VMware Carbon Black EDR 7.7.1 | 18 SEP 2022 | Build 7.7.1.220913

Check for additions and updates to these release notes.

What's New

VMware Carbon Black EDR 7.7.1 is a Maintenance release of the VMware Carbon Black EDR server and console. This release delivers bug fixes and other minor enhancements.

See Resolved Issues and Third-Party Software Updates for more details.

  • CBC Cipher Suites for TLS Communication

    Due to security enhancements, Carbon Black EDR backend 7.7.1 will not allow CBC cipher suites for TLS communication between Sensor and Backend. If this creates a connectivity issue for you, see how to revert this change by using the UseWeakCBCSecurityCiphers parameter as documented in the VMware Carbon Black EDR Server Configuration Guide.

  • Components Included in this Release

    Each release of Carbon Black EDR software is cumulative and includes changes and fixes from all previous releases.

Documentation

This document supplements other Carbon Black documentation. Supplemental release documentation can be found in the Carbon Black EDR section of docs.vmware.com.

In addition to this document, you should have access to the following key documentation for VMware Carbon Black EDR Server 7.7.1:

  • VMware Carbon Black EDR 7.7.1 User Guide: Describes how to use the Carbon Black EDR servers that collect information from endpoint sensors and correlate endpoint data with threat intelligence.

  • VMware Carbon Black EDR 7.7.1 Server / Cluster Management Guide: Describes installation, configuration, and upgrade of RPM-based Carbon Black EDR servers.

  • VMware Carbon Black EDR 7.7 Containerized Server Guide: Describes installation and migration of Carbon Black EDR containerized servers.

  • VMware Carbon Black EDR 7.7.1 Server Configuration Guide: Contains details about cb.conf parameters.

  • VMware Carbon Black EDR 7.7.1 Integration Guide: Contains details about integrating Carbon Black EDR with tools and applications.

  • VMware Carbon Black EDR 7.7 Unified View Guide: Describes the installation and use of the Carbon Black EDR Unified View server. Information on server hardware sizing requirements and software platform support is included.

  • VMware Carbon Black EDR Operating Environment Requirements: Describes base requirements and scalability information for installing Carbon Black EDR on-prem servers.

[On-Prem Only] Prepare for Server Installation or Upgrade

This section describes the requirements and key information that is needed before installing a VMware Carbon Black EDR server. All on-premises users, whether upgrading or installing a new server, should review this section before proceeding. See the appropriate section of the VMware Carbon Black EDR 7.7.1 Server/Cluster Management Guide for specific installation instructions for your situation:

  • To install a new VMware Carbon Black EDR server, see “Installing the VMware Carbon Black EDR Server”.

  • To upgrade an existing VMware Carbon Black EDR server, see “Upgrading the VMware Carbon Black EDR Server”.

  • To install and migrate to Containerized Carbon Black EDR Server (Server 7.7.0+), see the VMware Carbon Black EDR Containerized Server Guide.

Customers on Server 5.x, please note:

Direct upgrades from Server 5.x to Server 7.x are not supported. See the VMware Carbon Black EDR 7.7 Server/Cluster Management Guide and this VMware Carbon Black User Exchange announcement for more information.

Yum URLs

Carbon Black EDR Server software packages are maintained at the Carbon Black yum repository (yum.distro.carbonblack.io). The links will not work until the on-prem General Availability (GA) date.

The following links use variables to make sure you install the correct version of Carbon Black EDR, based on your machine’s operating system version and architecture.

Use caution when pointing to the yum repository. Different versions of the product are available on different branches, as follows:

  • Specific version: The 7.7.1 version is available from the Carbon Black yum repository that is specified in the following base URL:

baseurl=https://yum.distro.carbonblack.io/enterprise/7.7.1-1/$releasever/$basearch

This link is available as long as this specific release is available. It can be used even after later versions have been released, and it can be useful if you want to add servers to your environment while maintaining the same version.

  • Latest version: The latest supported version of the Carbon Black EDR server is available from the Carbon Black yum repository that is specified in the following base URL:

baseurl=https://yum.distro.carbonblack.io/enterprise/stable/$releasever/$basearch/

This URL will point to version 7.7.1-1 until a newer release becomes available, at which time it will automatically point to the newer release.

Note:

Communication with this repository is over HTTPS and requires appropriate SSL keys and certificates. During the Carbon Black EDR server install or upgrade process, other core CentOS packages can be installed to meet various dependencies. The standard mode of operation for the yum package manager in CentOS is to first retrieve a list of available mirror servers from http://mirror.centos.org:80, and then select a mirror from which to download the dependency packages. If a Carbon Black EDR server is installed behind a firewall, local network and system administrators must make sure that the host machine can communicate with standard CentOS yum repositories.

Installing Containerized Carbon Black EDR

See the VMware Carbon Black EDR Containerized Server Guide for instructions on how to download and install the Carbon Black EDR Server container image.

[On-Prem Only] System Requirements

Operating system support for the server and sensors is listed here for your convenience. The VMware Carbon Black EDR Operating Environment Requirements document describes the full hardware and software platform requirements for the Carbon Black EDR server and provides the current requirements and recommendations for systems that are running the sensor.

Both upgrading and new customers must meet all of the requirements specified here and in the VMware Carbon Black EDR Operating Environment Requirements document before proceeding.

Server / Console Operating Systems

Note: Carbon Black EDR no longer supports Red Hat Enterprise Linux (RHEL) / CentOS 6.x.

For best performance, Carbon Black recommends running the latest supported software versions for RPM-based Carbon Black EDR installations:

  • Red Hat Enterprise Linux (RHEL) / CentOS 7.3 - 7.9 (64-bit)

  • Red Hat Enterprise Linux (RHEL) / CentOS 8.1 - 8.6 (64-bit)

  • CentOS 8.2 - 8.4 (64-bit)

However, if customers are pinning dependencies to a specific OS version, the product only supports the following software versions for RPM-based Carbon Black EDR Server and Unified View:

  • Red Hat Enterprise Linux (RHEL) / CentOS 7.5 - 7.9 (64-bit)

  • Red Hat Enterprise Linux (RHEL) / CentOS 8.2 - 8.6 (64-bit)

  • CentOS 8.2 - 8.4 (64-bit)

Note: Versions 7.3, 7.4, and 8.1 (64-bit) of CentOS/RHEL are not supported if customers are pinning dependencies.

Installation and testing are performed on default install, using the minimal distribution and the distribution’s official package repositories. Customized Linux installations must be individually evaluated.

For containerized on-prem Carbon Black EDR Server installations, the product supports any operating system that is capable of running:

  • Docker 1.13

  • Docker CE 20.10.14

Sensor Operating Systems (for Endpoints and Servers)

For the current list of supported operating systems for VMware Carbon Black EDR sensors, see https://docs.vmware.com/en/VMware-Carbon-Black-EDR/index.html.

Note: Non-RHEL/CentOS distributions or modified RHEL/CentOS environments (those built on the RHEL platform) are not supported.

Configure Sensor Update Settings Before Upgrading Server

VMware Carbon Black EDR 7.7.1 comes with updated sensor versions. Servers and sensors can be upgraded independently, and sensors can be upgraded by sensor groups.

Decide whether you want the new sensor to be deployed immediately to existing sensor installations, or install only the server updates first. Carbon Black recommends a gradual upgrade of sensors to avoid network and server performance impact. We strongly recommend that you review your sensor group upgrade policies before upgrading your server, to avoid inadvertently upgrading all sensors at the same time. For detailed information on Sensor Group Upgrade Policy, see the Sensor Group section of the VMware Carbon Black EDR 7.7.1 User Guide.

To configure the deployment of new sensors by using the VMware Carbon Black EDR web console, follow the instructions in the VMware Carbon Black EDR Sensor Installation Guide.

Third-Party Software Updates

  1. Apache Solr 8.11.1 -> 8.11.2

  2. OpenResty 1.19.3.2 -> 1.21.4.1

  3. PostgreSQL Database Server 13.7 -> 13.8

  4. PostgreSQL JDBC Driver 42.3.4 -> 42.5.0

  5. Python 3.10.4 -> 3.10.6

  6. Redis 7.0.0 -> 7.0.4

  7. moment npmjs 2.29.3 -> 2.29.4

  8. sanitize-html 2.3.3 -> 2.7.1

  9. terser 5.10.0 -> 5.15.0

Resolved Issues

  • CB-15680, EA-9999: Live Response encountered an error when attempting to parse binary data from a reg query command

  • N/A: Improper 500 error response

    A fix for an issue in previous versions, in which an attempt to delete a non-existent entry from nginx_approvedlist (formerly known as nginx_whitelist) resulted in an improper 500 error response. This issue is resolved in Server 7.7.1: the request now returns an appropriate 400 error response.

  • CB-24981, EA-13947: Triage Alerts and Binary Search

    A fix for an issue in previous versions, on the Triage Alerts and Binary Search pages, in which the “Created at” button in the Add Criteria dropdown menu and the calendar utility could malfunction.

  • CB-27949: Investigations page, sort by Hostname in descending order

    A fix for an issue in previous versions, on the Investigations page, in which the modification of a tagged event’s description causes the list of events to be sorted by Hostname in descending order, when the sorting should remain the same.

  • CB-29207: Activity Audit page displayed times in the local time zone

    A fix for an issue in previous versions, in which the Activity Audit page within User Management displayed times in the local time zone instead of GMT, which the rest of the product uses.

  • CB-35669: Triage Alerts Page, an invalid search with malformed syntax fails silently

    In Server 7.5.0 - 7.7.0, on the Triage Alerts Page, an invalid search with malformed syntax fails silently, without an error message. This issue is resolved in Server 7.7.1: the expected “Malformed syntax in search query” error message is now presented when an invalid search with malformed syntax is entered.

  • CB-35966: Server URL and Auth Token values set on the VMware Carbon Black App Control Server page could not be cleared from the backend

    A fix for an issue in previous versions, in which once the Server URL and Auth Token values are set on the VMware Carbon Black App Control Server page within Settings, they cannot be cleared from the backend, resulting in an “Unable to connect to VMware Carbon Black App Control Server” warning, even when the fields have been cleared in the UI.

  • CB-36036: Attempting to modify an ingress filter that was added through the API through the UI failed silently without an error message

    A fix for an issue in previous versions, in which attempting to modify, through the UI, an ingress filter that was added via the API failed silently without an error message. This issue is resolved in Server 7.7.1: modifying an ingress filter works properly, regardless of whether the ingress filter was added via the UI or the API. Also, three ingress filter types are accepted: MD5, File Path, and Command Line.

  • CB-36915: String-based event type contained embedded double quotes

    A fix for an issue in previous versions, in which, if a string-based event type contains embedded double quotes, the string is stored with extra quotes, resulting in the string of text being improperly presented in the UI or failing to render in the UI entirely.

  • CB-37189, EA-19479: Certain reg query commands in Live Response returned an Internal Server Error

  • CB-37867, EA-19975: Live Response was unable to query REG_BINARY values using the reg query command

  • CB-38311, EA-20669: Running /usr/share/cb/cbcheck selinux --mismatch results in several rabbitmq mnesia directories and files showing a mismatch

    A fix for an issue in previous versions, in which running /usr/share/cb/cbcheck selinux --mismatch results in several rabbitmq mnesia directories and files showing a mismatch. Also, running /usr/share/cb/cbcheck selinux --apply did not apply any changes to provide a fix for mismatches.

  • CB-39144, EA-21225: Site Throttling modifications required a services restart

    A fix for an issue in previous versions, in which Site Throttling modifications required a services restart (specifically, a restart of datastore) to be applied. This issue is resolved in Server 7.7.1: Site Throttling modifications are applied without a restart of datastore.

  • CB-39284: Live Response was unable to properly query REG_QWORD values using the reg query command

  • CB-39319: Migrating RPM-based installation of Carbon Black EDR Server to a containerized installation of Carbon Black EDR Server

    In Server 7.7.0, after migrating an RPM-based installation of EDR Server to a containerized installation of EDR Server, the original, RPM-based installation can still be started. Starting the RPM-based installation while the containerized installation is active can result in interoperability issues. In Server 7.7.1, startup of the original, RPM-based installation is prevented when a containerized installation is active.

  • CB-39336: Threat Intelligence Feeds

    A fix for an issue in Server 7.7.0, in which the cbfeed_airgap import of existing Threat Intelligence Feeds fails when ValidateApiPayloadSchema is enabled.

  • CB-39347: AD Integration feature, users cannot connect to an AD server via LDAP using the default user

    In Server 7.7.0, in the AD Integration feature, users cannot connect to an AD server via LDAP using the default user identifier, ‘cn’. The leading ‘cn=’ is hard-coded, when it should be configurable so that ‘cn=’ can be replaced with ‘uid=’, for example, for connection with an LDAP server. In Server 7.7.1, the user identifier attribute is configurable through the ldap_user_name_attr parameter, which specifies the user identifier attribute (default value 'cn'). See the Active Directory Authentication section of the VMware Carbon Black EDR Integration Guide for more information.

  • CB-39348, EA-21294: DataStore GetStatistics Servlet

    A fix for an issue in previous versions, in which the DataStore GetStatistics Servlet (called using admin/statistics) collates information from all mount points, including restricted mount points, which can lead to an AccessDeniedException error that is not returned to the caller. As a result, the UI does not display these statistics and the logs can fill with errors. This issue is resolved in Server 7.7.1 by handling the exception so that execution does not break.

  • CB-39356, EA-21393: Process Analysis page, “Unable to retrieve process details” error message

    A fix for an issue in Server 7.7.0 and 7.6.2, on the Process Analysis page, in which an “Unable to retrieve process details” error message is displayed when the user attempts to view the details (Process Metadata) for a suppressed child process (ChildProc) event. This issue is resolved in Server 7.7.1 by changing the sequencing of fetching process details and suppression status. Beginning in Server 7.7.1, suppression status is checked before process details, and process details are only fetched if the event is not suppressed, which eliminates the occurrence of this error message.

  • CB-39384: In the AD Integration feature of Server 7.7.0, EDR Server incorrectly queried group membership

    In Server 7.7.0, in the AD Integration feature, EDR Server queries group membership using the “memberOf” attribute for integration with Active Directory and the “member” attribute for integration with LDAP. However, a different group membership attribute, “memberUid”, must be used for integration with OpenLDAP or FreeIPA. In Server 7.7.1, the group membership attribute is configurable through the ldap_group_members_attr parameter, which specifies the group membership attribute (default value 'member'). See the Active Directory Authentication section of the VMware Carbon Black EDR Integration Guide for more information.

  • CB-39593, EA-21437: A fix for an issue in Server 7.7.0, in which certain APIs did not have sufficient input validation

  • CB-39602: In the Active Directory feature, we provide an incorrect example of an LDAP group

    A fix for a documentation issue in Server 7.7.0, in the Active Directory feature, in which we provided an incorrect example of an LDAP group with no specified team in attr_map.example.ldap. In this example, a ‘teams’ value should be specified for the users in this group in order for those users to have access to the sensor groups associated with the specified ‘teams’ value(s) in EDR.

  • CB-39649: Active Directory Integration EDR services failed to start if ldap_user_org is not specified

    A fix for an issue in Server 7.7.0, in the Active Directory Integration feature, in which EDR services fail to start if ldap_user_org is not specified, even when the LDAP provider should not be required for AD authentication.

  • CB-39707: Empty Server URL and/or Auth Token fields triggers an API call

    A fix for an issue in Server 7.7.0 and 7.6.2, on the VMware Carbon Black App Control Server page within Settings, in which an attempt to save the page when the Server URL and/or Auth Token fields are empty still triggers an API call, resulting in an “Unable to connect to VMware Carbon Black App Control Server” UI error.

  • CB-39726: Tag description entries on the Investigations page

    A fix for an issue in Server 7.7.0 and 7.6.2, on the Investigations page, in which tag description entries submitted in HTML or JavaScript are accepted, when they should not be, which can result in an infinite spinner and UI errors.

  • CB-39746: URL contained in an email alert was previously in the form of the hostname

    A fix for an issue, in which the URL contained in an email alert was previously in the form of the hostname, not the fully qualified domain name (FQDN), meaning the URL might not successfully link to the alert in the EDR console for emails that are reviewed outside of a locally-resolving DNS zone. The URL contained in the email alert is now in the form of the FQDN to resolve this potential issue.

  • CB-39770, EA-21498: Event Forwarder encountered an error when a syslog port was not provided via the Event Forwarder UI

    A fix for a bug in Server 7.7.0 (and Event Forwarder 3.8.1), in which Event Forwarder encounters an error when a syslog port is not provided via the Event Forwarder UI. This issue is resolved in Server 7.7.1 and Event Forwarder 3.8.3 (which is yet to be released): beginning in Server 7.7.1, when syslog is selected as the Destination type, a port value is required for the Syslog destination (it cannot be left blank). Also, the User Guide has been updated to accurately reflect the correct syslog destination format.

  • CB-39838: Migrating from RPM-based EDR Server to containerized EDR Server

    A fix for an issue in Server 7.7.0 that can occur after migrating from RPM-based EDR Server to containerized EDR Server, in which on-demand threat intelligence requests for hash and/or network reputation can fail, even when enabled in cb.conf.

  • CB-39888: Search Threat Reports, Triage Alerts, and Search Binaries pages

    A fix for an issue in Server 7.7.0, on the Search Threat Reports, Triage Alerts, and Search Binaries pages, where the calendar utility is present, in which clicking on the calendar utility to select a date or range of dates resulted in a UI browser error.

  • CB-39972, EA-21625: nginx_approvedlist did not accept IP addresses and IP address ranges in CIDR notation

    A fix for an issue in Server 7.7.0, in which nginx_approvedlist no longer accepts IP addresses and IP address ranges in CIDR notation, as it did in previous versions. This issue is resolved in Server 7.7.1: nginx_approvedlist once again accepts IP addresses and IP address ranges in CIDR notation.

  • CB-39977, EA-21606: Windows command line data can be captured in URL-encoded format

    A fix for an issue in Server 7.7.0 and 7.6.2, in which, under some circumstances, Windows command line data can be captured in URL-encoded format, which can result in searches and Watchlist queries no longer matching the expected command line content. This issue is resolved in Server 7.7.1: URL-encoded strings are always decoded before being tokenized and stored.

  • CB-39996, EA-21635: Attempted additions of IP addresses to nginx_approvedlist could fail

    A fix for an issue in Server 7.7.0, in which attempted additions of IP addresses to nginx_approvedlist could fail if the primary key (id) already existed, because the sequence improperly restarted at 1 rather than incrementing from the greatest previous value. This issue is resolved in Server 7.7.1: the key (id) continues incrementing from the previous value to avoid key (id) collisions.

  • CB-40015, EA-21657: Redis cache persists through restart of service cb-redis

    In RPM-based Server 7.7.0 (not containerized Server 7.7.0), the Redis cache persists through restart of service cb-redis, causing any active browser sessions to persist through server restart. Prior to Server 7.7.0, a restart to the service cb-redis would discard the cache and reset any active console sessions. Server 7.7.1 resolves this issue: a restart of service cb-redis discards the cache and refreshes the browser session.

  • CB-40211, CB-39854: Invalid or duplicate entries to nginx_approvedlist

    In Server 7.7.0, the addition of invalid or duplicate entries to nginx_approvedlist resulted in an HTTP 400 error. In Server 7.7.1, an appropriate error message, “Invalid/duplicate IP address(es) found in the request: [a.b.c.d]”, is displayed for the attempted addition of an invalid or duplicate IP address to nginx_approvedlist.
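The nginx_approvedlist behaviour described in CB-39972, CB-39996, CB-40211 and the 500-error fix above, as an added example that is not the product's code: an in-memory approved list that accepts single addresses and CIDR ranges, rejects invalid or duplicate entries with the 7.7.1 message, allocates ids from a sequence that never restarts, and answers a delete of a missing entry with a client-side result rather than a failure. The class itself, the comma-separated listing of several rejected entries, and the strict=True rejection of ranges with host bits set are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Entry:
    id: int             # primary key, taken from a monotonically increasing sequence
    network: IPNetwork  # a single address is stored as a /32 (IPv4) or /128 (IPv6) network


class ApprovedList:
    """In-memory stand-in for the nginx_approvedlist table (constructed for this example)."""

    def __init__(self, existing: Iterable[Entry] = ()):
        self.entries: List[Entry] = list(existing)
        # Seed the id sequence from the greatest existing id, so it never restarts
        # at 1 while rows with low ids still exist (the CB-39996 collision).
        self._seq = max((e.id for e in self.entries), default=0)

    def _next_id(self) -> int:
        self._seq += 1
        return self._seq

    def add(self, raw_entries: Iterable[str]) -> List[Entry]:
        """Validate every requested entry, then insert all of them or none.

        Accepts single IPv4/IPv6 addresses and CIDR ranges. Rejects anything the
        ipaddress module cannot parse, ranges with host bits set (strict=True is
        an assumption of this example), and entries that duplicate an existing
        row or another entry in the same request.
        """
        seen = {e.network for e in self.entries}
        parsed: List[IPNetwork] = []
        rejected: List[str] = []
        for raw in raw_entries:
            raw = raw.strip()
            try:
                net = ipaddress.ip_network(raw, strict=True)
            except ValueError:
                rejected.append(raw)
                continue
            if net in seen:  # "10.0.0.1" and "10.0.0.1/32" compare equal, so both count as duplicates
                rejected.append(raw)
                continue
            seen.add(net)
            parsed.append(net)
        if rejected:
            # The 7.7.1 message; listing several rejected entries comma-separated is an assumption.
            raise ValueError(
                "Invalid/duplicate IP address(es) found in the request: ["
                + ", ".join(rejected) + "]"
            )
        added = [Entry(self._next_id(), net) for net in parsed]
        self.entries.extend(added)
        return added

    def delete(self, entry_id: int) -> bool:
        """Remove one row by id. A missing id is a client error (False), never a crash."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.id != entry_id]
        return len(self.entries) != before

    def allows(self, address: str) -> bool:
        """True if the address falls inside any approved entry (IPv4 and IPv6 never mix)."""
        ip = ipaddress.ip_address(address)
        return any(ip in e.network for e in self.entries)
```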
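The CB-39977 decoding rule, as an added example that is not the product's code: a URL-encoded command line is decoded once before it is tokenized, so a term-based watchlist query matches the stored value where the raw encoded form would not. The looks_url_encoded heuristic, the simplified tokenizer and the sample command line are assumptions of the example, not the product's rules.

```python
import re
from typing import Iterable, List
from urllib.parse import unquote

# One percent-encoded byte, e.g. %20 (space) or %5C (backslash).
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def looks_url_encoded(cmdline: str) -> bool:
    """Heuristic, an assumption of this example rather than the product's rule: a
    captured command line with %XX escapes and no literal spaces was URL-encoded
    on the way in. Common environment references such as %TEMP% or %USERPROFILE%
    are not valid %XX escapes and are left untouched; a bare %CD% would be
    mis-read, which is the trade-off this heuristic accepts."""
    return " " not in cmdline and PCT_ESCAPE.search(cmdline) is not None


def normalize_cmdline(cmdline: str) -> str:
    """Decode a URL-encoded command line exactly once, before it is tokenized and
    stored (the 7.7.1 behaviour); plain command lines pass through unchanged."""
    return unquote(cmdline) if looks_url_encoded(cmdline) else cmdline


def tokenize(cmdline: str) -> List[str]:
    """Simplified tokenizer (assumption: the real index tokenizer differs): lower-case,
    split on whitespace and path separators, strip surrounding quotes."""
    tokens = []
    for part in re.split(r"[\s\\/]+", cmdline.lower()):
        part = part.strip("\"'")
        if part:
            tokens.append(part)
    return tokens


def watchlist_matches(query_terms: Iterable[str], stored_cmdline: str) -> bool:
    """Term query: every term must appear as a whole token of the stored command line."""
    tokens = set(tokenize(stored_cmdline))
    return all(term.lower() in tokens for term in query_terms)


# Constructed sample: one command line as the sensor reports it in plain form and as
# it was captured in the affected versions (URL-encoded), plus a two-term query.
PLAIN = r'"C:\Windows\System32\cmd.exe" /c whoami'
ENCODED = "%22C%3A%5CWindows%5CSystem32%5Ccmd.exe%22%20%2Fc%20whoami"
QUERY = ["cmd.exe", "whoami"]


def demo() -> dict:
    """Before/after view of the CB-39977 effect on the same term query."""
    return {
        "raw_encoded_matches": watchlist_matches(QUERY, ENCODED),
        "normalized_matches": watchlist_matches(QUERY, normalize_cmdline(ENCODED)),
        "plain_matches": watchlist_matches(QUERY, PLAIN),
    }
```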
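The two attributes made configurable in CB-39347 and CB-39384, together with the attr_map 'teams' requirement from CB-39602, as an added example that is not the product's code: user lookup with either cn= or uid=, group resolution via memberOf, member or memberUid, and the mapping of groups to teams, all run over a constructed in-memory directory. The user_search_base key, the directory entries and the attr_map contents are assumptions of the example.

```python
from typing import Dict, List, Set

Directory = Dict[str, Dict[str, List[str]]]

# Hypothetical settings modelled on the two parameters named in the release notes;
# "user_search_base" is a key made up for this example.
AD_STYLE = {"ldap_user_name_attr": "cn", "ldap_group_members_attr": "memberOf",
            "user_search_base": "ou=users,dc=corp,dc=example"}
OPENLDAP_STYLE = {"ldap_user_name_attr": "uid", "ldap_group_members_attr": "memberUid",
                  "user_search_base": "ou=people,dc=corp,dc=example"}

# Constructed in-memory stand-in for a directory (DN -> attributes); no LDAP traffic.
DIRECTORY: Directory = {
    "cn=jdoe,ou=users,dc=corp,dc=example": {
        "cn": ["jdoe"],
        "memberOf": ["cn=soc-analysts,ou=groups,dc=corp,dc=example"]},
    "cn=soc-analysts,ou=groups,dc=corp,dc=example": {
        "cn": ["soc-analysts"],
        "member": ["cn=jdoe,ou=users,dc=corp,dc=example"]},
    "uid=asmith,ou=people,dc=corp,dc=example": {
        "uid": ["asmith"], "cn": ["Alice Smith"]},
    "cn=edr-admins,ou=groups,dc=corp,dc=example": {
        "cn": ["edr-admins"], "objectClass": ["posixGroup"], "memberUid": ["asmith"]},
    "cn=helpdesk,ou=groups,dc=corp,dc=example": {
        "cn": ["helpdesk"], "objectClass": ["posixGroup"], "memberUid": ["bob"]},
}

# Constructed attr_map-style mapping from group DN to EDR teams. A group that is
# meant to grant access must carry a 'teams' value (the CB-39602 correction).
ATTR_MAP = {
    "cn=soc-analysts,ou=groups,dc=corp,dc=example": {"teams": ["Analysts"]},
    "cn=edr-admins,ou=groups,dc=corp,dc=example": {"teams": ["Administrators"]},
    "cn=helpdesk,ou=groups,dc=corp,dc=example": {},  # no teams: grants nothing
}


def user_dn(cfg: dict, login: str) -> str:
    """'<ldap_user_name_attr>=<login>,<base>'; with cn hard-coded (the 7.7.0
    behaviour) a uid-based account could never be located."""
    if "," in login or "=" in login:
        raise ValueError("login must be a plain identifier, not a DN fragment")
    return f"{cfg['ldap_user_name_attr']}={login},{cfg['user_search_base']}"


def resolve_groups(directory: Directory, cfg: dict, dn: str) -> Set[str]:
    """Group DNs the user belongs to, read according to ldap_group_members_attr."""
    attr = cfg["ldap_group_members_attr"]
    user = directory[dn]
    if attr == "memberOf":        # AD: membership is stored on the user entry as group DNs
        return set(user.get("memberOf", []))
    if attr == "memberUid":       # OpenLDAP posixGroup / FreeIPA: groups list bare uid values
        key = user[cfg["ldap_user_name_attr"]][0]
    else:                         # member (or uniqueMember): groups list full user DNs
        key = dn
    return {gdn for gdn, entry in directory.items() if key in entry.get(attr, [])}


def teams_for(login: str, cfg: dict, directory: Directory = DIRECTORY,
              attr_map: dict = ATTR_MAP) -> List[str]:
    """EDR teams the user should receive; groups without a 'teams' value grant nothing."""
    teams: Set[str] = set()
    for gdn in resolve_groups(directory, cfg, user_dn(cfg, login)):
        teams.update(attr_map.get(gdn, {}).get("teams", []))
    return sorted(teams)
```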

Known Issues

  • CB-39786: In Carbon Black EDR Server 7.7.0, attempting a large, bulk resolution of Alerts can result in a timeout

  • CB-39497: In Carbon Black EDR Server 7.7.0, on the Investigations page, events of different types that occurred around the same time can be improperly overlaid instead of stacked

  • CB-39411: Yara Manager UI Configuration in Containerized Carbon Black EDR

    Yara Manager UI configuration for the Yara connector does not work in Containerized Carbon Black EDR Server because Yara Manager code is not included in the Carbon Black EDR Server container image. The Yara Connector and Yara Manager will exist in their own container image, which does not yet exist as of the Server 7.7.0 release. Containerized Carbon Black EDR Server must be connected to containerized Yara Connector and Yara Manager (after they are released) for Yara Manager UI configuration to work.

  • CB-39413, EA-19397: In Carbon Black EDR Server 7.7.0, on the Binary Search page, the bars in the Host Count graph can appear improperly thin

  • CB-33355: In some cases, a process Watchlist will produce more hits than alerts

    When a Watchlist query is executed using the original terms (e.g. process_name:notepad.exe), both the original segment (with events) and the tagged segment (without events) are returned, and both results appear on the Watchlists page. This makes it appear that there have been two hits when in fact there was only one: two apparent hits, but only one alert.

  • CB-35668: In Carbon Black EDR Server 7.5.0 - 7.7.0, in the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered for the watchlist expiration duration

    In Carbon Black EDR Server 7.5.0 - 7.7.0, in the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered for the watchlist expiration duration in order to save, even when the first option, “Do not mark watchlists as expired if they have no hits.” is selected. The configuration should successfully save when “Do not mark watchlists as expired if they have no hits.” is selected and the “Notify me when watchlists have not received hits in” value is blank.

  • CB-35335: In Carbon Black EDR Server 7.5.0 - 7.7.0, Live Query page

    In Carbon Black EDR Server 7.5.0 - 7.7.0, a user with “No Access” to a particular sensor group will experience an infinite loading indicator on the Live Query page when they try to execute a Live Query that includes that sensor group.

  • CB-31662: Watchlist query in the Create Watchlist modal does not properly wrap text if the text starts with “-”

    When creating a Watchlist, the Watchlist query in the Create Watchlist modal does not properly wrap text if the text starts with “-”. The “-” creates a line break; thus, the subsequent text is displayed on the following line. This is an issue on Google Chrome/Chromium.

  • CB-33586: Red dot does not display

    In Server 7.5.0, on the Process Search page, a process that has a Threat Intelligence Feed hit tag in one segment may not display the feed hit icon (a red dot) when “Group by process” is selected.

  • CB-35139: Binary Search searches sometimes return zero results

    In Server 7.5.0, Binary Search searches can sometimes return zero results when there are matching results that should be returned.

  • CB-35147: Submitted child process events of type "2" (other exec) do not properly store the process PID

    In Server 7.5.0, when using the GET /v3/{guid}/event API (or GET /v5/{guid}/event), submitted child process events of type "2" (other exec) do not properly store the process PID.

  • CB-35148: Process information not properly returned

    In Server 7.5.0, when using the GET /v1/process/{guid}/{segmentid}/preview API, process information is not properly returned.

  • CB-33352: cb-enterprise fails to install on RHEL/CentOS 8 with FIPS 140-2 enabled

    This issue is due to a change in Red Hat 8 that affected Paramiko (https://bugzilla.redhat.com/show_bug.cgi?id=1778939).

    Use RHEL/CentOS 7 if you enable FIPS 140-2.

  • CB-31136: Live Query fails to take the SensorInactiveFilterDays setting into account

    Live Query fails to take the SensorInactiveFilterDays setting into account when determining which sensors to target. The sensor count on the right side of the ‘Current query’ bar shows all targeted sensors, while the quantity of targeted sensors in the ‘Run New Query’ pop-up does account for SensorInactiveFilterDays, and will sometimes show a lower number.

  • CB-20565: Cannot enable or disable Alliance Sharing

    When using a custom email server, you cannot enable or disable Alliance Sharing.

    Disable the custom email server, make the change, and re-enable the custom email server.

Contacting Support

VMware Carbon Black EDR server and sensor update releases are covered under the Carbon Black Customer Maintenance Agreement. Technical Support can assist with any issues that might develop. Our Professional Services organization is also available to help ensure a smooth and efficient upgrade or installation.

Use one of the following channels to request support or ask support questions:

Reporting Problems

When contacting Carbon Black Technical Support, provide the following required information:

  • Contact: Your name, company name, telephone number, and email address

  • Product version: Product name (VMware Carbon Black EDR server and sensor versions)

  • Hardware configuration: Hardware configuration of the VMware Carbon Black EDR server (processor, memory, and RAM)

  • Document version: For documentation issues, specify the version and/or date of the manual or document you are using

  • Problem: Action causing the problem, the error message returned, and event log output (as appropriate)

  • Problem Severity: Critical, serious, minor, or enhancement request

Note: Before performing an upgrade, Carbon Black recommends you review the related content on the User Exchange and the release documentation location, the Carbon Black EDR section of docs.vmware.com.
