
Changelog and Release Notes

Version 7.2

New features

  • Agent [B883]: new supported backend: Azure Data Explorer (ADX) (via Azure Event Hubs).
  • Application hangs (macOS) [B846]: application hangs are now detected and reported under macOS.
  • Browsers [B638]: the Chrome/Firefox browser extensions have been rewritten to fully support Manifest V3 and improve performance as well as reliability.
  • Configuration [B600, B914]: credentials can now be securely retrieved from the operating system’s credential store.
  • Dashboards [B926]: added Japanese translation of the uberAgent ESA and uberAgent UXM Splunk dashboards.
  • Machine errors (macOS) [B847]: macOS kernel panics are now detected and reported.
  • Network monitoring (macOS) [B867]: loopback traffic monitoring. Can be enabled via IgnoreLoopbackTraffic in the [NetworkTargetPerformanceProcess_Config] stanza.
  • Security & Compliance Inventory (macOS) [B817]: the SCI feature is now supported on macOS.
  • Threat Detection Engine [B889]: TDE rule customization & postprocessing via the new stanza [ThreatDetectionRuleExtension].
  • uAQL [B568]: new operators regex and regex_envvars and their case-insensitive counterparts iregex, iregex_envvars that replace the uAQL functions regex_match and regex_match_path. The new builtin operators allow uberAgent to perform optimizations when using regular expressions in uAQL.

Improvements

  • Agent (macOS): after the installation, the daemon is only started if an active configuration can be found. Configuration template files are no longer copied to the configuration directory automatically.
  • Application errors (macOS) [I1125]: crash reports are now also evaluated when automatically marked as retired.
  • Application inventory (macOS) [B554]: all installed applications on all locally mounted volumes as well as the user home directories are now reported.
  • Automatic application identification (macOS) [B700]: improved mapping for privileged helper tools and applications installed with a package manager.
  • Browsers [I597]: reduced performance impact of the browser extensions, especially for websites with many requests.
  • Central config file management [I1128]: enhanced robustness versus external tampering with the cache or its metadata.
  • Configuration [B890]: added support for multiline uAQL queries in configuration files.
  • Configuration [I1129]: new ConfigFlags setting POQTimeoutMs.
  • Machine inventory (macOS) [B719]: virtual machine detection now works on ARM-based machines.
  • Machine inventory (macOS) [B833]: uberAgent now reports warranty information.
  • Network monitoring (macOS) [I1081, I1083]: improved accuracy of the flow-specific data traffic metrics.
  • Process startup (macOS) [B820]: distinguishing between fork and exec events is now supported. It is shown on the Process Tree, Process Startup, and Application Startup dashboards.
  • Process startup and stop (macOS) [B916]: added new option EnableCdHash to support collection of the code directory hash.
  • Process stop (macOS) [B819]: the sourcetype uberAgentESA:Process:ProcessStop is now available on macOS.
  • Security Score Splunk dashboard [B872]: transferred the SCI score calculation searches to a separate index and improved overall dashboard performance.
  • Setup (Windows) [I1179]: optional Security Inventory files are now copied when deploying uberAgent on endpoints using the Splunk app uberAgent_endpoint.
  • Threat Detection Engine [B807]: the rule author is now shown on the Threat Detection Events dashboard to adhere to Sigma’s detection rule license.
  • Threat Detection Engine [B889]: added new common event property: uberAgent.Pid.
  • Threat Detection Engine (macOS) [B816]: added event properties for team id, signing id and SHA256 hash.
  • Threat Detection Engine (Windows) [I1104]: added new registry event properties Reg.EventType and Reg.TargetObject to match Sigma and Sysmon specifications.
  • uAQL [I1122]: enhanced error messaging for unreferenced variables, dynamic expressions, or functions, now specifically identifying the non-existent referenced item by name.

Bugfixes

  • Agent (Windows) [I1166]: fixed a rare agent crash while retrieving machine inventory metrics.
  • Authenticode signature verification (Windows) [I1163]: fixed an issue that caused the current time to be used instead of the signing time.
  • Authenticode signature verification (Windows) [I1173]: fixed an issue that led to an incorrect result due to caching.
  • Boot duration (Windows) [I1119]: fixed an issue leading to incorrect PostBoot calculations in specific scenarios.
  • Citrix Cloud monitoring [I1186]: fixed query to check the existence of Citrix DaaS Remote PowerShell SDK.
  • Configuration [I1181]: SCI configuration changes are now monitored and trigger an agent restart.
  • Dashboards [B820]: the startup detail table on the Application Startup and Process Startup dashboards now correctly shows process starts on macOS.
  • Dashboards [I1150]: fixed incorrect token usage and a visualization issue on the Security Score dashboard when no SCI test description was found.
  • Dashboards [I1151]: aligned the hostinfo lookup across sourcetypes in props.conf to always output the same fields.
  • Dashboards [I1174]: the Security Score dashboard only displayed a maximum of ten SCI categories. Any additional categories were merged into “OTHER”.
  • Dashboards [I1178]: the overall score calculation on the Security Score dashboard did not match historical data.
  • Dashboards [I1182]: the filter option SessionUser led to faulty panels on the Session Scores dashboard.
  • GPU (Windows) [I515]: uberAgent now reinitializes GPU metrics in case of a graphics driver update.
  • Machine inventory (macOS) [I1138]: fixed missing virtualization status of physical machines.
  • Machine inventory (macOS) [I1160]: fixed incorrect values with the BatteryWearLevelPercent metric.
  • NetScaler [I1101]: fixed a bug where closing the NetScaler connection too early resulted in no further data being collected.
  • Network monitoring (macOS) [I1082]: incoming and outgoing packet counts now both only count packets with a payload. This was previously only the case for outgoing packets.
  • Network monitoring (macOS) [I1097]: network flows with unknown transport protocols (other than TCP/UDP) are now ignored.
  • Network monitoring (macOS) [I1118]: fixed faulty calculation of TCP retransmission count in sourcetype NetworkTargetperformance.
  • Network monitoring (Windows) [I1110]: uberAgent’s network driver could slow down network transfers or freeze the system with many incoming UDP packets in high-throughput environments.
  • Process monitoring (macOS) [I1133]: the ProcCPUTimeMs and SessionCPUTimeMs metrics are now reported as a delta for the current measurement interval instead of an absolute value.
  • Process monitoring (Windows) [I1141]: ProcessTampering no longer gets disabled when Hashing and Authenticode are turned off.
  • Registry monitoring [I1142]: empty registry keys are no longer processed; previously they caused the log message “Failed to retrieve HIVE of”.
  • Custom scripts (Windows) [I1116]: scripts couldn’t be started as SYSTEM in user sessions (UserSessionAsSystem).
  • uAQL [I1113]: fixed handling of improperly bracketed expressions and arrays that previously did not generate syntax errors.
  • uAQL [I1127]: fixed a possible crash on faulty queries.

Release notes

  • Browsers (Windows) [I1194]: the Chrome extension doesn’t work properly due to an error in the uAInSessionHelperChrome.json file (located in %PROGRAMFILES%\vast limits\uberAgent). To fix this issue, add a slash (/) at the end of the chrome-extension value. The correct value is: chrome-extension://jghgedlkcoafeakcaepncnlanjkbinpb/.
  • Dashboards [B924]: removed the deprecated dashboard Session Info:VMware in uberAgent UXM.
  • Libraries [B919]: updated third-party libraries to the following: Boost 1.84, {fmt} 10.2.1, JSON for Modern C++ 3.11.3, libcurl 8.5.0 (Windows).
  • NetScaler [B877]: renamed the Citrix ADC dashboards to NetScaler.
  • Setup (Windows) [I1171]: updated WiX Toolset to version 3.14.1.
  • Sourcetype (macOS) [B820]: uberAgent:Process:ProcessStartup has a new field: StartupEventSource.
  • Sourcetype (macOS) [B833]: uberAgent:System:MachineInventory has a new field: CoverageEndDate.
  • Sourcetype (macOS) [B916]: uberAgent:Process:ProcessStartup has a new field: CdHash.
  • Sourcetype (macOS) [B916]: uberAgentESA:Process:ProcessStop has a new field: CdHash.
  • Sourcetype (macOS) [B847]: new sourcetype uberAgent:System:MacOsErrors with fields: KernelBugType, KernelBuild, KernelCrashReporterKey, KernelErrorType, KernelIncident, KernelPanicFlags, KernelPanicString, KernelProduct, KernelVersion.
  • Splunk CIM [I1101]: changed the method from EXTRACT to EVAL for the fields src_nt_domain and user in the Authentication data model to work around a Splunk bug.
  • Splunk CIM [I1101]: the Authentication data model has new field(s): dest.
  • Splunk CIM [I1101]: the Inventory data model has new field(s): cpu_mhz, cpu_cores, cpu_count, status.
  • Splunk CIM [I1101]: the Network Traffic data model has new field(s): user.
  • Splunk CIM [I1101]: the Updates data model has new field(s): dvc, file_name, status, vendor_product.
  • Splunk data models [B872]: added the uberAgent ESA data model uberAgentESA_Score with the dataset uberAgentESA_Score_SCI.
  • Splunk data models [I1182]: added the field SessionUser to uberAgent UXM data set uberAgentUXM_Score.
  • Splunk index [B872]: added a new index score_uberagent_esa for security score calculations in uberAgent ESA. This index can be deleted if uberAgent ESA is not used.
  • Threat Detection Engine [B889]: renamed the stanzas [ActivityMonitoringRule], [ActivityMonitoringRule_Filter], [AddActivityMonitoringExpression] to [ThreatDetectionRule], [ThreatDetectionRule_Filter], [AddThreatDetectionExpression], respectively. The previous names are still supported, but deprecated from now on.
  • Threat Detection Engine (Windows) [I1104]: changed data type of Reg.Value.Data to string to simplify query rules using registry values.
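The Browsers (Windows) [I1194] item above asks the administrator to hand-edit uAInSessionHelperChrome.json and append a slash to the chrome-extension value. The following script is an added example and not part of uberAgent or the original release note; it applies that fix programmatically, checks the result before writing, and is safe to run twice. It assumes the file is a Chrome native messaging host manifest whose origins live under the standard "allowed_origins" key (the key name and the sample manifest below are assumptions; only the extension ID and the corrected value are taken from the release note).

```python
import json
from pathlib import Path

# Extension ID and corrected origin as quoted in the 7.2 release note.
EXTENSION_ID = "jghgedlkcoafeakcaepncnlanjkbinpb"
CORRECT_ORIGIN = f"chrome-extension://{EXTENSION_ID}/"

# Constructed sample of a broken manifest (not copied from an installation).
# "allowed_origins" is assumed to be the key used, because that is the key
# Chrome's native messaging host manifest format defines for this list.
SAMPLE_BROKEN_MANIFEST = json.dumps({
    "name": "com.example.uainsessionhelper",      # placeholder host name
    "description": "uberAgent in-session helper",  # placeholder text
    "path": "placeholder-host.exe",                # placeholder path
    "type": "stdio",
    "allowed_origins": [f"chrome-extension://{EXTENSION_ID}"],  # slash missing
}, indent=2)


def fix_origins(manifest: dict) -> list:
    """Append the missing trailing slash to every chrome-extension:// origin.

    Mutates the manifest in place and returns the entries that were changed,
    so a caller can tell whether the file actually needs rewriting.
    """
    origins = manifest.get("allowed_origins", [])
    if not isinstance(origins, list):
        raise ValueError("allowed_origins must be a JSON array")
    changed = []
    for i, origin in enumerate(origins):
        if origin.startswith("chrome-extension://") and not origin.endswith("/"):
            origins[i] = origin + "/"
            changed.append(origin)
    return changed


def fix_manifest_text(text: str):
    """Parse manifest JSON text and return (fixed_text, changed_entries)."""
    manifest = json.loads(text)
    changed = fix_origins(manifest)
    return json.dumps(manifest, indent=2) + "\n", changed


def fix_manifest_file(path: Path) -> list:
    """Rewrite the manifest on disk only when a fix was actually needed."""
    fixed_text, changed = fix_manifest_text(path.read_text(encoding="utf-8"))
    if changed:
        path.write_text(fixed_text, encoding="utf-8")
    return changed


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python fix_manifest.py "C:\Program Files\vast limits\uberAgent\uAInSessionHelperChrome.json"
        print("changed:", fix_manifest_file(Path(sys.argv[1])))
    else:
        fixed_text, changed = fix_manifest_text(SAMPLE_BROKEN_MANIFEST)
        print(fixed_text)
        print("changed:", changed)
```

Without an argument the script runs against the constructed sample and prints the corrected manifest; with a path it edits the real file in place, touching it only if an origin was actually missing its slash. Verify the result afterwards by confirming the allowed_origins entry reads exactly chrome-extension://jghgedlkcoafeakcaepncnlanjkbinpb/ as stated in the release note.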

Known issues

  • Agent (Windows) [I1154]: under heavy load the following message may be logged: “CheckEventRecord,Events were lost. This may affect uberAgent’s per-process disk, network, or UI-responsiveness metrics”.
  • Agent (Windows) [I1157]: under Windows 7/8, the user logoff is recognized too late, which leads to too many metrics being determined during this time.
  • Browsers [I1085]: on systems with many user sessions the URL of the foreground tab might not match the browser’s window title.