What's New

• Components Included in this Release

  • Server version 7.8.0.230722

  • Windows Sensor version 7.4.1.18957: Release Notes

  • macOS Sensor version 7.2.3.90160: Release Notes

  • Linux Sensor version 7.1.2.98050: Release Notes

  Each release of Carbon Black EDR software is cumulative and includes changes and fixes from all previous releases.

• FIPS 140-2 Support on RHEL 8

  The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in information technology products. Carbon Black EDR Server 7.8.0 introduces the ability to run Carbon Black EDR Server in FIPS-enabled mode on a FIPS-enabled RHEL 8.2, 8.6, 8.7, or 8.8 server to comply with FIPS 140-2 requirements.

  See the FIPS 140-2 on RHEL 8 section of the VMware Carbon Black EDR Server Cluster Management Guide for more information.

• Migration from Legacy to System OpenSSL on EL 8

  With the release of Carbon Black EDR Server 7.8.0, we highly recommend that you use a system-provided OpenSSL version of at least 1.1.1 in combination with OpenResty, built with Nginx version 1.21.4 on EL 8 systems. This recommended configuration ensures optimal compatibility and performance for your Carbon Black EDR deployment. By utilizing a system-provided OpenSSL version of at least 1.1.1, you can take advantage of the latest security enhancements and cryptographic protocols offered by OpenSSL. This ensures the secure transmission and encryption of data within your Carbon Black EDR environment, aligning with industry best practices.

  Additionally, Carbon Black EDR Server 7.8.0 includes utility scripts specifically designed to facilitate the regeneration of certificates, making them compatible with OpenSSL 1.1.1. These utility scripts streamline the process of updating and renewing certificates to meet the new standards, ensuring a smooth transition to the recommended OpenSSL version.

  See the Migration from Legacy to System OpenSSL on EL 8 section of the VMware Carbon Black EDR Server Cluster Management Guide for more information.

  Note: The migration to a system-provided OpenSSL version of at least 1.1.1 is required to run Carbon Black EDR Server in FIPS-enabled mode on a FIPS-enabled RHEL 8.2, 8.6, 8.7, or 8.8 server.

• Process Analysis Event Search

  Carbon Black EDR Server 7.8.0 introduces the ability to search through process event results on the Process Analysis page to find process events of interest. Search and Filters criteria can be used in conjunction to refine the process event results.

  See the Process Event Search section of the VMware Carbon Black EDR User Guide for more information.

• YARA Manager for Analyst Users

  In previous versions of Carbon Black EDR, only users who are assigned with the Administrator (on-prem EDR) and Global Administrator (Hosted EDR) roles could access YARA Manager to configure and manage rules in YARA Connector. Beginning in Carbon Black EDR Server 7.8.0, users assigned with the Analyst role can also use YARA Manager to configure and manage rules in YARA Connector.

  See the YARA Manager section of the VMware Carbon Black EDR User Guide and YARA Connector and Manager User Guide for EDR for more information.

Document Contents

Additional Documentation

[On-Prem Only] Prepare for Server Installation or Upgrade

Yum URLs

Installing Containerized Carbon Black EDR

[On-Prem Only] System Requirements

Configure Sensor Update Settings Before Upgrading Server

Third-Party Software Updates

Resolved Issues

• CB-29178: Server 7.8.0 resolves an issue on the Watchlists page in which a selected Watchlist is not highlighted in the list of Watchlists to distinguish it from unselected Watchlists

  The selected Watchlist is now highlighted.

• CB-30040: Server 7.8.0 resolves an issue in which users would not be redirected to the login page on session timeout

  Includes EA-17715, EA-16149, and EA-14715.

  The page would become blank aside from the left and top navigation panels, which could still be used to navigate to other blank pages. As of Server 7.8.0, users are automatically redirected to the login page upon session timeout.

• CB-30957, EA-15958: Server 7.8.0 resolves an issue in which the ampersand character (&) could be improperly handled in queries

• CB-31948, EA-15429: Server 7.8.0 resolves an issue in which the API call /api/v1/process/host/count?cb.freqver=1&name= is overly slow and could result in an HTTP 500 Internal Server Error

• CB-34192, EA-18106: Server 7.8.0 removes the deprecated and nonfunctional sharing setting, EDR Event Data with VMware Carbon Black

• CB-36216, EA-18899: Server 7.8.0 resolves an issue in which Binary Search queries that include host_count do not accurately account for multiple hosts with the same hostname

  Now, Binary Search results for queries that include host_count accurately reflect different sensors with the same hostname and host counts in the product. For example, on the Binary Details page and Binary Info section of an event of the Process Analysis page, results are reported accurately.

• CB-40060, EA-21632: Server 7.8.0 resolves an issue in which the default sorting and pagination behavior for /api/v2/sensor is not adequately documented

  The default field used for sorting for api/v1/sensor and api/v2/sensor is last_checkin_time. While the API is being used to page through all sensors with this default sorting, it is possible that sensors will continue to check in, which will update the results. This means that as successive pages of data are retrieved, new sensors may have moved to the top of the list, thereby pushing sensors from a previous page of results into the next page of results and causing it to appear that those sensors are being duplicated in the results. To overcome this possible source of confusion, a different sorting mechanism can be specified (for example, "sort.col=computer_name").

• CB-36412, CB-29216: Server 7.8.0 resolves an issue in which clicking on the ‘Analyze’ link for an old event included in an Investigation would fail to properly load the Process Analysis page

• CB-36496: Modification (regmod) events do not display any host hits (__ computer(s) have seen this regmod in __ processes) and registry key paths are not searchable

  Includes EA-22927, EA-21630, EA-20650, EA-19022.

  Server 7.8.0 resolves an issue in which certain registry modification (regmod) events do not display any host hits (__ computer(s) have seen this regmod in __ processes) and registry key paths are not searchable via Process Search when the registry key value is clicked on from a regmod event on the Process Analysis page.

• CB-37187, EA-19258: Server 7.8.0 resolves an issue in which the DUO 2FA secrets.ini file can be overwritten during Carbon Black EDR Server installation or upgrade

• CB-37691: Data ingestion can slow significantly or potentially stop entirely

  Includes EA-21889, EA-20801, EA-20662, EA-20334.

  Server 7.8.0 resolves an issue in which data ingestion can slow significantly or potentially stop entirely if one or more long, command-line-based Ingress Filters, especially involving the use of regular expressions, is enforced.

• CB-37711, EA-19972: Server 7.8.0 resolves an issue in the Validate_Feed.py utility that could cause it to fail

• CB-37716, EA-20347: CBFeeds Readme.md instructions improvement

  Server 7.8.0 improves the instructions provided in the CBFeeds ReadMe.md file (https://github.com/carbonblack/cbfeeds).

• CB-37812, EA-20132: Duplicate Solr writer core

  Server 7.8.0 resolves an issue in which the solr-up command can create a duplicate Solr writer core following the upgrade of EDR Server if a Solr reader core does not exist at Solr startup.

• CB-38340, EA-20674, EA-16050: Server 7.8.0 resolves an issue in which export of Hostnames on the Binary Search page could fail with a 400 error when filtering was applied

• CB-38578, CB-41105, EA-20874: Alliance Server certificate improvements. Contact Technical Support for more information

• CB-40005: Server 7.8.0 resolves an issue in which Ingress Filters that contain MD5 hashes with uppercase letters were ignored

  Ingress Filters only accepted lowercase letters in MD5 hash values in previous versions. Ingress Filters are now case insensitive to accept lowercase and uppercase letters.

• CB-39467, EA-21357: SAML authentication error message

  Server 7.8.0 improves the error message that is displayed when a SAML authentication error occurs during a Hosted EDR login attempt from Doh! invalid_response to Error! Invalid SAML Response, please try again. Server 7.8.0 also improves the debug logging of SAML authentication errors.

• CB-40248, EA-21791: Server Communication Status

  Server 7.8.0 resolves an issue in which, in the Server Communication Status section of the Server Dashboard page, an Unable to connect to VMware Carbon Black App Control Server error can be improperly displayed, even if Carbon Black EDR Server’s connection with the VMware Carbon Black App Control Server is successful.

• CB-40324, EA-21809: Server 7.8.0 resolves an issue in which an ingress filter ID that has a name that ends with a space could not be modified or deleted through the console

• CB-40376: Server 7.8.0 resolves an issue in which an overly long error message could be reported on the Event Forwarder Settings page when an attempt to save an Event Forwarder configuration change fails due to connection refusal

  The error message is now improved.

• CB-40398: Migration from RPM-based Carbon Black EDR Server to Containerized Carbon Black EDR Server

  Server 7.8.0 resolves an issue in which, upon migration from RPM-based EDR Server to containerized EDR Server, the copied on_demand feeds directory could lack adequate permissions, which prevents the ‘cb’ user in containerized EDR Server from reading the ‘threatintel.json’ file, resulting in the following error: Error while loading feed ‘threatintel', which was specified in TicFeeds.

• CB-40399: Server 7.8.0 resolves an issue in which password expired error messages could be incorrectly displayed during the installation of containerized Carbon Black EDR Server

• CB-40449, EA-21965: Server 7.8.0 resolves an issue in which the FQDN reported in an email alert could be incorrect

• CB-40568, EA-22044: Synchronization failures

  Server 7.8.0 resolves an issue in which the synchronization of a third-party threat intelligence feed would fail entirely if any of the reports within the feed contained unsupported formatting.

• CB-40778, EA-21964: Server 7.8.0 resolves an issue in which the binary_purge command could fail to delete binary files

• CB-41706, EA-22750: Containerized Carbon Black EDR Server and Alliance Server failures

  Carbon Black EDR Server 7.8.0 resolves an issue in which communication between a containerized instance of Carbon Black EDR Server and Alliance Server could fail, causing threat intelligence feeds sourced from Alliance Server to stop working.

• CB-35335: In Carbon Black EDR Server 7.5.0-7.7.2, Live Query page

  In Carbon Black EDR Server 7.5.0-7.7.2, a user with “No Access” to a particular sensor group will experience an infinite loading indicator on the Live Query page when they try to execute a Live Query that includes that sensor group.

Known Issues

• CB-39786: In Carbon Black EDR Server 7.7.0-7.7.2, attempting a large, bulk resolution of Alerts can result in a timeout

• CB-39497: In Carbon Black EDR Server 7.7.0-7.7.2, on the Investigations page, events of different types that occurred around the same time can be improperly overlaid instead of stacked

• CB-39411: Yara Manager UI Configuration in Containerized Carbon Black EDR

  Yara Manager UI configuration for the Yara connector does not work in Containerized Carbon Black EDR Server because Yara Manager code is not included in the Carbon Black EDR Server container image. The Yara Connector and Yara Manager will exist in their own container image, which does not yet exist as of the Server 7.7.2 release. Containerized Carbon Black EDR Server must be connected to containerized Yara Connector and Yara Manager (after they are released) for Yara Manager UI configuration to work.

• CB-39413, EA-19397: In Carbon Black EDR Server 7.7.0-7.7.2, on the Binary Search page, the bars in the Host Count graph can appear improperly thin

• CB-33355: In some cases, a process Watchlist will produce more hits than alerts

  When a Watchlist query is executed using the original terms (e.g. process_name:notepad.exe), both the original segment (with events) and the tagged segment (without events) are returned, and both results appear on the Watchlists page. This makes it appear that there have been two hits, when in fact, there was only one. The result is two apparent hits, but only one alert, which is deceptive.

• CB-35668: In Carbon Black EDR Server 7.5.0-7.7.2, in the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered for the watchlist expiration duration

  In Carbon Black EDR Server 7.5.0-7.7.2, in the Configure Watchlist Expiration panel on the Watchlists page, a whole number must be entered for the watchlist expiration duration in order to save, even when the first option, “Do not mark watchlists as expired if they have no hits.” is selected. The configuration should successfully save when “Do not mark watchlists as expired if they have no hits.” is selected and the “Notify me when watchlists have not received hits in” value is blank.

• CB-31662: Watchlist query in the Create Watchlist modal does not properly wrap text if the text starts with “-”

  When creating a Watchlist, the Watchlist query in the Create Watchlist modal does not properly wrap text if the text starts with “-”. The “-” creates a line break; thus, the subsequent text is displayed on the following line. This is an issue on Google Chrome/Chromium.

• CB-33586: Red dot does not display

  In Server 7.5.0, on the Process Search page, a process that has a Threat Intelligence Feed hit tag in one segment may not display the feed hit icon (a red dot) when “Group by process” is selected.

• CB-35139: Binary Search searches sometimes return zero results

  In Server 7.5.0-7.7.2, Binary Search searches can sometimes return zero results when there are matching results that should be returned.

• CB-35147: Submitted child process events of type "2" (other exec) do not properly store the process PID

  In Server 7.5.0-7.7.2, when using the GET /v3/{guid}/event API (or GET /v5/{guid}/event), submitted child process events of type "2" (other exec) do not properly store the process PID

• CB-35148: Process information not properly returned

  In Server 7.5.0, when using the GET/v1/process/{guid}/{segmentid}/preview API, process information is not properly returned.

• CB-31136: Live Query fails to take the SensorInactiveFilterDays setting into account

  Live Query fails to take the SensorInactiveFilterDays setting into account when determining which sensors to target. The sensor count on the right side of the ‘Current query’ bar shows all targeted sensors, while the quantity of targeted sensors in the ‘Run New Query’ pop-up does account for SensorInactiveFilterDays, and will sometimes show a lower number.

• CB-20565: Cannot enable or disable Alliance Sharing

  When using a custom email server, you cannot enable or disable Alliance Sharing.

  Disable the custom email server, make the change, and re-enable the custom email server.

Contacting Support