Attention: As of 28 February 2022, Carbon Black Cloud Release Notes are published on VMware Docs. This UEX site will remain but no longer be updated.
Enterprise EDR hash banning
This feature provides Enterprise EDR customers with the ability to ban process execution by hash.
This feature enables a one-time scan of all files on an endpoint. Background scans can be enabled per policy or run on specific endpoints.
The VDI workflow is enabled with the Linux 2.12 sensor. VDI auto re-registration simplifies the VDI security process for Horizon and Carbon Black Cloud admins.
VDI clones and re-registered devices inherit the policy of the primary image if one exists. Otherwise, clones and re-registered devices are assigned the Virtual Desktop policy or the Standard policy, in that order.
If an organization is using sensor groups, the new device will be moved to the appropriate policy when the metadata matches. See the Sensor Installation Guide for full VDI considerations and see the in-product User Guide for more information about sensor groups.
This release adds installation options to the Linux sensor installer, including:
Placing the sensor in bypass after installation
Disabling Live Response
Only registering the sensor and not starting it
Setting the sensor policy during installation
Providing proxy server and port parameters to the install script
This release enforces digital signature verification of future sensor upgrades. A sensor kit that cannot be verified will not be accepted as an upgrade by 2.12+ sensors. Sensors 2.11.2 and later are enabled for signature verification.
Distribution support changes
The 2.12 release ends support for the following Linux distribution versions:
SLES 12 (SP2, SP3)
OpenSUSE 42.2, 42.3
VMware Carbon Black Cloud Linux sensor version 2.11.3 includes support for installing the sensor on Ubuntu 21 and major improvements/bug fixes.
VMware Carbon Black Cloud Linux sensor version 2.11.2 includes major improvements/bug fixes. We recommend that you upgrade to 2.11.2 on BPF-based systems (4.4+ kernels).
This release supports digital integrity verification of the Linux sensor tar-ball (TGZ) files. Both the RPM and DEB files are digitally signed; this allows customers to verify other file contents within the tar-ball (TGZ).
Carbon Black Cloud Linux sensor version 2.11.1 includes support for specifying proxy server details such as Host and Port on the command line while installing the sensor. A new “-p” or “--proxy” option specifies the proxy server details. See the VMware Carbon Black Cloud Sensor Installation Guide for more information.
Carbon Black Cloud Linux sensor version 2.11.0 includes support for expanded distributions on Endpoint Standard, Debian Support, and other improvements/bug fixes.
Expanded Distribution Support
You can now benefit from uniform coverage across the VMware Carbon Black Cloud platform with expanded distribution coverage. The Linux sensor version 2.11.0 now supports the following distributions: RHEL 8, CentOS 8, Oracle (RHCK and UEK kernels) 8, Amazon Linux, SUSE, Ubuntu and Debian. See Supported Linux Distributions for more information.
To expand to a wide number of distributions, the Linux sensor is leveraging Extended Berkeley Packet Filters (eBPF or BPF). See the 2.10.1 release for more information.
After the new sensor is installed, Endpoint Standard works as seamlessly as a kernel-based sensor. You can perform the following actions:
Detect and block known malware
Add hashes to a custom company banlist
Add hashes to a custom company allowlist
Put a sensor into bypass
Endpoint Standard, Enterprise EDR, and Audit & Remediation
Debian is now officially supported on Endpoint Standard, Enterprise EDR, and Audit & Remediation. See Supported Linux Distributions for more information.
VMware Carbon Black Cloud Linux sensor version 2.10.3 includes sensor improvements and bug fixes.
VMware Carbon Black Cloud Linux sensor version 2.10.2 includes sensor improvements and bug fixes.
VMware Carbon Black Cloud Linux sensor version 2.10.1 includes support for expanded distributions on Enterprise EDR, and other improvements/bug fixes.
Expanded distribution support
The Enterprise EDR Linux sensor version 2.10.1 now supports the following distributions: RHEL 8, CentOS 8, Oracle (RHCK and UEK kernels) 8, Amazon Linux, SUSE, and Ubuntu. See Supported Linux Distributions for more information.
VMware Carbon Black Cloud Linux sensor version 2.9.0 includes script load event collection on Enterprise EDR, the first version of the open source kernel module, and other improvements/bug fixes. See Supported Linux Distributions.
Script load collection
Script files are now reported as a scriptload event of the process that loaded the script. Like all process events on the Process Analysis page, each item is easily searchable and is expandable for more context.
Carbon Black Cloud Linux sensor version 2.8.0 adds Oracle Linux Support to all products on the Carbon Black Cloud platform. It also adds a new event type for file creation events to Endpoint Standard (formerly CB Defense) on RHEL, CentOS and Oracle 6/7, and other improvements/bug fixes. See Supported Linux Distributions.
The Linux sensor supports collection of file creation events for Endpoint Standard.
Note: This feature will be available in prod05 by the end of day 07/01/2020 and 6/30/2020 in all other environments.
All Carbon Black Cloud Products
Oracle Linux Support
Audit and Remediation (formerly CB LiveOps) is supported on Oracle Linux 6.0-8.2 on both the RHCK kernel and UEK kernel.
Endpoint Standard (formerly CB Defense) is supported on Oracle Linux 6.6-7.8 on the RHCK kernel.
Enterprise EDR (formerly CB ThreatHunter) is supported on Oracle Linux 6.6-7.8 on the RHCK kernel.
Carbon Black Cloud Linux sensor version 2.7.0 supports the first iteration of Endpoint Standard (formerly CB Defense) on RHEL and CentOS 6/7 and other improvements/bug fixes. See Supported Linux Distributions.
VMware Carbon Black Cloud
Sensor diagnostic log collection script
Beginning with the 2.7.0 sensor, the installer now includes a diagnostic log collection script that gathers information. Your support engineer might request that you run the diagnostic log collection script as part of the troubleshooting process.
The diagnostic log collection script collects logs and configuration information from the VMware Carbon Black Cloud Linux endpoint agent. It also collects various system identity, configuration, and state information. The collected information helps VMware Carbon Black to understand and remediate problems that occur at runtime or during agent installation.
After sensor installation, the script is located here: /opt/carbonblack/psc/bin/collectdiags.sh
Endpoint Standard (CB Defense) and Enterprise EDR (CB ThreatHunter)
The Linux sensor supports the ability to put the sensor into bypass. Bypass mode will turn off event collection and prevention. Live Response will still be functional. Policy level Permission rules (Allow & Log and targeted Bypass rules) are not supported in this version.
Adding to Company Deny-list
The Linux sensor supports the “runs or is running” policy action when a process reputation is added to the company deny-list.
The Linux sensor supports the “runs or is running” policy action when a process reputation is “Known Malware”.
Adding to Company Allow-list
The Linux sensor supports adding hashes to the company allow-list, so you can limit the number of alerts that are triggered from benign processes.
Carbon Black Cloud Linux Sensor version 2.6.0 includes event accuracy improvements and performance improvements for Enterprise EDR. See Supported Linux Distributions.
Enterprise EDR: Add hashes to the company deny-list
The Linux 2.6.0 sensor enables Enterprise EDR customers to add hashes to their company deny-list. After a hash is added to the company deny-list, it is prevented from the following:
Being opened with execute access
Starting a process from a file
Processes that have the deny-listed hash loaded at the time that the hash is added to the deny-list are terminated shortly after the sensor receives the updated reputation.
Note: This functionality is enabled in the Linux 2.6.0 GA sensor, but will not be available for use until a future Carbon Black Cloud console release.
Direct User and Command Line installations
For direct end user installs, an install.sh script is provided to input the company code. Command Line Installation is also supported via the use of the native RPM installer (assuming prerequisite steps are taken). See the Carbon Black Cloud Sensor Installation Guide for instructions. Please note that install.sh should not be used to upgrade sensors.
Known differences between Linux and other operating systems
The User field on the Endpoints page is typically populated with the email address of the user who installed the sensor on the endpoint. We’ve intentionally left this field blank for Linux sensors because there can be multiple logged-in users and multiple simultaneous desktop users.