23.2 All Features

The tables in the following sections list all the features in every release of version 23.2.

The tables contain the following information about each feature:

  • The feature area

  • A description of the changes

  • Whether you need to update your server or sensor to the version listed

  • The supported operating systems for the sensor machines

  • The sensor and server versions required to utilize the feature

Note

Some features are released outside of formal release versions on a continuous basis. For details on the items added, see Continuous Delivery Features.

Version 23.2.201 (Service Pack)

Note

Presently, it is not possible to upgrade from version 23.2.163 (LTS) to this version. This issue will be resolved in the upcoming weeks.

Issue

Area

Description

Required Update

Supported OS

DFND-66202

NGAV

In some cases, when working with Technical Support to allow other AV products to work alongside your Cybereason sensor, the exclusion did not work in the environment.

We have updated the configuration of the AV exclusion mechanism to enable all products to be entered and to run alongside Cybereason sensors successfully.

Sensor and server

All

DFND-65417

Sensor upgrade

In the most recent Cybereason version, performing an upgrade to this version led to an error requiring an unexpected restart of the machine.

We have resolved this issue and you do not need to restart after performing the upgrade.

Sensor and server

Windows

DFND-64117

Sensor upgrade, Sensor proxy connection

At times, the proxy connection configuration settings to connect to the Anti-Malware service did not work correctly after you performed a sensor upgrade, and sensors were not able to connect correctly if you set up a proxy connection in your network.

We have resolved this issue and all connection settings for connection through a proxy server work as expected after a sensor upgrade.

Sensor and server

All

Version 23.2.163

Feature

Description

Required Update

OS

Default On/Off?

Sensors screen

We have updated the OS mapping used by the Sensors screen so you are now able to filter by the following operating systems (which previously could not be used in filters):

  • CentOS 9

  • Oracle Linux 9

  • RHEL 9

  • Ubuntu 23

  • Fedora Linux 35-39

  • Debian 12

Server

N/A

On

NGAV

The macOS sensor can now report file metadata to Cybereason headquarters for analysis that will impact the accuracy rate of our Anti-Malware engines and help reduce false positives (this feature was already introduced in a previous version for Windows and Linux sensors).

Sensor and server

macOS

On

Version 23.2.148

Feature

Description

Required Update

OS

Default On/Off?

Investigation

We have updated the names of many Features used throughout the Cybereason platform (such as in Investigation queries) to better reflect the actual meaning of these Features.

Server

N/A

On

Remediation

We have added the Quarantined files screen to enable you to unquarantine multiple files at the same time, and also to be able to unquarantine files without having to open each MalOp associated with these files. Learn more

This screen is disabled by default. Open a Technical Support case to gain access to this screen.

Server

N/A

Off

NGAV

The Linux sensor can now report file metadata to Cybereason headquarters for analysis that will impact the accuracy rate of our Anti-Malware engines and help reduce false positives (this feature was already introduced in a previous version for Windows sensors).

Sensor and server

Linux

On

NGAV

You can now disable on-access Anti-Malware > Signatures scans for macOS sensors, to reduce performance impact on the machine. By default, on-access scans are enabled.

Sensor and server

macOS

On

NGAV

Command exclusions added to Predictive Ransomware Protection will now also take effect on MBR protection (a subcategory of Predictive Ransomware Protection). Learn more

Sensor

Windows

On

NGAV

In some cases, the Anti-Malware > Artificial Intelligence mode detected the cramtray.exe process used by the sensor as malicious due to a certificate issue.

We have resolved this issue and the Anti-Malware > Artificial Intelligence mode will not detect sensor processes as malicious.

Sensor and server

Windows

On

Machine isolation

Machine isolation now also supports isolation using IPv6 addresses.

Sensor

All

On

OS Support

macOS Mojave (10.4) is no longer a supported operating system. The last supported sensor version for macOS Mojave is 23.1 (including all 23.1 minor versions).

Sensor

macOS

N/A

Sensor infrastructure

We improved the mechanism for automatically identifying potential memory leaks on the sensor.

Sensor

macOS, Linux

On

Sensor management

You can now uninstall Linux sensors via the Sensors screen with the Actions menu. Learn more

Sensor and server

Linux

On

Sensor management

The Sensor Actions (beta) screen is now available by default. The Sensor Actions screen enables you to view and monitor the results of essential sensor actions such as a sensor upgrade, installation, or uninstall. Learn more

Sensor and Server

Windows

On

Sensor management

The sensor uninstall file is now available by default from the Sensors screen > Actions menu.

This feature is supported on sensor versions 23.2.4/23.1.202 and later.

Learn more

Sensor and server

Windows

On

Sensor tampering

Sensor tampering protection is now generally available and enabled by default. There is also an option to prevent sensor maintenance actions in addition to tampering protection - this option requires downloading a passkey in order to perform sensor maintenance actions. Learn more

Sensor and server

Windows

On

Sensor updates

The Authenticated URL feature introduced in version 23.2.8x is now available by default. This feature enables faster and more scalable delivery of content to sensors.

Sensor and Server

All

On

Sensor upgrade

The more efficient sensor upgrade process introduced in version 21.2 is now available by default. In the scaled upgrade process, the sensor checks for an updated package every 10 minutes and downloads the new package from the server. When an Administrator triggers an upgrade from the Sensors screen, the sensor installs the new package.

If you want to use the previous method for sensor upgrade (e.g. via SCCM), open a Technical Support case to disable this feature.

Learn more

Sensor and server

Windows

On

Sensor upgrade

Sensor upgrades/installations are now blocked on machines with insufficient disk space, and on non-supported locations such as non-fixed drives (network drives, removable drives, etc.). Errors related to these issues are reported on the Sensors screen.

Sensor

Windows

On

Endpoint UI

On macOS sensors, a Cybereason system tray icon is now displayed. In future versions, this icon is planned to include notifications functionality.

Sensor

macOS

On

Behavioral allowlisting

When creating a behavioral allowlisting rule, if the logic of the rule used a file hash value Feature, the option to preview the rule did not work and did not display the MalOps that would have been prevented by this rule.

We have resolved this issue and the preview for behavioral allowlisting rules using file hash value Features works as expected.

Server

N/A

On

Version 23.2.129

Issue

Area

Description

Required Update

Supported OS

DFND-65417

Sensor installation

In the most recent Cybereason version, performing an upgrade to this version led to an error requiring an unexpected restart of the machine.

We have resolved this issue and you do not need to restart after performing the upgrade.

Sensor and server

Windows

Version 23.2.126

Feature

Description

Required Update

OS

Default On/Off?

File search

The File search feature is now available for macOS sensors.

This feature is disabled by default. Open a Technical Support case to enable this feature.

Learn more

Sensor

macOS

Off

Device Control

The Device Control screen is now available by default.

Learn more

Server

Windows and Linux

On

NGAV

It is now possible to exclude multiple third-party AV products. You must request this from Cybereason Support.

Note

Excluding third-party AV products while running Cybereason AV is not recommended and may cause unexpected and undesirable behavior on the endpoint.

Server and Sensor

Windows

Off

NGAV

A performance optimization is available for macOS on-access Signature scans. The optimization involves skipping scanning for close-on-write filesystem events, which can be performance-heavy under some workloads. This optimization has a minimal impact on security coverage and ensures a good balance between performance and coverage.

Sensor and Server

macOS

Off

NGAV

Variant Payload Prevention is now in Early Availability (EA) stage for Linux machines. Contact Support to access this feature for Linux.

Sensor and Server

Linux

Off

Sensor updates

The Endpoint Management Channel feature, including Authenticated URL for content delivery, is fully supported for macOS machines. This feature enables faster and more frequent sensor updates.

Sensor and Server

macOS

Off

NGAV, Fileless protection

In recent versions, if a sensor was assigned to a policy with Fileless Protection DISABLED but the COR_ENABLE_PROFILING environment variable was set to COR_ENABLE_PROFILING=1, the cramtray.exe process used by the sensor stopped working and was continuously crashing in a loop.

We have resolved this issue and the cramtray.exe process will no longer crash in this scenario.

Sensor and server

Windows

On

NGAV

You can now easily report false positives for Anti-Malware > Signatures generated MalOps. This helps Cybereason improve our detection accuracy and reduces false positives in the future. This feature is available from the MalOps Management screen and from the MalOp Details screen (from both the Exclude screen and from the three-dot menu). Learn more

Server

All

Off

NGAV

When scanning documents on network drives using Behavioral Document Protection, at times the Anti-Malware service performed unexpectedly or crashed.

We have resolved this error and the Anti-Malware service will perform as expected even when scanning network drives.

Sensor and server

Windows

On

NGAV

In recent Cybereason sensor versions, when the Anti-Malware service was enabled, machines experienced unexpected and intermittent performance problems, such as machine crashes or blue screens on the machine.

We have resolved this issue and the machine will perform as expected with Anti-Malware enabled.

Sensor and server

Windows

On

NGAV

At times, when Anti-Malware mode was set to Quarantine, the file was prevented successfully, but quarantine failed.

This issue was resolved, and in such cases the file is now quarantined successfully.

Sensor and server

Windows

On

NGAV

On macOS machines with the Intel i9 CPU, the Anti-Malware process crashed unexpectedly.

We have resolved this issue and the Anti-Malware process will run without issues on macOS machines with the Intel i9 CPU.

Sensor and server

macOS

On

NGAV

When updating a sensor policy or reloading the Anti-Malware service on macOS M1 machines, the Anti-Malware service was repeatedly crashing.

We have resolved this issue and the Anti-Malware service will no longer crash on macOS M1 machines during policy updates and the reloading of the Anti-Malware service.

Sensor and server

macOS

On

NGAV

On a Windows sensor with Anti-Ransomware enabled, if you performed rename operations on files where the new file name was the same as the old file name, the sensor’s Anti-Ransomware service showed unexpected behaviors, such as frequent crashes and restarts.

We have resolved this issue and the Anti-Ransomware service no longer crashes/restarts often when performing the rename operations.

Sensor and server

Windows

On

MalOps management

In the MalOps management screen, when viewing the MalOp details, if you exported the MalOp to a PDF, the exported PDF did not contain the information from the Machines or Users sections of the MalOp.

We have resolved this issue and the exported PDF for the MalOp contains the machines and users sections.

Server

N/A

On

MalOps management

In environments using the new Data Platform infrastructure, to help you better filter MalOps when using the API, we have added a new field called metadataUpdateTime to the request and response to return a list of MalOps. This field enables you to return MalOps based on changes in a MalOp field such as the MalOp status or addition of a MalOp comment.

Server

N/A

On

MalOps management

In environments that use the new Data Platform infrastructure, to simplify the process of filtering the list of MalOps in the MalOps Management screen, we have added a filter to select all EDR (AI Hunting) or NGAV (Endpoint Protection) MalOps. Previously, to view Endpoint Protection MalOps, you had to select multiple different options, such as Fileless Protection, Anti-Ransomware, and so forth.

Server

N/A

On

MalOps management

In Japanese environments, in the MalOps management screen, when viewing details on filters or sorting above the MalOp grid, the Clear sorting string was not translated into Japanese.

We have resolved this issue and Clear sorting is displayed in Japanese as expected.

Server

N/A

On

MalOp details

In the MalOp details screen, at times the Total transmitted bytes field reported no data with an empty value.

We have resolved this issue and updated the configuration used by the Cybereason platform to ensure that there is a value for this field.

Server

N/A

On

Sensor management

You can now uninstall macOS sensors via the Sensors screen with the Actions menu.

Sensor and server

macOS

On

Sensor management

Restarting the sensor from the UI will now trigger the sensor’s activeconsole and minionhost processes to restart (previously this only triggered the minionhost process to restart).

Sensor

All

On

Sensor performance

On machines running CentOS 7.1, if the Anti-Malware > Signatures scans attempted to scan a file larger than 2 GB, the file became locked and other processes also could not open the file, due to issues with dependencies in the operating system.

We have resolved this issue so that the sensor does not lock the access to these large files, and customers will be able to access these files on CentOS 7.1 machines.

Sensor and server

Linux CentOS 7.1

On

Data collection

On macOS machines, sensors now collect information on loaded modules, including short-term and long-term loaded modules.

Sensor and server

macOS

On

Custom detection rules

In environments using the new Data Platform infrastructure and the Virtual Cache feature, for detections generated based on custom detection rules, the Last triggered value was not reported for the detection.

We have resolved this issue and the Last triggered value will display in these environments.

Server

N/A

On

Custom detection rules

In the Custom detection rules, after upgrading an environment, the date and time for the Last triggered column will be missing from the screen (when it was displayed before the upgrade).

Server

N/A

On

Behavioral allowlisting

You can now create Behavioral allowlisting rules with special characters, such as (, ), and so forth.

Server

N/A

On

Sensor management

In environments with a large number of sensors, including very large numbers of archived or decommissioned sensors, sensor operations and the Sensors screen did not work as expected, with performance problems when sending commands or viewing the Sensors screen.

We have resolved this issue and optimized how the Cybereason platform processes sensor commands to ensure that these commands work as expected.

Server

N/A

On

Notifications

In environments with sensor grouping enabled, when an email notification for a new MalOp was sent to users with the Local Analyst L1 role assigned, the email notification contained a MalOp ID for the MalOp, but the MalOp ID was not a clickable link.

We have resolved this issue and the email notification sent to Local Analyst L1 users will contain the MalOp ID as a clickable link to enable these users to open up the MalOp in their Cybereason environment.

Server

N/A

On

User management

In the Users screen, if you selected the Local Analyst or Local Responder role for a user along with another global role (such as Policy Admin, User Admin, and so forth), the option to select the sensor groups for the user remained visible on the page, even though the user had no ability to be assigned to groups since they have a role that was global in nature.

We have resolved this issue and when you select a Local Analyst or Local Responder role along with another role, the option to select groups for the user is no longer displayed.

Server

N/A

On

Syslog

In the MalOp syslog file, we now report the Product version in a syslog message. For example, a syslog entry for a MalOp created event would report CEF:0|Cybereason|Cybereason|23.2|Malop|Malop Created|10|. Previously, this value was empty.

Server

N/A

On

Malware alerts

In Japanese environments, when exporting a CSV file of malware alerts from the Malware Alerts screen, at times the CSV file would unexpectedly change from Japanese to English (such as after a restart of the platform’s servers).

We have resolved this issue and the CSV file will export in the correct language, based on the language settings for the user that is performing the export.

Server

N/A

On

Data collection

On the sensor, connections to the same service or from the same client detected by a sensor are now aggregated to reduce the number of data updates sent from the sensor for connection information. This aggregation will help improve the performance of your detection server as the amount of data sent for connections is more manageable.

Sensor and server

Windows

On

Version 23.2.87

Feature

Description

Required Update

OS

Default On/Off?

EULA license agreement

When upgrading to this version, we have updated the End-User License Agreement (EULA).

One user will be required to sign in to the Cybereason platform through the admin console and must sign this agreement to use both the UI for the Cybereason platform and to run API scripts.

Server

On

Sensor updates

As part of the Endpoint Management Channel feature that enables frequent sensor updates, we have introduced an Authenticated URL to help support faster and more scalable delivery of content to sensors. Instead of downloading directly from the Cybereason server, the sensor will download its contents via a CDN. Learn more

Sensor and Server

All

Off

Predictive Ransomware

At times, if a folder path or file contained non-English characters, Predictive Ransomware Protection did not respond as expected to ransomware execution in these paths.

We have resolved this issue and Predictive Ransomware Protection works as expected when a folder or file path contains non-English characters.

Sensor and server

Windows

On

NGAV

The sensor can report file metadata to Cybereason headquarters for analysis that will impact the accuracy rate of our anti-malware engines and help reduce false positives. This feature is now on by default.

Sensor and server

Windows

On

NGAV Anti-Malware

On machines running Windows 10 32-bit with Fileless protection enabled, an error was caused by the DLL used to implement Microsoft Anti-Malware Scan Interface (AMSI)-based Fileless Protection.

This issue has been resolved and this error message no longer displays.

Sensor and server

Windows

On

NGAV Anti-Malware

On machines running Linux and macOS operating systems, when adding an exclusion that ended with a forward slash (/), the sub-folders under the entered path were also unexpectedly excluded from Anti-Malware scans.

We have resolved this issue and the sub-folders for the entered path will not be excluded from Anti-Malware scans.

Sensor and server

macOS, Linux

On

MalOp details, Investigation, Malware Alerts

At times, in the Malware Alerts, Investigation, and Response History screens, the full machine name for the malware alert did not display if the malware was detected in a scan. This was due to a limitation of the Windows OS API used to collect information about a machine.

We have resolved this issue and the machine name displays correctly.

Sensor and server

Windows

On

Data collection

As part of the effort to improve collection on process activities, we have added the ability to collect data on changes to the input or output used by a process. If a process uses a non-standard input or output, the Cybereason platform will report details on this change. This helps find instances of malicious activity by many known malicious tool packages, such as Cobalt Strike, Meterpreter, or living off the land binary files which use non-standard inputs and outputs for their activities.

To help you find this data when investigating process activities, the Cybereason platform now adds a number of Features to the Process Element to help you understand more about protected processes and find instances of changes to the input/output used by the process:

  • Is process debugged

  • Signer

  • Protection type

  • Stderr device name

  • Stderr device remote address

  • Stderr device remote port

  • Stderr device type

  • Stdin device name

  • Stdin device remote address

  • Stdin device remote port

  • Stdin device type

  • Stdout device name

  • Stdout device remote address

  • Stdout device remote port

  • Stdout device type

You can see these Features (if there is data available) in the Element details screen, and these are available as columns in the Investigation screen.

Sensor and server

Windows

On

Investigation

In recent Cybereason versions, after upgrading to the newer version and enabling sensor grouping in the environment, you were unable to group the results in the Investigation screen by some of the available Features.

We have resolved this error and you can now sort investigation query results by all Features when you enable sensor grouping in the environment.

Server

N/A

On

Investigation

In the Investigation screen, when viewing investigation query results, if you selected the option to limit the total number of results, the results displayed per page were not always correct.

We have resolved this issue and investigation query results will report totals (all total results and per page) correctly.

Server

N/A

On

Custom detection rules

In environments using the new Data Platform infrastructure and the Virtual Cache feature, for detections generated based on custom detection rules, the Last triggered value was not reported for the detection.

We have resolved this issue and the Last triggered value will display in these environments.

Server

N/A

On

OS Support, Sensor installation

Starting from this version, sensor installation will fail on macOS machines running macOS versions older than 10.13.

Sensor

macOS

On

Remote Shell

At times, if a sensor was unable to start a Remote Shell utility session, the sensor would crash unexpectedly.

We have resolved this issue and the sensors will not crash when there is a failure to start the Remote Shell utility.

Sensor and server

Windows

On

System tray icon

On machines running Windows operating systems, there were issues with the Cybereason system tray icon displaying when it should not, such as displaying after a restart even though the sensor policy said not to display the system tray icon, or frequent stopping of the cramtray.exe process.

We have improved the configuration of the system tray icon process to ensure that icons do not display (such as multiple icons or icons unexpectedly displaying).

Sensor and server

Windows

On

Version 23.2.67

Feature

Description

Required Update

OS

Default On/Off?

NGAV exclusions

Beginning in this version, you can use the Policy exclusions to add exclusions to different NGAV protection engines. You add all exclusions in a single place, based on the type of item, either one by one through the sensor policy or by importing a CSV file with the exclusion details.

These exclusions are also added in the respective screens in other parts of the sensor policy.

Learn more

Server

N/A

On

Sensor Management

This version introduces the Sensor Actions screen. The Sensor Actions screen enables you to view and monitor the results of essential sensor actions such as a sensor upgrade, installation, or uninstall. This screen is not yet generally available. Contact Support to enable this screen. Learn more

Sensor and Server

Windows

Off

NGAV

The sensor can now report file metadata to Cybereason headquarters for analysis that will impact the accuracy rate of our anti-malware engines and help reduce false positives.

Sensor and server

Windows

Off

NGAV

Predictive Ransomware Protection (PRP) can now prevent ransomware in cases where another machine on the network that is not protected by PRP attempts to execute the ransomware on a machine that is protected by PRP (for example, by using shared folders). In previous versions, this behavior was detected by PRP, but not prevented.

Sensor

Windows

On

NGAV, Mac AV

On machines running supported macOS versions, if in the sensor policy you had configured a scheduled scan to start and the machine was not online, the scan did not start even when the machine came online later, as expected from the sensor policy settings.

We have resolved this issue and the scan will start when a machine comes online.

Sensor and server

macOS

On

NGAV

In recent Cybereason versions, on machines using Sensor Tampering Protection, MalOps based on Variant Payload Protection or Threat Intelligence services were not generated as expected.

We have resolved this issue and MalOps based on Variant Payload Protection and Threat Intelligence will be generated as expected, even with Sensor Tampering Protection enabled.

Sensor and server

Windows

On

NGAV, Behavioral Document Protection

At times, AI-based Behavioral Document Protection triggered false positive MalOps for files that did not have a macro but contained suspicious strings of characters.

We have resolved this issue and the Cybereason platform’s AI-based Behavioral Document Protection will not trigger MalOps for files with suspicious strings but no macros.

Sensor and server

Windows

On

DFIR, File search

In environments with File Search enabled or with the DFIR package, the Live File Search on Linux machines is on by default. You do not need to ask Technical Support to enable this feature. Learn more

Sensor and server

Linux

On

MalOps management

In environments managed through the Defense Console, in the MalOps management screen, if you clicked Clear filters, the environment redirected back to the Defense Console home page instead of simply clearing the filters.

We have resolved this issue and the filters clear as expected.

Server

N/A

On

Machine isolation exceptions

The ability to assign Machine Isolation Exception rules to specific sensor groups is now available by default, without the need for Technical Support to enable this feature.

Server

N/A

On

Data collection

To improve the quality and accuracy of collected data from Windows machines, the Cybereason platform has changed the way in which process creation events are collected from the Cybereason driver. This method captures process creation events directly from the Cybereason driver, which extracts the events from the Kernel. This methodology ensures that Cybereason retrieves the most accurate real-time data that includes all relevant creation parameters and arguments, such as command lines. This provides more accurate data and better insights into short-lived processes.

Prior to this feature, Cybereason collected the creation event of a process, as well as other product data, through the Event Tracing for Windows (ETW) mechanism, an asynchronous event provider. Although this collection mechanism collected data about processes, mismatches occurred, particularly in the context of short-lived processes.

This collection method will now be the default collection method for sensors on Windows machines.

Sensor and server

Windows

On

Sensor infrastructure

The sensor now supports SNI. Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.

Sensor

Windows

Off

Sensor installation

In recent Cybereason versions, when trying to upgrade sensors, an error about Downgrade is not supported was displayed, even though the operation was not a downgrade operation. This was due to issues with the sensor installation report that is created as part of the sensor installation/upgrade process.

We have resolved this error and the downgrade message should not display.

Sensor and server

Windows

On

Linux sensors

On Linux sensors, the eBPF framework used by the sensor to collect data is now embedded in the Linux sensor by default for all Linux packages.

This framework improves process collection on Linux machines through the use of the newest Linux capabilities, including the ability to collect details on a process’s capabilities as well as information on the real and effective users for the process.

Sensor and server

Linux

On

Linux sensors

On machines running the SUSE 15.3 operating system on Azure provisioned server machines, the sensor was unable to run due to a Could not verify minion signature error message.

We have resolved this issue and the sensor can run on these machines without issue.

Sensor and server

Linux - SUSE 15.3

On

Sensor logs

When retrieving sensor logs from the Sensors screen, the exclusions in the sensor policy will be decrypted as part of the retrieval operation to enable administrators to read clear text in the exclusions entries in the log.

Sensor and server

Windows

On

User notifications

In recent versions, email notifications sometimes were not sent in the language set by the user for their access to the Cybereason platform. Instead, the mail notifications used the language set for the machine on which the WebApp server was running.

We have resolved this issue and the mail notifications will use the user-defined language setting.

Server

N/A

On

User notifications

In environments that use sensor grouping, if a MalOp was triggered on a machine in a sensor group, local analysts for other groups to which the sensor was not assigned also received an email notifying that there were 0 MalOps detected.

We have resolved this issue and analysts from other groups not associated with the machine in the MalOp will not receive email notifications for machines not in their assigned groups.

Server

N/A

On

Version 23.2.47

Issue

Area

Description

Required Update

Supported OS

DFND-56958, DFND-57639

Sensor system tray icon

On machines running Windows operating systems, there were issues with the Cybereason system tray icon displaying when it should not, such as displaying after a restart even though the sensor policy said not to display the system tray icon, or frequent stopping of the cramtray.exe process.

We have improved the configuration of the system tray icon process to ensure that icons do not display (such as multiple icons or icons unexpectedly displaying).

Sensor and server

Windows

Version 23.2.46

Feature

Description

Required Update

OS

Default On/Off?

Behavioral allowlisting

On the most recent Cybereason version, after creating a behavioral allowlisting rule, you were not able to go back and edit the rule’s logic (which was possible in previous versions).

We have resolved this issue and you now can edit all behavioral allowlisting rules as expected.

Server

N/A

On

Version 23.2.45

Issue

Area

Description

Required Update

Supported OS

DFND-56196

Sensor management

In the most recent version, in the Sensors > Overview screen, no sensor data was displayed for all connected endpoint machines.

We have resolved this issue and the Overview screen will display data for all endpoint machine sensors.

Server

N/A

Version 23.2.44

Feature

Description

Required Update

OS

Default On/Off?

NGAV

The Fileless protection enhancements added in recent versions (including the Sensitivity level, .NET processes and AMSI protection improvements, and the ability to exclude processes by path) are now available by default.

Sensor and server

Windows

On

NGAV

For Predictive Ransomware Protection, you can now add Regex-based command line exclusions.

Sensor and Server

Windows

On

NGAV exclusions

In the sensor logs, if you added an exclusion for a specific folder or path that ended with a wildcard character, the sensor log indicates that the exclusion will be ignored since the exclusion does not end with a backslash character. The message is misleading as the exclusion still works as expected and is not ignored.

We have resolved this issue and updated the log configuration to not report errors like this.

Sensor and server

Windows

On

MalOps management

When working with a MalOp, we have updated the workflow to exclude the MalOp from future detection as a MalOp. Now you have the choice to:

  • Select the option to make a behavioral allowlisting rule, with the root cause for the rule already selected

  • Add the root cause element value to the allowlist

  • Mark the MalOp as a false positive and prevent future instances of the same MalOp from being generated

  • Close the MalOp immediately

Server

N/A

On

MalOps

In recent Cybereason versions, on machines using Sensor Tampering Protection, MalOps based on Variant Payload Protection or Threat Intelligence services were not generated as expected.

We have resolved this issue and MalOps based on Variant Payload Protection and Threat Intelligence will be generated as expected, even with Sensor Tampering Protection enabled.

Server

N/A

On

MalOp details

Previously, if there was no start time for a MalOp, the Cybereason platform incorrectly automatically assigned another value like the current time or the close time for the MalOp as the MalOp start time.

We have updated the MalOp creation logic to ensure that if the MalOp start time is not available, the Cybereason platform will use the start time for the first process associated with the MalOp as the start time.

Server

N/A

On

MalOp details

In the Malops management screen, in the MalOp details screen for a specific MalOp, when viewing connection details, if you wanted to view the connections for a specific machine, the MalOp details returned the connection details for all machines associated with the MalOp (not just the specific machine).

We have updated the logic used by the Cybereason platform for the connection details in the MalOp details to return the connections for a specific machine instead of all machines.

Server

N/A

On

Investigation

In the Investigation screen, when viewing the results from a query, the number of results displayed in a page did not always match the number selected. For example, if you selected to display 1000 results in a page, the first page might have displayed only 950 when there were more than 1000 results.

We have resolved this issue and the number of results that display will match the number of results selected to display (for example, display 1000 if there are 1000 results to display).

Server

N/A

On

Sensor Platform

The sensor now supports Windows AM-PPL. This service provides self-protection for the Cybereason sensor. For example, it protects Cybereason processes against malicious actions such as terminating the application.

This feature is not available by default. Open a Technical Support case to enable this feature.

Sensor

Windows

Off

Sensor installation

On recent Cybereason versions, the sensor did not install correctly on the Windows Server 2019 Core operating system.

We have resolved this error and the sensor installs without issue on Windows Server 2019 Core.

Sensor and server

Windows Server 2019 Core

On

Sensor installation

When performing a sensor installation on a Linux machine, if the machine used Python 3 instead of older Python versions to run the installer program, a Not found error message was printed in the machine’s terminal, even though there was no issue with the installation.

We have resolved this issue and updated the sensor installer flow to not show this unnecessary message.

Sensor and server

Linux

On

Sensor performance

On sensors on Windows machines, when the sensor collected data related to the WMI persistent object Element, the sensor sometimes experienced performance problems, occasionally causing the sensor program to crash.

We have updated the sensor’s internal mechanism to ensure that the sensor’s performance is not affected by data collection of items related to the WMI Persistent Object Element.

Sensor and server

Windows

On

Sensor performance

When using Sensor Tampering Protection in machines running Windows 7 or Windows 8, the cramtray.exe program (that runs the System Tray icon) did not start.

We have resolved this issue and the cramtray.exe program will now work on machines running Windows 7 and Windows 8.

Sensor and server

Windows 7/8

On

Sensor performance

When performing a sensor installation on Linux machines running the RHEL 9.X operating system, the sensor and sensor services were unable to start after installation.

We have resolved this issue and the sensor should run as normal on RHEL 9.X operating systems.

Sensor and server

Linux RHEL 9.X

On

Sensor performance

On machines running Linux operating systems, when the sensor state changed (such as from crash recovery state to normal state), the sensor had to restart its process, which at times could cause the sensor to crash during process shutdown. Because most of the sensor parts were already shut down, a crashdump could be created in the root directory (/), which led to exhaustion of endpoint storage.

We have resolved this issue and the sensor should never create coredump files (if any) at the wrong location.

Sensor and server

Linux

On

Sensor performance

In some cases on Windows machines (usually related to unexpected termination or crashes in the sensor processes), the System tray icon was duplicated unnecessarily, with one icon for the former cramtray.exe process that stopped and one icon for the cramtray.exe process currently running.

We have resolved this issue and updated the sensor’s internal flow to ensure that the sensor does not leave or cause extra system tray icons.

Sensor and server

Windows

On

User management

After upgrading to recent Cybereason versions, if you enabled two-factor authentication (TFA) for users, the TFA no longer worked after the upgrade and you had to reset all user TFA keys.

We have resolved this issue and TFA now works properly after the upgrade with no need to reset any TFA keys.

Server

N/A

On

OS Support

Cybereason now provides an early access version of the sensor that supports Linux ARM. This sensor supports core security functionality. Visibility in the Cybereason UI is now supported. Automated installation is not yet supported. Open a Technical Support case to request the sensor package.

Sensor

Linux

Off

Version 23.2.24

Feature

Description

Required Update

OS

Default On/Off?

Malops management

In the MalOps management screen, we have added a new filter called Detection type. You can use this filter to display MalOps classified as Potentially Unwanted Programs (PUP).

Server

N/A

On

Predictive Ransomware

In some cases, Predictive Ransomware Protection incorrectly raised a false positive MalOp for possible encryption of a file due to an issue identifying the different streams for the file (a legitimate operating system functionality).

We have resolved this issue and updated the configuration for Predictive Ransomware to ensure it handles streams for files correctly so as to not identify one of the streams for the file as encrypted.

Sensor and server

Windows

On

NGAV

On sensors using Behavioral Document Protection AI, sensors did not report the behavior ID to the Cybereason Detection server as part of the event details for the detected event. In turn, the Behavior ID associated with the detected event was not included in the MalOp details or Investigation screens for analysts to understand the event.

We have resolved this issue and the event behavior ID is now reported by the sensor and included in the MalOp details and Investigation query results for a detected event.

Sensor and server

Windows

On

NGAV

When using canary-based Anti-Ransomware, if a command was added to the Anti-Ransomware exclusions, the command continued to be detected and reported as a detection by the Cybereason platform. This was because the Anti-Ransomware exclusions only stopped the suspension of the excluded command (but still detected the performance of the command).

We have updated the flow used by the Cybereason platform when adding an Anti-Ransomware exclusion to both not suspend the command and not detect the performance of the command entered in the exclusions.

Server

N/A

On

Sensor installation

If you ran the installer package for the sensor from a network drive (instead of a local drive), the installation failed with an error about the sensor installer being unable to verify the certificate of the bundle.

We have resolved this issue and you can run the sensor installer from a network drive also.

Sensor and server

Windows

On

Sensor upgrade

When upgrading from 20.1 versions to the latest Cybereason versions, the sensor did not start due to an issue with upgrade of files required by the sensor and the sensor services.

We have resolved this issue and all files will upgrade successfully and allow the sensor and sensor services to start and run as expected.

Sensor and server

Windows

On

Investigation

In the Investigation screen, when exporting query results, the time for different items in the CSV is now represented in the local time shown in the investigation screen instead of GMT.

Server

N/A

On

Device Control

In recent Cybereason versions, when you enabled Device Control in a sensor policy, if you set the Device Control mode for devices to Read only, the Device control mode reported in the Sensors screen for sensors assigned to this policy was Disabled instead of Enabled.

We have resolved this issue and updated the logic used by the server for the Read only mode for devices to report that Device Control is enabled instead of disabled.

Server

N/A

On

Data collection, Linux sensors

On environments with sensors running Linux operating systems, at times the Investigation screen would report strange and unexplained connection and port details that did not match the real connection details (i.e. the IP addresses for the connections).

We have resolved this issue and updated the configuration used by the sensor around collecting communication data to ensure that the details reported about communication on Linux machines are collected and reported correctly.

Sensor and server

Linux

On

Sensor management

In the Sensors screen, when you used the search to find sensors that had a group assignment of Dynamic or Manual, the filtering did not work correctly.

We have resolved this issue and filtering by sensor groups works as expected.

Server

N/A

On

Sensor Platform

From this version, the sensor can run on a FIPS-enabled Windows machine. This was made possible by removing the usage of any local sockets such as zeromq.

Sensor

Windows

On

Version 23.2.4

Feature

Description

Required Update

OS

Default On/Off?

Sensor Deployment

You can now uninstall sensors using an uninstall file. You can generate this file from the Sensors screen in the Actions menu. You can run the file on endpoints and it is capable of uninstalling both online and offline sensors without requiring the uninstall password.

This feature is available for early access and is disabled by default. Contact Cybereason Support to enable this feature.

Sensor and Server

Windows

Off

Remediation

We have updated the logic used by the Cybereason platform’s file quarantine feature to ensure that the sensor cannot quarantine sensor-related files.

Server

N/A

On

Malops

We have made some adjustments to how the Cybereason platform retains data, especially related to MalOp details, to reduce the time for a MalOp to be generated and to ensure that as many details as possible for the MalOp are reported in the MalOp details.

Server

N/A

On

Malops management

In the MalOp details screen, if you selected the View activity since remediated option, no additional data displayed even though there had been associated activity for that MalOp.

We have updated the View activity since remediation option to View activity since closed to more accurately reflect what the option displays.

Server

N/A

On

Malops management

In Japanese environments, in the MalOp details screen, we have updated the string 件を開始 (as part of the Process started/ended) to を開始 to make the string a more accurate translation.

Server

N/A

On

Malops management

In the Malops management screen, in environments that use the new Data Platform infrastructure, if you selected Today from the list of time filter options, the dialog box to select a date also displayed unexpectedly.

We have resolved this issue and the date selector does not appear when you select the Today option.

Server

N/A

On

NGAV

You can now disable on-access scans on Linux sensors using the Advanced options in the Anti-Malware screen of the sensor policy.

Sensor and Server

Linux

On

NGAV

On recent Cybereason versions, after upgrading to the version, numerous false positive detections were generated by the Cybereason Artificial Intelligence feature.

We have resolved this issue and modified the configuration used by the server to analyze PE files to ensure there are fewer false positives.

Sensor and server

Windows

On

NGAV

In the most recent Cybereason version, if you enabled Anti-Ransomware, the Anti-Ransomware did not work due to a problem with upgrading files required by the Anti-Ransomware service.

We have resolved this issue and all files upgrade successfully and you will be able to use Anti-Ransomware as expected.

Sensor and server

Windows

On

Behavioral allowlisting

To help you build more effective behavioral allowlisting rules that address additional scenarios, you can now add Grandparent Process and Great-Grandparent Process Elements in the rule.

Server

N/A

On

Investigation

In Japanese environments, when exporting query results to a CSV file, the exported CSV file did not include the AM or PM designation on times.

We have resolved this issue and the exported CSV files will now include the AM or PM with the time.

Server

N/A

On

Investigation

In the Investigation screen, when using the Timeline filter to select a time range for results, the timestamp for the query creation time did not match the timestamp visible in the Cybereason UI.

We have resolved this issue and timestamps used by the Timeline filter will match the actual timestamp in the Cybereason platform.

Server

N/A

On

Sensor installation

When installing Linux sensors, at times you would see warning messages in the installation logs about missing libraries, even though the sensor was working properly and the library may have been installed on the machine.

We have updated the sensor installation logic and these warnings will be reported in a more meaningful way or not reported at all in some cases.

Sensor and server

Linux

On

Sensor upgrade

When upgrading sensors on Windows machines from recent versions, the sensor would not run as expected due to repeated crashes in the minionhost.exe process.

We have resolved this issue and the sensors will upgrade successfully without the repeated crashes.

Sensor and server

Windows

On

Sensor upgrade

In the most recent version, in some cases, when performing a sensor upgrade the sensor upgrade did not work and remained in progress indefinitely.

We have resolved this issue and sensor upgrades will work properly.

Sensor and server

All

User roles

In a sensor policy, users with the System Viewer role were unable to scroll and view the full list of exclusions available in the sensor policy.

We have resolved this issue and users with this role will be able to scroll and see policy exclusions, not just the few exclusions that display in the first few rows of the table.

Server

N/A

On

Sensor performance

When upgrading sensors on Windows machines from recent versions, the sensor would not run as expected due to repeated crashes in the minionhost.exe process.

We have resolved this issue and the sensors will upgrade successfully without the repeated crashes.

Sensor and server

Windows

On