20.1 All Features

The tables in the following sections list the features in every minor release included in version 21.1 LTS, organized by minor version. All the features listed below are also included in the 21.1 LTS version.

The tables contain the following information about each feature:

  • The feature area

  • A description of the changes

  • Whether you need to update your server or sensor to the version listed

  • The supported operating system for the machines for the sensor

  • The sensor and server versions required to utilize the feature

Version 20.1.343 (LTS)

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Remote Shell | We have updated the configurations for the Responder user required to use the Remote Shell utility. Now, if you upgrade from a previous version to the current version and you have users with the Responder role, the option to require two-factor authentication is not automatically enforced. However, if your users with the Responder role need to use the Remote Shell in Unrestricted mode, you must later select the option requiring two-factor authentication. | Server | N/A |
| Quarantine files | You can now use the Unquarantine response option for Endpoint Protection Malops. | Server and sensor | All |

Version 20.1.326

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Sensor installation | Previously, when installing a sensor, the sensor installer installed the Microsoft C Runtime Environment (CRT) in a shared folder on Windows (the system32 folder). Installing the CRT in this folder caused other applications to not function properly. This issue is now resolved and the sensor installer installs the needed CRT files in the ActiveProbe folder in the ProgramFiles folder. In addition, as a result of this fix, you do not need to install KB2999226 for operating system versions that previously required this KB. | Sensor | Windows |
| Detection rules | We have updated the ‘Process created with Win32_Process::Create WMI method’ evidence and the ‘Process remotely created with the Win32_Process::Create WMI method’ evidence to better detect use of the Win32_Process::Create event. | Server | N/A |

Version 20.1.281

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Sensor grouping | This version introduces the ability for system administrators to create different groups to which sensors can be assigned. In addition, we have added a new “Sensor admin L1” user role. Users with this role can manage sensors in one or more specified sensor groups. | Server | N/A |
| PowerShell and .NET configuration | We have added several enhancements to PowerShell and .NET protection. You can now exclude domains from download payload protection, exclude modules from .NET floating module protection, and set the .NET to JScript protection mode. | Server and sensor | Windows |
| Custom firewall rules validation | When you add new custom firewall rules using the UI, the rules are now validated. An error is visible if a field is empty or invalid. | Server | N/A |

Version 20.1.260

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Sensor grouping | This version introduces the ability for system administrators to create different groups to which sensors can be assigned. In addition, we have added a new “Sensor admin L1” user role. Users with this role can manage sensors in one or more specified sensor groups. | Server | N/A |
| PowerShell and .NET configuration | We have added several enhancements to PowerShell and .NET protection. You can now exclude domains from download payload protection, exclude modules from .NET floating module protection, and set the .NET to JScript protection mode. | Server and sensor | Windows |
| Custom firewall rules validation | When you add new custom firewall rules using the UI, the rules are now validated. An error is visible if a field is empty or invalid. | Server | N/A |

Version 20.1.241

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Remote Shell | We have enhanced the Remote Shell utility to enable you to use more PowerShell commands in Unrestricted mode, in addition to the previously limited mode. Note that existing users with the Responder role have the option for two-factor authentication as a mandatory user setting. Any user you create and assign the Responder role also has the option for two-factor authentication selected and required for use of the Remote Shell utility. | Sensor and server | Windows |
| Behavioral document protection exclusions | You can now use Behavioral document protection rule IDs to exclude Behavioral document protection in specific scenarios. | Sensor and server | Windows |
| Behavioral document protection | It is now possible to set Behavioral document protection to one of the following modes: Disabled, Detect, Prevent, or Quarantine. In previous versions, the action taken by Behavioral document protection was determined by the Signatures mode. | Sensor and server | Windows |
| Endpoint protection - custom firewall rules | It is now possible to add custom firewall rules using the UI, without having to upload a new CSV file. | Server | N/A |
| Detection Rules | We have updated the logic for the Command line keyword obfuscation evidence to ensure this evidence returns fewer false positive results. | Server | N/A |

Version 20.1.221

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Reputation management | Cybereason has changed the terms ‘blacklist’ and ‘whitelist’ to ‘blocklist’ and ‘allowlist’, respectively. In addition, the ‘Behavioral whitelisting’ feature has been renamed to ‘Behavioral allowlisting’. Functionality for reputation management is unchanged. | N/A | N/A |

Version 20.1.181

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Anti-Malware configuration | We have added several advanced configuration options for signature-based detection, such as an option to determine how frequently sensors download signature updates, the ability to disable scanning of network paths, and more. | Sensor, Server | Windows |
| Anti-Malware configuration | We have added the option to set Signatures protection to Quarantine mode. Cybereason moves malicious files to a different location to prevent them from executing. | Sensor, Server | Windows |

Version 20.1.145

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Delete a policy | Policy administrators can delete policies from the Policy Management screen. You cannot delete the Default or Legacy policies. | Sensor, Server | Windows, Mac, Linux |
| User Logon and Management | User administrators can specify the login method for a specific user as either Legacy (user password) or SSO. When SSO is enabled for a user, password login is not allowed. When SSO is disabled for a user, SSO login is not allowed. The default login method is Legacy. The Single Sign On feature is in the beta stage. Contact your Customer Success representative to enable this feature. | Server | N/A |
| PowerShell detections | When a PowerShell process is identified as trying to run a malicious command or payload, the detected payload is now displayed within the ‘Process ran a malicious command’ Malop. | Sensor and server | Windows |

Version 20.1.120

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Unquarantine file | You can now unquarantine files that you previously quarantined. You unquarantine a file from the file’s associated Malop’s details screen by clicking Respond, and then selecting the files to unquarantine. If the file’s original folder structure no longer exists, Cybereason rebuilds the path. | Sensor and server | All |
| Exploit Protection configuration | We have added several configuration enhancements to the System > Policies Management > Create/Edit Policy > Exploit protection screen. You can now select a cautious or aggressive Exploit protection mode, and add Exploit protection exclusions. For more details, see Exploit Protection Settings. | Sensor and server | Windows |
| Linux file collection | In previous versions, Cybereason did not report whether an executable file was considered signed or verified on CentOS 8 and on Red Hat Enterprise Linux. This limitation has been resolved. | Sensor | Linux CentOS and RHEL8 |

Version 20.1.100

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Email notification management | To allow user admins to easily manage notifications for users, we have added a new checkbox called ‘Enable notifications’ in the Users screen. We have also added a ‘Notifications’ column to the list of users, which shows whether notifications are enabled or disabled. Users with privileges to create and edit users are able to edit this checkbox for all users. Individual users can change notification settings from the user preferences menu. | Server | Windows, Mac, Linux |
| Customized proxy settings | To increase customization, it is now possible to enable different proxy settings (for groups of sensors or for all sensors) for communication between the sensor and the Detection server. A new parameter specifies whether to use the customized settings or the settings configured in the Detection Servers screen. | Sensor | Windows |
| Exploit protection | You can now view the ‘Malicious exploit attempt’ Endpoint Protection Malop in the Malops management screen. This Malop is triggered when Cybereason blocks malicious exploit attempts. | Sensor, Server | Windows |

Version 20.1.80

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| CVE detection | We have updated our detection rules to better detect attempts to exploit known CVE reports. This includes adding a suspicion and evidence indicating a possible attempt to exploit a CVE. In addition, we have introduced an ‘Attempted exploitation’ Malop in Research mode for such attempts. The Malop details report which CVE the attempt tried to exploit. These detections support detection of exploits for CVE reports for which the proper operating system update is installed. The evidence, suspicion, and Malop are supported on machines running Windows 10 and higher. | Sensor, Server | Windows |
| Custom firewall rules validation in UI | When a user imports a custom firewall CSV file, Cybereason now displays the Error uploading CSV file dialog box when the number of columns for a custom firewall rule does not match the number of columns in the header row. The dialog box indicates the specific rows that include errors. | Server | Windows |
| Quarantine file cleanup | Cybereason manages the amount of stored quarantined files by checking if the folder contains files older than x days (30 days by default). If so, the mechanism deletes those files. The cleanup is scheduled to run daily (every 24 hours) and on sensor startup. | Sensor | All |
| Sensor CPU usage statistics | We have improved the collection of sensor CPU usage statistics and optimized the management of sensor CPU usage logs. | Sensor | All |

Version 20.1.64

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Anti-Malware > Last signature update | In the Sensors screen, we have added the Last signatures update column, which indicates the last time the sensor received an Anti-Malware > Signatures database update. The time displayed is according to the server timezone. | Sensor, Server | Windows, Mac |
| Anti-Malware > Last signatures version | In the Sensors screen, we have added the Last signatures version column, which indicates the version number of the Anti-Malware > Signatures database. | Sensor, Server | Windows |
| Custom firewall rules validation | Cybereason performs various checks to ensure that custom firewall rules are applied and configured correctly. | Sensor, Server | Windows |
| Endpoint Controls Windows 7 support | Endpoint controls is now supported on Windows 7 SP1 and later versions. See Prevention features. | Sensor, Server | Windows |
| Exploit Protection Windows 7 support | Exploit protection is now supported on Windows 7 SP1 and later versions. For more details, see Prevention features and Exploit protection. | Sensor, Server | Windows |
| MITRE ATT&CK mapping | Throughout the Investigation, Malop Details, and Element Details screens, we have updated relevant Feature (filter) names to include the MITRE ATT&CK ID number as well as the tactic or technique name. | Server | N/A |

Version 20.1.43

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Anti-Malware > AI model update | The ‘Anti-Malware > Artificial Intelligence’ model was updated. The updated model is more accurate in identifying malicious executables and not detecting benign ones. Customers who upgrade to this version are expected to receive more detections based on Anti Malware > Artificial Intelligence. Please contact Technical Support if you believe a false detection was generated. | Sensor, Server | Windows |
| New Malop types | Cybereason now identifies two types of Malops: AI Hunting Malops, which are triggered by Cybereason’s automatic hunting engine and threat intel sources (in versions prior to 20.1.43, these threats were represented by Malops in the Malop inbox); and Endpoint Protection Malops, which are triggered by Cybereason’s NGAV feature (in versions prior to 20.1.43, these threats were represented by malware alerts in the Malware alerts screen). | Server | Windows, Mac, Linux |
| Malops management screen | The Malops management screen provides analysts a single pane from which to analyze, triage, and respond to threats in their organization. | Server | Windows, Mac, Linux |
| Automatically assign sensors to default policy | When installing new sensors, all sensors are automatically assigned the default policy and compliance is set to ‘true’. Since this process is automatic, you do not need to customize the installation parameters if you want sensors to adopt the default policy. You can still use installation parameters to assign sensors to specific existing policies. | Sensor, Server | Windows, Mac, Linux |

Version 20.1.21

| Feature | Description | Required Update | Sensor OS |
| --- | --- | --- | --- |
| Endpoint controls enhancements | We have introduced the following enhancements to the Endpoint controls feature: you can now add custom firewall rules that include Japanese text into the custom firewall rules CSV file, with the exception of the header row, which must remain in English; and the ‘USB device was blocked’ system tray notification is now supported in Japanese. Important: If you are using a custom firewall rules CSV file that includes Japanese text, you must convert the file to the UTF-8 format before uploading the file. Learn more about Endpoint controls. | Sensor, Server | Windows |
| Exploit protection | Exploit protection enables you to automatically block malicious attempts to exploit vulnerabilities on the organization’s endpoints. Exploit protection is a Cybereason prevention feature that includes various security mitigation techniques and is configured as part of the sensor policy. | Sensor, Server | Windows |
| Injection detection improvements | We have updated the detection logic for the ‘Malicious by Code Injection’ Malop to ensure fewer false positive results. We have removed cases of injecting processes of unknown reputation, as this caused most of the false positives. | Server | Windows |
| Prevent mode | We have added the option to set Anti-Malware > Signatures protection to Prevent mode. In this mode, malicious files are prevented but are not modified or moved from their location. Use this mode if you want to use Cybereason as your antivirus tool and prevent malicious files from executing, but do not want to modify files. In version 20.1.21, the Prevent option is hidden in the UI. Ask Technical Support to make this option visible. | Sensor, Server | Windows, Mac |
| Timeline filter improvements | From the Investigation screen’s Timeline filter, you can include only items that were created within the specified time interval by selecting the Created radio button, or items that existed during that interval by selecting the Existed radio button. | Server | N/A |