uberAgent 7.1: Security Score, Boot & File System Monitoring, Central Configuration

We are happy to announce the newest version of our digital employee experience monitoring & endpoint security analytics product. uberAgent 7.1 is chock-full of innovative new features, both for uberAgent UXM and for uberAgent ESA. Whether you’re into Windows/macOS security or application/endpoint management, this release is exciting for you!

For a full list of changes, please consult the release notes. As always, upgrading is highly recommended (instructions).

Core Features

The following features have been added to the core of uberAgent. They’re available both to users of uberAgent UXM and uberAgent ESA.

Central Config File Management

Central Config File Management (CCFM) combines the benefits of local config files with the advantages of Group Policy. It obviates the need for a deployment tool while easily supporting even large numbers of configuration files and frequent updates.

CCFM does this through an agent-based pull mechanism. This mechanism has been cleverly designed to offer the flexibility and scalability expected by our enterprise customers. CCFM even comes with built-in reporting and monitoring capabilities so that you can always be sure that endpoints are applying precisely the configuration set they’re supposed to.

See this blog post for details on Central Config File Management.

Native Support for Windows on Arm

The full functionality of uberAgent UXM and uberAgent ESA are now natively available on Windows on Arm. uberAgent’s binaries have been specifically compiled for the Arm platform. This includes uberAgent’s kernel drivers, of course. There is no software emulation necessary when running uberAgent on Arm.

See this blog post for details on support for Windows on Arm.

uberAgent UXM

Windows Boot Performance Monitoring Refresh

uberAgent has always had excellent boot performance monitoring. With this feature refresh, we’re upgrading and aligning the boot performance monitoring algorithm, making it compatible with the reference implementation in the Windows Assessment Toolkit. This means that uberAgent’s measurements can be compared with the numbers you got from the official Microsoft tools – which are, by the way, geared toward analyzing individual machines. In contrast, uberAgent’s strength is the monitoring of your entire fleet of PCs.

See this blog post for details on the Windows boot performance monitoring refresh.

User Input Delay & Application Responsiveness

uberAgent now collects user input delay metrics. This further improves uberAgent’s digital employee experience (DEX) rating capabilities. As an integral component of DEX, user input delay has been added to uberAgent’s experience score calculations, making the score an even more precise and relevant metric to gauge end-user experience.

See this blog post for details on user input delay & application responsiveness.

uberAgent ESA

Endpoint Security Testing & Rating With Security & Compliance Inventory

uberAgent Security & Compliance Inventory (SCI) is a testing and rating framework that checks the attack surface of your operating systems and applications. The test results are used to calculate security scores that pinpoint configuration and security hardening weaknesses. uberAgent comes with a comprehensive suite of SCI tests that cover a broad range of attack scenarios, including, but not limited to, man-in-the-middle attacks, PowerShell abuse, lateral movement, and passwordless login.

See this blog post for details on Security & Compliance Inventory.

File System Activity Monitoring

File system activity monitoring is uberAgent ESA’s new capability to detect changes to objects in the file system. The monitored object types include files, of course, but also named pipes. Use cases for file system activity monitoring include detecting a download, detecting persistence, and detecting the destruction of forensic evidence.

See this blog post for details on file system activity monitoring.

DNS Exfiltration & Tunneling Detection

uberAgent ESA 7.1 brings agent-based DNS risk calculation and a new dashboard focused on the detection of malicious DNS activity.

DNS exfiltration and tunneling are very dangerous even though they’re not new. DNS exfiltration techniques use the DNS protocol to funnel a data payload from a victim machine in a corporate network to an internet host controlled by the attacker. DNS tunneling, on the other hand, is a more generic term that not only applies to data exfiltration but also to command and control (C&C/C2).

See this blog post for details on DNS exfiltration & tunneling detection.

macOS

The macOS version of uberAgent’s endpoint agent has learned many new tricks, including:

• Custom script execution: have uberAgent run your own scripts and collect their output.
• Threat Detection Engine: this is one of ESA’s core features that is now fully supported on macOS, too.
• Process statistics metrics: open file descriptor count, thread count, priority and page faults.
• Active browser tab: track which tab the user is interacting with.

Miscellaneous

uberAgent 7.1 comes with a ton of additional improvements and fixes, e.g.:

• New ESA dashboards for monitoring changes to root certificates and Windows services.
• The data written to the Windows registry is now available in TDE rules.
• Improved uAQL execution performance with a new bytecode interpreter.
• New TDE event type for tracking driver loads.
• WMI queries are now faster and require fewer resources.
• Faster determination of GPU usage metrics.
• Loopback traffic can now optionally be collected by uberAgent’s network monitoring, too.
• The date of the first clean OS installation is now collected in addition to the date of the current OS installation.
• Multi-monitor setups are now handled correctly in Citrix session monitoring.
• Further improved agent performance, reliability, and security.