All

UAV-2154, EA-18733, EA-19153

All

DSEN-16642, EA-19844

All

DSEN-16429, DSEN-12463

All

DSEN-16231, DSEN-14832

All

DSEN-15324, EA-19302, EA-19398

Endpoint Standard

DSEN-15157, EA-19374

All

DSEN-15013, DSEN-6805, EA-19223

Endpoint Standard

DSEN-14799, EA-19232

All

DSEN-14721, EA-19615

All

DSEN-14550, EA-18912

All

DSEN-14184, EA-18800

All

DSEN-14134, EA-18111, EA-19331

All

DSEN-13173, EA-17975, EA-18052

All

DSEN-12801, EA-19124

All

DSEN-11416, EA-17516

All

DSEN-7625, EA-18519

Endpoint Standard

DSEN-5145

All

DSEN-15629

All

UAV-2292, EA-19483

Fixed an issue causing system crashes to occur due to ctifile.sys.

All

UAV-2267, EA-19384

Fixed an issue causing a large number of alerts to be generated with previous 3.7 Windows sensors around wordpad.exe attempting to inject code into other processes via SetWindowsHookEx.

All

DSEN-16174, EA-19890

Fixed an issue where any Non-RepMgr process logging that goes through FileLogger grew unbounded causing multiple sensor logs to grow excessively large.

All

DSEN-16109, EA-19823, EA-19826

Fixed an issue where RepMgr could be deadlocked and render the endpoint unresponsive and spike the sensor’s memory usage.

DSEN-16024, EA-19263

Improved Tamper Protection policy to improve performance for Endpoint Standard.

DSEN-15958, EA-19799

Fixed an issue with sensor upgrades from v3.6 → v3.7 where the reference count of ctiuser.dll was not being properly reset and could lead to a missing ctiuser.dll file if a failure occurs on sensor upgrade.

DSEN-15889, EA-19561, EA-19723

Fixed an issue causing effective reputation applied to allowed certificates to change after sensor upgrades to previous 3.7 sensors.

DSEN-15667, EA-19586

Fixed an issue with the sensor applying a policy deny rule for applications signed with allowed listed certificates.

DSEN-15618, EA-19564

Fixed an issue with missing serial number information associated with attached devices.

DSEN-15505, EA-19390, EA-19454, EA-19504, EA-1991

Fixed an issue where sensor management operations, such as sensor uninstall or sensor upgrades, would not work if CbELAM files are missing on Windows operating systems supporting Microsoft Early Launch AntiMalware (ELAM) drivers.

DSEN-15065

Updated osqueryi.exe to version 4.8.0.

DSEN-14942, EA-19404

Fixed an issue with the simple hash table of ctifile.sys.

DSEN-12932, EA-17866

Fixed an issue where ctiuser.dll could be loaded twice.

Endpoint Standard

UAV-2212, EA-19082, EA-19167

A large number of alerts were being generated with the CBC Windows 3.7.0.1253 sensor around explorer.exe injecting into iexplore.exe via NtQueueApcThread. See our UEX knowledge base for more information: Carbon Black Cloud: Observing a large number of alerts for code injection via NtQueueApcThread after upgrade to 3.7.0.1253

Enterprise EDR

UAV-2206, EA-18589

A temp file could be left behind when saving a modified Excel file in Enterprise EDR (only) orgs.

All

UAV-2201, EA-19048

A data-race issue could lead to a system crash.

All

DSEN-15119, EA-19388

System crashed when attempting to format drives.

All

DSEN-14950, EA-19195, EA-19313

System crashed on Windows Server 2008 R2 systems.

Endpoint Standard

DSEN-14817

Fixed a bug when applying Endpoint Standard functionality immediately after switching from an Enterprise EDR (only) org.

All

DSEN-14801, EA-19243

The 3.7.0.1253 CBC Windows sensor blocked MSI installations of software that required a registry modification of a disk drive upper filter value to complete installation.

Endpoint Standard

DSEN-14787

Due to an unsafe location, tamper blocks occurred when osqueryi.exe attempted to load cbamsi.dll.

All

DSEN-14690

The sensor misreported process privs when compared to Process Explorer.

All

DSEN-14604

First time sensor installation required a reboot to remove the sensor from Bypass mode for sensors installed with ‘Bypass sensor after login’ enabled through the sensor’s policy settings.

All

DSEN-14592, DSEN-12808, EA-16115

The sensor reported improper shutdown/sleep states in the console.

All

DSEN-14584

The sensor now supports a config prop for leveraging BIOS UUID for re-registration of VDI clones.

All

DSEN-14575, DSEN-13266

Logging now properly reports a failure due to an expired company code.

All

DSEN-14574, DSEN-13926

All

DSEN-14558

Added a pop-up error dialogue when CBC Windows sensor installation has detected a non-SHA256 patched Windows OS system.

For more information:
[CBC Windows] SHA-2 Windows

Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2
Carbon Black Cloud sensor: Windows desktop support

Carbon Black Cloud sensor: Windows Server support  

All

DSEN-14423

Fixed a bug in the ctinet.sys driver that would cause a system crash when processing specific network events.

Endpoint Standard

DSEN-14326, EA-18664

The sensor allowed deleting of files that had the “readonly” attribute set.

All

DSEN-14015, EA-17990

The sensor would not perform process classifications while in bypass. It required RepCLI commands issued through a Live Response session that require authentication to be sent to the sensor in an active state.

Endpoint Standard

DSEN-13971, EA-18729, EA-19333

Files with hashes that were populated in the banned hash list could temporarily run for a short time.

All

DSEN-13517, EA-18627

The sensor ignored bypass rules for .tmp files.

All

DSEN-13281, EA-18012

Fixed an issue with shutting down the sensor service in hardened environments that could lead to failures with sensor upgrades.

All

DSEN-13064

Now ship with osqueryi.exe version 4.7.0.

Endpoint Standard

DSEN-12555, EA-18067, EA-18165, EA-18418, EA-18581, EA-18866

Fixed a bug where the sensor could hang Microsoft Software Shadow Copy Provider service on startup.

Endpoint Standard

DSEN-12394

Sensor upgrades initiated outside the server console could result in failure due to msiexec.exe being blocked by tamper protection.

All

DSEN-8545

RepCLI capture could only be used to save zip files to local directories. If you attempted to save the zip file to a network location, the file is written to the c:\programdata\carbonblack\logs\temp directory.

All

DSEN-8123

Sensors running on Windows 10 Enterprise Multi-Session environments could display the OS version as “Windows Server 2019”.

All

DSEN-14423,
EA-19046

Fixed a bug in ctinet driver that could lead to system crash.

Endpoint Standard, Enterprise EDR

UAV-2191, UAV-2204, EA-18905, EA-18910, EA-18889, EA-18965, EA-18982, EA-18881

Non-ASCII characters in filenames (such as Chinese and Japanese) could cause the AMSI module to crash the process that was being inspected. Logging related to AMSI events generated from non-ASCII file names is also fixed.

All

UAV-2201, EA-19048

A data-race issue that could lead to a bugcheck.

Enterprise EDR

UAV-2206, EA-18589

A temp file was left behind when saving a modified excel file.

All

DSEN-12043

We now allow the sensor to be uninstalled if the BackupPath key located under HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch is not set.

Endpoint Standard

DSEN-12555, EA-18067, EA-18165, EA-18418, EA-18581, EA-18866

The sensor could hang Microsoft Software Shadow Copy Provider service on startup.

All

DSEN-13226, EA-17848

The sensor could time-out during upgrades on systems that had large amounts of applications and files in use.

Endpoint Standard

DSEN-13250, EA-18515

Fixed a bug that could lead to a process deadlock on busy systems as described in this knowledge base article on UEX: https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-Windows-applications-randomly-hang-when/ta-p/102334

All

DSEN-13429, EA-18403

Fixed a bug that could lead to a bugcheck if a process attempted to access a file residing on a network share.

All

DSEN-13767, EA-18685

Error dialogs appeared when third-party apps attempted to inject into any of the sensor’s processes.

Endpoint Standard

DSEN-13807, EA-18785, EA-18821

Fixed a bug triggering false positive AMSI alerts.

All

DSEN-14127, DSEN-14133

Our CBC Windows builds are no longer signed with SHA1 code signing (only SHA2 and WHQL). As such, Windows Operating System updates may need to be applied in order to run our 3.6.0.2076+ CBC Windows sensor version. Please see our UEX posts for more information:
[CBC Windows] SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2

Carbon Black Cloud sensor: Windows desktop support

Carbon Black Cloud sensor: Windows Server support

All

DSEN-14154

The sensor could remain in bypass mode after a system reboot. This only occurred if the sensor was configured to run as AMPPL, but was not actually AMPPL on startup. This only occurred when upgrading from v3.3 and earlier sensors or when config props to disable AMPPL exist.

All

DSEN-13691, EA-18749, EA-18647

Sensor uninstall could fail if C:\Windows\ELAMBKUP\CbELAM.sys file was not present.

Endpoint Standard, Enterprise EDR

CBC-2554

The 3.7 CBC Windows sensor now automatically registers the CBC Windows sensor on VDI clones in vSphere environments. This feature requires both the vSphere HostModule and the 3.7 CBC Windows sensor. Log information can be found at C:\ProgramData\CarbonBlack\Logs\vhostcomms.log. AV exclusions might be needed for C:\Program Files\Confer\VHostComms.exe.

DSEN-13848

The 3.7 Windows sensor supports a new cfg.ini parameter AutoReRegisterForCitrix = True for automatically re-registering CBC Windows sensor on VDI clones in Citrix environments.

Note: A separate script to re-register the agent is not required after specifying this parameter in the cfg.ini file.

CBC-831

Added alarms for installation, uninstallation and upgrade failures.

CBC-1017

Various improvements to sensor services.
Examples include:

• Potentially less delays for receiving Defense events from sensors
• Faster LQ results
• One request's timeout no longer delays other requests

CBC-1638, DSEN-11202

Defense API reports that used to be sourced from API hooking have been moved to Event Tracing For Windows Providers and the File System Driver for product stability reasons.

In addition we have added a new disk driver “cbdisk.sys” to protect against ransomware threat actors attempting to corrupt the boot records which live on disk and prevent machines from booting.

With the introduction of our new “cbdisk.sys” driver in 3.7, any API_BYPASS previously set will no longer allow processes that were blocked from writing to protected disk regions or accessing canary files. With 3.7, users should now set bypasses for processes performing activity detected as ransomware through a rule: "Application at path -> Performs ransomware-like behavior -> Allow.".

CBC-1925

The background status progress based on percentage complete is now visible via the RepCLI status output.

UAV-2041, EA-17693, EA-18300

Reduced frequency of non-paged pool memory allocations to avoid memory fragmentation and help with system performance.

UAV-2191,
EA-18905,
EA-18910,
EA-18889,
EA-18965,
EA-18982,
EA-18881

Fixed a bug where non-ASCII characters (such as Chinese and Japanese) in filenames caused the AMSI module to crash the process that Endpoint Standard was inspecting.

DSEN-5758, EA-18469

Fixed a bug where the length of the alert details message could impact CPU performance.

DSEN-5833, DSEN-7252, DSEN-7253, EA-14620, EA-15335, EA-15649

Detect and prevent malicious lnk chains.

DSEN-5870, EA-18220

Sensor installation/uninstallation failed if the BackupPath registry key was missing from “HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch\”

DSEN-7246, EA-17566, EA-15975

Fixed a bug capturing certificate information from jar files.

DSEN-7266, EA-15600

Windows sensor endpoint details will now append a “YYYYMMDD” date to Scan Engine information to specify the date the signature pack was collected. 

Note: On upgrades from older versions of the CBC Windows sensor, a signature pack update might be needed to display this information.

DSEN-8198, EA-18133, EA-17388, EA-16521, EA-18124

Intermittent failures with RDP connections.

DSEN-8262, EA-17682

Fixed a bug with reporting the last interactive logged-on user on Windows Server 2019 as WDM instead of the local user account.

DSEN-8340

CBC Windows sensor now allows updating signature packs while in network quarantine.

DSEN-10001, EA-16517

Fixed a bug with closing Live Response sessions.

DSEN-10427, EA-16855

Improved performance with launching Office 365 applications.

DSEN-10677, EA-17112

Fixed a bug with the sensor removal tool cleaning up registry entries after uninstallation of the sensor.

DSEN-10830, EA-17223

Improved pruning of the DB_REP file to prevent excessive growth.

DSEN-11084, EA-17416

The sensor did not recover gracefully when it lost connection to the kernel.

DSEN-11181, EA-17345

Fixed a bug with displaying protection state information via RepCLI and the console when DelayProtectionAtBoot or DelayProtectionAtLogin are applied.

DSEN-11290, EA-17462, EA-16703

Fixed a bug with excess process handles causing performance degradation.

DSEN-11413, EA-17335

Fixed a bug with processes running in a container being falsely marked as “hidden”.

Can manifest as alerts with the TTP: HIDDEN_PROCESS after installing sensor version 3.6.0.1719.

DSEN-11731, EA-17882

Fixed a bug causing registration issues with sensors upgraded through the command line interface that incorrectly specified OFFLINE_INSTALL=1.

DSEN-12164, EA-18080

Fixed a bug causing an error message to appear when clicking “VMware, Inc” from the “About” section under CBC Windows tray icon.

DSEN-12447, EA-18230, EA-18064

Fixed a bug with script interpreters being wrongfully terminated when applied rules were set to only deny.

Can manifest as a console alert showing that an Office document was denied opening another Office document.

DSEN-12526, EA-18264

Fixed a bug causing Repmgr to crash when an access violation on a buffer occurs.

DSEN-13201

Fixed a bug with sensors connecting to the backend through a proxy when a default WinHTTP proxy is configured in the registry, such as if you configured through netsh.

DSEN-13429, EA-18403

Fixed a bug that could lead to a bug check if a process attempted to access a file residing on a network share.

DSEN-13518, EA-18633

Fixed a bug with incorrect MAC addresses being returned if no local area connection adapter is found.

DSEN-13742, EA-18213

Missing parent information on the process tree page for hashban terminate alert.

DSEN-14058, UAV-2140

Repmgr service crashed during log collection when an invalid memory access was encountered.

DSEN-14127, DSEN-14133

Our CBC Windows builds are no longer signed with SHA1 code signing (only SHA2 and WHQL). As such, Windows Operating System updates may need to be applied in order to run our 3.7+ CBC Windows sensor version. Please see our UEX posts for more information:

[CBC Windows] SHA-2 Windows Updates Required for Continued Support of Windows 7 and Windows Server 2008 R2

Carbon Black Cloud sensor: Windows desktop support

Carbon Black Cloud sensor: Windows Server support

DSEN-14154

Fixed a bug where the sensor could remain in bypass mode after system reboots.

DSEN-12449, EA-18064, EA-18230, EA-18270, EA-18324, EA-18429

Microsoft Office processes were terminated if the Invokes an untrusted process rule was applied.

DSEN-12571, EA-18105

Corrected RepMgr scan behavior during certificate reputation updates.

DSEN-12613, EA-18202

Fixed a registration issue with Windows Security Center after a Windows update.

UAV-1936, EA-17503

Improved sensor performance in a number of scenarios. You should see increased performance in a number of scenarios, such as when reading files over the network or when logging out.

UAV-1943

When the Citrix Virtual Memory Optimization service is present, the Windows sensor did not block all executions from Alternate Data Streams. See the following KB article for more information: https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-Citrix-Virtual-Memory-Optimization-Service/ta-p/99222 

DSEN-11432, EA-17439

Signature pack updates were not respecting the CurlCrlCheck config property.

DSEN-11615

Ransomware blocks were not always generating console alerts.

DSEN-11626

Added the ability to skip blocking executions from alternate data streams if the content hash is on the company approved reputation list.

DSEN-11654, EA-17667

Improved performance of Live Queries that leverage Yara to scan directories that have a lot of files.

DSEN-11710, EA-17591, EA-17693, EA-17877

Improved performance on machines that have a high frequency of short lived processes.

DSEN-11732

Rules were not being updated while the sensor was in bypass mode.

DSEN-11805, EA-17554, EA-17841

Improved hashing performance when large files are executed on the network.

DSEN-11814, EA-16261, EA-17121

Improved sensor performance during boot time.

DSEN-11927, EA-17912

Not trusted policy enforcement was being applied on approved files. Under Policy > Sensor, if Scan execute on network drives is off and a never seen before hash is executed that should be approved, an unwanted block could occur.

DSEN-12048, EA-17649

Improved sensor detection of  auto-generated Microsoft PowerShell scripts.

DSEN-12095

A local user interface alert was generated for known malware services. In some circumstances, when a service backed by malicious files was discovered and blocked, a local user interface alert would not occur.

DSEN-12129

Invalidly signed files that matched certificate approval rules using wildcard patterns might have been incorrectly approved despite the signature being untrustworthy.

DSEN-12143, EA-18020, EA-18064, EA-18092, EA-18148, EA-18205

Some recent Windows Updates resulted in Microsoft OS files being delivered before their external catalog that is used to verify their digital signature was registered. This resulted in the files appearing as not signed on first inspection, which could lead to tamper protection blocks and user visible errors when launching repux. The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks.

Note: You can still experience blocks

See the following KB article for more information: https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-Repux-exe-or-Scanhost-exe-unable-to-start/ta-p/99249

DSEN-12211

Live Response was prevented from launching non-Microsoft executables by a tamper policy error.

UAV-1941, EA-17514, EA-17627, EA-17765

Performance issues arose across various assets such as Excel, video files, and USB printers. This fix improves hashing logic to make the process more efficient.

DSEN-11514, EA-17653

Uninstall rollback during upgrades did not bring the system to protected state until reboot, causing a failure during upgrades.

UAV-1853, EA-16874, EA-17503

Improved network file operations performance.

DSEN-11461, EA-17152

Delays while closing some applications.

DSEN-11477

In Endpoint Standard-only organizations, device control alerts could take hours to appear in the Alerts page because low event volume delayed reporting to the cloud.

DSEN-11617, EA-17780

One reported occurrence of a BSOD on a 32-bit Windows 7 machine.

UAV-1951, EA-17567, EA-17571

One documented case of ERP software running slowly on ERP servers.

DSEN-11639, EA-17572, EA-17811, EA-17831

Latency on file open operations on local drives and network shares.

A reboot of a Domain Controller server during sensor uninstall is now resolved.

DSEN-11217, EA-17431

One customer reported a crash on a clustered SQL instance.

DSEN-10927, EA-17214

Excel terminated with error "attempted to modify the next instruction to execute in the process".

DSEN-11192,
EA-17439

The local scanner was not updating endpoints that use proxy connections.

DSEN-11203

With Device Control on, users might see a slow down when accessing files on Google Drive with the Google Drive app running locally and mounting a volume in Windows Explorer.

DSEN-11229

The following error appeared after upgrading the sensor; then rebooting:
"Carbon Black Cloud Sensor: RepUx.exe - Bad Image”

DSEN-11107, EA-17416

Tableau server hung up on sensor install.

DSEN-11019

An issue was identified and fixed that could lead to background scan consuming excessive CPU. The background scan is executed upon sensor install.

DSEN-10847

Wavefront’s telegraph service would not start when the sensor was installed. This issue was found internally only.

DSEN-11338, EA-16703, EA-16977

High CPU usage by SVChost service.

DSEN-10968, EA-17653

Uninstall might have failed in some scenarios. 

DSEN-11344, EA-17590

Thread handle leak in Repmgr led to hang on domain controllers.

DSEN-11220

General performance improvements.

UAV-1847, EA-15161

Normalization LRUCache has inconsistent key format if the key is a folder.

DSEN-11216, EA-15031

Sensor was not sending the endpoint’s MAC address to the backend.

DSEN-11217, EA-17431

A crash occurred on a clustered SQL instance - 0x22_CsvFs!CsvFsExceptionFilter

UAV-1893, EA-17269, EA-17446

A large number of registry operations showed high rule engine match overhead.

DSEN-11344, EA-17590

Systems with a high occurrence of network connection attempts running Windows sensor versions 3.6.0.1791 and 3.6.0.1897 may experience degraded performance. These sensor versions are no longer available for download. This issue is resolved in Windows sensor version 3.6.0.1941.

Sensor ignored Endpoint Standard processing of network files that were not opened for execution.

Performance improvement where applications such as Microsoft Word make heavy use of NtReadVirtualMemory.

DSEN-10922, EA-17214

Applications making a copy of themselves caused false positive code injection alerts in the console.

DSEN-10822,
EA-17223

Improved performance for file reads on the endpoint when a file is quarantined in place.

DSEN-10778,
EA-16874

Incremental performance improvements for moving network files.

DSEN-10699,
EA-17060

Sensors did not move to the correct group because metadata changes were not reported.

DSEN-10676,
EA-17075

Resolved hang issue while inflating OneDrive files.

DSEN-10494,
EA-17479

Sensors will now use new static proxy settings even if previously persisted ones are succeeding.

DSEN-10212,
EA-16659

Customers might have experienced false positives for processes which had already been terminated.

DSEN-10154,
EA-16866

Signatures did not always get re-evaluated on an upgrade from older sensor versions. This might have resulted in users seeing an alert that a file was unsigned and the process terminated.

DSEN-10043,
EA-17060

After a sensor was cloned, the sensor might have updated the golden images endpoints check-in time prior to registering as a new cloned endpoint. This might have resulted in duplicated DeviceIDs in the console.

DSEN-10217

The sensor upgrade might have failed when Windows Security Center was disabled.

This fix improves the execution of kernel mode code.

This fix resolves an intermittent issue during sensor upgrades after a fresh install. The upgrade sometimes hung while removing the old CB Defense service.

Resolved an issue that caused applications to crash with ctiuser.dll as a faulting module after upgrading sensor version from 3.5.0.1680 to 3.5.0.1756.

Improved signature evaluation logic on upgrade.

Rare case where cert reputation did not persist.

Performance improvement around caching volumes.

Need to check for null content manager on shutdown.

Performance improvement: not caching normalized in post-create when rules trigger the normalization.

Fixed small performance inefficiency in CbdFileEventObjectBase::GetFileSize.

REG_CREATE_KEY event included both new key creation events and existing key open events.

Overlapping PROC_RECORD flags caused inaccurate breached alerts.

Banned scripts failed to be blocked on Box cloud file sharing app. The issue did not occur on Google Drive or OneDrive.

Inconsistent Storage of pscinfo in db_rep led to query failures.

Protobuf definitions of IPv4 and IPv6 addresses now include a human-readable format.

Application crashes were due to members of SuspendInfo struct not being aligned on a 16 byte boundary.

Delete code set the publisher/issuer name to VERIFIED.

Major Windows upgrade did not migrate Our ELAM Backup.

siUtil_IsProcessRunning did not take action on STATUS_ACCESS_DENIED; it now creates better log prints.

Performance improvements: FQDN lookup optimizations.

Performance improvement: Avoid acquiring exclusive file record lock to set process file type.

Performance improvement: Cache process record references in handle context.

CTINET: Unload prevented due to inaccurate flow counters [EA].

CTINET: Unload prevented due to inaccurate flow counters [EA].

Did not refresh PSC policy upon datafile2 update.

Cache process record references in handle context led to performance issues.

TLS configprops input validation was inconsistent.

CHashObject::DetermineIntendedSourceMask accessed DB without holding lock.

Added a sensor alarm for failure disabling LSP.

Error in confer.log of WARNING GetRegStringValue: Failed to read registry key Software\VMware, Inc.\ViewComposer\ga\AgentIntegration\CustomizationStarted 

Sigpack update caused on-access scan to effectively become enabled even if it was disabled in policy.

ctifile blocked pre-write by RepMgr and confer.log logging stopped.

Application crashes were due to members of SuspendInfo struct not being aligned on a 16 byte boundary.

Hyper-V host blue-screened when accessing CSV file system.

Sensor installation now supports both the user code provided in the email and the company code.

The ASP page took 20 seconds to return with AmsiEnabled in the 3.5 sensor.

The LiveResponse memdump command caused crashes. It was disabled by default on Windows sensors 3.3 and 3.4. It is now enabled by default and no longer causes crashes.

The sensor wrote large amounts of extra data to the confer.log file. The extraneous data that is written to confer.log has been reduced.

The sensor allowed non-execute access to quarantined files. Now, quarantined files are not accessible. This can prevent other security applications from scanning and alerting on the file, but will prevent files from being copied to other locations.

Intermittent delays occurred when opening Office files and navigating file systems on Windows 10.

Sensor install failed on Windows Server 2019 machines where there was a missing directory value for registry key HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch value "BackupPath". The value is typically C:\Windows\ELAMBKUP.

During updates to Windows 19H1, the system either blocked the update or crashed during the update. This issue was only reproduced and identified internally, and the issue did not reproduce if the sensor was in Bypass mode.

Previously, if a user executed an unattended install with the flag and argument "INSTALLFOLDER=<path>", the sensor installed but was non-functional. Now, an installation failure occurs if a user tries to use a non-standard installation folder.

Under high load, repmgr.exe handle counts grew very large, causing minor performance issues.

If the sensor's background scan changed from disabled (either via install arguments or cloud policy) to expedited, a race condition could put the background scan into disabled state.

Windbg was observed to crash.

RepMgr.exe crashed upon running any process from a path with Japanese Characters (c:\見る)

If the customer turned off Scan On Network Read/Scan on Network Execute in the policy, the sensor still tried to normalize a network path even if Enterprise EDR wasn't enabled.

TTPs: ACCESS_EMAIL_DATA was assigned to an event.

The application C:\Windows\System32\taskhost.exe attempted to access the email file "C:\Users\mosesveroy\AppData\Local\Microsoft\Internet Explorer\Indexed DB\Internet.edb"

C:\Users\mosesveroy\AppData\Local\Microsoft\Internet Explorer\Indexed DB\Internet.edb looked like an Internet Explorer data file, not an email data file.

Expected behavior:

Clarify or correct TTP ACCESS_EMAIL_DATA for internet.edb.

WinSSL CRL checking caused friction in POC environments that required a proxy configuration.

The API hook for GetAsyncKeyState (and a small number of other functions) were in GetCallingDll. The fix for DSEN-2810 avoided an expensive call to GetLongPathNameW by checking if the pathname contained any tilde ("~") characters. If the path contained a tilde character, the call to GetLongPathNameW was made, resulting in a noticeable slowdown. Customer was using an IME-like Active-X control, called GetAsyncKeyState, and the dll was installed below C:\Program Files (x86). This resulted in having a short name with a tilde in it.

Having a rule to deny memory scraping by TaskMgr does not work in Windows 10. Ctiuser is not injected into taskmgr.exe on Windows 10, so ctiuser cannot prevent memory scraping of any process (that is, creating a dump file) by taskmgr. Ctiuser was not loaded into taskmgr.exe. This behavior did not occur in Windows 7, where ctiuser is loaded through AppInit_DLLs, and creating a dump from taskmgr is successfully blocked.

Occasionally, the local scan misclassified a file with a malware reputation. If repmgr requests a scan of the file, this AV rep persists in dbrep. If the local scan corrected this reputation in a subsequent signature update, RepMgr did not rescan the file, and the AV reputation was not corrected in dbrep. If there is no higher priority reputation from other rep sources, including from the cloud, this AV reputation persisted. The work-around was to add the hash to the Approved list.

IT_TOOLs rule was still enforced after removing the rule on a long running process.

Known malware executed and remained running.

Agent Core Installer separated the installer directory from the data directory.

When trying to pull down an AV pack update, the proxy information in the curl request was not set up.

The sensor was in bypass mode for around 3 hours. When the sensor was taken off of bypass mode, it remained in bypass for 25 minutes, at which time the machine rebooted and the sensor checked in.

Powershell_ise.exe is a CLR process. In Windows 10, Carbon Black does not inject into the process because it doesn't meet the following criteria:

• It does not have an .exe file extension
• The CLR process launches itself

An earlier maintenance release of the 3.5 CBC Windows Sensor (3.5.0.1786) resulted in a system crash/BSOD for endpoints that hit a specific non-common code path. There were three reported cases against about 175,000 endpoints across all environments. Please note that this was introduced in 3.5.0.1786 and that is the only version in which the problem exists. It is now fixed in 3.5.0.1801

Due to an interaction with third-party proxy management software called Open Text Socks Client, one customer experienced RepCLI (local command line interface) breaking by returning error message "RepCLIClient: Failed to open socket". This issue was found in 3.5.0.1680 and fixed in 3.5.0.1801.

One customer reported a system crash. This issue was found in 3.5.0.1627 and fixed in 3.5.0.1801.

The sensor caused slowness, freezing on the endpoint, and the domain controller to enter an unresponsive state.

A RepMgr.exe crash created performance degradation and a high number of event ID 1 and 1000 in Windows application logs.

Startup performance improvements alleviate slow start and/or logon type issues. Performance improvements will remain a focus in future releases.

Fixed performance issues using Windows Explorer to navigate to locations in SharePoint.

Upon reboot, a customer experienced the following error condition: "Carbon Black Cloud Sensor: RepUx.exe - Bad Image. C:\Program Files (x86)\Common Files\Microsoft Shared\INK\PENUSA.DLL is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status 0xc0000022."

Issue connecting to the proxy server.

When using OFFLINE_INSTALL=1 and providing PROXY_SERVER on the command line, the sensor never registered with the backend.

Customers allow listing IT Tools might have seen the feature fail if wildcard characters were not used in the allow-listed string. This issue is now fixed and non-wildcard strings match.

Bypass rules were not properly applied in certain cases.

Alerts were surfaced for a file that was already deleted from the system.

Log on performance has been improved.

The Live Response exec command failed in some cases.

Intermittent issues with login delays causing RDP session timeouts.

Issues contributing to slow log in are now addressed.

Two customers experienced a deadlock between a sensor process and system process, which could cause the endpoint to freeze up.

Customer might have experienced greater than expected resource consumption on their endpoints upon LiveQuery usage. Previously, the back end cancelled queries after they were outstanding for a week. This fix introduces configurable thresholds in runtime and memory consumption that, if crossed, cancel the query and prevent excessive resource consumption.

Customers might have experienced greater than expected resource consumption when installing large files.

Users may have noticed a larger pagefile size which generated volmgr errors in windows event viewer. The sensor now auto-configures the memory dump settings on the machine unless you opt of that by setting the msi command line arg "AUTO_CONFIG_MEM_DUMP=0" during a command line install.

CB ThreatHunter might not have reported scriptloads for scripts that had VB scripts office docs, python, or perl file extensions.

Creating a folder on a network file share might have taken up to 15 seconds. The initial folder creation occurred within a normal time frame.

Uninstall on a machine that is serving an RDP session could hang/fail if the RDP client machine was sharing local drives with the RDP server. Note that an upgrade from Windows sensor 3.4 to an earlier 3.5 version requires an uninstall, and can cause this issue if the previous criteria are met. To resolve the issue in this case, use the sensor removal tool.

An internal observation of the sensor crashing while being taken out of bypass during system startup. This issue was not reported externally.

In one case, the sensor service stopped repeatedly, generating errors such as this in the event log: "The CB Defense service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service." This was a result of a service crash.

In some cases, the sensor did not honor bypass rules as they were configured in the policy, which led to unexpected blocks, interoperability issues, or poor application performance.

Endpoints exited network quarantine after upgrading from 3.4 to 3.5. Upgrades and uninstalls are no longer permitted in quarantine.

As of version 3.5.0.1627, the Windows sensor supports osQuery 4.1.2.