23.1 All Features

The tables in the following sections list all the features included in every release of version 23.1.

The tables contain the following information about each feature:

  • The feature area

  • A description of the changes

  • Whether you need to update your server or sensor to the version listed

  • The supported operating systems for the machines running the sensor

  • The sensor and server versions required to utilize the feature

Note

Some features are released outside of a formal release version on a continuous basis. For details on the items added, see Continuous Delivery Features.

Version 23.1.401

Issue

Area

Description

Required Update

Supported OS

DFND-66056

MalOps management

In Japanese environments, in the MalOps management screen, the Clear sorting button was not translated into Japanese.

We have resolved this issue and the Clear sorting button will now display a Japanese string.

Server

N/A

DFND-65417

Sensor upgrade

In the most recent Cybereason version, performing an upgrade to this version led to an error requiring an unexpected restart of the machine.

We have resolved this issue and you do not need to restart after performing the upgrade.

Sensor and server

Windows

Version 23.1.361

Issue

Area

Description

Required Update

Supported OS

DFND-65045

Device Control

When adding Sony USB devices to the exclusion list for Device Control, the Sony USB devices did not successfully receive the exclusion and were incorrectly blocked according to the sensor policy settings.

We have resolved this issue and these types of devices will work on the exclusion list as expected.

Sensor and server

All

DFND-64763

Sensor upgrade

In the most recent Cybereason version, performing an upgrade to this version led to an error requiring an unexpected restart of the machine.

We have resolved this issue and you do not need to restart after performing the upgrade.

Sensor and server

Windows

DFND-58670

NGAV

At times, when Anti-Malware mode was set to Quarantine, the file was prevented successfully, but quarantine failed.

This issue was resolved, and in such cases the file is now quarantined successfully.

Sensor and server

Windows

Version 23.1.342

Issue

Area

Description

Required Update

Supported OS

DFND-62558

NGAV

In some cases, the Anti-Malware > Artificial Intelligence mode detected the cramtray.exe process used by the sensor as malicious due to a certificate issue.

We have resolved this issue and the Anti-Malware > Artificial Intelligence mode will not detect sensor processes as malicious.

Sensor and server

Windows

DFND-62101

NGAV

When viewing the Signature mode state column for sensors in the Sensors screen, at times the column mistakenly displayed the status Disabled - Network error for the signature mode update, even though the update of the signatures succeeded.

We have resolved this issue and the Signature mode state column reports the correct status.

Server

N/A

DFND-61956

Linux sensors

On machines running supported versions of the Linux operating system, the sensor would take ownership of RPM lock files on the machine.

We have resolved this issue and the sensor should not interfere with the RPM files.

Sensor and server

Linux

Version 23.1.323

Issue

Area

Description

Required Update

Supported OS

DFND-65417

Sensor installation

In the most recent Cybereason version, performing an upgrade to this version led to an error requiring an unexpected restart of the machine.

We have resolved this issue and you do not need to restart after performing the upgrade.

Sensor and server

Windows

Version 23.1.321

Issue

Area

Description

Required Update

Supported OS

DFND-60422

NGAV

In recent Cybereason sensor versions, when the Anti-Malware service was enabled, machines experienced unexpected and intermittent performance problems, such as machine crashes or blue screens on the machine.

We have resolved this issue and the machine will perform as expected with Anti-Malware enabled.

Sensor and server

Windows

DFND-59902

Syslog

In the MalOp syslog file, we now report the Product version in a syslog message. For example, a syslog entry for a MalOp created event would report CEF:0|Cybereason|Cybereason|23.2|Malop|Malop Created|10|. Previously, this value was empty.

Server

N/A

DFND-59812

MalOps management

In Japanese environments, in the MalOps management screen, when viewing details on filters or sorting above the MalOp grid, the Clear sorting string was not translated into Japanese.

We have resolved this issue and Clear sorting is displayed in Japanese as expected.

Server

N/A

DFND-59676

Sensor management

In environments with a large number of sensors, including very large numbers of archived or decommissioned sensors, sensor operations and viewing the Sensors screen did not work as expected, with performance problems in sending commands or viewing the Sensors screen.

We have resolved this issue and optimized how the Cybereason platform processes sensor commands to ensure that these commands work as expected.

Server

N/A

DFND-58026

Malware alerts

In Japanese environments, when exporting a CSV file of malware alerts from the Malware Alerts screen, at times the CSV file would unexpectedly change from Japanese to English (such as after a restart of the platform’s servers).

We have resolved this issue and the CSV file will export in the correct language, based on the language settings for the user that is performing the export.

Server

N/A

DFND-53320

Linux AV

In the latest version, after installing a sensor on machines running Ubuntu 20.04 and CentOS 8.4, the Anti-Malware service used by the sensor did not start properly.

We have resolved this issue and the Anti-Malware service now starts correctly after sensor installation on these operating systems.

Sensor and server

Linux (Ubuntu 20.04 and CentOS 8.4)

DFND-43198

NGAV

When updating a sensor policy or reloading the Anti-Malware service on macOS M1 machines, the Anti-Malware service was repeatedly crashing.

We have resolved this issue and the Anti-Malware service will no longer crash on macOS M1 machines during policy updates and the reloading of the Anti-Malware service.

Sensor and server

macOS

DFND-41846

Behavioral Document Protection

When scanning documents on network drives using Behavioral Document Protection, at times the Anti-Malware service performed unexpectedly or crashed.

We have resolved this error and the Anti-Malware service will perform as expected even when scanning network drives.

Sensor and server

Windows
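The DFND-59902 change above fills the Device Version field of the CEF header, which was empty before the fix, so a log pipeline has to accept both forms. The following Python sketch is an added example, not Cybereason code: it parses the seven standard CEF header fields (honoring escaped pipes) and separates events with and without a product version. Every sample line other than the header quoted in the release note is constructed, including the syslog prefix and host name.

```python
from typing import Dict, Iterable, NamedTuple

HEADER_FIELDS = 7  # CEF header fields that precede the extension


class CefHeader(NamedTuple):
    cef_version: str
    vendor: str
    product: str
    device_version: str  # the "Product version" field from DFND-59902
    event_class_id: str
    name: str
    severity: str
    extension: str


def parse_cef(line: str) -> CefHeader:
    """Parse the CEF header of one syslog line.

    Accepts an optional syslog prefix before "CEF:", unescapes "\\|" and
    "\\\\" inside header fields, and raises ValueError on malformed input.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    body = line[start + len("CEF:"):]

    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < HEADER_FIELDS:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            current.append(body[i + 1])  # escaped pipe or backslash
            i += 2
        elif ch == "|":
            fields.append("".join(current))  # unescaped pipe ends a field
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1

    # A header without a trailing pipe ends with the severity field.
    if len(fields) == HEADER_FIELDS - 1:
        fields.append("".join(current))
        i = len(body)
    if len(fields) != HEADER_FIELDS:
        raise ValueError("incomplete CEF header")
    return CefHeader(*fields, extension=body[i:])


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count events by whether the header carries a product version.

    "unversioned" events match the pre-fix behaviour (empty field), which
    is useful for spotting servers that have not received the fix.
    """
    counts = {"versioned": 0, "unversioned": 0, "malformed": 0}
    for line in lines:
        try:
            header = parse_cef(line)
        except ValueError:
            counts["malformed"] += 1
            continue
        key = "versioned" if header.device_version.strip() else "unversioned"
        counts[key] += 1
    return counts


# Header exactly as quoted in the release note.
PAGE_EXAMPLE = "CEF:0|Cybereason|Cybereason|23.2|Malop|Malop Created|10|"
# Constructed: the same header with the version field empty (pre-fix form).
PRE_FIX = "CEF:0|Cybereason|Cybereason||Malop|Malop Created|10|"
# Constructed: syslog prefix and host name are illustrative only.
PREFIXED = "<134>Jan 10 12:00:00 example-host " + PAGE_EXAMPLE
# Constructed: escaped pipe inside the name field to exercise unescaping.
ESCAPED = r"CEF:0|Cybereason|Cybereason|23.2|Malop|Malop \| Created|10|"

SAMPLE = [PAGE_EXAMPLE, PRE_FIX, PREFIXED, ESCAPED, "not a CEF line"]

if __name__ == "__main__":
    for sample_line in SAMPLE[:4]:
        print(parse_cef(sample_line))
    print(summarize(SAMPLE))
```
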

Version 23.1.303

Issue

Area

Description

Required Update

Supported OS

DFND-61454

Anti-Ransomware

On a Windows sensor with Anti-Ransomware enabled, if you performed rename operations on files where the new file name was the same as the old file name, the sensor’s Anti-Ransomware service showed unexpected behaviors, such as frequent crashes and restarts.

We have resolved this issue and the Anti-Ransomware service no longer crashes/restarts often when performing the rename operations.

Sensor and server

Windows

Version 23.1.302

Issue

Area

Description

Required Update

Supported OS

DFND-60545

Sensor management

When a sensor sent data to the Cybereason platform, if there were issues or errors in retaining sensor data, the sensor information was not persisted by the Cybereason platform accurately. As a result, if there were any restarts or updates in the platform infrastructure (such as a Detection Server restart), the sensor details were not persisted and sensor information, such as the time the sensor was first seen by the Cybereason platform, was not correct.

We have updated the platform’s logic to address issues with retaining sensor data to ensure sensor information is persisted in the platform databases and servers.

Server

N/A

Version 23.1.301 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-58417

Notifications

In environments with sensor grouping enabled, when an email notification for a new MalOp was sent to users with the Local Analyst L1 role assigned, the email notification contained a MalOp ID for the MalOp, but the MalOp ID was not a clickable link.

We have resolved this issue and the email notification sent to Local Analyst L1 users will contain the MalOp ID as a clickable link to enable these users to open up the MalOp in their Cybereason environment.

Server

N/A

DFND-58267

Sensor performance

In machines running supported versions of Windows, at times, the sensor consumed excess virtual memory from the machine causing performance problems on the machine.

We have introduced a mechanism into the sensor’s services to ensure that the sensor does not consume excessive virtual memory.

Sensor and server

Windows

DFND-58061

NGAV

On machines running supported versions of Linux, at times the Anti-Malware > Signatures mode scans would stop due to the process reaching the memory limits allowed for the Anti-Malware scanning services.

We have resolved this issue and updated the sensor configuration to allow for greater memory usage to enable scans to continue.

Sensor and server

Linux

DFND-57656

User management

In the Users screen, if you selected the Local Analyst or Local Responder role for a user along with another global role (such as Policy Admin, User Admin, and so forth), the option to select the sensor groups for the user remained visible on the page, even though the user had no ability to be assigned to groups since they have a role that was global in nature.

We have resolved this issue and when you select a Local Analyst or Local Responder role along with another role, the option to select groups for the user is no longer displayed.

Server

N/A

DFND-57606

Sensor performance

On machines running CentOS 7.1, if the Anti-Malware > Signatures scans attempted to scan a file larger than 2 GB, the file became locked and other processes also could not open the file, due to issues with dependencies in the operating system.

We have resolved this issue so that the sensor does not lock access to these large files, and customers will be able to access these files on CentOS 7.1 machines.

Sensor and server

Linux CentOS 7.1

DFND-54233

Custom detection rules

In environments using the new Data Platform infrastructure and the Virtual Cache feature, for detections generated based on custom detection rules, the Last triggered value was not reported for the detection.

We have resolved this issue and the Last triggered value will display in these environments.

Server

N/A

DFND-52579

Device Control

The Device Control screen is now available by default.

Server

N/A

Version 23.1.284

Issue

Area

Description

Required Update

Supported OS

DFND-55917

NGAV exclusions

In a sensor policy, in the Fileless Protection screen of the policy, when you added exclusions in the Script analysis section of the policy, the exclusions were not saved.

We have resolved this issue and the Script analysis exclusions are now saved as expected. In some cases, you may see duplicated entries, with slightly different syntax, for the Script analysis exclusions to support the older (legacy) format for these exclusions as well as the new format.

Server

N/A

DFND-53320

Anti-Malware

In the latest version, after installing a sensor on machines running Ubuntu 20.04 and CentOS 8.4, the Anti-Malware service used by the sensor did not start properly.

We have resolved this issue and the Anti-Malware service now starts correctly after sensor installation on these operating systems.

Sensor and server

Linux (Ubuntu 20.04, CentOS 8.4)

Version 23.1.283 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-56766

Predictive Ransomware

At times, if a folder path or file contained non-English characters, Predictive Ransomware Protection did not respond as expected to ransomware execution in these paths.

We have resolved this issue and Predictive Ransomware Protection works as expected when a folder or file path contains non-English characters.

Sensor and server

Windows

DFND-56610

NGAV Anti-Malware

On machines running Linux and macOS operating systems, when adding an exclusion that ended with a forward slash (/), the sub-folders under the entered path were also unexpectedly excluded from Anti-Malware scans.

We have resolved this issue and the sub-folders for the entered path will not be excluded from Anti-Malware scans.

Sensor and server

macOS, Linux

DFND-56211

Remote shell

At times, if a sensor was unable to start a Remote Shell utility session, the sensor would crash unexpectedly.

We have resolved this issue and the sensors will not crash when there is a failure to start the Remote Shell utility.

Sensor and server

Windows

DFND-54233

Custom detection rules

In environments using the new Data Platform infrastructure and the Virtual Cache feature, for detections generated based on custom detection rules, the Last triggered value was not reported for the detection.

We have resolved this issue and the Last triggered value will display in these environments.

Server

N/A

DFND-53775

Investigation

In recent Cybereason versions, after upgrading to the newer version and enabling sensor grouping in the environment, in the Investigation screen, you were unable to group the results by some of the available Features if the value for the Group was empty.

We have resolved this error and you can now sort investigation query results by all Features when you enable sensor grouping in the environment.

Server

N/A

DFND-53646

Investigation

In the Investigation screen, when viewing investigation query results, if you selected the option to limit the total number of results, the results displayed per page were not always correct.

We have resolved this issue and investigation query results will report totals (all total results and per page) correctly.

Server

N/A

DFND-53600

MalOp details, Investigation, Malware Alerts

At times, in the Malware Alerts, Investigation, and Response History screens, the full machine name for the malware alert did not display if the malware was detected in a scan. This was due to a limitation of the Windows OS API used to collect information about a machine.

We have resolved this issue and the machine name displays correctly.

Sensor and server

Windows

Version 23.1.263 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-23543

NGAV

The sensor can now report file metadata to Cybereason headquarters for analysis that will impact the accuracy rate of our anti-malware engines and help reduce false positives.

Open a Technical Support case to enable this feature.

Sensor and server

Windows

DFND-41756

User notifications

In environments that use sensor grouping, if a MalOp was triggered on a machine in a sensor group, local analysts for other groups to which the sensor was not assigned also received an email notifying them that there were 0 MalOps detected.

We have resolved this issue and analysts from other groups not associated with the machine in the MalOp will not receive email notifications for machines not in their assigned groups.

Server

N/A

DFND-53308

NGAV, Behavioral Document Protection

At times, AI-based Behavioral Document Protection triggered false positive MalOps for files that did not have a macro but contained suspicious strings of characters.

We have resolved this issue and the Cybereason platform’s AI-based Behavioral Document Protection will not trigger MalOps for files with suspicious strings but no macros.

Sensor and server

Windows

DFND-53805

NGAV

In recent Cybereason versions, on machines using Sensor Tampering Protection, MalOps based on Variant Payload Protection or Threat Intelligence services were not generated as expected.

We have resolved this issue and MalOps based on Variant Payload Protection and Threat Intelligence will generate as expected, even with Sensor Tampering Protection enabled.

Sensor and server

Windows

DFND-54537

Sensor logs

When retrieving sensor logs from the Sensors screen, the exclusions in the sensor policy will be decrypted as part of the retrieval operation to enable administrators to read clear text in the exclusions entries in the log.

Sensor and server

Windows

DFND-55333

Linux sensors

On machines running the SUSE 15.3 operating system on Azure provisioned server machines, the sensor was unable to run due to a Could not verify minion signature error message.

We have resolved this issue and the sensor can run on these machines without issue.

Sensor and server

Linux - SUSE 15.3

DFND-55970

User notifications

In recent versions, email notifications sometimes were not sent in the language set by the user for their access to the Cybereason platform. Instead, the mail notifications used the language set for the machine on which the WebApp server was running.

We have resolved this issue and the mail notifications will use the user-defined language setting.

Server

N/A

DFND-56056

Sensor installation

In recent Cybereason versions, when trying to upgrade sensors, an error about Downgrade is not supported was displayed, even though the operation was not a downgrade operation. This was due to issues with the sensor installation report that is created as part of the sensor installation/upgrade process.

We have resolved this error and the downgrade message should not display.

Sensor and server

Windows

Version 23.1.247

Issue

Area

Description

Required Update

Supported OS

DFND-56958, DFND-57639

Sensor system tray icon

On machines running Windows operating systems, there were issues with the Cybereason system tray icon displaying when it should not, such as displaying after a restart even though the sensor policy said not to display the system tray icon, or frequent stopping of the cramtray.exe process.

We have improved the configuration of the system tray icon process to ensure that icons do not display when they should not (such as multiple icons or icons unexpectedly displaying).

Sensor and server

Windows

Version 23.1.246

Issue

Area

Description

Required Update

Supported OS

DFND-57283

Sensors

At times, a sensor did not send data to its assigned Detection server when the sensor failed to connect to the IP address for the Detection server. As a result, the sensor reported as Online, but certain parts of the sensor data, such as collected data, details on the signatures database version, and scan status would not update in the Sensors screen correctly.

We have resolved this issue and all information from the sensor will report to the Detection server as expected.

Sensor

Windows

Version 23.1.245

Issue

Area

Description

Required Update

Supported OS

DFND-52422

User management

After upgrading to recent Cybereason versions, if you enabled two-factor authentication (TFA) for users, the TFA no longer worked after the upgrade and you had to reset all user TFA keys.

We have resolved this issue and TFA now works properly after the upgrade with no need to reset any TFA keys.

Server

N/A

Version 23.1.244

Issue

Area

Description

Required Update

Supported OS

DFND-56196

Sensor management

In the most recent version, in the Sensors > Overview screen, no sensor data was displayed for all connected endpoint machines.

We have resolved this issue and the Overview screen will display data for all endpoint machine sensors.

Server

N/A

Version 23.1.243 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-54285

Sensor performance

On sensors on Windows machines, when the sensor collected data related to the WMI persistent object Element, the sensor sometimes experienced performance problems, occasionally causing the sensor program to crash.

We have updated the sensor’s internal mechanism to ensure that the sensor’s performance is not affected by data collection of items related to the WMI Persistent Object Element.

Sensor and server

Windows

DFND-54077

Sensor installation

On recent Cybereason versions, the sensor did not install correctly on the Windows Server 2019 Core operating system.

We have resolved this error and the sensor installs without issue on Windows Server 2019 Core.

Sensor and server

Windows Server 2019 Core

DFND-53773

Sensor installation

When performing a sensor installation on a Linux machine, if the machine used Python 3 instead of older Python versions to run the installer program, a Not found error message was printed in the machine’s terminal, even though there was no issue with the installation.

We have resolved this issue and updated the sensor installer flow to not show this unnecessary message.

Sensor and server

Linux

DFND-53642

User management

After upgrading to recent Cybereason versions, if you enabled two-factor authentication (TFA) for users, the TFA no longer worked after the upgrade and you had to reset all user TFA keys.

We have resolved this issue and TFA now works properly after the upgrade with no need to reset any TFA keys.

Server

N/A

DFND-53231

Sensor performance

When using Sensor Tampering Protection in machines running Windows 7 or Windows 8, the cramtray.exe program (that runs the System Tray icon) did not start.

We have resolved this issue and the cramtray.exe program will now work on machines running Windows 7 and Windows 8.

Sensor and server

Windows 7/8

DFND-53214

Sensor performance

When performing a sensor installation on Linux machines running the RHEL 9.X operating system, the sensor and sensor services were unable to start after installation.

We have resolved this issue and the sensor should run as normal on RHEL 9.X operating systems.

Sensor and server

Linux (RHEL 9.X)

DFND-53149

Sensor performance

On machines running Linux operating systems, when the sensor state changed (such as from crash recovery state to normal state), the sensor had to restart its process, which at times caused the sensor to crash during process shutdown. As most of the sensor parts were shut down already, a crashdump could have been created in the root directory (/), which led to exhaustion of endpoint storage.

We have resolved this issue and the sensor should never create coredump files (if any) in the wrong location.

Sensor and server

Linux

DFND-52915

MalOp details

Previously, if there was no start time for a MalOp, the Cybereason platform incorrectly automatically assigned another value like the current time or the close time for the MalOp as the MalOp start time.

We have updated the MalOp creation logic to ensure that if the MalOp start time is not available, the Cybereason platform will use the start time for the first process associated with the MalOp as the start time.

Server

N/A

DFND-52639

Sensor performance

In some cases on Windows machines (usually related to unexpected termination or crashes in the sensor processes), the System tray icon was duplicated unnecessarily, with one icon for the former cramtray.exe process that stopped and one icon for the cramtray.exe process currently running.

We have resolved this issue and updated the sensor’s internal flow to ensure that the sensor does not leave or cause extra system tray icons.

Sensor and server

Windows

DFND-52505

Device Control

In recent Cybereason versions, when you enabled Device Control in a sensor policy, if you set the Device Control mode for devices to Read only, the Device control mode reported in the Sensors screen for sensors assigned to this policy was Disabled instead of Enabled.

We have resolved this issue and updated the logic used by the server for the Read only mode for devices to report that Device Control is enabled instead of disabled.

Server

N/A

DFND-51863

Predictive Ransomware

In some cases, Predictive Ransomware Protection incorrectly raised a false positive MalOp for possible encryption of a file due to an issue identifying the different streams for the file (a legitimate operating system functionality).

We have resolved this issue and updated the configuration for Predictive Ransomware to ensure it handles streams for files correctly so as to not identify one of the streams for the file as encrypted.

Sensor and server

Windows

DFND-50987

MalOps

In recent Cybereason versions, on machines using Sensor Tampering Protection, MalOps based on Variant Payload Protection or Threat Intelligence services were not generated as expected.

We have resolved this issue and MalOps based on Variant Payload Protection and Threat Intelligence will generate as expected, even with Sensor Tampering Protection enabled.

Server

N/A

DFND-50661

NGAV

For Predictive Ransomware Protection, you can now add Regex-based command line exclusions.

Sensor and Server

Windows

DFND-23530

NGAV exclusions

In the sensor logs, if you added an exclusion for a specific folder or path that ended with a wildcard character, the sensor log indicates that the exclusion will be ignored since the exclusion does not end with a backslash character. The message is misleading as the exclusion still works as expected and is not ignored.

We have resolved this issue and updated the log configuration to not report errors like this.

Sensor and server

Windows

Version 23.1.224 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-52505

Device Control

In recent Cybereason versions, when you enabled Device Control in a sensor policy, if you set the Device Control mode for devices to Read only, the Device control mode reported in the Sensors screen for sensors assigned to this policy was Disabled instead of Enabled.

We have resolved this issue and updated the logic used by the server for the Read only mode for devices to report that Device Control is enabled instead of disabled.

Server

N/A

DFND-51716

NGAV

On sensors using Behavioral Document Protection AI, sensors did not report the behavior ID to the Cybereason Detection server as part of the event details for the detected event. In turn, the Behavior ID associated with the detected event was not included in the MalOp details or Investigation screens for analysts to understand the event.

We have resolved this issue and the event behavior ID is now reported by the sensor and included in the MalOp details and Investigation query results for a detected event.

Sensor and server

Windows

DFND-50950

Sensor upgrade

When upgrading from 20.1 versions to the latest Cybereason versions, the sensor did not start due to an issue with upgrade of files required by the sensor and the sensor services.

We have resolved this issue and all files will upgrade successfully and allow the sensor and sensor services to start and run as expected.

Sensor and server

Windows

DFND-50501

Sensor installation

If you ran the installer package for the sensor from a network drive (instead of a local drive), the installation failed with an error about the sensor installer being unable to verify the certificate of the bundle.

We have resolved this issue and you can run the sensor installer from a network drive also.

Sensor and server

Windows

DFND-50468

Data collection, Linux sensors

On environments with sensors running Linux operating systems, at times the Investigation screen would report strange and unexplained connection and port details that did not match the real connection details (i.e. the IP addresses for the connections).

We have resolved this issue and updated the configuration used by the sensor around collecting communication data to ensure that the details reported about communication on Linux machines are collected and reported correctly.

Sensor and server

Linux

DFND-50390

NGAV

When using canary-based Anti-Ransomware, if a command was added to the Anti-Ransomware exclusions, the command continued to be detected and reported as a detection by the Cybereason platform. This is due to the fact that the Anti-Ransomware exclusions only stopped the suspension of the excluded command (but still detected the performance of the command).

We have updated the flow used by the Cybereason platform when adding an Anti-Ransomware exclusion to both not suspend the command and not detect the performance of the command entered in the exclusions.

Server

N/A

DFND-50131

Investigation

In the Investigation screen, when exporting query results, the time for different items in the CSV is now represented in the local time shown in the investigation screen instead of GMT.

Server

N/A

DFND-47977

MalOps management

In the MalOps management screen, we have added a new filter called Detection type. You can use this filter to display MalOps classified as Potentially Unwanted Programs (PUP).

Server

N/A

DFND-47231

Sensor management

In the Sensors screen, when you used the search to find sensors that had a group assignment of Dynamic or Manual, the filtering did not work correctly.

We have resolved this issue and filtering by sensor groups works as expected.

Server

N/A

Version 23.1.202 (Service Pack)

Issue

Area

Description

Required Update

Supported OS

DFND-49876

Investigation

In Japanese environments, when exporting query results to a CSV file, the exported CSV file did not include the AM or PM designation on times.

We have resolved this issue and the exported CSV files will now include the AM or PM with the time.

Server

N/A

DFND-49398

MalOps management

In Japanese environments, in the MalOp details screen, we have updated the string 件を開始 (as part of the Process started/ended) to を開始 to make the string a more accurate translation.

Server

N/A

DFND-49016

MalOps management

In the MalOp details screen, if you selected the View activity since remediated option, no additional data displayed even though there had been associated activity for that MalOp.

We have updated the View activity since remediation option to View activity since closed to more accurately reflect what the option displays.

Server

N/A

DFND-49165

Sensor performance

When upgrading sensors on Windows machines from recent versions, the sensor would not run as expected due to repeated crashes in the minionhost.exe process.

We have resolved this issue and the sensors will upgrade successfully without the repeated crashes.

Sensor and server

Windows

DFND-48850

Sensor installation

When installing Linux sensors, at times you would see warning messages in the installation logs about missing libraries, even though the sensor was working properly and the library may have been installed on the machine.

We have updated the sensor installation logic and these warnings will be reported in a more meaningful way or not reported at all in some cases.

Sensor and server

Linux

DFND-48616

User roles

In a sensor policy, users with the System Viewer role were unable to scroll and view the full list of exclusions available in the sensor policy.

We have resolved this issue and users with this role will be able to scroll and see policy exclusions, not just the few exclusions that display in the first few rows of the table.

Server

N/A

DFND-48512

Sensor upgrade

In the most recent version, in some cases, when performing a sensor upgrade the sensor upgrade did not work and remained in progress indefinitely.

We have resolved this issue and sensor upgrades will work properly.

Sensor and server

All

DFND-47146

Remediation

We have updated the logic used by the Cybereason platform’s file quarantine feature to ensure that the sensor cannot quarantine sensor-related files.

Sensor and server

All

DFND-32637

Behavioral allowlisting

To help you build more effective behavioral allowlisting rules that address additional scenarios, you can now add Grandparent Process and Great-Grandparent Process Elements in the rule.

Server

N/A

DFND-6192

MalOps

We have made some adjustments to how the Cybereason platform retains data, especially related to MalOp details, to reduce the time for a MalOp to be generated and to ensure that as many details as possible for the MalOp are reported in the MalOp details.

Sensor and Server

N/A

Version 23.1.152

Feature

Description

Required Update

OS

Default On/Off?

MalOps management

To help you better retrieve a list of all MalOps with the same details for each MalOp, we have added a new REST API endpoint to retrieve MalOps.

The existing endpoints will still be supported for use.

Server

N/A

On

Endpoint machine notifications

Previously, in the Endpoint UI settings screen of a sensor policy in the Notifications > Signature AV section, if the All Alerts checkbox was unchecked, right-click scan notifications were enabled. This issue has been resolved.

Sensor and server

Windows

On

Endpoint system tray enhancements

The Cybereason system tray now displays the sensor version and the connection status. In addition, the system tray notifications mechanism has been optimized to make its behavior more reliable. For example, the notification timeout has changed from 3 seconds to 10 seconds. This is the minimal timeout suggested by the Windows API.

Sensor and Server

Windows

On

NGAV

When using Behavioral Execution Prevention, the cmstp_abnormal_execution and msexchange_owapool_webshell rules were causing the Cybereason platform to generate false positive MalOps.

We have resolved this issue and these rules should no longer generate false positive MalOps.

Sensor and server

Windows

On

Custom detection rules

To help you build more useful custom detection rules, you can add Registry Event and File Event Elements in the rule logic.

Server

N/A

On

Sensor installation

The Repair option has been removed from all sensor installer workflows. This option is not supported by the Cybereason platform.

Sensor and server

Windows

On

Sensor installation

On Linux machines running the RHEL 8 operating system, you were unable to initialize and start the sensor due to an issue with one of the libraries used by the sensor in the installation process.

We have resolved this error and installations on RHEL 8 should work as expected and start successfully.

Sensor and server

RHEL 8

On

Sensor performance

In some cases, the crssvc.exe process used by Anti-Ransomware was experiencing high memory usage, usually when working with specific other programs that were active in modifying files on an endpoint machine.

We have resolved this issue and the process will no longer experience high memory usage with other processes.

Sensor and server

Windows

On

Sensor performance

In recent versions, the minionhost.exe process used by the sensor for data collection was repeatedly crashing and suspending data collection on the machine.

We have resolved this issue and the sensor and minionhost process should work as expected without performance issues.

Sensor and server

Windows

On

Sensor performance

In the most recent version, the Active Console process used by the sensor was crashing due to unexpected operations.

We have resolved this issue and the Active Console process runs without issue.

Sensor and server

Windows

On

Sensor performance

In some cases, sensors were experiencing performance problems, such as data being deleted unexpectedly or reporting as disconnected from the Detection Server, usually due to a large amount of data collected by the sensor.

We have resolved these issues and sensors should perform as expected without performance problems.

Sensor and server

Windows

N/A

Device Control

The Device Control screen can now display device control events for Linux machines.

Sensor and server

Linux

Off

Device Control

In the Device Control screen, at times, events that were reported on endpoint machines did not display on the Device Control screen.

We have resolved this issue and events reported on the endpoint machine will also report on the Device Control screen.

Sensor and server

Windows

On

Sensor management

The Sensors screen now includes a Sensor ID column that displays the sensor’s unique installation ID. This enables you to track sensors even in cases where the machine name or other fields such as network address have changed.

Server

Windows

On

Sensor management

In the Sensors screen, the Action > Update option has been renamed to Upgrade sensor to better reflect the meaning of this action.

Server

All

On

Sensor management

For inactive sensors that did not have a valid server ID, you were unable to archive these sensors due to an error message saying the sensor did not have a server ID.

We have resolved this issue and you can now archive all sensors even when they do not have a server ID.

Server

N/A

On

Investigation

In the Investigation screen, when using the Timeline filter to select a time range for results, the timestamp for the query creation time did not match the timestamp visible in the Cybereason UI.

We have resolved this issue and timestamps used by the Timeline filter will match the actual timestamp in the Cybereason platform.

Server

N/A

On

Version 23.1.130

Feature

Description

Required Update

OS

Default On/Off?

Sensor upgrade, NGAV

In the most recent Cybereason version, if you enabled Anti-Ransomware, Anti-Ransomware did not work due to a problem with upgrading files required by the Anti-Ransomware service.

We have resolved this issue and all files upgrade successfully and you will be able to use Anti-Ransomware as expected.

Sensor and server

Windows

On

Malops management

In the Malops management screen, in environments that use the new Data Platform infrastructure, if you selected Today from the list of time filter options, the dialog box to select a date also displayed unexpectedly.

We have resolved this issue and the date selector does not appear when you select the Today option.

Server

N/A

On

Sensor upgrade

When upgrading from 20.1 versions to the latest Cybereason versions, the sensor did not start due to an issue with upgrade of files required by the sensor and the sensor services.

We have resolved this issue and all files will upgrade successfully and allow the sensor and sensor services to start and run as expected.

Sensor and server

Windows

On

Version 23.1.128

Feature

Description

Required Update

OS

Default On/Off?

MalOps management

In the Malops management screen, in environments that use the new Data Platform infrastructure, if you selected Today from the list of time filter options, the dialog box to select a date also displayed unexpectedly.

We have resolved this issue and the date selector does not appear when you select the Today option.

Server

N/A

On

Sensor upgrade

In the most recent version, in some cases, when performing a sensor upgrade, the upgrade did not work and remained in progress indefinitely.

We have resolved this issue and sensor upgrades will work properly.

Sensor and server

All

On

Behavioral Execution Prevention

When using Behavioral Execution Prevention, the cmstp_abnormal_execution and msexchange_owapool_webshell rules were causing the Cybereason platform to generate false positive MalOps.

We have resolved this issue and these rules should no longer generate false positive MalOps.

Sensor and server

Windows

On

Version 23.1.124

Feature

Description

Required Update

OS

Default On/Off?

Predictive Ransomware Protection

Predictive Ransomware Protection is now generally available. This new type of ransomware protection uses a multi-layered detection mechanism to identify typical ransomware behavior and prevent unknown strains of ransomware. This feature now appears by default in the Sensor Policy screen. The legacy Anti-Ransomware feature is still available, and should be used for sensor versions prior to 23.1.100. Learn more

Important: Please make sure to update your sensors to the latest version before enabling Predictive Ransomware Protection, to avoid endpoint compatibility issues.

Sensor and Server

Windows

On

MalOps

We have made some adjustments to how the Cybereason platform retains data, especially related to MalOp details, to reduce the time for a MalOp to be generated and to ensure that as many details for the MalOp are reported in the MalOp details.

Server

N/A

On

Predictive Ransomware Protection

In the MalOp details screen, all files restored by Predictive Ransomware Protection appear at the top of the Affected Files section, followed by the files that were not restored. This helps you quickly identify the files that were successfully restored.

Sensor and Server

Windows

On

Predictive Ransomware Protection

For Ransomware MalOps, the MalOps Details screen now displays information about the encryption process, encrypted files, prevention/remediation actions, and more. Learn more

Server

Windows

On

EPP Dashboard

In environments with the new Data Platform infrastructure, the EPP Dashboard screen is now generally available. Learn more

Server

N/A

On

Malop Inbox

Beginning in this release, the Malop Inbox screen will be deprecated from support. While the screen will remain in the Cybereason platform UI, there will be no active support for this screen.

Server

N/A

On

TLS communication

The Cybereason platform now supports TLS 1.3 for communication between the sensor and server.

As part of adding this support, TLS 1.1 is no longer supported.

Sensor and server

All

On

Sensor groups

When building rules for automatic assignment of sensors to sensor groups, you can now use more than one value for a rule condition with the AND operator between the values.

Server

N/A

On

Machine isolation exceptions

You can now assign Machine Isolation Exception rules to specific sensor groups. This helps you limit access to various endpoint machines to your analysts and admins depending on their group permissions. Learn more

Server

N/A

Off

MalOps management

To help you view more MalOps when opening the MalOps management screen, we have added the ability to collapse the widgets and graphs that are displayed at the top of the MalOps management screen. Learn more

Server

N/A

On

MalOps management

In the MalOps management screen, analysts now have the ability to sort MalOps by one of the specific columns:

  • Malop name

  • GUID

  • State

  • Severity

  • Investigation status

  • Resolved by

Learn more

Server

N/A

On

MalOps management

In the Malops management screen, in environments that do not use the newer Data Platform infrastructure, if a MalOp Priority is not set by the analyst, the Malops management screen correctly shows the value to be Set instead of High as in previous versions.

Server

N/A

On

MalOps management

In some cases, in the Malops management screen, the Cybereason platform did not properly update the MalOp state when a MalOp was set back to Re-opened. This caused other actions to have issues, such as being unable to remediate reopened MalOps.

We have resolved this issue and the Investigation status and MalOp state work together correctly and all parts of the MalOp triage process should work correctly.

Server

N/A

On

MalOps management

In the Malops management screen, in the MalOp list in the grid, if a MalOp was displayed in the Inactive state (with an orange icon) and you viewed the same MalOp’s details, the state was displayed as Active.

We have resolved this issue and the state is the same in the MalOp grid and in the MalOp details.

Server

N/A

On

MalOps management

In the MalOp details screen, when clicking the View Activity since button, at times the button did not work and did not display the options to select a time frame in which to view recent activity.

We have resolved this issue and this button will open and display the options to select a time at all times.

Server

N/A

On

MalOps management

In the Malops management screen, for environments using the new Data Platform infrastructure, for a given MalOp, if there was no name for the root cause Element for the MalOp, the MalOp displayed 0 processes as the root cause.

We have resolved this issue and updated the MalOp configuration to display a count of the processes for the root cause if there is no root cause Element name available.

Server

N/A

On

MalOps management

In the Malops management screen, when performing a browser refresh action, such as reloading the page or opening the Malop details and returning to the MalOps list, the current filters in the Malops management screen were not retained. As a result, you needed to reconstruct your previously used filters.

We have resolved this issue and filters will be retained when there is a browser refresh action.

Server

N/A

On

NGAV

When using NGAV on an endpoint machine, as a non-admin user on the machine, if you clicked the prompt from Windows Security Center to update the Cybereason signatures database, the command window continued to display on the machine (while the update ran in the background), disrupting the work of the endpoint machine user.

We have resolved this issue to ensure that the signature database update does not interfere with normal machine usage.

Sensor and server

Windows

On

Behavioral Execution Prevention

When adding rule exclusions for Behavioral Execution Prevention in a sensor policy, the exclusions were not applied correctly for sensors assigned to that policy, causing MalOps and detections to be generated for the rule represented in the exclusion.

We have resolved this issue and the exclusions are applied correctly for sensors and detections will not be generated for the rule in the exclusion.

Sensor and server

Windows

On

Sensor installation

You can now uninstall sensors from the Sensors screen even for sensors with Sensor Tampering protection enabled.

Sensor and Server

Windows

On

Sensor installation

When performing the steps required for mitigation of the CVE-2013-3900 vulnerability, it was not possible to install or upgrade sensors on the machine.

We have resolved this issue and you can install/upgrade sensors on a machine even with the mitigations for CVE-2013-3900 applied on a machine.

Sensor and server

Windows

On

Sensor upgrade

If your environment uses the Scaled Sensor upgrade feature, to increase your ability to upgrade sensors, you now have the additional action, Upgrade now, to immediately trigger a sensor upgrade for selected machines.

In the past, when selecting the Upgrade option in the Actions menu, if the sensor upgrade package was found on the selected machines, the upgrade was performed immediately. If the sensor package was not found on the machine, the sensor and server would retry sending the sensor upgrade package up to 5 times. However, this action enables you to speed up the upgrade for a few sensors by downloading the package from the sensor immediately.

This option is not available by default. Contact Technical Support to enable this feature.

Learn more

Sensor and server

All

Off

Sensor performance

In the most recent version, the Active Console process used by the sensor was crashing due to unexpected operations.

We have resolved this issue and the Active Console process runs without issue.

Sensor and server

Windows

On

Mac sensors

In recent Cybereason versions, when upgrading sensors through the System > Sensors screen, for sensors running on macOS with 2-way SSL enabled, after the upgrade the sensors were unable to connect to the Cybereason platform.

We have resolved this issue and all Mac sensors using 2-way SSL are able to successfully connect to the Cybereason platform after upgrade.

Sensor and server

macOS

On

Mac sensors

In random cases, on sensors running on macOS machines, when the machine restarted, the Anti-Malware > Signatures database reverted to the first version instead of maintaining the current version. This resulted in unnecessary redownloads of the signatures database to the sensor.

We have resolved this issue and the Signatures database version is persisted after the machine restart.

Sensor and server

macOS

On

Mac sensors, NGAV

In recent Cybereason versions, in some cases, on machines running macOS, scans were not performed correctly (including quick and full scans as well as scheduled scans).

We have resolved this error and scans will work as expected on macOS machines.

Sensor and server

macOS

On

Linux sensors

To enable you to use the eBPF framework on your Linux sensors, we have included the required SELinux configuration used by the eBPF framework as part of the sensor installation on a Linux machine.

You no longer need to manually enable and configure SELinux on the machine.

Sensor and server

Linux (CentOS/RHEL)

Off

Sensor grouping

If you have enabled the sensor group installer feature, users with the Sensor Admin L1 role can now assign sensors to any group and remove sensors from any group to which they have permissions.

Server

N/A

On

Detection rules, MalOp details

In some cases, associated suspicions for some MalOps were not included in the MalOp details. As a result, you were not able to see the full scope of the MalOp and related activity and prioritize the analysis and triage appropriately.

We have resolved this issue and related suspicions for MalOps should always be part of the MalOp details.

Server

N/A

On

Device control

In the Endpoint Controls section of a sensor policy, when adding a device to the allowed devices list, if the device name had more than 1 underscore character in the name, the device was not blocked or allowed correctly as set in the sensor policy.

We have resolved this issue and updated the configuration for parsing device names and devices should be blocked or allowed as set in the policy even with extra underscore characters.

Sensor and server

All

On

Device Control

You can now import up to 200 entries in the CSV file of USB device settings (the previous limit was 50 entries).

Server

All

On

Data collection

In cases where the sensor collected a process name in a different case than the actual process name on a machine, and the command line for the process contained double quotes, in the various places in the MalOp details and Element details, the process name was reported incorrectly or had characters removed from the process name.

We have resolved these errors to ensure that the process name is reported consistently.

Server

N/A

On

Version 23.1.85

This version contains all the items in version 23.1.83 and the items in the table below:

Feature

Description

Required Update

OS

Default On/Off?

Sensor performance

In the most recent version, the Active Console process used by the sensor was crashing due to unexpected operations.

We have resolved this issue and the Active Console process runs without issue.

Sensor and server

Windows

On

Version 23.1.83

Feature

Description

Required Update

OS

Default On/Off?

Endpoint controls

The Device control screen enables system and security admins to view Device control events and easily monitor the usage of USB devices across their environment. This feature is currently in beta stage. Learn more

Sensor and Server

Windows

Off

NGAV

Cybereason introduces Variant File Prevention (VFP), a pre-execution prevention engine which uses advanced fuzzy hashing techniques to quickly identify indicative similarities and patterns of known malware families.

This feature is disabled by default. Open a Technical Support case to get access to this feature. Learn more

Sensor and Server

Windows

Off

NGAV

Behavioral Document Protection AI is now generally available. Also, you can now add exclusions by behavior ID for this feature. Note: If you had rule-based Behavioral Document Protection enabled, and you update your sensor to 23.1.8x, the sensor is left with Behavioral Document Protection disabled. In such a case, we recommend enabling Behavioral Document Protection AI on the sensor via the Sensor policy. Learn more

Sensor and Server

Windows

On

NGAV

When adding domain exclusions for Fileless Protection (in the Fileless Protection > Domain exclusions section of the sensor policy), if a machine had a slower network connection or performance, the exclusion details did not propagate to the endpoint machine before the timeout period and domains were blocked when they should have been allowed.

We have resolved this and Domain exclusions will propagate correctly for all endpoint machines.

Sensor and server

Windows

On

NGAV

If you added a local update server URL to the Anti-Malware settings in a sensor policy, and then updated the policy settings or assigned a sensor to a different policy, the local update server settings on the endpoint machine retained the previous URL from the first policy instead of updating the new URL settings.

We have resolved this issue and changes in the local update server URL from the policy are propagated to endpoint machines correctly.

Sensor and server

Windows

On

Reputations

The ability to use sensor groups in reputations is now generally available.

This feature is disabled by default. Open a Technical Support case to get access to this feature.

Learn more

Server

N/A

On

NGAV

Fileless protection introduces significant enhancements to provide better stability over time and to accommodate larger environments with numerous exclusions. This feature is not yet generally available. Open a Technical Support case to access this feature. Learn more

Sensor and Server

Windows

Off

NGAV

The Anti-Malware > Artificial Intelligence mode includes enhanced coverage of .NET executables. This feature is now generally available.

Learn more

Sensor

Windows

On

Malops management

To help you locate MalOps generated by Variant File Prevention, in the Malops management screen, we have added the Variant File Prevention value in the Detection Engine filter.

Server

N/A

On

Device Control

We have made some improvements to the Device Control feature. In consequence, some USB devices that were previously not supported are now supported.

Sensor

Windows

On

Malops management

In the Malops management screen in environments with the new Data Platform infrastructure, we have restored the tooltips for the Grid/Card view buttons above the MalOp list.

Server

N/A

On

Malops management

In the Malops management screen, if you are using the newer Data Platform, when you open a Malop, instead of automatically opening in a new tab as previously, you use the CTRL + click (for Windows machines) or CMD + click (for macOS machines) to open the MalOp in a separate tab.

Server

N/A

On

MalOps management

To better reflect where a MalOp is in the path toward resolution while you are updating MalOp investigation statuses, we have updated the server’s mapping between investigation statuses and MalOp states.

Server

N/A

On

MalOps management

To give additional context to a MalOp, we have added the MITRE tactics and IoCs columns as available columns in the Malops management screen. You can now add these columns in the MalOps grid to view related MITRE ATT&CK tactics or IOCs for a MalOp.

Server

N/A

On

MalOps management

In environments with sensor grouping enabled, at the top of the Malops management screen, when you view the graphs for total MalOps and the graph for total machines, the graph reported incorrect numbers that did not filter out machines and MalOps not related to the selected group.

We have resolved this issue and the graphs should display correct totals when a group is selected in the Malops management screen.

Server

N/A

On

Sensor installation

In the latest Cybereason version, if you downloaded the sensor installation package to a location where the file path contained Unicode characters (such as Japanese characters), the sensor installation/upgrade failed.

We have resolved this issue and the installation should work with Unicode characters in the installation path.

Sensor and server

Windows

On

Sensor installation

On the latest versions, when installing or upgrading a Linux sensor, the endpoint machine experienced decreased performance with above-average CPU usage on the machine.

We have resolved this issue and the performance on Linux machines falls within expected performance guidelines.

Sensor and server

Linux

On

Sensor installation/upgrade

In the latest Cybereason version, on Windows machines, you were unable to install or upgrade sensors due to a certificate error warning from Microsoft for a specific Microsoft policy configuration.

We have resolved this issue and you can now install or upgrade sensors as expected on Windows machines.

Sensor and server

Windows

On

Sensor installation

When performing sensor installation on machines running supported versions of Ubuntu or Debian Linux, there were a number of errors reported during the installation process.

We have resolved these issues and installation on these operating systems runs without error.

Sensor and server

Ubuntu/Debian Linux

On

Sensor installation

We have updated the various screens used in the sensor installation wizard to ensure that the proper Cybereason logo is used in all screens.

Sensor and server

All

On

Sensor upgrade

When upgrading multiple sensors through the Sensors screen, the Action log would report an upgrade failure for some of the machines even though the sensors were successfully upgraded (as seen in the sensor information in the sensor grid).

We have resolved this issue and the Action log report matches the actual sensor upgrade status.

Server

N/A

On

Sensor performance

In some cases, the sensor was stuck in a loop of repeated crashes of the sensor program (minionhost.exe), possibly from issues with WMI on the endpoint machine.

We have updated the sensor program configuration to continue to work in these situations, and the sensor should not continue to have crash loops if there are WMI issues on the machine.

Sensor and server

Windows

On

Sensor performance

When performing an installation, upgrade, or uninstallation of a sensor on Windows machines, the Cybereason installer caused applications that use the Powereason.dll file to shut down or restart due to the installer needing to access shared locker files used by the other programs.

We have updated the installer program configuration to resolve this issue, so that other programs will work as expected during installation, upgrade, or uninstallation.

Sensor and server

Windows

On

Sensor performance

On some machines, a number of empty Cybereason processes were created due to crashes in sensor-related processes. These extra processes caused performance issues on the machine.

We have resolved this issue and these extra processes should not appear even when sensor processes crash or have other issues.

Sensor and server

Linux

On

Reputations

When viewing reputations in the Reputations screen, if you tried to sort the table of reputations by the Description column, a message was displayed, claiming that there were no reputations in the platform.

We have resolved this issue and you can now sort by the Description column without issue.

Server

N/A

On

Data collection

When viewing details on Services (such as the image file path or the command line arguments), the details for Service Elements were often reported incorrectly or incomplete in the Element Details screen.

We have updated the configuration used by the sensor collector and details about Services are collected and reported accurately in the Element Details screen.

Sensor and server

Windows

On

Device Control

On endpoint machines, when the setting for the Device control mode was set to Read only in the associated sensor policy for the machine, the machine continued to display a notification indicating that a USB device was blocked (although the machine user was able to access and read the device properly).

We have resolved the issue and this notification is no longer displayed on the machine.

Sensor and server

Windows

On

Personal firewall control

When creating custom firewall rules for inbound and outbound communication in the Endpoint Controls section of your sensor policy, the communication was not blocked on the specified ports on Linux machines.

We have resolved this issue and the communication on Linux machines is now blocked according to the custom firewall rules.

Sensor and server

Linux

On

Detections

In recent versions, the Cybereason platform did not always detect process injections (both injection into processes and processes injecting into other processes) correctly.

We have updated the configuration for this detection and related sensor collections to improve the accuracy of these detections.

Sensor and server

Windows

On

User roles

We have limited access to the XDR screen (containing the XDR Dashboard, XDR MalOps, and Suspicious Events tabs) to users with the following roles:

  • Executive

  • Analyst L1/L2/L3

  • Responder L1/L2

  • Malop Viewer

Users with other roles will not have the XDR screen in the left navigation menu, even if XDR is enabled in the environment.

Server

N/A

On

Behavioral allowlisting

When building a Behavioral allowlisting rule, you can click Preview to see how many existing MalOps would be allowed by this rule. Previously, when you clicked Preview, the Cybereason platform retrieved all MalOps with the matching root cause to check the impact of the rule. If you had a large number (such as thousands) of MalOps, the Cybereason UI would not be able to load due to a timeout issue.

We have updated the platform configuration for the Behavioral allowlisting screen to limit the total number of previewed MalOps to 500 MalOps.

Server

N/A

On

Server performance

In some environments that use the new Data Platform Infrastructure, servers experienced unexpected memory and performance problems and were required to restart frequently.

We have updated the server configuration to better utilize resources and memory and servers should not experience frequent restarts.

Server

N/A

On

Proxy, Linux sensors

When trying to connect to the Global Update server through a proxy connection (configured in the installed sensor package through sensor personalization), sensors on Linux machines were not able to access the Global Update server successfully.

We have resolved this issue and you can now connect Linux machines to the Global Update server through a proxy connection.

Sensor and server

Linux

On

Sensor tagging

When trying to add sensor tags through the CSV file upload, if the CSV file had duplicate FQDN identifiers for sensors, the tagging operation failed.

We have updated the flow used by the upload process and sensors with duplicate FQDN identifiers now successfully have sensor tags added.

Server

N/A

On

Sensor tagging

When adding sensor tags by uploading a CSV file, if the CSV file contained more than 10,000 rows, some sensors did not get sensor tags, failing with an unknown entity id error message.

We have updated the sensor tag upload flow to successfully upload CSV files with more than 10,000 rows.

Server

N/A

On

Sensor grouping

When building assignment logic for sensor groups, the OS and FQDN filter options are now available by default.

Server

N/A

On

Machine isolation

In rare cases in environments that use DHCP connections, when isolating an endpoint machine, the endpoint machine stayed offline permanently and was unable to communicate with Cybereason servers or rejoin the network in any way.

We have resolved this issue to address the issue of DHCP connections on isolated machines so that the machines do not stay offline permanently.

Sensor and server

Windows

On

Sensor logs

In the latest Cybereason version, after running an on-demand scan on an endpoint machine, log entries for the scan on the endpoint machine contained strange characters that did not help understand the log entry about the scan.

We have resolved this issue and strange characters should not be part of the scan logs on the endpoint machine, which will allow you to use the log entries effectively.

Sensor and server

Windows

On

Version 23.1.50

Feature

Description

Required Update

OS

Default On/Off?

Reputations

We have added the ability to specify sensor groups for item reputations in your environment. When you add or update an item’s reputation, you can specify if the reputation should apply either to specific groups, or to your entire environment.

This feature is disabled by default. Open a Technical Support case to get access to this feature.

Learn more

Server

N/A

Off

Response history

To help you better understand and analyze all remediation actions in your environment, we have added the Response History screen. This screen shows all response actions, on all machines, taken by all users.

This feature is not generally available. Contact your Customer Success Manager to gain access to this feature.

Learn more

Server

N/A

Off

User roles

To allow users to view MalOp information and details without the ability to edit MalOp details (e.g. Comments, Labels) or change MalOp Investigation statuses, we have added the Analyst L1 Viewer or Local Analyst L1 Viewer roles.

Users with these roles can view MalOps and MalOp details and the Investigation screen, but cannot edit items in these screens.

Server

N/A

On

Discovery dashboard

For environments with the new Data Platform infrastructure, to provide you a more useful overview of detected activity in your environment, you can use the Discovery Dashboard screen, with a variety of different charts and graphs related to detected activity.

This screen is not generally available. Contact your Customer Success Manager to gain access to this feature.

Learn more

Server

N/A

Off

MalOps management

In environments using the new Data Platform, in the Malops management screen, to help you filter and find Endpoint Protection MalOps, we have added the Protection type filter category.

You can filter by the different types of protection actions, including Quarantined, Prevented, Suspended, Disinfected, and Detected.

Learn more

Server

N/A

On

MalOps management

In environments with the new Data Platform, in the Malops management screen, Endpoint Protection MalOps and MalOps created from custom detection rules did not display the detection description in the MalOp details.

We have resolved this issue and the detection description displays for all MalOps.

Server

N/A

On

MalOps management

When loading MalOps created based on a Logon Session Element (MalopLogonSession), the Malops management screen unexpectedly reported an error and was unable to load the MalOp.

We have resolved this error to ensure all the data related to the MalOp can load and MalOps based on Logon Sessions load without issue.

Server

N/A

On

Data collection

On machines running supported versions of macOS, we now collect the device model and serial number of the machine.

You can find this data in the Device model and Serial number Features for the Machine Element.

Sensor and server

macOS

Yes

NGAV exclusions

The obfuscation of sensor policy exclusions is now supported for sensors running supported versions of macOS and Linux.

This feature is not generally available. Contact your Customer Success Manager to gain access to this feature.

Sensor and server

macOS, Linux

On

Remediation

In environments with the new Data Platform infrastructure, at times you were unable to view a machine’s remediation history until performing a remediation action, even when previous remediation actions had been performed.

We have resolved this error and the remediation history should be available at all times.

Server

N/A

On

Sensor installation/upgrade

In the latest Cybereason version, on Windows machines, you were unable to install or upgrade sensors due to a certificate error warning from Microsoft for a specific Microsoft policy configuration.

We have resolved this issue and you can now install or upgrade sensors as expected on Windows machines.

Sensor and server

Windows

On

Sensor upgrade

When upgrading sensors from older versions that used the cybereason-av service, the service was not removed from the machine with the upgrade version installation, causing sensor performance issues.

We have resolved this issue and the upgrade removes old versions of the sensor services on upgrade.

Sensor and server

Windows

On

Sensor upgrade

On some supported Linux operating systems (such as RHEL 6 or CentOS 6), upgrades failed due to the sensor upgrade installer not being able to find the correct services.

We have resolved this error and upgrades on all supported Linux operating systems work properly.

Sensor and server

Linux

On

Sensor upgrade

We have updated the sensor upgrade configuration used by the Cybereason platform to retry a sensor upgrade if the initial upgrade request fails. Previously, if an upgrade request failed, the platform reported an error and you needed to manually resolve the error.

Sensor and server

Windows

Sensor upgrade

When upgrading multiple sensors through the Sensors screen, the Action log would report an upgrade failure for some of the machines even though the sensors were successfully upgraded (as seen in the sensor information in the sensor grid).

We have resolved this issue and the Action log report matches the actual sensor upgrade status.

Server

N/A

On

Sensor performance

In some cases, when Sensor Tampering protection was enabled on sensors, users had delays in performing network operations remotely from the machine.

We have resolved this issue and network operations should not be affected when Sensor Tampering protection is enabled.

Sensor and server

Windows

Off

UI

When trying to open any of the tabs in the System screen (such as System > Sensors, System > Overview, and so forth), sometimes the Cybereason UI experienced unexpected performance with slow load times, such as when many different remediation requests were performed in a short time period.

We have resolved this error and screens in the Cybereason UI should load even when other requests are being processed by the Cybereason platform’s servers.

Server

N/A

On

UI

At times, the System > Sensors screen did not load due to a request to view a large number of sensors (tens of thousands).

We have resolved this issue and updated the server configuration to limit the number of sensors retrieved in a single request, so that this page loads properly. In particular, the /rest/sensors/query API endpoint now has a maximum limit of 30,000 sensors in a single request.

Server

N/A

On

Artificial intelligence

We have introduced a new model for Anti-Malware > Artificial Intelligence mode that includes improved detection of malicious .dll, .exe, and .NET files.

This model is not generally available yet. To enable this model, open a Technical Support case.

Sensor and Server

Windows

Off

NGAV

You can enable the Disable USN Journals option in the Anti-Malware > Signatures section of your sensor policy. Selecting this checkbox disables the utilization of the Windows USN Journals feature by Anti-Malware. Learn more

Sensor and Server

Windows

On

NGAV

Fileless protection MalOps include descriptions for rule-based (pattern) Fileless detection events. Descriptions of the malicious behavior associated with the pattern help analysts better understand the context of the event. You can view these descriptions in the Malop Details and Investigation screens.

This feature is not available by default. Open a Technical Support case to gain access to this feature.

Learn more

Server

Windows

Off

OS Support

Windows 7 SP1 (a legacy OS) is now compatible with the sensor if the following procedure is followed: Windows 7 Support.

Sensor

Windows

On

OS Support

AlmaLinux 8.6 and 9.0 are supported.

Note that the Sensors screen filter does not display this OS.

Sensor

Linux

On

Fileless Protection

When adding domain exclusions for Fileless Protection (in the Fileless Protection > Domain exclusions section of the sensor policy), if a machine had a slower network connection or performance, the exclusion details did not propagate to the endpoint machine before the timeout period and domains were blocked when they should have been allowed.

We have resolved this and Domain exclusions will propagate correctly for all endpoint machines.

Sensor and server

Windows

On

Linux sensors

On some machines, a number of empty Cybereason processes were created due to crashes in sensor-related processes. These extra processes caused performance issues on the machine.

We have resolved this issue and these extra processes should not appear even when sensor processes crash or have other issues.

Sensor and server

Linux

On

Version 23.1.31

Feature

Description

Required Update

OS

Default On/Off?

Decommission sensors

To help you remove sensors that you no longer manage or cannot reach in order to uninstall them, we have added the ability to Decommission a sensor. Decommissioning a sensor removes the sensor’s connection with the Cybereason platform and adds the sensor to a schedule to uninstall the sensor and delete it from your Cybereason environment.

The Decommission action also works with existing Stale and Archived sensor flows: you can configure whether, and after what time interval, archived sensors are automatically decommissioned.

This feature is disabled by default. Contact Technical Support to enable this feature.

Learn more

Sensor and server

All

Off

Malops management

To help you streamline your Malops analysis and triage workflow, in environments using the new Data Platform, for the Investigation status field, we have changed the Pending status to New to more accurately represent the investigation of these MalOps as new Malops that the system has generated. Learn more

Server

N/A

On

MalOps management

We have added the Sensor Tampering Protection value to the Detection Engine filter in the Malops management screen to enable you to locate MalOps generated as a result of Sensor Tampering protection enabled in your environment. Learn more

Server

N/A

On

MalOps management

In the Malops management screen, if your environment uses the newer Data Platform, you could not filter by MalOps with a state of Reopened.

We have resolved the issue and the filter for Reopened works as expected.

Server

N/A

Malops

When viewing MalOps in the Malop inbox, the MalOps displayed were different depending on how you accessed the Malop Inbox screen. For example, if you navigated from certain pages like the Discovery Board or refreshed the Malop Inbox screen, the Malops would be different.

To help with this issue, we have updated the configuration used by the Cybereason platform to ensure that the MalOps displayed in the Malop Inbox screen are always the same.

Server

N/A

On

Malop notifications

When the Cybereason platform reopened an existing MalOp for new activity related to the MalOp, analysts who enabled notifications for MalOps did not receive a notification with the MalOp report as expected due to an error in the update time in the platform.

We have resolved this error and all analysts with notifications enabled should receive MalOp reports as expected when MalOps are opened again.

Server

N/A

On

Attack Tree

At times, if the Attack Tree contained a large number of processes in the tree (both parent/ancestor and child/descendant processes), the Attack Tree did not load at all.

We have updated the configuration used by the Cybereason platform to load the Attack Tree with a partial list of processes, even when the Tree contains a large number of processes.

Server

N/A

On

Sensor performance

On sensors on Linux machines, some machines reported very high memory and CPU usage.

We have resolved this issue and sensors on Linux machines should run as expected with normal performance.

Sensor and server

Linux

On

Predictive Ransomware Protection

In the Sensors screen, the value of the Anti-Ransomware mode column now correctly reflects the actual value of Anti-Ransomware mode if Predictive Ransomware Protection is enabled on the sensor (previously, if using Predictive Ransomware Protection, the displayed value did not reflect the actual value).

Server

Windows

On

Windows sensor data collection

We have updated the configuration used by the collectors on Windows sensors to reduce the load of events and data from the endpoint machine and improve the Cybereason platform’s ability to analyze the total data and find events of interest.

Sensor and server

Windows

On

Version 23.1.10

Feature

Description

Required Update

OS

Default On/Off?

Communication

TLS 1.3 is now supported for communication between sensors and servers.

Sensor and Server

All

On

Malops

In environments using the new Data Platform, Malops were not being created for malicious logon sessions.

This issue has been resolved and all Malops are created as expected.

Server

N/A

On

Malops

Sometimes, when viewing the Malop details, the description was reported as NULL.

We have updated the server configuration to better ensure that the Malop description reports an actual description instead of an empty NULL value.

Server

All

On

Malops management

To help you review the Malops in the Malops management screen, we have increased the number of Malops you can view on a page.

By default, the Malops management screen displays 50 Malops. You can also select to view 100, 250, or 500 Malops per page.

Server

All

On

Malops management

In the Malops management screen, if you are using the newer Data Platform, when you open a Malop, it now opens in a separate tab.

Server

All

On

Malops management

In the Malops management screen, for the Detection engine filter, we have added options for Behavioral Execution Prevention and Application Control to find Malops detected by Behavioral Execution Prevention and Application Control engines.

Server

All

On

Malops management

In the Malops management screen, if your environment uses the newer Data Platform, if the Malop had a state of Reopened, the Investigation status displayed an incorrect value.

We have resolved the issue and the correct Investigation status displays for Malops with the Reopened state.

Server

All

On

Malops management

In the Malops management screen, when exporting the list of Malops, we have added the Affected machines count and Affected users count columns to the exported CSV file to enable you to see how many machines and users are associated with a Malop.

Server

All

On

Malops management

In the Malops management screen, if your environment uses the newer Data Platform, you did not have the option to add additional columns in the Malops grid.

We have resolved this issue and you now have the option to add columns in the grid.

Server

All

On

Malops management

In Japanese environments using the new Data Platform, in the Malops management screen, the Investigation Status filters listed Pending twice instead of Pending and On Hold.

We have resolved this issue and the filters display correctly now.

Server

N/A

On

Malops management

In environments using the new Data Platform, when adding a comment to a Malop in non-English languages (such as Japanese), the comments were displayed in the Malop with strange characters instead of the proper language characters.

We have resolved this issue and comments should display correctly.

Server

N/A

On

MalOps notifications

MalOps notification emails now include the environment name in the Subject of the email. For example: MalOp Report for: <xyz.cybereason.net>.

Server

All

On

Attack Tree

We have updated the configuration of the Cybereason platform for the Attack Tree to improve the tree loading times, most notably when the Attack Tree has a large number of child processes and suspicious processes.

Server

N/A

On

NGAV

On-demand scans on the endpoint (Right-click scan and CLI scan) are now generally available. These features are now enabled by default. Learn more.

Sensor

Windows

On

NGAV

The Predictive Ransomware Protection feature is in beta phase. This new type of ransomware protection uses a multi-layered detection mechanism to identify typical ransomware behavior and prevent unknown strains of ransomware. Contact Support to enable this feature. Learn more

Sensor and Server

Windows

Off

NGAV

Anti-Malware > Artificial Intelligence can now scan .NET files. This feature is in beta phase; you can ask Support to enable it.

Sensor

Windows

Off

DFIR

Users that have the Local Responder role in environments with sensor grouping can now use the Live File Search screen.

When you perform a live file search in these environments, each Local Responder will see the results from machines in the groups to which the user is assigned.

Server

All

On

Process collection

We have added a number of Features to the Process Element to help you understand more about protected processes:

  • Is process debugged

  • Signer

  • Protection type

You can see these Features (if there is data available) in the Element details screen, and these are available as columns in the Investigation screen.

Sensor and server

Windows

On

Process collection

For processes, we now collect the Logon Session UID from the machine.

Sensor and server

Windows

On

Sensor grouping

When creating assignment logic for sensor groups, based on the OS versions filter option, when you begin entering a string for the operating system, the Cybereason platform automatically displays a list of possible supported operating systems to help you more easily select and enter the operating system correctly.

Server

All

On

Sensor management, notifications

At times, the Cybereason platform sent email notifications for sensors that were manually unarchived (as opposed to automatic unarchive due to platform settings). For example, if you manually unarchived a sensor, the platform would still send a notification that the sensor was archived.

We have resolved this issue and you should not receive email notifications about a sensor being archived even though it was unarchived.

Server

All

On

Sensor management

We have updated the Signature mode current status column in the Sensors screen to Signatures mode state.

Server

N/A

On

User management

When selecting the Super User roles for a user, if the user already had the Responder L2 role, the Responder L2 role was changed to Responder L1 instead.

We have resolved this issue and when you select Super user, all roles are selected.

Server

N/A

On

Investigation

In Cybereason versions 22.1.168 and later, investigation queries may have had unexpected loading times and results.

We have resolved this issue and queries should load with appropriate performance times (relative to the amount of data being retrieved) and with correct results.

Server

N/A

On

Investigation

When adding filters for Elements in an investigation query, for some Elements, unexpected filters, such as {{$ctrl.feature.translatedName}}, were added as filters.

We have resolved this issue and no unexpected filters should be available for Elements when building queries.

Server

N/A

On

Endpoint controls

When adding custom firewall rules through a CSV file, you were unable to later edit the rule through the firewall rules table in your sensor policy.

We have resolved this issue and you can now edit firewall rules even when they are created through a CSV file.

Server

N/A

On