Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at


uberAgent 6.0 Beta 2: Registry Monitoring, PE Hashing, Query Language, macOS Beta

  • by Helge Klein
  • August 27, 2020

This is the second and last beta step on the road to our most important version ever. In a nutshell: uberAgent 6 adds a new product, supports a new platform, and brings exciting new capabilities.

We have used the time since uberAgent 6.0 beta 1 well. The changelog lists a slew of new features, improvements and bug fixes. Let’s take a look at the most important bits.

ESA: uAQL – uberAgent Query Language

This is what I’m personally most excited about. With the new ESA security analytics product, we have fantastic data from all corners of the OS. uAQL is what binds it all together: a powerful yet lightweight query language that lets you specify which type of behavior you’re interested in. uberAgent ESA Threat Detection Engine (TDE) will flag the corresponding events, highlighting suspicious or risky activity. uAQL queries are the heart of the uberAgent ESA TDE ruleset, a comprehensive set of queries for many of the most common attack vectors.

vast limits Rules & Sigma Signatures

But it does not stop there. In addition to curating vast limits vendor rules, we provide access to the Sigma project’s signature repository through a converter. This makes it possible to enable hundreds of additional detection rules simply by including another configuration file.

ESA: Registry Monitoring

On Windows, the registry is still by far the most important settings storage provider for applications and the operating system. uberAgent’s new registry monitoring capability extends ESA’s visibility to the registry, allowing ESA Threat Detection rules to cover all kinds of registry events, including changes to a key’s security descriptor.

ESA: PE Hashing

The ability to accurately identify specific process images is key to any endpoint security product. uberAgent ESA now calculates hashes of all executables (EXE, DLL, etc.) loaded into memory. Customers can choose between four different hash types: SHA-1, SHA-256, MD5, and ImpHash. PE hashes can be used within uAQL queries (and therefore ESA Threat Detection rules) along with dozens of other process properties – all of which are available in Splunk, too, of course, uberAgent’s preferred SIEM backend.

UXM: Improvements and Bugfixes

The list of things that have been improved or fixed is a long one (see the changelog). We’ll just highlight a select few of them here.

Config Flags

Certain aspects of uberAgent’s functionality can now be altered with the new ConfigFlags configuration setting. Cisco AnyConnect VPN adapters, for example, were not detected correctly because they presented themselves not as VPN but as Ethernet adapters to the OS. The new config flag NoGatewayCheck can be used to adjust uberAgent’s detection algorithm.

Splunk HEC Connection Count

Although both uberAgent and Splunk HTTP Event Collector (HEC) always supported HTTP/1.1 persistent connections, customers observed that the connection count was higher than it should be. It turned out that Splunk HEC falls back to HTTP/1.0 (which does not support persistent connections) if the client does not send a user agent string. uberAgent now does, which should significantly reduce the load on load balancers or Splunk HTTP Event Collectors.

UXM: macOS Beta

Our work on the macOS version of uberAgent is progressing well. So well, in fact, that we’re switching the “preview” label for “beta”. In other words: we consider the updated macOS agent that ships with uberAgent 6.0 beta 2 beta-grade stable. We hope to be able to further upgrade the label from “beta” to “release” soon. Please bear in mind that this does not mean that the macOS agent is feature-complete. It will take a while to reach feature parity with the Windows agent.

Automatic Application Identification

This is one of the hidden gems of uberAgent: the ability to automatically determine which application a running process is a part of. This is no small feat and all the more remarkable because operating systems don’t care about applications. All their APIs are geared towards processes. The fact that multiple processes form a logical entity humans like to call “application” is mostly being ignored by the OS.

With this release, we’re bringing automatic application identification to macOS. Just as you’d expect, it “just works” out of the box, grouping together even processes working together via XPC, like Safari, for example.


Download uberAgent 6.0 beta 2 here.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.


Your email address will not be published. Required fields are marked *