VMware recently admitted that enterprise Windows users using the Carbon Black Endpoint Detection and Response (EDR) solution may encounter blue screens or reboot loops.

In a security advisory published earlier today, the company acknowledged that the issues were caused by a recently released threat research rule set for Carbon Black.

Affected enterprise users can solve the problem by rolling back the update. Additionally, the company has provided a temporary workaround:

Endpoint Standard: Sudden blue screen on Windows devices (August 23, 2022)

Environment:

Carbon Black Cloud Console: All Versions

Carbon Black Cloud Sensor: 3.6.x.x - 3.7.x.x

Microsoft Windows: All Supported Versions

Symptoms:

Devices enter a blue screen on boot

Stop code may display "PFN_LIST_CORRUPT"

Cause

An updated Threat Research ruleset was rolled out to Prod01, Prod02, ProdEU, ProdSYD and ProdNRT after internal testing showed no signs of the problem

VMware Carbon Black has rolled back the ruleset; when machines check in, they will get the updated ruleset and the issue will resolve automatically.

Workaround

Put affected sensors into bypass mode via the Carbon Black Cloud Console to allow them to start successfully and remove the ruleset

A small number of affected devices may require an additional workaround and a reboot into Safe Mode; if so, please open a support case
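A triage check for the environment and symptom listed above, added here as an example and not taken from VMware's advisory: it flags hosts whose sensor version falls in 3.6.x.x - 3.7.x.x and whose System log recorded bug check 0x0000004E (PFN_LIST_CORRUPT). The inventory layout, hostnames, version strings and event text are constructed assumptions.

```python
import re

PFN_LIST_CORRUPT = 0x4E  # Windows bug check code for PFN_LIST_CORRUPT
# Message text of the System-log bugcheck event (Event ID 1001).
BUGCHECK_RE = re.compile(r"The bugcheck was:\s*(0x[0-9a-fA-F]{8})")


def bugcheck_code(message):
    """Return the bug check code from an event message, or None."""
    m = BUGCHECK_RE.search(message)
    return int(m.group(1), 16) if m else None


def sensor_in_affected_range(version):
    """True for sensor versions 3.6.x.x through 3.7.x.x."""
    parts = version.strip().split(".")
    try:
        major, minor = int(parts[0]), int(parts[1])
    except (IndexError, ValueError):
        return False  # malformed or unknown version: review by hand
    return major == 3 and minor in (6, 7)


def triage(hosts):
    """Hostnames matching both the affected versions and the stop code."""
    hits = []
    for h in hosts:
        codes = {bugcheck_code(m) for m in h["events"]}
        if sensor_in_affected_range(h["sensor"]) and PFN_LIST_CORRUPT in codes:
            hits.append(h["host"])
    return hits


def _event(code):
    # Constructed event text in the shape Windows logs after a crash.
    return ("The computer has rebooted from a bugcheck.  "
            f"The bugcheck was: {code} (0x0, 0x0, 0x0, 0x0).")


# Constructed inventory: hostnames, versions and events are made up.
SAMPLE = [
    {"host": "ws-001", "sensor": "3.7.0.1000", "events": [_event("0x0000004e")]},
    {"host": "ws-002", "sensor": "3.8.0.1000", "events": [_event("0x0000004e")]},
    {"host": "ws-003", "sensor": "3.6.0.1000", "events": [_event("0x0000007e")]},
    {"host": "ws-004", "sensor": "3.6.0.1000",
     "events": [_event("0x0000007e"), _event("0x0000004e")]},
    {"host": "ws-005", "sensor": "unknown", "events": [_event("0x0000004e")]},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts returned by `triage` are the ones to prioritise for bypass mode; entries with an unparseable sensor version are skipped and need a manual check.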
