21.2 All Features

The tables in the following sections list all the features in the releases that make up version 21.2.

The tables contain the following information about each feature:

  • The feature area

  • A description of the changes

  • Whether you need to update your server or sensor to the version listed

  • The supported operating system for the sensor machines

  • The sensor and server versions required to utilize the feature


Version 21.2.640 (Service Pack)

Issue

Area

Description

Required Update

Sensor OS

DFND-46765

NGAV

When using NGAV on an endpoint machine, as a non-admin user on the machine, if you clicked the prompt from Windows Security Center to update the Cybereason signatures database, a command window continued to display on the machine (while the update ran in the background), disrupting the work of the endpoint machine user.

We have resolved this issue to ensure that the signature database update does not interfere with normal machine usage.

Sensor and server

Windows

DFND-46902

Behavioral Execution Prevention

When using Behavioral Execution Prevention, the cmstp_abnormal_execution and msexchange_owapool_webshell rules were causing the Cybereason platform to generate false-positive MalOps.

We have resolved this issue and these rules should no longer generate false-positive MalOps.

Sensor and server

Windows

Version 21.2.622 (Service Pack)

Issue

Area

Description

Required Update

Sensor OS

DFND-44363

Sensor performance

When performing an installation, upgrade, or uninstallation of a sensor on Windows machines, the Cybereason installer caused applications that use the Powereason.dll file to shut down or restart due to the installer needing to access shared locker files used by the other programs.

We have updated the installer program configuration to resolve this issue, so that other programs will work as expected during installation, upgrade, or uninstallation.

Sensor and server

Windows

DFND-46239

Device Control

In the Endpoint Controls section of a sensor policy, when adding a device to the allowed devices list, if the device name had more than 1 underscore character in the name, the device was not blocked or allowed correctly as set in the sensor policy.

We have resolved this issue and updated the configuration for parsing device names, so devices should be blocked or allowed as set in the policy even with extra underscore characters.

Sensor and server

All

Version 21.2.603 (Service Pack)

Issue

Area

Description

Required Update

Sensor OS

DFND-43432

Mac sensors

In random cases, on sensors running on macOS machines, when the machine restarted, the Anti-Malware > Signatures database reverted to the first version instead of maintaining the current version. This resulted in unnecessary redownloads of the signatures database to the sensor.

We have resolved this issue and the Signatures database version is persisted after the machine restart.

Sensor and server

macOS

DFND-43494

Mac sensors

In recent Cybereason versions, when upgrading sensors through the System > Sensors screen, for sensors running on macOS with 2-way SSL enabled, after the upgrade the sensors were unable to connect to the Cybereason platform.

We have resolved this issue and all Mac sensors using 2-way SSL are able to successfully connect to the Cybereason platform after upgrade.

Sensor and server

macOS

DFND-43950

Detection rules, MalOp details

In some cases, associated suspicions for some MalOps were not included in the MalOp details. As a result, you were not able to see the full scope of the MalOp and related activity and prioritize the analysis and triage appropriately.

We have resolved this issue and related suspicions should always be part of the MalOp details.

Server

N/A

Version 21.2.581 (Service Pack)

Issue

Area

Description

Required Update

Sensor OS

DFND-39979

Sensor tagging

When adding sensor tags by uploading a CSV file, if the CSV file contained more than 10,000 rows, some sensors did not receive sensor tags, failing with an unknown entity id error message.

We have updated the sensor tag upload flow to successfully upload CSV files with more than 10,000 rows.

Server

N/A

DFND-41099

Proxy, Linux sensors

When trying to connect to the Global Update server through a proxy connection (configured in the installed sensor package through sensor personalization), sensors on Linux machines were not able to access the Global Update server successfully.

We have resolved this issue and you can now connect Linux machines to the Global Update server through a proxy connection.

Sensor and server

Linux

DFND-40989, DFND-41723

NGAV

If you added a local update server URL to the Anti-Malware settings in a sensor policy, and then updated the policy settings or assigned a sensor to a different policy, the local update server settings on the endpoint machine retained the previous URL from the first policy instead of updating to the new URL settings.

We have resolved this issue and changes in the local update server URL from the policy are propagated to endpoint machines correctly.

Sensor and server

Windows

DFND-42766

NGAV

When adding domain exclusions for Fileless Protection (in the Fileless Protection > Domain exclusions section of the sensor policy), if a machine had a slower network connection or performance, the exclusion details did not propagate to the endpoint machine before the timeout period and domains were blocked when they should have been allowed.

We have resolved this and Domain exclusions will propagate correctly for all endpoint machines.

Sensor and server

Windows

Version 21.2.560 (Service Pack)

Issue

Area

Description

Required Update

Sensor OS

DFND-39356

Detections

In recent versions, the Cybereason platform did not always detect process injections (both injection into processes and processes injecting into other processes) correctly.

We have updated the configuration for this detection and related sensor collections to improve the accuracy of these detections.

Sensor and server

Windows

DFND-39625

Sensor performance

In some cases, the sensor was stuck in a loop of repeated crashes of the sensor program (minionhost.exe), possibly from issues with WMI on the endpoint machine.

We have updated the sensor program configuration to continue to work in these situations, and the sensor should not continue to have crash loops if there are WMI issues on the machine.

Sensor and server

Windows

DFND-40164

Device Control

On endpoint machines, when the setting for the Device control mode was set to Read only in the associated sensor policy for the machine, the machine continued to display a notification on the machine indicating that a USB device was blocked (although the machine user was able to access and read the device properly).

We have resolved the issue and this notification is no longer displayed on the machine.

Sensor and server

Windows

DFND-40512

Data collection

When viewing details on Services (such as the image file path or the command line arguments), the details for Service Elements were often reported incorrectly or incompletely in the Element Details screen.

We have updated the configuration used by the sensor collector and details about Services are collected and reported accurately in the Element Details screen.

Sensor and server

Windows

DFND-40693

Reputations

When viewing reputations in the Reputations screen, if you tried to sort the table of reputations by the Description column, a message was displayed, claiming that there were no reputations in the platform.

We have resolved this issue and you can now sort by the Description column without issue.

Server

N/A

DFND-40929

Sensor installation

In the latest Cybereason version, if you downloaded the sensor installation package to a location where the file path contained Unicode characters (such as Japanese characters), the sensor installation/upgrade failed.

We have resolved this issue and the installation should work with Unicode characters in the installation path.

Sensor and server

Windows

DFND-40981

Personal Firewall Control

When creating custom firewall rules for inbound and outbound communication in the Endpoint Controls section of your sensor policy, the communication was not blocked on the specified ports on Linux machines.

We have resolved this issue and the communication on Linux machines is now blocked according to the custom firewall rules.

Sensor and server

Linux

Version 21.2.541 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-23077

MalOps management

When loading MalOps created based on a Logon Session Element (MalopLogonSession), the Malops management screen unexpectedly reported an error and was unable to load the MalOp.

We have resolved this error to ensure all the data related to the MalOp can load and MalOps based on Logon Sessions load without issue.

Server

N/A

DFND-30783

MalOps management

In environments with the new Data Platform, in the Malops management screen, Endpoint Protection MalOps and MalOps created from custom detection rules did not display the detection description in the MalOp details.

We have resolved this issue and the detection description displays for all MalOps.

Server

N/A

DFND-36377

Sensor management

At times, the System > Sensors screen did not load due to a request to view a large number of sensors (tens of thousands).

We have resolved this issue and updated the server configuration to limit the number of sensors retrieved in a single request, so that this page loads properly. In particular, the /rest/sensors/query API endpoint now has a maximum limit of 30,000 sensors in a single request.

Server

N/A

DFND-37901

Sensor upgrade

On some supported Linux operating systems (such as RHEL 6 or CentOS 6), upgrades failed due to the sensor upgrade installer not being able to find the correct services.

We have resolved this error and upgrades on all supported Linux operating systems work properly.

Sensor and server

Linux

Version 21.2.521 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-33731

Malops management

To help you review the Malops in the Malops management screen, we have increased the number of Malops you can view on a page.

By default, the Malops management screen displays 50 Malops. You can also select to view 100, 250, or 500 Malops per page.

Server

N/A

DFND-31144

Sensor system tray icon

In some cases, the sensor created multiple icons in the taskbar for a single sensor.

We have resolved this error and the sensor displays only a single icon in the taskbar of the machine.

Sensor and server

Windows

DFND-33482

Malops management

In Japanese environments using the new Data Platform, in the Malops management screen, the Investigation Status filters listed Pending twice instead of Pending and On Hold.

We have resolved this issue and the filters display correctly now.

Server

N/A

DFND-35360

Malop comments

In environments using the new Data Platform, when adding a comment to a Malop in non-English languages (such as Japanese), the comments were displayed in the Malop with strange characters instead of the proper language characters.

We have resolved this issue and comments should display correctly.

Server

N/A

Version 21.2.500 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-33383

User roles

We have updated the requirements for the Responder L2 role to no longer require two-factor authentication or SSO.

Server

N/A

DFND-33213

Sensor management, notifications

At times, the Cybereason platform sent email notifications for sensors that were manually unarchived (as opposed to automatic unarchive due to platform settings). For example, if you manually unarchived a sensor, the platform would still send a notification that the sensor was archived.

We have resolved this issue and you should not receive email notifications about a sensor being archived even though it was unarchived.

Server

All

DFND-34323

Malops

In environments using the new Data Platform, Malops were not being created for malicious logon sessions.

This issue has been resolved and all Malops are created as expected.

Server

N/A

DFND-34555

Sensor installation/upgrade

When performing the steps required for mitigation of the CVE-2013-3900 vulnerability, it was not possible to install or upgrade sensors on the machine.

We have resolved this issue and you can install/upgrade sensors on a machine even with the mitigations for CVE-2013-3900 applied on a machine.

Sensor and server

Windows

DFND-35360

Malops management

In environments using the new Data Platform, when adding a comment to a Malop in non-English languages (such as Japanese), the comments were displayed in the Malop with strange characters instead of the proper language characters.

We have resolved this issue and comments should display correctly.

Server

N/A

Version 21.2.484 (Service Pack)

Issue

Area

Description

Required Update

Sensor OS

DFND-13560

Sensor installation

When installing or upgrading a sensor on Linux machines, the installation log had unexpected results, including numerous repeated and redundant lines in the log. This was due to the results of a verification of the presence of prerequisite libraries on the machine.

We have resolved this issue and the log entries have been streamlined for better use.

Sensor and server

Linux

DFND-14202

Sensor performance

Frequently, the sensor was not able to connect to the Dynamic Sensor Connections service to get sensor content updates. This occurred when the token was expired and a new token was not downloaded.

This issue has been resolved and the sensor is now able to connect to the Dynamic Sensor Connections service continuously, as expected.

Sensor and server

Windows

Version 21.2.466 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-23332

Sensor installation/sensor upgrade

We have added a prerequisite check to the sensor installation and sensor upgrade processes to ensure that you have the Sectigo certificate required by the Microsoft Virus Initiative (MVI) installed on the machine.

Sensor and server

Windows

DFND-23654

Sensor performance

In certain cases, when using the .NET part of Fileless protection, some programs, such as the Windows Event Viewer and PowerShell, were unable to run on the machine.

We have resolved this error and programs on the machine should work as expected with Fileless Protection enabled.

Sensor and server

Windows

DFND-28973

User management

When trying to add new users with an .inc domain in the email address, the Cybereason platform failed to add these users correctly.

This issue has been resolved and you can add users with a .inc domain in the user email address.

Server

N/A

DFND-29216

Investigation

When exporting investigation query results to a CSV file, if you selected an option other than All data, the CSV data export did not contain all available data or missed random items in the data.

We have resolved this issue and data exports now work as expected.

Server

N/A

DFND-29800

Sensor performance

On some hypervisor virtual machines, sensors were not able to run due to a crash in the minionhost.exe process.

We have resolved this issue and the sensor starts as expected.

Sensor and server

Windows

DFND-33594

Machine isolation

On the latest version, if your environment has the new Data Platform infrastructure, you could not isolate a machine from the Element Details screen. When you clicked the Isolate button, the isolation command did not work.

We have resolved this issue and you can now isolate a machine and remove the machine from isolation in these environments as expected.

Server

All

Version 21.2.443 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-16006

User screen

We have updated the quick filters on the left of the Users screen to include all user roles. There is now an All analysts section and an All admins section populated with the relevant roles. Use these filters to quickly display relevant users with these roles:

  • L1 Responders

  • L2 Responders

  • Policy admins

  • L1 Sensor Admins

  • Local Analyst (L1/L2)

  • Local Responder

  • Sensor Viewer


Server

N/A

DFND-17947

Predictive Anti-Ransomware

For users in Japanese environments, we have updated the title of the Predictive Ransomware Protection screen to 予測型ランサムウェア保護.

Server

N/A

DFND-28883

Anti-Malware scans

We have updated the logs recorded when you perform an Anti-Malware scan to also report the Static Analysis prediction score for a file and the PE file type for each file.

Sensor and Server

All

DFND-9630

Behavioral Allowlisting

If you created a behavioral allowlisting rule with a special character, you were not able to later edit this rule.

This issue has been resolved and you can edit allowlisting rules with special characters.

Server

N/A

DFND-13846

Sensors screen

At times when an environment uses a proxy, the Internal IP address field value displayed for a sensor in the Sensors screen was 127.0.0.1 instead of the real IP address of the sensor due to the looping of the address as part of the proxy.

We have updated the configuration of the sensor to report the correct IP address for the machine in the Sensors screen.

Sensor and server

All

DFND-19860

Sensor installation

When uninstalling a sensor from the latest version, the uninstallation failed with an error that the sensor installation folder was still in use.

We have resolved this issue and the uninstallation works as expected.

Sensor and server

Windows

DFND-20802

Behavioral Document Protection

Previously, detection rules used with Behavioral Document Protection did not create detections when the document files contained Japanese characters.

We have resolved the issues and detection rules work even when the document file contains Japanese characters in the name.

Sensor and server

Windows

DFND-21372

Local responder role

Previously, users with the Local Responder role had access to non-authorized sections of the Cybereason UI, including:

  • Discovery board screen

  • Malop Inbox screen

  • Malware alerts screen

We have updated the permissions for the Local Responder role and users with this role should no longer be able to access these parts of the Cybereason UI.

Server

N/A

DFND-21496

L3 analyst role

Previously, users with the L3 analyst role were not able to view and edit machine isolation exception rules.

We have resolved this issue and users with the L3 analyst role are able to view and edit as expected.

Server

N/A

DFND-22698

Linux sensors

When trying to install sensors on Linux machines running Oracle Linux operating systems, the installation would fail as the minionhost process did not work properly.

This issue has been resolved and installations on Oracle Linux machines work properly.

Sensor and Server

Oracle Linux

DFND-22993

Sensors screen

When exporting details on sensors to a CSV file with the API, the list of sensors was incomplete. For example, the export might contain 10,000 lines instead of the expected 40,000 lines.

This issue has been resolved and the CSV file exports with the correct amount of data.

Server

N/A

DFND-23360

Sensor system tray icon

At times, the minionhost.exe process used by the sensor created multiple cramtray.exe process instances on the machine, causing a sensor error.

This issue has been resolved and the processes open as expected with a single cramtray.exe process.

Sensor and server

Windows

DFND-23407

Detection rules

Due to a change in the sensor certificate name, false-positive "Attempt to manipulate Cybereason sensor" detections were generated for the sensor’s amsvc.exe and activeconsole.exe processes.

This issue has been resolved and these detections should no longer be created for the sensor processes.

Server

N/A

DFND-28702

Remediation

When viewing the Response History screen, if you clicked the Back button in your browser, you were returned to the default Discovery Board page, instead of the previous screen.

This issue has been resolved and clicking the Back button returns you to your previous screen.

Server

N/A

Version 21.2.421 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-19717

Device Control

When using Device Control, after you disable or enable Read Only for USB devices, endpoint machine users no longer need to re-mount a USB device to ensure that the sensor enforces the Read Only policy setting.

Sensor and server

Windows, Linux

DFND-681

Machine Isolation

By default, actions sent to offline sensors are queued for 3 days. If, after 3 days, the sensor has not come back online, the action is no longer queued and will not execute if the sensor comes back online at a later time. Now, the queued period can be customized.

Sensor and server

All

DFND-20395

Sensor installation

As part of the initiative to meet Microsoft Virus Initiative (MVI) requirements, we have added a warning and logic to stop the installation when you try to install a sensor on a machine running Windows 7. This installation prevention is due to the fact that the Sectigo certificate used for MVI compliance is not supported on Windows 7.

Sensor and server

Windows

DFND-15669

Process information collection

At times, when the sensor collected details on the command lines used by processes, the collector on the sensor would add an extra space in the command line string that was sent to the detection server. As a result, if you built a behavioral allowlisting rule to exclude the command line from creating a Malop, the behavioral allowlisting rule would not correctly trigger Malops.

This issue has been resolved and the command line is collected and sent to the Detection server correctly without the extra spaces.

Sensor and server

Windows

Version 21.2.401 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

N/A

Sensor certificates

Sensor binaries are now signed by a Sectigo cross certificate to meet Microsoft Virus Initiative (MVI) requirements.

Sensor and server

Windows

DFND-18847

Variant payload prevention

To provide a clearer explanation of the protection it provides, we have updated the name of Binary Similarity Analysis (BSA) in-memory protection to Variant payload prevention. As a result, the Binary Similarity Analysis (BSA) in-memory protection section in the Anti-Malware section of the sensor policy is now named Variant payload prevention.

Sensor and server

Windows

DFND-18847

Behavioral execution prevention

To provide a clearer explanation of the protection it provides, we have updated the name of Behavioral execution protection to Behavioral execution prevention. As a result, the Behavioral execution protection section in the Anti-Malware section of the sensor policy is now named Behavioral execution prevention.

Sensor and server

Windows

DFND-17002

Sensor upgrade

If you upgrade a sensor that has had proxy settings changed, after the upgrade, the proxy settings are retained. If the sensor upgrade package contains new proxy settings, the updated proxy settings override the sensor’s existing proxy settings.

Sensor and server

All

DFND-16449

Sensors for Mac

We’ve improved the antivirus initialization flow for sensors running on M1-based Macs. This new flow provides antivirus protection sooner in the installation/upgrade process than in previous Cybereason versions.

Sensor and Server

macOS

DFND-16940

Anti-Malware scans

We have updated the configuration used by the Cybereason platform’s Anti-Malware scans to better handle scans of large archives (e.g. .zip files), including:

  • Increasing the timeout period for the scan completion to give the scan time to finish scanning the archive file

  • Increasing the maximum size of file allowed for a scan

The option to increase the file size allowed for a scan is not enabled by default. Open a Technical Support case to enable this option.

Sensor and server

Windows

DFND-10830

Platform license agreement

We have updated the End User License Agreement (EULA) for the Cybereason platform.

The first user to sign in to the Cybereason console after you deploy this version will be required to accept the new agreement, even if you accepted previous versions of the agreement.

Server

N/A

DFND-5100

Sensors screen

We have updated the configuration the Cybereason platform uses to display information about sensors on machines with unsupported OS versions. Now, the Sensors screen will display Other for these sensors to enable you to better filter these machines.

Server

N/A

DFND-17884

Anti-Malware scans

On-demand scans now scan files that contain any Unicode characters in the file name.

Sensor and server

Windows

DFND-18111

Malops management

In the Malops management screen, only a subset of Malops was displayed when selecting the preset time filters such as Today, Last week, and so forth due to an incorrect calculation of the time window for these preset filters.

We have resolved this issue and the preset time filters correctly display all relevant Malops for these filters.

Server

N/A

DFND-18658

Behavioral allowlisting

When previewing the effect of a behavioral allowlisting rule in Japanese, the preview would display an error for invalid query syntax.

This issue has been resolved and the preview of the rules in Japanese displays the rules correctly.

Server

N/A

DFND-19310

Malop remediation

When you have a sensor policy with the option to Quarantine malicious files selected (in the Anti-Malware section of the sensor policy edit screen), if you have a MalOp with a quarantined file that you mark to Exclude, it was not possible to remove the quarantined file from the quarantine file location.

This issue has been resolved and you are now able to remove the file from quarantine.

Server

N/A

DFND-15804

Anti-Malware

In rare cases, the Anti-Malware service had recurring crashes and was not able to recover.

This issue has been resolved as we improved our Windows AV service to recover in a more robust way during these rare cases.

Sensor and server

Windows

Version 21.2.293 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-15182

Data collection (Windows)

We have updated the detection rule logic for APC injections to minimize the false-positive rate.

Sensor and Server

Windows

CYBR-3469

Mac AV

We improved how the sensor initiates signature-based detection so that it reaches a protected state even sooner.

Sensor and Server

macOS

DFND-6581

Sensor Management

On the System > Sensors > Deleted Sensors screen, we have added the Deleted by and Deleted date columns to help you understand more about a deleted sensor.

Server

N/A

DFND-9947

SHA-based prevention support

The Cybereason platform now supports prevention on Windows machines for items based on SHA-1 and SHA-256 hash values.

Previous versions of Cybereason only supported prevention for MD5 hash values. This feature is disabled by default.

This feature is not generally available. Contact your Customer Success Manager to get access to this feature.

Sensor and Server

Windows

DFND-16940

Windows AV

We made configuration improvements to the archive scan to prevent it from timing out.

Sensor and Server

Windows

DFND-12516/DFND-3469

Sensor proxy connection

We have updated the sensor configuration for proxy connection to better ensure that the sensor connects to the proxy when using the auto-detect mechanism on the sensor.

Sensor and server

Windows

DFND-17049

Fileless Protection

In sensor versions between 21.2.180 and 21.2.268, Fileless protection scans that received a null pointer in the source field caused application crashes. This issue has been resolved.

Sensor and Server

Windows

DFND-16419

Remote Shell

Users with the Responder L2 role were unable to open the Remote Shell utility from the Investigation screen. This issue has been resolved and these users can open the Remote Shell utility as expected.

Server

N/A

DFND-13342

User Management

Users with notifications enabled did not receive notifications that a Malop with an unknown detection type was created. This issue has been resolved.

Server

N/A

DFND-17817

Sensors screen

If a Detection Server was disconnected from the Web App server, the Sensors and Detection Servers screen did not load properly.

This issue has been resolved and the Sensors/Detection Server screens in the Cybereason platform’s UI load properly.

Server

N/A

DFND-20505

Sensor Platform

In the latest version, when Application Control was enabled, file or folder rename operations on network drives failed.

This issue has been resolved and all file or folder network rename operations work on the machine as expected.

Sensor and server

Windows

Version 21.2.265 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-14925

NGAV

If an error prevents Anti-Malware from being enabled on an endpoint (for example, Other AV Found), we have improved reporting of the error and Anti-Malware automatically becomes enabled on the endpoint once the error is resolved.

Sensor and Server

Windows

DFND-7238

MalOp Management

If an affected machine in a MalOp had an undefined attribute, you could not respond to the MalOp. This issue has been resolved.

Server

N/A

Version 21.2.241 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-13558

Linux AV

If a malicious process is detected by an Anti-malware quick scan, only the malicious process is killed. Other members of the process group continue to run as normal.

Sensor and Server

Linux

DFND-14013

Apple Silicon Mac M1 support

The Cybereason platform supports sensors running on Apple Silicon Mac M1, M1 Max, and M1 Pro. This applies to macOS Monterey and Big Sur. In versions prior to 21.2.241, sensors running on Apple M1 Silicon (Arm) Macs required the Rosetta 2 emulator in order to run.

Sensor and Server

macOS

DFND-14202

Sensor performance

Frequently, the sensor was not able to connect to the Dynamic Sensor Connections service to get sensor content updates. This occurred when the token was expired and a new token was not downloaded.

This issue has been resolved and the sensor is now able to connect to the Dynamic Sensor Connections service continuously, as expected.

Sensor and server

Windows

Version 21.2.228 (LTS)

Feature

Description

Required Update

OS

DFIR

The DFIR package is available to add to your environment (at additional cost). To add this package to your Cybereason environment, contact Customer Success.

Server

Windows

Windows proxy

It is now possible to connect to the NGAV Local Update Server through a proxy.

Server

Windows

macOS Monterey 12.3 support

The Cybereason platform has expanded macOS Monterey support to include Monterey 12.3 and later. Previous versions of Cybereason 21.2 support Monterey 12.0 through 12.2.

Note

You must ensure that Python is installed on the machine as Python is no longer provided with macOS beginning with macOS 12.3 (Monterey).

Sensor and server

macOS 12 (Monterey)

Fileless Protection

A non-PowerShell .NET process using hooked calls caused the sensor to crash on some systems. This issue has been resolved.

Sensor and server

Windows

Sensor tampering protection

If Enhanced Sensor tampering protection detects an attempt to tamper with the sensor, a MalOp is created. To take part in the beta phase of this feature, contact your Customer Success Manager.

Sensor, server

Windows

Version 21.2.203

Feature

Description

Required Update

OS

Remote Shell

Use of the Remote Shell utility is now supported on machines running a supported Linux operating system.

This feature is not generally available. Contact your Customer Success Manager to use this feature.

Learn more

Sensor and server

Linux (all)

Version 21.2.190

Feature

Description

Required Update

OS

Behavioral execution protection

Behavioral execution protection is now generally available. Learn more

Sensor, server

Windows

Improved sensor update process

We have improved the sensor update process so you can update 1,000 sensors per hour. To enable this feature, contact your Customer Success Manager. Learn more

Sensor, server

Windows

Malops management

The Malops Management screen and features are now generally available without the Beta status.

In addition, if your Cybereason environment is built with the newer data infrastructure, the Malops management screen has been updated for a smoother user experience and workflow, including a new search bar above the Malops list, new filters, and a time-based filter.

Server

N/A

macOS Endpoint Security Framework (ESF) support

Sensors running on macOS Monterey (12) machines now support ESF.

Sensor and server

macOS

Sensor tampering protection

Enhanced Sensor tampering protection is available. To take part in the beta phase of this feature, contact your Customer Success Manager. Learn more

Sensor, server

Windows

Auto remediation for custom rules

You can now specify that the Cybereason platform perform automatic remediation actions when it encounters behavior that satisfies a custom detection rule. Learn more.

Server

N/A

Version 21.2.168

Feature

Description

Required Update

OS

Binary Similarity Analysis (BSA) in-memory protection

This version introduces Binary Similarity Analysis (BSA) protection as part of the NGAV protection suite. BSA in-memory protection performs memory scans to identify binary fractures of highly evasive attack tools (such as Cobalt Strike, Emotet, Dridex, and more), and is capable of preventing them on execution. Learn more

This feature is not generally available. Contact your Customer Success Manager to use this feature.

Sensor and server

Windows

Exclusions by process name on Linux machines

To improve performance, the Cybereason platform now excludes known and safe processes by default on Linux machines.

You can also exclude additional files from Anti-Malware scans based on the name of the process that opens the files. To use this capability, contact Technical Support. Learn more

Sensor and server

Linux (all supported versions)

Query result customization

You can now customize the number of results displayed in a page of query results. Learn more

Note

This feature requires that your Cybereason instance uses the newer data infrastructure.

This feature is not enabled by default. Open a Technical Support case to enable this feature.

Server

N/A

Debian 10 DNS collection

Sensors running Debian 10 now support DNS collection.

Server

Linux

Version 21.2.145

Feature

Description

Required Update

OS

Updated File search

We have updated the File search screen to make file search more intuitive and effective for you. This includes:

  • Having separate tabs for regular file search and YARA file search operations

  • Additional options for filters to limit the file search

  • Ability to configure a timeout period for the file search operation to minimize the impact on your Cybereason platform performance

Learn more

Server

N/A

Sensor grouping support for Remote Shell

We added the Local Responder role to enable you and your analysts to use the Remote Shell utility when you have sensor grouping enabled in your environment.

If you or a user admin assigns the Local Responder role to a user, you should also assign the Local Analyst role to the same user to enable them to access the sensors in the assigned groups.

Learn more

Server

N/A

Delete sensors from the Cybereason UI

To better manage the sensors within your environment, you can now delete a sensor from the sensors list in the Cybereason platform UI. Once the sensor is deleted, it is no longer visible in the UI; however, the sensor remains connected to the Detection server and continues to collect and send data for three days.

Server

N/A

AMSI/.NET modules for Fileless protection

The Cybereason platform provides a new option to select the AMSI and/or .NET modules for Fileless protection. Cybereason recommends that you activate both modules for full protection. This new capability allows you to select the type of protection that best suits your organization’s needs. Learn more

Sensor and server

Windows

Investigation query limits

From the Investigation screen, you can select a timeframe within which to apply your query. Options include the last hour, 6 hours, 12 hours, or 24 hours, the last 3 or 7 days, or all data. The default value is 24 hours. Learn more

Server

N/A

Predictive Ransomware Protection

The Cybereason platform now supports a new type of ransomware protection which uses a multi-layered detection mechanism to identify typical ransomware behavior and prevent unknown strains of ransomware. This feature is disabled by default. Contact Technical Support to enable Predictive Ransomware Protection.

This feature is not generally available. Contact your Customer Success Manager to get access to this feature.

Sensor and Server

Windows

Sensor tampering protection

If Enhanced Sensor tampering protection detects an attempt to tamper with the sensor, a MalOp is created. To take part in the beta phase of this feature, contact your Customer Success Manager. Learn more

Sensor and server

Windows

Version 21.2.124

Feature

Description

Required Update

OS

Sensors for Mac

We have updated the sensor program name for the Mac sensors from com.cybereason.activeprobe to CybereasonSensor.app. As a result, after upgrading to this version, you will need to enable Full Disk Access for the new sensor on a macOS machine, even if you did this procedure previously.

If you grant Full Disk Access manually, see Enable Full Disk Access for macOS Sensors.

If you grant Full Disk Access via Jamf MDM, see macOS Deployment via Jamf MDM.

If you have other applications that use the sensor program name, such as OPSWAT, these other programs may no longer recognize or identify the sensor after the upgrade. As a result, you will need to update the sensor name in these programs accordingly.

Sensor and server

macOS (All)

Machine information collected for Windows endpoints

The Cybereason platform now collects and displays the following data for Windows endpoints:

  • The machine’s serial number. This data is visible in the Investigation screen, under the query results Serial number column.

  • The machine’s device model. This data is visible in the Sensors screen under the Device model column.

Sensor and server

Windows

Device control - Linux support

To increase protection across additional OSs and device types, the Device control feature now supports MTP and all USB devices on Linux endpoints. Learn more

Server

Linux

Linux AV

To improve performance of Anti-malware on access scans on Linux machines, the Cybereason platform now excludes network shares by default. In addition, the Cybereason platform excludes the following mount points on local paths by default:

  • /sys

  • /proc

To exclude additional mount points, contact Technical Support.

Sensor and server

Linux

Mac AV

For sensors on machines running macOS with Anti-malware enabled, on the System > Sensors screen, we have improved the reliability of the status displayed in the Sensor status column.

Sensor and server

macOS

Mac AV

macOS developer workloads (such as Git and other developer tools) no longer have performance impacts in combination with Anti-malware on access scans.

Sensor, server

macOS

Mac AV

Anti-malware on access scans no longer have a performance impact on upgrading macOS machines to a newer OS version.

Sensor and server

macOS

Sensor installation for sensor groups

When using sensor groups you can download a sensor installation package pre-configured to add sensors to a specific group. Learn more.

Server

N/A

Version 21.2.103

Feature

Description

Required Update

OS

Custom reputations

Cybereason updated the Reputation screen in the UI. The new Reputation screen allows you to easily add, edit, and remove custom reputations without having to use a CSV file. Learn more

Server

N/A

Cybereason Connect

We have now limited access to the Cybereason Connect screen to users with a specific role. To access the Connect screen, you must have the Sensor Admin L1, System Admin, or Executive role.

Server

N/A

Historical Data Lake

The Cybereason Historical Data Lake feature now enriches your historical queries with Malop data from your live environment. Learn more

N/A

N/A

Version 21.2.84

Feature

Description

Required Update

OS

XDR

The Cybereason platform now supports integration of log source data through the XDR module. You can now import and view log source data from supported platforms such as Okta, Google, and Fortinet to give you a wider view of activity across your organization.

XDR log source data integrates with existing EDR data to enable you to manage all data, both from endpoint sensors and XDR log sources, in a single place.

For more information about supported integrations, see Cybereason Integrations.

For more information about Cybereason XDR, see Extended Detection and Response (XDR).

Note

With the introduction of the XDR module, the User Element is renamed to the User Account Element.

Server

N/A

Windows 10 21H2 support

We now support sensors running on Windows 10 21H2 machines.

Server

Windows

Investigation query result export

On environments with the new Data Platform installed, the option to select the specific number of results to export to a CSV file when viewing investigation query results is enabled by default. You do not need to contact Technical Support to enable this export feature.

Server

N/A

Version 21.2.63

Feature

Description

Required Update

OS

Behavioral execution protection

Behavioral execution protection allows organizations to detect and prevent malicious execution of processes based on the process behavior. Behavioral execution protection uses intricate research data to identify anomalies in the image name, command line, image file metadata, or the process hierarchy. This data is available directly on the endpoint, which significantly shortens response time. Learn more

Note

This feature is not yet generally available. To request access to this feature, contact Customer Success.

Sensor, server

Windows

View Malop activity by timeframe

You can now view Malop activity from a certain time frame from the Malop details screen. Use the ‘View activity since’ feature on the top right of the Malop details screen to select a date range. The Malop details screen will update to reflect activity that occurred within the specified time frame.

Server

All OSs

Version 21.2.43

Feature

Description

Required Update

OS

macOS Monterey support

You can now install sensors on machines running the macOS Monterey operating system. The macOS Endpoint Security Framework (ESF) is not currently supported.

Server

macOS

Debian 10 support

You can now install sensors on machines running the Debian 10 operating system. DNS collection is supported in versions 21.2.168 and later.

Server

Linux

Linux AV

On Linux machines, the Cybereason platform now supports the option to perform scans on file access by default. You no longer need to contact Technical Support to enable this option.

Sensor and Server

Linux

Personal firewall control

To allow protection for additional operating systems, the use of Personal firewall control is now available for machines running Linux operating systems.

Learn more

Sensor and Server

Linux

Investigation query result export

You can now select the specific number of results to export to a CSV file when viewing investigation query results.

Learn more

Note

This feature requires that your Cybereason instance uses the newer data infrastructure.

Contact Technical Support to enable the feature.

Server

N/A

File events collection

We have updated the policy options for file events collection to help you select the proper level of collection in your organization. You can now select one of two modes to tailor the collection to your needs:

  • Moderate: The file events collection only collects from a select list of files relevant for security needs.

  • Aggressive: The file events collection collects from all files.

Learn more

Sensor and Server

Windows

WMI Persistent Object Element

We have added a number of new Features related to the WMI Persistent Element, including:

  • WMI Persistent Objects for the File Element

  • Consumer File Path for the WMI Persistent Object Element

  • Persistent type for the WMI Persistent Object Element

  • Script engine for the WMI Persistent Object Element

Server

N/A

Version 21.2.21

Feature

Description

Required Update

OS

Amazon Linux 2 support

You can now install sensors on machines running the Amazon Linux 2 operating system.

Server and Sensor

Amazon Linux 2

Windows 11 support

On the System > Dashboard screen, machines running Windows 11 are now displayed under the Sensors by OS version section.

Server

Windows

Sensor signatures database

After initial installation, the sensor now reports to the Windows Security Center after the signatures database download is complete. This prevents an unnecessary notification stating that virus protection is out of date.

If after 4 hours the signatures database download is not complete, the notification stating virus protection is out of date is correctly displayed.

Sensor, server

Windows

Investigation query results

The Investigation screen now displays an estimated total count of all query results in the system. This enables you to understand the full scope of the issue you are searching for with your query. Learn more

Note

This feature requires that your Cybereason instance uses the newer data infrastructure.

Server

N/A
