Enterprise EDR hash banning
This feature provides Enterprise EDR customers with the ability to ban process execution by hash.
This feature enables a one-time scan of all files on an endpoint. Background scans can be enabled per policy or run on specific endpoints.
The VDI workflow is enabled with the Linux 2.12 sensor. VDI auto re-registration simplifies the VDI security process for Horizon and Carbon Black Cloud admins.
VDI clones and re-registered devices inherit the policy of the primary image if one exists. Otherwise, clones and re-registered devices are assigned the Virtual Desktop policy or the Standard policy, in that order.
If an organization is using sensor groups, the new device will be moved to the appropriate policy when the metadata matches. See the Sensor Installation Guide for full VDI considerations and see the in-product User Guide for more information about sensor groups.
This release adds additional installation options to the Linux sensor installer, including:
Learn more about these new installation options in the Sensor Installation Guide.
Verified sensor upgrade
This release enforces digital signature verification of future sensor upgrades. A sensor kit that cannot be verified will not be accepted as an upgrade by 2.12+ sensors. Sensors 2.11.2 and later are enabled for signature verification.
Distribution support changes
The 2.12 release ends support for the following Linux distribution versions:
VMware Carbon Black Cloud Linux sensor version 2.11.3 includes support for installing the sensor on Ubuntu 21 and major improvements/bug fixes.
You can install sensor version 2.11.3 on Ubuntu 21. All sensor features are supported on Ubuntu 21. See the support matrix at Carbon Black Cloud sensor: Linux sensor support.
VMware Carbon Black Cloud Linux sensor version 2.11.2 includes major improvements/bug fixes. We recommend that you upgrade to 2.11.2 on BPF-based systems (4.4+ kernels).
This release supports digital integrity verification of the Linux sensor tar-ball (TGZ) files. Both the RPM and DEB files are digitally signed; this allows customers to verify other file contents within the tar-ball (TGZ).
Carbon Black Cloud Linux sensor version 2.11.1 includes support for specifying proxy server details such as Host and Port on the command line while installing the sensor. A new “-p” or “--proxy” option specifies the proxy server details. See the VMware Carbon Black Cloud Sensor Installation Guide for more information.
Carbon Black Cloud Linux sensor version 2.11.0 includes support for expanded distributions on Endpoint Standard, Debian Support, and other improvements/bug fixes.
Expanded Distribution Support
You can now benefit from uniform coverage across the VMware Carbon Black Cloud platform with expanded distribution coverage. The Linux sensor version 2.11.0 now supports the following distributions:
RHEL 8, CentOS 8, Oracle (RHCK and UEK kernels) 8, Amazon Linux, SUSE, Ubuntu and Debian. See Supported Linux Distributions for more information.
To expand to a wide number of distributions, the Linux sensor leverages the extended Berkeley Packet Filter (eBPF or BPF). See the 2.10.1 release for more information.
After the new sensor is installed, Endpoint Standard works as seamlessly as a kernel-based sensor. You can perform the following actions:
Endpoint Standard, Enterprise EDR, and Audit & Remediation
Debian is now officially supported on Endpoint Standard, Enterprise EDR, and Audit & Remediation. See Supported Linux Distributions for more information.
VMware Carbon Black Cloud Linux sensor version 2.10.3 includes sensor improvements and bug fixes.
VMware Carbon Black Cloud Linux sensor version 2.10.2 includes sensor improvements and bug fixes.
VMware Carbon Black Cloud Linux sensor version 2.10.1 includes support for expanded distributions on Enterprise EDR, and other improvements/bug fixes.
Expanded distribution support
The Enterprise EDR Linux sensor version 2.10.1 now supports the following distributions:
RHEL 8, CentOS 8, Oracle (RHCK and UEK kernels) 8, Amazon Linux, SUSE, and Ubuntu
See Supported Linux Distributions for more information.
To expand to a wide number of distributions, the Linux sensor leverages the extended Berkeley Packet Filter (eBPF or BPF).
BPF provides these key benefits:
After the new sensor is installed, Enterprise EDR can be expected to work as seamlessly as a kernel-based sensor. You can perform the following actions:
Note: Kernel headers are required for the sensor to function properly. See the Carbon Black Cloud Sensor Installation Guide for additional information.
Audit and Remediation
The Linux sensor version 2.10.1 now supports osquery v4.5.0.
VMware Carbon Black Cloud Linux sensor version 2.9.1 includes RHEL/Oracle 7.9 support and other improvements/bug fixes. This release also ends support for RHEL/CentOS/Oracle 6.5 and below for Audit and Remediation.
RHEL/Oracle 7.9 is now supported on all products. See Supported Linux Distributions.
VMware Carbon Black Cloud Linux sensor version 2.9.0 includes script load event collection on Enterprise EDR, the first version of the open source kernel module, and other improvements/bug fixes. See Supported Linux Distributions.
Script load collection
Script files are now reported as a scriptload event of the process that loaded the script. Like all process events on the Process Analysis page, each item is easily searchable and is expandable for more context.
Enterprise EDR and Endpoint Standard
Open Source Linux Kernel
With the release of the 2.9.0 sensor, the kernel module is now open source. Users can contribute and submit bugs through our GitHub page. Link to the Carbon Black Cloud kernel module: https://github.com/vmware/kernel-event-collector-module.
Carbon Black Cloud Linux sensor version 2.8.0 adds Oracle Linux Support to all products on the Carbon Black Cloud platform. It also adds a new event type for file creation events to Endpoint Standard (formerly CB Defense) on RHEL, CentOS and Oracle 6/7, and other improvements/bug fixes. See Supported Linux Distributions.
The Linux sensor supports collection of file creation events for Endpoint Standard.
Note: This feature will be available by end of day 07/01/2020 in prod05 and by end of day 6/30/2020 in all other environments.
All Carbon Black Cloud Products
Oracle Linux Support
Carbon Black Cloud Linux sensor version 2.7.1 supports RHEL 7.8 and an update to OpenSSL version 1.1.1g. See Supported Linux Distributions.
RHEL 7.8 is now supported on all products.
Carbon Black Cloud Linux sensor version 2.7.0 supports the first iteration of Endpoint Standard (formerly CB Defense) on RHEL and CentOS 6/7 and other improvements/bug fixes. See Supported Linux Distributions.
VMware Carbon Black Cloud
Sensor diagnostic log collection script
Beginning with the 2.7.0 sensor, the installer now includes a diagnostic log collection script that gathers information. Your support engineer might request that you run the diagnostic log collection script as part of the troubleshooting process.
The diagnostic log collection script collects logs and configuration information from the VMware Carbon Black Cloud Linux endpoint agent. It also collects various system identity, configuration, and state information. The collected information helps VMware Carbon Black to understand and remediate problems that occur at runtime or during agent installation.
After sensor installation, the script is located here:
Endpoint Standard (CB Defense) and Enterprise EDR (CB ThreatHunter)
The Linux sensor supports the ability to put the sensor into bypass. Bypass mode turns off event collection and prevention; Live Response remains functional. Policy-level Permission rules (Allow & Log and targeted Bypass rules) are not supported in this version.
Adding to Company Blacklist
The Linux sensor supports the “runs or is running” policy action when a process reputation is added to the company blacklist.
The Linux sensor supports the “runs or is running” policy action when a process reputation is “Known Malware”.
Adding to Company Whitelist
The Linux sensor supports adding hashes to the company whitelist, so you can limit the number of alerts that are triggered from benign processes.
Carbon Black Cloud Linux Sensor version 2.6.0 includes event accuracy improvements and performance improvements for Enterprise EDR. See Supported Linux Distributions.
Enterprise EDR: Add hashes to the company blacklist
Processes that have the blacklisted hash loaded at the time that the hash is added to the blacklist are terminated shortly after the sensor receives the updated reputation.
Note: This functionality is enabled in the Linux 2.6.0 GA sensor, but will not be available for use until a future Carbon Black Cloud console release.
Direct User and Command Line installations
Known differences between Linux and other operating systems