|Sensor Version||Product||Issue ID||Description|
|2.11.2||All||PSCLNX-8738, EA-18940||Linux BPF-based (4.4+ kernels) sensors could cause high memory usage and miss start event data (command line args and/or path).|
|2.11.2||All||PSCLNX-8614||Fixed an issue where file handles were being leaked.|
|2.11.1||All||PSCLNX-106||Live Response icon now only displays when the sensor has Live Response enabled in the policy.|
|2.11.1||All||PSCLNX-8399||OpenSSL upgraded to version 1.1.1k.|
|2.11.1||All||PSCLNX-7876||Connectivity issues that caused up to a 20 second communications delay are resolved.|
|2.11.1||All||PSCLNX-8486||Policy remained unassigned despite auto assignment rule.|
|2.11.1||All||PSCLNX-8310||Exempted processes are no longer terminated on Ubuntu systems.|
|2.11.1||All||PSCLNX-8538||Linux sensor clears old policy GUIDs.|
|2.11.1||All||PSCLNX-8613||The sensor could become unstable if thousands of sensors were being consecutively installed or uninstalled.|
|2.11.0||All||PSCLNX-7480||Scriptloads now report hashes.|
|2.11.0||All||PSCLNX-7698||A small memory leak is fixed.|
|2.11.0||All||PSCLNX-7682||Resolves BTRFS file paths for SUSE.|
|2.11.0||All||PSCLNX-8153||Agent registration for RHEL/CentOS/Oracle 6.9 and earlier versions does not fail on restart.|
|2.11.0||All||PSCLNX-7089||Linux sensor sends the MAC address to the backend.|
|2.11.0||All||PSCLNX-7976||Disabling Live Response on the sensor now updates in 60 seconds or less.|
|2.11.0||All||PSCLNX-8354||Added BPF events-detail and events-average to agent diagnostics.|
|2.10.3||All||PSCLNX-8098||The BPF event_collector lost connection on overloaded systems.|
|2.10.3||All||PSCLNX-7913||Improves CPU Utilization by improving kernel module event tracking.|
|2.10.2||All||PSCLNX-7706||Fixed a hang in the event_collector process.|
|2.10.2||Endpoint Standard||PSCLNX-7505||Events are now throttled to 50 events per second after an extended period of disconnect from backend.|
|2.10.2||All||PSCLNX-4628||Fixed a race condition in per-process file-tracking when a process exits.|
|2.9.3||All||EA-17779, PSCLNX-4628||Fixes race condition that can cause unexpected hangs and reboots.|
|2.10.1||All||EA-17307, PSCLNX-7408||High delay in NFS NetApp directories in CentOS 6 and RHEL 6.|
|2.10.1||All||PSCLNX-7315||A hard deadlock can occur if an endpoint uses a large portion of its RAM.|
|2.10.1||All||PSCLNX-7106||A banned file might not be unbanned if a user wants to remove it from the banlist.|
|2.10.1||All||PSCLNX-7034||The agent failed to configure one of the SQL settings after a long downtime.|
|2.9.2||All||PSCLNX-7494||Fixed a potential crash in the 2.9.1 sensor on an endpoint that had a high load.|
|2.9.2||All||PSCLNX-7408, EA-17307||Fixed a high delay in NFS NetApp directories in RHEL/CentOS 6.|
|2.9.2||All||PSCLNX-7237||Fixed a race condition that could cause a kernel panic.|
|2.9.2||All||PSCLNX-7231, EA-17373||Fixed a hang in the sensor could cause a spike in CPU usage.|
|2.9.1||All||EA-17370||The sensor caused a long delay in file transfers in NFS directories.|
|2.9.1||All||CBC-404||When an interpreter loaded multiple scripts, only the first script loaded was reported.|
|2.9.1||All||PSCLNX-7162||If sensor files were moved by a user while the sensor was running, the sensor could exceed its disk usage limits. Limits are now more strictly tracked and enforced by the sensor.|
|2.9.1||All||PSCLNX-7117||There was a hang up during uninstall or while enabling bypass.|
|2.9.1||All||PSCLNX-7245||A Segfault occurred during uninstall or while enabling bypass.|
BulkBehaviorHighDiskUsageMb can now be set without also configuring BulkBehaviorMaxDiskUsageMb. For more information, see Carbon Black Cloud for Linux How to Restrict the Disk.
Handles bad request error cases better so LiveQuery can continue to function normally.
Fixes a kernel panic when allocating a new slab.
|2.9.0||All||EA-16621, EA-16854||Fixed an issue where a fork of banned process was not killed.|
|2.9.0||All||PSCLNX-6827||Agent upgrade from 22.214.171.124774 to 126.96.36.1995105 failed due to timeout.|
|2.8.3||All||EA-17142||In some cases, the sensor can misinterpret the available disk space because of a missing decrementation. If this occurs, the sensor might not return defense events to the cloud. The issue is fixed by updating this counter to properly decrement when messages are sent; the disk space metric used by the bulk storage manager is accurate.|
|2.8.2||All||EA-16729||Improves the agent’s ability to handle NFS.|
|2.8.2||All||PSCLNX-6479||Fixes a kernel panic for a race condition with task exits.|
|2.8.2||All||PSCLNX-6476||A specific script would hang with the agent installed.|
|2.8.2||All||PSCLNX-6787||A deadlock occurred during certain memory allocations.|
|2.8.2||All||PSCLNX-6530||Server initiated upgrades failed on Oracle.|
|2.8.1||All||EA-16425||The installation failed when /opt was symlinked to another directory.|
|2.8.1||All||PSCLNX-6680||Fixed an issue in a TCP response and removes the following error message from the logs: event_collector_1_9_8988: Error copying UDP DNS response data.|
|2.8.0||All||EA-16006||Adds low disk space warning to installer.|
|2.8.0||All||EA-16405||Fixes memory leak in the kernel module.|
|2.8.0||All||EA-16335||Linux policy was not updating properly.|
|2.8.0||All||EA-16249||Fixed crash in the kernel module.|
|2.8.0||All||PSCLNX-6305||Made updates to install.sh to allow for installation on unsupported rpm-based distros without modifications to the script.|
|2.7.1||All||PSCLNX-6065||OpenSSL is updated to 1.1.1g that fixes CVE-2020-1967.|
|2.7.0||CB LiveOps||PSCLNX-4956||osqueryi was updated from 3.3.2 to 4.1.2.|
|2.7.0||All||EA-15956||Linux sensor was stuck in Admin Bypass.|
|2.6.0||All||PSCLNX-4464||Empty paths were reported frequently in event data.|
|2.6.0||All||PSCLNX-4467||Process data was sometimes missing cmdline or binary details.|
|2.6.0||All||PSCLNX-4370||Bad paths could be reported in event data.|
||PSCLNX-4086||Incorrect local and remote addresses were sometimes reported for UDP netconn events.|
|2.6.0||All||PSCLNX-4085||Outgoing TCP netconn events could be duplicated in the console.|
|2.6.0||All||PSCLNX-954||Event throughout increased 2.75x (from 2.5.0 to 2.6.0).|
|Sensor Version||Product||Issue ID||Description|
If kptr_restrict is set to 2, then the probe will go into bypass.
Some Linux distributions with SElinux might have a default policy that blocks services making BPF calls. See Carbon Black Cloud: How to allow BPF event collection on SELinux.
File rename and move operations are not collected.
On SUSE12, file paths sometimes have BTRFS subvolume name pre-fixed onto the actual path. For example: /tmp/dir will look like @/.snapper/1/snapshot/tmp/dir.
Scriptload collection is not working on the following distribution versions: Oracle RHCK 8.2, CentOS/RHEL 8.0, 8.2 and 8.3.
During a successful rpm-based upgrade on RHEL/CentOS/Oracle 6, the log shows the following warning that can be ignored:
Stopping cbagentd: Agent failed to exit, killing with SIGTERM
The User field is empty for alerts/events.
Endpoint Standard does not collect filemod, netconns, or scriptloads.
The sensor does not support uninstall from the Carbon Black Cloud. To uninstall, issue the following commands:
Note: The agent will still be listed in the Registered Devices list on the backend after running the command unless you choose Take Action > Uninstall.
The sensor only supports unauthenticated proxies.
When the agent restarts successfully, Error[00000002 (00000002)] is reported.
Deploying the Carbon Black Cloud Linux sensor and the CB Response Linux sensor to the same endpoint is not recommended. There are no known interoperability issues when running both sensors; however, higher performance utilization occurs if both sensors are running on an endpoint.