Carbon Black Cloud Windows Sensor Release Notes

3.7.0.1411

This release updates osqueryi.exe to version 4.7.0 and includes bug fixes and improvements.


3.7.0.1253

Sensor Installer Rollback

Build-to-build and version-to-version upgrade rollback is now fully supported when upgrading from version 3.7 and later sensors. The following table (an image on the original page, not reproduced here) describes the rollbacks that the various Carbon Black Cloud sensor versions support.

[Table: rollback support by sensor version]

For more details about rollback functionality, see the VMware Carbon Black Cloud Sensor Installation Guide.

Enterprise EDR Hash Banning

This feature provides Enterprise EDR users with the ability to ban files by hash, thus preventing files from:

  • Being opened with execute access
  • Starting a process from a file
  • Being loaded as a module in a process
  • Being loaded as a script
  • Being loaded as a driver

For more details, see https://community.carbonblack.com/t5/Enterprise-EDR-Discussions/Announcing-Hash-Banning-for-Enterprise-EDR/m-p/105098#M306

Ransomware Boot Record Protection

A new disk driver (cbdisk.sys) helps protect against the most dangerous types of ransomware that attempt to corrupt the boot record of an endpoint. This type of ransomware encrypts files and alters the master boot record (MBR) and partition boot record (PBR), rendering the device unusable.

Important Note: A reboot is required after install, upgrade, or cloning of a golden VM image to fully enable the ransomware protection. Add the new disk driver (cbdisk.sys) to any previously configured AV exclusions.

SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2

Microsoft no longer allows SHA-1 code signing, so the sensor binaries are signed with SHA-2 only. Windows 7 and Windows Server 2008 R2 cannot validate SHA-2 code signatures without the SHA-2 code-signing support update, KB4474419. To continue running VMware Carbon Black Cloud Windows sensor version 3.7 and later, apply KB4474419 to those operating systems. The Carbon Black Cloud sensor - OS Support article on UEX reflects this change.
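The following pre-upgrade check is an added example and is not part of the release notes or the sensor. It confirms that KB4474419 is installed on NT 6.1 hosts (Windows 7 and Windows Server 2008 R2) and, optionally, reports whether the local Windows build validates the Authenticode signature of a downloaded sensor file. The file path in the usage line is a placeholder.

```powershell
# Added example, not from the release notes: pre-upgrade check for the SHA-2
# requirement before deploying a 3.7+ sensor to Windows 7 / Server 2008 R2.

function Test-Sha2Readiness {
    param([string]$SignedFile)

    # NT 6.1 is Windows 7 and Windows Server 2008 R2; later releases validate
    # SHA-2 signed code without this update.
    $ver = [Environment]::OSVersion.Version
    $legacy = ($ver.Major -eq 6 -and $ver.Minor -eq 1)

    # Get-HotFix returns nothing (plus an error we suppress) when the KB is absent.
    $kb = Get-HotFix -Id KB4474419 -ErrorAction SilentlyContinue
    $kbPresent = [bool]$kb

    $result = [ordered]@{
        OSVersion        = $ver.ToString()
        NeedsKB4474419   = $legacy
        KB4474419Present = $kbPresent
        ReadyForSensor37 = (-not $legacy) -or $kbPresent
    }

    if ($SignedFile) {
        if (-not (Test-Path -LiteralPath $SignedFile)) {
            throw "File not found: $SignedFile"
        }
        # 'Valid' means this Windows build can verify the signature chain of the
        # file; anything else should be investigated before the upgrade is pushed.
        $sig = Get-AuthenticodeSignature -FilePath $SignedFile
        $result.SignatureStatus = $sig.Status.ToString()
        $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
    [pscustomobject]$result
}

# Usage, on the target host before pushing the sensor (placeholder path):
# Test-Sha2Readiness -SignedFile 'C:\Temp\sensor-installer.msi' | Format-List
```

ReadyForSensor37 is false only on an NT 6.1 host that lacks the KB; run the check with the installer path to see the local signature verdict as well.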

Automatic re-registration of VMware Carbon Black Cloud Windows sensors in Citrix PVS environments

The 3.7 Windows sensor supports a new cfg.ini parameter AutoReRegisterForCitrix = True for automatically re-registering Windows sensor on VDI clones in Citrix PVS environments.


3.6.0.2127

SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2

Microsoft no longer allows SHA-1 code signing. To continue running the latest Carbon Black Cloud Windows 3.6 sensor (3.6.0.2127 and later), apply the SHA-2 code-signing support update KB4474419 to Windows 7 and Windows Server 2008 R2 systems. The Carbon Black Cloud sensor - OS Support article on UEX has been updated to reflect this change.


3.6.0.2076

This updated Windows sensor version includes fixes and performance improvements.


3.6.0.1979

This updated Windows sensor version includes fixes and performance improvements.


3.6.0.1941

osquery version update 4.5.1

This updated Windows sensor includes the most recent version of osquery (4.5.1). See the Carbon Black Cloud Sensor Support for osquery document for a full list of sensor versions and supported schema versions.


3.6.0.1897 (This sensor is no longer available for download)

osquery version update 4.5.0

This updated Windows sensor includes the most recent version of osquery (4.5.0). See the Carbon Black Cloud Sensor Support for osquery document for a full breakdown of sensor versions and supported schema versions.

This update lets you query the Windows event log. You can craft custom queries or use new out-of-the-box queries from the Threat Analysis Unit to pull artifacts from Windows event logs on demand. These artifacts include the event ID, the time the event occurred, the source or channel of the event, the provider name and GUID, the severity level, and more.

This version also adds Windows support for the yara table, and the YARA rules no longer need to be present on disk.


3.6

VMware Carbon Black Cloud sensor version 3.6 is for Windows only. See supported operating systems on the UEX: Carbon Black Cloud sensor support.

osquery 4.4.0

The 3.6 Windows sensor introduces osquery version 4.4.0. Learn more about version 4.4.0 here: https://github.com/osquery/osquery/releases/tag/4.4.0

Firewall exclusion

The 3.6 Windows sensor uses a content management system to dynamically configure prevention features. If restrictive firewall policies are active in your environment, you might need to add a new firewall/proxy exclusion before installing or upgrading to 3.6 for the sensor to be fully functional.

Add a network/proxy exclusion for a direct connection over TCP/443 to https://content.carbonblack.io

Enterprise EDR, AMSI Prevention, and Unified Binary Store require this exclusion to work with the 3.6 sensor.

To learn more about the sensor communication requirements, see Carbon Black Cloud: What Ports must be opened on the Firewall and Proxy Servers? 
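The check below is an added example, not part of the release notes or the sensor. It opens a raw TCP connection on port 443 and completes a TLS handshake, so it deliberately bypasses any system proxy, which is what the "direct connection" requirement above asks for. The backend host in the usage line is one of the instances listed later on this page; substitute the one your sensors register with.

```powershell
# Added example, not from the release notes: verify direct TCP/443 + TLS
# reachability of the endpoints a 3.6 sensor needs.

function Test-SensorEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $report = [ordered]@{
        Host = $HostName; Port = $Port; TcpConnected = $false
        TlsOk = $false; Subject = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a firewall that silently drops the SYN does
        # not hang the check for the full OS connect timeout.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $report.Error = "connect timed out after $TimeoutMs ms"
            return [pscustomobject]$report
        }
        $client.EndConnect($async)
        $report.TcpConnected = $true

        # TLS handshake with default certificate validation. TCP working but
        # TLS failing usually means an intercepting proxy or a missing root CA.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $report.TlsOk = $ssl.IsAuthenticated
        $report.Subject = $ssl.RemoteCertificate.Subject
    } catch {
        $report.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$report
}

# Usage: the content endpoint plus the backend the sensor registers with.
'content.carbonblack.io', 'defense.conferdeploy.net' |
    ForEach-Object { Test-SensorEndpoint -HostName $_ } | Format-Table -AutoSize
```

A row with TcpConnected true and TlsOk false points at TLS inspection on the path, which is the case that a plain port test would miss.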

Sensor install/uninstall improvements

With the Carbon Black Cloud Windows 3.6 sensor, the install and uninstall experience is strengthened on the endpoint. If a failure occurs during an initial install of the product or during an uninstall, the endpoint will be returned to the state it was in prior to the attempt. 

To learn more about Windows sensor installation and uninstallation, see the Sensor Install Guide on the UEX or in your VMware Carbon Black Cloud Console under the Help menu in the top bar.

AMSI Prevention and visibility (Endpoint Standard) 

VMware Carbon Black Cloud has extended its default prevention capabilities for script-based Windows attacks, built on Microsoft Anti-Malware Scan Interface (AMSI). This extension of the AMSI integration expands on existing PowerShell preventions with improved ease of use and a better security posture. 

This release includes the ability for the sensor to dynamically leverage AMSI metadata to define and configure prevention logic. These updated, high-fidelity prevention rules are being crafted by VMware Carbon Black’s Threat Analysis Unit to include frequently used off-the-shelf attacker frameworks that are regularly seen in script-based attacks.

AMSI prevention and visibility is only supported on Windows 10 and greater and requires sensor version 3.6+. AMSI prevention and visibility will be rolled out in a staggered manner to customers. No action is required by the customer. 

Sensors that are registered with the following backend instances can use the functionality from the listed date.

Backend URL | Date
https://dashboard.confer.net | 8/31
https://defense.conferdeploy.net/ | 8/31
https://defense-eu.conferdeploy.net | 9/7
https://defense-prodnrt.conferdeploy.net/ | 9/7
https://defense-prod05.conferdeploy.net | 9/14

Sensor logs locations

Previous versions of the sensor stored logs in the \Program Files\Confer\Logs\ directory. 

The Windows 3.6 sensor stores some logs in Program Files and some logs in ProgramData: 

  • \Program Files\Confer\Logs\ 
  • \ProgramData\CarbonBlack\Logs\

Throughout 3.6 maintenance releases, we will move all logs to ProgramData to better align with Microsoft guidelines.

VDI improvements

The VDI workflow is improved with the Windows 3.6 sensor. Re-registering is less restrictive and easier. VDI clones and re-registered devices inherit the policy of the primary image if one exists; otherwise they are assigned the Virtual Desktop policy or the Standard policy, in that order. Additionally, if an organization uses sensor groups, the new device is moved to the appropriate policy when its metadata matches. See the Sensor Installation Guide for full VDI considerations and the in-product User Guide for more information about sensor groups.

3.5

VMware Carbon Black Cloud sensor version 3.5 is for Windows only. This release is Generally Available.

Notes:

Disable services associated with malware

Malicious services that run at start-up can execute and impact the endpoint before the sensor starts. A new feature finds all services associated with Known Malware hashes and puts them in the disabled state. The services remain disabled across reboots and therefore cannot execute at startup. If the service binary was not actually malicious, or if another tool was used to clean the malware, the sensor does not automatically re-enable the service; you must re-enable it manually using Live Response or other standard tools. The feature is enabled by default and can be disabled by a request to Support.

The commands for the remediation through CB Live Response are:

  1. Query the current start type: execfg sc.exe qc <servicename>
  2. Change the start type: execfg sc.exe config <servicename> start= <starttype>

Note that sc.exe requires the space after "start=". The possible start types are: boot | system | auto | demand | disabled | delayed-auto

The event sent when the sensor disables the service contains the original start type and is displayed in the user interface; use this value to return the service to its original start type. If the start type is changed to boot, auto or delayed-auto, a reboot is required before the service starts.
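The same sc.exe workflow, wrapped so the original start type is recorded before it is changed, as an added example that is not part of the release notes or the sensor. Run it locally as an administrator, or send the two sc.exe lines it builds through Live Response with execfg. The service name in the usage line is a placeholder.

```powershell
# Added example, not from the release notes: query and restore a service start
# type with the sc.exe commands the remediation procedure describes.

# Start types accepted by sc.exe config, as listed above.
$ValidStartTypes = @('boot', 'system', 'auto', 'demand', 'disabled', 'delayed-auto')

function Get-ScStartType {
    param([Parameter(Mandatory)][string]$ServiceName)
    # sc.exe qc prints a line such as "        START_TYPE         : 4   DISABLED".
    $output = & sc.exe qc $ServiceName 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe qc $ServiceName failed: $output" }
    foreach ($line in $output) {
        if ($line -match 'START_TYPE\s*:\s*(\d+)\s+(\S+)') {
            return [pscustomobject]@{ Code = [int]$Matches[1]; Name = $Matches[2] }
        }
    }
    throw "No START_TYPE line in sc.exe output for $ServiceName"
}

function Set-ScStartType {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$StartType
    )
    if ($ValidStartTypes -notcontains $StartType) {
        throw "StartType must be one of: $($ValidStartTypes -join ', ')"
    }
    $before = Get-ScStartType -ServiceName $ServiceName
    # sc.exe needs the space between "start=" and the value; PowerShell passes
    # them as two separate arguments, which is exactly what sc.exe expects.
    $output = & sc.exe config $ServiceName start= $StartType 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config $ServiceName failed: $output" }
    $after = Get-ScStartType -ServiceName $ServiceName
    [pscustomobject]@{
        Service        = $ServiceName
        Before         = $before.Name
        After          = $after.Name
        # Per the notes, boot, auto and delayed-auto only take effect after a reboot.
        RebootRequired = ($StartType -in @('boot', 'auto', 'delayed-auto'))
    }
}

# Usage: return a service the sensor disabled to manual start (placeholder name).
# Set-ScStartType -ServiceName 'ExampleSvc' -StartType demand
```

Take the value for StartType from the original start type recorded in the sensor's disable event, not from a guess; the function refuses anything outside the list sc.exe accepts.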

Removal of registry keys during deletion

Deletion of files, both manual and through the Malware Removal workflow, previously did not attempt to remove registry keys created by the malware. When requested to delete a file, the Windows 3.5 sensor now also removes RunOnce registry entries in the HKLM hive that reference the binary being deleted. Other auto-start registry entries referencing the malware might remain.
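Because only HKLM RunOnce entries are removed, the remaining Run/RunOnce locations are worth checking after a deletion. The script below is an added example, not part of the release notes or the sensor: it lists the common Run and RunOnce values (HKLM, the WOW6432Node view, and the current user's HKCU) that still reference a given binary path, and can remove them with the usual -WhatIf safety net. The binary path in the usage line is a placeholder.

```powershell
# Added example, not from the release notes: find and remove leftover Run /
# RunOnce autostart values that point at a binary the sensor has deleted.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    # HKCU covers only the user running the script; other profiles need their
    # hives loaded and scanned separately.
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-AutostartReferences {
    param([Parameter(Mandatory)][string]$BinaryPath)
    $needle = $BinaryPath.ToLowerInvariant()
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Read the raw string so %VAR% references are not expanded away.
            $value = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            # Substring match: Run values often quote the path or append arguments.
            if ($value.ToLowerInvariant().Contains($needle)) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $value }
            }
        }
    }
}

function Remove-AutostartReferences {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$BinaryPath)
    foreach ($ref in Find-AutostartReferences -BinaryPath $BinaryPath) {
        if ($PSCmdlet.ShouldProcess("$($ref.Key)\$($ref.Name)", 'Remove autostart value')) {
            Remove-ItemProperty -LiteralPath $ref.Key -Name $ref.Name
        }
    }
}

# Usage (placeholder path): review first, then remove.
# Find-AutostartReferences -BinaryPath 'C:\Users\Public\evil.exe' | Format-Table -AutoSize
# Remove-AutostartReferences -BinaryPath 'C:\Users\Public\evil.exe' -WhatIf
```

Services, scheduled tasks and other persistence mechanisms are outside this scan; it covers only the Run/RunOnce family the release note refers to.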

Offline installer

The Windows 3.5 sensor supports offline installs for machines that are configured in an offline environment. Enable the feature during a command line installation by adding the flag OFFLINE_INSTALL=1. The sensor connects to the Carbon Black Cloud backend and retrieves a policy when network connectivity is restored; it provides no visibility or protection until it is connected to the backend.

To use the feature, ensure that a host-level or network-level firewall rule prevents the master image from connecting to the Carbon Black Cloud devices URL. Then install the sensor using the OFFLINE_INSTALL parameter and any other parameter typically used during a command line install (apart from PROXY). Clone the image or restore to a snapshot. Each snapshot and clone appears as a new device in the backend console and is not treated as a VDI clone unless you explicitly install with VDI=1 or use the RepCLI reregister command. Otherwise, console admins are responsible for cleaning up old clones, either manually or via the API.

Note: If the company code is changed in the backend, clones that have not yet registered can no longer register, because they continue to use the original company code. After changing the company code, create new images using the new code.
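The procedure above, as an added example that is not part of the release notes or the sensor. It adds a host-level outbound block rule for the sensor process before installing, then runs the MSI with OFFLINE_INSTALL=1 and checks the msiexec exit code. Two assumptions are not stated on this page: that the sensor service runs as C:\Program Files\Confer\RepMgr.exe (the firewall rule targets that program) and that the company code is passed as COMPANY_CODE, the installer's standard parameter. The installer path, log path and company code in the usage line are placeholders.

```powershell
# Added example, not from the release notes: prepare a master image with an
# offline sensor install. Assumed (not on this page): sensor process path and
# the COMPANY_CODE installer property.

function Install-SensorOffline {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$CompanyCode,
        [switch]$Vdi,
        [string]$SensorExe = 'C:\Program Files\Confer\RepMgr.exe',   # assumption
        [string]$LogPath = "$env:TEMP\cbc-sensor-install.log"
    )

    # 1. Host firewall rule so the master image cannot register while it is
    #    being built. Remove the rule before cloning if clones should register
    #    as soon as they are online.
    $ruleName = 'CBC sensor offline image'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
            -Program $SensorExe -Profile Any | Out-Null
    }

    # 2. Install with OFFLINE_INSTALL=1. VDI=1 marks the image so clones are
    #    handled as VDI clones instead of appearing as new devices. PROXY is
    #    deliberately omitted, as the notes require.
    $props = @("COMPANY_CODE=$CompanyCode", 'OFFLINE_INSTALL=1')
    if ($Vdi) { $props += 'VDI=1' }
    $msiArgs = @('/q', '/i', "`"$MsiPath`"", '/L*vx', "`"$LogPath`"") + $props
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { 'Installed' }
        3010    { 'Installed, reboot required' }
        default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
    }
}

# Usage, on the master image as administrator (placeholder values):
# Install-SensorOffline -MsiPath 'C:\Temp\cbc-sensor.msi' -CompanyCode 'XXXX' -Vdi
```

The firewall rule is one way to satisfy the "host or network level" requirement; a network-level block at the egress firewall works equally well and avoids touching the image's own firewall configuration.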

Endpoint management improvements

The Windows 3.5 sensor effectively handles non-persistent domain disconnections. Previously, the sensor applied the default policy when the AD attribute was cleared (in instances such as off-network without VPN). Now, the sensor maintains the desired AD group and the desired policy. The distinguished name is not cleared unless the machine is not registered as part of the domain.

In the Endpoints page, the Windows 3.5 sensor reports who is logged into an endpoint every 8 hours instead of reporting the user who installed the sensor. If no interactive user has logged in to the endpoint within the 8-hour window, you might see a non-interactive account name such as "Window Manager\DWM-2". If multiple users are logged in, the most recently logged-in user is associated with the endpoint.

Improved capability to identify command interpreters

CB Defense has improved its methods for identifying a process as a command interpreter or a script host. By integrating with the YARA binary pattern-matching utility, the Windows 3.5 sensor better protects against threats where an attacker brings their own copy of standard operating system interpreters or tries to hide by running tools under non-standard names. Customers already using the "Tries to invoke command interpreter" rule benefit immediately from this update.

As part of this update, Carbon Black's Threat Analysis Unit (TAU) can dynamically update the definition of what counts as a command interpreter.

Improved Netconn detection for proxy servers

With the Windows 3.4 sensor, CB ThreatHunter customers using a proxy server saw most or all outbound network connections reported with the proxy's address and host name as the destination. The Windows 3.5 sensor reports the actual destination IP and hostname rather than those of the intermediate proxy.

Note: This functionality is enabled in the Windows 3.5 sensor, but will not be available for use until a future Carbon Black Cloud console release.

CB ThreatHunter hash blacklisting

The Windows 3.5 sensor enables blacklisting of files by hash for CB ThreatHunter. Once a hash is added to the company blacklist it is prevented from the following:

  • Being opened with execute access
  • Starting a process from a file
  • Being loaded as a module in a process
  • Being loaded as a script

Processes that have the blacklisted hash loaded at the time the hash is added to the blacklist are
terminated shortly after the sensor receives the updated reputation.

Note: This functionality is enabled in the Windows 3.5 sensor, but will not be available for use until a future Carbon Black Cloud console release.

Dynamic tamper protection

The Windows 3.5 sensor has improved methods for identifying tamper events. The improvements help prevent access to sensor files and reduce interoperability issues with third-party products.

AMSI logging

The Windows 3.5 sensor enables the collection of deobfuscated command line data through AMSI for CB ThreatHunter customers. For more information on AMSI, see https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal.

In the cloud console, this integration appears as fileless_scriptload events, which represent processes that executed commands in a fileless execution context. More information will be provided in the backend release notes for the February 18th UI release.

Updated 09/02/2020:

Sensor check-in time update

The sensor check-in interval is reduced from 5 minutes to 1 minute. The maximum expected latency for establishing a Live Response session is now 60 seconds (assuming the device is online and running a 3.5 or newer sensor). Other operations might also complete faster. The Last check-in value in the console will not necessarily update faster, for performance and scale reasons.

Carbon Black Cloud Windows Sensor Fixed Issues

Sensor Version | Product | Issue ID | Description
3.7.0.1411 | Endpoint Standard | UAV-2212, EA-19082, EA-19167 | A large number of alerts were generated by the 3.7.0.1253 sensor for explorer.exe injecting into iexplore.exe via NtQueueApcThread. See the UEX knowledge base article "Carbon Black Cloud: Observing a large number of alerts for code injection via NtQueueApcThread after upgrade to 3.7.0.1253".
3.7.0.1411 | Enterprise EDR | UAV-2206, EA-18589 | A temp file could be left behind when saving a modified Excel file in Enterprise EDR (only) orgs.
3.7.0.1411 | All | UAV-2201, EA-19048 | A data-race issue could lead to a system crash.
3.7.0.1411 | All | DSEN-15119, EA-19388 | The system crashed when attempting to format drives.
3.7.0.1411 | All | DSEN-14950, EA-19195, EA-19313 | System crashes on Windows Server 2008 R2.
3.7.0.1411 | Endpoint Standard | DSEN-14817 | Fixed a bug when applying Endpoint Standard functionality immediately after switching from an Enterprise EDR (only) org.
3.7.0.1411 | All | DSEN-14801, EA-19243 | The 3.7.0.1253 sensor blocked MSI installations of software that needed to modify the disk drive upper-filter registry value to complete installation.
3.7.0.1411 | Endpoint Standard | DSEN-14787 | Tamper blocks occurred when osqueryi.exe attempted to load cbamsi.dll from an unsafe location.
3.7.0.1411 | All | DSEN-14690 | The sensor misreported process privileges compared with Process Explorer.
3.7.0.1411 | All | DSEN-14604 | A first-time install required a reboot to take the sensor out of bypass mode when "Bypass sensor after login" was enabled in the policy's sensor settings.
3.7.0.1411 | All | DSEN-14592, DSEN-12808, EA-16115 | The sensor reported incorrect shutdown/sleep states in the console.
3.7.0.1411 | All | DSEN-14584 | Added a config property for using the BIOS UUID to re-register VDI clones.
3.7.0.1411 | All | DSEN-14575, DSEN-13266 | Logging now properly reports a failure caused by an expired company code.
3.7.0.1411 | All | DSEN-14574, DSEN-13926 | The .msi installer precheck returned an error and failed to upgrade sensors because sensor version information was missing from MsiGetProductInfo.
3.7.0.1411 | All | DSEN-14558 | Added a pop-up error dialog when the installer detects a Windows system that lacks the SHA-2 code-signing update. For more information, see the UEX posts "[CBC Windows] SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2", "Carbon Black Cloud sensor: Windows desktop support" and "Carbon Black Cloud sensor: Windows Server support".
3.7.0.1411 | All | DSEN-14423 | Fixed a bug in the ctinet.sys driver that caused a system crash when processing specific network events.
3.7.0.1411 | Endpoint Standard | DSEN-14326, EA-18664 | The sensor allowed deletion of files that had the read-only attribute set.
3.7.0.1411 | All | DSEN-14015, EA-17990 | The sensor did not perform process classification while in bypass, so RepCLI commands that require authentication and are issued through a Live Response session had to be sent to a sensor in the active state.
3.7.0.1411 | Endpoint Standard | DSEN-13971, EA-18729, EA-19333 | Files whose hashes were on the banned hash list could run for a short time.
3.7.0.1411 | All | DSEN-13517, EA-18627 | The sensor ignored bypass rules for .tmp files.
3.7.0.1411 | All | DSEN-13281, EA-18012 | Fixed an issue with shutting down the sensor service in hardened environments that could cause sensor upgrades to fail.
3.7.0.1411 | All | DSEN-13064 | Now ships with osqueryi.exe version 4.7.0.
3.7.0.1411 | Endpoint Standard | DSEN-12555, EA-18067, EA-18165, EA-18418, EA-18581, EA-18866 | Fixed a bug where the sensor could hang the Microsoft Software Shadow Copy Provider service on startup.
3.7.0.1411 | Endpoint Standard | DSEN-12394 | Sensor upgrades initiated outside the console could fail because msiexec.exe was blocked by tamper protection.
3.7.0.1411 | All | DSEN-8545 | RepCLI capture could only save zip files to local directories; when a network location was given, the file was written to C:\ProgramData\CarbonBlack\Logs\temp instead.
3.7.0.1411 | All | DSEN-8123 | Sensors running on Windows 10 Enterprise multi-session could display the OS version as "Windows Server 2019".
3.6.0.2127 | All | DSEN-14423, EA-19046 | Fixed a bug in the ctinet driver that could lead to a system crash.
3.6.0.2127 | Endpoint Standard, Enterprise EDR | UAV-2191, UAV-2204, EA-18905, EA-18910, EA-18889, EA-18965, EA-18982, EA-18881 | Non-ASCII characters in filenames (such as Chinese and Japanese) could cause the AMSI module to crash the process being inspected. Logging of AMSI events generated from non-ASCII file names is also fixed.
3.6.0.2127 | All | UAV-2201, EA-19048 | A data-race issue could lead to a bugcheck.
3.6.0.2127 | Enterprise EDR | UAV-2206, EA-18589 | A temp file was left behind when saving a modified Excel file.
3.6.0.2127 | All | DSEN-12043 | The sensor can now be uninstalled when the BackupPath value under HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch is not set.
3.6.0.2127 | Endpoint Standard | DSEN-12555, EA-18067, EA-18165, EA-18418, EA-18581, EA-18866 | The sensor could hang the Microsoft Software Shadow Copy Provider service on startup.
3.6.0.2127 | All | DSEN-13226, EA-17848 | The sensor could time out during upgrades on systems with large numbers of applications and files in use.
3.6.0.2127 | Endpoint Standard | DSEN-13250, EA-18515 | Fixed a bug that could lead to a process deadlock on busy systems, as described in the UEX knowledge base article https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-Windows-applications-randomly-hang-when/ta-p/102334
3.6.0.2127 | All | DSEN-13429, EA-18403 | Fixed a bug that could lead to a bugcheck when a process accessed a file on a network share.
3.6.0.2127 | All | DSEN-13767, EA-18685 | Error dialogs appeared when third-party apps attempted to inject into any of the sensor's processes.
3.6.0.2127 | Endpoint Standard | DSEN-13807, EA-18785, EA-18821 | Fixed a bug that triggered false-positive AMSI alerts.
3.6.0.2127 | All | DSEN-14127, DSEN-14133 | Windows sensor builds are no longer signed with SHA-1 code signing (SHA-2 and WHQL only). Windows updates may therefore need to be applied to run sensor version 3.6.0.2076 and later. See the UEX posts "[CBC Windows] SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2", "Carbon Black Cloud sensor: Windows desktop support" and "Carbon Black Cloud sensor: Windows Server support".
3.6.0.2127 | All | DSEN-14154 | The sensor could remain in bypass mode after a system reboot. This occurred only when the sensor was configured to run as an anti-malware protected process light (AM-PPL) but was not actually running as AM-PPL at startup, which happened when upgrading from sensor 3.3 or earlier or when config properties that disable AM-PPL were present.
3.6.0.2127 | All | DSEN-13691, EA-18749, EA-18647 | Sensor uninstall could fail if the file C:\Windows\ELAMBKUP\CbELAM.sys was not present.

3.7.0.1253 | Endpoint Standard, Enterprise EDR | CBC-2554 | The 3.7 sensor now automatically registers on VDI clones in vSphere environments. This requires both the vSphere HostModule and the 3.7 sensor. Logs are written to C:\ProgramData\CarbonBlack\Logs\vhostcomms.log. AV exclusions might be needed for C:\Program Files\Confer\VHostComms.exe.
3.7.0.1253 | All | DSEN-13848 | The 3.7 sensor supports a new cfg.ini parameter, AutoReRegisterForCitrix = True, for automatically re-registering the sensor on VDI clones in Citrix environments. Note: A separate re-registration script is not required once this parameter is set in cfg.ini.
3.7.0.1253 | All | CBC-831 | Added alarms for installation, uninstallation and upgrade failures.
3.7.0.1253 | All | CBC-1017 | Various improvements to sensor services, for example: potentially fewer delays in receiving Defense events from sensors; faster Live Query results; one request's timeout no longer delays other requests.
3.7.0.1253 | Endpoint Standard | CBC-1638, DSEN-11202 | Defense API reports that were previously sourced from API hooking have been moved to Event Tracing for Windows providers and the file system driver for product stability. A new disk driver, cbdisk.sys, protects against ransomware that corrupts the on-disk boot records to prevent machines from booting. With cbdisk.sys, an API_BYPASS set earlier no longer allows processes that were blocked from writing to protected disk regions or accessing canary files; in 3.7, bypass such processes with the rule "Application at path -> Performs ransomware-like behavior -> Allow".
3.7.0.1253 | Endpoint Standard | CBC-1925 | Background scan progress (percentage complete) is now visible in the RepCLI status output.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | UAV-2041, EA-17693, EA-18300 | Reduced the frequency of non-paged pool memory allocations to avoid memory fragmentation and improve system performance.
3.7.0.1253 | Endpoint Standard | UAV-2191, EA-18905, EA-18910, EA-18889, EA-18965, EA-18982, EA-18881 | Fixed a bug where non-ASCII characters (such as Chinese and Japanese) in filenames caused the AMSI module to crash the process Endpoint Standard was inspecting.
3.7.0.1253 | Endpoint Standard | DSEN-5758, EA-18469 | Fixed a bug where the length of the alert details message could affect CPU performance.
3.7.0.1253 | Endpoint Standard | DSEN-5833, DSEN-7252, DSEN-7253, EA-14620, EA-15335, EA-15649 | Detects and prevents malicious .lnk (shortcut) chains.
3.7.0.1253 | All | DSEN-5870, EA-18220 | Sensor installation/uninstallation failed if the BackupPath registry value was missing from HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-7246, EA-17566, EA-15975 | Fixed a bug capturing certificate information from .jar files.
3.7.0.1253 | Endpoint Standard | DSEN-7266, EA-15600 | Endpoint details now append a YYYYMMDD date to the Scan Engine information, giving the date the signature pack was collected. Note: after upgrading from an older sensor version, a signature pack update might be needed before this information is displayed.
3.7.0.1253 | Endpoint Standard | DSEN-8198, EA-18133, EA-17388, EA-16521, EA-18124 | Intermittent failures with RDP connections.
3.7.0.1253 | All | DSEN-8262, EA-17682 | Fixed a bug where the last interactive logged-on user on Windows Server 2019 was reported as the Desktop Window Manager (DWM) account instead of the local user account.
3.7.0.1253 | Endpoint Standard | DSEN-8340 | The sensor now allows signature pack updates while in network quarantine.
3.7.0.1253 | Audit & Remediation | DSEN-10001, EA-16517 | Fixed a bug with closing Live Response sessions.
3.7.0.1253 | Endpoint Standard | DSEN-10427, EA-16855 | Improved performance when launching Office 365 applications.
3.7.0.1253 | All | DSEN-10677, EA-17112 | Fixed a bug with the sensor removal tool cleaning up registry entries after uninstallation of the sensor.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-10830, EA-17223 | Improved pruning of the DB_REP file to prevent excessive growth.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-11084, EA-17416 | The sensor did not recover gracefully when it lost its connection to the kernel.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-11181, EA-17345 | Fixed a bug displaying protection state information in RepCLI and the console when DelayProtectionAtBoot or DelayProtectionAtLogin is applied.
3.7.0.1253 | Endpoint Standard | DSEN-11290, EA-17462, EA-16703 | Fixed a bug where excess process handles caused performance degradation.
3.7.0.1253 | Endpoint Standard | DSEN-11413, EA-17335 | Fixed a bug where processes running in a container were falsely marked as "hidden". This could manifest as alerts with the TTP HIDDEN_PROCESS after installing sensor version 3.6.0.1719.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-11731, EA-17882 | Fixed registration issues for sensors upgraded through the command line with OFFLINE_INSTALL=1 incorrectly specified.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-12164, EA-18080 | Fixed an error message that appeared when clicking "VMware, Inc" in the "About" section of the sensor tray icon.
3.7.0.1253 | Endpoint Standard | DSEN-12447, EA-18230, EA-18064 | Fixed a bug where script interpreters were wrongly terminated when the applied rules were set only to deny. This could manifest as a console alert showing that an Office document was denied opening another Office document.
3.7.0.1253 | Endpoint Standard | DSEN-12526, EA-18264 | Fixed a bug causing RepMgr to crash on a buffer access violation.
3.7.0.1253 | All | DSEN-13201 | Fixed a bug with sensors connecting to the backend through a proxy when a default WinHTTP proxy is configured in the registry (for example, via netsh).
3.7.0.1253 | Endpoint Standard | DSEN-13429, EA-18403 | Fixed a bug that could lead to a bugcheck when a process accessed a file on a network share.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-13518, EA-18633 | Fixed incorrect MAC addresses being returned when no local area connection adapter is found.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-13742, EA-18213 | Parent-process information was missing on the process tree page for hash-ban terminate alerts.
3.7.0.1253 | Endpoint Standard | DSEN-14058, UAV-2140 | The RepMgr service crashed during log collection on an invalid memory access.
3.7.0.1253 | All | DSEN-14127, DSEN-14133 | Windows sensor builds are no longer signed with SHA-1 code signing (SHA-2 and WHQL only). Windows updates may therefore need to be applied to run sensor version 3.7 and later. See the UEX posts "[CBC Windows] SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2", "Carbon Black Cloud sensor: Windows desktop support" and "Carbon Black Cloud sensor: Windows Server support".
3.7.0.1253 | All | DSEN-14154 | Fixed a bug where the sensor could remain in bypass mode after system reboots.

3.6.0.2076 Endpoint Standard

DSEN-12449, EA-18064, EA-18230, EA-18270, EA-18324, EA-18429

Microsoft Office processes were terminated if the Invokes an untrusted process rule was applied.

3.6.0.2076 Endpoint Standard

DSEN-12571, EA-18105

Corrected RepMgr scan behavior during certificate reputation updates.

3.6.0.2076 Endpoint Standard

DSEN-12613, EA-18202

Fixed a registration issue with Windows Security Center after a Windows update.

3.6.0.2076 Endpoint Standard

UAV-1936, EA-17503

Improved sensor performance in a number of scenarios. You should see increased performance in a number of scenarios, such as when reading files over the network or when logging out.

3.6.0.2076 Endpoint Standard

UAV-1943

When the Citrix Virtual Memory Optimization service is present, the Windows sensor did not block all executions from Alternate Data Streams. See the following KB article for more information: https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-Citrix-Virtual-Memory-Optimization-Service/ta-p/99222 

3.6.0.2076 Endpoint Standard

DSEN-11432, EA-17439

Signature pack updates were not respecting the CurlCrlCheck config property.

3.6.0.2076 Endpoint Standard

DSEN-11615

Ransomware blocks were not always generating console alerts.

3.6.0.2076 Endpoint Standard

DSEN-11626

Added the ability to skip blocking executions from alternate data streams if the content hash is on the company approved reputation list.

3.6.0.2076 Endpoint Standard

DSEN-11654, EA-17667

Improved performance of Live Queries that leverage Yara to scan directories that have a lot of files.

3.6.0.2076 Endpoint Standard

DSEN-11710, EA-17591, EA-17693, EA-17877

Improved performance on machines that have a high frequency of short lived processes.

3.6.0.2076 Endpoint Standard

DSEN-11732

Rules were not being updated while the sensor was in bypass mode.

3.6.0.2076 Endpoint Standard

DSEN-11805, EA-17554, EA-17841

Improved hashing performance when large files are executed on the network.

3.6.0.2076 Endpoint Standard

DSEN-11814, EA-16261, EA-17121

Improved sensor performance during boot time.

3.6.0.2076 Endpoint Standard

DSEN-11927, EA-17912

Not trusted policy enforcement was being applied on approved files. Under Policy > Sensor, if Scan execute on network drives is off and a never seen before hash is executed that should be approved, an unwanted block could occur.

3.6.0.2076 Endpoint Standard

DSEN-12048, EA-17649

Improved sensor detection of auto-generated Microsoft PowerShell scripts.

3.6.0.2076 Endpoint Standard

DSEN-12095

A local user interface alert is now generated for known malware services. Previously, in some circumstances, when a service backed by malicious files was discovered and blocked, no local user interface alert occurred.

3.6.0.2076 Endpoint Standard

DSEN-12129

Invalidly signed files that matched certificate approval rules using wildcard patterns might have been incorrectly approved despite the signature being untrustworthy.

3.6.0.2076 Endpoint Standard

DSEN-12143, EA-18020, EA-18064, EA-18092, EA-18148, EA-18205

Some recent Windows Updates delivered Microsoft OS files before the external catalog used to verify their digital signature was registered. This caused the files to appear unsigned on first inspection, which could lead to tamper protection blocks and user-visible errors when launching RepUx. The CB sensor now re-inspects operating system files that appear unsigned to re-verify their digital signature and avoid the tamper blocks.

Note: You can still experience blocks

See the following KB article for more information: https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-Repux-exe-or-Scanhost-exe-unable-to-start/ta-p/99249

3.6.0.2076 Endpoint Standard

DSEN-12211

Live Response was prevented from launching non-Microsoft executables by a tamper policy error.

3.6.0.1979 Endpoint Standard

UAV-1941, EA-17514, EA-17627, EA-17765

Performance issues arose across various assets such as Excel, video files, and USB printers. This fix improves hashing logic to make the process more efficient.

3.6.0.1979 Endpoint Standard

DSEN-11514, EA-17653

Uninstall rollback during upgrades did not bring the system to a protected state until reboot, causing a failure during upgrades.

3.6.0.1979 Endpoint Standard

UAV-1853, EA-16874, EA-17503

Improved network file operations performance.

3.6.0.1979 Endpoint Standard

DSEN-11461, EA-17152

Delays while closing some applications.

3.6.0.1979 Endpoint Standard

DSEN-11477

In Endpoint Standard-only organizations, device control alerts could take hours to appear in the Alerts page because low event volume delayed reporting to the cloud.

3.6.0.1979 Endpoint Standard

DSEN-11617, EA-17780

One reported occurrence of a BSOD on a 32-bit Windows 7 machine.

3.6.0.1979 Endpoint Standard

UAV-1951, EA-17567, EA-17571

One documented case of ERP software running slowly on ERP servers.

3.6.0.1979 Endpoint Standard

DSEN-11639, EA-17572, EA-17811, EA-17831

Latency on file open operations on local drives and network shares.

3.6.0.1941 Endpoint Standard

DSEN-11146, EA-17629

A reboot of a Domain Controller server during sensor uninstall is now resolved.

3.6.0.1941 Endpoint Standard

DSEN-11217, EA-17431

One customer reported a crash on a clustered SQL instance.

3.6.0.1941 Endpoint Standard

DSEN-10927, EA-17214

Excel terminated with error "attempted to modify the next instruction to execute in the process".

3.6.0.1941 Endpoint Standard

DSEN-11192, EA-17439

The local scanner was not updating endpoints that use proxy connections.

3.6.0.1941 Endpoint Standard

DSEN-11203

With Device Control on, users might have seen a slowdown when accessing files on Google Drive with the Google Drive app running locally and mounting a volume in Windows Explorer.

3.6.0.1941 Endpoint Standard

DSEN-11229

The following error appeared after upgrading the sensor and then rebooting:
"Carbon Black Cloud Sensor: RepUx.exe - Bad Image"

3.6.0.1941 Endpoint Standard

DSEN-11107, EA-17416

Tableau Server hung during sensor install.

3.6.0.1941 Endpoint Standard

DSEN-11019

An issue was identified and fixed that could lead to background scan consuming excessive CPU. The background scan is executed upon sensor install.

3.6.0.1941 Endpoint Standard

DSEN-10847

Wavefront’s telegraph service would not start when the sensor was installed. This issue was found internally only.

3.6.0.1941 Endpoint Standard

DSEN-11338, EA-16703, EA-16977

High CPU usage by the svchost service.

3.6.0.1941 Endpoint Standard

DSEN-10968, EA-17653

Uninstall might have failed in some scenarios. 

3.6.0.1941 Endpoint Standard

DSEN-11344, EA-17590

A thread handle leak in RepMgr led to hangs on domain controllers.

3.6.0.1941 Endpoint Standard

DSEN-11220

General performance improvements.

3.6.0.1941 Endpoint Standard

UAV-1847, EA-15161

The normalization LRUCache had an inconsistent key format if the key was a folder.

3.6.0.1941 Endpoint Standard

DSEN-11216, EA-15031

Sensor was not sending the endpoint’s MAC address to the backend.

3.6.0.1941 Endpoint Standard

DSEN-11217, EA-17431

A crash occurred on a clustered SQL instance - 0x22_CsvFs!CsvFsExceptionFilter

3.6.0.1941 Endpoint Standard

UAV-1893, EA-17269, EA-17446

A large number of registry operations showed high rule engine match overhead.

3.6.0.1897 Endpoint Standard

DSEN-11344, EA-17590

Systems with a high occurrence of network connection attempts running Windows sensor versions 3.6.0.1791 and 3.6.0.1897 may experience degraded performance. These sensor versions are no longer available for download. This issue is resolved in Windows sensor version 3.6.0.1941.

3.6.0.1897 Endpoint Standard

UAV-1852, EA-15616

Sensor ignored Endpoint Standard processing of network files that were not opened for execution.

3.6.0.1897 Endpoint Standard

DSEN-10981, EA-17152

Performance improvement where applications such as Microsoft Word make heavy use of NtReadVirtualMemory.

3.6.0.1897 Endpoint Standard

DSEN-10922, EA-17214

Applications making a copy of themselves caused false positive code injection alerts in the console.

3.6.0.1897 Endpoint Standard

DSEN-10822, EA-17223

Improved performance for file reads on the endpoint when a file is quarantined in place.

3.6.0.1897 Endpoint Standard

DSEN-10778, EA-16874

Incremental performance improvements for moving network files.

3.6.0.1897 Endpoint Standard

DSEN-10699, EA-17060

Sensors did not move to the correct group because metadata changes were not reported.

3.6.0.1897 Endpoint Standard

DSEN-10676, EA-17075

Resolved hang issue while inflating OneDrive files.

3.6.0.1897 Endpoint Standard

DSEN-10494, EA-17479

Sensors will now use new static proxy settings even if previously persisted ones are succeeding.

3.6.0.1897 Endpoint Standard

DSEN-10212, EA-16659

Customers might have experienced false positives for processes which had already been terminated.

3.6.0.1897 Endpoint Standard

DSEN-10154, EA-16866

Signatures did not always get re-evaluated on an upgrade from older sensor versions. This might have resulted in users seeing an alert that a file was unsigned and the process terminated.

3.6.0.1897 Endpoint Standard

DSEN-10043, EA-17060

After a sensor was cloned, the sensor might have updated the golden image endpoint's check-in time before registering as a new cloned endpoint. This might have resulted in duplicated Device IDs in the console.

3.6.0.1897 Endpoint Standard

DSEN-10217

The sensor upgrade might have failed when Windows Security Center was disabled.

3.5.0.1813 Endpoint Standard DSEN-10655

This fix improves the execution of kernel mode code.

3.5.0.1813 Endpoint Standard DSEN-10334

This fix resolves an intermittent issue during sensor upgrades after a fresh install. The upgrade sometimes hung while removing the old CB Defense service.

3.5.0.1813 Endpoint Standard DSEN-10246

Resolved an issue that caused applications to crash with ctiuser.dll as a faulting module after upgrading sensor version from 3.5.0.1680 to 3.5.0.1756.

3.6.0.1791 Endpoint Standard DSEN-10154

Improved signature evaluation logic on upgrade.

3.6.0.1791 Endpoint Standard DSEN-10370

Rare case where cert reputation did not persist.

3.6.0.1791 Endpoint Standard DSEN-10104

Performance improvement around caching volumes.

3.6.0.1791 Endpoint Standard DSEN-10555

The content manager was not checked for null on shutdown.

3.6.0.1791 Endpoint Standard DSEN-10089

Performance improvement: not caching normalized in post-create when rules trigger the normalization.

3.6.0.1791 Endpoint Standard DSEN-10507

Fixed small performance inefficiency in CbdFileEventObjectBase::GetFileSize.

3.6.0.1791 Endpoint Standard DSEN-10466

REG_CREATE_KEY event included both new key creation events and existing key open events.

3.6.0.1791 Endpoint Standard DSEN-10489

Overlapping PROC_RECORD flags caused inaccurate breached alerts.

3.6.0.1791 Endpoint Standard DSEN-7715

Banned scripts failed to be blocked on Box cloud file sharing app. The issue did not occur on Google Drive or OneDrive.

3.6.0.1791 Endpoint Standard DSEN-10458

Inconsistent storage of pscinfo in db_rep led to query failures.

3.6.0.1791 Endpoint Standard UAV-1813

Protobuf definitions of IPv4 and IPv6 addresses now include a human-readable format.

3.6.0.1791 Endpoint Standard DSEN-10246

Application crashes were due to members of the SuspendInfo struct not being aligned on a 16-byte boundary.

3.6.0.1791 Endpoint Standard DSEN-10453

Delete code set the publisher/issuer name to VERIFIED.

3.6.0.1791 Endpoint Standard DSEN-10069

A major Windows upgrade did not migrate the sensor's ELAM backup.

3.6.0.1791 Endpoint Standard DSEN-10068

siUtil_IsProcessRunning did not take action on STATUS_ACCESS_DENIED; it now produces clearer log output for that condition.

3.6.0.1791 Endpoint Standard DSEN-10198

Performance improvements: FQDN lookup optimizations.

3.6.0.1791 Endpoint Standard DSEN-10403

Performance improvement: Avoid acquiring exclusive file record lock to set process file type.

3.6.0.1791 Endpoint Standard DSEN-10158

Performance improvement: Cache process record references in handle context.

3.6.0.1791 Endpoint Standard DSEN-10334

CTINET: Unload prevented due to inaccurate flow counters [EA].

3.6.0.1791 Endpoint Standard DSEN-10308

CTINET: Unload prevented due to inaccurate flow counters [EA].

3.6.0.1791 Endpoint Standard UAV-1808

The sensor did not refresh the PSC policy upon a datafile2 update.

3.6.0.1791 Endpoint Standard DSEN-10158

Cache process record references in handle context led to performance issues.

3.6.0.1791 Endpoint Standard DSEN-10134

TLS configprops input validation was inconsistent.

3.6.0.1791 Endpoint Standard DSEN-9952

CHashObject::DetermineIntendedSourceMask accessed DB without holding lock.

3.6.0.1791 Endpoint Standard DSEN-10309

Added a sensor alarm for failure disabling LSP.

3.6.0.1791 Endpoint Standard DSEN-10248

confer.log contained the error "WARNING GetRegStringValue: Failed to read registry key Software\VMware, Inc.\ViewComposer\ga\AgentIntegration\CustomizationStarted".

3.6.0.1791 Endpoint Standard DSEN-10153

Sigpack update caused on-access scan to effectively become enabled even if it was disabled in policy.

3.6.0.1791 Endpoint Standard DSEN-10091

ctifile blocked pre-write by RepMgr and confer.log logging stopped.

3.6.0 All DSEN-9774

Hyper-V host blue-screened when accessing CSV file system.

3.6.0 All DSEN-6963

Sensor installation now supports both the user code provided in the email and the company code.

3.6.0 All UAV-1586

The ASP page took 20 seconds to return with AmsiEnabled in the 3.5 sensor.

3.6.0 All UAV-1421

The LiveResponse memdump command caused crashes. It was disabled by default on Windows sensors 3.3 and 3.4. It is now enabled by default and no longer causes crashes.

3.6.0 All UAV-1415

The sensor wrote large amounts of extra data to the confer.log file. The extraneous data that is written to confer.log has been reduced.

3.6.0 All UAV-1400

The sensor allowed non-execute access to quarantined files. Now, quarantined files are not accessible. This can prevent other security applications from scanning and alerting on the file, but will prevent files from being copied to other locations.

3.6.0 All UAV-1396

Intermittent delays occurred when opening Office files and navigating file systems on Windows 10.

3.6.0 All UAV-1302

Sensor install failed on Windows Server 2019 machines where the "BackupPath" value of the registry key HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch was missing. The value is typically C:\Windows\ELAMBKUP.

3.6.0 All DSEN-8597

During updates to Windows 19H1, the system either blocked the update or crashed during the update. This issue was only reproduced and identified internally, and the issue did not reproduce if the sensor was in Bypass mode.

3.6.0 All DSEN-8502

Previously, if a user executed an unattended install with the flag and argument "INSTALLFOLDER=<path>", the sensor installed but was non-functional. Now, an installation failure occurs if a user tries to use a non-standard installation folder.

3.6.0 All DSEN-8501

Under high load, repmgr.exe handle counts grew very large, causing minor performance issues.

3.6.0 All DSEN-7592

If the sensor's background scan changed from disabled (either via install arguments or cloud policy) to expedited, a race condition could put the background scan into disabled state.

3.6.0 All DSEN-7119

Windbg was observed to crash.

3.6.0 All DSEN-6405

RepMgr.exe crashed upon running any process from a path with Japanese characters (c:\見る).

3.6.0 Enterprise EDR DSEN-6056

If the customer turned off Scan On Network Read/Scan on Network Execute in the policy, the sensor still tried to normalize a network path even if Enterprise EDR wasn't enabled.

3.6.0 All DSEN-5043

TTPs: ACCESS_EMAIL_DATA was assigned to an event in which the application C:\Windows\System32\taskhost.exe attempted to access the file "C:\Users\mosesveroy\AppData\Local\Microsoft\Internet Explorer\Indexed DB\Internet.edb". That file looked like an Internet Explorer data file, not an email data file. Expected behavior: clarify or correct the ACCESS_EMAIL_DATA TTP for Internet.edb.

3.6.0 All DSEN-4873

WinSSL CRL checking caused friction in POC environments that required a proxy configuration.

3.6.0 All DSEN-4720

The API hook for GetAsyncKeyState (and a small number of other functions) was in GetCallingDll. The fix for DSEN-2810 avoided an expensive call to GetLongPathNameW by checking whether the pathname contained any tilde ("~") characters; if it did, GetLongPathNameW was still called, resulting in a noticeable slowdown. The customer was using an IME-like ActiveX control that called GetAsyncKeyState, and the DLL was installed below C:\Program Files (x86), which gave it a short name containing a tilde.

3.6.0 All DSEN-4682

A rule to deny memory scraping by Task Manager did not work on Windows 10. Ctiuser was not injected into taskmgr.exe on Windows 10, so ctiuser could not prevent memory scraping of any process (that is, creating a dump file) by taskmgr.exe. This behavior did not occur on Windows 7, where ctiuser is loaded through AppInit_DLLs and creating a dump from Task Manager is successfully blocked.

3.6.0 All DSEN-4580

Occasionally, the local scan misclassified a file with a malware reputation. If RepMgr requested a scan of the file, this AV reputation persisted in dbrep. If a subsequent signature update corrected the local scan's reputation, RepMgr did not rescan the file, so the AV reputation in dbrep was not corrected. If there was no higher-priority reputation from other reputation sources, including the cloud, this AV reputation persisted. The workaround was to add the hash to the Approved list.

3.6.0 All DSEN-4154

The IT_TOOLS rule was still enforced on a long-running process after the rule was removed.

3.6.0 All DSEN-3099

Known malware executed and remained running.

3.6.0 All DSEN-2480

Agent Core Installer separated the installer directory from the data directory.

3.6.0 All DSEN-2167

When trying to pull down an AV pack update, the proxy information in the curl request was not set up.

3.6.0 All DSEN-1755

The sensor was in bypass mode for around 3 hours. When the sensor was taken off of bypass mode, it remained in bypass for 25 minutes, at which time the machine rebooted and the sensor checked in.

3.6.0 All DSEN-1077

Powershell_ise.exe is a CLR process. In Windows 10, Carbon Black does not inject into the process because it doesn't meet the following criteria:

  • It does not have an .exe file extension
  • The CLR process launches itself

3.5.0.1801 All DSEN-10230, EA-16950, EA-16957, EA-16961

An earlier maintenance release of the 3.5 CBC Windows Sensor (3.5.0.1786) resulted in a system crash/BSOD for endpoints that hit a specific, uncommon code path. There were three reported cases against about 175,000 endpoints across all environments. Please note that this was introduced in 3.5.0.1786 and that is the only version in which the problem exists. It is now fixed in 3.5.0.1801.

3.5.0.1801 All UAV-1779, EA-16903

Due to an interaction with third-party proxy management software called Open Text Socks Client, one customer experienced RepCLI (local command line interface) breaking by returning error message "RepCLIClient: Failed to open socket". This issue was found in 3.5.0.1680 and fixed in 3.5.0.1801.

3.5.0.1801 All UAV-1755, EA-16865

One customer reported a system crash. This issue was found in 3.5.0.1627 and fixed in 3.5.0.1801.

3.5.0.1786 All UAV-1724, EA-16649, EA-16526, EA-16702, EA-16761

The sensor caused slowness, freezing on the endpoint, and the domain controller to enter an unresponsive state.

3.5.0.1786 All DSEN-9760, EA-16641

A RepMgr.exe crash created performance degradation and a high number of event ID 1 and 1000 in Windows application logs.

3.5.0.1786 All UAV-1646

Startup performance improvements alleviate slow start and/or logon type issues. Performance improvements will remain a focus in future releases.

3.5.0.1786 All DSEN-5266, UAV-1678, EA-14291

Fixed performance issues using Windows Explorer to navigate to locations in SharePoint.

3.5.0.1786 All DSEN-9612, EA-15998

Upon reboot, a customer experienced the following error condition: "Carbon Black Cloud Sensor: RepUx.exe - Bad Image. C:\Program Files (x86)\Common Files\Microsoft Shared\INK\PENUSA.DLL is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc0000022."

3.5.0.1756 All DSEN-9434, EA-16297

Issue connecting to the proxy server.

3.5.0.1756 All DSEN-8645, EA-16130, EA-16208

When using OFFLINE_INSTALL=1 and providing PROXY_SERVER on the command line, the sensor never registered with the backend.

3.5.0.1756 CB Defense DSEN-8950, EA-14957, EA-16471

Customers allow-listing IT Tools might have seen the feature fail if the allow-listed string contained no wildcard characters. This issue is now fixed and non-wildcard strings match.

3.5.0.1756 CB Defense DSEN-8307, EA-16479, EA-16509

Bypass rules were not properly applied in certain cases.

3.5.0.1756 All DSEN-8562, EA-15614

Alerts were surfaced for a file that was already deleted from the system.

3.5.0.1756 All UAV-1595, EA-16261

Log on performance has been improved.

3.5.0.1756 CB LiveOps DSEN-8768, EA-16504

The Live Response exec command failed in some cases.

3.5.0.1756 All DSEN-8291, EA-16578

Intermittent issues with login delays causing RDP session timeouts.

3.5.0.1756 All DSEN-8507, EA-16068

Issues contributing to slow log in are now addressed.

3.5.0.1680 CB Defense DSEN-8605, EA-16214, EA-16283

Two customers experienced a deadlock between a sensor process and system process, which could cause the endpoint to freeze up.

3.5.0.1680 LiveOps DSEN-8537, EA-15636, EA-16147

Customer might have experienced greater than expected resource consumption on their endpoints upon LiveQuery usage. Previously, the back end cancelled queries after they were outstanding for a week. This fix introduces configurable thresholds in runtime and memory consumption that, if crossed, cancel the query and prevent excessive resource consumption.

3.5.0.1680 All DSEN-8440, EA-16086

Customers might have experienced greater than expected resource consumption when installing large files.

3.5.0.1680 All DSEN-8405, EA-16014

Users might have noticed a larger pagefile size, which generated volmgr errors in the Windows Event Viewer. The sensor now auto-configures the memory dump settings on the machine unless you opt out by setting the MSI command line argument "AUTO_CONFIG_MEM_DUMP=0" during a command line install.

3.5.0.1680 CB ThreatHunter DSEN-8331

CB ThreatHunter might not have reported script loads for scripts that had VBScript, Office document, Python, or Perl file extensions.

3.5.0.1627 All DSEN-7254

Creating a folder on a network file share might have taken up to 15 seconds. The initial folder creation occurred within a normal time frame.

3.5.0.1590 All UAV-1415

Uninstall on a machine that is serving an RDP session could hang/fail if the RDP client machine was sharing local drives with the RDP server. Note that an upgrade from Windows sensor 3.4 to an earlier 3.5 version requires an uninstall, and can cause this issue if the previous criteria are met. To resolve the issue in this case, use the sensor removal tool.

3.5.0.1627 All DSEN-7565

An internal observation of the sensor crashing while being taken out of bypass during system startup. This issue was not reported externally.

3.5.0.1627 All DSEN-7760, EA-15839

In one case, the sensor service stopped repeatedly, generating errors such as this in the event log: "The CB Defense service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service." This was a result of a service crash.

3.5.0.1627 All DSEN-7831, EA-15341, EA-15810, EA-15403

In some cases, the sensor did not honor bypass rules as they were configured in the policy, which led to unexpected blocks, interoperability issues, or poor application performance.

3.5.0.1627 All DSEN-7759

Endpoints exited network quarantine after upgrading from 3.4 to 3.5. Upgrades and uninstalls are no longer permitted in quarantine.

3.5.0.1627 CB LiveOps DSEN-7576

As of version 3.5.0.1627, the Windows sensor supports osQuery 4.1.2.

3.5.0.1590
All DSEN-7344, EA-15076 Customers can experience performance issues if end users access many files over a network drive. The specific issue in EA-15076 is resolved.
3.5.0.1590 All DSEN-7358 Support staff might have requested additional logs and diagnostic information during troubleshooting in certain cases due to log messages being dropped.
3.5.0.1590 All DSEN-7391, EA-14361 Windows Event Security Logs surface a message that reads: "Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. File Name: \Device\HarddiskVolume4\Windows\System32\ctiuser.dll." This suggest ctiuser.dll might be corrupted, which is not the case.
3.5.0.1590 All EA-15784, DSEN-7488 A customer observed a recurrence of event ID 49 in the Windows Application Event logs.
3.5.0.1590 All DSEN-7565 An internal observation of the sensor crashing while being taken out of bypass during system startup. This issue was not reported externally.
3.5.0.1590 All DSEN-7592 The sensor will now log windows events whenever backend requests a deregister/uninstall. Additionally, we will log to Windows events whenever sensor enter/exits bypass or server maintenance modes.
3.5.0.1590 All DSEN-7759 Users reported endpoints exiting network quarantine after upgrading from 3.4 to 3.5. Upgrades and uninstalls are no longer permitted in quarantine.
3.5.0.1590 All DSEN-7837, EA-15874 One customer observed that the backend did not display events for up to two hours.
3.5.0.1590 All DSEN-7208 In VDI environments, the uninstaller kept an old device's uninstall code. This issue is now fixed and the uninstall process in VDI environments is improved.
3.5.0.1590 All UAV-1393 Folder creation on network paths might have taken up to 25 seconds to complete.
3.5.0.1590 All DSEN-6985 Any path based rule that started with \ and not \\ was not enforced on Windows. This prevented users from creating path rules for files that had no system-wide drive letter.
3.5.0.1590 All DSEN-7446 In some cases, the Endpoints page did not reflect Active Directory or Organizational Unit data.
3.5.0.1590 All UAV-1386, DSEN-7326 This release introduces several fixes to memory leaks (none of which were reported by customers).
3.5.0.1590 All DSEN-5225 When a process (.bat or .cmd) was executed via a command interpreter via "cmd.exe /c", the process might have been blocked. This issue is now resolved for .bat and .cmd processes.
3.5.0.1590 All DSEN-7358 The sensor dropped log messages, resulting in Carbon Black support reaching out more frequently for diagnostic information.
3.5.0.1590 All DSEN-7275 If the background scan was running, the sensor might have uninstalled very slowly. Users would encounter this only if they had attempted to uninstall shortly after install because, if configured, background scan executes upon install.
3.5.0.1590 CB ThreatHunter UAV-1396, EA-15835
In one case, a server hung up during boot.
3.5.0.1523 All DSEN-6534/EA-14866 Customers might have seen an increase in false positive blocks. One customer reported Excel and Outlook as blocked.
3.5.0.1523 All DSEN-3992 Subkeys could be created under the CBDefense key in the Windows registry. 
3.5.0.1523 CB Defense DSEN-5332, EA-12882 Sensor might have terminated a process due to an attempt "to modify the next instruction to execute in the process" when the process belongs to the application.
3.5.0.1523 All DSEN-4054, DSEN-4033 The LiveResponse memdump command was previously observed to cause crashes. It was disabled by default on Windows sensors 3.3 and 3.4. It is now enabled by default and no longer causes crashes.
3.5.0.1523 All DSEN-4375 The sensor wrote large amounts of extra data to the confer.log file. Numbers vary across environments, but the issue is resolved so that the extraneous data written to confer.log is reduced.
The actual size of confer.log can increase because although extraneous data is reduced, valuable log data remains over a longer course of time due to a seperate change.
3.5.0.1523 All DSEN-5626 Previously, the sensor allowed non-execute access to quarantined files. Now, quarantined files are not accessible. This can prevent other security applications from scanning and alerting on the file, but prevents files from spreading to other locations. 
3.5.0.1523 All DSEN-6322, EA-14880 There were reports of intermittent delays when opening various Office files and navigating file systems on Windows 10. 
3.5.0.1523 All DSEN-5995, EA-14707, EA-14723, EA-14729 Customers who were using Windows sensor versions from 3.4.0.1047 to 3.4.0.1077 had Office applications such as Word and Excel hang when updating a file on Google File Stream and similar products (Box, Citrix Cloud, etc.). This issue is fixed in 3.5 and 3.4.0.1086 versions of the sensor.
3.5.0.1523 All EA-14455, DSEN-5699 Sensor install failed on Windows Server 2019 machines where there is a missing directory value for registry key HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch value "BackupPath". The value is typically C:\Windows\ELAMBKUP.
3.5.0.1523 All DSEN-5493, DSEN-5491 During updates to Windows 1H19, the system either blocked the update or potentially crashed during the update. This issue was only reproduced and identified internally, and the issue did not reproduce if the sensor was in Bypass mode.
3.5.0.1523 All DSEN-4050 Previously, if a user executed an unattended install with the flag and argument "INSTALLFOLDER=<path>", the sensor installed but was non-functional. Carbon Black now forces an install failure if a user tries to use a non-standard install folder.
3.5.0.1523 All DSEN-4043 Under high load, repmgr.exe’s handle counts grew very large, which could cause minor performance issues.
3.5.0.1523 All DSEN-6372 If the sensor's background scan changed from Disabled (either via install arguments or cloud policy) to Expedited, a race condition could put the background scan into disabled state. This issue was not observed externally.
3.5.0.1523 CB Defense DSEN-6077 Windbg was observed to crash. 
3.5.0.1523 All DSEN-3061 The sensor did not whitelist files by certificate if the certificate was signed with multi-byte characters. A backend fix was implemented for this issue.
3.5.0.1523 All EA-15148, DSEN-6552 A crash could inconsistently occur on file renames on network drives.
3.5.0.1523 All DSEN-6535, DSEN-6591 Sensor upgrades failed with error 1603 when attempting to perform the upgrade at the same time as a Windows upgrade to Redstone 5.
3.5.0.1523 CB ThreatHunter DSEN-4756, DSER-14090, EA-13906 Customers running CB ThreatHunter standalone might have seen Windows Security Center Real Time protection feature disabled. This issue was resolved by navigating to the Policies page, clicking the Sensor tab, and unchecking Use Windows Security Center.
3.5.0.1523 All DSEN-6057 Previously, release notes stated that banned scripts execute if the policy is refreshed on the backend after being banned. Only scripts executing when the sensor was coming out of bypass were not blocked. Banned scripts executed after bypass is disabled are blocked. This issue is functioning as designed.
3.5.0.1523 CB ThreatHunter DSEN-6487 In Sensor environments 3.4.0.1070 and 3.4.0.1077 (and 3.4.0.1016), the sensor crashed upon running any process from a path with multibyte characters (c:\見る) when UBS for CB ThreatHunter customers was enabled.
3.5.0.1523 All DSEN-6490 HTML file load and open and close performance degraded in 3.5 compared to 3.4. This fix was implemented in 3.5.0.1402.
3.5.0.1523 All DSEN-6653 When the Windows sensor 3.5 was in bypass mode, the sensor uninstall failed.
3.5.0.1523 All DSEN-6876, EA-15319, EA-15301 Some customers observed latency associated with Microsoft office applications.
3.5.0.1523 All DSEN-6871 Users could deregister the sensor from Windows Security Center in conflict with the policy setting.
3.5.0.1523 All DSEN-6826 3.5 beta users might have experienced a performance problem on a Windows 10 19H2 environment with CB Defense and CB ThreatHunter enabled. A 50% performance spike in repmgr.exe usage was identified when the system is idle.
3.5.0.1523 All DSEN-6867 The CB LiveResponse API previously defaulted to UTF-16LE encoding rather than UTF-8. Because many customers rely on the latter, the default setting is restored to UTF-8. This issue only impacted 3.5 beta users.
3.5.0.1523 CB ThreatHunter DSEN-6145 Customers who had moved from CB ThreatHunter standalone to
CB ThreatHunter with CB Defense experienced false positive blocks. This issue was only reported internally. 
3.5.0.1523 All DSEN-6491 Some users experienced a minor delay in loading common applications.
3.5.0.1523 All DSEN-6569 When running a Carbon Black-signed msi in Windows sensor 3.5 beta, cmd.exe was granted full bypass.The cmd.exe was only placed in bypass if the sensor msi was executed in cmd.exe.
3.5.0.1523 All DSEN-6625 The Windows sensor did not support multi-byte characters in
Osquery results in version 3.4.0.1016.
3.5.0.1523 All DSEN-6660 One internal user experienced a crash on Windows sensor 3.5.0.1346 running on Windows 8.1 x86.
3.5.0.1523 All DSEN-6691 In earlier 3.5 builds, if a file had a bypass rule that was removed after the file was deleted, then copies of that file would not be quarantined in place.
3.5.0.1523 All DSEN-6706 Explorer.exe hung indefinitely on an attempt to run any process in the confer install folder as administrator in the Windows sensor 3.5.0.1357.
3.5.0.1523  All DSEN-5163 The sensor did not prohibit downgrades from existing Windows 3.5 versions to older Windows 3.5 versions. This issue is resolved in all released 3.5 builds except for 3.5.0.1278. Carbon Black does not recommend or support downgrades, but the downgrade to 3.5.0.1278 is not prevented.
3.5.0.1523 All DSEN-5934, EA-14272, EA-14956 Customers could not open attachments while using applications such as KnowBe4 Second Chance or Digital Guardian's Outlook plug-in.
3.5.0.1523 All DSEN-6540 The sensor user interface might have shown the sensor in bypass when it was actually active. This issue was only reproduced internally and was considered a rare event.
3.5.0.1523 All DSEN-6543 False positive blocks might have occurred due to sharing violations while retrieving signature information.
3.5.0.1523 All DSEN-6941 Application launch performance degraded in the Windows 3.5 sensor compared to the Windows 3.4 sensor.
3.5.0.1523 All DSEN-6899, DSEN-7134 Customers experienced delays of up to 35 seconds when copying files to remote network drives. The sensor no longer reports signature or reputation information at the time of "last write" (that is, the close of a handle that modified an executable file). The sensor still collects and reports that information if the file is executed, but it no longer stalls to collect it at modification time.
3.5.0.1523 All DSEN-7005, DSEN-6990 Files that had no logical drive mapping (such as some Google Drive files) might not have been reported to the cloud. This issue impacted beta sensors only.
3.5.0.1523 All DSEN-6315 Some sub-processes were left in a suspended state after their parents were terminated. This was only observed internally.
3.5.0.1523 All DSEN-7026 One customer observed a crash on some machines during the 3.5 beta program.
3.5.0.1523 All DSEN-7099 Timeouts observed internally led to reputation mismatches, which could have resulted in false positive blocks.

Sensor Version Found Product Issue ID Description
3.7.0.1411 All DSEN-15629 If an internal template VM created during the Horizon instant clone pool process gets network access, the template's sensor can contact the backend using the same Device ID as the parent image, overwriting the parent image's hostname in the Carbon Black Cloud console with that of the internal VM. In this scenario, the parent VM shows up in the console with a name like "<Domain>\itXXXXXX". This does not impact overall functionality. This issue will be resolved in 3.7 MR2.
3.7.0.1411 Endpoint Standard DSEN-13482 Events show the NT device path of dropped files rather than the drive-letter path.
3.7.0.1411 Endpoint Standard DSEN-13464 A missing FopsId for the executing file prevents the user-mode component from running the Local Scanner.
3.7.0.1411 Endpoint Standard DSEN-12202 Uninstalling through the "sensor removal tool" can leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry.
3.7.0.1411 Endpoint Standard DSEN-12189 When a process is blocked from running, multiple block events can display in the console and local user interface.
3.7.0.1411 Endpoint Standard, Enterprise EDR DSEN-11116 Banned file names and paths are not captured correctly when the file is launched through a WebDAV path.
3.7.0.1253 Endpoint Standard DSEN-13482 Events show the NT device path of dropped files rather than the drive-letter path.
3.7.0.1253 Endpoint Standard DSEN-13464 A missing FopsId for the executing file prevents the user-mode component from running the Local Scanner.
3.7.0.1253 All DSEN-13266 The installer log does not provide a specific error message for attempts to install the CBC Windows sensor using an expired Company Code.
3.7.0.1253 Endpoint Standard DSEN-12202 Uninstalling through the "sensor removal tool" may still leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry.
3.7.0.1253 Endpoint Standard DSEN-12189 When a process is blocked from running, multiple block events can display in the console and local user interface.
3.7.0.1253 Endpoint Standard, Enterprise EDR DSEN-11116 Banned file names and paths are not captured correctly when the file is launched through a WebDAV path.
3.6.0.1979 Endpoint Standard DSEN-11563 When ransomware-like behavior is terminated by the sensor, the event shown on the Investigate page in the Carbon Black Cloud console no longer indicates that the operation was blocked and that the application was terminated by the Windows sensor. However, an alert on the Alerts page shows that the application was terminated.
3.6.0.1897 Endpoint Standard DSEN-10058, EA-16698 The sensor has an interoperability issue with Webroot that can cause Internet Explorer to crash. A fix is targeted for the November maintenance release.
3.6.0.1791 All DSEN-10763 Upgraded sensors do not accept datafile2 changes when no PSC rules are received.
3.6.0.1791 All DSEN-10674 Although Docker and Windows containers are not fully supported, they should run uninterrupted.
3.6.0.1791 All DSEN-10058 The Webroot interoperability issue needs a rules-driven, API-specific bypass.
3.6.0.1791 All DSEN-7586 ForcePoint uninstall fails even with the sensor in bypass; it succeeds only after the sensor is uninstalled.
3.6.0.1791 All DSEN-10547 Repmgr: continuous service crash alarms (ARM-specific).
3.6.0.1791 All DSEN-10665 Purging a bad record from rep_db does not set the required hash object flag.
3.6.0 All DSEN-7586 ForcePoint uninstall fails even when the sensor is in bypass; it succeeds only after the sensor is uninstalled.
3.6.0 All DSEN-10058 The Webroot interoperability issue needs a rules-driven, API-specific bypass.
3.6.0 All DSEN-10069 A major Windows upgrade does not migrate the ELAM backup.
3.6.0 All DSEN-10264 The sensor blocks the AirWatch service.
3.6.0 All UAV-1776 "Reason" data is missing in some AMSI alerts.
3.5.0.1627 All DSEN-9621, EA-16219 After an endpoint is placed into quarantine, the device cannot be taken out of quarantine through the console or API.
3.5.0.1756 All DSEN-8380 Upgrade from a 2.1.x to a 3.x sensor fails on Windows Server because the CbDefenseWSC service fails to stop. To work around the issue, reboot the machine before installing the new build.
3.5.0.1523 All DSEN-8445 One customer could not copy and paste unless the sensor was in bypass. This was due to an interoperability issue with SecureCircle; that product must be running together with the sensor for the issue to occur.
All DSEN-8366 The sensor reported a status message 15 minutes after install, which could have shown the sensor as Active during that time frame even if it was originally installed in Bypass.
3.5.0.1627 CB Defense DSEN-8493 IT Tools did not normalize file names. As a temporary workaround for IT Tools, wildcard the volume name and remove any symlinks from the name.
3.5.0.1523 All DSEN-8551 Tamper protection blocked Explorer from accessing \ProgramData\CarbonBlack\ before the sensor went into bypass, but not after it came out of bypass if the folder was accessed while in bypass. Customers are encouraged to have a set of RepCLI users authenticated and to use those users for support sessions if there is a need to inspect this folder; these users could successfully access %programdata%\CarbonBlack through Explorer.exe.
3.5.0.1627 All DSEN-8052, EA-14696, EA-15605, EA-15653, EA-15688 A previous release note stated that as of 3.5.0.1627, customers can apply the configuration settings SkipNetworkConversionToPhysical=false and OnlyAttemptDFSForPhysicalDeviceNames=true locally in the configuration settings file to improve performance in DFS access scenarios; these values are configured using the repCLI updateconfig command (see the Knowledge Base article https://community.carbonblack.com/t5/Knowledge-Base/PSC-How-To-Change-ConfigProps-Via-Cfgi-ini-Using-RepCLI/ta-p/88513). However, applying these settings can crash the endpoint. This problem was observed internally and will be fixed in the next maintenance release. In the future, the sensor will support cloud configuration management.
3.5.0.1523 All DSEN-8405 Due to a previous change made to assist with diagnostics, the size of the pagefile increases from 2 GB to more than 15 GB. This can also generate volmgr errors in Windows Event Viewer.
3.5.0.1523 All DSEN-7416 After upgrading from Windows 7 x64 to 19H1, the endpoint might still report that the machine is running Windows 7.
3.3 All DSEN-7727 In some cases, the installer dialog requests an email address. To complete the install, an uninstall code is actually required.
3.5.0.1523 CB Defense DSEN-6985 CB Defense might not parse path-based rules that begin with a backslash. Most commonly, this affects cloud file sharing apps such as Box and Google File Stream. A potential workaround is to add wildcards before the backslash, although that will match any subfolder that has that partial path. This issue will be fixed in an upcoming maintenance release.
3.5.0.1523 All DSEN-1987 False positive alert when the [application name] attempts to access raw disk on the file. See https://community.carbonblack.com/docs/DOC-10730.
3.5.0.1523 All DSEN-1180, DSEN-3065 When using CB LiveResponse, users can terminate the sensor if they terminate RepMgr.exe. Terminating this process means that the sensor cannot connect to the backend, and the CB LiveResponse session ends. The sensor does not recover until after a reboot. Users can also delete certain files in the confer directory. Users are advised to use caution during CB LiveResponse sessions.
3.5.0.1523 All DSEN-2378 During an attended install, the Windows installer shows a blank error dialog when attempting to install on an unsupported operating system.
3.5.0.1523 All DSEN-1387 Background scan remains disabled on devices where VDI=1 was used. See https://community.carbonblack.com/docs/DOC-12001.
3.5.0.1523 All DSEN-4216 The Windows 3.4 sensor accumulates deleted files within the sensor cache and does not remove them when the files are removed from disk. This can lead to the sensor reporting that malware is still on disk when it has been removed.
3.5.0.1523 All DSEN-4143 Users might experience blocks of Microsoft OS upgrades if an upgrade is attempted shortly after release, before the Carbon Black Cloud product has established a reputation for the operating system. An administrator can work around this issue by either placing the sensor in Bypass or adding the following paths to bypass:
**\windows\servicing\**
**\$windows.~b\**
Make sure that the policy configuration "When an unknown application tries to run - deny/terminate" is disabled when you upgrade.

3.5.0.1523 All DSEN-4591, EA-13682 Arcmap files are corrupted or missing in certain environments.
3.5.0.1523 All DSEN-4581, DSEN-4694 A terminate action might be applied to wmiprvse.exe, showing an alert in the Carbon Black Cloud console during machine start-up. At the time, wmiprvse has an unknown reputation and is scraping lsass.exe. This commonly happens during Windows updates. Wmiprvse.exe should execute after the reputation resolves, and the update should succeed.
3.5.0.1523 All DSEN-4924, EA-13414 Some customers have reported interoperability issues with Skype, Lync, and Windbg on Windows 7. Other operating systems are unaffected.
3.5.0.1523 All DSEN-3408 The CLI_USERS=<Sid> command line option works correctly when you install non-interactively using a COMPANY_CODE, but it does not work when you use the direct end-user installer with an activation code.
3.5.0.1523 All DSEN-6654 A Windows freeze was reported during the first login with a domain account during a Group Policy upgrade from Windows sensor 3.4.0.1077 to Windows sensor 3.5.0.1339.
3.5.0.1523 All DSEN-6622 The Group Policy upgrade from Windows sensor 3.2.1.51 to Windows sensor 3.5.0.1332 failed. The steps to resolve this are documented internally and will be provided in an update of the Carbon Black Cloud User Guide.
3.5.0.1523 All DSEN-6136 Non-executable file reads, writes, and deletes are 40% slower on Windows sensor 3.5.0.1160 than Windows sensor 3.4.0.1078.
3.5.0.1523 All DSEN-4924 One customer observed WinDbg and Lync crashing.
3.5.0.1523 All DSEN-7144 When "disable services of known malware" is enabled, some endpoints have observed a CPU spike approximately every 5 minutes.
3.5.0.1523 All DSEN-5881 In some cases, metadata associated with blacklisted files is not present in the UI. This has only been reproduced internally.
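Checking for the leftover Security Center registration described in DSEN-12202 after running the sensor removal tool: the PowerShell below is an added example written for this page, not Carbon Black's removal tool or a documented procedure. It assumes that the stale subkey or one of its values mentions Carbon Black, CbDefense or confer (the sensor's install folder name used elsewhere in these notes), and it treats a registration as stale only when the CbDefenseWSC service (named in the 3.5.0.1756 entry) no longer exists, so a registration belonging to a still-installed sensor is not flagged.

```powershell
# Added example for this page; not Carbon Black's removal tool or documented procedure.
# Assumptions: a stale provider subkey or one of its values mentions Carbon Black,
# CbDefense or confer, and the sensor is truly gone when the CbDefenseWSC service
# no longer exists. Run from an elevated PowerShell session after the removal tool.

$ProviderRoot = 'HKLM:\SOFTWARE\Microsoft\SecurityCenter\Provider\AV'
$StaleMarker  = 'Carbon Black|CbDefense|confer'   # assumed markers; adjust as needed

function Test-SensorServicePresent {
    $null -ne (Get-Service -Name 'CbDefenseWSC' -ErrorAction SilentlyContinue)
}

function Get-StaleAvProviderKey {
    param(
        [string]$Root   = $ProviderRoot,
        [string]$Marker = $StaleMarker
    )
    if (-not (Test-Path -Path $Root)) { return }   # nothing registered at all
    $sensorPresent = Test-SensorServicePresent

    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        # Fold the subkey name and every value under it into one string for matching.
        $props  = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $values = @()
        if ($props) {
            $values = $props.PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' } |        # skip PSPath/PSParentPath/...
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
        }
        $blob = (@($key.PSChildName) + @($values)) -join ' '
        if ($blob -match $Marker) {
            [pscustomobject]@{
                Key             = $key.Name
                Data            = $blob
                SensorInstalled = $sensorPresent
                Stale           = -not $sensorPresent   # registration with no sensor behind it
            }
        }
    }
}

function Get-SecurityCenterAvProduct {
    # What Security Center itself still advertises. root\SecurityCenter2 exists on
    # client SKUs; on Server SKUs the namespace is absent, so this returns nothing.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue |
        Select-Object -Property displayName, productState, pathToSignedProductExe
}

$stale = @(Get-StaleAvProviderKey | Where-Object { $_.Stale })
if ($stale.Count -gt 0) {
    $stale | Format-List
    $msg = '{0} stale AV provider registration(s) under {1}. Verify the sensor is uninstalled, then remove the subkey(s) with Remove-Item -Recurse.' -f $stale.Count, $ProviderRoot
    Write-Warning $msg
} else {
    Write-Host "No stale Carbon Black AV provider registration found under $ProviderRoot."
}
Get-SecurityCenterAvProduct | Format-Table -AutoSize
```

The script only reports; deleting the subkey is left as a manual step because removing a live provider registration would silently hide a working AV product from Security Center. Compare the registry output with the WMI listing: a Carbon Black entry in the registry with no matching AntiVirusProduct instance and no CbDefenseWSC service is the residue this issue describes.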
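Two entries above depend on the RepCLI user list: the tamper-protection workaround for DSEN-8551 assumes a set of authenticated RepCLI users exists, and DSEN-3408 says the CLI_USERS=<Sid> installer option only takes effect with a COMPANY_CODE install. The PowerShell below is an added example, not Carbon Black's installer or documentation: it resolves the SID that CLI_USERS expects from an account or group name and assembles the unattended msiexec command line for the COMPANY_CODE path. COMPANY_CODE and CLI_USERS are the installer properties these notes name; the MSI path, log path and company code value are placeholders.

```powershell
# Added example; not Carbon Black's installer documentation. COMPANY_CODE and
# CLI_USERS are the installer properties named in the release notes; the MSI
# path, log path and company code value below are placeholders you supply.

function Resolve-AccountSid {
    # Translate 'DOMAIN\Group' or 'BUILTIN\Administrators' into the S-1-5-... string
    # that CLI_USERS expects. Throws if the account cannot be resolved (typo, untrusted domain).
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-SensorInstallCommand {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$CompanyCode,
        [Parameter(Mandatory)][string]$CliUsersAccount,
        [string]$LogPath = (Join-Path $env:TEMP 'cbc-sensor-install.log')
    )
    $sid = Resolve-AccountSid -Account $CliUsersAccount
    if ($sid -notmatch '^S-1-') { throw "Unexpected SID format for ${CliUsersAccount}: $sid" }

    # msiexec takes public properties as NAME=value; quote values that may contain
    # spaces or shell-significant characters. /q = silent, /L*v = verbose log.
    'msiexec.exe /q /i "{0}" /L*v "{1}" COMPANY_CODE="{2}" CLI_USERS={3}' -f $MsiPath, $LogPath, $CompanyCode, $sid
}

# Usage: build and review the command, then execute it from an elevated session.
$cmd = New-SensorInstallCommand -MsiPath 'C:\Installers\CBCloudSensor.msi' `
                                -CompanyCode 'REPLACE-WITH-COMPANY-CODE' `
                                -CliUsersAccount 'BUILTIN\Administrators'
Write-Host $cmd
# To run it: Start-Process -FilePath cmd.exe -ArgumentList "/c $cmd" -Wait -Verb RunAs
```

Resolving the SID up front turns a silent misconfiguration (a mistyped group name that the installer would accept as an opaque string) into an exception before anything is installed. In practice, prefer a dedicated group over BUILTIN\Administrators so that RepCLI access, and with it the ability to inspect %programdata%\CarbonBlack during support sessions, is narrower than local administrator membership.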