Attention: As of 28 February 2022, Carbon Black Cloud Release Notes are published on VMware Docs. This UEX site will remain but no longer be updated.
3.8.0.398
VMware Carbon Black Cloud Windows Sensor 3.8.0.398 includes the following improvements:
3.7.0.1503
This release updates osqueryi.exe to version 4.8.0, and includes bug fixes and improvements.
3.7.0.1411
This release updates osqueryi.exe to version 4.7.0, and includes bug fixes and improvements.
3.7.0.1253
Sensor Installer Rollback
Build-to-build, version-to-version upgrade rollback is now fully supported when upgrading from version 3.7 and later sensors. The following table describes rollbacks that various Carbon Black Cloud sensor versions support.
For more details about rollback functionality, see the VMware Carbon Black Cloud Sensor Installation Guide.
Enterprise EDR Hash Banning
This feature provides Enterprise EDR users with the ability to ban files by hash, thus preventing files from:
For more details, see https://community.carbonblack.com/t5/Enterprise-EDR-Discussions/Announcing-Hash-Banning-for-Enterprise-EDR/m-p/105098#M306
Ransomware Boot Record Protection
A new disk driver (cbdisk.sys) helps protect against the most dangerous types of ransomware that attempt to corrupt the boot record of an endpoint. This type of ransomware encrypts files and alters the master boot record (MBR) and partition boot record (PBR), rendering the device unusable.
Important Note: A reboot is required after install/upgrade/cloning a golden VM image to fully leverage our ransomware protection capabilities. This new disk driver should be added to any previously set AV exclusions.
SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2
Microsoft no longer allows code-signing using SHA1. To continue running VMware Carbon Black Cloud Windows sensor version 3.7+, the KB4474419 patch should be applied to applicable operating systems. Our Carbon Black Cloud sensor - OS Support article on UEX reflects this change.
Automatic re-registration of VMware Carbon Black Cloud Windows sensors in Citrix PVS environments
The 3.7 Windows sensor supports a new cfg.ini parameter AutoReRegisterForCitrix = True for automatically re-registering Windows sensor on VDI clones in Citrix PVS environments.
3.6.0.2127
SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2
Microsoft is no longer allowing code signing using SHA1. To continue running our latest Carbon Black Cloud Windows 3.6 sensor version (3.6.0.2127+), the KB4474419 patch should be applied to applicable operating systems. Our Carbon Black Cloud sensor - OS Support article on UEX has been updated to reflect this change.
3.6.0.2076
This updated Windows sensor version includes fixes and performance improvements.
3.6.0.1979
This updated Windows sensor version includes fixes and performance improvements.
3.6.0.1941
osquery version update 4.5.1
This updated Windows sensor includes the most recent version of osquery (4.5.1). See the Carbon Black Cloud Sensor Support for osquery document for a full list of sensor versions and supported schema versions.
3.6.0.1897 (This sensor is no longer available for download)
osquery version update 4.5.0
This updated Windows sensor includes the most recent version of osquery (4.5.0). See the Carbon Black Cloud Sensor Support for osquery document for a full breakdown of sensor versions and supported schema versions.
This update lets you query the Windows event log. Users can now craft custom queries or use new out-of-the-box queries from our Threat Analysis Unit to pull back artifacts from Windows event logs on demand. These artifacts include the event ID, the time an event occurred, the source or channel of the event, the provider name and GUID associated with an event, the severity level of an event, and more.
This version also includes Windows support for the yara table and no longer requires an on-disk signature to be present.
3.6
VMware Carbon Black Cloud sensor version 3.6 is for Windows only. See supported operating systems on the UEX: Carbon Black Cloud sensor support.
osquery 4.4.0
The 3.6 Windows sensor introduces osquery version 4.4.0. Learn more about version 4.4.0 here: https://github.com/osquery/osquery/releases/tag/4.4.0
Firewall exclusion
The 3.6 Windows sensor leverages a content management system to enable the dynamic configuration of prevention features. Prior to installing or upgrading to 3.6, if you have restrictive firewall policies active in your environment, you might need to add a new firewall/proxy exclusion for the sensor to be fully functional.
Add a new network/proxy exclusion for a direct connection over TCP/443 to https://content.carbonblack.io
Enterprise EDR, AMSI Prevention, and Unified Binary Store require the exclusion to work with the 3.6 sensor.
To learn more about the sensor communication requirements, see Carbon Black Cloud: What Ports must be opened on the Firewall and Proxy Servers?
Sensor install/uninstall improvements
With the Carbon Black Cloud Windows 3.6 sensor, the install and uninstall experience is strengthened on the endpoint. If a failure occurs during an initial install of the product or during an uninstall, the endpoint will be returned to the state it was in prior to the attempt.
To learn more about Windows sensor installation and uninstallation, see the Sensor Install Guide on the UEX or in your VMware Carbon Black Cloud Console under the Help menu in the top bar.
AMSI Prevention and visibility (Endpoint Standard)
VMware Carbon Black Cloud has extended its default prevention capabilities for script-based Windows attacks, built on Microsoft Anti-Malware Scan Interface (AMSI). This extension of the AMSI integration expands on existing PowerShell preventions with improved ease of use and a better security posture.
This release includes the ability for the sensor to dynamically leverage AMSI metadata to define and configure prevention logic. These updated, high-fidelity prevention rules are being crafted by VMware Carbon Black’s Threat Analysis Unit to include frequently used off-the-shelf attacker frameworks that are regularly seen in script-based attacks.
AMSI prevention and visibility is only supported on Windows 10 and greater and requires sensor version 3.6+. AMSI prevention and visibility will be rolled out in a staggered manner to customers. No action is required by the customer.
Sensors that are registered with the following backend instances can use the functionality on the listed date.
URL | Date
 | 8/31
 | 8/31
 | 9/7
 | 9/7
 | 9/14
Sensor logs locations
Previous versions of the sensor stored logs in the \Program Files\Confer\Logs\ directory.
The Windows 3.6 sensor stores some logs in Program Files and some logs in ProgramData:
Throughout 3.6 maintenance releases, we will move all logs to ProgramData to better align with Microsoft guidelines.
VDI improvements
The VDI workflow is improved with the Windows 3.6 sensor. Re-registering is less restrictive and easier. VDI clones and re-registered devices inherit the policy of the primary image if one exists. Otherwise, clones and re-registered devices are assigned the Virtual Desktop policy or the Standard policy in that order. Additionally, if an organization is using sensor groups, the new device will be moved to the appropriate policy when the metadata matches. See the Sensor Installation Guide for full VDI considerations and see the in-product User Guide for more information about sensor groups.
3.5
VMware Carbon Black Cloud sensor version 3.5 is for Windows only. This release is Generally Available.
Notes:
Turn off services associated with malware
Malicious services that run at start-up have the potential to execute and impact the endpoint before the sensor starts up. A new feature finds all malicious services associated with Known Malware hashes and puts them in an un-enabled state. The services remain off across reboots, and therefore cannot execute at startup. If the service binary in question was not malicious, or if some other tool is used to clean the malware, the sensor will not automatically enable the service again. To re-enable the service, you must do so manually by using LiveResponse or other standard tools. The feature is enabled by default and can be turned off by a request to Support.
The command for the remediation through CB LiveResponse is:
The possible start types are: boot | system | auto | demand | disabled | delayed-auto
The event that is sent when the service is un-enabled contains the original start type and displays it in the user interface. The user needs this data to return the start type to its original value. If the start type changes to boot, auto or delayed-auto, they must reboot.
Removal of registry keys during deletion
Deletion of files, both manual and through the Malware Removal workflow, previously did not attempt to remove registry keys that were created by the malware. When requested to delete a file, the Windows 3.5 sensor also removes RunOnce registry keys from the HKLM hive that reference the malicious binary that is being deleted. Other auto-start registry keys referencing the malware might remain.
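As an added example (not code from the release notes or from VMware Carbon Black), the following PowerShell audit covers both the service un-enable feature and the RunOnce cleanup above: for one removed binary it lists services whose image path still references it, with their current start type, and any Run/RunOnce values in HKLM and HKCU that still reference it, since the notes state that only HKLM RunOnce entries are removed. The $BinaryPath parameter is an assumed, caller-supplied path; the script is read-only.

```powershell
# Added audit example, not part of the Carbon Black release notes.
# $BinaryPath is an assumed caller-supplied path to the binary the sensor removed.
param(
    [Parameter(Mandatory = $true)]
    [string]$BinaryPath
)

$needle = $BinaryPath.ToLowerInvariant()

# 1. Services whose image path references the binary, with their current start
#    type. A service the sensor turned off reports StartMode = Disabled; restoring
#    Boot, Auto or delayed auto start requires a reboot, as the notes state.
$serviceHits = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName.ToLowerInvariant().Contains($needle) } |
    Select-Object Name, State, StartMode, DelayedAutoStart, PathName

# 2. Auto-start registry values referencing the binary. The 3.5 sensor removes
#    only HKLM RunOnce entries, so Run values and the HKCU hive can still hold
#    a reference that would re-launch the (now missing) file at logon.
$autoStartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$registryHits = foreach ($key in $autoStartKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
        if ($prop.Name -like 'PS*') { continue }
        if ("$($prop.Value)".ToLowerInvariant().Contains($needle)) {
            [pscustomobject]@{ Key = $key; ValueName = $prop.Name; Command = $prop.Value }
        }
    }
}

Write-Output "Services referencing $BinaryPath :"
$serviceHits | Format-Table -AutoSize
Write-Output "Auto-start registry values referencing $BinaryPath :"
$registryHits | Format-Table -AutoSize
```

Run it in an elevated session (for example through Live Response) after a deletion to confirm nothing outside the HKLM RunOnce key still points at the removed file.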
Offline installer
The Windows 3.5 sensor supports offline installs to support machines that are configured in an offline environment. The feature is enabled during a command line installation by adding the flag “OFFLINE_INSTALL=1”. The sensor connects with the Carbon Black Cloud backend and accesses a policy when network connectivity is restored. The sensor does not provide any visibility or protection until it is connected to the backend.
To use the feature, ensure that there is a host or network level firewall rule in place to prevent the master image from connecting to the Carbon Black Cloud devices URL. Then, install the sensor using the OFFLINE_INSTALL parameter and any other parameter that is typically used during a command line install (aside from PROXY). Clone or restore to snapshot. Each snapshot and clone appears as a new device in the backend console and is not treated as a VDI clone unless you explicitly install with VDI=1 or use the RepCLI reregister command. Otherwise, console admins are responsible for cleaning up old clones, either manually or via API.
Note: If a user changes the company code in the backend, you can no longer make new clones that haven’t registered yet because those clones will continue to try to use the original company code. If you change the company code, you must create new images using the new company code.
Endpoint management improvements
The Windows 3.5 sensor effectively handles non-persistent domain disconnections. Previously, the sensor applied the default policy when the AD attribute was cleared (in instances such as off-network without VPN). Now, the sensor maintains the desired AD group and the desired policy. The distinguished name is not cleared unless the machine is not registered as part of the domain.
In the Endpoints page, the Windows 3.5 sensor reports who is logged into an endpoint every 8 hours instead of reporting the user who installed the sensor. If there is no interactive user logged in to the endpoint within the 8 hour window, you might get a non-interactive user name such as “Windows Manager\DWM-2”. In the case of multiple logged-in users, the most recently logged-in user is associated with the endpoint.
Improved capability to identify command interpreters
CB Defense has improved its methods for identifying a process as a command interpreter or as a script host. By integrating with the yara binary pattern matching utility, the Windows 3.5 sensor better protects against threats where an attacker brings their own copy of standard operating system interpreters or tries to hide by running tools with non-standard names. Customers who are already leveraging the Tries to invoke command interpreter rule immediately benefit from this update.
As part of this update, Carbon Black’s Threat Analysis Unit (TAU) can dynamically update the definition of what it means to be a command interpreter.
Improved Netconn detection for proxy servers
With the Windows 3.4 sensor, CB ThreatHunter customers who are using a proxy server in their environment saw most (or all) outbound network connections being reported with the proxy's address and host name as the destination. The Windows 3.5 sensor improves reporting of network events to report the actual destination IP and hostname, rather than those of the intermediate proxy.
Note: This functionality is enabled in the Windows 3.5 sensor, but will not be available for use until a future Carbon Black Cloud console release.
CB ThreatHunter hash deny-listing
The Windows 3.5 sensor enables deny-listing of files by hash for CB ThreatHunter. Once a hash is added to the company deny-list it is prevented from the following:
Processes that have the deny-listed hash loaded at the time the hash is added to the deny-list are terminated shortly after the sensor receives the updated reputation.
Note: This functionality is enabled in the Windows 3.5 sensor, but will not be available for use until a future Carbon Black Cloud console release.
Dynamic tamper protection
The Windows 3.5 sensor has improved methods for identifying tamper events. The improvements help prevent access to sensor files and reduce interoperability issues with third-party products.
AMSI logging
The Windows 3.5 sensor enables the collection of deobfuscated command line data through AMSI for CB ThreatHunter customers. For more information on AMSI, see https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal.
In the cloud console, this integration will manifest in the form of fileless_scriptload events, which represent processes that executed commands in a fileless execution context. More information will be provided in the backend release notes for the February 18th UI release.
Updated 09/02/2020:
Sensor check-in time update
The sensor check-in time is reduced from 5 minutes to 1 minute. The maximum expected latency for establishing a Live Response session should now be 60 seconds (assuming the device is online and running a 3.5 or newer sensor version). Other operations might also complete faster.
The Last check-in value in the console will not necessarily update faster, for performance/scale reasons.
Sensor Version Fixed | Product | Issue ID | Description |
3.8.0.398 |
All |
UAV-2154, EA-18733, EA-19153 |
AMSI rules were being bypassed in Windows Terminal and other containerized applications. |
3.8.0.398 |
All |
DSEN-16642, EA-19844 |
Sensors could not exit Quarantine mode after losing network connectivity. |
3.8.0.398 |
All |
DSEN-16429, DSEN-12463 |
Upgrades conducted by non-admin users could leave the sensor in an inoperable state if the Windows registry was corrupted from a previous install or upgrade failure. |
3.8.0.398 |
All |
DSEN-16231, DSEN-14832 |
Windows 11 devices (running build 10.0.2200) displayed as Windows 10 in the Carbon Black Cloud console. |
3.8.0.398 |
All |
DSEN-15324, EA-19302, EA-19398 |
Sensor misreported files being executed from Recycle Bin. |
3.8.0.398 |
Endpoint Standard |
DSEN-15157, EA-19374 |
A rare crash in repmgr could occur when the sensor was scanning files. |
3.8.0.398 |
All |
DSEN-15013, DSEN-6805, EA-19223 |
Improved command line script detection. |
3.8.0.398 |
Endpoint Standard |
DSEN-14799, EA-19232 |
The sensor was not checking for bypass when enforcing Process Doppelgänging protections. |
3.8.0.398 |
All |
DSEN-14721, EA-19615 |
The sensor could cause system crashes to occur with ctifile.sys. |
3.8.0.398 |
All |
DSEN-14550, EA-18912 |
Updated default zip/compression settings for sensor events being stored on disk to reduce CPU consumption of the sensor. This settings change is intended to mitigate potential event loss due to proxy errors. However, sensor events being written to disk can see a 70% increase in file size/bandwidth compared to previous sensor versions. Event batch disk space usage remains 1GB by default. |
3.8.0.398 |
All |
DSEN-14184, EA-18800 |
End-user License Agreement has been updated to indicate the creation of canary files on successful sensor installations. |
3.8.0.398 |
All |
DSEN-14134, EA-18111, EA-19331 |
Deleting a file failed in a redirected folder setup in Horizon VDI with DEM folder redirection. |
3.8.0.398 |
All |
DSEN-13173, EA-17975, EA-18052 |
CbAMSI.dll is now WHQL signed to resolve issues where the sensor was blocked from loading CbAMSI.dll in svchost.exe processes if the "Enable svchost.exe mitigation policy" setting was turned on. |
3.8.0.398 |
All |
DSEN-12801, EA-19124 |
Improved suppression of “RepUx.exe - Bad Image” prompts when third party apps are blocked from injection attempts. |
3.8.0.398 |
All |
DSEN-11416, EA-17516 |
The sensor was unable to decrypt proxy_creds with installations performed from system account context. |
3.8.0.398 |
All |
DSEN-7625, EA-18519 |
Added ability to protect against aspx files executing on IIS. |
3.8.0.398 |
Endpoint Standard |
DSEN-5145 |
Improved sensor behavior to check for policy updates prior to blocking actions to ensure long-running processes are enforced via new policy rules set after process launch. |
3.7.0.1503 |
All |
DSEN-15629 |
Fixed an issue where upon creation of an instant clone pool, the internal template got network access, which resulted in the internal template's sensor contacting the backend with the same Device ID as the golden image. This resulted in duplicate Device IDs.
|
3.7.0.1503 |
All |
UAV-2292, EA-19483 |
Fixed an issue causing system crashes to occur due to ctifile.sys. |
3.7.0.1503 |
All |
UAV-2267, EA-19384 |
Fixed an issue causing a large number of alerts to be generated with previous 3.7 Windows sensors around wordpad.exe attempting to inject code into other processes via SetWindowsHookEx. |
3.7.0.1503 |
All |
DSEN-16174, EA-19890 |
Fixed an issue where any Non-RepMgr process logging that goes through FileLogger grew unbounded causing multiple sensor logs to grow excessively large. |
3.7.0.1503 |
All |
DSEN-16109, EA-19823, EA-19826 |
Fixed an issue where RepMgr could be deadlocked and render the endpoint unresponsive and spike the sensor’s memory usage. |
3.7.0.1503 | All |
DSEN-16024, EA-19263 |
Improved Tamper Protection policy to improve performance for Endpoint Standard. |
3.7.0.1503 | All |
DSEN-15958, EA-19799 |
Fixed an issue with sensor upgrades from v3.6 → v3.7 where the reference count of ctiuser.dll was not being properly reset and could lead to a missing ctiuser.dll file if a failure occurs on sensor upgrade. |
3.7.0.1503 | All |
DSEN-15889, EA-19561, EA-19723 |
Fixed an issue causing effective reputation applied to allowed certificates to change after sensor upgrades to previous 3.7 sensors. |
3.7.0.1503 | All |
DSEN-15667, EA-19586 |
Fixed an issue with the sensor applying a policy deny rule for applications signed with allowed listed certificates. |
3.7.0.1503 | All |
DSEN-15618, EA-19564 |
Fixed an issue with missing serial number information associated with attached devices. |
3.7.0.1503 | All |
DSEN-15505, EA-19390, EA-19454, EA-19504, EA-1991 |
Fixed an issue where sensor management operations, such as sensor uninstall or sensor upgrades, would not work if CbELAM files are missing on Windows operating systems supporting Microsoft Early Launch AntiMalware (ELAM) drivers. |
3.7.0.1503 | All |
DSEN-15065 |
Updated osqueryi.exe to version 4.8.0. |
3.7.0.1503 | All |
DSEN-14942, EA-19404 |
Fixed an issue with the simple hash table of ctifile.sys. |
3.7.0.1503 | All |
DSEN-12932, EA-17866 |
Fixed an issue where ctiuser.dll could be loaded twice. |
3.7.0.1411 |
Endpoint Standard |
UAV-2212, EA-19082, EA-19167 |
A large number of alerts were being generated with the CBC Windows 3.7.0.1253 sensor around explorer.exe injecting into iexplore.exe via NtQueueApcThread. See our UEX knowledge base for more information: Carbon Black Cloud: Observing a large number of alerts for code injection via NtQueueApcThread after upgrade to 3.7.0.1253 |
3.7.0.1411 |
Enterprise EDR |
UAV-2206, EA-18589 |
A temp file could be left behind when saving a modified Excel file in Enterprise EDR (only) orgs. |
3.7.0.1411 |
All |
UAV-2201, EA-19048 |
A data-race issue could lead to a system crash. |
3.7.0.1411 |
All |
DSEN-15119, EA-19388 |
System crashed when attempting to format drives. |
3.7.0.1411 |
All |
DSEN-14950, EA-19195, EA-19313 |
System crashed on Windows Server 2008 R2 systems. |
3.7.0.1411 |
Endpoint Standard |
DSEN-14817 |
Fixed a bug when applying Endpoint Standard functionality immediately after switching from an Enterprise EDR (only) org. |
3.7.0.1411 |
All |
DSEN-14801, EA-19243 |
The 3.7.0.1253 CBC Windows sensor blocked MSI installations of software that required a registry modification of a disk drive upper filter value to complete installation. |
3.7.0.1411 |
Endpoint Standard |
DSEN-14787 |
Due to an unsafe location, tamper blocks occurred when osqueryi.exe attempted to load cbamsi.dll. |
3.7.0.1411 |
All |
DSEN-14690 |
The sensor misreported process privs when compared to Process Explorer. |
3.7.0.1411 |
All |
DSEN-14604 |
First time sensor installation required a reboot to remove the sensor from Bypass mode for sensors installed with ‘Bypass sensor after login’ enabled through the sensor’s policy settings. |
3.7.0.1411 |
All |
DSEN-14592, DSEN-12808, EA-16115 |
The sensor reported improper shutdown/sleep states in the console. |
3.7.0.1411 |
All |
DSEN-14584 |
The sensor now supports a config prop for leveraging BIOS UUID for re-registration of VDI clones. |
3.7.0.1411 |
All |
DSEN-14575, DSEN-13266 |
Logging now properly reports a failure due to an expired company code. |
3.7.0.1411 |
All |
DSEN-14574, DSEN-13926 |
The .msi installer precheck returned an error and failed to upgrade sensors due to missing sensor version information in MsiGetProductInfo. |
3.7.0.1411 |
All |
DSEN-14558 |
Added a pop-up error dialogue when CBC Windows sensor installation has detected a non-SHA256 patched Windows OS system. Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2 |
3.7.0.1411 |
All |
DSEN-14423 |
Fixed a bug in the ctinet.sys driver that would cause a system crash when processing specific network events. |
3.7.0.1411 |
Endpoint Standard |
DSEN-14326, EA-18664 |
The sensor allowed deleting of files that had the “readonly” attribute set. |
3.7.0.1411 |
All |
DSEN-14015, EA-17990 |
The sensor would not perform process classifications while in bypass. It required RepCLI commands issued through a Live Response session that require authentication to be sent to the sensor in an active state. |
3.7.0.1411 |
Endpoint Standard |
DSEN-13971, EA-18729, EA-19333 |
Files with hashes that were populated in the banned hash list could temporarily run for a short time. |
3.7.0.1411 |
All |
DSEN-13517, EA-18627 |
The sensor ignored bypass rules for .tmp files. |
3.7.0.1411 |
All |
DSEN-13281, EA-18012 |
Fixed an issue with shutting down the sensor service in hardened environments that could lead to failures with sensor upgrades. |
3.7.0.1411 |
All |
DSEN-13064 |
Now ship with osqueryi.exe version 4.7.0. |
3.7.0.1411 |
Endpoint Standard |
DSEN-12555, EA-18067, EA-18165, EA-18418, EA-18581, EA-18866 |
Fixed a bug where the sensor could hang Microsoft Software Shadow Copy Provider service on startup. |
3.7.0.1411 |
Endpoint Standard |
DSEN-12394 |
Sensor upgrades initiated outside the server console could result in failure due to msiexec.exe being blocked by tamper protection. |
3.7.0.1411 |
All |
DSEN-8545 |
RepCLI capture could only be used to save zip files to local directories. If you attempted to save the zip file to a network location, the file is written to the c:\programdata\carbonblack\logs\temp directory. |
3.7.0.1411 |
All |
DSEN-8123 |
Sensors running on Windows 10 Enterprise Multi-Session environments could display the OS version as “Windows Server 2019”. |
3.6.0.2127 |
All |
DSEN-14423, |
Fixed a bug in ctinet driver that could lead to system crash. |
3.6.0.2127 |
Endpoint Standard, Enterprise EDR |
UAV-2191, UAV-2204, EA-18905, EA-18910, EA-18889, EA-18965, EA-18982, EA-18881 |
Non-ASCII characters in filenames (such as Chinese and Japanese) could cause the AMSI module to crash the process that was being inspected. Logging related to AMSI events generated from non-ASCII file names is also fixed.
|
3.6.0.2127 |
All |
UAV-2201, EA-19048 |
A data-race issue that could lead to a bugcheck. |
3.6.0.2127 |
Enterprise EDR |
UAV-2206, EA-18589 |
A temp file was left behind when saving a modified excel file. |
3.6.0.2127 |
All |
DSEN-12043 |
We now allow the sensor to be uninstalled if the BackupPath key located under HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch is not set. |
3.6.0.2127 |
Endpoint Standard |
DSEN-12555, EA-18067, EA-18165, EA-18418, EA-18581, EA-18866 |
The sensor could hang Microsoft Software Shadow Copy Provider service on startup. |
3.6.0.2127 |
All |
DSEN-13226, EA-17848 |
The sensor could time-out during upgrades on systems that had large amounts of applications and files in use. |
3.6.0.2127 |
Endpoint Standard |
DSEN-13250, EA-18515 |
Fixed a bug that could lead to a process deadlock on busy systems as described in this knowledge base article on UEX: https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-Windows-applications-randomly-hang-when/ta-p/102334 |
3.6.0.2127 |
All |
DSEN-13429, EA-18403 |
Fixed a bug that could lead to a bugcheck if a process attempted to access a file residing on a network share. |
3.6.0.2127 |
All |
DSEN-13767, EA-18685 |
Error dialogs appeared when third-party apps attempted to inject into any of the sensor’s processes. |
3.6.0.2127 |
Endpoint Standard |
DSEN-13807, EA-18785, EA-18821 |
Fixed a bug triggering false positive AMSI alerts. |
3.6.0.2127 |
All |
DSEN-14127, DSEN-14133 |
Our CBC Windows builds are no longer signed with SHA1 code signing (only SHA2 and WHQL). As such, Windows Operating System updates may need to be applied in order to run our 3.6.0.2076+ CBC Windows sensor version. Please see our UEX posts for more information: |
3.6.0.2127 |
All |
DSEN-14154 |
The sensor could remain in bypass mode after a system reboot. This only occurred if the sensor was configured to run as AMPPL, but was not actually AMPPL on startup. This only occurred when upgrading from v3.3 and earlier sensors or when config props to disable AMPPL exist. |
3.6.0.2127 |
All |
DSEN-13691, EA-18749, EA-18647 |
Sensor uninstall could fail if C:\Windows\ELAMBKUP\CbELAM.sys file was not present. |
3.7.0.1253 |
Endpoint Standard, Enterprise EDR |
CBC-2554 |
The 3.7 CBC Windows sensor now automatically registers the CBC Windows sensor on VDI clones in vSphere environments. This feature requires both the vSphere HostModule and the 3.7 CBC Windows sensor. Log information can be found at C:\ProgramData\CarbonBlack\Logs\vhostcomms.log. AV exclusions might be needed for C:\Program Files\Confer\VHostComms.exe. |
3.7.0.1253 | All |
DSEN-13848 |
The 3.7 Windows sensor supports a new cfg.ini parameter AutoReRegisterForCitrix = True for automatically re-registering CBC Windows sensor on VDI clones in Citrix environments. Note: A separate script to re-register the agent is not required after specifying this parameter in the cfg.ini file. |
3.7.0.1253 | All |
CBC-831 |
Added alarms for installation, uninstallation and upgrade failures. |
3.7.0.1253 | All |
CBC-1017 |
Various improvements to sensor services.
|
3.7.0.1253 | Endpoint Standard |
CBC-1638, DSEN-11202 |
Defense API reports that used to be sourced from API hooking have been moved to Event Tracing For Windows Providers and the File System Driver for product stability reasons. |
3.7.0.1253 | Endpoint Standard |
CBC-1925 |
The background status progress based on percentage complete is now visible via the RepCLI status output. |
3.7.0.1253 | Endpoint Standard, Enterprise EDR |
UAV-2041, EA-17693, EA-18300 |
Reduced frequency of non-paged pool memory allocations to avoid memory fragmentation and help with system performance. |
3.7.0.1253 | Endpoint Standard |
UAV-2191, |
Fixed a bug where non-ASCII characters (such as Chinese and Japanese) in filenames caused the AMSI module to crash the process that Endpoint Standard was inspecting. |
3.7.0.1253 | Endpoint Standard |
DSEN-5758, EA-18469 |
Fixed a bug where the length of the alert details message could impact CPU performance. |
3.7.0.1253 | Endpoint Standard |
DSEN-5833, DSEN-7252, DSEN-7253, EA-14620, EA-15335, EA-15649 |
Detect and prevent malicious lnk chains. |
3.7.0.1253 | All |
DSEN-5870, EA-18220 |
Sensor installation/uninstallation failed if the BackupPath registry key was missing from “HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch\” |
3.7.0.1253 | Endpoint Standard, Enterprise EDR |
DSEN-7246, EA-17566, EA-15975 |
Fixed a bug capturing certificate information from jar files. |
3.7.0.1253 | Endpoint Standard |
DSEN-7266, EA-15600 |
Windows sensor endpoint details will now append a “YYYYMMDD” date to Scan Engine information to specify the date the signature pack was collected. Note: On upgrades from older versions of the CBC Windows sensor, a signature pack update might be needed to display this information.
|
3.7.0.1253 | Endpoint Standard |
DSEN-8198, EA-18133, EA-17388, EA-16521, EA-18124 |
Intermittent failures with RDP connections. |
3.7.0.1253 | All |
DSEN-8262, EA-17682 |
Fixed a bug with reporting the last interactive logged-on user on Windows Server 2019 as WDM instead of the local user account. |
3.7.0.1253 | Endpoint Standard |
DSEN-8340 |
CBC Windows sensor now allows updating signature packs while in network quarantine. |
3.7.0.1253 | Audit & Remediation |
DSEN-10001, EA-16517 |
Fixed a bug with closing Live Response sessions. |
3.7.0.1253 | Endpoint Standard |
DSEN-10427, EA-16855 |
Improved performance with launching Office 365 applications. |
3.7.0.1253 | All |
DSEN-10677, EA-17112 |
Fixed a bug with the sensor removal tool cleaning up registry entries after uninstallation of the sensor.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-10830, EA-17223 | Improved pruning of the DB_REP file to prevent excessive growth.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-11084, EA-17416 | The sensor did not recover gracefully when it lost its connection to the kernel.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-11181, EA-17345 | Fixed a bug in the protection state shown by RepCLI and the console when DelayProtectionAtBoot or DelayProtectionAtLogin is applied.
3.7.0.1253 | Endpoint Standard | DSEN-11290, EA-17462, EA-16703 | Fixed a bug in which excess process handles caused performance degradation.
3.7.0.1253 | Endpoint Standard | DSEN-11413, EA-17335 | Fixed a bug in which processes running in a container were falsely marked as "hidden". This could manifest as alerts with the TTP HIDDEN_PROCESS after installing sensor version 3.6.0.1719.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-11731, EA-17882 | Fixed a registration issue for sensors upgraded through the command line interface with OFFLINE_INSTALL=1 incorrectly specified.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-12164, EA-18080 | Fixed a bug that caused an error message when clicking "VMware, Inc" in the "About" section of the CBC Windows tray icon.
3.7.0.1253 | Endpoint Standard | DSEN-12447, EA-18230, EA-18064 | Fixed a bug in which script interpreters were wrongly terminated when the applied rules were set only to deny. This could manifest as a console alert showing that an Office document was denied opening another Office document.
3.7.0.1253 | Endpoint Standard | DSEN-12526, EA-18264 | Fixed a bug that caused RepMgr to crash on an access violation on a buffer.
3.7.0.1253 | All | DSEN-13201 | Fixed a bug with sensors connecting to the backend through a proxy when a default WinHTTP proxy is configured in the registry (for example, through netsh).
3.7.0.1253 | Endpoint Standard | DSEN-13429, EA-18403 | Fixed a bug that could lead to a bug check when a process accessed a file residing on a network share.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-13518, EA-18633 | Fixed a bug in which incorrect MAC addresses were returned when no local area connection adapter was found.
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-13742, EA-18213 | Parent information was missing on the process tree page for hash ban terminate alerts.
3.7.0.1253 | Endpoint Standard | DSEN-14058, UAV-2140 | The RepMgr service crashed during log collection when it encountered an invalid memory access.
3.7.0.1253 | All | DSEN-14127, DSEN-14133 | CBC Windows builds are no longer signed with SHA-1 code signing (only SHA-2 and WHQL). Windows operating system updates may therefore need to be applied in order to run the 3.7+ CBC Windows sensor. Please see our UEX posts for more information:
3.7.0.1253 | All | DSEN-14154 | Fixed a bug in which the sensor could remain in bypass mode after a system reboot.
3.6.0.2076 | Endpoint Standard | DSEN-12449, EA-18064, EA-18230, EA-18270, EA-18324, EA-18429 | Microsoft Office processes were terminated if the "Invokes an untrusted process" rule was applied.
3.6.0.2076 | Endpoint Standard | DSEN-12571, EA-18105 | Corrected RepMgr scan behavior during certificate reputation updates.
3.6.0.2076 | Endpoint Standard | DSEN-12613, EA-18202 | Fixed a registration issue with Windows Security Center after a Windows update.
3.6.0.2076 | Endpoint Standard | UAV-1936, EA-17503 | Improved sensor performance in a number of scenarios, such as reading files over the network or logging out.
3.6.0.2076 | Endpoint Standard | UAV-1943 | When the Citrix Virtual Memory Optimization service is present, the Windows sensor did not block all executions from alternate data streams. See the following KB article for more information: https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-Citrix-Virtual-Memory-Optimization-Service/ta-p/99222
3.6.0.2076 | Endpoint Standard | DSEN-11432, EA-17439 | Signature pack updates did not respect the CurlCrlCheck config property.
3.6.0.2076 | Endpoint Standard | DSEN-11615 | Ransomware blocks did not always generate console alerts.
3.6.0.2076 | Endpoint Standard | DSEN-11626 | Added the ability to skip blocking executions from alternate data streams if the content hash is on the company approved reputation list.
3.6.0.2076 | Endpoint Standard | DSEN-11654, EA-17667 | Improved performance of Live Queries that use YARA to scan directories containing many files.
3.6.0.2076 | Endpoint Standard | DSEN-11710, EA-17591, EA-17693, EA-17877 | Improved performance on machines with a high frequency of short-lived processes.
3.6.0.2076 | Endpoint Standard | DSEN-11732 | Rules were not updated while the sensor was in bypass mode.
3.6.0.2076 | Endpoint Standard | DSEN-11805, EA-17554, EA-17841 | Improved hashing performance when large files are executed from the network.
3.6.0.2076 | Endpoint Standard | DSEN-11814, EA-16261, EA-17121 | Improved sensor performance during boot.
3.6.0.2076 | Endpoint Standard | DSEN-11927, EA-17912 | Not-trusted policy enforcement was applied to approved files. Under Policy > Sensor, if "Scan execute on network drives" is off and a never-before-seen hash that should be approved is executed, an unwanted block could occur.
3.6.0.2076 | Endpoint Standard | DSEN-12048, EA-17649 | Improved sensor detection of auto-generated Microsoft PowerShell scripts.
3.6.0.2076 | Endpoint Standard | DSEN-12095 | A local user interface alert is now generated for known malware services. Previously, in some circumstances, when a service backed by malicious files was discovered and blocked, no local user interface alert occurred.
3.6.0.2076 | Endpoint Standard | DSEN-12129 | Invalidly signed files that matched certificate approval rules using wildcard patterns might have been incorrectly approved despite the signature being untrustworthy.
3.6.0.2076 | Endpoint Standard | DSEN-12143, EA-18020, EA-18064, EA-18092, EA-18148, EA-18205 | Some recent Windows Updates delivered Microsoft OS files before the external catalog used to verify their digital signatures was registered. The files therefore appeared unsigned on first inspection, which could lead to tamper protection blocks and user-visible errors when launching RepUx. The sensor now re-inspects operating system files that appear unsigned to re-verify their digital signature and avoid the tamper blocks. See the following KB article for more information: https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-Repux-exe-or-Scanhost-exe-unable-to-start/ta-p/99249
3.6.0.2076 | Endpoint Standard | DSEN-12211 | Live Response was prevented from launching non-Microsoft executables by a tamper policy error.
3.6.0.1979 | Endpoint Standard | UAV-1941, EA-17514, EA-17627, EA-17765 | Performance issues arose across various assets such as Excel, video files, and USB printers. This fix improves the hashing logic to make the process more efficient.
3.6.0.1979 | Endpoint Standard | DSEN-11514, EA-17653 | Uninstall rollback during upgrades did not return the system to a protected state until reboot, causing upgrade failures.
3.6.0.1979 | Endpoint Standard | UAV-1853, EA-16874, EA-17503 | Improved network file operation performance.
3.6.0.1979 | Endpoint Standard | DSEN-11461, EA-17152 | Delays while closing some applications.
3.6.0.1979 | Endpoint Standard | DSEN-11477 | In Endpoint Standard-only organizations, device control alerts could take hours to appear on the Alerts page because low event volume delayed reporting to the cloud.
3.6.0.1979 | Endpoint Standard | DSEN-11617, EA-17780 | One reported occurrence of a BSOD on a 32-bit Windows 7 machine.
3.6.0.1979 | Endpoint Standard | UAV-1951, EA-17567, EA-17571 | One documented case of ERP software running slowly on ERP servers.
3.6.0.1979 | Endpoint Standard | DSEN-11639, EA-17572, EA-17811, EA-17831 | Latency on file open operations on local drives and network shares.
3.6.0.1941 | Endpoint Standard | DSEN-11146, EA-17629 | Resolved a reboot of a Domain Controller server during sensor uninstall.
3.6.0.1941 | Endpoint Standard | DSEN-11217, EA-17431 | One customer reported a crash on a clustered SQL instance.
3.6.0.1941 | Endpoint Standard | DSEN-10927, EA-17214 | Excel terminated with the error "attempted to modify the next instruction to execute in the process".
3.6.0.1941 | Endpoint Standard | DSEN-11192 | The local scanner was not updating on endpoints that use proxy connections.
3.6.0.1941 | Endpoint Standard | DSEN-11203 | With Device Control on, users might see a slowdown when accessing files on Google Drive with the Google Drive app running locally and mounting a volume in Windows Explorer.
3.6.0.1941 | Endpoint Standard | DSEN-11229 | The following error appeared after upgrading the sensor and then rebooting:
3.6.0.1941 | Endpoint Standard | DSEN-11107, EA-17416 | Tableau Server hung on sensor install.
3.6.0.1941 | Endpoint Standard | DSEN-11019 | Fixed an issue that could cause the background scan to consume excessive CPU. The background scan runs upon sensor install.
3.6.0.1941 | Endpoint Standard | DSEN-10847 | Wavefront's Telegraf service would not start when the sensor was installed. This issue was found internally only.
3.6.0.1941 | Endpoint Standard | DSEN-11338, EA-16703, EA-16977 | High CPU usage by the svchost service.
3.6.0.1941 | Endpoint Standard | DSEN-10968, EA-17653 | Uninstall might have failed in some scenarios.
3.6.0.1941 | Endpoint Standard | DSEN-11344, EA-17590 | A thread handle leak in RepMgr led to hangs on domain controllers.
3.6.0.1941 | Endpoint Standard | DSEN-11220 | General performance improvements.
3.6.0.1941 | Endpoint Standard | UAV-1847, EA-15161 | The normalization LRU cache had an inconsistent key format when the key was a folder.
3.6.0.1941 | Endpoint Standard | DSEN-11216, EA-15031 | The sensor was not sending the endpoint's MAC address to the backend.
3.6.0.1941 | Endpoint Standard | DSEN-11217, EA-17431 | A crash occurred on a clustered SQL instance (0x22_CsvFs!CsvFsExceptionFilter).
3.6.0.1941 | Endpoint Standard | UAV-1893, EA-17269, EA-17446 | A large number of registry operations showed high rule engine match overhead.
3.6.0.1897 | Endpoint Standard | DSEN-11344, EA-17590 | Systems with a high rate of network connection attempts running Windows sensor versions 3.6.0.1791 and 3.6.0.1897 may experience degraded performance. These sensor versions are no longer available for download. This issue is resolved in Windows sensor version 3.6.0.1941.
3.6.0.1897 | Endpoint Standard | UAV-1852, EA-15616 | The sensor skipped Endpoint Standard processing of network files that were not opened for execution.
3.6.0.1897 | Endpoint Standard | DSEN-10981, EA-17152 | Performance improvement for applications such as Microsoft Word that make heavy use of NtReadVirtualMemory.
3.6.0.1897 | Endpoint Standard | DSEN-10922, EA-17214 | Applications making a copy of themselves caused false positive code injection alerts in the console.
3.6.0.1897 | Endpoint Standard | DSEN-10822 | Improved performance of file reads on the endpoint when a file is quarantined in place.
3.6.0.1897 | Endpoint Standard | DSEN-10778 | Incremental performance improvements for moving network files.
3.6.0.1897 | Endpoint Standard | DSEN-10699 | Sensors did not move to the correct group because metadata changes were not reported.
3.6.0.1897 | Endpoint Standard | DSEN-10676 | Resolved a hang while inflating OneDrive files.
3.6.0.1897 | Endpoint Standard | DSEN-10494 | Sensors now use new static proxy settings even if previously persisted ones are still succeeding.
3.6.0.1897 | Endpoint Standard | DSEN-10212 | Customers might have experienced false positives for processes that had already terminated.
3.6.0.1897 | Endpoint Standard | DSEN-10154 | Signatures were not always re-evaluated on upgrade from older sensor versions. This might have resulted in an alert that a file was unsigned and the process terminated.
3.6.0.1897 | Endpoint Standard | DSEN-10043 | After a sensor was cloned, the clone might have updated the golden image endpoint's check-in time before registering as a new cloned endpoint. This might have resulted in duplicate Device IDs in the console.
3.6.0.1897 | Endpoint Standard | DSEN-10217 | The sensor upgrade might have failed when Windows Security Center was disabled.
3.5.0.1813 | Endpoint Standard | DSEN-10655 | This fix improves the execution of kernel mode code.
3.5.0.1813 | Endpoint Standard | DSEN-10334 | Resolved an intermittent issue during sensor upgrades after a fresh install: the upgrade sometimes hung while removing the old CB Defense service.
3.5.0.1813 | Endpoint Standard | DSEN-10246 | Resolved an issue that caused applications to crash with ctiuser.dll as the faulting module after upgrading the sensor from 3.5.0.1680 to 3.5.0.1756.
3.6.0.1791 | Endpoint Standard | DSEN-10154 | Improved signature evaluation logic on upgrade.
3.6.0.1791 | Endpoint Standard | DSEN-10370 | Rare case in which certificate reputation did not persist.
3.6.0.1791 | Endpoint Standard | DSEN-10104 | Performance improvement around caching volumes.
3.6.0.1791 | Endpoint Standard | DSEN-10555 | Added a check for a null content manager on shutdown.
3.6.0.1791 | Endpoint Standard | DSEN-10089 | Performance improvement: the normalized path is no longer cached in post-create when rules trigger the normalization.
3.6.0.1791 | Endpoint Standard | DSEN-10507 | Fixed a small performance inefficiency in CbdFileEventObjectBase::GetFileSize.
3.6.0.1791 | Endpoint Standard | DSEN-10466 | The REG_CREATE_KEY event included both new key creation events and existing key open events.
3.6.0.1791 | Endpoint Standard | DSEN-10489 | Overlapping PROC_RECORD flags caused inaccurate breached alerts.
3.6.0.1791 | Endpoint Standard | DSEN-7715 | Banned scripts were not blocked in the Box cloud file sharing app. The issue did not occur on Google Drive or OneDrive.
3.6.0.1791 | Endpoint Standard | DSEN-10458 | Inconsistent storage of pscinfo in db_rep led to query failures.
3.6.0.1791 | Endpoint Standard | UAV-1813 | Protobuf definitions of IPv4 and IPv6 addresses now include a human-readable format.
3.6.0.1791 | Endpoint Standard | DSEN-10246 | Application crashes were caused by members of the SuspendInfo struct not being aligned on a 16-byte boundary.
3.6.0.1791 | Endpoint Standard | DSEN-10453 | The delete code set the publisher/issuer name to VERIFIED.
3.6.0.1791 | Endpoint Standard | DSEN-10069 | A major Windows upgrade did not migrate the sensor's ELAM backup.
3.6.0.1791 | Endpoint Standard | DSEN-10068 | siUtil_IsProcessRunning did not take action on STATUS_ACCESS_DENIED; it now produces better log output.
3.6.0.1791 | Endpoint Standard | DSEN-10198 | Performance improvements: FQDN lookup optimizations.
3.6.0.1791 | Endpoint Standard | DSEN-10403 | Performance improvement: avoid acquiring an exclusive file record lock to set the process file type.
3.6.0.1791 | Endpoint Standard | DSEN-10158 | Performance improvement: cache process record references in the handle context.
3.6.0.1791 | Endpoint Standard | DSEN-10334 | CTINET: unload prevented due to inaccurate flow counters [EA].
3.6.0.1791 | Endpoint Standard | DSEN-10308 | CTINET: unload prevented due to inaccurate flow counters [EA].
3.6.0.1791 | Endpoint Standard | UAV-1808 | The PSC policy was not refreshed upon a datafile2 update.
3.6.0.1791 | Endpoint Standard | DSEN-10158 | Caching process record references in the handle context led to performance issues.
3.6.0.1791 | Endpoint Standard | DSEN-10134 | Input validation of the TLS config properties was inconsistent.
3.6.0.1791 | Endpoint Standard | DSEN-9952 | CHashObject::DetermineIntendedSourceMask accessed the DB without holding the lock.
3.6.0.1791 | Endpoint Standard | DSEN-10309 | Added a sensor alarm for failure to disable the LSP.
3.6.0.1791 | Endpoint Standard | DSEN-10248 | Error in confer.log: WARNING GetRegStringValue: Failed to read registry key Software\VMware, Inc.\ViewComposer\ga\AgentIntegration\CustomizationStarted
3.6.0.1791 | Endpoint Standard | DSEN-10153 | A sigpack update caused on-access scan to effectively become enabled even when it was disabled in policy.
3.6.0.1791 | Endpoint Standard | DSEN-10091 | ctifile blocked a pre-write by RepMgr and confer.log logging stopped.
3.6.0 | All | DSEN-9774 | A Hyper-V host blue-screened when accessing the CSV file system.
3.6.0 | All | DSEN-6963 | Sensor installation now supports both the user code provided in the email and the company code.
3.6.0 | All | UAV-1586 | An ASP page took 20 seconds to return with AmsiEnabled in the 3.5 sensor.
3.6.0 | All | UAV-1421 | The Live Response memdump command caused crashes and was disabled by default on Windows sensors 3.3 and 3.4. It is now enabled by default and no longer causes crashes.
3.6.0 | All | UAV-1415 | The sensor wrote large amounts of extra data to confer.log. The extraneous data written to confer.log has been reduced.
3.6.0 | All | UAV-1400 | The sensor allowed non-execute access to quarantined files. Quarantined files are now inaccessible. This can prevent other security applications from scanning and alerting on the file, but it prevents the file from being copied to other locations.
3.6.0 | All | UAV-1396 | Intermittent delays occurred when opening Office files and navigating file systems on Windows 10.
3.6.0 | All | UAV-1302 | Sensor install failed on Windows Server 2019 machines where the registry key HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch was missing the "BackupPath" value. The value is typically C:\Windows\ELAMBKUP.
3.6.0 | All | DSEN-8597 | During updates to Windows 19H1, the system either blocked the update or crashed during it. This issue was only reproduced and identified internally, and it did not reproduce if the sensor was in bypass mode.
3.6.0 | All | DSEN-8502 | Previously, an unattended install with the argument "INSTALLFOLDER=<path>" installed a sensor that was non-functional. The installation now fails if a non-standard installation folder is specified.
3.6.0 | All | DSEN-8501 | Under high load, repmgr.exe handle counts grew very large, causing minor performance issues.
3.6.0 | All | DSEN-7592 | If the sensor's background scan changed from disabled (via install arguments or cloud policy) to expedited, a race condition could leave the background scan in the disabled state.
3.6.0 | All | DSEN-7119 | WinDbg was observed to crash.
3.6.0 | All | DSEN-6405 | RepMgr.exe crashed upon running any process from a path with Japanese characters (c:\見る).
3.6.0 | Enterprise EDR | DSEN-6056 | If the customer turned off Scan On Network Read/Scan on Network Execute in the policy, the sensor still tried to normalize network paths even when Enterprise EDR was not enabled.
3.6.0 | All | DSEN-5043 | The TTP ACCESS_EMAIL_DATA was assigned to an event in which C:\Windows\System32\taskhost.exe attempted to access the file "C:\Users\mosesveroy\AppData\Local\Microsoft\Internet Explorer\Indexed DB\Internet.edb". That file looked like an Internet Explorer data file, not an email data file. Expected behavior: clarify or correct the TTP ACCESS_EMAIL_DATA for internet.edb.
3.6.0 | All | DSEN-4873 | WinSSL CRL checking caused friction in POC environments that required a proxy configuration.
3.6.0 | All | DSEN-4720 | The API hook for GetAsyncKeyState (and a small number of other functions) called GetCallingDll. The fix for DSEN-2810 avoided an expensive call to GetLongPathNameW by checking whether the path name contained any tilde ("~") characters; if it did, GetLongPathNameW was still called, resulting in a noticeable slowdown. The customer was using an IME-like ActiveX control that called GetAsyncKeyState, and the DLL was installed below C:\Program Files (x86), which has a short name containing a tilde.
3.6.0 | All | DSEN-4682 | A rule to deny memory scraping by Task Manager did not work on Windows 10. ctiuser.dll was not injected into taskmgr.exe on Windows 10, so it could not prevent memory scraping (that is, creating a dump file) of any process by Task Manager. This did not occur on Windows 7, where ctiuser is loaded through AppInit_DLLs and creating a dump from Task Manager is successfully blocked.
3.6.0 | All | DSEN-4580 | Occasionally, the local scan misclassified a file with a malware reputation. If RepMgr requested a scan of the file, this AV reputation persisted in dbrep. If a subsequent signature update corrected the local scan's verdict, RepMgr did not rescan the file, so the AV reputation in dbrep was not corrected. If there was no higher-priority reputation from other sources, including the cloud, the stale AV reputation persisted. The workaround was to add the hash to the Approved list.
3.6.0 | All | DSEN-4154 | The IT_TOOLS rule was still enforced on a long-running process after the rule was removed.
3.6.0 | All | DSEN-3099 | Known malware executed and remained running.
3.6.0 | All | DSEN-2480 | The Agent Core Installer separated the installer directory from the data directory.
3.6.0 | All | DSEN-2167 | When pulling down an AV pack update, the proxy information in the curl request was not set.
3.6.0 | All | DSEN-1755 | The sensor was in bypass mode for around 3 hours. When the sensor was taken out of bypass mode, it remained in bypass for 25 minutes, at which time the machine rebooted and the sensor checked in.
3.6.0 | All | DSEN-1077 | powershell_ise.exe is a CLR process. On Windows 10, Carbon Black does not inject into the process because it doesn't meet the following criteria:
3.5.0.1801 | All | DSEN-10230, EA-16950, EA-16957, EA-16961 | An earlier maintenance release of the 3.5 CBC Windows sensor (3.5.0.1786) caused a system crash/BSOD on endpoints that hit a specific uncommon code path. There were three reported cases across about 175,000 endpoints in all environments. The problem was introduced in 3.5.0.1786, the only version in which it exists, and is fixed in 3.5.0.1801.
3.5.0.1801 | All | UAV-1779, EA-16903 | Due to an interaction with third-party proxy management software (Open Text Socks Client), one customer experienced RepCLI (the local command line interface) failing with the error "RepCLIClient: Failed to open socket". This issue was found in 3.5.0.1680 and fixed in 3.5.0.1801.
3.5.0.1801 | All | UAV-1755, EA-16865 | One customer reported a system crash. This issue was found in 3.5.0.1627 and fixed in 3.5.0.1801.
3.5.0.1786 | All | UAV-1724, EA-16649, EA-16526, EA-16702, EA-16761 | The sensor caused slowness and freezing on the endpoint, and caused a domain controller to become unresponsive.
3.5.0.1786 | All | DSEN-9760, EA-16641 | A RepMgr.exe crash caused performance degradation and a high number of event ID 1 and 1000 entries in the Windows Application log.
3.5.0.1786 | All | UAV-1646 | Startup performance improvements alleviate slow start and logon issues. Performance improvements remain a focus in future releases.
3.5.0.1786 | All | DSEN-5266, UAV-1678, EA-14291 | Fixed performance issues when using Windows Explorer to navigate to locations in SharePoint.
3.5.0.1786 | All | DSEN-9612, EA-15998 | Upon reboot, a customer experienced the following error: "Carbon Black Cloud Sensor: RepUx.exe - Bad Image. C:\Program Files (x86)\Common Files\Microsoft Shared\INK\PENUSA.DLL is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc0000022."
3.5.0.1756 | All | DSEN-9434, EA-16297 | Issue connecting to the proxy server.
3.5.0.1756 | All | DSEN-8645, EA-16130, EA-16208 | When using OFFLINE_INSTALL=1 and providing PROXY_SERVER on the command line, the sensor never registered with the backend.
3.5.0.1756 | CB Defense | DSEN-8950, EA-14957, EA-16471 | Customers allow-listing IT Tools might have seen the feature fail if wildcard characters were not used in the allow-listed string. This is now fixed and non-wildcard strings match.
3.5.0.1756 | CB Defense | DSEN-8307, EA-16479, EA-16509 | Bypass rules were not properly applied in certain cases.
3.5.0.1756 | All | DSEN-8562, EA-15614 | Alerts were surfaced for a file that had already been deleted from the system.
3.5.0.1756 | All | UAV-1595, EA-16261 | Logon performance has been improved.
3.5.0.1756 | CB LiveOps | DSEN-8768, EA-16504 | The Live Response exec command failed in some cases.
3.5.0.1756 | All | DSEN-8291, EA-16578 | Intermittent login delays caused RDP session timeouts.
3.5.0.1756 | All | DSEN-8507, EA-16068 | Issues contributing to slow login are now addressed.
3.5.0.1680 | CB Defense | DSEN-8605, EA-16214, EA-16283 | Two customers experienced a deadlock between a sensor process and a system process, which could cause the endpoint to freeze.
3.5.0.1680 | LiveOps | DSEN-8537, EA-15636, EA-16147 | Customers might have experienced greater than expected resource consumption on their endpoints from Live Query usage. Previously, the backend cancelled queries only after they had been outstanding for a week. This fix introduces configurable runtime and memory consumption thresholds that, if crossed, cancel the query and prevent excessive resource consumption.
3.5.0.1680 | All | DSEN-8440, EA-16086 | Customers might have experienced greater than expected resource consumption when installing large files.
3.5.0.1680 | All | DSEN-8405, EA-16014 | Users may have noticed a larger pagefile, which generated volmgr errors in Windows Event Viewer. The sensor now auto-configures the machine's memory dump settings unless you opt out by setting the MSI command line argument AUTO_CONFIG_MEM_DUMP=0 during a command line install.
3.5.0.1680 | CB ThreatHunter | DSEN-8331 | CB ThreatHunter might not have reported script loads for scripts with VBScript, Office document, Python, or Perl file extensions.
3.5.0.1627 | All | DSEN-7254 | Creating a folder on a network file share might have taken up to 15 seconds. The initial folder creation occurred within a normal time frame.
3.5.0.1590 | All | UAV-1415 | Uninstall on a machine serving an RDP session could hang or fail if the RDP client machine was sharing local drives with the RDP server. Note that an upgrade from Windows sensor 3.4 to an earlier 3.5 version requires an uninstall and can trigger this issue if the preceding criteria are met. To resolve the issue in this case, use the sensor removal tool.
3.5.0.1627 | All | DSEN-7565 | An internal observation of the sensor crashing while being taken out of bypass during system startup. This issue was not reported externally.
3.5.0.1627 | All | DSEN-7760, EA-15839 | In one case, the sensor service stopped repeatedly, generating event log errors such as: "The CB Defense service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service." This was the result of a service crash.
3.5.0.1627 | All | DSEN-7831, EA-15341, EA-15810, EA-15403 | In some cases, the sensor did not honor bypass rules as configured in the policy, which led to unexpected blocks, interoperability issues, or poor application performance.
3.5.0.1627 | All | DSEN-7759 | Endpoints exited network quarantine after upgrading from 3.4 to 3.5. Upgrades and uninstalls are no longer permitted while in quarantine.
3.5.0.1627 | CB LiveOps | DSEN-7576 | As of version 3.5.0.1627, the Windows sensor supports osquery 4.1.2.
3.5.0.1590 | All | DSEN-7344, EA-15076 | Customers could experience performance issues when end users accessed many files over a network drive. The specific issue in EA-15076 is resolved.
3.5.0.1590 | All | DSEN-7358 | Because log messages were being dropped, support staff might have requested additional logs and diagnostic information during troubleshooting in certain cases.
3.5.0.1590 | All | DSEN-7391, EA-14361 | The Windows Security event log surfaced the message: "Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. File Name: \Device\HarddiskVolume4\Windows\System32\ctiuser.dll." This suggests ctiuser.dll might be corrupted, which is not the case.
3.5.0.1590 | All | EA-15784, DSEN-7488 | A customer observed a recurrence of event ID 49 in the Windows Application event log.
3.5.0.1590 | All | DSEN-7565 | An internal observation of the sensor crashing while being taken out of bypass during system startup. This issue was not reported externally.
3.5.0.1590 | All | DSEN-7592 | The sensor now logs Windows events whenever the backend requests a deregister/uninstall, and whenever the sensor enters or exits bypass or server maintenance mode.
3.5.0.1590 | All | DSEN-7759 | Users reported endpoints exiting network quarantine after upgrading from 3.4 to 3.5. Upgrades and uninstalls are no longer permitted while in quarantine.
3.5.0.1590 | All | DSEN-7837, EA-15874 | One customer observed that the backend did not display events for up to two hours.
3.5.0.1590 | All | DSEN-7208 | In VDI environments, the uninstaller kept an old device's uninstall code. This is now fixed and the uninstall process in VDI environments is improved.
3.5.0.1590 | All | UAV-1393 | Folder creation on network paths might have taken up to 25 seconds to complete.
3.5.0.1590 | All | DSEN-6985 | Any path-based rule that started with \ rather than \\ was not enforced on Windows. This prevented users from creating path rules for files that had no system-wide drive letter.
3.5.0.1590 | All | DSEN-7446 | In some cases, the Endpoints page did not reflect Active Directory or Organizational Unit data.
3.5.0.1590 | All | UAV-1386, DSEN-7326 | This release introduces several memory leak fixes (none of which were reported by customers).
3.5.0.1590 | All | DSEN-5225 | When a .bat or .cmd script was executed via the command interpreter with "cmd.exe /c", the process might have been blocked. This is now resolved for .bat and .cmd processes.
3.5.0.1590 | All | DSEN-7358 | The sensor dropped log messages, resulting in Carbon Black support requesting diagnostic information more frequently.
3.5.0.1590 | All | DSEN-7275 | If the background scan was running, uninstall might have been very slow. Users would encounter this only if they attempted to uninstall shortly after install because, if configured, the background scan runs upon install.
3.5.0.1590 | CB ThreatHunter | UAV-1396, EA-15835 | In one case, a server hung during boot.
3.5.0.1523 | All | DSEN-6534, EA-14866 | Customers might have seen an increase in false positive blocks. One customer reported Excel and Outlook being blocked.
3.5.0.1523 | All | DSEN-3992 | Subkeys could be created under the CBDefense key in the Windows registry.
3.5.0.1523 | CB Defense | DSEN-5332, EA-12882 | The sensor might have terminated a process due to an attempt "to modify the next instruction to execute in the process" when the process belonged to the application.
3.5.0.1523 | All | DSEN-4054, DSEN-4033 | The Live Response memdump command was previously observed to cause crashes and was disabled by default on Windows sensors 3.3 and 3.4. It is now enabled by default and no longer causes crashes.
3.5.0.1523 | All | DSEN-4375 | The sensor wrote large amounts of extra data to confer.log. Numbers vary across environments, but the extraneous data written to confer.log is now reduced. The actual size of confer.log can still increase because, although extraneous data is reduced, valuable log data is retained over a longer period due to a separate change.
3.5.0.1523 | All | DSEN-5626 | Previously, the sensor allowed non-execute access to quarantined files. Quarantined files are now inaccessible. This can prevent other security applications from scanning and alerting on the file, but it prevents files from spreading to other locations.
3.5.0.1523 | All | DSEN-6322, EA-14880 | There were reports of intermittent delays when opening various Office files and navigating file systems on Windows 10.
3.5.0.1523 | All | DSEN-5995, EA-14707, EA-14723, EA-14729 | Customers using Windows sensor versions 3.4.0.1047 to 3.4.0.1077 had Office applications such as Word and Excel hang when updating a file on Google File Stream and similar products (Box, Citrix Cloud, etc.). This issue is fixed in the 3.5 and 3.4.0.1086 versions of the sensor.
3.5.0.1523 | All | EA-14455, DSEN-5699 | Sensor install failed on Windows Server 2019 machines where the registry key HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch was missing the "BackupPath" value. The value is typically C:\Windows\ELAMBKUP.
3.5.0.1523 | All | DSEN-5493, DSEN-5491 | During updates to Windows 19H1, the system either blocked the update or potentially crashed during it. This issue was only reproduced and identified internally, and it did not reproduce if the sensor was in bypass mode.
3.5.0.1523 | All | DSEN-4050 | Previously, an unattended install with the argument "INSTALLFOLDER=<path>" installed a sensor that was non-functional. Carbon Black now forces an install failure if a non-standard install folder is specified.
3.5.0.1523 | All | DSEN-4043 | Under high load, repmgr.exe's handle counts grew very large, which could cause minor performance issues.
3.5.0.1523 | All | DSEN-6372 | If the sensor's background scan changed from Disabled (via install arguments or cloud policy) to Expedited, a race condition could leave the background scan in the disabled state. This issue was not observed externally.
3.5.0.1523 | CB Defense | DSEN-6077 | WinDbg was observed to crash.
3.5.0.1523 | All | DSEN-3061 | The sensor did not allow-list files by certificate if the certificate contained multi-byte characters. A backend fix was implemented for this issue.
3.5.0.1523 | All | EA-15148, DSEN-6552 | A crash could occur intermittently on file renames on network drives.
3.5.0.1523 | All | DSEN-6535, DSEN-6591 | Sensor upgrades failed with error 1603 when the upgrade was attempted at the same time as a Windows upgrade to Redstone 5.
3.5.0.1523 | CB ThreatHunter | DSEN-4756, DSER-14090, EA-13906 | Customers running CB ThreatHunter standalone might have seen the Windows Security Center Real-Time protection feature disabled. This was resolved by navigating to the Policies page, clicking the Sensor tab, and unchecking Use Windows Security Center.
3.5.0.1523 | All | DSEN-6057 | Previously, release notes stated that banned scripts execute if the policy is refreshed on the backend after the ban. In fact, only scripts already executing while the sensor was coming out of bypass were not blocked; banned scripts executed after bypass is disabled are blocked. This behavior is functioning as designed.
3.5.0.1523 | CB ThreatHunter | DSEN-6487 | In sensor versions 3.4.0.1070 and 3.4.0.1077 (and 3.4.0.1016), the sensor crashed upon running any process from a path with multibyte characters (c:\見る) when UBS was enabled for CB ThreatHunter customers.
3.5.0.1523 | All | DSEN-6490 | HTML file load and open and close performance degraded in 3.5 compared to 3.4. This fix was implemented in 3.5.0.1402. |
3.5.0.1523 | All | DSEN-6653 | When the Windows sensor 3.5 was in bypass mode, the sensor uninstall failed. |
3.5.0.1523 | All | DSEN-6876, EA-15319, EA-15301 | Some customers observed latency associated with Microsoft office applications. |
3.5.0.1523 | All | DSEN-6871 | Users could deregister the sensor from Windows Security Center in conflict with the policy setting. |
3.5.0.1523 | All | DSEN-6826 | 3.5 beta users might have experienced a performance problem on a Windows 10 19H2 environment with CB Defense and CB ThreatHunter enabled: a 50% spike in repmgr.exe usage was identified while the system was idle. |
3.5.0.1523 | All | DSEN-6867 | The CB LiveResponse API previously defaulted to UTF-16LE encoding rather than UTF-8. Because many customers rely on the latter, the default setting is restored to UTF-8. This issue only impacted 3.5 beta users. |
3.5.0.1523 | CB ThreatHunter | DSEN-6145 | Customers who had moved from CB ThreatHunter standalone to CB ThreatHunter with CB Defense experienced false positive blocks. This issue was only reported internally. |
3.5.0.1523 | All | DSEN-6491 | Some users experienced a minor delay in loading common applications. |
3.5.0.1523 | All | DSEN-6569 | When running a Carbon Black-signed msi in Windows sensor 3.5 beta, cmd.exe was granted full bypass. cmd.exe was placed in bypass only if the sensor msi was executed from cmd.exe. |
3.5.0.1523 | All | DSEN-6625 | The Windows sensor did not support multi-byte characters in Osquery results in version 3.4.0.1016. |
3.5.0.1523 | All | DSEN-6660 | One internal user experienced a crash on Windows sensor 3.5.0.1346 running on Windows 8.1 x86. |
3.5.0.1523 | All | DSEN-6691 | In earlier 3.5 builds, if a file had a bypass rule that was removed after the file was deleted, then copies of that file would not be quarantined in place. |
3.5.0.1523 | All | DSEN-6706 | Explorer.exe hung indefinitely on an attempt to run any process in the confer install folder as administrator in the Windows sensor 3.5.0.1357. |
3.5.0.1523 | All | DSEN-5163 | The sensor did not prohibit downgrades from existing Windows 3.5 versions to older Windows 3.5 versions. This issue is resolved in all released 3.5 builds except for 3.5.0.1278. Carbon Black does not recommend or support downgrades, but the downgrade to 3.5.0.1278 is not prevented. |
3.5.0.1523 | All | DSEN-5934, EA-14272, EA-14956 | Customers could not open attachments while using applications such as KnowBe4 Second Chance or Digital Guardian’s Outlook plug-in. |
3.5.0.1523 | All | DSEN-6540 | The sensor user interface might have shown the sensor in bypass when it is active. This issue was only reproduced internally and was considered a rare event. |
3.5.0.1523 | All | DSEN-6543 | False positive blocks might have occurred due to sharing violations while retrieving signature information. |
3.5.0.1523 | All | DSEN-6941 | Application launch performance degraded in the Windows 3.5 sensor compared to the Windows 3.4 sensor. |
3.5.0.1523 | All | DSEN-6899, DSEN-7134 | Customers experienced delays of up to 35 seconds when copying files to remote network drives. The sensor no longer reports signature or reputation information at the time of "last write" (that is, the close of the handle that modified an executable file). The sensor still collects and reports that information if the file is executed, but no longer stalls to collect it at modification time. |
3.5.0.1523 | All | DSEN-7005, DSEN-6990 | Files that had no logical drive mapping (such as some Google Drive files) might not have been reported to the cloud. This issue impacted beta sensors only. |
3.5.0.1523 | All | DSEN-6315 | Some sub-processes were left in a suspended state after their parents were terminated. This was only observed internally. |
3.5.0.1523 | All | DSEN-7026 | One customer had observed a crash on some machines during the 3.5 beta program. |
3.5.0.1523 | All | DSEN-7099 | Internally observed timeouts led to a reputation mismatch, which could have resulted in false positive blocks. |
Sensor Version Found | Product | Issue ID | Description |
3.5.0.1627 | All | DSEN-16957 | In rare instances, the sensor can switch to bypass mode post-upgrade. This is due to an issue unloading one of the drivers and has been seen more frequently on Windows Server 2019 systems. In such cases, a reboot is required to complete the upgrade and clear the bypass state. |
3.8.0.398 | All | DSEN-17019, DSEN-16602 | Beginning with 3.8.0.370, after install or upgrade you might see events or alerts in which the parent process of repmgr.exe is reported with a hash of all zeroes. This goes away after a reboot. |
3.8.0.398 | All | DSEN-16573 | If you have an open Explorer window that contains banned or malicious binaries, the Explorer window might be closed because Explorer has those binaries mapped. |
3.8.0.398 | All | DSEN-15424 | Performance issues occur on Windows 11 systems where the Windows Search service is actively indexing files. |
3.8.0.398 | All | DSEN-14236, EA-18878 | Code integrity determines that the image hash of some Carbon Black files being loaded is not valid and logs Windows events with ID 5038. |
3.8.0.398 | All | DSEN-9577 | Fileless script termination rules should be applied to the parent process of the fileless script process, because the process executing the fileless script is itself the fileless script. |
3.8.0.398 | All | DSEN-8551 | Access to the sensor installation directories from non-elevated Explorer windows may be blocked if the user is not an authenticated RepCLI user. Customers are encouraged to authenticate a set of RepCLI users and use those users for support sessions when this folder needs to be inspected; these users can access %programdata%\CarbonBlack through Explorer.exe. |
3.7.0.1253 | Endpoint Standard | DSEN-13482 | Events show the NT file path of dropped files. |
3.7.0.1253 | Endpoint Standard | DSEN-12202 | Uninstalling through the "sensor removal tool" may still leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry. |
3.7.0.1253 | Endpoint Standard | DSEN-12189 | When a process is blocked from running, multiple block events can display in the console and local user interface. |
3.7.0.1253 | Endpoint Standard, Enterprise EDR | DSEN-11116 | Banned file names and paths are not captured correctly when launched through a WebDAV path. |
3.5.0.1523 | All | DSEN-7416 | After upgrading from Windows 7 x64 to 19H1, the endpoint might still report that the machine is running Windows 7. |
3.5.0.1523 | All | DSEN-1387 | Background scan remains disabled on devices where VDI=1 was used. See https://community.carbonblack.com/docs/DOC-12001. |
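Three of the conditions listed above can be verified directly on an endpoint: the missing EarlyLaunch BackupPath value that fails the install (DSEN-5699), the code-integrity event ID 5038 entries for Carbon Black files (DSEN-14236), and the Security Center AV provider key that the removal tool can leave behind (DSEN-12202). The script below is an added example written for this page, not Carbon Black's own tooling. It assumes an elevated PowerShell session (reading the Security log requires administrator rights); the function names are my own, and the pattern used to pick Carbon Black files out of the 5038 event text (Confer, CarbonBlack, cb*.sys) is an assumption about the sensor's file names, not something the release notes state.

```powershell
# Added example (not VMware Carbon Black code). Run from an elevated PowerShell
# session on the endpoint before an install or after running the removal tool.

function Test-ElamBackupPath {
    # DSEN-5699: sensor install fails if EarlyLaunch\BackupPath is missing.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'
    $item = Get-ItemProperty -Path $key -Name BackupPath -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Check = 'ELAM BackupPath'; Ok = $false; Detail = 'value missing' }
    }
    $path = $item.BackupPath   # typically C:\Windows\ELAMBKUP
    [pscustomobject]@{
        Check  = 'ELAM BackupPath'
        Ok     = (Test-Path -LiteralPath $path)   # value present but directory gone is also a problem
        Detail = $path
    }
}

function Get-CbCodeIntegrityEvents {
    param([int]$MaxEvents = 200)
    # DSEN-14236: code integrity logs Security event ID 5038 when it rejects an image hash.
    # The file name appears in the event message; the filter below is an assumption
    # about the sensor's file names (Confer install folder, cb*.sys drivers).
    $pattern = 'Confer|CarbonBlack|\\cb[a-z]*\.sys'
    $events  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038 } `
                            -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $events | Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Test-WscProviderResidue {
    # DSEN-12202: the removal tool can leave the Security Center AV provider entry behind.
    # Key path is the one given in the release note.
    $key = 'HKLM:\SOFTWARE\Microsoft\SecurityCenter\Provider\AV'
    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{ Check = 'WSC provider key'; Ok = $true; Detail = 'absent' }
    }
    # Dump each subkey's values as text and flag any that mention the sensor,
    # so the check does not depend on knowing the exact value names.
    $hits = @(Get-ChildItem -Path $key | Where-Object {
        (Get-ItemProperty -LiteralPath $_.PSPath | Out-String) -match 'Carbon|Confer'
    })
    $detail = if ($hits.Count) { $hits.PSChildName -join ', ' } else { 'present, no Carbon Black entry' }
    [pscustomobject]@{
        Check  = 'WSC provider key'
        Ok     = ($hits.Count -eq 0)
        Detail = $detail
    }
}

Test-ElamBackupPath
Test-WscProviderResidue
$ci = Get-CbCodeIntegrityEvents
if ($ci) { $ci | Format-Table -AutoSize } else { 'No event ID 5038 entries matching Carbon Black files.' }
```

Run the first check before installing on Windows Server 2019 hosts that have failed with the BackupPath error, and the last two after an uninstall or when investigating 5038 noise; `Get-CbCodeIntegrityEvents | Export-Csv` gives support a clean list of the affected files without hand-copying event text.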