uberAgent 6.0 Beta 2: Registry Monitoring, PE Hashing, Query Language, macOS Beta
This is the second and last beta step on the road to our most important version ever. In a nutshell: uberAgent 6 adds a new product, supports a new platform, and brings exciting new capabilities.
We have used the time since uberAgent 6.0 beta 1 well. The changelog lists a slew of new features, improvements and bugfixes. Let’s take a look at the most important bits.
This is what I’m personally most excited about. With the new ESA security analytics product, we have fantastic data from all corners of the OS. uAQL is what binds it all together: a powerful yet lightweight query language that lets you specify which type of behavior you’re interested in. uberAgent ESA Activity Monitoring (AM) will flag the corresponding events, highlighting suspicious or risky activity. uAQL queries are the heart of the uberAgent ESA AM ruleset, a comprehensive set of queries for many of the most common attack vectors.
But it does not stop there. In addition to curating vast limits vendor rules, we provide access to the Sigma project’s signature repository through a converter. This makes it possible to enable hundreds of additional detection rules simply by including another configuration file.
On Windows, the registry is still by far the most important settings storage provider for applications and the operating system. uberAgent’s new registry monitoring capability extends ESA’s visibility to the registry, allowing ESA Activity Monitoring rules to cover all kinds of registry events, including changes to a key’s security descriptor.
The ability to accurately identify specific process images is key to any endpoint security product. uberAgent ESA now calculates hashes of all executables (EXE, DLL, etc.) loaded into memory. Customers can choose between four different hash types: SHA-1, SHA-256, MD5, and ImpHash. PE hashes can be used within uAQL queries (and therefore ESA Activity Monitoring rules) along with dozens of other process properties – all of which are available in Splunk, too, of course, uberAgent’s preferred SIEM backend.
The list of things that have been improved or fixed is a long one (see the changelog). We’ll just highlight a select few of them here.
Certain aspects of uberAgent’s functionality can now be altered with the new
ConfigFlags configuration setting. Cisco AnyConnect VPN adapters, for example, were not detected correctly because they presented themselves not as VPN but as Ethernet adapters to the OS. The new config flag
NoGatewayCheck can be used to adjust uberAgent’s detection algorithm.
Although both uberAgent and Splunk HTTP Event Collector (HEC) always supported HTTP/1.1 persistent connections, customers observed that the connection count was higher than it should be. It turned out that Splunk HEC falls back to HTTP/1.0 (which does not support persistent connections) if the client does not send a user agent string. uberAgent now does, which should significantly reduce the load on load balancers or Splunk HTTP Event Collectors.
Our work on the macOS version of uberAgent is progressing well. So well, in fact, that we’re switching the “preview” label for “beta”. In other words: we consider the updated macOS agent that ships with uberAgent 6.0 beta 2 beta-grade stable. We hope to be able to further upgrade the label from “beta” to “release” soon. Please bear in mind that this does not mean that the macOS agent is feature-complete. It will take a while to reach feature-parity with the Windows agent.
This is one of the hidden gems of uberAgent: the ability to automatically determine which application a running process is a part of. This is no small feat and all the more remarkable because operating systems don’t care about applications. All their APIs are geared towards processes. The fact that multiple processes form a logical entity humans like to call “application” is mostly being ignored by the OS.
With this release, we’re bringing automatic application identification to macOS. Just as you’d expect, it “just works” out of the box, grouping together even processes working together via XPC, like Safari, for example.
uberAgent is an innovative Windows and macOS user experience monitoring and endpoint security analytics product. Its highlights include detailed information about boot and logon duration (showing why and when boots/logons are slow), application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance per website and remoting protocol insights.
vast limits GmbH is the company behind uberAgent, the innovative user experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.