
Carbon Black App Control Server 8.6.0 Released - (Previously known as CB Protection)

2/4/2021 - Current Release: 8.6.0.155 

I'm excited to announce the release of Carbon Black App Control Server v8.6.0.

Notable items in this release include: 

  • global_state was added as a field to all four syslog output formats. It displays the global approval state of the file in the event.
  • Alert email throttling allows you to define when and how often you receive alert emails for the “Unapproved File Block Alert”.
    • Dropdown with options for sending e-mails for event rules only: all, one per hash, one per computer, one per hash per computer
  • Server support for Windows Server 2008 and SQL Server 2008 has been deprecated with the 8.6 release.
  • We are happy to announce there is a new Rapid Config Guide that provides more details regarding Rapid Configs. You can find that here.

For a list of all new features and improvements, please see the 8.6.0 Server Release Notes.

You can download Carbon Black App Control Server v8.6.0 from here. This is a one-time use link and you must be logged into the UeX to use it.

SHA256 Hash of the ParityServerSetup.exe: 2ca0631efdfc066ae907daad2534f9ab4be1d9876199dfe91144655918bebabb

You will need to download the Rules Installer and Carbon Black App Control (Previously known as CB Protection) Agents separately and those can be downloaded from the following links:

Rules Installer 1.8
CB Protection 8.5.0 Windows Agent


For all other downloads and documentation, please see the 8.x repository

Comments

Just an FYI that we will be cleaning up the past comments since a new version has been posted, making older comments obsolete.

Is there a reason that the Linux agent link points to v7.4.0 instead of  v7.4.6?

While trying to download an error is received :

HTTP Status 500 -


type Status report

description The server encountered an internal error that prevented it from fulfilling this request.

Please try a different browser or an incognito browser.

Looking for instructions, specifically on how to upgrade from 8.1.6 to 8.5.2

Hello @dcvl, I have done 3 upgrades and used these steps:

  1. Read Release Note, check upgrade paths;
  2. Make backup of MSSQL Database and server itself;
  3. Run Installer; you will need service account on sa for Database Server;
  4. After Successful Installation restart the server and DB instance

!!! But be aware that version 8.5.2 breaks the capability to send events to SIEM and Syslog server; this is a known issue and the VMware Carbon Black team is actually working on it !!!

 

@dkatsiashvili 

What brought this to your attention (version 8.5.2 brokes capability to send events to SIEM and Syslog server) and/or how did you validate this?

 

Thanks

I have the same problem with logs no longer being sent to our SIEM after an upgrade to 8.5.2. I validated this with PCAPs on both the CbAC server and on the SIEM where no syslog traffic was found. VMware is aware of this problem and I have a case in, awaiting a solution.

@bhicks 

Everyone who upgraded to this version has the same issue, and there is a CB_Support post regarding the issue

https://community.carbonblack.com/t5/Knowledge-Base/App-Control-No-network-traffic-to-Syslog-server-...

BR,

Dimitri

 

@dkatsiashvili  - @xstuartbarrettx 

 

Thanks for sharing this information and please be sure to share any progress or fix to this challenge once there is more information to share. 

 

Thanks, Bill 

Hi all,

please see  "sending syslog message" fix

Resolution
  1. Download the configuration file 'NLog.config' from HERE
  2. Open and edit the file by updating lines 62 and 81 and changing the example IP: 1.2.3.4 to the IP address matching your Syslog server
    <sl:server>1.2.3.4</sl:server>
  3. Backup the existing file located here:
    \Program Files (x86)\Bit9\Parity Server\Reporter\NLog.config
  4. Replace the file with the new one
  5. Restart the CB App Control Reporter service; events should start forwarding shortly after

For the Agent Packages in CB Protection getting reset upon upgrading to the 8.5.2.4 version on the Site Server

App Control: Shepherd Config Generate Installer Resets to False After Upgrade to 8.1.4+
 
Environment
  • App Control Server: 8.1.4 and Higher
Symptoms
  • Shepherd_Config GenerateWindowsInstaller resets to False after upgrading to 8.1.4.
  • Shepherd_Config GenerateMACInstaller resets to False after upgrading to 8.1.4.
  • Shepherd_Config GenerateRedhatInstaller resets to False after upgrading to 8.1.4.
Cause
Package generation fails due to leftover temporary files.
Resolution
  1. Login to the App Control Server as the Service Account.
  2. Open Services.msc
  3. Stop CB Protection Server service.
  4. Delete all files in directory:
    C:\Users\<ServiceAccount>\Appdata\Local\Temp
  5. Start CB Protection Service
  6. Navigate to https://ServerName/Shepherd_config.php
  7. Verify the Generate Installer configuration(s) is set to True and remains.

Additional Notes
A similar issue has been seen if this is a new install and pointed to the wrong SQL Instance

This is the workaround for the Folks who have upgraded to the CB Protection 8.5.4.2 on their Site Servers and it then breaks the ability of the SIEM to capture or upload log files from the CB Protection Solution

 

App Control: Syslog stops sending traffic after upgrade to 8.5.2 

Environment

  • App Control Server: 8.5.2

 

Symptoms

  • After upgrading to 8.5.2 syslog events are no longer sent
  • Syslog traffic to the local 127.0.0.1 is working
  • Packet captures do not show any outgoing traffic to the syslog server
  • SyslogGetEvents scheduled task continues to run

 

Cause

Syslog events are sent to the local 127.0.0.1 regardless of configuration due to defect: EP-11687

 

Resolution

  1. Download the configuration file 'NLog.config' from HERE
  2. Open and edit the file by updating lines 62 and 81 and changing the example IP: 1.2.3.4 to the IP address matching your Syslog server
    <sl:server>1.2.3.4</sl:server>
  3. Backup the existing file located here:
    \Program Files (x86)\Bit9\Parity Server\Reporter\NLog.config
  4. Replace the file with the new one
  5. Restart the CB App Control Reporter service; events should start forwarding shortly after

 

Related Content

App Control: Syslog Parsing Errors After Upgrade to 8.5.2

App Control: Syslog Parsing Errors After Upgrade to 8.5.2 

Environment

  • App Control Server: 8.5.2 (Formerly CB Protection)

 

Symptoms

Parsing of syslog is incorrect after upgrade to 8.5.2

 

Cause

The Product name and vendor within the output have changed from CB Protection to Carbon Black App Control. The configuration may not be parsing the new values correctly.

 

Resolution

Update your SIEM using the new configurations in the Events Integration guide, making note of the name change:

Vendor:

VMware_Carbon_Black

Product:

App_Control

https://community.carbonblack.com/t5/Documentation-Downloads/VMware-Carbon-Black-App-Control-Events-...
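
An added example (not from the KB articles or the posters above): a PowerShell check for the NLog.config resolution steps quoted in this thread, confirming that no <sl:server> entry still holds the example IP or a loopback address before the file replaces the live one. The sample XML, its namespace URI, the target names and the 192.0.2.10 address are constructed placeholders; only the <sl:server> element, the 1.2.3.4 example IP and the two-entry count come from the steps.

```powershell
# Added example, not vendor code. Checks every <sl:server> entry in an NLog.config
# so an unedited placeholder is caught before the Reporter service is restarted.

function Test-SyslogServerEntries {
    param(
        [Parameter(Mandatory)][xml]$Config,
        # The KB's example IP, plus loopback, which is where the defect sends events.
        [string[]]$Rejected = @('1.2.3.4', '127.0.0.1', 'localhost', '::1')
    )
    # Match on the element's local name so the namespace URI behind the
    # "sl" prefix does not have to be known.
    foreach ($node in $Config.SelectNodes("//*[local-name()='server']")) {
        $value = $node.InnerText.Trim()
        [pscustomobject]@{
            Element = $node.Name
            Value   = $value
            Ok      = ($value -ne '') -and ($Rejected -notcontains $value)
        }
    }
}

# Constructed sample: only the element shape comes from the resolution steps;
# the namespace URI, target names and first address are placeholders.
$sample = [xml]@'
<nlog xmlns:sl="urn:example:placeholder">
  <targets>
    <target name="syslogA"><sl:server>192.0.2.10</sl:server></target>
    <target name="syslogB"><sl:server>1.2.3.4</sl:server></target>
  </targets>
</nlog>
'@

$results = @(Test-SyslogServerEntries -Config $sample)
$results | Format-Table -AutoSize

# The resolution edits two entries (lines 62 and 81), so expect two, both Ok.
$bad = @($results | Where-Object { -not $_.Ok })
if ($results.Count -ne 2 -or $bad.Count -gt 0) {
    Write-Warning "$($results.Count) entries found, $($bad.Count) still placeholder, loopback or empty."
}

# On the server, run the check against the edited copy, then back up the live
# file (path from step 3) before replacing it:
#   Test-SyslogServerEntries -Config (Get-Content -Raw .\NLog.config)
#   Copy-Item $live "$live.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # $live = path from step 3
```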

 

type Status report

description The server encountered an internal error that prevented it from fulfilling this request.

 

I have tried from different browsers but still I'm getting the same error 

UZ

Not able to download, clicking the download "here" link throws an error page starting with the below given error.  Tried two different computers, Chrome and Firefox browsers, and incognito mode. Same result.

FreeMarker template error (HTML_DEBUG mode; use RETHROW in production!)

The following has evaluated to null or missing:
==> http_client_request.content.href  [in template "custom-smartfile-integrations.ftl" at line 14, column 5]

----
Tip: It's the step after the last dot that caused this error, not those before it.
----
Tip: If the failing expression is known to be legally refer to something that's sometimes null or missing, either specify a default value like myOptionalVar!myDefault, or use <#if myOptionalVar??>when-present<#else>when-missing</#if>. (These only cover the last step of the expression; to cover the whole expression, use parenthesis: (myOptionalVar.foo)!myDefault, (myOptionalVar.foo)??
----

 


@UZ can you please try an incognito browser?

I am unable to download installer for Linux. It says page has been archived. Can anyone suggest

@esullivan 

This is very frustrating. Even after trying in a different browser or incognito mode it says 403/unauthorized error.   Though 3 days back I was able to download it but cancelled it by mistake; now after multiple attempts I am not able to do it.

@ndhyani - I am checking with the team why that document was archived.

@piyushsingh - Apologies for the issue.  I am unable to reproduce on my end which makes troubleshooting difficult.  If you have a location where I can upload the file for you to download while we continue to investigate this issue, please drop me a line at edwards@vmware.com.  

@ndhyani I've updated the post to point to the latest repository where you can find all documentation and downloads.

Here's the link to the latest Linux agent - https://community.carbonblack.com/t5/App-Control-Documents/Announcing-General-Availability-of-the-VM...

 

@lhowarth - Thanks. It worked now 

EDIT: The hyperlink works now.

I cannot download the installer.

Earlier today when I tried that I got an HTTP 403.

Right now I am getting HTTP 500!

Please fix this. Thanks.

https://community.carbonblack.com/plugins/custom/carbonblack/carbonblack/custom-smartfile-integratio...

Yup, having the same issue trying to download, even in incognito. Guess I'll try again later, sounds like that's what's working for other folks. 

@esullivan Same issue. Is it a cert problem or something?

Don't believe so.  I have been investigating this issue for months and have not been able to determine why the link works for some but not others.

I am in the process of switching the backend we use to host the installers which will hopefully clear up any issues for all users.

@esullivan  Thanks bro and I got an error message printed in red "File or directory has been removed." I tried at around 10:26 UTC+8.

By the way, the previous link (which I reported with HTTP 403 / 500 error) does work sometimes. I didn't test it seriously but I managed to download the installer one day morning (UTC+8 again). Before that, I had tried multiple times getting the error while all of them were in the afternoon.

 

@cfsup thank you for the additional details. That's the frustrating part as the exact same link seems to work sometimes, but not others.  Makes it difficult to troubleshoot.  And for me, the link always works.  

Hopefully we will be on our new backend platform soon and this will no longer be an issue.

sflinks.carbonblack.com has an incomplete certificate chain.  Any chance that could be fixed?

@ilovetacos I have raised this with the platform vendor, thank you.

@esullivan 

 

Hi I am getting the 403 error again. :(

This is by far the most frustrating download I have ever seen. We can't simply download when we want. All of a sudden it works sometimes.

Please update the installers somewhere else as well so that we can download it directly.

 

Regards,

Piyush

Hi Ed

I cannot download the installer yet again. I get the HTTP 500 error.

I've tried 3 different browsers (Chrome, Firefox, IE) and incognito mode on both Chrome and Firefox.

The last time this happened I got it going by using good old IE but even that isn't working this time.

Getting http status 500 error while trying to access 8.6.0 download link from all browsers

Hi Folks - apologies.  We are days away from migrating off the backend that is currently hosting these files (they are too large to host natively on the community platform.)

Can you please try: https://sflinks.carbonblack.com/73EZkcMS3yY/  

Hi,

Anyone roll with 8.6.0.155 yet?

Thoughts?

@lhowarth @esullivan 

Hi guys!

In the past I have watched the discussions on new server releases to get a sense of when to do the upgrade. The previous comments here, while not saying run, do not have people saying "Go For It".

Can you tell me what percentage of customers have upgraded or at the least is there a general level of success?

Thanks!

@cool_breeze sorry that is not information that is available to me.  

Article Information
Creation Date: 02-04-2021
Views: 23228