Attention: As of February 28, 2022 the Carbon Black Cloud Release Notes will be published on VMware Docs. This UEX release notes space will remain, but will no longer be updated.

Carbon Black Cloud Windows Sensor Release Notes

Carbon Black Cloud Windows Sensor Known Issues

Carbon Black Cloud Windows Sensor Fixed Issues

Carbon Black Cloud Windows Sensor Release Notes

Attention: As of 28 February 2022, Carbon Black Cloud Release Notes are published on VMware Docs. This UEX site will remain but no longer be updated.

VMware Carbon Black Cloud Windows Sensor includes the following improvements:

  • Enterprise EDR (EEDR) Windows sensors now detect and report associated API information relating to Windows cross process events (previously available in Endpoint Standard-enabled environments only). Users can now search on crossproc_api events within the admin console in EEDR-only environments.
  • New OSquery extensions are added for improved collection of sensor diagnostics and endpoint configuration information. New tables include information pertaining to sensor counters, sensor files, sensor processes, sensor status, known devices, and much more. See the VMware Carbon Black Cloud User Guide for more information on our Live Query Extension Tables.
  • Sensor Upgrade Limit Increase - The number of concurrent updates is 25% of the total organization size, with a minimum of 25 sensors and a maximum of 500 sensors. For more information please see the View Progress of Sensor Updates section of the VMware Carbon Black Cloud User Guide. This applies to all Windows sensor upgrades going forward regardless of sensor version. As of the (MR1) build, Windows sensors will respond to upgrade requests in a more timely and prompt manner.
  • VDI Improvements - File hashes calculated on Golden VM images are reused for associated VDI clones, which saves host resources (disk IO and CPU) and generally improves VM boot and login times. This feature can be enabled in VDI environments using the FileCachePersistenceState config prop with a specified value of "3". See the VMware Carbon Black Cloud Sensor Installation Guide for more information on Horizon Golden Image Considerations for Carbon Black Windows Sensors.

This release updates osqueryi.exe to version 4.8.0, and includes bug fixes and improvements.

This release updates osqueryi.exe to version 4.7.0, and includes bug fixes and improvements.

Sensor Installer Rollback

Build-to-build, version-to-version upgrade rollback is now fully supported when upgrading from version 3.7 and later sensors. The following table describes rollbacks that various Carbon Black Cloud sensor versions support. rollbacks.png

For more details about rollback functionality, see the VMware Carbon Black Cloud Sensor Installation Guide.

Enterprise EDR Hash Banning

This feature provides Enterprise EDR users with the ability to ban files by hash, thus preventing files from:

  • Being opened with execute access
  • Starting a process from a file
  • Being loaded as a module in a process
  • Being loaded as a script
  • Being loaded as a driver

For more details, see

Ransomware Boot Record Protection

A new disk driver (cbdisk.sys) helps protect against the most dangerous types of ransomware that attempt to corrupt the boot record of an endpoint. This type of ransomware encrypts files and alters the master boot record (MBR) and partition boot record (PBR), rendering the device unusable.

Important Note: A reboot is required after install/upgrade/cloning a golden VM image to fully leverage our ransomware protection capabilities. This new disk driver should be added to any previously set AV exclusions.

SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2

Microsoft no longer allows code-signing using SHA1. To continue running VMware Carbon Black Cloud Windows sensor version 3.7+, the KB4474419 patch should be applied to applicable operating systems. Our Carbon Black Cloud sensor - OS Support article on UEX reflects this change.

Automatic re-registration of VMware Carbon Black Cloud Windows sensors in Citrix PVS environments

The 3.7 Windows sensor supports a new cfg.ini parameter AutoReRegisterForCitrix = True for automatically re-registering Windows sensor on VDI clones in Citrix PVS environments.

SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2

Microsoft is no longer allowing code signing using SHA1. To continue running our latest Carbon Black Cloud Windows 3.6 sensor version (, the KB4474419 patch should be applied to applicable operating systems. Our Carbon Black Cloud sensor - OS Support article on UEX has been updated to reflect this change.

This updated Windows sensor version includes fixes and performance improvements.

This updated Windows sensor version includes fixes and performance improvements.

osquery version update 4.5.1

This updated Windows sensor includes the most recent version of osquery (4.5.1). See the Carbon Black Cloud Sensor Support for osquery document for a full list of sensor versions and supported schema versions. (This sensor is no longer available for download)

osquery version update 4.5.0

This updated Windows sensor includes the most recent version of osquery (4.5.0). See the Carbon Black Cloud Sensor Support for osquery document for a full breakdown of sensor versions and supported schema versions.

This update lets you query the Windows event log. Users can now craft custom queries or use new out-of-the-box queries from our Threat Analysis Unit to pull back artifacts from Windows event logs on demand. These artifacts include event ID, the time an event occurred, the source or channel of the event, the provider name and guid associated with an event, the severity level of an event, and more.

This version also includes Windows support for the yara table and no longer requires an on-disk signature to be present.


VMware Carbon Black Cloud sensor version 3.6 is for Windows only. See supported operating systems on the UEX: Carbon Black Cloud sensor support.

osquery 4.4.0

The 3.6 Windows sensor introduces osquery version 4.4.0. Learn more about version 4.4.0 here:

Firewall exclusion

The 3.6 Windows sensor leverages a content management system to enable the dynamic configuration of prevention features. Prior to installing or upgrading to 3.6, if you have restrictive firewall policies active in your environment, you might need to add a new firewall/proxy exclusion for the sensor to be fully functional.

Add a new network/proxy exclusion for a direct connection over TCP/443 to 

Enterprise EDR, AMSI Prevention, and Unified Binary Store require the exclusion to work with the 3.6 sensor. 

To learn more about the sensor communication requirements, see Carbon Black Cloud: What Ports must be opened on the Firewall and Proxy Servers? 

Sensor install/uninstall improvements

With the Carbon Black Cloud Windows 3.6 sensor, the install and uninstall experience is strengthened on the endpoint. If a failure occurs during an initial install of the product or during an uninstall, the endpoint will be returned to the state it was in prior to the attempt. 

To learn more about Windows sensor installation and uninstallation, see the Sensor Install Guide on the UEX or in your VMware Carbon Black Cloud Console under the Help menu in the top bar

AMSI Prevention and visibility (Endpoint Standard) 

VMware Carbon Black Cloud has extended its default prevention capabilities for script-based Windows attacks, built on Microsoft Anti-Malware Scan Interface (AMSI). This extension of the AMSI integration expands on existing PowerShell preventions with improved ease of use and a better security posture. 

This release includes the ability for the sensor to dynamically leverage AMSI metadata to define and configure prevention logic. These updated, high-fidelity prevention rules are being crafted by VMware Carbon Black’s Threat Analysis Unit to include frequently used off-the-shelf attacker frameworks that are regularly seen in script-based attacks.

AMSI prevention and visibility is only supported on Windows 10 and greater and requires sensor version 3.6+. AMSI prevention and visibility will be rolled out in a staggered manner to customers. No action is required by the customer. 

Sensors that are registered with the following backend instances can use the functionality on the listed date.









Sensor logs locations

Previous versions of the sensor stored logs in the \Program Files\Confer\Logs\ directory. 

The Windows 3.6 sensor stores some logs in Program Files and some logs in ProgramData: 

  • \Program Files\Confer\Logs\ 
  • \ProgramData\CarbonBlack\Logs\

Throughout 3.6 maintenance releases, we will move all logs to ProgramData to better align with Microsoft guidelines.

VDI improvements

The VDI workflow is improved with the Windows 3.6 sensor. Re-registering is less restrictive and easier. VDI clones and re-registered devices inherit the policy of the primary image if one exists. Otherwise, clones and re-registered devices are assigned the Virtual Desktop policy or the Standard policy in that order. Additionally, if an organization is using sensor groupsthe new device will be moved to the appropriate policy when the metadata matches. See the Sensor Installation Guide for full VDI considerations and see the in-product User Guide for more information about sensor groups.  




VMware Carbon Black Cloud sensor version 3.5 is for Windows only. This release is Generally



Turn off services associated with malware

Malicious services that run at start-up have the potential to execute and impact the endpoint
before the sensor starts up. A new feature finds all malicious services associated with Known
Malware hashes and puts them in a un-enabled state. The services remain in off across
reboots, and therefore cannot execute at startup. If a service binary in question was not
malicious or if some other tool is used to clean the malware, then the sensor will not
automatically enable the service again. To re-enable the service you must manually do so by
using LiveResponse or other standard tools. The feature is enabled by default and can be
turned off by a request to Support.

The command for the remediation through CB LiveResponse is:

  1. Query the service start type exec: execfg sc.exe qc <servicename>
  2. Change the start type using the command: execfg sc.exe config
    <servicename> start=<starttype>

The possible start types are: boot | system | auto | demand | disabled | delayed-auto

The event that is sent during the service un-enable contains the original start type and displays in
the user interface. The user needs this data to return the start type to its original value. If the
start type changes to boot, auto or delayed-auto, they must reboot.

Removal of registry keys during deletion

Deletion of files, both manual and through the Malware Removal workflow, previously did not
attempt to remove registry keys that were created by the malware. When requested to delete a
file, the Windows 3.5 sensor also removes RunOnce registry keys from the HKLM hive that reference the malicious binary that is being deleted. Other auto-start registry keys referencing the malware might remain.

Offline installer

The Windows 3.5 sensor supports offline installs to support machines that are configured in an offline environment. The feature is enabled during a command line installation by adding the flag “OFFLINE_INSTALL=1”. The sensor connects with the Carbon Black Cloud backend and accesses a policy when network connectivity is restored. The sensor does not provide any visibility or protection until it is connected to the backend.

To use the feature, ensure that there is a host or network level firewall rule in place to prevent the master image from connecting to the Carbon Black Cloud devices URL. Then, Install the sensor using the OFFLINE_INSTALL parameter and any other parameter that is typically used during a command line install (aside from PROXY). Clone or restore to snapshot. Each snapshot and clone appears as a new device in the backend console and are not treated as a VDI clone unless you explicitly install with VDI=1 or used the repCLI reregister command. Otherwise, console admins are responsible for cleaning up old clones, either manually or via API.

Note: If a user changes the company code in the backend, you can no longer make new clones that haven’t registered yet because those clones will continue to try to use the original company code. If you change the company code, you must create new images using the new company code.

Endpoint management improvements

The Windows 3.5 sensor effectively handles non-persistent domain disconnections. Previously, the sensor applied the default policy when the AD attribute was cleared (in instances such as off-network without VPN). Now, the sensor maintains the desired AD group and the desired policy. The distinguished name is not cleared unless the machine is not registered as part of the domain.

In the Endpoints page, the Windows 3.5 sensor reports who is logged into an endpoint every 8 hours instead of reporting the user who installed the sensor. If there is no interactive user logged in to the endpoint within the 8 hour window, you might get a non-interactive user name such as “Windows Manager\DWM-2”. In the case of multiple logged-in users, the most recently logged-in user is associated with the endpoint.

Improved capability to identify command interpreters

CB Defense has improved its methods for identifying a process as a command interpreter or as
a script host. By integrating with the yara binary pattern matching utility, the Windows 3.5 sensor
better protects against threats where an attacker brings their own copy of standard operating
system interpreters or tries to hide by running tools with non-standard names. Customers who
are already leveraging the Tries to invoke command interpreter rule immediately benefit from
this update.

As part of this update, Carbon Black’s Threat Analysis Unit (TAU) can dynamically update the
definition of what it means to be a command interpreter.

Improved Netconn detection for proxy servers

With the Windows 3.4 sensor, CB ThreatHunter customers who are using a proxy server in their
environment saw most (all) outbound network connections being reported with the proxy's address and host name as the destination. The Windows 3.5 sensor improves reporting of network events to report the actual destination IP and hostname, rather than those of the intermediate proxy.

Note: This functionality is enabled in the Windows 3.5 sensor, but will not be available for use until a future Carbon Black Cloud console release.

CB ThreatHunter hash deny-listing

The Windows 3.5 sensor enables deny-listing of files by hash for CB ThreatHunter. Once a hash is added to the company deny-list it is prevented from the following:

  • Being opened with execute access
  • Starting a process from a file
  • Being loaded as a module in a process
  • Being loaded as a script

Processes that have the deny-listed hash loaded at the time the hash is added to the deny-list are
terminated shortly after the sensor receives the updated reputation.

Note: This functionality is enabled in the Windows 3.5 sensor, but will not be available for use until a future Carbon Black Cloud console release.

Dynamic tamper protection

The Windows 3.5 sensor has improved methods for identifying tamper events. The improvements help prevent access to sensor files and reduce interoperability issues with third-party products.

AMSI logging

The Windows 3.5 sensor enables the collection of deobfuscated command line data through AMSI for CB ThreatHunter customers. For more information on AMSI, see

In the cloud console, this integration will manifest in the form of filess_scriptload events, which represents processes that executed commands in fileless execution context. More information will be provided in the backend release notes for the February 18th UI release.

Updated 09/02/2020:

Sensor check-in time update

The sensor check in time is reduced from 5 minutes to 1 minute. The maximum expected latency for establishing a Live Response session should now be 60 seconds (assuming the device is online and running a 3.5 or newer sensor version). Other operations might also complete faster.
The Last check in value in the console will not necessarily update faster because of performance/scale reasons.


Sensor Version Fixed Product Issue ID Description


UAV-2154, EA-18733, EA-19153

AMSI rules were being bypassed in Windows Terminal and other containerized applications.


DSEN-16642, EA-19844

Sensors could not exit Quarantine mode after losing network connectivity.


DSEN-16429, DSEN-12463

Upgrades conducted by non-admin users could leave the sensor in an inoperable state if the Windows registry was corrupted from a previous install or upgrade failure.


DSEN-16231, DSEN-14832

Windows 11 devices (running build 10.0.2200) displayed as Windows 10 in the Carbon Black Cloud console.


DSEN-15324, EA-19302, EA-19398

Sensor misreported files being executed from Recycle Bin.

Endpoint Standard

DSEN-15157, EA-19374

A rare crash in repmgr could occur when the sensor was scanning files.


DSEN-15013, DSEN-6805, EA-19223

Improved command line script detection.

Endpoint Standard

DSEN-14799, EA-19232

The sensor was not checking for bypass when enforcing Process Doppelgänging protections.


DSEN-14721, EA-19615

The sensor could cause system crashes to occur with ctifile.sys.


DSEN-14550, EA-18912

Updated default zip/compression settings for sensor events being stored on disk to reduce CPU consumption of the sensor. This settings change is intended to mitigate potential event loss due to proxy errors. However, sensor events being written to disk can see a 70% increase in file size/bandwidth compared to previous sensor versions. Event batch disk space usage remains 1GB by default.


DSEN-14184, EA-18800

End-user License Agreement has been updated to indicate the creation of canary files on successful sensor installations.


DSEN-14134, EA-18111, EA-19331

Deleting a file failed in a redirected folder setup in Horizon VDI with DEM folder redirection.


DSEN-13173, EA-17975, EA-18052

CbAMSI.dll is now WHQL signed to resolve issues where the sensor was blocked from loading CbAMSI.dll in svchost.exe processes if the "Enable svchost.exe mitigation policy" setting was turned on.


DSEN-12801, EA-19124

Improved suppression of “RepUx.exe - Bad Image” prompts when third party apps are blocked from injection attempts.


DSEN-11416, EA-17516

The sensor was unable to decrypt proxy_creds with installations performed from system account context.


DSEN-7625, EA-18519

Added ability to protect against aspx files executing on IIS.

Endpoint Standard


Improved sensor behavior to check for policy updates prior to blocking actions to ensure long-running processes are enforced via new policy rules set after process launch.



Fixed an issue where upon creation of an instant clone pool, the internal template got network access, which resulted in the internal template's sensor contacting the backend with the same Device ID as the golden image. This resulted in duplicate Device IDs.


UAV-2292, EA-19483

Fixed an issue causing system crashes to occur due to ctifile.sys.


UAV-2267, EA-19384

Fixed an issue causing a large number of alerts to be generated with previous 3.7 Windows sensors around wordpad.exe attempting to inject code into other processes via SetWindowsHookEx.


DSEN-16174, EA-19890

Fixed an issue where any Non-RepMgr process logging that goes through FileLogger grew unbounded causing multiple sensor logs to grow excessively large.  


DSEN-16109, EA-19823, EA-19826

Fixed an issue where RepMgr could be deadlocked and render the endpoint unresponsive and spike the sensor’s memory usage. All

DSEN-16024, EA-19263

Improved Tamper Protection policy to improve performance for Endpoint Standard. All

DSEN-15958, EA-19799

Fixed an issue with sensor upgrades from v3.6 → v3.7 where the reference count of ctiuser.dll was not being properly reset and could lead to a missing ctiuser.dll file if a failure occurs on sensor upgrade. All

DSEN-15889, EA-19561, EA-19723

Fixed an issue causing effective reputation applied to allowed certificates to change after sensor upgrades to previous 3.7 sensors. All

DSEN-15667, EA-19586

Fixed an issue with the sensor applying a policy deny rule for applications signed with allowed listed certificates. All

DSEN-15618, EA-19564

Fixed an issue with missing serial number information associated with attached devices. All

DSEN-15505, EA-19390, EA-19454, EA-19504, EA-1991

Fixed an issue where sensor management operations, such as sensor uninstall or sensor upgrades, would not work if CbELAM files are missing on Windows operating systems supporting Microsoft Early Launch AntiMalware (ELAM) drivers. All


Updated osqueryi.exe to version 4.8.0. All

DSEN-14942, EA-19404

Fixed an issue with the simple hash table of ctifile.sys. All

DSEN-12932, EA-17866

Fixed an issue where ctiuser.dll could be loaded twice.

Endpoint Standard

UAV-2212, EA-19082, EA-19167

A large number of alerts were being generated with the CBC Windows sensor around explorer.exe injecting into iexplore.exe via NtQueueApcThread. See our UEX knowledge base for more information: Carbon Black Cloud: Observing a large number of alerts for code injection via NtQueueApcThread after upgrade to

Enterprise EDR

UAV-2206, EA-18589

A temp file could be left behind when saving a modified Excel file in Enterprise EDR (only) orgs.


UAV-2201, EA-19048

A data-race issue could lead to a system crash.


DSEN-15119, EA-19388

System crashed when attempting to format drives.


DSEN-14950, EA-19195, EA-19313

System crashed on Windows Server 2008 R2 systems.

Endpoint Standard


Fixed a bug when applying Endpoint Standard functionality immediately after switching from an Enterprise EDR (only) org.


DSEN-14801, EA-19243

The CBC Windows sensor blocked MSI installations of software that required a registry modification of a disk drive upper filter value to complete installation.

Endpoint Standard


Due to an unsafe location, tamper blocks occurred when osqueryi.exe attempted to load cbamsi.dll.



The sensor misreported process privs when compared to Process Explorer.



First time sensor installation required a reboot to remove the sensor from Bypass mode for sensors installed with ‘Bypass sensor after login’ enabled through the sensor’s policy settings.


DSEN-14592, DSEN-12808, EA-16115

The sensor reported improper shutdown/sleep states in the console.



The sensor now supports a config prop for leveraging BIOS UUID for re-registration of VDI clones.


DSEN-14575, DSEN-13266

Logging now properly reports a failure due to an expired company code.


DSEN-14574, DSEN-13926

The .msi installer precheck returned an error and failed to upgrade sensors due to missing sensor version information in MsiGetProductInfo.



Added a pop-up error dialogue when CBC Windows sensor installation has detected a non-SHA256 patched Windows OS system.

For more information:
[CBC Windows] SHA-2 Windows

Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2
Carbon Black Cloud sensor: Windows desktop support

Carbon Black Cloud sensor: Windows Server support



Fixed a bug in the ctinet.sys driver that would cause a system crash when processing specific network events.

Endpoint Standard

DSEN-14326, EA-18664

The sensor allowed deleting of files that had the “readonly” attribute set.


DSEN-14015, EA-17990

The sensor would not perform process classifications while in bypass. It required RepCLI commands issued through a Live Response session that require authentication to be sent to the sensor in an active state.

Endpoint Standard

DSEN-13971, EA-18729, EA-19333

Files with hashes that were populated in the banned hash list could temporarily run for a short time.


DSEN-13517, EA-18627

The sensor ignored bypass rules for .tmp files.


DSEN-13281, EA-18012

Fixed an issue with shutting down the sensor service in hardened environments that could lead to failures with sensor upgrades.



Now ship with osqueryi.exe version 4.7.0.

Endpoint Standard

DSEN-12555, EA-18067, EA-18165, EA-18418, EA-18581, EA-18866

Fixed a bug where the sensor could hang Microsoft Software Shadow Copy Provider service on startup.

Endpoint Standard


Sensor upgrades initiated outside the server console could result in failure due to msiexec.exe being blocked by tamper protection.



RepCLI capture could only be used to save zip files to local directories. If you attempted to save the zip file to a network location, the file is written to the c:\programdata\carbonblack\logs\temp directory.



Sensors running on Windows 10 Enterprise Multi-Session environments could display the OS version as “Windows Server 2019”.



Fixed a bug in ctinet driver that could lead to system crash.

Endpoint Standard, Enterprise EDR

UAV-2191, UAV-2204, EA-18905, EA-18910, EA-18889, EA-18965, EA-18982, EA-18881

Non-ASCII characters in filenames (such as Chinese and Japanese) could cause the AMSI module to crash the process that was being inspected. Logging related to AMSI events generated from non-ASCII file names is also fixed.


UAV-2201, EA-19048

A data-race issue that could lead to a bugcheck.

Enterprise EDR

UAV-2206, EA-18589

A temp file was left behind when saving a modified excel file.



We now allow the sensor to be uninstalled if the BackupPath key located under HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch is not set.

Endpoint Standard

DSEN-12555, EA-18067, EA-18165, EA-18418, EA-18581, EA-18866

The sensor could hang Microsoft Software Shadow Copy Provider service on startup.


DSEN-13226, EA-17848

The sensor could time-out during upgrades on systems that had large amounts of applications and files in use.

Endpoint Standard

DSEN-13250, EA-18515

Fixed a bug that could lead to a process deadlock on busy systems as described in this knowledge base article on UEX:


DSEN-13429, EA-18403

Fixed a bug that could lead to a bugcheck if a process attempted to access a file residing on a network share.


DSEN-13767, EA-18685

Error dialogs appeared when third-party apps attempted to inject into any of the sensor’s processes.

Endpoint Standard

DSEN-13807, EA-18785, EA-18821

Fixed a bug triggering false positive AMSI alerts.


DSEN-14127, DSEN-14133

Our CBC Windows builds are no longer signed with SHA1 code signing (only SHA2 and WHQL). As such, Windows Operating System updates may need to be applied in order to run our CBC Windows sensor version. Please see our UEX posts for more information:
[CBC Windows] SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2

Carbon Black Cloud sensor: Windows desktop support

Carbon Black Cloud sensor: Windows Server support



The sensor could remain in bypass mode after a system reboot. This only occurred if the sensor was configured to run as AMPPL, but was not actually AMPPL on startup. This only occurred when upgrading from v3.3 and earlier sensors or when config props to disable AMPPL exist.


DSEN-13691, EA-18749, EA-18647

Sensor uninstall could fail if C:\Windows\ELAMBKUP\CbELAM.sys file was not present.

Endpoint Standard, Enterprise EDR


The 3.7 CBC Windows sensor now automatically registers the CBC Windows sensor on VDI clones in vSphere environments. This feature requires both the vSphere HostModule and the 3.7 CBC Windows sensor. Log information can be found at C:\ProgramData\CarbonBlack\Logs\vhostcomms.log. AV exclusions might be needed for C:\Program Files\Confer\VHostComms.exe. All


The 3.7 Windows sensor supports a new cfg.ini parameter AutoReRegisterForCitrix = True for automatically re-registering CBC Windows sensor on VDI clones in Citrix environments.

Note: A separate script to re-register the agent is not required after specifying this parameter in the cfg.ini file. All


Added alarms for installation, uninstallation and upgrade failures. All


Various improvements to sensor services.
Examples include:

  • Potentially less delays for receiving Defense events from sensors
  • Faster LQ results
  • One request's timeout no longer delays other requests Endpoint Standard

CBC-1638, DSEN-11202

Defense API reports that used to be sourced from API hooking have been moved to Event Tracing For Windows Providers and the File System Driver for product stability reasons.

In addition we have added a new disk driver “cbdisk.sys” to protect against ransomware threat actors attempting to corrupt the boot records which live on disk and prevent machines from booting.

With the introduction of our new “cbdisk.sys” driver in 3.7, any API_BYPASS previously set will no longer allow processes that were blocked from writing to protected disk regions or accessing canary files. With 3.7, users should now set bypasses for processes performing activity detected as ransomware through a rule: "Application at path -> Performs ransomware-like behavior -> Allow.". Endpoint Standard


The background status progress based on percentage complete is now visible via the RepCLI status output. Endpoint Standard, Enterprise EDR

UAV-2041, EA-17693, EA-18300

Reduced frequency of non-paged pool memory allocations to avoid memory fragmentation and help with system performance. Endpoint Standard


Fixed a bug where non-ASCII characters (such as Chinese and Japanese) in filenames caused the AMSI module to crash the process that Endpoint Standard was inspecting. Endpoint Standard

DSEN-5758, EA-18469

Fixed a bug where the length of the alert details message could impact CPU performance. Endpoint Standard

DSEN-5833, DSEN-7252, DSEN-7253, EA-14620, EA-15335, EA-15649

Detect and prevent malicious lnk chains. All

DSEN-5870, EA-18220

Sensor installation/uninstallation failed if the BackupPath registry key was missing from “HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch\” Endpoint Standard, Enterprise EDR

DSEN-7246, EA-17566, EA-15975

Fixed a bug capturing certificate information from jar files. Endpoint Standard

DSEN-7266, EA-15600

Windows sensor endpoint details will now append a “YYYYMMDD” date to Scan Engine information to specify the date the signature pack was collected. 

Note: On upgrades from older versions of the CBC Windows sensor, a signature pack update might be needed to display this information. Endpoint Standard

DSEN-8198, EA-18133, EA-17388, EA-16521, EA-18124

Intermittent failures with RDP connections. All

DSEN-8262, EA-17682

Fixed a bug with reporting the last interactive logged-on user on Windows Server 2019 as WDM instead of the local user account. Endpoint Standard


CBC Windows sensor now allows updating signature packs while in network quarantine. Audit & Remediation

DSEN-10001, EA-16517

Fixed a bug with closing Live Response sessions. Endpoint Standard

DSEN-10427, EA-16855

Improved performance with launching Office 365 applications. All

DSEN-10677, EA-17112

Fixed a bug with the sensor removal tool cleaning up registry entries after uninstallation of the sensor. Endpoint Standard, Enterprise EDR

DSEN-10830, EA-17223

Improved pruning of the DB_REP file to prevent excessive growth. Endpoint Standard, Enterprise EDR

DSEN-11084, EA-17416

The sensor did not recover gracefully when it lost connection to the kernel. Endpoint Standard, Enterprise EDR

DSEN-11181, EA-17345

Fixed a bug with displaying protection state information via RepCLI and the console when DelayProtectionAtBoot or DelayProtectionAtLogin are applied. Endpoint Standard

DSEN-11290, EA-17462, EA-16703

Fixed a bug with excess process handles causing performance degradation. Endpoint Standard

DSEN-11413, EA-17335

Fixed a bug with processes running in a container being falsely marked as “hidden”.

Can manifest as alerts with the TTP: HIDDEN_PROCESS after installing sensor version Endpoint Standard, Enterprise EDR

DSEN-11731, EA-17882

Fixed a bug causing registration issues with sensors upgraded through the command line interface that incorrectly specified OFFLINE_INSTALL=1. Endpoint Standard, Enterprise EDR

DSEN-12164, EA-18080

Fixed a bug causing an error message to appear when clicking “VMware, Inc” from the “About” section under CBC Windows tray icon. Endpoint Standard

DSEN-12447, EA-18230, EA-18064

Fixed a bug with script interpreters being wrongfully terminated when applied rules were set to only deny.

Can manifest as a console alert showing that an Office document was denied opening another Office document. Endpoint Standard

DSEN-12526, EA-18264

Fixed a bug causing Repmgr to crash when an access violation on a buffer occurs. All


Fixed a bug with sensors connecting to the backend through a proxy when a default WinHTTP proxy is configured in the registry, such as if you configured through netsh. Endpoint Standard

DSEN-13429, EA-18403

Fixed a bug that could lead to a bug check if a process attempted to access a file residing on a network share. Endpoint Standard, Enterprise EDR

DSEN-13518, EA-18633

Fixed a bug with incorrect MAC addresses being returned if no local area connection adapter is found. Endpoint Standard, Enterprise EDR

DSEN-13742, EA-18213

Missing parent information on the process tree page for hashban terminate alert. Endpoint Standard

DSEN-14058, UAV-2140

Repmgr service crashed during log collection when an invalid memory access was encountered. All

DSEN-14127, DSEN-14133

Our CBC Windows builds are no longer signed with SHA1 code signing (only SHA2 and WHQL). As such, Windows Operating System updates may need to be applied in order to run our 3.7+ CBC Windows sensor version. Please see our UEX posts for more information:

[CBC Windows] SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2

Carbon Black Cloud sensor: Windows desktop support

Carbon Black Cloud sensor: Windows Server support All 


Fixed a bug where the sensor could remain in bypass mode after system reboots. Endpoint Standard

DSEN-12449, EA-18064, EA-18230, EA-18270, EA-18324, EA-18429

Microsoft Office processes were terminated if the Invokes an untrusted process rule was applied. Endpoint Standard

DSEN-12571, EA-18105

Corrected RepMgr scan behavior during certificate reputation updates. Endpoint Standard

DSEN-12613, EA-18202

Fixed a registration issue with Windows Security Center after a Windows update. Endpoint Standard

UAV-1936, EA-17503

Improved sensor performance in a number of scenarios. You should see increased performance in a number of scenarios, such as when reading files over the network or when logging out. Endpoint Standard


When the Citrix Virtual Memory Optimization service is present, the Windows sensor did not block all executions from Alternate Data Streams. See the following KB article for more information: Endpoint Standard

DSEN-11432, EA-17439

Signature pack updates were not respecting the CurlCrlCheck config property. Endpoint Standard


Ransomware blocks were not always generating console alerts. Endpoint Standard


Added the ability to skip blocking executions from alternate data streams if the content hash is on the company approved reputation list. Endpoint Standard

DSEN-11654, EA-17667

Improved performance of Live Queries that leverage Yara to scan directories that have a lot of files. Endpoint Standard

DSEN-11710, EA-17591, EA-17693, EA-17877

Improved performance on machines that have a high frequency of short lived processes. Endpoint Standard


Rules were not being updated while the sensor was in bypass mode. Endpoint Standard

DSEN-11805, EA-17554, EA-17841

Improved hashing performance when large files are executed on the network. Endpoint Standard

DSEN-11814, EA-16261, EA-17121

Improved sensor performance during boot time. Endpoint Standard

DSEN-11927, EA-17912

Not trusted policy enforcement was being applied on approved files. Under Policy > Sensor, if Scan execute on network drives is off and a never seen before hash is executed that should be approved, an unwanted block could occur. Endpoint Standard

DSEN-12048, EA-17649

Improved sensor detection of  auto-generated Microsoft PowerShell scripts. Endpoint Standard


A local user interface alert was generated for known malware services. In some circumstances, when a service backed by malicious files was discovered and blocked, a local user interface alert would not occur. Endpoint Standard


Invalidly signed files that matched certificate approval rules using wildcard patterns might have been incorrectly approved despite the signature being untrustworthy. Endpoint Standard

DSEN-12143, EA-18020, EA-18064, EA-18092, EA-18148, EA-18205

Some recent Windows Updates resulted in Microsoft OS files being delivered before their external catalog that is used to verify their digital signature was registered. This resulted in the files appearing as not signed on first inspection, which could lead to tamper protection blocks and user visible errors when launching repux. The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks.

Note: You can still experience blocks

See the following KB article for more information: Endpoint Standard


Live Response was prevented from launching non-Microsoft executables by a tamper policy error. Endpoint Standard

UAV-1941, EA-17514, EA-17627, EA-17765

Performance issues arose across various assets such as Excel, video files, and USB printers. This fix improves hashing logic to make the process more efficient. Endpoint Standard

DSEN-11514, EA-17653

Uninstall rollback during upgrades did not bring the system to protected state until reboot, causing a failure during upgrades. Endpoint Standard

UAV-1853, EA-16874, EA-17503

Improved network file operations performance. Endpoint Standard

DSEN-11461, EA-17152

Delays while closing some applications. Endpoint Standard


In Endpoint Standard-only organizations, device control alerts could take hours to appear in the Alerts page because low event volume delayed reporting to the cloud. Endpoint Standard

DSEN-11617, EA-17780

One reported occurrence of a BSOD on a 32-bit Windows 7 machine. Endpoint Standard

UAV-1951, EA-17567, EA-17571

One documented case of ERP software running slowly on ERP servers. Endpoint Standard

DSEN-11639, EA-17572, EA-17811, EA-17831

Latency on file open operations on local drives and network shares. Endpoint Standard DSEN-11146, EA-17629

A reboot of a Domain Controller server during sensor uninstall is now resolved. Endpoint Standard

DSEN-11217, EA-17431

One customer reported a crash on a clustered SQL instance. Endpoint Standard

DSEN-10927, EA-17214

Excel terminated with error "attempted to modify the next instruction to execute in the process". Endpoint Standard


The local scanner was not updating endpoints that use proxy connections. Endpoint Standard


With Device Control on, users might see a slow down when accessing files on Google Drive with the Google Drive app running locally and mounting a volume in Windows Explorer. Endpoint Standard


The following error appeared after upgrading the sensor; then rebooting:
"Carbon Black Cloud Sensor: RepUx.exe - Bad Image” Endpoint Standard

DSEN-11107, EA-17416

Tableau server hung up on sensor install. Endpoint Standard


An issue was identified and fixed that could lead to background scan consuming excessive CPU. The background scan is executed upon sensor install. Endpoint Standard


Wavefront’s telegraph service would not start when the sensor was installed. This issue was found internally only. Endpoint Standard

DSEN-11338, EA-16703, EA-16977

High CPU usage by SVChost service. Endpoint Standard

DSEN-10968, EA-17653

Uninstall might have failed in some scenarios. Endpoint Standard

DSEN-11344, EA-17590

Thread handle leak in Repmgr led to hang on domain controllers. Endpoint Standard


General performance improvements. Endpoint Standard

UAV-1847, EA-15161

Normalization LRUCache has inconsistent key format if the key is a folder. Endpoint Standard

DSEN-11216, EA-15031

Sensor was not sending the endpoint’s MAC address to the backend. Endpoint Standard

DSEN-11217, EA-17431

A crash occurred on a clustered SQL instance - 0x22_CsvFs!CsvFsExceptionFilter Endpoint Standard

UAV-1893, EA-17269, EA-17446

A large number of registry operations showed high rule engine match overhead. Endpoint Standard

DSEN-11344, EA-17590

Systems with a high occurrence of network connection attempts running Windows sensor versions and may experience degraded performance. These sensor versions are no longer available for download. This issue is resolved in Windows sensor version Endpoint Standard UAV-1852, EA-15616

Sensor ignored Endpoint Standard processing of network files that were not opened for execution. Endpoint Standard DSEN-10981, EA-17152

Performance improvement where applications such as Microsoft Word make heavy use of NtReadVirtualMemory. Endpoint Standard

DSEN-10922, EA-17214

Applications making a copy of themselves caused false positive code injection alerts in the console. Endpoint Standard


Improved performance for file reads on the endpoint when a file is quarantined in place. Endpoint Standard


Incremental performance improvements for moving network files. Endpoint Standard


Sensors did not move to the correct group because metadata changes were not reported. Endpoint Standard


Resolved hang issue while inflating OneDrive files. Endpoint Standard


Sensors will now use new static proxy settings even if previously persisted ones are succeeding. Endpoint Standard


Customers might have experienced false positives for processes which had already been terminated. Endpoint Standard


Signatures did not always get re-evaluated on an upgrade from older sensor versions. This might have resulted in users seeing an alert that a file was unsigned and the process terminated. Endpoint Standard


After a sensor was cloned, the sensor might have updated the golden images endpoints check-in time prior to registering as a new cloned endpoint. This might have resulted in duplicated DeviceIDs in the console. Endpoint Standard


The sensor upgrade might have failed when Windows Security Center was disabled.
Endpoint Standard DSEN-10655

This fix improves the execution of kernel mode code. Endpoint Standard DSEN-10334

This fix resolves an intermittent issue during sensor upgrades after a fresh install. The upgrade sometimes hung while removing the old CB Defense service. Endpoint Standard DSEN-10246

Resolved an issue that caused applications to crash with ctiuser.dll as a faulting module after upgrading sensor version from to Endpoint Standard DSEN-10154

Improved signature evaluation logic on upgrade. Endpoint Standard DSEN-10370

Rare case where cert reputation did not persist. Endpoint Standard DSEN-10104

Performance improvement around caching volumes. Endpoint Standard DSEN-10555

Need to check for null content manager on shutdown. Endpoint Standard DSEN-10089

Performance improvement: not caching normalized in post-create when rules trigger the normalization. Endpoint Standard DSEN-10507

Fixed small performance inefficiency in CbdFileEventObjectBase::GetFileSize. Endpoint Standard DSEN-10466

REG_CREATE_KEY event included both new key creation events and existing key open events. Endpoint Standard DSEN-10489

Overlapping PROC_RECORD flags caused inaccurate breached alerts. Endpoint Standard DSEN-7715

Banned scripts failed to be blocked on Box cloud file sharing app. The issue did not occur on Google Drive or OneDrive. Endpoint Standard DSEN-10458

Inconsistent Storage of pscinfo in db_rep led to query failures. Endpoint Standard UAV-1813

Protobuf definitions of IPv4 and IPv6 addresses now include a human-readable format. Endpoint Standard DSEN-10246

Application crashes were due to members of SuspendInfo struct not being aligned on a 16 byte boundary. Endpoint Standard DSEN-10453

Delete code set the publisher/issuer name to VERIFIED. Endpoint Standard DSEN-10069

Major Windows upgrade did not migrate Our ELAM Backup. Endpoint Standard DSEN-10068

siUtil_IsProcessRunning did not take action on STATUS_ACCESS_DENIED; it now creates better log prints. Endpoint Standard DSEN-10198

Performance improvements: FQDN lookup optimizations. Endpoint Standard DSEN-10403

Performance improvement: Avoid acquiring exclusive file record lock to set process file type. Endpoint Standard DSEN-10158

Performance improvement: Cache process record references in handle context. Endpoint Standard DSEN-10334

CTINET: Unload prevented due to inaccurate flow counters [EA]. Endpoint Standard DSEN-10308

CTINET: Unload prevented due to inaccurate flow counters [EA]. Endpoint Standard UAV-1808

Did not refresh PSC policy upon datafile2 update. Endpoint Standard DSEN-10158

Cache process record references in handle context led to performance issues. Endpoint Standard DSEN-10134

TLS configprops input validation was inconsistent. Endpoint Standard DSEN-9952

CHashObject::DetermineIntendedSourceMask accessed DB without holding lock. Endpoint Standard DSEN-10309

Added a sensor alarm for failure disabling LSP. Endpoint Standard DSEN-10248

Error in confer.log of WARNING GetRegStringValue: Failed to read registry key Software\VMware, Inc.\ViewComposer\ga\AgentIntegration\CustomizationStarted Endpoint Standard DSEN-10153

Sigpack update caused on-access scan to effectively become enabled even if it was disabled in policy. Endpoint Standard DSEN-10091

ctifile blocked pre-write by RepMgr and confer.log logging stopped. Endpoint Standard DSEN-10246

Application crashes were due to members of SuspendInfo struct not being aligned on a 16 byte boundary.

3.6.0 All DSEN-9774

Hyper-V host blue-screened when accessing CSV file system.

3.6.0 All DSEN-6963

Sensor installation now supports both the user code provided in the email and the company code.

3.6.0 All UAV-1586

The ASP page took 20 seconds to return with AmsiEnabled in the 3.5 sensor.

3.6.0 All UAV-1421

The LiveResponse memdump command caused crashes. It was disabled by default on Windows sensors 3.3 and 3.4. It is now enabled by default and no longer causes crashes.

3.6.0 All UAV-1415

The sensor wrote large amounts of extra data to the confer.log file. The extraneous data that is written to confer.log has been reduced.

3.6.0 All UAV-1400

The sensor allowed non-execute access to quarantined files. Now, quarantined files are not accessible. This can prevent other security applications from scanning and alerting on the file, but will prevent files from being copied to other locations.

3.6.0 All UAV-1396

Intermittent delays occurred when opening Office files and navigating file systems on Windows 10.

3.6.0 All UAV-1302

Sensor install failed on Windows Server 2019 machines where there was a missing directory value for registry key HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch value "BackupPath". The value is typically C:\Windows\ELAMBKUP.

3.6.0 All DSEN-8597

During updates to Windows 19H1, the system either blocked the update or crashed during the update. This issue was only reproduced and identified internally, and the issue did not reproduce if the sensor was in Bypass mode.

3.6.0 All DSEN-8502

Previously, if a user executed an unattended install with the flag and argument "INSTALLFOLDER=<path>", the sensor installed but was non-functional. Now, an installation failure occurs if a user tries to use a non-standard installation folder.

3.6.0 All DSEN-8501

Under high load, repmgr.exe handle counts grew very large, causing minor performance issues.

3.6.0 All DSEN-7592

If the sensor's background scan changed from disabled (either via install arguments or cloud policy) to expedited, a race condition could put the background scan into disabled state.

3.6.0 All DSEN-7119

Windbg was observed to crash.

3.6.0 All DSEN-6405

RepMgr.exe crashed upon running any process from a path with Japanese Characters (c:\見る)

3.6.0 Enterprise EDR DSEN-6056

If the customer turned off Scan On Network Read/Scan on Network Execute in the policy, the sensor still tried to normalize a network path even if Enterprise EDR wasn't enabled.

3.6.0 All DSEN-5043

TTPs: ACCESS_EMAIL_DATA was assigned to an event.

The application C:\Windows\System32\taskhost.exe attempted to access the email file "C:\Users\mosesveroy\AppData\Local\Microsoft\Internet Explorer\Indexed DB\Internet.edb"

C:\Users\mosesveroy\AppData\Local\Microsoft\Internet Explorer\Indexed DB\Internet.edb looked like an Internet Explorer data file, not an email data file.

Expected behavior:

Clarify or correct TTP ACCESS_EMAIL_DATA for internet.edb.


3.6.0 All DSEN-4873

WinSSL CRL checking caused friction in POC environments that required a proxy configuration.

3.6.0 All DSEN-4720

The API hook for GetAsyncKeyState (and a small number of other functions) were in GetCallingDll. The fix for DSEN-2810 avoided an expensive call to GetLongPathNameW by checking if the pathname contained any tilde ("~") characters. If the path contained a tilde character, the call to GetLongPathNameW was made, resulting in a noticeable slowdown. Customer was using an IME-like Active-X control, called GetAsyncKeyState, and the dll was installed below C:\Program Files (x86). This resulted in having a short name with a tilde in it.

3.6.0 All DSEN-4682

Having a rule to deny memory scraping by TaskMgr does not work in Windows 10. Ctiuser is not injected into taskmgr.exe on Windows 10, so ctiuser cannot prevent memory scraping of any process (that is, creating a dump file) by taskmgr. Ctiuser was not loaded into taskmgr.exe. This behavior did not occur in Windows 7, where ctiuser is loaded through AppInit_DLLs, and creating a dump from taskmgr is successfully blocked.

3.6.0 All DSEN-4580

Occasionally, the local scan misclassified a file with a malware reputation. If repmgr requests a scan of the file, this AV rep persists in dbrep. If the local scan corrected this reputation in a subsequent signature update, RepMgr did not rescan the file, and the AV reputation was not corrected in dbrep. If there is no higher priority reputation from other rep sources, including from the cloud, this AV reputation persisted. The work-around was to add the hash to the Approved list.

3.6.0 All DSEN-4154

IT_TOOLs rule was still enforced after removing the rule on a long running process.

3.6.0 All DSEN-3099

Known malware executed and remained running.

3.6.0 All DSEN-2480

Agent Core Installer separated the installer directory from the data directory.

3.6.0 All DSEN-2167

When trying to pull down an AV pack update, the proxy information in the curl request was not set up.

3.6.0 All DSEN-1755

The sensor was in bypass mode for around 3 hours. When the sensor was taken off of bypass mode, it remained in bypass for 25 minutes, at which time the machine rebooted and the sensor checked in.

3.6.0 All DSEN-1077

Powershell_ise.exe is a CLR process. In Windows 10, Carbon Black does not inject into the process because it doesn't meet the following criteria:

  • It does not have an .exe file extension
  • The CLR process launches itself All DSEN-10230, EA-16950, EA-16957, EA-16961

An earlier maintenance release of the 3.5 CBC Windows Sensor ( resulted in a system crash/BSOD for endpoints that hit a specific non-common code path. There were three reported cases against about 175,000 endpoints across all environments. Please note that this was introduced in and that is the only version in which the problem exists. It is now fixed in All UAV-1779, EA-16903

Due to an interaction with third-party proxy management software called Open Text Socks Client, one customer experienced RepCLI (local command line interface) breaking by returning error message "RepCLIClient: Failed to open socket". This issue was found in and fixed in All UAV-1755, EA-16865

One customer reported a system crash. This issue was found in and fixed in
All UAV-1724, EA-16649, EA-16526, EA-16702, EA-16761

The sensor caused slowness, freezing on the endpoint, and the domain controller to enter an unresponsive state. All DSEN-9760, EA-16641

A RepMgr.exe crash created performance degradation and a high number of event ID 1 and 1000 in Windows application logs. All UAV-1646

Startup performance improvements alleviate slow start and/or logon type issues. Performance improvements will remain a focus in future releases. All DSEN-5266, UAV-1678, EA-14291

Fixed performance issues using Windows Explorer to navigate to locations in SharePoint. All DSEN-9612, EA-15998

Upon reboot, a customer experienced the following error condition: "Carbon Black Cloud Sensor: RepUx.exe - Bad Image. C:\Program Files (x86)\Common Files\Microsoft Shared\INK\PENUSA.DLL is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc0000022." All DSEN-9434, EA-16297

Issue connecting to the proxy server. All DSEN-8645, EA-16130, EA-16208

When using OFFLINE_INSTALL=1 and providing PROXY_SERVER on the command line, the sensor never registered with the backend. CB Defense DSEN-8950, EA-14957, EA-16471

Customers allow listing IT Tools might have seen the feature fail if wildcard characters were not used in the allow-listed string. This issue is now fixed and non-wildcard strings match. CB Defense DSEN-8307, EA-16479, EA-16509

Bypass rules were not properly applied in certain cases. All DSEN-8562, EA-15614

Alerts were surfaced for a file that was already deleted from the system. All UAV-1595, EA-16261

Log on performance has been improved. CB LiveOps DSEN-8768, EA-16504

The Live Response exec command failed in some cases. All DSEN-8291, EA-16578

Intermittent issues with login delays causing RDP session timeouts. All DSEN-8507, EA-16068

Issues contributing to slow log in are now addressed. CB Defense DSEN-8605, EA-16214, EA-16283

Two customers experienced a deadlock between a sensor process and system process, which could cause the endpoint to freeze up. LiveOps DSEN-8537, EA-15636, EA-16147

Customer might have experienced greater than expected resource consumption on their endpoints upon LiveQuery usage. Previously, the back end cancelled queries after they were outstanding for a week. This fix introduces configurable thresholds in runtime and memory consumption that, if crossed, cancel the query and prevent excessive resource consumption. All DSEN-8440, EA-16086

Customers might have experienced greater than expected resource consumption when installing large files. All DSEN-8405, EA-16014

Users may have noticed a larger pagefile size which generated volmgr errors in windows event viewer. The sensor now auto-configures the memory dump settings on the machine unless you opt of that by setting the msi command line arg "AUTO_CONFIG_MEM_DUMP=0" during a command line install. CB ThreatHunter DSEN-8331

CB ThreatHunter might not have reported scriptloads for scripts that had VB scripts office docs, python, or perl file extensions. All DSEN-7254

Creating a folder on a network file share might have taken up to 15 seconds. The initial folder creation occurred within a normal time frame. All UAV-1415

Uninstall on a machine that is serving an RDP session could hang/fail if the RDP client machine was sharing local drives with the RDP server. Note that an upgrade from Windows sensor 3.4 to an earlier 3.5 version requires an uninstall, and can cause this issue if the previous criteria are met. To resolve the issue in this case, use the sensor removal tool. All DSEN-7565

An internal observation of the sensor crashing while being taken out of bypass during system startup. This issue was not reported externally. All DSEN-7760, EA-15839

In one case, the sensor service stopped repeatedly, generating errors such as this in the event log: "The CB Defense service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service." This was a result of a service crash. All DSEN-7831, EA-15341, EA-15810, EA-15403

In some cases, the sensor did not honor bypass rules as they were configured in the policy, which led to unexpected blocks, interoperability issues, or poor application performance. All DSEN-7759

Endpoints exited network quarantine after upgrading from 3.4 to 3.5. Upgrades and uninstalls are no longer permitted in quarantine. CB LiveOps DSEN-7576

As of version, the Windows sensor supports osQuery 4.1.2.
All DSEN-7344, EA-15076 Customers can experience performance issues if end users access many files over a network drive. The specific issue in EA-15076 is resolved. All DSEN-7358 Support staff might have requested additional logs and diagnostic information during troubleshooting in certain cases due to log messages being dropped. All DSEN-7391, EA-14361 Windows Event Security Logs surface a message that reads: "Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. File Name: \Device\HarddiskVolume4\Windows\System32\ctiuser.dll." This suggest ctiuser.dll might be corrupted, which is not the case. All EA-15784, DSEN-7488 A customer observed a recurrence of event ID 49 in the Windows Application Event logs. All DSEN-7565 An internal observation of the sensor crashing while being taken out of bypass during system startup. This issue was not reported externally. All DSEN-7592 The sensor will now log windows events whenever backend requests a deregister/uninstall. Additionally, we will log to Windows events whenever sensor enter/exits bypass or server maintenance modes. All DSEN-7759 Users reported endpoints exiting network quarantine after upgrading from 3.4 to 3.5. Upgrades and uninstalls are no longer permitted in quarantine. All DSEN-7837, EA-15874 One customer observed that the backend did not display events for up to two hours. All DSEN-7208 In VDI environments, the uninstaller kept an old device's uninstall code. This issue is now fixed and the uninstall process in VDI environments is improved. All UAV-1393 Folder creation on network paths might have taken up to 25 seconds to complete. All DSEN-6985 Any path based rule that started with \ and not \\ was not enforced on Windows. This prevented users from creating path rules for files that had no system-wide drive letter. All DSEN-7446 In some cases, the Endpoints page did not reflect Active Directory or Organizational Unit data. All UAV-1386, DSEN-7326 This release introduces several fixes to memory leaks (none of which were reported by customers). All DSEN-5225 When a process (.bat or .cmd) was executed via a command interpreter via "cmd.exe /c", the process might have been blocked. This issue is now resolved for .bat and .cmd processes. All DSEN-7358 The sensor dropped log messages, resulting in Carbon Black support reaching out more frequently for diagnostic information. All DSEN-7275 If the background scan was running, the sensor might have uninstalled very slowly. Users would encounter this only if they had attempted to uninstall shortly after install because, if configured, background scan executes upon install. CB ThreatHunter UAV-1396, EA-15835
In one case, a server hung up during boot. All DSEN-6534/EA-14866 Customers might have seen an increase in false positive blocks. One customer reported Excel and Outlook as blocked. All DSEN-3992 Subkeys could be created under the CBDefense key in the Windows registry. CB Defense DSEN-5332, EA-12882 Sensor might have terminated a process due to an attempt "to modify the next instruction to execute in the process" when the process belongs to the application. All DSEN-4054, DSEN-4033 The LiveResponse memdump command was previously observed to cause crashes. It was disabled by default on Windows sensors 3.3 and 3.4. It is now enabled by default and no longer causes crashes. All DSEN-4375 The sensor wrote large amounts of extra data to the confer.log file. Numbers vary across environments, but the issue is resolved so that the extraneous data written to confer.log is reduced.
The actual size of confer.log can increase because although extraneous data is reduced, valuable log data remains over a longer course of time due to a seperate change. All DSEN-5626 Previously, the sensor allowed non-execute access to quarantined files. Now, quarantined files are not accessible. This can prevent other security applications from scanning and alerting on the file, but prevents files from spreading to other locations. All DSEN-6322, EA-14880 There were reports of intermittent delays when opening various Office files and navigating file systems on Windows 10. All DSEN-5995, EA-14707, EA-14723, EA-14729 Customers who were using Windows sensor versions from to had Office applications such as Word and Excel hang when updating a file on Google File Stream and similar products (Box, Citrix Cloud, etc.). This issue is fixed in 3.5 and versions of the sensor. All EA-14455, DSEN-5699 Sensor install failed on Windows Server 2019 machines where there is a missing directory value for registry key HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch value "BackupPath". The value is typically C:\Windows\ELAMBKUP. All DSEN-5493, DSEN-5491 During updates to Windows 1H19, the system either blocked the update or potentially crashed during the update. This issue was only reproduced and identified internally, and the issue did not reproduce if the sensor was in Bypass mode. All DSEN-4050 Previously, if a user executed an unattended install with the flag and argument "INSTALLFOLDER=<path>", the sensor installed but was non-functional. Carbon Black now forces an install failure if a user tries to use a non-standard install folder. All DSEN-4043 Under high load, repmgr.exe’s handle counts grew very large, which could cause minor performance issues. All DSEN-6372 If the sensor's background scan changed from Disabled (either via install arguments or cloud policy) to Expedited, a race condition could put the background scan into disabled state. This issue was not observed externally. CB Defense DSEN-6077 Windbg was observed to crash. All DSEN-3061 The sensor did not whitelist files by certificate if the certificate was signed with multi-byte characters. A backend fix was implemented for this issue. All EA-15148, DSEN-6552 A crash could inconsistently occur on file renames on network drives. All DSEN-6535, DSEN-6591 Sensor upgrades failed with error 1603 when attempting to perform the upgrade at the same time as a Windows upgrade to Redstone 5. CB ThreatHunter DSEN-4756, DSER-14090, EA-13906 Customers running CB ThreatHunter standalone might have seen Windows Security Center Real Time protection feature disabled. This issue was resolved by navigating to the Policies page, clicking the Sensor tab, and unchecking Use Windows Security Center. All DSEN-6057 Previously, release notes stated that banned scripts execute if the policy is refreshed on the backend after being banned. Only scripts executing when the sensor was coming out of bypass were not blocked. Banned scripts executed after bypass is disabled are blocked. This issue is functioning as designed. CB ThreatHunter DSEN-6487 In Sensor environments and (and, the sensor crashed upon running any process from a path with multibyte characters (c:\見る) when UBS for CB ThreatHunter customers was enabled. All DSEN-6490 HTML file load and open and close performance degraded in 3.5 compared to 3.4. This fix was implemented in All DSEN-6653 When the Windows sensor 3.5 was in bypass mode, the sensor uninstall failed. All DSEN-6876, EA-15319, EA-15301 Some customers observed latency associated with Microsoft office applications. All DSEN-6871 Users could deregister the sensor from Windows Security Center in conflict with the policy setting. All DSEN-6826 3.5 beta users might have experienced a performance problem on a Windows 10 19H2 environment with CB Defense and CB ThreatHunter enabled. A 50% performance spike in repmgr.exe usage was identified when the system is idle. All DSEN-6867 The CB LiveResponse API previously defaulted to UTF-16LE encoding rather than UTF-8. Because many customers rely on the latter, the default setting is restored to UTF-8. This issue only impacted 3.5 beta users. CB ThreatHunter DSEN-6145 Customers who had moved from CB ThreatHunter standalone to
CB ThreatHunter with CB Defense experienced false positive blocks. This issue was only reported internally. All DSEN-6491 Some users experienced a minor delay in loading common applications. All DSEN-6569 When running a Carbon Black-signed msi in Windows sensor 3.5 beta, cmd.exe was granted full bypass.The cmd.exe was only placed in bypass if the sensor msi was executed in cmd.exe. All DSEN-6625 The Windows sensor did not support multi-byte characters in
Osquery results in version All DSEN-6660 One internal user experienced a crash on Windows sensor running on Windows 8.1 x86. All DSEN-6691 In earlier 3.5 builds, if a file had a bypass rule that was removed after the file was deleted, then copies of that file would not be quarantined in place. All DSEN-6706 Explorer.exe hung indefinitely on an attempt to run any process in the confer install folder as administrator in the Windows sensor  All DSEN-5163 The sensor did not prohibit downgrades from existing Windows 3.5 versions to older Windows 3.5 versions. This issue is resolved in all released 3.5 builds except for Carbon Black does not recommend or support downgrades, but the downgrade to is not prevented. All DSEN-5934, EA-14272, EA-14956 Customers could not open attachments while using applications
such as KnowBe4 Second Chance or Digital Guardian’s Outlook plug-in. All DSEN-6540 The sensor user interface might have shown the sensor in bypass
when it is active. This issue was only reproduced internally and was considered a rare event. All DSEN-6543 False positive blocks might have occurred due to sharing violations while retrieving signature information. All DSEN-6941 Application launch performance degraded in the Windows 3.5 sensor compared to the Windows 3.4 sensor. All DSEN-6899, DSEN-7134 Customers experienced delays of up to 35 seconds associated
with copying files to remote network drives. The sensor no longer reporting signature or reputation information at the time of "last write" (i.e. close of handle that modified an executable file). The sensor will still collect and report that info if the file was executed but will not stall to collect it at time of modification. All DSEN-7005, DSEN-6990 Files that had no logical drive mapping (such as some Google drive files) might not have been reported to the cloud.This issue impacted beta sensors only. All DSEN-6315 Some sub-processes were left in a suspended state after their
parents were terminated. This was only observed internally. All DSEN-7026 One customer had observed a crash on some machines during the 3.5 beta program. All DSEN-7099 Internal observations of timeouts that led to reputation
mismatch, which could have resulted in false positive blocks.



Sensor Version Found Product Issue ID Description All DSEN-16957

In rare instances, the sensor can switch to bypass mode post-upgrade. This is due to an issue unloading one of the drivers and has been seen more frequently on Windows Server 2019 systems. In such cases, a reboot is required to complete the upgrade and remove the bypass sensor state.
All DSEN-17019, DSEN-16602

Beginning with, after install or upgrade you might see events or alerts where repmgr.exe's parent process is a hash of all zeroes. This goes away after a reboot. All DSEN-16573

If you have an open Explorer window that contains banned or malicious binaries, the Explorer window might be closed due to Explorer having those binaries mapped. All DSEN-15424

Performance issues on Windows 11 systems where WindowsSearch service is actively indexing files. All DSEN-14236, EA-18878

Issue with code integrity where the image hash of some Carbon Black files being loaded are determined to not be valid and create Windows events with error ID 5038. All DSEN-9577

Fileless script termination rules should be applied to the parent process of the fileless script process, as the process executing the fileless script is the fileless script. All

Trying to access the sensor installation directories in non-elevated Explorer windows may be blocked if the user is not a member of the authenticated RepCLI users.

Customers are encouraged to have a set of RepCLI users authenticated, and use those users for support sessions if there is a need to inspect this folder.

These users could successfully access %programdata%\CarbonBlack through Explorer.exe. Endpoint Standard DSEN-13482

Events showing NT file path of dropped files. Endpoint Standard DSEN-12202

Uninstalling through the “sensor removal tool” may still leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry. Endpoint Standard DSEN-12189

When a process is blocked from running, multiple block events can display in the console and local user interface. Endpoint Standard, Enterprise EDR DSEN-11116

Banned file names and paths are not captured correctly when launched through a WebDAV path. All DSEN-7416 After upgrading from Windows 7 x64 to 19H1, the endpoint might still report that the machine is running Windows 7. All DSEN-1387 Background scan remains disabled on devices where VDI=1 was used. See