
PSC Release Notes June 2019

This June 2019 release notes article contains information about the following releases:

  • June 27, 2019 release
  • June 10, 2019 release


June 27, 2019 release


Release calendar

The following table provides a timeline for changes in your CB Predictive Security Cloud (PSC) console. Reference the URL that appears in your browser when you sign into the CB PSC console.

Login URL | ETA
https://dashboard.confer.net/ | June 27
https://defense.conferdeploy.net | June 27
https://defense-prod05.conferdeploy.net | July 1
https://defense-eu.conferdeploy.net | July 2
https://defense-prodnrt.conferdeploy.net/ | July 2


Predictive Security Cloud

Endpoint Page Improvements

In this release, the Endpoints page has several improvements. You can now reorder sensor groups in bulk, making it easier and faster to determine which groups are evaluated first. Deleting a sensor group is faster because each row has a delete button that is shown on hover. Hovering over an endpoint’s policy now shows a description of the policy.

Fixed in this release

Issue ID | Description
DSER-16481 | Fixed: alerts not loading on refresh for some organizations.
DSER-15961, EA-12865 | TTPs for notifications are updated.
DSER-15780, EA-13696 | REST API query result discrepancies in the Status key/field are remediated.
DSER-14906 | Device Export was including deleted devices, which caused exports to fail in some cases. Deleted devices are now removed from device exports.
DSER-13914 | Deregistered devices were not being auto-deleted.


Known issues

Issue ID | Description
DSER-4390 | Devices only show the status Eligible for Upgrade if the sensor version is lower than any version that is available in Endpoints > Download Sensor Kits.
DSER-5437 | Additional HTML can be included in the SIEM event connector.
DSER-10342 | In some cases, uninstalling a sensor from the console does not trigger an uninstall on the sensor.
DSER-10714 | Incorrect API URLs are displayed in the console.
DSER-12676 | An additional alert notification is sent to SIEM or API connectors when an alert is dismissed.
DSER-12728 | In rare instances, the page renders as a gray screen.
DSER-12858 | If a backend org is deregistered, sensors might not be automatically uninstalled. We recommend always making a note of uninstall codes if they are required for uninstall.
DSER-15081 | CB Defense alerts in a CB ThreatHunter-enabled organization improperly map script loads as process creation.
DSER-16034 | Creating a connector with a similar name causes a creation failure. To work around this, make sure that the text before the first space is unique for each connector.
DSER-16164 | The Alerts / Notifications API does not include the CB ThreatHunter investigate URL, which breaks these links.


CB Defense

Detection analytics improvements

As part of our continued effort to improve detection analytics, enhance detection capabilities, and reduce false positives, this release adds further fixes. The focus is primarily on attacks that leverage native Windows applications to perform malicious activity. Additionally, we focus on reducing high-impact false positives that are related to code injection and port scanning activities. You should see improved detection capability on the Alerts page.

See the following list of improvements:

Type | Name | Description
New Detection | CMSTP User Account Control Bypass | Improved detection of attackers that leverage CMSTP, a native-signed Windows application that manages network connections, to escalate user privileges and execute malicious activity.
New Detection | Netsh Modifying Local Windows Firewall | Improved detection of attackers that leverage netsh, a native-signed Windows application that configures network services, to modify or disable the local Windows firewall.
New Detection | Rundll32 Executing Rogue JavaScript | Improved detection of attackers that leverage rundll32, a native-signed Windows application that executes code on behalf of other applications, to execute potentially malicious JavaScript.
New Detection | Certutil Suspicious Behavior | Improved detection of attackers that leverage certutil, a native-signed Windows application that displays and modifies certificate information, to perform malicious activity such as encoding/decoding other files and dropping unknown DLL files to disk.
New Detection | Mshta Executing Suspicious Scripts | Improved detection of attackers that leverage MSHTA, a native-signed Windows application that runs HTML-based applications, to execute potentially malicious JavaScript.
False Positive | Ransomware | Eliminated false positive alerts that were related to an uncompromised Microsoft process that triggered ransomware-related alerts.
False Positive | Ransomware | Eliminated false positive alerts that were related to an uncompromised multimedia application that triggered ransomware-related alerts.
False Positive | Instruction Setting | Eliminated false positive alerts that were related to an uncompromised Microsoft process that modified the Windows Explorer process.
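
The detections above all hinge on the same point: the binary is a signed, native Windows application, so the process name alone is not an indicator and the command line has to supply the context. As an added illustration written for these notes (not Carbon Black's analytics), the Python below applies constructed command-line heuristics to constructed process-creation events, placing benign invocations of the same binaries beside suspicious ones. The event field names (process_path, command_line) and every pattern are this example's assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed rule set mirroring the five "New Detection" rows above. The
# command-line patterns are this example's own narrowing heuristics, not
# Carbon Black's analytics: (detection name, binary name, pattern).
RULES = [
    ("CMSTP User Account Control Bypass", "cmstp.exe",
     re.compile(r"\\(?:users|temp|appdata)\\[^\s\"]*\.inf\b", re.I)),
    ("Netsh Modifying Local Windows Firewall", "netsh.exe",
     re.compile(r"firewall\b.*\b(?:set|add|delete)\b", re.I)),
    ("Rundll32 Executing Rogue JavaScript", "rundll32.exe",
     re.compile(r"\bjavascript:", re.I)),
    ("Certutil Suspicious Behavior", "certutil.exe",
     re.compile(r"-(?:en|de)code\b", re.I)),
    ("Mshta Executing Suspicious Scripts", "mshta.exe",
     re.compile(r"javascript:|\.hta\b", re.I)),
]

def classify(event: dict) -> list:
    """Return the detection names one process-creation event maps to.
    The notes' detections concern signed native binaries, so a real pipeline
    would also check image path and signature; basename plus command line
    is enough to show the narrowing logic here."""
    name = PureWindowsPath(event.get("process_path", "")).name.lower()
    cmdline = event.get("command_line", "")
    return [det for det, binary, pat in RULES
            if name == binary and pat.search(cmdline)]

# Constructed sample events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"process_path": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh advfirewall set allprofiles state off"},
    {"process_path": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh advfirewall show allprofiles"},  # read-only: no hit
    {"process_path": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -decode C:\Users\Public\blob.txt C:\Users\Public\out.bin"},
    {"process_path": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil -verify server.cer"},  # benign use: no hit
    {"process_path": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta C:\Users\Public\update.hta"},
    {"process_path": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign: no hit
    {"process_path": r"C:\Windows\System32\cmstp.exe",
     "command_line": r"cmstp.exe C:\Users\bob\AppData\Local\Temp\conn.inf"},
]

def run(events=SAMPLE_EVENTS) -> dict:
    """Map each sample command line to the detection names it triggers."""
    return {e["command_line"]: classify(e) for e in events}
```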

Improved the metadata layout on the Investigate page

We reorganized the metadata and additional information so that you can find data more quickly.

[Image: MetadataLayout.png]

Fixed in this release

Issue ID | Description
EA-13103, DSER-15331 | Older sensors could receive a poorly formatted reputation DB, causing unexpected blocks. This is prevented on newer sensors, and this fix mitigates it for older sensors.

Known issues

Issue ID | Description
DSER-9670 | When searching for Threat Category: Malware on the CB Defense Alerts page, results can include non-malware results.
DSER-10468 | If no sensor detail message is entered on a policy, the sensor might display false in the sensor UI.
DSER-10667 | After whitelisting a file, the reputation on the main Investigate page properly shows WHITE_LISTED while the Application tab incorrectly shows NOT_LISTED.
DSER-10961 | While the sensor will prevent the deletion, the console still allows the user to send a delete request for PSC sensor files.
DSER-11370 | When dismissing an alert, if a reason is specified, the alert dismissal might fail.
DSER-15748 | The Reputation filter on the Alerts page does not display any filter options.
DSER-16022 | When a policy rule is created for UNKNOWN reputation files, the rule is incorrectly applied to NOT_LISTED applications. Because UNKNOWN reputation is very transient, we recommend using both NOT_LISTED and UNKNOWN rules and having them match.
DSER-16223 | Changes to the auto-blacklist feature are not logged in the audit log.
DSER-16224 | When a hash is auto-blacklisted, an audit log entry is not added.
DSER-16458 | When exporting from the server dashboard, dismissed alerts are not exported when the Include dismissed alerts filter is enabled.
DSER-16508 | The Tags filter on the Alerts page does not populate with entered tags.
DSER-16563 | Exporting data from the PSC Dashboard can lead to timeouts when a large amount of data is exported.


CB ThreatHunter

Enhanced Watchlist Investigate Experience

To see the full set of processes that hit (or could have hit) on a Watchlist, clicking the Investigate button on the Watchlist details page previously took you to the Investigate page to show all search results that matched the Watchlist for all time. There was no explanation that this search experience was in the context of the Watchlist that you were just examining.

With this release, we have customized the experience of searching for all (or potential) hits for a Watchlist. Now, when you click the Investigate button on the Watchlists page, the PSC provides you with the following:

  • New context-specific header that includes the name of the Watchlist to reinforce that this is a Watchlist-specific customized search experience.
  • Toggle to enable or disable alerts for the current Watchlist.
  • Take Action menu to let you edit, disable or unsubscribe from the Watchlist.

Previously: [Image: Watchlist Investigate (old).png]

Now: [Image: Watchlist Investigate (0.47.0).png]


June 10, 2019 release


CB ThreatHunter

Enhanced Watchlist Hits are more visible on the Investigate page

Watchlist Hits are better integrated into the Investigate page search results.

Prior to this change, every search result for a process that had one or more Watchlist hits (that is, the process had one or more events that matched criteria on one or more subscribed Watchlists) included a red square showing the highest severity of any matching Watchlist Report:

[Image: Watchlist Hits old.png]

A new orange ! icon indicates that there is at least one Watchlist hit for a process:

[Image: Watchlist Hits new - summary.png]

Click the orange ! icon to summarize the relevant findings:

  • Severity score for the latest hit.
  • Name of the Report in which the hit was found.
  • The query on which the hit occurred.
  • Time of the occurrence of the event that was captured as a Watchlist hit.
  • A link that allows you to search for all Watchlist hits for this specific process (search by Process GUID, which is a globally unique version of the Process ID).

[Image: Watchlist Hits new - modal.png]

Fixed in this release

Issue ID | Description
DSER-13636 | Facets did not update when you navigated away from the Investigate page and then returned.
DSER-14276 | When a user deleted a custom Watchlist from the enabled Watchlists page, the Results section of the page reported No watchlists enabled.
DSER-15432 | The progress bar on the events table on the Process Analysis page got stuck in an endless loop after the user browsed several parents up the tree.
DSER-15784 | ThreatHunter searches using the Process Search API that sent parameter data with a wrong data type caused a 502 Bad Gateway error.
DSER-15805 | In the Add Query to Watchlist feature on the Investigate page, when you selected the Include historical data checkbox, an Error while creating IOC message was displayed, but the Watchlist was created.
DSER-16080 | Report Search on the Watchlists page returned a 500 error when querying for more than 10,000 reports.
DSER-16099 | The process tree sometimes showed only one node on the Process Analysis page.
DSER-16234 | The search bar query was ignored when a user selected a filter on the Investigate page.

Known issues

Issue ID | Description
TPLAT-6201 | The First seen as field on the Binary Details page (and from the API) does not return paths in prevalence order; therefore, it is not possible to guarantee the actual first seen instance.
DSER-10685 | Text remains in the Investigate search bar if the user navigates away and uses the Investigate navigation option to return to the Investigate page.
DSER-11445 | Hovering the mouse over an Investigate search filter hides the percentage values.
DSER-11662 | After you deselect a selected filter on the Investigate page, an otherwise-empty search still displays search results.
DSER-11904 | The count of devices with a hash on the Process Analysis page is different from the count of devices on the Investigate page.
DSER-11959 | When the user types - or + and then accepts a suggested search field name, the + or - character is removed from the search bar on the Investigate page.
DSER-12453 | ThreatHunter Watchlist tags do not show up on the Notes/Tags tab of the Alerts page; these are a different type of tag data.
DSER-12538 | The Binary Details page crashes when UBS APIs return unexpected output.
DSER-13177 | The User Guide is missing from the Help menu for organizations that subscribe to CB ThreatHunter.
DSER-13271 | Many suggestions for search fields on the Process Analysis page have no field descriptions or examples.
DSER-13283 | When you search for Reports for a new Watchlist, you cannot access or add a Report that was returned by the search.
DSER-13295 | For processes that have a very large number of events, the Process Analysis page for that process can be manually reloaded to load additional events until the query is completed in the background.
DSER-13773 | The Watchlist link is still shown on the Process Analysis page side panel after the Watchlist is deleted.
DSER-14090 | If CB Defense is enabled on the PSC with WSC integration enabled, and you remove CB Defense, the WSC integration is not disabled.
DSER-14148 | When the Investigate search bar overflows to multiple lines, the user cannot use keyboard navigation or selection.
DSER-14758 | Searching by device_internal_ip returns no results for CBTH-native events on the Investigate page.
DSER-15013 | Rule Preview links show inconsistent result counts when you use wildcards on the Policies page.
DSER-15052 | More Watchlist Notification emails are sent than there are Watchlist Hits or Alerts.
DSER-15187 | "process_publisher" searches on the Investigate page return both signed and unsigned binaries.
DSER-15385 | The result count drops and rises when changing filters or terms in an Investigate search.
DSER-15386 | When the user deletes the last Report in an enabled Watchlist, the Reports tab on the Watchlists page shows all available reports instead of No Reports for this Watchlist.
DSER-15931 | Report Search on the Watchlists page allows the user to submit a search when the search bar is empty.
DSER-16083 | On the Watchlists page, the backspace key does not behave as expected when editing a Watchlist name or description.
DSER-16084 | In the Update Watchlist API, an empty Name field is allowed.
DSER-16087 | In the Create New Report API, the API responds with a 500 error if a negative timestamp is submitted.
DSER-16190 | The device_policy field is not always populated in API data or Investigate filters.
DSER-16297 | The Clear search feature on the Investigate page does not clear selected filters.


Carbon Black, Inc. | 1100 Winter Street, Waltham, MA 02451 USA | Tel: 617.393.7400

Copyright © 2011–2019 Carbon Black, Inc. All rights reserved. Carbon Black, CB Defense, Cb ThreatHunter, CB ThreatSight, and CB LiveOps are registered trademarks and/or trademarks of Carbon Black, Inc. in the United States and other countries. All other trademarks and product names may be the trademarks of their respective owners.

Creation Date: 06-10-2019