Carbon Black Cloud Linux Sensor Release Notes


2.11.3 

VMware Carbon Black Cloud Linux sensor version 2.11.3 includes support for installing the sensor on Ubuntu 21 and major improvements/bug fixes.

You can install sensor version 2.11.3 on Ubuntu 21. All sensor features are supported on Ubuntu 21. See the support matrix at Carbon Black Cloud sensor: Linux sensor support.


2.11.2 

VMware Carbon Black Cloud Linux sensor version 2.11.2 includes major improvements/bug fixes. We recommend that you upgrade to 2.11.2 on BPF-based systems (4.4+ kernels).

This release adds digital integrity verification for the Linux sensor tar-ball (TGZ) files. Both the RPM and DEB packages are digitally signed, which lets customers verify the other file contents within the tar-ball (TGZ).


2.11.1 

Carbon Black Cloud Linux sensor version 2.11.1 includes support for specifying proxy server details, such as Host and Port, on the command line while installing the sensor. A new -p (or --proxy) option specifies the proxy server details. See the VMware Carbon Black Cloud Sensor Installation Guide for more information.


2.11.0 

Carbon Black Cloud Linux sensor version 2.11.0 includes support for expanded distributions on Endpoint Standard, Debian Support, and other improvements/bug fixes. 

Endpoint Standard

Expanded Distribution Support

You can now benefit from uniform coverage across the VMware Carbon Black Cloud platform with expanded distribution coverage. The Linux sensor version 2.11.0 now supports the following distributions:
RHEL 8, CentOS 8, Oracle (RHCK and UEK kernels) 8, Amazon Linux, SUSE, Ubuntu and Debian. See Supported Linux Distributions for more information.

To support a wider range of distributions, the Linux sensor leverages Extended Berkeley Packet Filters (eBPF or BPF). See the 2.10.1 release notes for more information.

After the new sensor is installed, Endpoint Standard works as seamlessly as a kernel-based sensor. You can perform the following actions:

  • Detect and block known malware
  • Add hashes to a custom company banlist
  • Add hashes to a custom company allowlist
  • Put a sensor into bypass

Endpoint Standard, Enterprise EDR, and Audit & Remediation

Debian Support

Debian is now officially supported on Endpoint Standard, Enterprise EDR, and Audit & Remediation. See Supported Linux Distributions for more information.

 


2.10.3 

VMware Carbon Black Cloud Linux sensor version 2.10.3 includes sensor improvements and bug fixes.


2.10.2 

VMware Carbon Black Cloud Linux sensor version 2.10.2 includes sensor improvements and bug fixes.


2.10.1 

VMware Carbon Black Cloud Linux sensor version 2.10.1 includes support for expanded distributions on Enterprise EDR, and other improvements/bug fixes.

Enterprise EDR

Expanded distribution support

The Enterprise EDR Linux sensor version 2.10.1 now supports the following distributions:
RHEL 8, CentOS 8, Oracle (RHCK and UEK kernels) 8, Amazon Linux, SUSE, and Ubuntu
See Supported Linux Distributions for more information.

To support a wider range of distributions, the Linux sensor leverages Extended Berkeley Packet Filters (eBPF or BPF).

BPF provides these key benefits:

  • The majority of 4.X and 5.X kernels support BPF by default, which means that expanding to new distributions will be easier (as a compiled kernel module is not required).
  • BPF runs safely in a kernel sandbox, so a crash in a BPF program will not crash the kernel.

After the new sensor is installed, Enterprise EDR can be expected to work as seamlessly as a kernel-based sensor. You can perform the following actions:

  • Use the Investigate page
  • Perform process analysis
  • Create watchlists
  • Put sensors into bypass

Note: Kernel headers are required for the sensor to function properly. See the Carbon Black Cloud Sensor Installation Guide for additional information.

Audit and Remediation

OSquery update

The Linux sensor version 2.10.1 now supports osquery v4.5.0.


2.9.1 

VMware Carbon Black Cloud Linux sensor version 2.9.1 includes RHEL/Oracle 7.9 support and other improvements/bug fixes. This release also ends support for RHEL/CentOS/Oracle 6.5 and below for Audit and Remediation.

RHEL/Oracle 7.9 is now supported on all products. See Supported Linux Distributions.


 2.9.0

VMware Carbon Black Cloud Linux sensor version 2.9.0 includes script load event collection on Enterprise EDR, the first version of the open source kernel module, and other improvements/bug fixes. See Supported Linux Distributions.

Enterprise EDR

Script load collection

Script files are now reported as a scriptload event of the process that loaded the script. Like all process events on the Process Analysis page, each item is easily searchable and can be expanded for more context.

Enterprise EDR and Endpoint Standard

Open Source Linux Kernel

With the release of the 2.9.0 sensor, the kernel module is now open source. Users can contribute and submit bugs through our GitHub page. Link to the Carbon Black Cloud kernel module: https://github.com/vmware/kernel-event-collector-module


2.8.0 

Carbon Black Cloud Linux sensor version 2.8.0 adds Oracle Linux Support to all products on the Carbon Black Cloud platform. It also adds a new event type for file creation events to Endpoint Standard (formerly CB Defense) on RHEL, CentOS and Oracle 6/7, and other improvements/bug fixes. See Supported Linux Distributions.

Endpoint Standard

The Linux sensor supports collection of file creation events for Endpoint Standard.

Note: This feature will be available in prod05 by the end of day 07/01/2020 and on 6/30/2020 in all other environments.

All Carbon Black Cloud Products

Oracle Linux Support

  • Audit and Remediation (formerly CB LiveOps) is supported on Oracle Linux 6.0-8.2 on both the RHCK kernel and UEK kernel.
  • Endpoint Standard (formerly CB Defense) is supported on Oracle Linux 6.6-7.8 on the RHCK kernel.
  • Enterprise EDR (formerly CB ThreatHunter) is supported on Oracle Linux 6.6-7.8 on the RHCK kernel.


2.7.1 

Carbon Black Cloud Linux sensor version 2.7.1 supports RHEL 7.8 and an update to OpenSSL version 1.1.1g. See Supported Linux Distributions.

RHEL 7.8 is now supported on all products.


2.7.0 

Carbon Black Cloud Linux sensor version 2.7.0 supports the first iteration of Endpoint Standard (formerly CB Defense) on RHEL and CentOS 6/7 and other improvements/bug fixes. See Supported Linux Distributions.

VMware Carbon Black Cloud

Sensor diagnostic log collection script

Beginning with the 2.7.0 sensor, the installer includes a diagnostic log collection script. Your support engineer might ask you to run the diagnostic log collection script as part of the troubleshooting process.

The diagnostic log collection script collects logs and configuration information from the VMware Carbon Black Cloud Linux endpoint agent. It also collects various system identity, configuration, and state information. The collected information helps VMware Carbon Black understand and remediate problems that occur at runtime or during agent installation.

After sensor installation, the script is located here: 
/opt/carbonblack/psc/bin/collectdiags.sh

Endpoint Standard (CB Defense) and Enterprise EDR (CB ThreatHunter)

Bypass

The Linux sensor supports the ability to put the sensor into bypass. Bypass mode will turn off event collection and prevention. Live Response will still be functional. Policy level Permission rules (Allow & Log and targeted Bypass rules) are not supported in this version.

 

Endpoint Standard

Adding to Company Blacklist

The Linux sensor supports the “runs or is running” policy action when a process reputation is added to the company blacklist.

Known Malware

The Linux sensor supports the “runs or is running” policy action when a process reputation is “Known Malware”.


Adding to Company Whitelist

The Linux sensor supports adding hashes to the company whitelist, so you can limit the number of alerts that are triggered from benign processes.

 


2.6.0

Carbon Black Cloud Linux Sensor version 2.6.0 includes event accuracy improvements and performance improvements for Enterprise EDR. See Supported Linux Distributions.

Enterprise EDR: Add hashes to the company blacklist

The Linux 2.6.0 sensor enables Enterprise EDR customers to add hashes to their company blacklist. After a hash is added to the company blacklist, it is prevented from the following:
 
  • Being opened with execute access
  • Starting a process from a file

Processes that have the blacklisted hash loaded at the time that the hash is added to the blacklist are terminated shortly after the sensor receives the updated reputation.

Note: This functionality is enabled in the Linux 2.6.0 GA sensor, but will not be available for use until a future Carbon Black Cloud console release.

Direct User and Command Line installations

For direct end user installs, an install.sh script is provided to input the company code. Command Line Installation is also supported via the use of the native RPM installer (assuming prerequisite steps are taken). See the Carbon Black Cloud Sensor Installation Guide for instructions. Please note that install.sh should not be used to upgrade sensors.
 

Known differences between Linux and other operating systems

The User field on the Endpoints page is typically populated with the email address of the user who installed the sensor on the endpoint. We’ve intentionally left this field blank for Linux sensors because there can be multiple logged-in users and multiple simultaneous desktop users.

 

Carbon Black Cloud Linux Sensor Fixed Issues

Sensor Version Fixed Product Issue ID Description
2.11.3 All PSCLNX-8938 --force option available with install.sh script was not functioning correctly.
2.11.3 All CBC-9515 OSquery binary version is upgraded to 4.9.0.1.
2.11.3 All CBC-7636, EA-19416 Live Response button was erroneously showing Disabled in the console after upgrading to the 2.11 sensor version.
2.11.3 All CBC-9630 Retry the VDI re-registration after 60 seconds upon initial failure.
2.11.3 All PSCLNX-9355 Reduced unnecessary logging in the Enterprise EDR log to prevent log overflow and help with better troubleshooting.
2.11.3 All PSCLNX-9203, EA-19202 Skip filetype processing for file events for network file systems.
2.11.3 All PSCLNX-9039, EA-19145 Resolved an issue with deleting files on CIFS shares.
2.11.2 All PSCLNX-8738, EA-18940 Linux BPF-based (4.4+ kernels) sensors could cause high memory usage and miss start event data (command line args and/or path).
2.11.2 All PSCLNX-8614 Fixed an issue where file handles were being leaked.
2.11.1 All PSCLNX-106 Live Response icon now only displays when the sensor has Live Response enabled in the policy.
2.11.1 All PSCLNX-8399 OpenSSL upgraded to version 1.1.1k.
2.11.1 All PSCLNX-7876 Connectivity issues that caused up to a 20 second communications delay are resolved.
2.11.1 All PSCLNX-8486 Policy remained unassigned despite auto assignment rule.
2.11.1 All PSCLNX-8310 Exempted processes are no longer terminated on Ubuntu systems.
2.11.1 All PSCLNX-8538 Linux sensor clears old policy GUIDs.
2.11.1 All PSCLNX-8613 The sensor could become unstable if thousands of sensors were being consecutively installed or uninstalled.
2.11.0 All PSCLNX-7480 Scriptloads now report hashes.
2.11.0 All PSCLNX-7698 A small memory leak is fixed.
2.11.0 All PSCLNX-7682 Resolves BTRFS file paths for SUSE.
2.11.0 All PSCLNX-8153 Agent registration for RHEL/CentOS/Oracle 6.9 and earlier versions does not fail on restart.
2.11.0 All PSCLNX-7089 Linux sensor sends the MAC address to the backend.
2.11.0 All PSCLNX-7976 Disabling Live Response on the sensor now updates in 60 seconds or less.
2.11.0 All PSCLNX-8354 Added BPF events-detail and events-average to agent diagnostics.
2.10.3 All PSCLNX-8098 The BPF event_collector lost connection on overloaded systems.
2.10.3 All PSCLNX-7913 Improves CPU Utilization by improving kernel module event tracking.
2.10.2 All PSCLNX-7706 Fixed a hang in the event_collector process.
2.10.2 Endpoint Standard PSCLNX-7505 Events are now throttled to 50 events per second after an extended period of disconnect from backend.
2.10.2 All PSCLNX-4628 Fixed a race condition in per-process file-tracking when a process exits.
2.9.3 All EA-17779, PSCLNX-4628 Fixes race condition that can cause unexpected hangs and reboots.
2.10.1 All EA-17307, PSCLNX-7408 High delay in NFS NetApp directories in CentOS 6 and RHEL 6.
2.10.1 All PSCLNX-7315 A hard deadlock can occur if an endpoint uses a large portion of its RAM.
2.10.1 All PSCLNX-7106 A banned file might not be unbanned if a user wants to remove it from the banlist.
2.10.1 All PSCLNX-7034 The agent failed to configure one of the SQL settings after a long downtime.
2.9.2 All PSCLNX-7494 Fixed a potential crash in the 2.9.1 sensor on an endpoint that had a high load.
2.9.2 All PSCLNX-7408, EA-17307 Fixed a high delay in NFS NetApp directories in RHEL/CentOS 6.
2.9.2 All PSCLNX-7237 Fixed a race condition that could cause a kernel panic.
2.9.2 All PSCLNX-7231, EA-17373 Fixed a hang in the sensor that could cause a spike in CPU usage.
2.9.1 All EA-17370 The sensor caused a long delay in file transfers in NFS directories.
2.9.1 All CBC-404 When an interpreter loaded multiple scripts, only the first script loaded was reported.
2.9.1 All PSCLNX-7162 If sensor files were moved by a user while the sensor was running, the sensor could exceed its disk usage limits. Limits are now more strictly tracked and enforced by the sensor.
2.9.1 All PSCLNX-7117 There was a hang up during uninstall or while enabling bypass.
2.9.1 All PSCLNX-7245 A Segfault occurred during uninstall or while enabling bypass.
2.9.1 All PSCLNX-7058 BulkBehaviorHighDiskUsageMb can now be set without also configuring BulkBehaviorMaxDiskUsageMb. For more information, see Carbon Black Cloud for Linux: How to Restrict the Disk.
2.9.1 All PSCLNX-7141 Handles bad request error cases better so LiveQuery can continue to function normally.
2.9.1 All PSCLNX-7161 Fixes a kernel panic when allocating a new slab.

2.9.0 All EA-16621, EA-16854 Fixed an issue where a fork of banned process was not killed.
2.9.0 All PSCLNX-6827 Agent upgrade from 2.8.0.238774 to 2.8.1.275105 failed due to timeout.
2.8.3 All EA-17142 In some cases, the sensor could misinterpret the available disk space because a counter was not decremented. If this occurred, the sensor might not return defense events to the cloud. The counter now decrements properly when messages are sent, so the disk space metric used by the bulk storage manager is accurate.
2.8.2 All EA-16729 Improves the agent’s ability to handle NFS.
2.8.2 All PSCLNX-6479 Fixes a kernel panic for a race condition with task exits.
2.8.2 All PSCLNX-6476 A specific script would hang with the agent installed.
2.8.2 All PSCLNX-6787 A deadlock occurred during certain memory allocations.
2.8.2 All PSCLNX-6530 Server initiated upgrades failed on Oracle.
2.8.1 All EA-16425 The installation failed when /opt was symlinked to another directory.
2.8.1 All PSCLNX-6680 Fixed an issue in a TCP response and removes the following error message from the logs: event_collector_1_9_8988: Error copying UDP DNS response data.
2.8.0 All EA-16006 Adds low disk space warning to installer.
2.8.0 All EA-16405 Fixes memory leak in the kernel module.
2.8.0 All EA-16335 Linux policy was not updating properly.
2.8.0 All EA-16249 Fixed crash in the kernel module.
2.8.0 All PSCLNX-6305 Made updates to install.sh to allow for installation on unsupported rpm-based distros without modifications to the script.
2.7.1 All PSCLNX-6065 OpenSSL is updated to 1.1.1g that fixes CVE-2020-1967.
2.7.0 CB LiveOps PSCLNX-4956 osqueryi was updated from 3.3.2 to 4.1.2.
2.7.0 All EA-15956 Linux sensor was stuck in Admin Bypass.
2.6.0 All PSCLNX-4464 Empty paths were reported frequently in event data.
2.6.0 All PSCLNX-4467 Process data was sometimes missing cmdline or binary details.
2.6.0 All PSCLNX-4370 Bad paths could be reported in event data.
2.6.0 All PSCLNX-4086 Incorrect local and remote addresses were sometimes reported for UDP netconn events.
2.6.0 All PSCLNX-4085 Outgoing TCP netconn events could be duplicated in the console.
2.6.0 All PSCLNX-954 Event throughput increased 2.75x (from 2.5.0 to 2.6.0).

 

 

Carbon Black Cloud Linux Sensor Known Issues

Sensor Version Found Product Issue ID Description
2.11.0 All PSCLNX-8333 If kptr_restrict is set to 2, the probe will go into bypass.
2.10.1 All PSCLNX-7618 Some Linux distributions with SELinux might have a default policy that blocks services from making BPF calls. See Carbon Black Cloud: How to allow BPF event collection on SELinux.
2.10.1 All PSCLNX-7520 File rename and move operations are not collected.
2.10.1 All PSCLNX-7631 On SUSE 12, file paths sometimes have the BTRFS subvolume name prefixed onto the actual path. For example, /tmp/dir will look like @/.snapper/1/snapshot/tmp/dir.
2.10.1 All PSCLNX-7462 Scriptload collection is not working on the following distribution versions: Oracle RHCK 8.2, CentOS/RHEL 8.0, 8.2 and 8.3.
2.8.0 All PSCLNX-6537 During a successful rpm-based upgrade on RHEL/CentOS/Oracle 6, the log shows the following warning, which can be ignored:
Stopping cbagentd: Agent failed to exit, killing with SIGTERM
2.7.0 CB Defense PSCLNX-5780 The User field is empty for alerts/events.
2.7.0 CB Defense N/A Endpoint Standard does not collect filemod, netconns, or scriptloads.
2.6.0 All PSCLNX-2710 The sensor does not support uninstall from the Carbon Black Cloud. To uninstall, issue the following commands:
  • For CentOS, RHEL, SUSE or Amazon Linux: rpm -e cb-psc-sensor
  • For Ubuntu: dpkg --purge cb-psc-sensor
Note: The agent will still be listed in the Registered Devices list on the backend after running the command unless you choose Take Action > Uninstall.
2.6.0 All PSCLNX-455 The sensor only supports unauthenticated proxies.
2.6.0 All PSCLNX-3874 When the agent restarts successfully, Error[00000002 (00000002)] is reported.
2.6.0 All N/A Deploying the Carbon Black Cloud Linux sensor and the CB Response Linux sensor to the same endpoint is not recommended. There are no known interoperability issues when running both sensors; however, higher performance utilization occurs if both sensors are running on an endpoint.
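Known issue PSCLNX-7631 means that, on a 2.10.1 sensor on SUSE 12, a watchlist or query keyed on the real path (/tmp/dir) can miss events that arrive as @/.snapper/1/snapshot/tmp/dir. The normalizer below is an added example, not sensor or console code; it assumes the prefix always has the shape @/.snapper/<number>/snapshot (the page shows only snapshot 1), and the sample events are constructed. The fix itself shipped in 2.11.0 (PSCLNX-7682), so this only matters for events from the affected version.

```python
import re

# Assumption: the documented example (@/.snapper/1/snapshot/...) generalizes to any
# snapshot number. The lookahead requires a following "/" so only a true path prefix
# is stripped, never an identical substring elsewhere in the path.
SNAPPER_PREFIX = re.compile(r"^@/\.snapper/\d+/snapshot(?=/)")


def normalize_event_path(path: str) -> str:
    """Strip a BTRFS snapper subvolume prefix so the path matches the real filesystem path."""
    return SNAPPER_PREFIX.sub("", path, count=1)


def match_watch_paths(events, watch_paths):
    """Return (event_id, normalized_path) for events whose real path is a watched path
    or sits below one. Matching on the raw path would miss the prefixed events."""
    hits = []
    for ev in events:
        real = normalize_event_path(ev["path"])
        for w in watch_paths:
            if real == w or real.startswith(w.rstrip("/") + "/"):
                hits.append((ev["id"], real))
                break
    return hits


# Constructed sample events, not real sensor output.
SAMPLE_EVENTS = [
    {"id": 1, "path": "@/.snapper/1/snapshot/tmp/dir/script.sh"},
    {"id": 2, "path": "@/.snapper/42/snapshot/etc/cron.d/job"},
    {"id": 3, "path": "/tmp/dir/other.sh"},
    # The snapper string appears mid-path here, so it must be left untouched.
    {"id": 4, "path": "/home/user/@/.snapper/1/snapshot/notes.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["path"], "->", normalize_event_path(ev["path"]))
    print(match_watch_paths(SAMPLE_EVENTS, ["/tmp/dir", "/etc/cron.d"]))
```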