22.1 All Features
The tables in the following sections list all the features included in every release of version 22.1.
The tables contain the following information about each feature:
The feature area
A description of the changes
Whether you need to update your server or sensor to the version listed
The supported operating system for the machines for the sensor
The sensor and server versions required to utilize the feature
Note
Some features are released outside of a formal release version on a continuous basis. For details on the items added, see Continuous Delivery Features.
Version 22.1.562 (Service Pack)
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFND-65045 | Device Control | When adding Sony USB devices to the exclusion list for Device Control, the Sony USB devices did not successfully receive the exclusion and were incorrectly blocked according to the sensor policy settings. We have resolved this issue and these types of devices will work on the exclusion list as expected. | Sensor and server | All |
DFND-58670 | NGAV | At times, when Anti-Malware mode was set to Quarantine, the file was prevented successfully, but quarantine failed. This issue was resolved, and in such cases the file is now quarantined successfully. | Sensor and server | Windows |
Version 22.1.540 (Service Pack)
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFND-62558 | NGAV | In some cases, the Anti-Malware > Artificial Intelligence mode detected the cramtray.exe process used by the sensor as malicious due to a certificate issue. We have resolved this issue and the Anti-Malware > Artificial Intelligence mode will not detect sensor processes as malicious. | Sensor and server | Windows |
DFND-62101 | NGAV | When viewing the Signature mode state column for sensors in the Sensors screen, at times the column mistakenly displayed the status Disabled - Network error for the signature mode update, even though the update of the signatures succeeded. We have resolved this issue and the Signature mode state column reports the correct status. | Server | N/A |
DFND-61956 | Linux sensors | On machines running supported versions of the Linux operating system, the sensor would take ownership of RPM lock files on the machine. We have resolved this issue and the sensor should not interfere with the RPM files. | Sensor and server | Linux |
Version 22.1.521 (Service Pack)
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFDN-60825 | Sensor management | At times, sensors did not send data to their assigned Detection server when they failed to connect to the IP address for the Detection server. As a result, the sensor reported as Online, but certain parts of the sensor data, such as collected data, details on the signatures database version, and scan status would not update in the Sensors screen correctly. We have resolved this issue and all information from the sensor will report to the Detection server as expected. | Server | N/A |
DFND-60422 | NGAV | In recent Cybereason sensor versions, when the Anti-Malware service was enabled, machines experienced unexpected and intermittent performance problems, such as machine crashes or blue screens on the machine. We have resolved this issue and the machine will perform as expected with Anti-Malware enabled. | Sensor and server | Windows |
DFND-59902 | Syslog | In the MalOp syslog file, we now report the Product version in a syslog message. For example, a syslog entry for a MalOp created event would report `CEF:0\|Cybereason\|Cybereason\|23.2\|Malop\|Malop Created\|10\|`. Previously, this value was empty. | Server | N/A |
DFND-58026 | Malware alerts | In Japanese environments, when exporting a CSV file of malware alerts from the Malware Alerts screen, at times the CSV file would unexpectedly change from Japanese to English (such as after a restart of the platform’s servers). We have resolved this issue and the CSV file will export in the correct language, based on the language settings for the user that is performing the export. | Server | N/A |
DFND-53320 | Linux AV | In the latest version, after installing a sensor on machines running Ubuntu 20.04 and CentOS 8.4, the Anti-Malware service used by the sensor did not start properly. We have resolved this issue and the Anti-Malware service now starts correctly after sensor installation on these operating systems. | Sensor and server | Linux (Ubuntu 20.04 and CentOS 8.4) |
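
The header quoted for DFND-59902, parsed field by field, as an added example that is not Cybereason code: it splits the seven pipe-delimited CEF header fields, honouring the `\|` and `\\` escapes, and flags entries whose Device Version is empty (the shape described as the previous behavior). Every sample line other than the header quoted in the table is constructed, and the function names are illustrative.

```python
"""Parse the CEF header of a MalOp syslog line and flag an empty Device Version."""

# CEF header layout:
# CEF:Version|Device Vendor|Device Product|Device Version|
# Device Event Class ID|Name|Severity|Extension
HEADER_FIELDS = (
    "cef_version", "device_vendor", "device_product", "device_version",
    "event_class_id", "name", "severity",
)

# Sample input. Line 0 is the header quoted in the release note; the rest
# are constructed for this example.
SAMPLE = [
    "CEF:0|Cybereason|Cybereason|23.2|Malop|Malop Created|10|",
    # Constructed: same event with the Device Version field left empty.
    "CEF:0|Cybereason|Cybereason||Malop|Malop Created|10|",
    # Constructed: syslog prefix, escaped pipe in Name, and an extension.
    "<14>Jan 01 00:00:00 host CEF:0|Cybereason|Cybereason|23.2|Malop|"
    "Malop \\| Updated|8|cs1=example",
    # Constructed: a line that carries no CEF header at all.
    "not a cef line",
]


def parse_cef_header(line):
    """Return the seven header fields plus the raw extension as a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    body = line[start + len("CEF:"):]

    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        # In the header, a backslash escapes a pipe or another backslash.
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1

    # Tolerate a header that ends without the pipe after Severity.
    if len(fields) < len(HEADER_FIELDS):
        fields.append("".join(buf))
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("expected %d header fields, got %d"
                         % (len(HEADER_FIELDS), len(fields)))

    record = dict(zip(HEADER_FIELDS, fields))
    record["extension"] = body[i:]
    return record


def audit(lines, vendor="Cybereason"):
    """Classify each line as 'ok', 'empty-version' or 'unparsed'."""
    results = []
    for idx, line in enumerate(lines):
        try:
            record = parse_cef_header(line)
        except ValueError:
            results.append((idx, "unparsed"))
            continue
        if record["device_vendor"] == vendor and not record["device_version"].strip():
            results.append((idx, "empty-version"))
        else:
            results.append((idx, "ok"))
    return results


if __name__ == "__main__":
    for idx, status in audit(SAMPLE):
        print(idx, status)
```

A SIEM parser that keys on Device Version can use the `empty-version` result to spot MalOp events that still arrive without the product version.
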
Version 22.1.502 (Service Pack)
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFND-58417, DFND-57656 | User management | In the Users screen, if you selected the Local Analyst or Local Responder role for a user along with another global role (such as Policy Admin, User Admin, and so forth), the option to select the sensor groups for the user remained visible on the page, even though the user had no ability to be assigned to groups since they have a role that was global in nature. We have resolved this issue and when you select a Local Analyst or Local Responder role along with another role, the option to select groups for the user is no longer displayed. | Server | N/A |
DFND-58267 | Sensor performance | In machines running supported versions of Windows, at times, the sensor consumed excess virtual memory from the machine causing performance problems on the machine. We have introduced a mechanism into the sensor’s services to ensure that virtual memory consumption does not grow too high. | Sensor and server | Windows |
DFND-58061 | NGAV | On machines running supported versions of Linux, at times the Anti-Malware > Signatures mode scans would stop due to the process reaching the memory limits allowed for the Anti-Malware scanning services. We have resolved this issue and updated the sensor configuration to allow for greater memory usage to enable scans to continue. | Sensor and server | Linux |
DFND-57606 | Sensor performance | On machines running CentOS 7.1, if the Anti-Malware > Signatures scans attempted to scan a file larger than 2 GB, the file became locked and other processes also could not open the file, due to issues with dependencies in the operating system. We have resolved this issue so that the sensor does not lock access to these large files, and customers will be able to access these files on CentOS 7.1 machines. | Sensor and server | Linux CentOS 7.1 |
Version 22.1.484 (Service Pack)
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFND-56610 | NGAV Anti-Malware | On machines running Linux and macOS operating systems, when adding an exclusion that ended with a forward slash (/), the sub-folders under the entered path were also unexpectedly excluded from Anti-Malware scans. We have resolved this issue and the sub-folders for the entered path will not be excluded from Anti-Malware scans. | Sensor and server | macOS, Linux |
DFND-56211 | Remote shell | At times, if a sensor was unable to start a Remote Shell utility session, the sensor would crash unexpectedly. We have resolved this issue and the sensors will not crash when there is a failure to start the Remote Shell utility. | Sensor and server | Windows |
DFND-53646 | Investigation | In the Investigation screen, when viewing investigation query results, if you selected the option to limit the total number of results, the results displayed per page were not always correct. We have resolved this issue and investigation query results will report totals (all total results and per page) correctly. | Server | N/A |
DFND-53600 | MalOp details, Investigation, Malware Alerts | At times, in the Malware Alerts, Investigation, and Response History screens, the full machine name for the malware alert did not display if the malware was detected in a scan. This was due to a limitation of the Windows OS API used to collect information about a machine. We have resolved this issue and the machine name displays correctly. | Sensor and server | Windows |
Version 22.1.466 (Service Pack)
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFND-23543 | NGAV | The sensor can now report file metadata to Cybereason headquarters for analysis that will impact the accuracy rate of our anti-malware engines and help reduce false positives. Open a Technical Support case to enable this feature. | Sensor and server | Windows |
DFND-41756 | User notifications | In environments that use sensor grouping, if a MalOp was triggered on a machine in a sensor group, local analysts for other groups to which the sensor was not assigned also received an email notifying that there were 0 MalOps detected. We have resolved this issue and analysts from other groups not associated with the machine in the MalOp will not receive email notifications for machines not in their assigned groups. | Server | N/A |
DFND-53308 | NGAV, Behavioral Document Protection | At times, AI-based Behavioral Document Protection triggered false positive MalOps for files that did not have a macro but contained suspicious strings of characters. We have resolved this issue and the Cybereason platform’s AI-based Behavioral Document Protection will not trigger MalOps for files with suspicious strings but no macros. | Sensor and server | Windows |
DFND-53805 | NGAV | In recent Cybereason versions, on machines using Sensor Tampering Protection, MalOps based on Variant Payload Protection or Threat Intelligence services were not generated as expected. We have resolved this issue and MalOps based on Variant Payload Protection and Threat Intelligence will generate as expected, even with Sensor Tampering Protection enabled. | Sensor and server | Windows |
DFND-54537 | Sensor logs | When retrieving sensor logs from the Sensors screen, the exclusions in the sensor policy will be decrypted as part of the retrieval operation to enable administrators to read clear text in the exclusions entries in the log. | Sensor and server | Windows |
DFND-55970 | User notifications | In recent versions, email notifications sometimes were not sent in the language set by the user for their access to the Cybereason platform. Instead, the mail notifications used the language set for the machine on which the WebApp server was running. We have resolved this issue and the mail notifications will use the user-defined language setting. | Server | N/A |
DFND-56056 | Sensor installation | In recent Cybereason versions, when trying to upgrade sensors, a Downgrade is not supported error was displayed, even though the operation was not a downgrade operation. This was due to issues with the sensor installation report that is created as part of the sensor installation/upgrade process. We have resolved this error and the downgrade message should not display. | Sensor and server | Windows |
Version 22.1.443
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFND-56196 | Sensor management | In the most recent version, in the Sensors > Overview screen, no sensor data was displayed for all connected endpoint machines. We have resolved this issue and the Overview screen will display data for all endpoint machine sensors. | Server | N/A |
Version 22.1.442 (Service Pack)
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFND-54285 | Sensor performance | On sensors on Windows machines, when the sensor collected data related to the WMI Persistent Object Element, the sensor sometimes experienced performance problems, occasionally causing the sensor program to crash. We have updated the sensor’s internal mechanism to ensure that the sensor’s performance is not affected by data collection of items related to the WMI Persistent Object Element. | Sensor and server | Windows |
DFND-54077 | Sensor installation | On recent Cybereason versions, the sensor did not install correctly on the Windows Server 2019 Core operating system. We have resolved this error and the sensor installs without issue on Windows Server 2019 Core. | Sensor and server | Windows Server 2019 Core |
DFND-53231 | Sensor performance | When using Sensor Tampering Protection in machines running Windows 7 or Windows 8, the cramtray.exe program (that runs the System Tray icon) did not start. We have resolved this issue and the cramtray.exe program will now work on machines running Windows 7 and Windows 8. | Sensor and server | Windows 7/8 |
DFND-53214 | Sensor performance | When performing a sensor installation on Linux machines running the RHEL 9.X operating system, the sensor and sensor services were unable to start after installation. We have resolved this issue and the sensor should run as normal on RHEL 9.X operating systems. | Sensor and server | Linux (RHEL 9.X) |
DFND-53149 | Sensor performance | On machines running Linux operating systems, when the sensor state changed (such as from crash recovery state to normal state), the sensor had to restart its process, which at times may cause the sensor to crash during process shutdown. As most of the sensor parts were shut down already, a crashdump could have been created in the root directory (/), which led to exhaustion of endpoint storage. We have resolved this issue and the sensor should never create coredump files (if any) at the wrong location. | Sensor and server | Linux |
DFND-52505 | Device Control | In recent Cybereason versions, when you enabled Device Control in a sensor policy, if you set the Device Control mode for devices to Read only, the Device control mode reported in the Sensors screen for sensors assigned to this policy was Disabled instead of Enabled. We have resolved this issue and updated the logic used by the server for the Read only mode for devices to report that Device Control is enabled instead of disabled. | Server | N/A |
DFND-269 | Endpoint Controls | The Device control screen enables system and security admins to view Device control events and easily monitor the usage of USB devices across their environment. This feature is currently in beta stage. Contact your Customer Success Manager to gain access to this feature. | Server | Windows |
Version 22.1.422 (Service Pack)
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFND-52505 | Device Control | In recent Cybereason versions, when you enabled Device Control in a sensor policy, if you set the Device Control mode for devices to Read only, the Device control mode reported in the Sensors screen for sensors assigned to this policy was Disabled instead of Enabled. We have resolved this issue and updated the logic used by the server for the Read only mode for devices to report that Device Control is enabled instead of disabled. | Server | N/A |
DFND-51716 | NGAV | On sensors using Behavioral Document Protection AI, sensors did not report the behavior ID to the Cybereason Detection server as part of the event details for the detected event. In turn, the Behavior ID associated with the detected event was not included in the MalOp details or Investigation screens for analysts to understand the event. We have resolved this issue and the event behavior ID is now reported by the sensor and included in the MalOp details and Investigation query results for a detected event. | Sensor and server | Windows |
DFND-50950 | Sensor upgrade | When upgrading from 20.1 versions to the latest Cybereason versions, the sensor did not start due to an issue with upgrade of files required by the sensor and the sensor services. We have resolved this issue and all files will upgrade successfully and allow the sensor and sensor services to start and run as expected. | Sensor and server | Windows |
DFND-50501 | Sensor installation | If you ran the installer package for the sensor from a network drive (instead of a local drive), the installation failed with an error about the sensor installer being unable to verify the certificate of the bundle. We have resolved this issue and you can run the sensor installer from a network drive also. | Sensor and server | Windows |
DFND-50468 | Data collection, Linux sensors | On environments with sensors running Linux operating systems, at times the Investigation screen would report strange and unexplained connection and port details that did not match the real connection details (i.e. the IP addresses for the connections). We have resolved this issue and updated the configuration used by the sensor around collecting communication data to ensure that the details reported about communication on Linux machines are collected and reported correctly. | Sensor and server | Linux |
DFND-50390 | NGAV | When using canary-based Anti-Ransomware, if a command was added to the Anti-Ransomware exclusions, the command continued to be detected and reported as a detection by the Cybereason platform. This is due to the fact that the Anti-Ransomware exclusions only stopped the suspension of the excluded command (but still detected the performance of the command). We have updated the flow used by the Cybereason platform when adding an Anti-Ransomware exclusion to both not suspend the command and not detect the performance of the command entered in the exclusions. | Server | N/A |
DFND-50131 | Investigation | In the Investigation screen, when exporting query results, the time for different items in the CSV is now represented in the local time shown in the investigation screen instead of GMT. | Server | N/A |
DFND-47231 | Sensor management | In the Sensors screen, when you used the search to find sensors that had a group assignment of Dynamic or Manual, the filtering did not work correctly. We have resolved this issue and filtering by sensor groups works as expected. | Server | N/A |
Version 22.1.401 (Service Pack)
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFND-49876 | Investigation | In Japanese environments, when exporting query results to a CSV file, the exported CSV file did not include the AM or PM designation on times. We have resolved this issue and the exported CSV files will now include the AM or PM with the time. | Server | N/A |
DFND-49398 | Malops management | In Japanese environments, in the MalOp details screen, we have updated the string 件を開始 (as part of the Process started/ended) to を開始 to make the string a more accurate translation. | Server | N/A |
DFND-49165 | Sensor performance | When upgrading sensors on Windows machines from recent versions, the sensor would not run as expected due to repeated crashes in the minionhost.exe process. We have resolved this issue and the sensors will upgrade successfully without the repeated crashes. | Sensor and server | Windows |
DFND-49016 | Malops management | In the MalOp details screen, if you selected the View activity since remediated option, no additional data displayed even though there had been associated activity for that MalOp. We have updated the View activity since remediation option to View activity since closed to more accurately reflect what the option displays. | Server | N/A |
DFND-48850 | Sensor installation | When installing Linux sensors, at times you would see warning messages in the installation logs about missing libraries, even though the sensor was working properly and the library may have been installed on the machine. We have updated the sensor installation logic and these warnings will be reported in a more meaningful way or not reported at all in some cases. | Sensor and server | Linux |
DFND-48616 | User roles | In a sensor policy, users with the System Viewer role were unable to scroll and view the full list of exclusions available in the sensor policy. We have resolved this issue and users with this role will be able to scroll and see policy exclusions, not just the few exclusions that display in the first few rows of the table. | Server | N/A |
DFND-48512 | Sensor upgrade | In the most recent version, in some cases, when performing a sensor upgrade the sensor upgrade did not work and remained in progress indefinitely. We have resolved this issue and sensor upgrades will work properly. | Sensor and server | All |
DFND-47486 | Device Control | In the Device Control screen, at times, events that were reported on endpoint machines did not display on the Device Control screen. We have resolved this issue and events reported on the endpoint machine will also report on the Device Control screen. | Sensor and server | Windows |
DFND-47146 | Remediation | We have updated the logic used by the Cybereason platform’s file quarantine feature to ensure that the sensor cannot quarantine sensor-related files. | Sensor and server | All |
DFND-21874 | User roles | Users with the Sensor Admin L1 role can now assign sensors to any group and remove sensors from any group to which they have permissions. | Server | N/A |
DFND-6192 | Malops | We have made some adjustments to how the Cybereason platform retains data, especially related to MalOp details, to reduce the time for a MalOp to be generated and to ensure that as many details for the MalOp are reported in the MalOp details. | Server | N/A |
Version 22.1.341 (Service Pack)
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFND-28668 | Custom detection rules | To help you build more useful custom detection rules, you can add Registry Event and File Event Elements in the rule logic. | Server | N/A |
DFND-44580 | Sensor upgrade | In recent versions, in some rare cases, when upgrading a sensor that had Behavioral Execution Prevention enabled, the sensor experienced a blue screen crash on a Windows machine and was unable to be used or restarted. We have resolved this error and machines with these options will upgrade without issues. | Sensor and server | Windows |
DFND-46703 | Sensor installation | The Repair option has been removed from all sensor installer workflows. This option is not supported by the Cybereason platform. | Sensor and server | Windows |
DFND-46902 | Behavioral Execution Prevention | When using Behavioral Execution Prevention, the cmstp_abnormal_execution and msexchange_owapool_webshell rules were causing the Cybereason platform to generate MalOps that were false positive MalOps. We have resolved this issue and these rules should no longer generate MalOps that are false positive. | Sensor and server | Windows |
Version 22.1.324
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFND-44095, DFND-43409 | MalOps | We have made some adjustments to how the Cybereason platform retains data, especially related to MalOp details, to reduce the time for a MalOp to be generated and to ensure that as many details for the MalOp are reported in the MalOp details. | Server | N/A |
Version 22.1.322 (Service Pack)
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
DFND-44095, DFND-43409 | MalOps | We have made some adjustments to how the Cybereason platform retains data, especially related to MalOp details, to reduce the time for a MalOp to be generated and to ensure that as many details for the MalOp are reported in the MalOp details. | Server | N/A |
DFND-38707 | Mac sensors, NGAV | In recent Cybereason versions, in some cases, on machines running macOS, scans were not performed correctly (including quick and full scans as well as scheduled scans). We have resolved this error and scans will work as expected on macOS machines. | Sensor and server | macOS |
DFND-44363 | Sensor performance | When performing an installation, upgrade, or uninstallation of a sensor on Windows machines, the Cybereason installer caused applications that use the Powereason.dll file to shut down or restart due to the installer needing to access shared locker files used by the other programs. We have updated the installer program configuration to resolve this issue, so that other programs will work as expected during installation, upgrade, or uninstallation. | Sensor and server | Windows |
DFND-45952 | Data collection | In cases where the sensor collected a process name in a different case than the actual process name on a machine, and the command line for the process contained double quotes, in the various places in the MalOp details and Element details, the process name was reported incorrectly or had characters removed from the process name. We have resolved these errors to ensure that the process name is reported consistently. | Server | N/A |
DFND-46239 | Device Control | In the Endpoint Controls section of a sensor policy, when adding a device to the allowed devices list, if the device name had more than 1 underscore character in the name, the device was not blocked or allowed correctly as set in the sensor policy. We have resolved this issue and updated the configuration for parsing device names and devices should be blocked or allowed as set in the policy even with extra underscore characters. | Sensor and server | All |
DFND-46765 | NGAV | When using NGAV on an endpoint machine, as a non-admin user on the machine, if you clicked the prompt from Windows Security Center to update the Cybereason signatures database, a command window continued to display on the machine (while the update ran in the background), disrupting the work of the endpoint machine user. We have resolved this issue to ensure that the signature database update does not interfere with normal machine usage. | Sensor and server | Windows |
Version 22.1.303 (Service Pack)
Issue | Area | Description | Required Update | Supported OS |
---|---|---|---|---|
N/A | NGAV | Predictive Ransomware Protection is now generally available. This new type of ransomware protection uses a multi-layered detection mechanism to identify typical ransomware behavior and prevent unknown strains of ransomware. This feature now appears by default in the Sensor Policy screen. The legacy Anti-Ransomware feature is still available, and should be used for sensor versions prior to 22.1.303. Important: Please make sure to update your sensors to the latest version before enabling Predictive Ransomware Protection, to avoid endpoint compatibility issues. | Sensor and server | Windows |
N/A | EPP Dashboard | In environments with the new Data Platform infrastructure, the EPP Dashboard screen is now generally available. | Server | N/A |
DFND-44828 | Sensor installation | You can now uninstall sensors from the Sensors screen even for sensors with Sensor Tampering protection enabled. | Sensor and server | Windows |
DFND-37258 | Server performance | When trying to view any of the tabs in the System screen (such as System > Sensors, System > Overview, and so forth), sometimes the Cybereason UI experienced unexpected performance with slow load times, such as when many different remediation requests were performed in a short time period. We have resolved this error and screens in the Cybereason UI should load even when other requests are being processed by the Cybereason platform’s servers. | Server | N/A |
DFND-39353 | Sensor installation/upgrade | When performing the steps required for mitigation of the CVE-2013-3900 vulnerability, it was not possible to install or upgrade sensors on the machine. We have resolved this issue and you can install/upgrade sensors on a machine even with the mitigations for CVE-2013-3900 applied on a machine. | Sensor and server | Windows |
DFND-43432 | Mac sensors | In random cases, on sensors running on macOS machines, when the machine restarted, the Anti-Malware > Signatures database reverted to the first version instead of maintaining the current version. This resulted in unnecessary redownloads of the signatures database to the sensor. We have resolved this issue and the Signatures database version is persisted after the machine restart. | Sensor and server | macOS |
DFND-43494 | Mac sensors | In recent Cybereason versions, when upgrading sensors through the System > Sensors screen, for sensors running on macOS with 2-way SSL enabled, after the upgrade the sensors were unable to connect to the Cybereason platform. We have resolved this issue and all Mac sensors using 2-way SSL are able to successfully connect to the Cybereason platform after upgrade. | Sensor and server | macOS |
DFND-43754 | Linux sensors, Proxy | On Linux sensors, when proxy connection details were added for a sensor with a personalized sensor, the Anti-Malware Signatures service on the sensor did not receive the proxy connection settings and required a restart of the sensor for the proxy connection settings to take effect. We have fixed this issue and the proxy connection settings propagate to the Anti-Malware service correctly. | Sensor and server | Linux |
DFND-43950 | Detection rules, MalOp details | In some cases, associated suspicions for some MalOps were not included in the MalOp details. As a result, you were not able to see the full scope of the MalOp and related activity and prioritize the analysis and triage appropriately. We have resolved this issue and related suspicions for MalOps should always be part of the MalOp details for MalOps. | Server | N/A |
Version 22.1.285
This version contains all the items in version 22.1.282 and the items in the table below:
Issue | Area | Description | Required Update | Sensor OS |
---|---|---|---|---|
DFND-46765 | NGAV | When using NGAV on an endpoint machine, as a non-admin user on the machine, if you clicked the prompt from Windows Security Center to update the Cybereason signatures database, a command window continued to display on the machine (while the update ran in the background), disrupting the work of the endpoint machine user. We have resolved this issue to ensure that the signature database update does not interfere with normal machine usage. | Sensor and server | Windows |
Version 22.1.282 (Service Pack)
Issue |
Area |
Description |
Required Update |
Sensor OS |
---|---|---|---|---|
DFND-35140 |
Sensor installation |
We have updated the various screens used in the sensor installation wizard to ensure that the proper Cybereason logo is used in all screens. |
Sensor and server |
All |
DFND-37373 |
Sensor upgrade |
We have updated the sensor upgrade configuration used by the Cybereason platform to retry a sensor upgrade if the initial upgrade request fails. Previously, if an upgrade request failed, the platform reported an error and you needed to manually resolve the error. |
Sensor and server |
Windows |
DFND-33652 |
Sensor installation/upgrade |
In the latest Cybereason version, after uninstalling a sensor from an endpoint machine with the Uninstall action in the Actions menu in the Sensors screen, the Sensors screen did not update the sensor’s status to reflect a successful uninstallation. We have resolved this issue and the sensor uninstall reports correctly. |
Server |
Windows |
DFND-39356 |
Detections |
In recent versions, the Cybereason platform did not always detected process injections - both injection into processes and processes injecting into other processes) correctly. We have updated the configuration for this detection and related sensor collections to improve the accuracy of these detections. |
Sensor and server |
Windows |
DFND-39625 |
Sensor performance |
In some cases, the sensor was stuck in a loop of repeated crashes of the sensor program (minionhost.exe), possibly from issues with WMI on the endpoint machine. We have updated the sensor program configuration to continue to work in these situations, and the sensor should not continue to have crash loops if there are WMI issues on the machine. |
Sensor and server |
Windows |
DFND-40093 |
Sensor logs |
In the latest Cybereason, after running an on-demand scan on an endpoint machine, log entries for the scan on the endpoint machine contained strange characters that did not help understand the log entry about the scan. We have resolved this issue and strange characters should not be part of the scan logs on the endpoint machine, which will allow you to use the log entries effectively. |
Sensor and server |
Windows |
DFND-39979 |
Sensor tagging |
When adding sensor tags by uploading a CSV file, if the CSV file contained more than 10,000 rows, some sensors did not get sensor tags, with an unknown entity id error message reported. We have updated the sensor tag upload flow to successfully upload CSV files with more than 10,000 rows. |
Server |
N/A |
DFND-40164 |
Device Control |
On endpoint machines, when the Device control mode was set to Read only in the associated sensor policy for the machine, the machine continued to display a notification indicating that a USB device was blocked (although the machine user was able to access and read the device properly). We have resolved the issue and this notification is no longer displayed on the machine. |
Sensor and server |
Windows |
DFND-40466 |
Machine isolation |
In rare cases in environments that use DHCP connections, when isolating an endpoint machine, the endpoint machine stayed offline permanently and was unable to communicate with Cybereason servers or rejoin the network in any way. We have resolved this issue to address the issue of DHCP connections on isolated machines so that the machines do not stay offline permanently. |
Sensor and server |
Windows |
DFND-40512 |
Data collection |
When viewing details on Services (such as the image file path or the command line arguments), the details for Service Elements were often reported incorrectly or incompletely in the Element Details screen. We have updated the configuration used by the sensor collector and details about Services are collected and reported accurately in the Element Details screen. |
Sensor and server |
Windows |
DFND-40641 |
Sensor upgrade |
When upgrading multiple sensors through the Sensors screen, the Action log would report an upgrade failure for some of the machines even though the sensors were successfully upgraded (as seen in the sensor information in the sensor grid). We have resolved this issue and the Action log report matches the actual sensor upgrade status. |
Server |
N/A |
DFND-40693 |
Reputations |
When viewing reputations in the Reputations screen, if you tried to sort the table of reputations by the Description column, a message was displayed, claiming that there were no reputations in the platform. We have resolved this issue and you can now sort by the Description column without issue. |
Server |
N/A |
DFND-40929 |
Sensor installation |
In the latest Cybereason version, if you downloaded the sensor installation package to a location where the file path contained Unicode characters (such as Japanese characters), the sensor installation/upgrade failed. We have resolved this issue and the installation should work with Unicode characters in the installation path. |
Sensor and server |
Windows |
DFND-40981 |
Personal Firewall Control |
When creating custom firewall rules for inbound and outbound communication in the Endpoint Controls section of your sensor policy, the communication was not blocked on the specified ports on Linux machines. We have resolved this issue and the communication on Linux machines is now blocked according to the custom firewall rules. |
Sensor and server |
Linux |
DFND-41099 |
Sensors for Linux |
When trying to connect to the Global Update server through a proxy connection (configured in the installed sensor package through sensor personalization), sensors on Linux machines were not able to access the Global Update server successfully. We have resolved this issue and you can now connect Linux machines to the Global Update server through a proxy connection. |
Sensor and server |
Linux |
DFND-41102 |
Sensor performance |
On some machines, a number of empty Cybereason processes were created due to crashes in sensor-related processes. These extra processes caused performance issues on the machine. We have resolved this issue and these extra processes should not appear even when sensor processes crash or have other issues. |
Sensor and server |
Linux |
DFND-41183 |
Behavioral allowlisting |
When building a Behavioral allowlisting rule, you can click Preview to see how many existing MalOps would be allowed by this rule. Previously, when you clicked Preview, the Cybereason platform retrieved all MalOps with the matching root cause to check the impact of the rule. If you had a large number (such as thousands) of MalOps, the Cybereason UI would not be able to load due to a timeout issue. We have updated the platform configuration for the Behavioral allowlisting screen to limit the total number of previewed MalOps to 500 MalOps. |
Server |
N/A |
DFND-41517 |
Sensor installation/upgrade |
We have resolved this issue and you can now install or upgrade sensors as expected on Windows machines. |
Sensor and server |
Windows |
DFND-41637 |
Sensor installation |
When performing sensor installation on machines running supported versions of Ubuntu or Debian Linux, there were a number of errors reported during the installation process. We have resolved these issues and installation on these operating systems runs without error. |
Sensor and server |
Ubuntu/Debian Linux |
DFND-40989, DFND-41723 |
NGAV |
If you added a local update server URL to the Anti-Malware settings in a sensor policy, and then updated the policy settings or assigned a sensor to a different policy, the local update server settings on the endpoint machine retained the previous URL from the first policy instead of updating to the new URL settings. We have resolved this issue and changes in the local update server URL from the policy are propagated to endpoint machines correctly. |
Sensor and server |
Windows |
DFND-41871 |
Sensor performance |
When performing an installation, upgrade, or uninstallation of a sensor on Windows machines, the Cybereason installer caused applications that use the Powereason.dll file to shut down or restart due to the installer needing to access shared locker files used by the other programs. We have updated the installer program configuration to resolve this issue, so that other programs will work as expected during installation, upgrade, or uninstallation. |
Sensor and server |
Windows |
DFND-42287 |
Sensor installation |
On the latest versions, when installing or upgrading a Linux sensor, the endpoint machine experienced decreased performance with above-average CPU usage on the machine. We have resolved this issue and the performance on Linux machines falls within expected performance guidelines. |
Sensor and server |
Linux |
DFND-42414 |
MalOps management |
In environments with sensor grouping enabled, at the top of the Malops management screen, when you viewed the graphs for total MalOps and total machines, the graphs reported incorrect numbers that did not filter out machines and MalOps not related to the selected group. We have resolved this issue and the graphs should display correct totals when a group is selected in the Malops management screen. |
Server |
N/A |
DFND-42766 |
NGAV |
When adding domain exclusions for Fileless Protection (in the Fileless Protection > Domain exclusions section of the sensor policy), if a machine had a slower network connection or performance, the exclusion details did not propagate to the endpoint machine before the timeout period and domains were blocked when they should have been allowed. We have resolved this and Domain exclusions will propagate correctly for all endpoint machines. |
Sensor and server |
Windows |
Version 22.1.248 (Service Pack)
Issue |
Area |
Description |
Required Update |
Supported OS |
---|---|---|---|---|
DFND-34311 |
Reputations |
We have added the ability to specify sensor groups for item reputations in your environment. When you add or update an item’s reputation, you can specify if the reputation should apply to a single group or all groups in your environment. This feature is disabled by default. Open a Technical Support case to get access to this feature. |
Server |
N/A |
N/A |
Malop remediation history |
To help you better understand and analyze all remediation actions in your environment, we have added the Response History screen. This screen shows all response actions, on all machines, taken by all users. This feature is not generally available. Contact your Customer Success Manager to gain access to this feature. |
Server |
N/A |
DFND-23077 |
MalOps management |
When loading MalOps created based on a Logon Session Element (MalopLogonSession), the Malops management screen unexpectedly reported an error and was unable to load the MalOp. We have resolved this error to ensure all the data related to the MalOp can load and MalOps based on Logon Sessions load without issue. |
Server |
N/A |
DFND-30783 |
MalOps management |
In environments with the new Data Platform, in the Malops management screen, Endpoint Protection MalOps and MalOps created from custom detection rules did not display the detection description in the MalOp details. We have resolved this issue and the detection description displays for all MalOps. |
Server |
N/A |
DFND-34499 |
MalOps management |
In the Malops management screen, if your environment uses the newer Data Platform, if the Malop had a state of Reopened, the Investigation status displayed an incorrect value. We have resolved the issue and the correct Investigation status displays for Malops with the Reopened state. |
Server |
N/A |
DFND-35383 |
MalOps management |
In the Malops management screen, if your environment uses the newer Data Platform, you could not filter by MalOps with a state of Reopened. We have resolved the issue and the filter for Reopened works as expected. |
Server |
N/A |
DFND-36377 |
Sensor management |
At times, the System > Sensors screen did not load due to a request to view a large number of sensors (tens of thousands). We have resolved this issue and updated the server configuration to limit the number of sensors retrieved in a single request, which helps the page load properly. In particular, the /rest/sensors/query API endpoint now has a maximum limit of 30,000 sensors in a single request. |
Server |
N/A |
DFND-37901 |
Sensor upgrade |
On some supported Linux operating systems (such as RHEL 6 or CentOS 6), upgrades failed due to the sensor upgrade installer not being able to find the correct services. We have resolved this error and upgrades on all supported Linux operating systems work properly. |
Sensor and server |
Linux |
DFND-38121 |
Sensor upgrade |
When upgrading sensors from older versions that used the cybereason-av service, the service was not removed from the machine with the upgrade version installation, causing sensor performance issues. We have resolved this issue and the upgrade removes old versions of the sensor services on upgrade. |
Sensor and server |
Windows |
DFND-39136 |
Sensor performance |
In some cases, when Sensor Tampering protection was enabled on sensors, users had delays in performing network operations remotely from the machine. We have resolved this issue and network operations should not be affected when Sensor Tampering protection is enabled. |
Sensor and server |
Windows |
DFND-40466 |
Machine isolation |
In rare cases in environments that use DHCP connections, when isolating an endpoint machine, the endpoint machine stayed offline permanently and was unable to communicate with Cybereason servers or rejoin the network in any way. We have resolved this issue to address the issue of DHCP connections on isolated machines so that the machines do not stay offline permanently. |
Sensor and server |
Windows |
DFND-40641 |
Sensor upgrade |
When upgrading multiple sensors through the Sensors screen, the Action log would report an upgrade failure for some of the machines even though the sensors were successfully upgraded (as seen in the sensor information in the sensor grid). We have resolved this issue and the Action log report matches the actual sensor upgrade status. |
Server |
All |
DFND-41517 |
Sensor installation/upgrade |
In the latest Cybereason version, on Windows machines, you were unable to install or upgrade sensors due to a certificate error warning from Microsoft for a specific Microsoft policy configuration. We have resolved this issue and you can now install or upgrade sensors as expected on Windows machines. |
Sensor and server |
Windows |
Version 22.1.228 (Service Pack)
Issue |
Area |
Description |
Required Update |
Supported OS |
---|---|---|---|---|
N/A |
Investigation |
Environments with the newer platform architecture can now use the contains and does not contain operators when constructing queries instead of matches pattern and does not match pattern. |
Server |
N/A |
DFND-32203 |
Attack Tree |
At times, if the Attack Tree contained a large number of processes in the tree (both parent/ancestor and child/descendant processes), the Attack Tree did not load at all. We have updated the configuration used by the Cybereason platform to load the Attack Tree with a partial list of processes, even when the Tree contains a large number of processes. |
Server |
N/A |
DFND-37373 |
Sensor upgrade |
We have updated the sensor upgrade configuration used by the Cybereason platform to retry a sensor upgrade if the initial upgrade request fails. Previously, if an upgrade request failed, the platform reported an error and you needed to manually resolve the error. The sensor performs this retry up to five times. This feature is not generally available. Contact your Customer Success Manager to gain access to this feature. |
Sensor and server |
Windows |
DFND-31144 |
Sensor Performance |
In some cases, the sensor created multiple icons in the taskbar for a single sensor. We have resolved this error and the sensor displays only a single icon in the taskbar of the machine. |
Sensor and server |
Windows |
DFND-33658 |
Sensor uninstallation |
In the latest Cybereason version, after uninstalling a sensor from an endpoint machine with the Uninstall action in the Actions menu in the Sensors screen, the Sensors screen did not update the sensor’s status to reflect a successful uninstallation. We have resolved this issue and the sensor uninstall reports correctly. |
Server |
N/A |
DFND-35360 |
Malop comments |
In environments using the new Data Platform, when adding a comment to a Malop in non-English languages (such as Japanese), the comments were displayed in the Malop with strange characters instead of the proper language characters. We have resolved this issue and comments should display correctly. |
Server |
N/A |
DFND-36206 |
Investigation |
When adding filters for Elements in an investigation query, for some Elements, unexpected filters, such as {{$ctrl.feature.translatedName}} were added as filters. We have resolved this issue and no unexpected filters should be available for Elements when building queries. |
Server |
N/A |
DFND-36241 |
Personal Firewall Control |
When adding custom firewall rules through a CSV file, you were unable to later edit the rule through the firewall rules table in your sensor policy. We have resolved this issue and you can now edit firewall rules even when they are created through a CSV file. |
Server |
N/A |
DFND-37217 |
Sensor upgrade |
In the latest Cybereason version, after performing a sensor upgrade, the value of the Last update status column in the System > Sensors screen did not update correctly to report the successful upgrade. We have resolved this issue and upgrade statuses for a successful upgrade report correctly. |
Server |
N/A |
DFND-37403 and DFND-37067 |
Sensor Performance |
On sensors on Linux machines, some machines reported very high memory and CPU usage. We have resolved this issue and sensors on Linux machines should run as expected with normal performance. |
Sensor and Server |
Linux |
Version 22.1.210
Feature |
Description |
Required Update |
OS |
---|---|---|---|
Communication |
TLS 1.3 is now supported for communication between sensors and servers. |
Sensor and server |
All |
Investigation |
In Cybereason versions 22.1.168 and later, investigation queries may have had unexpected loading times and results. We have resolved this issue and queries should load with appropriate performance times (relative to the amount of data being retrieved) and with correct results. |
Server |
N/A |
Investigation |
When adding filters for Elements in an investigation query, for some Elements, unexpected filters, such as {{$ctrl.feature.translatedName}} were added as filters. We have resolved this issue and no unexpected filters should be available for Elements when building queries. |
Server |
N/A |
MalOps |
Sometimes, when viewing the Malop details, the description was reported as NULL. We have updated the server configuration to better ensure that the MalOp description reports an actual description instead of an empty NULL value. |
Server |
All |
MalOps |
In environments using the new Data Platform, Malops were not being created for malicious logon sessions. This issue has been resolved and all MalOps are created as expected. |
Server |
N/A |
MalOps management |
In the MalOps management screen, when exporting the list of MalOps, we have added the Affected machines count and Affected users count columns to the exported CSV file to enable you to see how many machines and users are associated with a MalOp. |
Server |
All |
MalOps management |
To help you review the MalOps in the MalOps management screen, we have increased the number of MalOps you can view on a page. By default, the Malops management screen displays 50 MalOps. You can also select to view 100, 250, or 500 MalOps per page. |
Server |
All |
MalOps management |
In the MalOps management screen, for the Detection engine filter, we have added options for Behavioral Execution Prevention and Application Control to find MalOps detected by Behavioral Execution Prevention and Application Control engines. |
Server |
All |
Malops management |
In the MalOps management screen, if you are using the newer Data Platform, when you open a MalOp, it now opens in a separate tab. |
Server |
All |
MalOps management |
In the MalOps management screen, if your environment uses the newer Data Platform, when you exported the MalOp list, in the exported CSV list, the values for the Labels column were incorrect. We have resolved this issue and the proper labels you have added in the MalOps management screen are reported in the Labels column of the CSV file. |
Server |
All |
MalOps management |
In the MalOps management screen, if your environment uses the newer Data Platform, you did not have the option to add additional columns in the MalOps grid. We have resolved this issue and you now have the option to add columns in the grid. |
Server |
All |
Malops management |
In environments using the new Data Platform, when adding a comment to a Malop in non-English languages (such as Japanese), the comments were displayed in the Malop with strange characters instead of the proper language characters. We have resolved this issue and comments should display correctly. |
Server |
N/A |
DFIR |
Users that have the Local Responder role in environments with sensor grouping can now use the Live File Search screen. When you perform a live file search in these environments, each Local Responder will see the results from machines in the groups to which the user is assigned. |
Server |
All |
MalOps notifications |
MalOps notification emails now include the environment name in the Subject of the email. For example: MalOp Report for: <xyz.cybereason.net>. |
Server |
All |
Attack Tree |
We have added to improve attack tree loading times, most notably when the Attack Tree has a large number of child processes and suspicious processes. |
Server |
N/A |
NGAV |
On demand scans on the endpoint (Right-click scan and CLI scan) are now generally available. These features are now enabled by default. Learn more. |
Sensor |
Windows |
NGAV |
The Predictive Ransomware Protection feature is in beta phase. This new type of ransomware protection uses a multi-layered detection mechanism to identify typical ransomware behavior and prevent unknown strains of ransomware. Contact Support to enable this feature. Learn more |
Sensor and Server |
Windows |
NGAV |
The Anti-Malware > Artificial Intelligence mode can now scan .NET files. This feature is in beta phase. Open a Technical Support case to enable it. |
Sensor |
Windows |
Sensor grouping |
When creating assignment logic for sensor groups, based on the OS versions filter option, when you begin entering a string for the operating system, the Cybereason platform automatically displays a list of possible supported operating systems to help you more easily select and enter the operating system correctly. |
Server |
All |
Sensor management, notifications |
At times, the Cybereason platform sent email notifications for sensors that were manually unarchived (as opposed to automatic unarchive due to platform settings). For example, if you manually unarchived a sensor, the platform would still send a notification that the sensor was archived. We have resolved this issue and you should not receive email notifications about a sensor being archived even though it was unarchived. |
Server |
All |
Sensor management |
We have updated the Signature mode current status column in the Sensors screen to Signatures mode state. |
Server |
N/A |
User management |
When selecting the Super User roles for a user, if the user already had the Responder L2 role, the Responder L2 role was changed to Responder L1 instead. We have resolved this issue and when you select Super user, all roles are selected. |
Server |
N/A |
Sensor performance |
On sensors on Linux machines, some machines reported very high memory and CPU usage. We have resolved this issue and sensors on Linux machines should run as expected with normal performance. |
Sensor and server |
Linux |
Sensor performance |
On some machines, a number of empty Cybereason processes were created due to crashes in sensor-related processes. These extra processes caused performance issues on the machine. We have resolved this issue and these extra processes should not appear even when sensor processes crash or have other issues. |
Sensor and server |
Windows |
Sensor performance |
In some cases, the sensor created multiple icons in the taskbar for a single sensor. We have resolved this error and the sensor displays only a single icon in the taskbar of the machine. |
Sensor and server |
Windows |
User roles |
We have updated the requirements for the Responder L2 role to no longer require two-factor authentication or SSO. |
Server |
All |
Process collection |
To help you better analyze Malops and investigation queries, we have added the Architecture field to the Process details section in the Element Details screen you view for investigation query results. If there is no value for the Architecture Feature for the process, this field is not displayed. |
Server |
All |
Process collection |
We have added a number of Features to the Process Element to help you understand more about protected processes:
You can see these Features (if there is data available) in the Element details screen, and these are available as columns in the Investigation screen. |
Sensor and server |
Windows |
Process collection |
For processes, we now collect the Logon Session UID from the machine. |
Sensor and server |
Windows |
Endpoint controls |
When adding custom firewall rules through a CSV file, you were unable to later edit the rule through the firewall rules table in your sensor policy. We have resolved this issue and you can now edit firewall rules even when they are created through a CSV file. |
Server |
N/A |
Version 22.1.187
Feature |
Description |
Required Update |
OS |
---|---|---|---|
NGAV |
The Variant Payload Protection feature is now generally available for all environments. As a result, you no longer need to have Technical Support enable this feature in your sensor policy. Learn more |
Sensor and server |
Windows |
NGAV |
In this version, there is a minor known issue for Variant Payload Protection for environments with Data Platform: It is not possible to filter for Variant Payload Protection MalOps from the MalOps Management screen. To view such MalOps, use the ‘Detection module > All MalOps’ filter. |
Sensor and server |
Windows |
File events collection |
We have updated the file events enablement configuration to better collect appropriate security data from your environment without having a negative effect on sensor and server performance. These changes include:
In addition, we have removed the Moderate and Aggressive modes from the sensor policy to ensure you collect the correct data for security purposes. Learn more |
Sensor and server |
Windows |
SHA-based prevention support |
Prevention of SHA-1 and SHA-256 file hash values is now enabled by default. You now no longer need to contact Technical Support to enable this feature. |
Sensor and server |
Windows |
NGAV |
Users can initiate on demand scans of files, folders and drives on the endpoint itself. Users can right-click a file, folder or drive to perform a scan. Users can also use the Command Line to perform a full scan, quick scan, or scan of a specific path. Learn more |
Sensor |
Windows |
NGAV exclusions |
In log files, we now obfuscate any NGAV exclusions to prevent malicious attackers from viewing the items that are excluded from NGAV inspections. |
Sensor and server |
Windows |
NGAV |
To help you troubleshoot problems with your NGAV coverage and status, we have added a Disabled - Network Error status if there are network issues on your machines (such as proxy communication problems, firewall access issues, and so forth) in the Signature mode current status and Last signatures update status in the System > Sensors screen. |
Sensor and server |
Windows |
Sensor infrastructure |
When upgrading to this version, the ProtectedService.exe process is renamed CrEX3.exe. |
Sensor and server |
Windows |
Sensor policies |
For sensors in the most recent version, sensors reported non-compliance for certain sensors, even though no sensor settings had changed. We have resolved this issue and sensor setting compliance is reported correctly for these sensors. |
Sensor and server |
All |
Version 22.1.168
Feature |
Description |
Required Update |
OS |
---|---|---|---|
Device control |
We now support Device Control on machines running supported macOS versions. Learn more |
Sensor and server |
macOS (All) |
Investigation |
The timeline filter (created on/existed on) located in the top right of the Investigation screen is now applied to all Elements in the query chain that have time-based components (Connection, LogonSession, MalopDetectionEvents, MalopProcess, Process). In previous versions, the timeline filter only applied to the last time-based Element in the query chain. Learn more |
Server |
N/A |
MalOp remediation |
You can now automatically add an unquarantined file to the allowlist when responding to a MalOp. Learn more |
Server |
All |
Machine isolation |
Users can now create machine isolation exception rules that include IP address ranges and multiple ports, in addition to specific IP addresses. Learn more |
Sensor and server |
N/A |
Data collection |
We have updated the configuration used by the process collection mechanism for sensors for Windows to ensure the sensor collects information about short-lived processes, including the process command line. |
Sensor and server |
Windows |
Sensor installation |
You can now uninstall sensors on Windows machines from the System > Sensors screen. Learn more |
Sensor and server |
Windows (All) |
Sensor installation |
We now prevent the installation or upgrade of sensors on Windows 7 machines due to the fact that Sectigo code signing required for the Microsoft Virus Initiative (MVI) is not supported on Windows 7. |
Sensor and server |
Windows |
Sensor upgrade |
We have added a new New package downloaded status to the System > Sensors screen to enable you to monitor which sensors have the new sensor package for upgrade downloaded to the machine but not installed. |
Sensor and server |
Windows |
Sensor upgrade |
We have added additional verifications to the steps run during a sensor upgrade, including:
|
Sensor and server |
Windows |
User management |
When enabling or disabling two-factor authentication (TFA) for one user or all users from the Users screen, the Cybereason platform prompts you to confirm your choice before changing the TFA setting. Learn more |
Server |
N/A |
Sensor management |
To better help you understand whether you can use the Cybereason Anti-Malware > Signatures mode on an endpoint, we have added a status of Other AV Found for the new Signature mode current status column for a sensor in the System > Sensors screen. |
Sensor and server |
All |
DFIR |
If you use the DFIR package, you can use the IR Tools screen to upload, deploy, run, and view results from IR tools and forensic data ingestion tools. Learn more |
Sensor and server |
Windows, Linux |
DFIR |
If you use the DFIR package, for the Forensic data ingestion tools, we have updated the tool configuration so that the default results folder is a folder other than the default sensor folder. As a result, you can now use DFIR and the Self-Protect feature in your environment simultaneously. |
Sensor and server |
Windows, Linux |
Linux sensors |
To improve process collection on Linux machines, you can now use the eBPF framework on Linux sensors. This feature is not available by default. Contact your Customer Success Manager to get access to this feature. Learn more |
Sensor and server |
Linux (CentOS and RHEL 7.6, 7.7, 7.8, and 7.9) |
Investigation |
When exporting investigation query results to a CSV file, if you selected an option other than All data, the CSV data export did not contain all available data or missed random items in the data. We have resolved this issue and exports now work as expected with the data exported. |
Server |
N/A |
Sensor performance |
On some hypervisor virtual machines, sensors were not able to run due to a crash in the minionhost.exe process. We have resolved this issue and the sensor starts as expected. |
Sensor and server |
Windows |
User management |
When trying to add new users with an .inc domain in the email address, the Cybereason platform failed to add these users correctly. This issue has been resolved and you can add users with a .inc domain in the user email address. |
Server |
N/A |
Sensor performance |
In certain cases, when using the .NET part of Fileless protection, some programs, such as the Windows Event Viewer and PowerShell, were unable to run on the machine. We have resolved this error and programs on the machine should work as expected with Fileless Protection enabled. |
Sensor and server |
Windows |
Sensor performance |
In the latest version, in rare cases, file or folder rename operations on network shared drives failed. This issue has been resolved and all file or folder network rename operations work on the machine as expected. |
Sensor and server |
Windows |
Malop remediation, Reputations |
When using the Exclude option for a Malop, the file hash value, IP address, or domain name associated with the root cause Element was not added to the allowlist. We have resolved this issue, and when you click Exclude the value is added to the allowlist as expected. |
Server |
N/A |
Machine isolation |
On the latest version, if your environment has the new Data Platform infrastructure, you could not isolate a machine from the Element Details screen. When you clicked the Isolate button, the isolation command did not work. We have resolved this issue and you can now isolate a machine and remove the machine from isolation in these environments as expected. |
Server |
All |
Version 22.1.152
Feature |
Description |
Required Update |
OS |
---|---|---|---|
Investigation queries |
When building queries, you can join multiple values for a single Feature with an ‘AND’ operator by adding a second instance of the Feature to the filter. For example, you can add ‘Command line matches pattern abc’ and ‘Command line doesn’t match pattern xyz’ to the same filter statement to return items whose command line contains the string ‘abc’ but not the string ‘xyz’. This is because filters are joined by an implicit ‘AND’ operator. In previous versions, you could only reference an individual Feature once in a single filter statement, which only provided the ‘OR’ operator between values. Learn more |
Server |
N/A |
Registry events collection |
We have updated the registry event configuration in your sensor policy, including:
|
Sensor and server |
Windows |
Investigation queries |
The timeline filter (created on/existed on) located in the top right of the Investigation screen is now applied to all Elements in the query chain that have time-based components (Connection, LogonSession, MalopDetectionEvents, MalopProcess, Process). In previous versions, the timeline filter only applied to the last time-based Element in the query chain. Learn more |
Server |
N/A |
Sensor groups |
System administrators can change the priority order of the rules used to automatically assign sensors to groups. Previously, assignment logic was applied in chronological order of when the assignment logic was created. Learn more |
Server |
N/A |
Users screen |
We have updated the quick filters on the left of the Users screen to include all user roles. There is now an All analysts section and an All admins section populated with the relevant roles. Use these filters to quickly display relevant users with these roles. |
Server |
N/A |
Sensor upgrade |
We have updated the sensor upgrade flow to check if the machine has the proper certificates installed and uses a supported machine architecture (e.g. 64-bit vs. 32-bit). If the machine is missing the certificates or uses an unsupported architecture, the sensor upgrade will fail with details on the error. Learn more |
Sensor and server |
Windows |
Sensor upgrade |
We have updated the Last update status column in the System > Sensors screen to show an additional status of Deployed. This status will show you those sensors which have downloaded the required sensor package for the upgrade but have not installed the upgraded version. Learn more |
Sensor and server |
Windows |
System viewer role |
In this version, we added a new System viewer user role. Users with the System viewer role have read-only permissions for screens that the System admin users have access to. While users with the System viewer role can view the Cybereason platform system and sensor settings, they cannot change any settings or perform actions. Learn more |
Server |
N/A |
Anti-Malware scans |
We have updated the logs recorded when you perform an Anti-Malware scan to also report the Static Analysis prediction score for a file and the PE file type for each file. |
Sensor and server |
All |
Sensor system tray icon |
At times, the minionhost.exe process used by the sensor created multiple cramtray.exe process instances on the machine, causing a sensor error. This issue has been resolved and the processes open as expected with a single cramtray.exe process. |
Sensor and server |
Windows |
Detection rules |
Due to a change in the sensor certificate name, Attempt to manipulate Cybereason sensor false-positive detections were generated for the sensor’s amsvc.exe and activeconsole.exe processes. This issue has been resolved and these detections should no longer be created for the sensor processes. |
Server |
N/A |
Sensors screen |
When exporting details on sensors to a CSV file with the API, the list of sensors could sometimes be incomplete when exporting more than 10,000 sensors. For example, the exported file might contain 10,000 lines instead of the expected 40,000 lines. This issue has been resolved and the CSV file exports with the correct amount of data. |
Server |
N/A |
Sensors screen |
At times when an environment uses a proxy, the Internal IP address field value displayed for a sensor in the Sensors screen was 127.0.0.1 instead of the real IP address of the sensor due to the looping of the address as part of the proxy. We have updated the configuration of the sensor to report the correct IP address for the machine in the Sensors screen. |
Server |
N/A |
Behavioral allowlisting |
If you created a behavioral allowlisting rule with a special character, such as $, you were not able to later edit this rule. This issue has been resolved and you can edit allowlisting rules with special characters. |
Server |
N/A |
Remediation |
When viewing the Response History screen, if you clicked the Back button in your browser, you were returned to the default Discovery Board page, instead of the previous screen. This issue has been resolved and clicking the Back button returns you to your previous screen. |
Server |
N/A |
Linux sensors |
When trying to install sensors on Linux machines running Oracle Linux operating systems, the installation would fail as the minionhost process did not work properly. This issue has been resolved and installations on Oracle Linux machines work properly. |
Sensor and server |
Oracle Linux |
Local responder |
Previously, users with the Local Responder role had access to non-authorized sections of the Cybereason UI, including
We have updated the permissions for the Local Responder role and users with this role should no longer be able to access these parts of the Cybereason UI. |
Server |
N/A |
Version 22.1.123
Feature |
Description |
Required Update |
OS |
---|---|---|---|
Mac sensors |
To improve the collection of process information on macOS machines, we now support the macOS Endpoint Security framework with sensors on macOS machines. |
Sensor and server |
macOS |
Sensor installation |
As part of the initiative to meet MVI (Microsoft Virus Initiative) requirements, we have added a warning and logic to stop the installation when you try to install a sensor on a machine running Windows 7. This installation prevention is due to the fact that the Sectigo certificate used for the MVI compliance is not supported on Windows 7. |
Sensor and server |
Windows |
Device Control |
When using Device Control, after you disable or enable Read Only for USB devices, endpoint machine users no longer need to re-mount a USB device to ensure that the sensor enforces the Read Only policy setting. |
Sensor and server |
Windows, Linux |
Machine isolation |
By default, actions sent to offline sensors are queued for 3 days. If, after 3 days, the sensor has not come back online, the action is no longer queued and will not execute if the sensor comes back online at a later time. Now, the queued period can be customized. |
Sensor and server |
All |
System tray icon |
At times, the system tray would display multiple Cybereason icons, even though there was only the single sensor running on the machine. This issue has been resolved and the machine will only display a single icon in the tray. |
Sensor and server |
Windows |
Process information collection |
To improve and stabilize process collection, we have updated the configuration for process collection to rely only on event-driven process creation. Note that this change will not harm the information for processes created before sensor initialization. |
Sensor and server |
Linux |
Process information collection |
At times, when the sensor collected details on the command lines used by processes, the collector on the sensor would add an extra space in the command line string that was sent to the detection server. As a result, if you built a behavioral allowlisting rule to exclude the command line from creating a Malop, the behavioral allowlisting rule would not correctly trigger Malops. This issue has been resolved and the command line is collected and sent to the Detection server correctly without the extra spaces. |
Sensor and server |
Windows |
Malops management |
In the Malops management screen, only a subset of Malops were displayed when selecting the preset time filters such as Today, Last week, and so forth, due to an incorrect calculation of the time window for these preset filters. We have resolved this issue and the preset time filters correctly display all relevant Malops for these filters. |
Server |
N/A |
New group assignment logic |
You can now automatically assign sensors to groups by machine OS and FQDN values. This feature is not enabled by default. Contact your Customer Success Manager to enable. |
Server |
All |
Ability to edit groups |
You can now edit existing sensor groups. |
Server |
All |
Version 22.1.106
Feature |
Description |
Required Update |
OS |
---|---|---|---|
Sensor certificates |
Sensor binaries are now signed by a Sectigo cross certificate to meet MVI (Microsoft Virus Initiative) requirements. Learn more |
Sensor and server |
Windows |
Remote Shell |
Use of the Remote Shell utility is now supported on machines running a supported Mac operating system. This feature is not generally available. Contact your Customer Success Manager to use this feature. |
Sensor and server |
macOS |
Process collection |
To improve and stabilize process collection, we have updated the configuration for process collection to rely only on event-driven process creation. Note that this change will not harm the information for processes created before sensor initialization. |
Sensor and server |
Linux |
Sensor upgrade |
Beginning in this version, the System > Sensors screen displays various statuses for the sensor upgrade. Learn more |
Server |
N/A |
Sensors screen |
We have updated the configuration the Cybereason platform uses to display information about sensors on machines with unsupported OS versions. Now, the Sensors screen will display Other for these sensors to enable you to better filter these machines. |
Server |
N/A |
Sensors screen |
As part of the initiative to meet MVI (Microsoft Virus Initiative) requirements, we have added a warning and stop the installation when you try to install a sensor on a machine running Windows 7. This installation prevention is due to the fact that the Sectigo certificate used for the MVI compliance is not supported on Windows 7. |
Sensor and server |
Windows |
Sensor upgrade |
When trying to upgrade sensors from the Sensors screen on machines using the macOS M1 architecture, the upgrade failed. This issue has been resolved, and we have updated the server configuration for upgrades to ensure this upgrade succeeds. |
Server |
N/A |
MalOp remediation |
When responding to a MalOp with the prevent execution option in the Malop details screen, the newly created reputation item now holds the name of the file to be prevented, along with the hash value. Previous versions displayed only the hash value. |
Server |
All |
Anti-Malware exclusions |
When you have a sensor policy with the option to Quarantine malicious files selected (in the Anti-Malware section of the sensor policy edit screen), if you have a MalOp with a quarantined file that you mark to Exclude, it was not possible to remove the quarantined file from the quarantine file location. This issue has been resolved and you are now able to remove the file from quarantine. |
Server |
N/A |
Anti-Malware service |
In rare cases, the Anti-Malware service had recurring crashes and was not able to recover. This issue has been resolved as we improved our Windows AV service to recover in a more robust way during these rare cases. |
Sensor and server |
Windows |
Reputations |
When the Cybereason platform adds or merges multiple hash values which are pointing to the same file, the reputation list item now preserves its original ‘last updated’ timestamp. |
Server |
N/A |
Version 22.1.90
Feature |
Description |
Required Update |
OS |
---|---|---|---|
Machine timeline |
This version introduces the Machine Timeline screen, which provides additional context for an event by displaying details about sensor activity before and after the selected event, within a certain time frame. |
Server |
Windows, Mac, Linux |
NGAV |
On demand scans now scan files that contain any Unicode characters in the file name. |
Sensor and server |
Windows |
Platform license agreement |
We have updated the End User License Agreement (EULA) for the Cybereason platform. The first user to sign in to the Cybereason console after you deploy this version will be required to accept the new agreement, even if you accepted previous versions of the agreement. |
Server |
N/A |
Scaled Sensor Update Process |
The new sensor update process is now in early access, allowing you to update 1,000 sensors per hour. This feature is disabled by default. To enable this feature, contact Technical Support. |
Sensor and server |
Windows |
Sensor Management |
If you upgrade a sensor that has had proxy settings changed, after the upgrade, the proxy settings are retained. If the sensor upgrade package contains new proxy settings, the updated proxy settings override the sensor’s existing proxy settings. |
Sensor and server |
Windows |
Mac NGAV |
We’ve improved the antivirus initialization flow for sensors running on M1-based Macs. This new flow provides antivirus protection sooner in the installation/upgrade process than in previous Cybereason versions. |
Sensor |
macOS |
Sensors screen |
When upgrading from older versions (pre-20.1), some sensors were not displayed in the System > Sensors screen even though they were connected and sending data to their Detection Server. This issue has been resolved and the sensors are all reported correctly in the Sensors screen. |
Server |
N/A |
Sensors screen |
If a Detection Server was disconnected from the Web App server, the Sensors and Detection Servers screen did not load properly. This issue has been resolved and the Sensors/Detection Server screens in the Cybereason platform’s UI load properly. |
Server |
N/A |
Version 22.1.65
Feature |
Description |
Required Update |
OS |
---|---|---|---|
Behavioral Document Protection AI |
This version introduces Behavioral Document Protection (BDP) AI as part of the NGAV protection suite. BDP AI utilizes a machine learning algorithm to analyze documents to identify if they contain malicious macros. Learn more |
Sensor and server |
Windows |
Mac AV |
We improved the AV initialization flow so that it reaches a protected state even sooner. |
Sensor and server |
macOS |
NGAV |
To provide a clearer explanation of the protection it provides, we have updated the name of Behavioral execution protection to Behavioral execution prevention. |
Sensor and server |
Windows |
NGAV |
To provide a clearer explanation of the protection it provides, we have updated the name of Binary Similarity Analysis (BSA) in-memory protection to Variant payload prevention. |
Sensor and server |
Windows |
Sensor management |
We have added the Deleted by and Deleted date columns to help you understand more about a deleted sensor. |
Server |
N/A |
Remote shell |
We have updated the configuration for the Responder L2 role to ensure that users with this role can open the Remote Shell utility from the Investigation screen. |
Server |
N/A |
Sensor upgrade |
We improved the AV initialization flow so that it reaches a protected state even sooner. |
Sensor and server |
macOS |
Windows AV |
We made configuration improvements to the archive scan to prevent it from timing out. |
Sensor and server |
Windows |
Version 22.1.44
Feature |
Description |
Required Update |
OS |
---|---|---|---|
APC detection rules |
We have updated the detection rule logic for APC injections to minimize the false positive rate of this detection. |
Sensor and server |
Windows |
Sensor proxy connection |
We have updated the sensor configuration for proxy connection to better ensure that the sensor connects to the proxy when using the auto-detect mechanism on the sensor. |
Sensor and server |
Windows |
Sensor performance |
Frequently, the sensor was not able to connect to the Dynamic Sensor Connections service to get sensor content updates. This occurred when the token was expired and a new token was not downloaded. This issue has been resolved and the sensor is now able to connect to the Dynamic Sensor Connections service on a continuous basis as expected. |
Sensor and server |
Windows |
Version 22.1.27
Feature |
Description |
Required Update |
OS |
---|---|---|---|
MalOp Management |
If an affected machine in a MalOp had an undefined attribute, you could not respond to the MalOp. This issue has been resolved. |
Server |
N/A |
Version 22.1.7
Feature |
Description |
Required Update |
OS |
---|---|---|---|
Apple Silicon Mac M1 support |
The Cybereason platform supports sensors running on Apple Silicon Mac M1, M1 Max, and M1 Pro. This applies to macOS Monterey and Big Sur. In versions prior to 21.2.240, sensors running on Apple M1 Silicon (Arm) Macs required the Rosetta 2 emulator in order to run. |
Sensor and server |
macOS |
Linux AV |
If a malicious process is detected by an Anti-malware quick scan, only the malicious process is killed. Other members of the process group continue to run as normal. |
Sensor and server |
Linux |
SHA-based prevention support |
The Cybereason platform now supports prevention on Windows machines for items based on SHA-1 and SHA-256 hash values. Previous versions of Cybereason only supported prevention for MD5 hash values. This feature is disabled by default. Contact Technical Support to enable this SHA-based prevention. This feature is not generally available. Contact your Customer Success Manager to get access to this feature. |
Sensor and server |
Windows |
Predictive Ransomware Protection |
The Cybereason platform now supports a new type of ransomware protection which uses a multi-layered detection mechanism to identify typical ransomware behavior and prevent unknown strains of ransomware. This feature is disabled by default. Contact Technical Support to enable Predictive Ransomware Protection. This feature is not generally available. Contact your Customer Success Manager to get access to this feature. |
Sensor and Server |
Windows |
Sensor tampering protection |
If Enhanced Sensor tampering protection detects an attempt to tamper with the sensor, a MalOp is created. To take part in the beta phase of this feature, contact your Customer Success Manager. Learn more |
Sensor and server |
Windows |