Sensor Version Fixed | Product | Issue ID | Description |
3.6.1.10 | All |
DSEN-15228 |
Fixed rare repCLI reporting issue. |
3.6.1.10 | All |
DSEN-14761, DSEN-14003 |
Improved sensor tamper protection efficacy for sensor operating in Kernel Extension mode. |
3.6.1.10 | All |
DSEN-14394 |
Improved recovery mechanism of sensor data files that, in rare circumstances, could occur after unexpected machine shutdown. |
3.6.1.10 | All |
DSEN-14892 |
Minor user interface enhancement. |
3.6.1.10 | All |
DSEN-14909 |
Log collection enhancements. |
3.6.1.10 | All |
DSEN-15597 |
Improved error handling when sensor downloads data files. |
3.6.1.10 | All |
DSEN-15782, |
Email address was incorrectly populated by a company code on < 1% of macOS sensors. |
3.6.1.10 | All |
DSEN-15600 |
The CBCloudUI widget crashed when selecting About Carbon Black Cloud from the drop-down menu. Selecting Open failed to display the window showing protection events. |
3.6.1.10 | All |
CBC-9429 |
Quality improvements made to configuration management. |
3.6.1.10 | All |
DSEN-15365 |
Resolved an issue where NTFS-formatted USB devices were not being blocked. |
3.5.3.82 | All |
DSEN-2781, EA-18371 |
Unattended installation script could fail after customizations due to some variables to paths that are not quoted in the script. |
3.5.3.82 | All |
DSEN-2800, EA-18355 |
Pushing large amounts of data via MDM (such as Jamf) alongside the configuration for VMware Carbon Black Cloud could cause the sensor to incorrectly report that it was not properly configured for Full Disk Access via the backend console and the output of the RepCLI status command. |
3.5.3.82 | All |
DSEN-13481 |
In extremely rare circumstances, the sensor failed to uninstall successfully after undergoing repeated installs and uninstalls. |
3.5.2.78 | All | DSEN-13778 |
The macOS 11.3 kernel introduced a bug that may lead to a kernel panic with sensors running in KEXT mode. 3.5.2.78 contains a workaround for this Apple bug and kernel panics should no longer be experienced on macOS 11.3. Learn more. NOTE: 3.5.x sensors running in SE mode are not impacted. If running in KEXT mode, customers should upgrade to the 3.5.2.78 sensor prior to upgrading their OS to 11.3. |
3.5.2.78 | All | DSEN-11614 | Sensors on macOS Big Sur now correctly report the OS version as 11.X rather than 10.16 on the backend console. This is only a presentation fix, and has no impact on functionality. |
3.5.2.78 | All |
DSEN-9164 DSEN-12487 |
Updated OpenSSL, cURL, and sqlite3 libraries. |
3.5.2.78 | All |
DSEN-10397 DSEN-11226 |
When installing System Extension sensor in attended mode without MDM configured, strict System Extension approval timeout has been removed. |
3.5.2.78 | All | DSEN-11666 | Installer no longer prevents administrators from switching to KEXT-enabled mode on ARM architecture. |
3.5.2.78 | All | DSEN-10664 | Both company and user install codes can now be used in either unattended or attended install (removed the previous limitation) |
3.5.2.78 | All | DSEN-10782, DSEN-11149 | Processes spawned by a process that is part of a 'Performs any operation > Bypass' Permissions rule should no longer be reported on and there should no longer be reports of applications with a hash of all 0s and 1s. Learn more. |
3.5.2.78 | All | DSEN-12985 | Upgrading sensor in System Extensions mode while in bypass no longer disables the sensor until reboot is performed on endpoint. |
3.5.2.78 | All | DSEN-12831 | Resolves a sensor performance issue where the CBC SysEXT caused a spike in CPU usage on endpoints with high file IO, or after a prolonged period in operation depending on system load. |
3.5.2.78 | All | DSEN-12961, DSEN-13099 |
Resolves repeated CBC service restart on startup, triggered by specific, valid MDM configurations, that could prevent sensors from checking in. NOTE: MDM unattended upgrade or manual attended upgrade to 3.5.2.78 should be used to resolve this issue, rather than cloud upgrade. |
3.5.2.78 | All | DSEN-13451 | Resolves a rare race condition in the connection filter resulting in a crash of the Network Extension and temporary network connectivity drop. |
3.5.2.78 | All | DSEN-13458 | Resolves a sensor performance issue where repmgr causes a spike in CPU usage. |
3.5.2.78 | All | DSEN-11669 | Cloud-upgrading from the 3.5.2 KEXT-enabled sensor on Big Sur is no longer permitted, so the endpoint cannot be left in an unprotected state until the KEXT is approved and a reboot is performed. |
3.5.2.78 | All | DSEN-14103 | Removed legacy third party libraries in favor of built-in Apple libraries. |
3.5.1.31 |
All | DSEN-12831 | Resolves a sensor performance issue where the CBC SysEXT causes a spike in CPU usage on endpoints with high file IO, or after a prolonged period in operation depending on system load. |
3.5.1.31 | All | DSEN-13099 | Resolves repeated CBC service restart on startup, triggered by specific, valid MDM configurations, that could lead to sensors stop checking in. MDM unattended upgrade or manual attended upgrade to 3.5.1.31 should be used to resolve this issue, rather than cloud upgrade. |
3.5.1.31 | All | DSEN-13450 | Enables downgrade from future 3.5 and later sensors back to 3.5.1. Downgrade from future 3.5+ sensors back to 3.5.1.23 or 3.5.1.19 is not supported. |
3.5.1.31 | All | DSEN-13418 | Fixes KEXT upgrade and downgrade on MacOS11.3 beta 4 and 11.3 beta 5 sensors. 3.5.1.19 or 3.5.1.23 KEXT-mode sensors will not be able to upgrade over an existing sensor on MacOS11.3 beta 4 and 11.3 beta 5. |
3.5.1.23 | All | DSEN-12388 | Resolves an issue where the sensor goes into bypass on macOS 11.2 due to the OS compatibility check that is built into the sensor. |
3.5.1.19 | All | N/A | Adds --extend-approval-timeout to unattended install script. This increases time to two minutes to manually approve the System Extension. |
3.5.1.19 | All | EA-15476, EA-15761, EA-16054 | Xcode build times were sometimes impacted on macOS 10.14 and greater with the Carbon Black Cloud sensor installed. |
3.4.4.51 | All | DSEN-8952, EA-16183 |
A rare sensor installation failure occurred due to interaction with third party tools. |
3.4.4.51 | Endpoint Standard | DSEN-9331 | Normal operating system processes were associated with malicious behavior and generated TamperBehavior4 alerts. |
3.4.4.51 | Endpoint Standard | DSEN-7179 | Improved cloud reputation updates (cloud TTL), resulting in improved prevention efficacy of near 0-day malware. |
3.4.4.51 | Endpoint Standard | DSEN-8608 | Improved sensor performance by efficient handling of lookups for files that are frequently dropped-executed-deleted. |
3.4.4.51 | All | DSEN-9401 | Updated osquery binary to version 4.4.0 that includes OpenSSL Security Vulnerability fix. |
3.4.3.44 | Endpoint Standard | DSEN-8518 | Improved Alerting on malware files at the time of malware drop. |
3.4.3.44 | Endpoint Standard |
DSEN-8243, EA-15346 |
Fixed latency in certificate approval that caused trusted software installs/updates to fail with sensors in Advanced policies. |
3.4.3.44 | Endpoint Standard |
DSEN-8125 |
Improved handling of macOS 10.15 maintenance OS upgrades with sensors in Advanced policies. |
3.4.3.44 | Endpoint Standard |
DSEN-7585, |
Improved prevention of malicious Office macros embedded in legacy (non - OOXML) Office document format. |
3.4.3.44 | Endpoint Standard |
DSEN-8124 |
Fixed incorrect process “Start Time” in the console. |
3.4.3.44 | Endpoint Standard |
DSEN-8509, EA-16114 |
Resolved a false positive Alert and TTP for TamperBehavior3 triggered during OS shutdown. |
3.4.3.44 | Enterprise EDR |
EA-16177 |
Missing or duplicate Enterprise EDR process tree nodes were rendered, with both Endpoint Standard and Enterprise EDR enabled. |
3.4.3.44 | Enterprise EDR |
DSEN-8293 |
Enterprise EDR events were occasionally not reported. |
3.4.3.44 | Audit and Remediation |
DSEN-6645 |
Updated osquery binary (part of Audit and Remediation engine) to 4.1.2. |
3.3.4 |
All | DSEN-2700 | Rare issue where repmgr service sporadically crashed on shutdown, typically when the cloud was unreachable. The issue had no impact on end-user or product efficacy. |
3.4.1 | CB ThreatHunter | DSEN-5744, DSER-17746 | Code signing certificates were not present in event details or process data views. |
3.4.2.23 |
All | DSEN-7120, EA-15474 | Resolved tamper protection false positive (MODIFY_SENSOR TTP) against launchd (disabling sensor service) during endpoint reboot. |
3.4.2.23 | All | DSEN-7114, EA-15476 | Resolved an issue where a Bypass Permission rule was not fully effective in reducing performance impact during code compilation when the rule was applied to a toolchain (such as XCode). |
3.4.1.7 | CB Defense | DSEN-4105 | Enhanced Reputation feedback loop with the cloud that results in more timely updates, thereby effectively improving prevention of near-0 day malware. |
3.4.1.7 | CB Defense | DSEN-5854 | Increased length of reported process command-line strings. This is in addition to command-line reporting improvements that were introduced in the macOS 3.3.3 sensor release. |
3.4.1.7 | CB Defense | DSEN-6549 | Rule case sensitivity. Blocking and Isolation and Permission "by path" rules are now evaluated as case-insensitive on Mac. Please review your "by path" policy rules, as their scope may now be broader. |
Sensor Version Found | Product | Issue ID | Description |
3.6.1.10 | All | N/A |
Limited LiveOps support on Apple Silicon devices. In the current release, LiveOps functionality on Apple Silicon devices is limited to endpoints that have Rosetta preinstalled. Due to current limitations of the OSQuery engine, not all queries work fully on Apple Silicon chipsets, even with Rosetta. The LiveOps Apple Silicon limitations will be addressed in future sensor releases that will provide full native Apple Silicon/Apple Silicon OSQuery support. |
3.6.1.10 | All | N/A |
If a Kernel Extension sensor is installed in macOS Catalina, and an OS upgrade to Big Sur occurs, users might see an extraneous Kernel Extension approval pop-up, despite the Kernel Extension already being approved. Users can safely re-approve the Kernel Extension or safely ignore the pop-up. Users should re-approve Kernel Extension upon any future sensor upgrades. |
3.6.1.10 | All | N/A |
3.6.1.10 is the first GA version supporting the Apple Silicon chipset. Sensor downgrade to versions prior to 3.6.1.10 is therefore not officially supported on Apple Silicon machines. Doing so would bring the sensor to a version that does not officially support Apple Silicon, causing the sensor to run in emulation mode. Note that downgrade behavior/expectations on Intel machines does not change. We are aware that some customers are utilizing the 3.5.x versions for emulated support of the sensor on Apple Silicon chip sets. The recommended downgrade path from Apple Silicon native sensors (any 3.6.x+ sensor) to any Apple Silicon pre-native sensor (any sensor prior to 3.6.x) is via uninstall of the native sensor and installation of the pre-native emulated version Utilizing standard downgrade behaviors is unsupported and can lead to undefined behavior. |
3.6.1.10 | All | N/A |
Including the sensor as part of migrating data from Intel to an Apple Silicon machine (i.e. Migration Assistant) is not a supported workflow. The recommended workflow is to uninstall the sensor before migration or exclude the sensor during migration and install it on the target machine. |
3.6.1.10 | All | N/A |
System Extension sensor upgrade or uninstall can fail with error code 4096 in rare circumstances. This issue will be fixed in a future release. For manual remediation steps, see: Carbon Black Cloud: Unable to upgrade or install due to existing system extension (macOS) |
3.5.3.82 | All | N/A |
Pre-execution prevention capability is not available with the macOS Big Sur sensor in System Extensions mode. Applications will not be blocked before they are run. This release supports post-execution prevention. Learn more. Install the sensor in KEXT mode for full prevention functionality. Learn more. |
3.5.3.82 | All | DSEN-14562 |
If a sensor exits bypass mode, device discovery events may not be generated for devices plugged in while the sensor was in bypass mode. |
3.5.2.78 | All | N/A |
Pre-execution prevention capability is not available with the macOS Big Sur sensor in System Extensions mode. Applications are not blocked at launch. This release does support post-execution prevention. Learn more. Workaround/Fix/Mitigation: Install the sensor in KEXT mode for full prevention functionality. Full prevention functionality on the System Extension-enabled sensor will be enabled in future releases. Learn more. |
3.5.2.78 | All | N/A |
Failing to approve the System Extension prompt will leave the sensor unable to check in with the backend until system extension is approved. Workaround/Fix/Mitigation: Configure System Extension MDM approvals before install. |
3.5.1.19 | All | N/A |
Prevention capability is not available with the macOS Big Sur sensor in System Extensions mode. Learn more. Install the sensor in KEXT mode for prevention functionality. Full prevention functionality on the System Extension-enabled sensor will be available in future releases. Learn more. |
3.5.1.19 | All | N/A |
Per Apple, an MDM is required for KEXT installation and approval on macOS 11. Installing the sensor into KEXT mode without an MDM will not work. Learn more. Configure MDM KEXT pre-approval before installation, and use the custom RebuildKernelCache command or manually approve the KEXT and reboot OS after install. Learn more. |
3.5.1.19 | All | N/A |
If Full Disk Access is misconfigured, Live Response sessions display a generic error message when attempting to access ~/Desktop, ~/Documents, or ~/Downloads. The generic error returned in this case will be improved to be Full Disk Access-specific. See MDM documentation for instructions on how to give the sensor Full Disk Access. |
3.4.3.44 |
Audit and Remediation | DSEN-7849 |
A sensor that is configured for Audit and Remediation-only does not block network connections when the endpoint is quarantined. |
3.4.3.44 | All | DSEN-8799 |
Rare issue where repmgr service crashes on shutdown in absence of network connectivity. The issue has no impact on end-user or product efficacy. |
3.4.1.7 | All | DSEN-3702, DSEN-8839 | Malware Removal infrequently and inaccurately reports actions that were or were not taken. |
3.4.1.7 | All | DSEN-2543 | The unattended install script does not accept multiple long options. The workaround is to always provide a value (such as 0 or 1) next to every long option following = character; for example: --downgrade=1 --skip-kext-approval-check=1. |
3.4.1.7 | All | DSEN-3740 | When a device is removed from an AD domain, the sensor is still reflected within that domain in the Endpoints page and remains in a sensor group. The sensor must be taken out of auto-assignment to make policy updates to that sensor. As a workaround, you can manually remove the sensor from the AD group and assign a policy (click into the device, turn off auto-assign, and change the policy). |
3.4.1.7 | CB Defense | DSEN-3669 | Old canary files, specifically with variable or random file names, are not always properly cleaned up by the sensor. This can cause ransomware false positives. |