Please Read: Issues identified in Cb Response v.5.2.5/6.0.1 Windows and v.5.2.6 MacOS sensors

Hello All,

During the week of 2/6, we made Cb Response version 5.2.6 available via our YUM repositories and to our cloud customers.  This package contained a Windows Sensor v.5.2.5 and a MacOS sensor version 5.2.6.  Issues were discovered in both of these sensor versions shortly after release, and as a result, we disabled downloads of this version from our repos.

Based on download statistics, this issue appears to only affect ~25 customers who updated to 5.2.6 before we disabled the YUM link.  If you updated to 5.2.6, please do not push out the included 5.2.5 Windows Sensors or 5.2.6 MacOS sensors until further notice.

*Note: If you upgraded, there is no issue with continuing to run the 5.2.6 Cb Response Server.

The Cb Response Engineering Team is working diligently to find solutions to the issues we identified. Please watch this post for updates.

We apologize for any inconvenience this may cause. Please reply back to the post or contact support with any further questions.

Thanks,

Justin

Technical Product Manager - Cb Response

***UPDATE 2/21: Cb Response Engineers have found a temporary solution to mitigate the deadlock issue on the 5.2.5 Windows Sensor. Please go to the sensor page in your console and for each sensor group do the following: Click edit settings -> Click the Event collection tab -> Uncheck "Binary Module Loads". By disabling "Binary Module Loads" the deadlock condition should be mitigated. ***Note: Disabling "Binary Module Loads" will stop the collection of modload events from your endpoints. Depending on how your users leverage the product, this could impact detection and investigation capabilities. Once this is done, please see the post for rollback instructions. Please follow this page for further updates.

***UPDATE 2/22: The Windows sensor deadlock issue also affects version 6.0.1. This sensor was only available to cloud customers and all affected customers were notified of this directly via email over the weekend. Adding the update here for completeness. -Thanks

***UPDATE 2/23: Cb Response Engineering has completed the fix for the deadlock issue identified with the 5.2.5/6.0.1 Windows sensors. We are currently in QA/Testing and validation and should be in a position to provide an estimated timeline for delivery early next week. Also, we updated the support solution here: Rollback 5.2.5 and 6.0.1 Windows Sensors. The updates cover instructions for removing the affected sensor versions from the Console UI. -Thanks

***UPDATE 3/3: 

Hello all,

We have a new version, 5.3, of the Windows Sensor that addresses the recent issues encountered in the 5.2.5 and 6.0.1 releases. Due to the limited content in this release we will be releasing it as a hotfix release rather than a GA release. As such, it will not be made public on our Yum site and access will be made available via Carbon Black Technical Support.

The sensor is intended for the following scenarios only:

  1. You are still running the 5.2.5 or 6.0.1 Windows sensor
  2. There were fixes in 5.2.5 / 6.0.1 that you require

Release notes for 5.3 can be found here: to review the included fixes.

If you downgraded your Windows sensors to 5.2.1 and do not need a specific fix included in 5.3, it is recommended that you remain on 5.2.1.


If you meet one of the above scenarios, please contact Technical Support for access to the hotfix. -Thanks

Comments

What are the issues with these sensor versions? What do you do if you have upgraded to them?

Hello,

I'm one of those 25 customers checking in. I have the sensor deployed to 5 clients of ~400. Should we simply roll back to 005.001.001.60603 or 005.001.001.60415?

Hi there,

On the Windows side, it appears that some work we did in version 5.2.5 created a deadlock condition that is exacerbated when you attempt to install/uninstall programs on the affected machine.

On the Mac side, there is a kernel panic that occurs due to the SMAP functionality in MacOS. As part of the sensor's normal behavior, we access specific parts of user space memory from the kernel, which SMAP does not allow (hence the KP).

The issues are well understood and we're working quickly and diligently to get fixes out.

If you have upgraded to the affected version, please work with Cb support to get the steps needed to rollback.

Thanks,

-Justin

Yes, a rollback is recommended. Please work with support to go through the rollback process.

-Justin

When do you expect to release an updated version of the MacOS Sensor?

You can check out this document for Windows rollback instructions: Rollback 5.2.5 Windows Sensors

Not to be negative, but could you guys make this any more confusing?

Could you let us know when it is safe to upgrade to the 5.2.6 release? Safe meaning the Windows and Mac fix is baked into the release. Why would we be expected to get the released software from one place and a fix from another place?

I am at 5.2.0 Patch 3 currently.

Hi Mshubaly,

Sorry for the confusion. If you're looking for the next stable release, I'd recommend following this page: When Was Cb Response On-Prem Build xxxx Available?

Chris

Are the latest Windows and MacOS issues listed above fixed in the latest release listed in When Was Cb Response On-Prem Build xxxx Available?

The current release that is GA is 5.2.6 server with a 5.2.1 Windows sensor and 5.2.5 OS X sensor. These are the releases we recommend unless you have a need for something that was addressed in the recent 5.3 Windows sensor hotfix release mentioned above. We have not yet released a hotfix or other update for the OS X issue. We have also not yet determined a release for these changes to be made generally available.

I hope this helps to clarify things, but if not, you can reach out to me directly and we can schedule a call to discuss further. mbilancieri@carbonblack.com

Regards,

Michael

Is there an update on the timeline for an update to the 6.0.1 sensor?

Your software versioning is incredibly confusing and needs work. It's next to impossible to tell what the current stable releases are. It probably doesn't help that this is the worst support site to navigate and find information on.

Thank you for the candid feedback. We are looking to introduce more clarity and visibility into current GA product versions in an easy-to-find and easy-to-understand format on this forum.

If you have immediate questions on releases/versioning you can ask here or contact technical support. You can even send me a private message if you'd prefer that.

Planning for an updated 6.0 OS X sensor by end of next week, and updated 6.0 Windows sensor by early April. Please contact Justin Falck (jfalck@carbonblack.com) if you'd like to participate in our Controlled Distribution program.

Michael - any update on OSX 6.0 sensor?

Hello,

The OSX-6.0.4 sensor is currently available for GA. The version was packaged with the Cb Response 6.1 release in May. The release notes can be found here: Carbon Black Response v6.1 - Release Notes

Kind Regards,

Gino

Article Information
Creation Date: 02-17-2017