18.1 Fixed Issues

The following is a list of the fixed issues in the 18.1 GA release. Note that many issues below were also fixed in service packs of previous versions.

Item

Area

Relevant OS

Description

Component

CYBR-14820

Behavioral Whitelisting

All

After upgrading to the latest version, behavioral whitelisting rules set for Excel and Microsoft Office programs did not work due to missing data.

After this fix, the configuration is updated to ensure that the necessary data is sent for the behavioral whitelisting rule to be applied correctly.

Server

CYBR-13843

Detection Rules

All

When the LanMan Hash was used as part of the NTLM authentication process, Malops were created, but these Malops were false positives.

With this fix, we have modified the rules for the Pass the Hash detection logic to decrease false positive results.

Server

CYBR-14715

Detection Rules

All

After upgrading to the latest version, domain information was not collected on Windows 7 machines and the Domain Generation Algorithm (DGA) Malop was not detected.

After this fix, domain information is collected correctly and the DGA Malop is also detected correctly.

CYBR-15681

Detection Rules

All

False positive Malops of Pass the Hash attacks occurred in cases where the behavior was legitimately caused by a domain controller.

After the fix, such behavior does not generate a Malop.

Server

CYBR-16027

Detection Rules

All

Credential theft Malops were reporting a high number of false positive results and therefore causing many MDS requests to the server.

After this fix and detection rule update, the false positive rate has dropped.

Server

CYBR-13198

Detection Servers

All

In rare cases, Detection servers were found to hold the wrong versions of custom reputations.

If you have issues with this situation, contact Technical Support for assistance in aligning the versions across Detection servers.

Server

CYBR-14812

Display Settings

Mac

In the latest version, the right side of the header in the Cybereason UI was distorted and did not display correctly.

After this fix, the header displays without errors.

Server

CYBR-15760

Investigation

All

In the Investigation screen of the Cybereason UI, when viewing Elements to connect to the Logon Session Element, it was not possible to connect the Source IP Element in a query.

After this fix, it is possible to use both Elements in a query.

Server

CYBR-14256

Malop Inbox

Windows

When investigating Malops in the Malop details screen, files with an empty path were displayed. Therefore, when you tried to download these files from the Malop details screen, the download would fail because there was no path. In addition, because of the missing path, you could not investigate these Elements in the Investigation screen.

After this fix, file paths are reported correctly and you are able to download these files correctly as needed.

Note that this fix does not apply to executable files, only non-executable files.

Sensor

CYBR-14286

Malop Inbox

All

When a Detection Server had to compare incoming threat intel data from the Global Threat Intel server against behavioral whitelisting rules on the Private Threat Intel Server, Malops were sometimes not being raised correctly due to server timeout issues.

After this fix, the server configuration has been updated to allow for a longer timeout period and give the Detection Server adequate time to compare Global Threat Intel information with behavioral whitelisting rules in the Private Threat Intel server.

Server

CYBR-16471

Malop Inbox

All

Malops on the same machine that were related to PowerShell processes were not grouped into one Malop.

After the fix, such Malops are grouped correctly.

Server

CYBR-11689

NGAV

Windows

When updating any of the NGAV settings, the Sensor asked you to restart the machine unnecessarily.

After this fix, the request for a restart no longer occurs.

Sensor

CYBR-14981

NGAV

Windows

When running updates of the signature database on virtualization environments, machines with Sensors and their networks experienced heavy network load because many Sensors were trying to check for updates at the same time.

After this fix, we have changed the configuration of signature update checks for machines with Sensors to mitigate the effect on the machines and their networks:

  • When a machine first starts, the update check will come at a random point in the first 15 minutes.

  • Subsequent update checks will happen every 15 minutes.

Sensor

CYBR-15130

NGAV

Windows

After an Anti-Malware update, memory usage on machines was increasing cumulatively. Over time this meant that the amount of memory consumed grew with each update.

After this fix, the configuration of the update process has been updated to address this memory usage growth and the increasing memory use no longer occurs.

Sensor

CYBR-15529

NGAV

Windows

After an update to the Anti-Malware settings in the Cybereason UI, Sensors unexpectedly disabled the Anti-Malware settings on a machine.

After this fix, any custom Anti-Malware settings for a Sensor are retained and the Anti-Malware settings are not disabled even when a change is performed in the Cybereason UI.

Sensor

CYBR-14478

Registration Server

All

When assigning Sensors to Registration servers, there were some issues:

  1. All Sensors pending assignment were automatically assigned to a Detection server even if the Detection server was already under heavy load.

  2. After a Sensor connected to the Registration server, the Sensor was not removed from the list of Sensors pending an assignment.

  3. When a Sensor was pending assignment, the connection between the Sensor and its previous Detection server was not updated in the registry correctly, causing problems in viewing the distribution of Sensors.

After this fix, we have updated the configurations so that Sensors are sent to the Detection servers correctly to match the available load, and the assignment registration details are reported correctly.

Server

CYBR-14556

Registration Server

All

When Sensors were trying to communicate with the Registration server, the communication occurred multiple times. This caused performance problems and prevented some Sensors from communicating with the Registration Server.

After this fix, the communication occurs only one time and the performance impact on the Registration server has been reduced.

Server

CYBR-13842

Sensor Installation

Windows

When upgrading only a Sensor to the most recent version (without a console upgrade), the Windows Add and Remove dialog showed both the old and new versions of the Sensor.

After this fix, the status of the Sensor is displayed correctly.

Sensor

CYBR-14726

Sensor Installation

Windows

In the latest version, the right side of the header in the Cybereason UI was distorted and did not display correctly.

After this fix, the header displays without errors.

Sensor

CYBR-14512

Sensor Management

All

When the Actions log in the System > Sensors screen contained a large number of items in the list (usually over 50), the Sensors screen experienced performance problems.

After this fix, the number of items in the Actions list is limited to 50 to eliminate performance issues.

Server

CYBR-15744

Sensor Management

All

In the System > Sensors screen, when trying to perform a Sensor action on Sensors filtered by sensor tags, the action was performed on all Sensors instead of just the currently filtered Sensors.

After this fix, actions are performed only on the Sensors in the filter.

Server

CYBR-11823

Sensor Performance

Windows

When restarting the machine on which the Sensor was located, the minionhost.exe Sensor process failed to start.

Therefore we added a fail-safe mechanism that will make sure that the minionhost.exe process runs as scheduled even if it failed to start after restart.

Sensor

CYBR-12395

Sensor Performance

Windows

When the Windows update service startup type was unknown on a machine, the Sensor crashed unexpectedly and no indication of the crash reason was sent to the Sensor logs.

After this fix, the Sensor will no longer crash if the startup type is unknown. If the Sensor crashes, the log will display the reason.

Sensor

CYBR-12753

Sensor Performance

Windows

Previously, the Cybereason PowerShell protection modified existing registry keys, some of which were used by other system programs, causing problems in those programs. This happened even if the PowerShell protection was not enabled.

After this fix, we have updated the Sensor to ensure that the PowerShell features in Cybereason do not affect registry values for other programs if the feature is disabled.

Sensor

CYBR-13930

Sensor Performance

Windows

For Sensors installed on Windows machines running Microsoft Support Center products, the machine crashed if the minionhost.exe process was running and collecting information.

After this fix, the machine crash no longer occurs.

Sensor

CYBR-14947

Sensor Performance

Linux

After upgrading Sensors for Linux to the latest 17.5 version, Linux machines experienced decreased performance.

With this fix, we have updated the configuration for the Sensor for Linux to ensure better performance.

Sensor

CYBR-12766

Sensor Settings

Windows

After the following series of events, stale sensor emails were not sent:

  1. Stale sensor feature was set to off.

  2. WebApp server was restarted.

  3. Stale sensor feature was set to on.

  4. No user edited the Stale sensor policy screen in the UI.

After this fix, the emails are sent correctly.

Server

CYBR-15285

Sensor Tagging

All

When searching in the System > Sensors screen, it was not possible to search Sensors for Sensor tags or machine names if the string contained a single quote character.

After this fix, the search works as expected.

Server