VMware has acknowledged a new issue with its Carbon Black Endpoint Detection and Response (EDR) solution. The company confirmed in a security advisory that Carbon Black EDR is causing blue screens of death (BSOD) and boot loops on Windows machines.
Carbon Black is an incident response and threat hunting tool that uses machine learning and analytics to find, investigate, and mitigate security threats. The solution offers several incident response features and makes it easier for security teams to detect malicious activities quickly.
According to cybersecurity researcher Tim Geschwindt, the BSOD bug started appearing on Windows 10 and Windows Server machines at 02:30 PM UTC yesterday. The problem currently affects devices running Carbon Black sensor 22.214.171.1243 in around 50 organizations. Several users and IT admins reported on Reddit that their servers and workstations failed to boot with the “PFN_LIST_CORRUPT” error.
VMware confirmed that the problem was caused by a recent update to Carbon Black’s threat research rulesets. Specifically, the update was rolled out to VMware customers in the EU, Asia Pacific, and the US East regions.
“Updated Threat Research rulesets were rolled out to Prod01, Prod02, ProdEU (aka Prod06), ProdSYD, and ProdNRT after internal testing showed no signs of issues,” the company explained.
Fortunately, VMware has used the update rollback policy to address the issue on affected Windows PCs. The company has recommended customers to place affected devices into bypass mode via the Carbon Black Cloud Console to remove the older ruleset. VMware has also detailed an additional workaround for select users, which involves rebooting impacted devices into Safe Mode.
The VMware team has provided detailed instructions that can help IT admins ensure that the updated ruleset has been deployed on the endpoints. Let us know in the comments section below if you have encountered the BSOD errors or boot loops on your Windows devices.