Carbon Black Cloud Windows Sensor Release Notes

Sensor Installer Rollback

Build-to-build, version-to-version upgrade rollback is now fully supported when upgrading from version 3.7 and later sensors. The following table describes rollbacks that various Carbon Black Cloud sensor versions support. [Table image: rollbacks.png]

For more details about rollback functionality, see the VMware Carbon Black Cloud Sensor Installation Guide.

Enterprise EDR Hash Banning

This feature provides Enterprise EDR users with the ability to ban files by hash, thus preventing files from:

  • Being opened with execute access
  • Starting a process from a file
  • Being loaded as a module in a process
  • Being loaded as a script
  • Being loaded as a driver

For more details, see

Ransomware Boot Record Protection

A new disk driver (cbdisk.sys) helps protect against the most dangerous types of ransomware that attempt to corrupt the boot record of an endpoint. This type of ransomware encrypts files and alters the master boot record (MBR) and partition boot record (PBR), rendering the device unusable.

Important Note: A reboot is required after install/upgrade/cloning a golden VM image to fully leverage our ransomware protection capabilities. This new disk driver should be added to any previously set AV exclusions.

SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2

Microsoft no longer allows code-signing using SHA1. To continue running VMware Carbon Black Cloud Windows sensor version 3.7+, the KB4474419 patch should be applied to applicable operating systems. Our Carbon Black Cloud sensor - OS Support article on UEX reflects this change.

Automatic re-registration of VMware Carbon Black Cloud Windows sensors in Citrix PVS environments

The 3.7 Windows sensor supports a new cfg.ini parameter AutoReRegisterForCitrix = True for automatically re-registering Windows sensor on VDI clones in Citrix PVS environments.

SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2

Microsoft is no longer allowing code signing using SHA1. To continue running our latest Carbon Black Cloud Windows 3.6 sensor version (, the KB4474419 patch should be applied to applicable operating systems. Our Carbon Black Cloud sensor - OS Support article on UEX has been updated to reflect this change.

This updated Windows sensor version includes fixes and performance improvements.

This updated Windows sensor version includes fixes and performance improvements.

osquery version update 4.5.1

This updated Windows sensor includes the most recent version of osquery (4.5.1). See the Carbon Black Cloud Sensor Support for osquery document for a full list of sensor versions and supported schema versions. (This sensor is no longer available for download)

osquery version update 4.5.0

This updated Windows sensor includes the most recent version of osquery (4.5.0). See the Carbon Black Cloud Sensor Support for osquery document for a full breakdown of sensor versions and supported schema versions.

This update lets you query the Windows event log. Users can now craft custom queries or use new out-of-the-box queries from our Threat Analysis Unit to pull back artifacts from Windows event logs on demand. These artifacts include the event ID, the time an event occurred, the source or channel of the event, the provider name and GUID associated with an event, the severity level of an event, and more.

This version also includes Windows support for the yara table and no longer requires an on-disk signature to be present.


VMware Carbon Black Cloud sensor version 3.6 is for Windows only. See supported operating systems on the UEX: Carbon Black Cloud sensor support.

osquery 4.4.0

The 3.6 Windows sensor introduces osquery version 4.4.0. Learn more about version 4.4.0 here:

Firewall exclusion

The 3.6 Windows sensor leverages a content management system to enable the dynamic configuration of prevention features. Prior to installing or upgrading to 3.6, if you have restrictive firewall policies active in your environment, you might need to add a new firewall/proxy exclusion for the sensor to be fully functional.

Add a new network/proxy exclusion for a direct connection over TCP/443 to 

Enterprise EDR, AMSI Prevention, and Unified Binary Store require the exclusion to work with the 3.6 sensor. 

To learn more about the sensor communication requirements, see Carbon Black Cloud: What Ports must be opened on the Firewall and Proxy Servers? 

Sensor install/uninstall improvements

With the Carbon Black Cloud Windows 3.6 sensor, the install and uninstall experience is strengthened on the endpoint. If a failure occurs during an initial install of the product or during an uninstall, the endpoint will be returned to the state it was in prior to the attempt. 

To learn more about Windows sensor installation and uninstallation, see the Sensor Install Guide on the UEX or in your VMware Carbon Black Cloud Console under the Help menu in the top bar

AMSI Prevention and visibility (Endpoint Standard) 

VMware Carbon Black Cloud has extended its default prevention capabilities for script-based Windows attacks, built on Microsoft Anti-Malware Scan Interface (AMSI). This extension of the AMSI integration expands on existing PowerShell preventions with improved ease of use and a better security posture. 

This release includes the ability for the sensor to dynamically leverage AMSI metadata to define and configure prevention logic. These updated, high-fidelity prevention rules are being crafted by VMware Carbon Black’s Threat Analysis Unit to include frequently used off-the-shelf attacker frameworks that are regularly seen in script-based attacks.

AMSI prevention and visibility is only supported on Windows 10 and greater and requires sensor version 3.6+. AMSI prevention and visibility will be rolled out in a staggered manner to customers. No action is required by the customer. 

Sensors that are registered with the following backend instances can use the functionality on the listed date.









Sensor logs locations

Previous versions of the sensor stored logs in the \Program Files\Confer\Logs\ directory. 

The Windows 3.6 sensor stores some logs in Program Files and some logs in ProgramData: 

  • \Program Files\Confer\Logs\ 
  • \ProgramData\CarbonBlack\Logs\

Throughout 3.6 maintenance releases, we will move all logs to ProgramData to better align with Microsoft guidelines.

VDI improvements

The VDI workflow is improved with the Windows 3.6 sensor. Re-registering is less restrictive and easier. VDI clones and re-registered devices inherit the policy of the primary image if one exists. Otherwise, clones and re-registered devices are assigned the Virtual Desktop policy or the Standard policy, in that order. Additionally, if an organization is using sensor groups, the new device will be moved to the appropriate policy when the metadata matches. See the Sensor Installation Guide for full VDI considerations and see the in-product User Guide for more information about sensor groups.




VMware Carbon Black Cloud sensor version 3.5 is for Windows only. This release is Generally



Disable services associated with malware

Malicious services that run at start-up have the potential to execute and impact the endpoint
before the sensor starts up. A new feature finds all malicious services associated with Known
Malware hashes and puts them in a disabled state. The services remain in disabled state across
reboots, and therefore cannot execute at startup. If a service binary in question was not
malicious or if some other tool is used to clean the malware, then the sensor will not
automatically enable the service again. To re-enable the service you must manually do so by
using LiveResponse or other standard tools. The feature is enabled by default and can be
disabled by a request to Support.

The commands for remediation through CB LiveResponse are:

  1. Query the service start type: execfg sc.exe qc <servicename>
  2. Change the start type using the command: execfg sc.exe config <servicename> start=<starttype>

The possible start types are: boot | system | auto | demand | disabled | delayed-auto

The event that is sent during the service disable contains the original start type and displays in
the user interface. The user needs this data to return the start type to its original value. If the
start type changes to boot, auto or delayed-auto, they must reboot.
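
The same two steps can be run locally with standard tools. The following is an added example, not part of the release notes or of any Carbon Black tooling: it reads the current start type, restores the original value reported in the service-disable event, and reports whether the reboot described above is needed. The function names and the sample service name are hypothetical.

```powershell
# Added example: restore the start type of a service that the sensor disabled.
# Function names and the sample service name are illustrative (hypothetical).

function Get-ServiceStartType {
    param([Parameter(Mandatory = $true)][string]$ServiceName)

    # sc.exe prints START_TYPE as "<code>   <LABEL>"; the numeric code is parsed.
    $byCode = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'demand'; 4 = 'disabled' }

    $output = & sc.exe qc $ServiceName
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe qc failed for '$ServiceName' (exit code $LASTEXITCODE): $($output -join ' ')"
    }
    foreach ($line in $output) {
        if ("$line" -match '^\s*START_TYPE\s*:\s*(\d+)\s+\S+(\s+\(DELAYED\))?') {
            $type = $byCode[[int]$Matches[1]]
            if (-not $type) { throw "Unexpected START_TYPE code $($Matches[1])" }
            # Delayed automatic start is shown as AUTO_START with a (DELAYED) suffix.
            if ($type -eq 'auto' -and $Matches[2]) { $type = 'delayed-auto' }
            return $type
        }
    }
    throw "START_TYPE not found in sc.exe output for '$ServiceName'"
}

function Restore-ServiceStartType {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,

        # Original start type, as shown in the service-disable event in the console.
        [Parameter(Mandatory = $true)]
        [ValidateSet('boot', 'system', 'auto', 'demand', 'disabled', 'delayed-auto')]
        [string]$OriginalStartType
    )

    $before  = Get-ServiceStartType -ServiceName $ServiceName
    $after   = $before
    $changed = $false

    if ($before -ne $OriginalStartType -and
        $PSCmdlet.ShouldProcess($ServiceName, "set start type $before -> $OriginalStartType")) {
        # 'start=' and the value are passed as separate tokens ("start= <type>"),
        # the form that older sc.exe builds require.
        $output = & sc.exe config $ServiceName start= $OriginalStartType
        if ($LASTEXITCODE -ne 0) {
            throw "sc.exe config failed for '$ServiceName' (exit code $LASTEXITCODE): $($output -join ' ')"
        }
        $after   = Get-ServiceStartType -ServiceName $ServiceName
        $changed = $true
    }

    # Per the note above: a change to boot, auto or delayed-auto needs a reboot.
    $needsReboot = $changed -and (@('boot', 'auto', 'delayed-auto') -contains $after)

    New-Object psobject -Property @{
        ServiceName    = $ServiceName
        PreviousType   = $before
        CurrentType    = $after
        Changed        = $changed
        RebootRequired = $needsReboot
    }
}

# Usage (run elevated; 'ExampleSvc' is a placeholder service name):
#   Restore-ServiceStartType -ServiceName 'ExampleSvc' -OriginalStartType demand -WhatIf
#   Restore-ServiceStartType -ServiceName 'ExampleSvc' -OriginalStartType demand
```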

Removal of registry keys during deletion

Deletion of files, both manual and through the Malware Removal workflow, previously did not
attempt to remove registry keys that were created by the malware. When requested to delete a
file, the Windows 3.5 sensor also removes RunOnce registry keys from the HKLM hive that reference the malicious binary that is being deleted. Other auto-start registry keys referencing the malware might remain.
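
Because auto-start entries other than HKLM RunOnce can still reference a deleted binary, a follow-up check is useful after removal. The following is an added example, not part of the release notes or of any Carbon Black tooling: a read-only audit that lists Run and RunOnce values in HKLM and in the loaded user hives that mention a given path. The function name and the sample path are hypothetical.

```powershell
# Added example: list Run/RunOnce values that still reference a removed binary.
# Read-only; the function name and sample path are illustrative (hypothetical).

function Find-AutoStartReference {
    param(
        # Full path (or file name) of the binary that was deleted.
        [Parameter(Mandatory = $true)][string]$BinaryPath
    )

    $needle = $BinaryPath.Trim('"')

    # Machine-wide hives, including the 32-bit view on 64-bit Windows.
    $roots = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node'
    )

    # Per-user hives that are currently loaded (logged-on users and service accounts).
    $roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { "Registry::$($_.Name)\Software" }

    foreach ($root in $roots) {
        foreach ($leaf in 'Run', 'RunOnce') {
            $keyPath = "$root\Microsoft\Windows\CurrentVersion\$leaf"
            $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
            if (-not $key) { continue }

            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                # Values may embed %VARIABLES%; expand them before comparing.
                $expanded = [Environment]::ExpandEnvironmentVariables($data)
                if ($expanded.IndexOf($needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    New-Object psobject -Property @{
                        Key       = $key.Name
                        ValueName = $name
                        Data      = $data
                    }
                }
            }
        }
    }
}

# Usage (sample path is a placeholder):
#   Find-AutoStartReference -BinaryPath 'C:\Users\Public\sample.exe' |
#       Format-Table Key, ValueName, Data -AutoSize
```

Hives of users who are not logged on are not loaded under HKEY_USERS and are not covered by this check.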

Offline installer

The Windows 3.5 sensor supports offline installs to support machines that are configured in an offline environment. The feature is enabled during a command line installation by adding the flag “OFFLINE_INSTALL=1”. The sensor connects with the Carbon Black Cloud backend and accesses a policy when network connectivity is restored. The sensor does not provide any visibility or protection until it is connected to the backend.

To use the feature, ensure that there is a host or network level firewall rule in place to prevent the master image from connecting to the Carbon Black Cloud devices URL. Then, install the sensor using the OFFLINE_INSTALL parameter and any other parameter that is typically used during a command line install (aside from PROXY). Clone or restore to snapshot. Each snapshot and clone appears as a new device in the backend console and is not treated as a VDI clone unless you explicitly install with VDI=1 or use the repCLI reregister command. Otherwise, console admins are responsible for cleaning up old clones, either manually or via API.

Note: If a user changes the company code in the backend, you can no longer make new clones that haven’t registered yet because those clones will continue to try to use the original company code. If you change the company code, you must create new images using the new company code.

Endpoint management improvements

The Windows 3.5 sensor effectively handles non-persistent domain disconnections. Previously, the sensor applied the default policy when the AD attribute was cleared (in instances such as off-network without VPN). Now, the sensor maintains the desired AD group and the desired policy. The distinguished name is not cleared unless the machine is not registered as part of the domain.

In the Endpoints page, the Windows 3.5 sensor reports who is logged into an endpoint every 8 hours instead of reporting the user who installed the sensor. If there is no interactive user logged in to the endpoint within the 8 hour window, you might get a non-interactive user name such as “Windows Manager\DWM-2”. In the case of multiple logged-in users, the most recently logged-in user is associated with the endpoint.

Improved capability to identify command interpreters

CB Defense has improved its methods for identifying a process as a command interpreter or as
a script host. By integrating with the yara binary pattern matching utility, the Windows 3.5 sensor
better protects against threats where an attacker brings their own copy of standard operating
system interpreters or tries to hide by running tools with non-standard names. Customers who
are already leveraging the Tries to invoke command interpreter rule immediately benefit from
this update.

As part of this update, Carbon Black’s Threat Analysis Unit (TAU) can dynamically update the
definition of what it means to be a command interpreter.

Improved Netconn detection for proxy servers

With the Windows 3.4 sensor, CB ThreatHunter customers who are using a proxy server in their
environment saw most (all) outbound network connections being reported with the proxy's address and host name as the destination. The Windows 3.5 sensor improves reporting of network events to report the actual destination IP and hostname, rather than those of the intermediate proxy.

Note: This functionality is enabled in the Windows 3.5 sensor, but will not be available for use until a future Carbon Black Cloud console release.

CB ThreatHunter hash blacklisting

The Windows 3.5 sensor enables blacklisting of files by hash for CB ThreatHunter. Once a hash is added to the company blacklist it is prevented from the following:

  • Being opened with execute access
  • Starting a process from a file
  • Being loaded as a module in a process
  • Being loaded as a script

Processes that have the blacklisted hash loaded at the time the hash is added to the blacklist are
terminated shortly after the sensor receives the updated reputation.

Note: This functionality is enabled in the Windows 3.5 sensor, but will not be available for use until a future Carbon Black Cloud console release.

Dynamic tamper protection

The Windows 3.5 sensor has improved methods for identifying tamper events. The improvements help prevent access to sensor files and reduce interoperability issues with third-party products.

AMSI logging

The Windows 3.5 sensor enables the collection of deobfuscated command line data through AMSI for CB ThreatHunter customers. For more information on AMSI, see

In the cloud console, this integration will manifest in the form of fileless_scriptload events, which represent processes that executed commands in a fileless execution context. More information will be provided in the backend release notes for the February 18th UI release.

Updated 09/02/2020:

Sensor check-in time update

The sensor check in time is reduced from 5 minutes to 1 minute. The maximum expected latency for establishing a Live Response session should now be 60 seconds (assuming the device is online and running a 3.5 or newer sensor version). Other operations might also complete faster.
The Last check in value in the console will not necessarily update faster because of performance/scale reasons.


Sensor Version Product Issue ID Description



Fixed a bug in ctinet driver that could lead to system crash.

Endpoint Standard, Enterprise EDR

UAV-2191, UAV-2204, EA-18905, EA-18910, EA-18889, EA-18965, EA-18982, EA-18881

Non-ASCII characters in filenames (such as Chinese and Japanese) could cause the AMSI module to crash the process that was being inspected. Logging related to AMSI events generated from non-ASCII file names is also fixed.


UAV-2201, EA-19048

A data-race issue that could lead to a bugcheck.

Enterprise EDR

UAV-2206, EA-18589

A temp file was left behind when saving a modified excel file.



We now allow the sensor to be uninstalled if the BackupPath key located under HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch is not set.

Endpoint Standard

DSEN-12555, EA-18067, EA-18165, EA-18418, EA-18581, EA-18866

The sensor could hang Microsoft Software Shadow Copy Provider service on startup.


DSEN-13226, EA-17848

The sensor could time-out during upgrades on systems that had large amounts of applications and files in use.

Endpoint Standard

DSEN-13250, EA-18515

Fixed a bug that could lead to a process deadlock on busy systems as described in this knowledge base article on UEX:


DSEN-13429, EA-18403

Fixed a bug that could lead to a bugcheck if a process attempted to access a file residing on a network share.


DSEN-13767, EA-18685

Error dialogs appeared when third-party apps attempted to inject into any of the sensor’s processes.

Endpoint Standard

DSEN-13807, EA-18785, EA-18821

Fixed a bug triggering false positive AMSI alerts.


DSEN-14127, DSEN-14133

Our CBC Windows builds are no longer signed with SHA1 code signing (only SHA2 and WHQL). As such, Windows Operating System updates may need to be applied in order to run our CBC Windows sensor version. Please see our UEX posts for more information:
[CBC Windows] SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2

Carbon Black Cloud sensor: Windows desktop support

Carbon Black Cloud sensor: Windows Server support



The sensor could remain in bypass mode after a system reboot. This only occurred if the sensor was configured to run as AMPPL, but was not actually AMPPL on startup. This only occurred when upgrading from v3.3 and earlier sensors or when config props to disable AMPPL exist.


DSEN-13691, EA-18749, EA-18647

Sensor uninstall could fail if C:\Windows\ELAMBKUP\CbELAM.sys file was not present.

Endpoint Standard, Enterprise EDR


The 3.7 CBC Windows sensor now automatically registers the CBC Windows sensor on VDI clones in vSphere environments. This feature requires both the vSphere HostModule and the 3.7 CBC Windows sensor. Log information can be found at C:\ProgramData\CarbonBlack\Logs\vhostcomms.log. AV exclusions might be needed for C:\Program Files\Confer\VHostComms.exe. All


The 3.7 Windows sensor supports a new cfg.ini parameter AutoReRegisterForCitrix = True for automatically re-registering CBC Windows sensor on VDI clones in Citrix environments.

Note: A separate script to re-register the agent is not required after specifying this parameter in the cfg.ini file. All


Added alarms for installation, uninstallation and upgrade failures. All


Various improvements to sensor services.
Examples include:

  • Potentially fewer delays in receiving Defense events from sensors
  • Faster LQ results
  • One request's timeout no longer delays other requests Endpoint Standard

CBC-1638, DSEN-11202

Defense API reports that used to be sourced from API hooking have been moved to Event Tracing For Windows Providers and the File System Driver for product stability reasons.

In addition we have added a new disk driver “cbdisk.sys” to protect against ransomware threat actors attempting to corrupt the boot records which live on disk and prevent machines from booting.

With the introduction of our new “cbdisk.sys” driver in 3.7, any API_BYPASS previously set will no longer allow processes that were blocked from writing to protected disk regions or accessing canary files. With 3.7, users should now set bypasses for processes performing activity detected as ransomware through a rule: "Application at path -> Performs ransomware-like behavior -> Allow". Endpoint Standard


The background status progress based on percentage complete is now visible via the RepCLI status output. Endpoint Standard, Enterprise EDR

UAV-2041, EA-17693, EA-18300

Reduced frequency of non-paged pool memory allocations to avoid memory fragmentation and help with system performance. Endpoint Standard


Fixed a bug where non-ASCII characters (such as Chinese and Japanese) in filenames caused the AMSI module to crash the process that Endpoint Standard was inspecting. Endpoint Standard

DSEN-5758, EA-18469

Fixed a bug where the length of the alert details message could impact CPU performance. Endpoint Standard

DSEN-5833, DSEN-7252, DSEN-7253, EA-14620, EA-15335, EA-15649

Detect and prevent malicious lnk chains. All

DSEN-5870, EA-18220

Sensor installation/uninstallation failed if the BackupPath registry key was missing from “HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch\” Endpoint Standard, Enterprise EDR

DSEN-7246, EA-17566, EA-15975

Fixed a bug capturing certificate information from jar files. Endpoint Standard

DSEN-7266, EA-15600

Windows sensor endpoint details will now append a “YYYYMMDD” date to Scan Engine information to specify the date the signature pack was collected. 

Note: On upgrades from older versions of the CBC Windows sensor, a signature pack update might be needed to display this information. Endpoint Standard

DSEN-8198, EA-18133, EA-17388, EA-16521, EA-18124

Intermittent failures with RDP connections. All

DSEN-8262, EA-17682

Fixed a bug with reporting the last interactive logged-on user on Windows Server 2019 as WDM instead of the local user account. Endpoint Standard


CBC Windows sensor now allows updating signature packs while in network quarantine. Audit & Remediation

DSEN-10001, EA-16517

Fixed a bug with closing Live Response sessions. Endpoint Standard

DSEN-10427, EA-16855

Improved performance with launching Office 365 applications. All

DSEN-10677, EA-17112

Fixed a bug with the sensor removal tool cleaning up registry entries after uninstallation of the sensor. Endpoint Standard, Enterprise EDR

DSEN-10830, EA-17223

Improved pruning of the DB_REP file to prevent excessive growth. Endpoint Standard, Enterprise EDR

DSEN-11084, EA-17416

The sensor did not recover gracefully when it lost connection to the kernel. Endpoint Standard, Enterprise EDR

DSEN-11181, EA-17345

Fixed a bug with displaying protection state information via RepCLI and the console when DelayProtectionAtBoot or DelayProtectionAtLogin are applied. Endpoint Standard

DSEN-11290, EA-17462, EA-16703

Fixed a bug with excess process handles causing performance degradation. Endpoint Standard

DSEN-11413, EA-17335

Fixed a bug with processes running in a container being falsely marked as “hidden”.

Can manifest as alerts with the TTP: HIDDEN_PROCESS after installing sensor version Endpoint Standard, Enterprise EDR

DSEN-11731, EA-17882

Fixed a bug causing registration issues with sensors upgraded through the command line interface that incorrectly specified OFFLINE_INSTALL=1. Endpoint Standard, Enterprise EDR

DSEN-12164, EA-18080

Fixed a bug causing an error message to appear when clicking “VMware, Inc” from the “About” section under CBC Windows tray icon. Endpoint Standard

DSEN-12447, EA-18230, EA-18064

Fixed a bug with script interpreters being wrongfully terminated when applied rules were set to only deny.

Can manifest as a console alert showing that an Office document was denied opening another Office document. Endpoint Standard

DSEN-12526, EA-18264

Fixed a bug causing Repmgr to crash when an access violation on a buffer occurs. All


Fixed a bug with sensors connecting to the backend through a proxy when a default WinHTTP proxy is configured in the registry, such as if you configured through netsh. Endpoint Standard

DSEN-13429, EA-18403

Fixed a bug that could lead to a bug check if a process attempted to access a file residing on a network share. Endpoint Standard, Enterprise EDR

DSEN-13518, EA-18633

Fixed a bug with incorrect MAC addresses being returned if no local area connection adapter is found. Endpoint Standard, Enterprise EDR

DSEN-13742, EA-18213

Missing parent information on the process tree page for hashban terminate alert. Endpoint Standard

DSEN-14058, UAV-2140

Repmgr service crashed during log collection when an invalid memory access was encountered. All

DSEN-14127, DSEN-14133

Our CBC Windows builds are no longer signed with SHA1 code signing (only SHA2 and WHQL). As such, Windows Operating System updates may need to be applied in order to run our 3.7+ CBC Windows sensor version. Please see our UEX posts for more information:

[CBC Windows] SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2

Carbon Black Cloud sensor: Windows desktop support

Carbon Black Cloud sensor: Windows Server support All 


Fixed a bug where the sensor could remain in bypass mode after system reboots. Endpoint Standard

DSEN-12449, EA-18064, EA-18230, EA-18270, EA-18324, EA-18429

Microsoft Office processes were terminated if the Invokes an untrusted process rule was applied. Endpoint Standard

DSEN-12571, EA-18105

Corrected RepMgr scan behavior during certificate reputation updates. Endpoint Standard

DSEN-12613, EA-18202

Fixed a registration issue with Windows Security Center after a Windows update. Endpoint Standard

UAV-1936, EA-17503

Improved sensor performance in a number of scenarios. You should see increased performance in a number of scenarios, such as when reading files over the network or when logging out. Endpoint Standard


When the Citrix Virtual Memory Optimization service is present, the Windows sensor did not block all executions from Alternate Data Streams. See the following KB article for more information: Endpoint Standard

DSEN-11432, EA-17439

Signature pack updates were not respecting the CurlCrlCheck config property. Endpoint Standard


Ransomware blocks were not always generating console alerts. Endpoint Standard


Added the ability to skip blocking executions from alternate data streams if the content hash is on the company approved reputation list. Endpoint Standard

DSEN-11654, EA-17667

Improved performance of Live Queries that leverage Yara to scan directories that have a lot of files. Endpoint Standard

DSEN-11710, EA-17591, EA-17693, EA-17877

Improved performance on machines that have a high frequency of short lived processes. Endpoint Standard


Rules were not being updated while the sensor was in bypass mode. Endpoint Standard

DSEN-11805, EA-17554, EA-17841

Improved hashing performance when large files are executed on the network. Endpoint Standard

DSEN-11814, EA-16261, EA-17121

Improved sensor performance during boot time. Endpoint Standard

DSEN-11927, EA-17912

Not trusted policy enforcement was being applied on approved files. Under Policy > Sensor, if Scan execute on network drives is off and a never seen before hash is executed that should be approved, an unwanted block could occur. Endpoint Standard

DSEN-12048, EA-17649

Improved sensor detection of auto-generated Microsoft PowerShell scripts. Endpoint Standard


A local user interface alert was generated for known malware services. In some circumstances, when a service backed by malicious files was discovered and blocked, a local user interface alert would not occur. Endpoint Standard


Invalidly signed files that matched certificate approval rules using wildcard patterns might have been incorrectly approved despite the signature being untrustworthy. Endpoint Standard

DSEN-12143, EA-18020, EA-18064, EA-18092, EA-18148, EA-18205

Some recent Windows Updates resulted in Microsoft OS files being delivered before their external catalog that is used to verify their digital signature was registered. This resulted in the files appearing as not signed on first inspection, which could lead to tamper protection blocks and user visible errors when launching repux. The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks.

Note: You can still experience blocks

See the following KB article for more information: Endpoint Standard


Live Response was prevented from launching non-Microsoft executables by a tamper policy error. Endpoint Standard

UAV-1941, EA-17514, EA-17627, EA-17765

Performance issues arose across various assets such as Excel, video files, and USB printers. This fix improves hashing logic to make the process more efficient. Endpoint Standard

DSEN-11514, EA-17653

Uninstall rollback during upgrades did not bring the system to protected state until reboot, causing a failure during upgrades. Endpoint Standard

UAV-1853, EA-16874, EA-17503

Improved network file operations performance. Endpoint Standard

DSEN-11461, EA-17152

Delays while closing some applications. Endpoint Standard


In Endpoint Standard-only organizations, device control alerts could take hours to appear in the Alerts page because low event volume delayed reporting to the cloud. Endpoint Standard

DSEN-11617, EA-17780

One reported occurrence of a BSOD on a 32-bit Windows 7 machine. Endpoint Standard

UAV-1951, EA-17567, EA-17571

One documented case of ERP software running slowly on ERP servers. Endpoint Standard

DSEN-11639, EA-17572, EA-17811, EA-17831

Latency on file open operations on local drives and network shares. Endpoint Standard DSEN-11146, EA-17629

A reboot of a Domain Controller server during sensor uninstall is now resolved. Endpoint Standard

DSEN-11217, EA-17431

One customer reported a crash on a clustered SQL instance. Endpoint Standard

DSEN-10927, EA-17214

Excel terminated with error "attempted to modify the next instruction to execute in the process". Endpoint Standard


The local scanner was not updating endpoints that use proxy connections. Endpoint Standard


With Device Control on, users might see a slow down when accessing files on Google Drive with the Google Drive app running locally and mounting a volume in Windows Explorer. Endpoint Standard


The following error appeared after upgrading the sensor and then rebooting:
"Carbon Black Cloud Sensor: RepUx.exe - Bad Image" Endpoint Standard

DSEN-11107, EA-17416

Tableau server hung up on sensor install. Endpoint Standard


An issue was identified and fixed that could lead to background scan consuming excessive CPU. The background scan is executed upon sensor install. Endpoint Standard


Wavefront’s telegraph service would not start when the sensor was installed. This issue was found internally only. Endpoint Standard

DSEN-11338, EA-16703, EA-16977

High CPU usage by SVChost service. Endpoint Standard

DSEN-10968, EA-17653

Uninstall might have failed in some scenarios. Endpoint Standard

DSEN-11344, EA-17590

Thread handle leak in Repmgr led to hang on domain controllers. Endpoint Standard


General performance improvements. Endpoint Standard

UAV-1847, EA-15161

Normalization LRUCache has inconsistent key format if the key is a folder. Endpoint Standard

DSEN-11216, EA-15031

Sensor was not sending the endpoint’s MAC address to the backend. Endpoint Standard

DSEN-11217, EA-17431

A crash occurred on a clustered SQL instance - 0x22_CsvFs!CsvFsExceptionFilter Endpoint Standard

UAV-1893, EA-17269, EA-17446

A large number of registry operations showed high rule engine match overhead. Endpoint Standard

DSEN-11344, EA-17590

Systems with a high occurrence of network connection attempts running Windows sensor versions and may experience degraded performance. These sensor versions are no longer available for download. This issue is resolved in Windows sensor version Endpoint Standard UAV-1852, EA-15616

Sensor ignored Endpoint Standard processing of network files that were not opened for execution. Endpoint Standard DSEN-10981, EA-17152

Performance improvement where applications such as Microsoft Word make heavy use of NtReadVirtualMemory. Endpoint Standard

DSEN-10922, EA-17214

Applications making a copy of themselves caused false positive code injection alerts in the console. Endpoint Standard


Improved performance for file reads on the endpoint when a file is quarantined in place. Endpoint Standard


Incremental performance improvements for moving network files. Endpoint Standard


Sensors did not move to the correct group because metadata changes were not reported. Endpoint Standard


Resolved hang issue while inflating OneDrive files. Endpoint Standard


Sensors will now use new static proxy settings even if previously persisted ones are succeeding. Endpoint Standard


Customers might have experienced false positives for processes which had already been terminated. Endpoint Standard


Signatures did not always get re-evaluated on an upgrade from older sensor versions. This might have resulted in users seeing an alert that a file was unsigned and the process terminated. Endpoint Standard


After a sensor was cloned, the sensor might have updated the golden image endpoint's check-in time prior to registering as a new cloned endpoint. This might have resulted in duplicated DeviceIDs in the console. Endpoint Standard


The sensor upgrade might have failed when Windows Security Center was disabled. Endpoint Standard DSEN-10655

This fix improves the execution of kernel mode code.

Endpoint Standard DSEN-10334

This fix resolves an intermittent issue during sensor upgrades after a fresh install. The upgrade sometimes hung while removing the old CB Defense service.

Endpoint Standard DSEN-10246

Resolved an issue that caused applications to crash with ctiuser.dll as a faulting module after upgrading sensor version from to

Endpoint Standard DSEN-10154

Improved signature evaluation logic on upgrade.

Endpoint Standard DSEN-10370

Rare case where cert reputation did not persist.

Endpoint Standard DSEN-10104

Performance improvement around caching volumes.

Endpoint Standard DSEN-10555

Need to check for null content manager on shutdown.

Endpoint Standard DSEN-10089

Performance improvement: not caching normalized in post-create when rules trigger the normalization.

Endpoint Standard DSEN-10507

Fixed small performance inefficiency in CbdFileEventObjectBase::GetFileSize.

Endpoint Standard DSEN-10466

REG_CREATE_KEY event included both new key creation events and existing key open events.

Endpoint Standard DSEN-10489

Overlapping PROC_RECORD flags caused inaccurate breached alerts.

Endpoint Standard DSEN-7715

Banned scripts failed to be blocked on Box cloud file sharing app. The issue did not occur on Google Drive or OneDrive.

Endpoint Standard DSEN-10458

Inconsistent Storage of pscinfo in db_rep led to query failures.

Endpoint Standard UAV-1813

Protobuf definitions of IPv4 and IPv6 addresses now include a human-readable format.

Endpoint Standard DSEN-10246

Application crashes were due to members of SuspendInfo struct not being aligned on a 16 byte boundary.

Endpoint Standard DSEN-10453

Delete code set the publisher/issuer name to VERIFIED.

Endpoint Standard DSEN-10069

Major Windows upgrade did not migrate Our ELAM Backup.

Endpoint Standard DSEN-10068

siUtil_IsProcessRunning did not take action on STATUS_ACCESS_DENIED; it now creates better log prints.

Endpoint Standard DSEN-10198

Performance improvements: FQDN lookup optimizations.

Endpoint Standard DSEN-10403

Performance improvement: Avoid acquiring exclusive file record lock to set process file type.

Endpoint Standard DSEN-10158

Performance improvement: Cache process record references in handle context.

Endpoint Standard DSEN-10334

CTINET: Unload prevented due to inaccurate flow counters [EA].

Endpoint Standard DSEN-10308

CTINET: Unload prevented due to inaccurate flow counters [EA].

Endpoint Standard UAV-1808

Did not refresh PSC policy upon datafile2 update.

Endpoint Standard DSEN-10158

Cache process record references in handle context led to performance issues.

Endpoint Standard DSEN-10134

TLS configprops input validation was inconsistent.

Endpoint Standard DSEN-9952

CHashObject::DetermineIntendedSourceMask accessed DB without holding lock.

Endpoint Standard DSEN-10309

Added a sensor alarm for failure disabling LSP.

Endpoint Standard DSEN-10248

Error in confer.log of WARNING GetRegStringValue: Failed to read registry key Software\VMware, Inc.\ViewComposer\ga\AgentIntegration\CustomizationStarted

Endpoint Standard DSEN-10153

Sigpack update caused on-access scan to effectively become enabled even if it was disabled in policy.

Endpoint Standard DSEN-10091

ctifile blocked pre-write by RepMgr and confer.log logging stopped.

Endpoint Standard DSEN-10246

Application crashes were due to members of SuspendInfo struct not being aligned on a 16 byte boundary.

3.6.0 All DSEN-9774

Hyper-V host blue-screened when accessing CSV file system.

3.6.0 All DSEN-6963

Sensor installation now supports both the user code provided in the email and the company code.

3.6.0 All UAV-1586

The ASP page took 20 seconds to return with AmsiEnabled in the 3.5 sensor.

3.6.0 All UAV-1421

The LiveResponse memdump command caused crashes. It was disabled by default on Windows sensors 3.3 and 3.4. It is now enabled by default and no longer causes crashes.

3.6.0 All UAV-1415

The sensor wrote large amounts of extra data to the confer.log file. The extraneous data that is written to confer.log has been reduced.

3.6.0 All UAV-1400

The sensor allowed non-execute access to quarantined files. Now, quarantined files are not accessible. This can prevent other security applications from scanning and alerting on the file, but will prevent files from being copied to other locations.

3.6.0 All UAV-1396

Intermittent delays occurred when opening Office files and navigating file systems on Windows 10.

3.6.0 All UAV-1302

Sensor install failed on Windows Server 2019 machines where there was a missing directory value for registry key HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch value "BackupPath". The value is typically C:\Windows\ELAMBKUP.

3.6.0 All DSEN-8597

During updates to Windows 19H1, the system either blocked the update or crashed during the update. This issue was only reproduced and identified internally, and the issue did not reproduce if the sensor was in Bypass mode.

3.6.0 All DSEN-8502

Previously, if a user executed an unattended install with the flag and argument "INSTALLFOLDER=<path>", the sensor installed but was non-functional. Now, an installation failure occurs if a user tries to use a non-standard installation folder.

3.6.0 All DSEN-8501

Under high load, repmgr.exe handle counts grew very large, causing minor performance issues.

3.6.0 All DSEN-7592

If the sensor's background scan changed from disabled (either via install arguments or cloud policy) to expedited, a race condition could put the background scan into disabled state.

3.6.0 All DSEN-7119

Windbg was observed to crash.

3.6.0 All DSEN-6405

RepMgr.exe crashed upon running any process from a path with Japanese Characters (c:\見る)

3.6.0 Enterprise EDR DSEN-6056

If the customer turned off Scan On Network Read/Scan on Network Execute in the policy, the sensor still tried to normalize a network path even if Enterprise EDR wasn't enabled.

3.6.0 All DSEN-5043

TTPs: ACCESS_EMAIL_DATA was assigned to an event.

The application C:\Windows\System32\taskhost.exe attempted to access the email file "C:\Users\mosesveroy\AppData\Local\Microsoft\Internet Explorer\Indexed DB\Internet.edb"

C:\Users\mosesveroy\AppData\Local\Microsoft\Internet Explorer\Indexed DB\Internet.edb looked like an Internet Explorer data file, not an email data file.

Expected behavior:

Clarify or correct TTP ACCESS_EMAIL_DATA for internet.edb.


3.6.0 All DSEN-4873

WinSSL CRL checking caused friction in POC environments that required a proxy configuration.

3.6.0 All DSEN-4720

The API hook for GetAsyncKeyState (and a small number of other functions) were in GetCallingDll. The fix for DSEN-2810 avoided an expensive call to GetLongPathNameW by checking if the pathname contained any tilde ("~") characters. If the path contained a tilde character, the call to GetLongPathNameW was made, resulting in a noticeable slowdown. Customer was using an IME-like Active-X control, called GetAsyncKeyState, and the dll was installed below C:\Program Files (x86). This resulted in having a short name with a tilde in it.

3.6.0 All DSEN-4682

Having a rule to deny memory scraping by TaskMgr does not work in Windows 10. Ctiuser is not injected into taskmgr.exe on Windows 10, so ctiuser cannot prevent memory scraping of any process (that is, creating a dump file) by taskmgr. Ctiuser was not loaded into taskmgr.exe. This behavior did not occur in Windows 7, where ctiuser is loaded through AppInit_DLLs, and creating a dump from taskmgr is successfully blocked.

3.6.0 All DSEN-4580

Occasionally, the local scan misclassified a file with a malware reputation. If repmgr requests a scan of the file, this AV rep persists in dbrep. If the local scan corrected this reputation in a subsequent signature update, RepMgr did not rescan the file, and the AV reputation was not corrected in dbrep. If there is no higher priority reputation from other rep sources, including from the cloud, this AV reputation persisted. The work-around was to add the hash to the Approved list.

3.6.0 All DSEN-4154

IT_TOOLs rule was still enforced after removing the rule on a long running process.

3.6.0 All DSEN-3099

Known malware executed and remained running.

3.6.0 All DSEN-2480

Agent Core Installer separated the installer directory from the data directory.

3.6.0 All DSEN-2167

When trying to pull down an AV pack update, the proxy information in the curl request was not set up.

3.6.0 All DSEN-1755

The sensor was in bypass mode for around 3 hours. When the sensor was taken off of bypass mode, it remained in bypass for 25 minutes, at which time the machine rebooted and the sensor checked in.

3.6.0 All DSEN-1077

Powershell_ise.exe is a CLR process. In Windows 10, Carbon Black does not inject into the process because it doesn't meet the following criteria:

  • It does not have an .exe file extension
  • The CLR process launches itself

All DSEN-10230, EA-16950, EA-16957, EA-16961

An earlier maintenance release of the 3.5 CBC Windows Sensor ( resulted in a system crash/BSOD for endpoints that hit a specific non-common code path. There were three reported cases against about 175,000 endpoints across all environments. Please note that this was introduced in and that is the only version in which the problem exists. It is now fixed in

All UAV-1779, EA-16903

Due to an interaction with third-party proxy management software called Open Text Socks Client, one customer experienced RepCLI (local command line interface) breaking by returning error message "RepCLIClient: Failed to open socket". This issue was found in and fixed in

All UAV-1755, EA-16865

One customer reported a system crash. This issue was found in and fixed in

All UAV-1724, EA-16649, EA-16526, EA-16702, EA-16761

The sensor caused slowness, freezing on the endpoint, and the domain controller to enter an unresponsive state.

All DSEN-9760, EA-16641

A RepMgr.exe crash created performance degradation and a high number of event ID 1 and 1000 in Windows application logs.

All UAV-1646

Startup performance improvements alleviate slow start and/or logon type issues. Performance improvements will remain a focus in future releases.

All DSEN-5266, UAV-1678, EA-14291

Fixed performance issues using Windows Explorer to navigate to locations in SharePoint.

All DSEN-9612, EA-15998

Upon reboot, a customer experienced the following error condition: "Carbon Black Cloud Sensor: RepUx.exe - Bad Image. C:\Program Files (x86)\Common Files\Microsoft Shared\INK\PENUSA.DLL is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc0000022."

All DSEN-9434, EA-16297

Issue connecting to the proxy server.

All DSEN-8645, EA-16130, EA-16208

When using OFFLINE_INSTALL=1 and providing PROXY_SERVER on the command line, the sensor never registered with the backend.

CB Defense DSEN-8950, EA-14957, EA-16471

Customers allow listing IT Tools might have seen the feature fail if wildcard characters were not used in the allow-listed string. This issue is now fixed and non-wildcard strings match.

CB Defense DSEN-8307, EA-16479, EA-16509

Bypass rules were not properly applied in certain cases.

All DSEN-8562, EA-15614

Alerts were surfaced for a file that was already deleted from the system.

All UAV-1595, EA-16261

Log on performance has been improved.

CB LiveOps DSEN-8768, EA-16504

The Live Response exec command failed in some cases.

All DSEN-8291, EA-16578

Intermittent issues with login delays causing RDP session timeouts.

All DSEN-8507, EA-16068

Issues contributing to slow log in are now addressed.

CB Defense DSEN-8605, EA-16214, EA-16283

Two customers experienced a deadlock between a sensor process and system process, which could cause the endpoint to freeze up.

LiveOps DSEN-8537, EA-15636, EA-16147

Customer might have experienced greater than expected resource consumption on their endpoints upon LiveQuery usage. Previously, the back end cancelled queries after they were outstanding for a week. This fix introduces configurable thresholds in runtime and memory consumption that, if crossed, cancel the query and prevent excessive resource consumption.

All DSEN-8440, EA-16086

Customers might have experienced greater than expected resource consumption when installing large files.

All DSEN-8405, EA-16014

Users may have noticed a larger pagefile size which generated volmgr errors in Windows Event Viewer. The sensor now auto-configures the memory dump settings on the machine unless you opt out of that by setting the msi command line arg "AUTO_CONFIG_MEM_DUMP=0" during a command line install.

CB ThreatHunter DSEN-8331

CB ThreatHunter might not have reported scriptloads for scripts that had VB scripts office docs, python, or perl file extensions.

All DSEN-7254

Creating a folder on a network file share might have taken up to 15 seconds. The initial folder creation occurred within a normal time frame.

All UAV-1415

Uninstall on a machine that is serving an RDP session could hang/fail if the RDP client machine was sharing local drives with the RDP server. Note that an upgrade from Windows sensor 3.4 to an earlier 3.5 version requires an uninstall, and can cause this issue if the previous criteria are met. To resolve the issue in this case, use the sensor removal tool.

All DSEN-7565

An internal observation of the sensor crashing while being taken out of bypass during system startup. This issue was not reported externally.

All DSEN-7760, EA-15839

In one case, the sensor service stopped repeatedly, generating errors such as this in the event log: "The CB Defense service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service." This was a result of a service crash.

All DSEN-7831, EA-15341, EA-15810, EA-15403

In some cases, the sensor did not honor bypass rules as they were configured in the policy, which led to unexpected blocks, interoperability issues, or poor application performance.

All DSEN-7759

Endpoints exited network quarantine after upgrading from 3.4 to 3.5. Upgrades and uninstalls are no longer permitted in quarantine.

CB LiveOps DSEN-7576

As of version, the Windows sensor supports osQuery 4.1.2.

All DSEN-7344, EA-15076

Customers can experience performance issues if end users access many files over a network drive. The specific issue in EA-15076 is resolved.

All DSEN-7358

Support staff might have requested additional logs and diagnostic information during troubleshooting in certain cases due to log messages being dropped.

All DSEN-7391, EA-14361

Windows Event Security Logs surface a message that reads: "Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. File Name: \Device\HarddiskVolume4\Windows\System32\ctiuser.dll." This suggests ctiuser.dll might be corrupted, which is not the case.

All EA-15784, DSEN-7488

A customer observed a recurrence of event ID 49 in the Windows Application Event logs.

All DSEN-7565

An internal observation of the sensor crashing while being taken out of bypass during system startup. This issue was not reported externally.

All DSEN-7592

The sensor will now log Windows events whenever the backend requests a deregister/uninstall. Additionally, we will log to Windows events whenever the sensor enters/exits bypass or server maintenance modes.

All DSEN-7759

Users reported endpoints exiting network quarantine after upgrading from 3.4 to 3.5. Upgrades and uninstalls are no longer permitted in quarantine.

All DSEN-7837, EA-15874

One customer observed that the backend did not display events for up to two hours.

All DSEN-7208

In VDI environments, the uninstaller kept an old device's uninstall code. This issue is now fixed and the uninstall process in VDI environments is improved.

All UAV-1393

Folder creation on network paths might have taken up to 25 seconds to complete.

All DSEN-6985

Any path based rule that started with \ and not \\ was not enforced on Windows. This prevented users from creating path rules for files that had no system-wide drive letter.

All DSEN-7446

In some cases, the Endpoints page did not reflect Active Directory or Organizational Unit data.

All UAV-1386, DSEN-7326

This release introduces several fixes to memory leaks (none of which were reported by customers).

All DSEN-5225

When a process (.bat or .cmd) was executed via a command interpreter via "cmd.exe /c", the process might have been blocked. This issue is now resolved for .bat and .cmd processes.

All DSEN-7358

The sensor dropped log messages, resulting in Carbon Black support reaching out more frequently for diagnostic information.

All DSEN-7275

If the background scan was running, the sensor might have uninstalled very slowly. Users would encounter this only if they had attempted to uninstall shortly after install because, if configured, background scan executes upon install.

CB ThreatHunter UAV-1396, EA-15835

In one case, a server hung up during boot.

All DSEN-6534/EA-14866

Customers might have seen an increase in false positive blocks. One customer reported Excel and Outlook as blocked.

All DSEN-3992

Subkeys could be created under the CBDefense key in the Windows registry.

CB Defense DSEN-5332, EA-12882

Sensor might have terminated a process due to an attempt "to modify the next instruction to execute in the process" when the process belongs to the application.

All DSEN-4054, DSEN-4033

The LiveResponse memdump command was previously observed to cause crashes. It was disabled by default on Windows sensors 3.3 and 3.4. It is now enabled by default and no longer causes crashes.

All DSEN-4375

The sensor wrote large amounts of extra data to the confer.log file. Numbers vary across environments, but the issue is resolved so that the extraneous data written to confer.log is reduced. The actual size of confer.log can increase because although extraneous data is reduced, valuable log data remains over a longer course of time due to a separate change.

All DSEN-5626

Previously, the sensor allowed non-execute access to quarantined files. Now, quarantined files are not accessible. This can prevent other security applications from scanning and alerting on the file, but prevents files from spreading to other locations.

All DSEN-6322, EA-14880

There were reports of intermittent delays when opening various Office files and navigating file systems on Windows 10.

All DSEN-5995, EA-14707, EA-14723, EA-14729

Customers who were using Windows sensor versions from to had Office applications such as Word and Excel hang when updating a file on Google File Stream and similar products (Box, Citrix Cloud, etc.). This issue is fixed in 3.5 and versions of the sensor.

All EA-14455, DSEN-5699

Sensor install failed on Windows Server 2019 machines where there is a missing directory value for registry key HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch value "BackupPath". The value is typically C:\Windows\ELAMBKUP.

All DSEN-5493, DSEN-5491

During updates to Windows 19H1, the system either blocked the update or potentially crashed during the update. This issue was only reproduced and identified internally, and the issue did not reproduce if the sensor was in Bypass mode.

All DSEN-4050

Previously, if a user executed an unattended install with the flag and argument "INSTALLFOLDER=<path>", the sensor installed but was non-functional. Carbon Black now forces an install failure if a user tries to use a non-standard install folder.

All DSEN-4043

Under high load, repmgr.exe’s handle counts grew very large, which could cause minor performance issues.

All DSEN-6372

If the sensor's background scan changed from Disabled (either via install arguments or cloud policy) to Expedited, a race condition could put the background scan into disabled state. This issue was not observed externally.

CB Defense DSEN-6077

Windbg was observed to crash.

All DSEN-3061

The sensor did not whitelist files by certificate if the certificate was signed with multi-byte characters. A backend fix was implemented for this issue.

All EA-15148, DSEN-6552

A crash could inconsistently occur on file renames on network drives.

All DSEN-6535, DSEN-6591

Sensor upgrades failed with error 1603 when attempting to perform the upgrade at the same time as a Windows upgrade to Redstone 5.

CB ThreatHunter DSEN-4756, DSER-14090, EA-13906

Customers running CB ThreatHunter standalone might have seen Windows Security Center Real Time protection feature disabled. This issue was resolved by navigating to the Policies page, clicking the Sensor tab, and unchecking Use Windows Security Center.

All DSEN-6057

Previously, release notes stated that banned scripts execute if the policy is refreshed on the backend after being banned. Only scripts executing when the sensor was coming out of bypass were not blocked. Banned scripts executed after bypass is disabled are blocked. This issue is functioning as designed.

CB ThreatHunter DSEN-6487

In Sensor environments and (and, the sensor crashed upon running any process from a path with multibyte characters (c:\見る) when UBS for CB ThreatHunter customers was enabled.

All DSEN-6490

HTML file load and open and close performance degraded in 3.5 compared to 3.4. This fix was implemented in

All DSEN-6653

When the Windows sensor 3.5 was in bypass mode, the sensor uninstall failed.

All DSEN-6876, EA-15319, EA-15301

Some customers observed latency associated with Microsoft Office applications.

All DSEN-6871

Users could deregister the sensor from Windows Security Center in conflict with the policy setting.

All DSEN-6826

3.5 beta users might have experienced a performance problem on a Windows 10 19H2 environment with CB Defense and CB ThreatHunter enabled. A 50% performance spike in repmgr.exe usage was identified when the system is idle.

All DSEN-6867

The CB LiveResponse API previously defaulted to UTF-16LE encoding rather than UTF-8. Because many customers rely on the latter, the default setting is restored to UTF-8. This issue only impacted 3.5 beta users.

CB ThreatHunter DSEN-6145

Customers who had moved from CB ThreatHunter standalone to CB ThreatHunter with CB Defense experienced false positive blocks. This issue was only reported internally.

All DSEN-6491

Some users experienced a minor delay in loading common applications.

All DSEN-6569

When running a Carbon Black-signed msi in Windows sensor 3.5 beta, cmd.exe was granted full bypass. The cmd.exe was only placed in bypass if the sensor msi was executed in cmd.exe.

All DSEN-6625

The Windows sensor did not support multi-byte characters in Osquery results in version

All DSEN-6660

One internal user experienced a crash on Windows sensor running on Windows 8.1 x86.

All DSEN-6691

In earlier 3.5 builds, if a file had a bypass rule that was removed after the file was deleted, then copies of that file would not be quarantined in place.

All DSEN-6706

Explorer.exe hung indefinitely on an attempt to run any process in the confer install folder as administrator in the Windows sensor

All DSEN-5163

The sensor did not prohibit downgrades from existing Windows 3.5 versions to older Windows 3.5 versions. This issue is resolved in all released 3.5 builds except for Carbon Black does not recommend or support downgrades, but the downgrade to is not prevented.

All DSEN-5934, EA-14272, EA-14956

Customers could not open attachments while using applications such as KnowBe4 Second Chance or Digital Guardian’s Outlook plug-in.

All DSEN-6540

The sensor user interface might have shown the sensor in bypass when it is active. This issue was only reproduced internally and was considered a rare event.

All DSEN-6543

False positive blocks might have occurred due to sharing violations while retrieving signature information.

All DSEN-6941

Application launch performance degraded in the Windows 3.5 sensor compared to the Windows 3.4 sensor.

All DSEN-6899, DSEN-7134

Customers experienced delays of up to 35 seconds associated with copying files to remote network drives. The sensor no longer reports signature or reputation information at the time of "last write" (i.e. close of handle that modified an executable file). The sensor will still collect and report that info if the file was executed but will not stall to collect it at time of modification.

All DSEN-7005, DSEN-6990

Files that had no logical drive mapping (such as some Google drive files) might not have been reported to the cloud. This issue impacted beta sensors only.

All DSEN-6315

Some sub-processes were left in a suspended state after their parents were terminated. This was only observed internally.

All DSEN-7026

One customer had observed a crash on some machines during the 3.5 beta program.

All DSEN-7099

Internal observations of timeouts that led to reputation mismatch, which could have resulted in false positive blocks.



Sensor Version Product Issue ID Description

Endpoint Standard DSEN-14817

For endpoints running that switch from Enterprise EDR-only to an Endpoint Standard enabled org, a reboot is required before Endpoint Standard capabilities fully function.

Endpoint Standard DSEN-14801, EA-19243

The Windows sensor is currently blocking MSI installations of software that requires a registry modification of a disk drive upper filter value in order to complete installation. This includes, but is not limited to, Dell Encryption software.

This known issue is planned to be addressed through a rules change, pushed from our cloud backend, that will be made available as soon as possible.

In the interim, any impacted software can be installed ahead of the sensor upgrade or the sensor can be temporarily placed in bypass mode to install impacted software prior to our rules update.

Endpoint Standard DSEN-14604

First-time sensor installation can require a reboot to remove the sensor from Bypass mode for sensors installed with ‘Bypass sensor after login’ enabled via policy settings.

Enterprise EDR UAV-2206

For EEDR (only) orgs, a temp file may be left behind when saving a modified Excel file. The suggested workaround for this issue is to delete the unnecessary temp files.

Endpoint Standard, Enterprise EDR, Audit & Remediation DSEN-14015

Sensor does not perform process classifications while in bypass. RepCLI commands issued through a Live Response session that require authentication are not allowed until the sensor is returned to an active state.

Endpoint Standard DSEN-13482

Events showing NT file path of dropped files.

Endpoint Standard DSEN-13464

Missing FopsId for executing file prevents user mode from running Local Scanner.

All DSEN-13266

Installer log is not providing a specific error message for attempts to install the CBC Windows sensor using an expired Company Code.

Endpoint Standard DSEN-12394

Sensor upgrades initiated outside the server console (e.g., SCCM, GPO, Manual) may result in failure due to msiexec.exe being blocked by tamper protection. This can be worked around through upgrading via the server console.

Endpoint Standard DSEN-12202

Uninstalling through the “sensor removal tool” may still leave behind the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\Provider\AV\ registry entry.

Endpoint Standard DSEN-12189

When a process is blocked from running, multiple block events can display in the console and local user interface.

Endpoint Standard, Enterprise EDR DSEN-11116

Banned file names and paths are not captured correctly when launched through a WebDAV path.

All DSEN-8545

RepCLI capture can only be used to save zip files to local directories. If you attempt to save the zip file to a network location, the file is written to the c:\programdata\carbonblack\logs\temp directory.

All DSEN-8123

Sensors running on Windows 10 Enterprise Multi-Session environments can display the OS version as “Windows Server 2019”.

Endpoint Standard DSEN-11563

When ransomware-like behavior is terminated by the sensor, the event shown on the Investigate page in the Carbon Black Cloud console no longer indicates the operation was blocked and that the application was terminated by the Windows sensor. However, an alert on the Alerts page shows that the application was terminated.

Endpoint Standard DSEN-10058,

The sensor has experienced an interoperability issue with Webroot that can cause Internet Explorer to crash. This issue is targeting the November maintenance release for a fix.

All DSEN-10763

Upgraded sensors will not accept datafile2 changes when no psc rules are received.

All DSEN-10674

Although docker and windows containers are not fully supported, they should be able to run uninterrupted.

All DSEN-10058

Webroot interop issue needs rules-driven API specific bypass.

All DSEN-7586

ForcePoint uninstall fails even with a sensor in bypass. ForcePoint uninstall succeeds only when the sensor is uninstalled.

All DSEN-10547

Repmgr: continuous service crash alarms (ARM specific).

All DSEN-10665

Purging a bad record from rep_db does not set the needed hash object flag.

3.6.0 All DSEN-7586

ForcePoint uninstall fails even when the sensor is in bypass. ForcePoint uninstall succeeds only when the sensor is uninstalled.

3.6.0 All DSEN-10058

Webroot interop issue needs rules-driven API specific bypass.

3.6.0 All DSEN-10069

Major Windows upgrade does not migrate ELAM backup.

3.6.0 All DSEN-10264

Sensor blocks Airwatch Service.

3.6.0 All UAV-1776

Missing "Reason" data in some AMSI alerts.

All DSEN-9621, EA-16219

After an endpoint is placed into quarantine, the device cannot be taken out of quarantine through the console or API.

All DSEN-8380

Upgrade from 2.1.x to 3.x sensor fails on Windows Server due to CbDefenseWSC service failing to stop. To work around the issue, reboot the machine before installing a new build.

All DSEN-8445

One customer could not copy and paste unless the sensor was in bypass. This was due to an interoperability issue with SecureCircle. This product must be running together with the sensor for the issue to occur.

All DSEN-8366

The sensor reported a status message 15 minutes after install which could have shown the sensor being Active during that time frame even if the sensor was originally installed in Bypass.

CB Defense DSEN-8493

IT Tools did not normalize file names. To use IT tools, you should wildcard the volume name and remove any symlinks from the name as a temporary workaround.

All DSEN-8551

Tamper protection blocked Explorer from accessing \ProgramData\CarbonBlack\ before going into bypass, but not after coming out of bypass if the folder is accessed while in bypass.

Customers are encouraged to have a set of RepCLI users authenticated, and use those users for support sessions if there is a need to inspect this folder. These users could successfully access %programdata%\CarbonBlack through Explorer.exe.

All DSEN-8052, EA-14696, EA-15605, EA-15653, EA-15688

A previous release note stated that as of, customers can apply the configuration settings SkipNetworkConversionToPhysical=false and OnlyAttemptDFSForPhysicalDeviceNames=true locally in the configuration setting file to improve performance in DFS access scenarios. These values are configured using the repCLI updateconfig command. See the Knowledge Base article

However, applying these configurations can crash the endpoint. This problem was observed internally and will be fixed in the next maintenance release. In the future, the sensor will support cloud configuration management.

All DSEN-8405

Due to a previous change to assist with diagnostics, the size of pagefile gets increased from 2 GB to more than 15 GB. This can also generate errors from volmgr in Windows Event Viewer.

All DSEN-7416

After upgrading from Windows 7 x64 to 19H1, the endpoint might still report that the machine is running Windows 7.

3.3 All DSEN-7727

In some cases, the installer dialog requests an email address. To complete the install, an uninstall code is actually required.

CB Defense DSEN-6985

CB Defense might not parse path-based rules beginning with a potential backslash. Most commonly, this affects cloud file sharing apps like Box and Google File Stream. A potential workaround is to add wildcards before the backslash, although that will match any subfolder that has that partial path. This issue will be fixed in an upcoming maintenance release.

All DSEN-1987

False positive alert when the [application name] attempts to access raw disk on the file. See

All DSEN-1180, DSEN-3065

When using CB LiveResponse, users can terminate the sensor if they terminate RepMgr.exe. Terminating this process means that the sensor cannot connect to the backend, and the CB LiveResponse session ends. The sensor does not recover until after a reboot. Users can also delete certain files in the confer directory. Users are advised to use caution during CB LiveResponse sessions.

All DSEN-2378

During an attended install, the Windows installer shows a blank error dialogue when attempting to install on an unsupported operating system.

All DSEN-1387

Background scan remains disabled on devices where VDI=1 was used. See

All DSEN-4216

The Windows 3.4 sensor accumulates deleted files within the sensor cache and does not remove them when the files are removed from disk. This can lead to the sensor reporting that malware is still on disk when it has been removed.

All DSEN-4143

Users might experience blocks of Microsoft OS upgrades if an upgrade is attempted shortly after release, before the Carbon Black Cloud product has established a reputation for the operating system.

An administrator can work around this issue by either placing the sensor in Bypass or adding the following paths to bypass:


Make sure that the policy configuration: When an unknown application tries to run - deny/terminate is disabled when you upgrade.

All DSEN-4591, EA-13682 Arcmap files are corrupted or missing in certain environments.

All DSEN-4581, DSEN-4694 A terminate action might be applied to wmiprvse.exe, showing an alert in the Carbon Black Cloud console during machine start-up. At the time, wmiprvse has an unknown reputation and is scraping lsass.exe. This commonly happens during Windows updates. Wmiprvse.exe should execute after the reputation resolves, and the update should succeed.

All DSEN-4924, EA-13414 Some customers have reported interoperability issues with Skype, Lync, and Windbg on Windows 7. Other operating systems are unaffected.

All DSEN-3408 The CLI_USERS=<Sid> command line option works correctly when you install non-interactively using a COMPANY_CODE, but it doesn't work if you use the direct end user installer using the activation code.

All DSEN-6654 A Windows freeze was reported during the first login with a domain account during a Group Policy upgrade from Windows sensor to Windows sensor

All DSEN-6622 The Group Policy upgrade from Windows sensor to Windows sensor failed. The steps to resolve this are documented internally and will be provided in an update of the Carbon Black Cloud User Guide.

All DSEN-6136 Non-executable file reads, writes, and deletes are 40% slower on Windows sensor than Windows sensor

All DSEN-4924 One customer observed windbg and Lync crash.

All DSEN-7144 When “disable services of known malware” is enabled, some endpoints have observed a spike in CPU every ~5 minutes.

All DSEN-5881 In some cases, metadata associated with blacklisted files is not present in the UI. This has only been reproduced internally.