VMware issues fix for Carbon Black BSODs

A new threat research ruleset has caused blue screens of death across the USA, Asia and Europe

VMware's Carbon Black endpoint security tool is causing PC freezes and boot loops, the company has admitted.

Multiple organisations have reported issues with Carbon Black EDR since the problem was reported yesterday. Threat hunter Tim Geschwindt said he knew of "at least" 50 firms that had been affected.

Carbon Black EDR users install sensors on each endpoint in their company, which monitor for unusual activity. The issue was originally tracked to devices running v3.7.0.1253, but later expanded to more versions: from v3.6.x.x to v3.7.x.x.

The issue appears to be related to a changed threat research ruleset, which VMware rolled out to cloud regions in APAC, the EU and US East yesterday. The company's Knowledge Base article says the ruleset didn't cause any issues in internal testing.

Affected machines will boot into a blue screen of death (BSOD) and may display 'PFN_LIST_CORRUPT'.

VMware has rolled back the ruleset change, and says that affected endpoints will get the updated ruleset and auto-resolve as they check in.

As a temporary workaround, the company recommends placing impacted sensors into Bypass mode via the Carbon Black Cloud Console. This will allow them to boot successfully and have the ruleset removed.

VMware noted that a small subset of devices may need an additional workaround requiring a reboot into Safe Mode, in which case users should open a support case.

VMware acquired Carbon Black in 2019 in the middle of a buying spree that saw it take over four companies in 12 months. Earlier this year, bigger fish Broadcom snapped up VMware itself for $61 billion.