Some Versions of VMware Carbon Black Cause BSODs on Windows
Servers and workstations running Windows began crashing in dozens of organizations around the world. The cause turned out to be a bug triggered by some versions of VMware's Carbon Black security product.
Carbon Black, which VMware acquired in 2019, is a suite of cloud-based endpoint security tools “aimed at strengthening corporate cybersecurity.”
The root of the problem affecting many companies lies in the rule set deployed on August 23, 2022 for Carbon Black Cloud Sensor versions 3.6.0.1979 – 3.8.0.398. This update causes devices to crash with a Blue Screen of Death (BSOD) on system startup, essentially rendering the machine completely unusable.
The issue affects Windows 10 x64, Windows Server 2012 R2 x64, Windows Server 2016 x64, and Windows Server 2019 x64. On affected systems, the stop code may appear as “PFN_LIST_CORRUPT”.
On Reddit, some administrators report BSODs on 500 or more endpoints at the same time.
VMware representatives have already confirmed the problem. They write that “an updated Threat Research rule set has been rolled out to Prod01, Prod02, ProdEU, ProdSYD and ProdNRT after internal testing showed no signs of issues.” The company is currently investigating the bug, is already working with affected customers, and is rolling back the new rule set to fix the problem quickly.
Additionally, as a temporary workaround, VMware suggests putting sensors into Bypass mode via the Carbon Black Cloud console. This allows affected devices to boot, after which administrators can remove the faulty rule set.