeted sensors in the ‘Run New Query’ pop-up does account for SensorInactiveFilterDays, and will sometimes show a lower number.

• CB-24519: Older files did not get SHA-256 values

  After an upgrade of server and sensor, older files did not get SHA-256 values. When an older file is executed, it creates a process event that contains SHA-256. When a user clicks the link, the binary store shows no SHA-256.

• CB-20565: Cannot enable or disable Alliance Sharing

  When using a custom email server, you cannot enable or disable Alliance Sharing.

  Disable the custom email server, make the change, and re-enable the custom email server.

• CB-18936: Malformed CSV Export

  The CSV export of the user activity audit is malformed in certain cases.

• CB-18927: The CSV export of Recently Observed Hosts has no header row.

• CB-37645: Process Analysis page can present fileless_scriptload events with corrupted fileless_scriptload_cmdline content

  Large (>64KB) scripts in Windows Sensor 7.2.0 - 7.2.2 can be reported incorrectly, which causes corrupted fileless_scriptload_cmdline data to be sent to the Carbon Black EDR Server. The bug is fixed in Windows Sensor 7.3.0 [CB-37282].The result of this bug is that the Process Analysis page can present fileless_scriptload events with corrupted fileless_scriptload_cmdline content. In this case, the corrupted content is replaced with the error message, “<Corrupt command line data found>”.

• CB-35669: On the Triage Alerts Page, an invalid search with malformed syntax fails silently, without an error message

  In Server 7.5.0 - 7.6.2, on the Triage Alerts Page, an invalid search with malformed syntax fails silently, without an error message. In previous versions, an invalid query would return an error message of “Malformed syntax in search query.” Via the API, a malformed query submitted on Server 7.5.0 or 7.5.1 returns a 500 error with no error message, whereas a malformed query submitted on previous versions returns a 400 error with the “Malformed syntax in search query.” error message.

Contacting Support