September 26, 2023 Service Pack

The following Service Pack versions were released:

Versions (Sensor and Server)

22.1.442

23.1.243

The tables below describe the enhancements, fixed issues, and changes included in each version.

  • The Versions column indicates the versions that include the fix. (For more information, see the note above.)

  • The Required Update column indicates if the fix requires sensor/server update.

IMPORTANT: If you want to upgrade your servers to this version, we recommend that you upgrade all components - Registration server, Detection servers, and WebApp server - to this version.

Version 22.1.442

| Issue | Area | Description | Required Update | Supported OS |
| --- | --- | --- | --- | --- |
| DFND-54285 | Sensor performance | On sensors on Windows machines, when the sensor collected data related to the WMI persistent object Element, the sensor sometimes experienced performance problems, occasionally causing the sensor program to crash. We have updated the sensor’s internal mechanism to ensure that the sensor’s performance is not affected by data collection of items related to the WMI Persistent Object Element. | Sensor and server | Windows |
| DFND-54077 | Sensor installation | On recent Cybereason versions, the sensor did not install correctly on the Windows Server 2019 Core operating system. We have resolved this error and the sensor installs without issue on Windows Server 2019 Core. | Sensor and server | Windows Server 2019 Core |
| DFND-53231 | Sensor performance | When using Sensor Tampering Protection on machines running Windows 7 or Windows 8, the cramtray.exe program (which runs the System Tray icon) did not start. We have resolved this issue and the cramtray.exe program now works on machines running Windows 7 and Windows 8. | Sensor and server | Windows 7/8 |
| DFND-53214 | Sensor performance | When performing a sensor installation on Linux machines running the RHEL 9.X operating system, the sensor and sensor services were unable to start after installation. We have resolved this issue and the sensor should run as normal on RHEL 9.X operating systems. | Sensor and server | Linux (RHEL 9.X) |
| DFND-53149 | Sensor performance | On machines running Linux operating systems, when the sensor state changed (such as from crash recovery state to normal state), the sensor had to restart its process, which at times caused the sensor to crash during process shutdown. Because most of the sensor parts were already shut down, a crash dump could be created in the root directory (/), which led to exhaustion of endpoint storage. We have resolved this issue and the sensor should never create core dump files (if any) in the wrong location. | Sensor and server | Linux |
| DFND-52505 | Device Control | In recent Cybereason versions, when you enabled Device Control in a sensor policy, if you set the Device Control mode for devices to Read only, the Device Control mode reported in the Sensors screen for sensors assigned to this policy was Disabled instead of Enabled. We have resolved this issue and updated the logic used by the server for the Read only mode for devices to report that Device Control is enabled instead of disabled. | Server | N/A |
| DFND-269 | Endpoint Controls | The Device control screen enables system and security admins to view Device control events and easily monitor the usage of USB devices across their environment. This feature is currently in beta stage. Contact your Customer Success Manager to gain access to this feature. | Server | Windows |

Version 23.1.243

| Issue | Area | Description | Required Update | Supported OS |
| --- | --- | --- | --- | --- |
| DFND-54285 | Sensor performance | On sensors on Windows machines, when the sensor collected data related to the WMI persistent object Element, the sensor sometimes experienced performance problems, occasionally causing the sensor program to crash. We have updated the sensor’s internal mechanism to ensure that the sensor’s performance is not affected by data collection of items related to the WMI Persistent Object Element. | Sensor and server | Windows |
| DFND-54077 | Sensor installation | On recent Cybereason versions, the sensor did not install correctly on the Windows Server 2019 Core operating system. We have resolved this error and the sensor installs without issue on Windows Server 2019 Core. | Sensor and server | Windows Server 2019 Core |
| DFND-53773 | Sensor installation | When performing a sensor installation on a Linux machine, if the machine used Python 3 instead of older Python versions to run the installer program, a Not found error message was printed in the machine’s terminal, even though there was no issue with the installation. We have resolved this issue and updated the sensor installer flow to not show this unnecessary message. | Sensor and server | Linux |
| DFND-53642 | User management | After upgrading to recent Cybereason versions, if you enabled two-factor authentication (TFA) for users, the TFA no longer worked after the upgrade and you had to reset all user TFA keys. We have resolved this issue and TFA now works properly after the upgrade with no need to reset any TFA keys. | Server | N/A |
| DFND-53231 | Sensor performance | When using Sensor Tampering Protection on machines running Windows 7 or Windows 8, the cramtray.exe program (which runs the System Tray icon) did not start. We have resolved this issue and the cramtray.exe program now works on machines running Windows 7 and Windows 8. | Sensor and server | Windows 7/8 |
| DFND-53214 | Sensor performance | When performing a sensor installation on Linux machines running the RHEL 9.X operating system, the sensor and sensor services were unable to start after installation. We have resolved this issue and the sensor should run as normal on RHEL 9.X operating systems. | Sensor and server | Linux (RHEL 9.X) |
| DFND-53149 | Sensor performance | On machines running Linux operating systems, when the sensor state changed (such as from crash recovery state to normal state), the sensor had to restart its process, which at times caused the sensor to crash during process shutdown. Because most of the sensor parts were already shut down, a crash dump could be created in the root directory (/), which led to exhaustion of endpoint storage. We have resolved this issue and the sensor should never create core dump files (if any) in the wrong location. | Sensor and server | Linux |
| DFND-52915 | MalOp details | Previously, if there was no start time for a MalOp, the Cybereason platform automatically and incorrectly assigned another value, such as the current time or the close time for the MalOp, as the MalOp start time. We have updated the MalOp creation logic to ensure that if the MalOp start time is not available, the Cybereason platform will use the start time for the first process associated with the MalOp as the start time. | Server | N/A |
| DFND-52639 | Sensor performance | In some cases on Windows machines (usually related to unexpected termination or crashes in the sensor processes), the System tray icon was duplicated unnecessarily, with one icon for the former cramtray.exe process that stopped and one icon for the cramtray.exe process currently running. We have resolved this issue and updated the sensor’s internal flow to ensure that the sensor does not leave or cause extra system tray icons. | Sensor and server | Windows |
| DFND-52505 | Device Control | In recent Cybereason versions, when you enabled Device Control in a sensor policy, if you set the Device Control mode for devices to Read only, the Device Control mode reported in the Sensors screen for sensors assigned to this policy was Disabled instead of Enabled. We have resolved this issue and updated the logic used by the server for the Read only mode for devices to report that Device Control is enabled instead of disabled. | Server | N/A |
| DFND-51863 | Predictive Ransomware | In some cases, Predictive Ransomware Protection incorrectly raised a false positive MalOp for possible encryption of a file due to an issue identifying the different streams for the file (a legitimate operating system functionality). We have resolved this issue and updated the configuration for Predictive Ransomware to ensure it handles streams for files correctly so as to not identify one of the streams for the file as encrypted. | Sensor and server | Windows |
| DFND-50987 | MalOps | In recent Cybereason versions, on machines using Sensor Tampering Protection, MalOps based on Variant Payload Protection or Threat Intelligence services were not generated as expected. We have resolved this issue and MalOps based on Variant Payload Protection and Threat Intelligence are generated as expected, even with Sensor Tampering Protection enabled. | Server | N/A |
| DFND-50661 | NGAV | For Predictive Ransomware Protection, you can now add Regex-based command line exclusions. | Sensor and server | Windows |
| DFND-23530 | NGAV exclusions | In the sensor logs, if you added an exclusion for a specific folder or path that ended with a wildcard character, the sensor log indicated that the exclusion would be ignored since the exclusion did not end with a backslash character. The message was misleading, as the exclusion still worked as expected and was not ignored. We have resolved this issue and updated the log configuration to no longer report errors like this. | Sensor and server | Windows |