Skip to main content

vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at


uberAgent 6.2: Persistent Output Queue, Process Tampering Detection

  • by Helge Klein
  • November 17, 2021

We are happy to announce the newest version of our user experience monitoring & endpoint security analytics product. uberAgent 6.2 introduces the persistent output queue, which guarantees that no events are lost in transit, and comes with a ton of improvements for UXM and ESA.

For a full list of changes, please consult the release notes. As always, upgrading is highly recommended (instructions).

uberAgent UXM

Persistent Output Queue (Disk Buffering)

uberAgent’s persistent output queue (POQ) buffers the generated events on the endpoint’s disk before the agent attempts to send them to the backend. Only when an event has been delivered successfully is it removed from the POQ’s buffer.

The persistent output queue ensures that no data is lost even in situations where the backend is unavailable for prolonged periods of time. The most important use case for the POQ is with laptops.

On mobile devices, uberAgent was traditionally coupled with Splunk’s Universal Forwarder due to UF’s persistent queue functionality. With uberAgent’s new built-in persistent output queue, it’s not necessary anymore to deploy Universal Forwarder just for its disk buffering feature.

See this blog post for details on the persistent output queue.

Citrix Cloud Monitoring

Introduced with uberAgent 6.1, Citrix Cloud monitoring is uberAgent’s capability to monitor the Citrix Virtual Apps and Desktops (CVAD) control plane in Citrix Cloud (announcement). Since the original release, we’ve been hard at work improving the speed and reliability of the queries to Citrix Cloud. The result is a fast and resilient Citrix Cloud connection that supports the latest API changes introduced by Citrix (e.g., pagination).

uberAgent ESA

Detection of Process Tampering & Remote Thread Creation

uberAgent ESA now detects remote thread creation (a form of code injection) and multiple process tampering techniques (process hollowing, herpaderping, doppelganging). All the relevant event properties are available via the Threat Detection Engine. See this blog post for details.

Splunk Enterprise Security

While uberAgent had CIM support for a long time, we have extended the integration greatly with uberAgent 6.2. If you are used to working with Sysmon data in ES, you will notice no difference when switching to uberAgent. uberAgent supports all CIM fields populated by popular Sysmon add-ons found in Splunkbase, and more!

See this blog post for details on uberAgent’s Splunk Enterprise Security integration.


uberAgent’s macOS agent has learned many new tricks, including:

  • Application crash reporting.
  • Network monitoring now includes the remote (target) name in addition to the IP address.
  • DNS query monitoring.
  • Improved detection of SSH sessions.


uberAgent 6.2 comes with dozens of additional improvements and fixes, e.g.:

  • The converted Sigma ruleset has been updated and now supports more categories.
  • Authenticode signature verification improvements.
  • Further optimized the network monitoring driver for even higher throughput.

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.


Your email address will not be published. Required fields are marked *