
vast limits GmbH and uberAgent are now part of Citrix, a business unit of Cloud Software Group. Learn more at Citrix.com.


This documentation does not apply to the most recent version of uberAgent. Click here for the latest version.

Changelog and Release Notes

Version 7.1

New features

  • Agent core [I941]: fixed a possible crash of the service/daemon that could occur when MemoryStatistics were logged.
  • Application names (macOS) [B709]: application name extraction via class name or filename of a Java command line is now supported on macOS, too.
  • Browsers (macOS) [I895]: the fields SessionFgBrowserType and SessionFgBrowserActiveTabHost of the Sourcetype SessionDetail are now available on macOS.
  • Custom scripts (macOS) [B739]: the execution of user-defined scripts is now available on macOS.
  • DNS exfiltration and tunneling [B766]: new Splunk dashboard and agent categorization of DNS queries focused on detecting DNS abuse.
  • File system monitoring [B341]: uberAgent now monitors file system activity via its Threat Detection Engine, too.
  • Network monitoring (Windows) [B864]: the configuration stanza [NetworkTargetPerformanceProcess_Config] now has a new setting IgnoreLoopbackTraffic.
  • Process statistics (macOS) [B518]: uberAgent now collects additional process information: open file descriptor count, thread count, priority and page faults.
  • Root Certificates Dashboard [B813]: new dashboard with a focus on root certificates.
  • Security & Compliance Inventory [B640]: endpoints are now regularly checked for common security issues. The new Security Overview dashboard provides an entry point with ratings and drilldowns.
  • Security Score dashboard [B546]: new dashboard that visualizes security scores calculated by the events from uberAgent ESA’s two primary data sources, Security & Compliance Inventory and Threat Detection Engine.
  • Threat Detection Engine (macOS) [B738]: the macOS agent now supports the ESA Threat Detection Engine, too.
  • Threat Detection Engine (Windows) [B834]: added new event type: Image.DriverLoad with the same properties as Image.Load.
  • User input delay (Windows) [B287]: uberAgent now measures the user input delay per process and session.
  • Windows Services Dashboard [B813]: new dashboard with a focus on Windows services.

Improvements

  • Agent [I767]: the maximum number of events per send operation can now be limited per receiver.
  • Boot duration (Windows) [B63,B751]: the algorithm for capturing boot details has been aligned with the current Microsoft specification. In addition, uberAgent now reports user login screen wait time.
  • Citrix ADC [B819]: dashboards now display Mbps instead of MB for data throughput.
  • Citrix session monitoring (Windows) [I797, I880]: multi-monitor environments are now handled correctly.
  • Daemon (macOS) [B735]: added mechanism for preventing multiple running uberAgent instances.
  • Daemon (macOS) [B871]: improved security of communication between uberAgent and its helpers.
  • Dashboards [B287]: new dashboards Session Input Delay, Application Input Delay, Process Input Delay.
  • Dashboards [B287]: added input delay metrics to the Single Application Performance and the Analyze Data Over Time dashboards.
  • Dashboards [B514]: the Shutdown Delays dashboard now shows the affected hosts.
  • Dashboards [B799]: drilldowns to other dashboards are now always opened in new tabs.
  • Dashboards [B858]: processes missing the AppId/AppName fields now get automatically assigned Unknwn/Unknown.
  • Experience score [B287]: added input delay scores to the Experience Score Overview, Session Scores, and Application Scores dashboards.
  • Experience score [B849]: added rating switch. You can now decide whether you want to evaluate the individual scores according to the daily average or the lowest value.
  • Logging (Windows) [I733]: removed unnecessarily logged messages if it is impossible to determine a Remote Desktop client IP.
  • Logon monitoring (Windows) [I872]: ShellAppRuntime.exe is now processed correctly when started as part of the logon script.
  • Machine inventory (macOS) [B742]: field BaseboardSerial is now collected on macOS.
  • Machine inventory (macOS) [B758]: field OsInstallDate is now collected on macOS.
  • Machine inventory [B761]: a new field OsInstallDateOriginal (date of the first clean OS installation) is now collected in addition to OsInstallDate (date of the current OS installation).
  • Performance counters [I792]: localized wildcard performance counters are now translated back to English.
  • Performance counters [I991]: external exceptions are now captured so that they do not crash uberAgent.
  • Performance summary (macOS) [B518]: the field HandleCount now returns the full open file descriptor count for the process, consistent with the output of the ‘lsof’ system utility.
  • Performance summary (macOS) [B754]: the I/O statistics are now calculated more accurately.
  • Process startup (macOS) [B737]: field IsSignedByOSVendor is now collected on macOS.
  • Service (Windows) [B63]: new ConfigFlags setting BootDetailTimeoutMinutes.
  • Service (Windows) [B625]: improved determination of information about processes started earlier than uberAgent.
  • Service (Windows) [B553]: string registry value data is collected as part of Reg.Key.Write events.
  • Service (Windows) [I833]: improved determination of the logon start time.
  • Service (Windows) [I850]: faster determination of GPU usage metrics (on Windows 10 1809 or newer).
  • Service (Windows) [I873]: new timer setting ScriptTimeout.
  • Service (Windows) [B386]: faster determination of WMI values and new configurable provider setting.
  • Service (Windows) [I999]: ignore empty [Receiver] stanza in configuration.
  • Service (Windows) [I1002]: improved service shutdown behavior.
  • Service (Windows) [I1030]: do not change permissions on the persistent output queue directory defined in the configuration option PersistentOutputQueuePathWindows/PersistentOutputQueuePathMacOS at every agent start as the default location is already secured by the installer.
  • Setup (Windows) [B283]: restart on failure service options are now configured.
  • Threat Detection Engine [B823]: the maximum risk score for a rule is now limited to 100 to avoid dashboard corruption.
  • uAQL [B683]: improved the uAQL execution performance with a new bytecode interpreter.

Bugfixes

  • Application name overriding (macOS) [I894]: fixed dysfunctional application name overriding for expressions containing the binary’s name.
  • Authenticode signature verification (Windows) [I801]: fixed an issue where only signed binaries were provided to the Threat Detection Engine.
  • Authenticode signature verification (Windows) [I802]: fixed an issue where only embedded certificates were checked and the catalog was not searched.
  • Authenticode signature verification (Windows) [I1009]: the hash is now built even if the PE header is corrupted.
  • Automatic application identification (macOS) [I982]: improved logging for privileged helper tools.
  • Browser/Chrome & Firefox add-on [I897, I904]: fixed empty SessionFgBrowserActiveTabHost field when using multiple browser profiles.
  • CitrixADC [I828]: the characters <, >, &, and ' could not be used in passwords because of a flaw in PowerShell’s ConvertTo-Json command.
  • CitrixADC [I939]: no data is sent to the backend if one of the configured servers is unavailable.
  • CitrixADC [I965]: no system performance data was sent when SSL sessions with TLS 1.3 were present.
  • Citrix site monitoring (Windows) [I1019]: the dashboard Citrix Virtual Apps and Desktops Databases did not handle multiple database servers/instances per site correctly.
  • Configuration [B825]: invalid negative values are now handled correctly.
  • Daemon (macOS) [I981]: fixed a rare race condition during the daemon’s startup that could falsely detect the occurrence of pid wrapping.
  • Daemon (macOS) [I1024]: the ProcCPUPercent metric is now reported using a more accurate calculation. The ProcCPUTimeMs now reports the full processor time that the process has used during its lifetime instead of just the difference between measurement intervals.
  • Daemon (macOS) [I1026]: timer scheduling did not account for the sleep time of the system so that timer execution could be delayed if the system was asleep.
  • Dashboards [I790]: fixed wrong calculation on the Process DNS dashboard in the chart DNS packet size distribution.
  • Dashboards [I812]: adjusted a limit option in the Network Communication dashboards, to make sure all connections are displayed as part of the drilldown.
  • Dashboards [I795]: fix empty charts on the Process performance and Application performance dashboards.
  • Dashboards [I866]: fix wrong description on the Shutdown duration dashboard.
  • Dashboards [I868]: removed wrong drilldowns on the Browser Web App Usage dashboard.
  • DNS query monitoring [I810]: queries for non-existent records or queries returning errors were ignored.
  • DNS query monitoring [I855]: empty queries that caused an OS error are now ignored and not sent to the backends.
  • Experience Score [I827]: calculation of thresholds and weights of the network score were wrong for machines and applications.
  • Experience Score [I887]: fixed incorrect field name in application score calculation.
  • Invalid UTF-8 start byte (macOS) [I885]: fixed an error that sometimes appeared on the Kafka and/or Elastic backends regarding the encoding of the JSON message from uberAgent.
  • License Information (macOS) [I919]: fixed missing ESA license information in the backends for source type uberagent:License:LicenseInfo.
  • Logging (macOS) [I853]: removed an unnecessary warning about the failure to determine the IPv6 address if the system only had link-local or no addresses configured.
  • Logging (macOS) [I883]: fix broken mechanism for rotation of log files.
  • Logon monitoring (Windows) [I844]: in environments with Ivanti Workspace Control and a custom shell, the logon end was not detected.
  • Machine inventory (macOS) [I892]: removed a misleading warning regarding EDID versions.
  • Network monitoring (Windows) [I815]: fixed missing network metrics after waking up a machine from standby.
  • Network monitoring (Windows) [I815]: fixed rare circumstance of missing network metrics after network interrupts or connection losses.
  • Network monitoring (Windows) [I815]: new ConfigFlag: NetworkDriverMaximumConnectionLimit to limit the maximum number of concurrent monitored network connections.
  • Process names (macOS) [B784]: fix process name truncation which might have happened in some cases.
  • Process names (macOS) [I804]: in some very rare cases the name of a parent process might not be correct for processes which started immediately before uberAgent.
  • Service (Windows) [I587]: in some rare cases the registry-monitoring thread would be terminated prematurely.
  • Service (Windows) [I779]: fixed a possible crash of the service that could occur when a session had a logon timeout.
  • Service (Windows) [I811]: a trailing slash in the %TEMP% environment variable caused 100% CPU load on one core.
  • Service (Windows) [I822]: fixed an issue that could cause a longer shutdown period under certain circumstances when Citrix metrics were on.
  • Service (Windows) [I835]: remove confusing log message on x86 systems when Bugcheck parameters were retrieved.
  • Service (Windows) [I836]: fixed retrieving of the process ID from the Application Error Event Log (event ID 1000) on Windows 11.
  • Service (Windows) [I1008]: fixed retrieving of the process version, process id, and process start time from the Application Hang Event Log (event ID 1002) on Windows 11.
  • Service (Windows) [I858]: fixed an issue where LogFileCount was not honored for uberAgentConfiguration logs.
  • Service (Windows) [I861]: user tags are sent to the receivers defined in the OnDemand section instead of to the receivers of the timer.
  • Service (Windows) [I782]: fixed crash in uAInSessionHelper on systems under heavy load.
  • Service (Windows) [I799]: remove all orphaned temporary files at service start.
  • Service (Windows) [I873]: new ConfigFlag: InternalScriptTimeoutMs to limit the maximum time of an internal/hard-coded script.
  • Service (Windows) [I881]: fixed missing Citrix HDX virtual channel metric on Windows 7.
  • Service (Windows) [I935]: fixed a memory leak when saving an internal Citrix DC/ADC PowerShell script temporarily on the local disk.
  • Service (Windows) [I944]: in very rare cases, the window title of an already stopped process is determined.
  • Service (Windows) [I889]: fixed rare deadlock during service shutdown.
  • Service (Windows) [I1013]: fixed persistent timers sliding (running at a later point in time than their interval would suggest) after sleep or hibernate mode.
  • Service (Windows) [I1021]: fixed rare deadlock of two internal lists during EVT processing. The deadlock results in no more data being sent to the backend.
  • Service (Windows) [I1028]: in rare cases AD attribute determination crashes the agent during an agent shutdown.
  • Service (Windows) [I1049]: in rare cases performance counter determination stopped working in case of a timeout during data determination.
  • Setup (Windows) [I1050]: do not delete the %ProgramData%\vast directory\uberAgent\Configuration directory if uberAgent is already installed and another silent installation is performed via command line.
  • Shutdown of uberAgent (macOS) [I876]: fixed an unlikely case of a broken shutdown procedure if the log file is inaccessible.
  • Splunk [I826]: fixed outdated values in lookup_hostinfo.
  • Splunk data model [I796]: fixed incorrect calculation of the field CatalogId in the data model uberAgentUXM_Citrix.
  • System time change resilience (Windows) [I857]: fixed logging of time change events on Windows 11.
  • Tagging (Windows) [I900, I911]: user tags were not determined if the session ID was reused.

Release notes

  • Config file monitoring and agent auto restart [B408]: updated configurations are applied automatically by restarting the agent.
  • Dashboards [B766]: replaced the Process DNS Splunk dashboard with the new DNS Exfiltration and Tunneling.
  • Dashboards [B518]: moved the ProcPriorityDisplayName determination from a lookup to the data model. This is necessary to be able to map process priorities of Windows and macOS in one sourcetype.
  • Dashboards [B856]: updated the Splunk SDK for Python to version 1.7.4.
  • Sourcetype [B287]: uberAgent:Process:ProcessStatistics has new field(s): ProcInputDelayMaxMs, ProcInputDelaySumMs and ProcInputDelayCount.
  • Sourcetype [B287]: uberAgent:Session:SessionDetail has new field(s): SessionInputDelayMaxMs, SessionInputDelaySumMs and SessionInputDelayCount.
  • Sourcetype [B751]: uberAgent:OnOffTransition:BootDetail2 has new field(s): UserLogonWaitDurationMs.
  • Sourcetype [B766]: uberAgentESA:Process:DnsQuery has new field(s): DnsRisk52Chars, DnsRisk27UniqueChars, DnsRiskEmptyResponse, DnsRiskTXTRecord, DnsRiskHighEntropy, DnsResponseStatus.
  • Splunk data models [B546]: added the uberAgent ESA data model uberAgentESA_System_SecurityInventory. Data model acceleration is turned off. Otherwise, longer field contents may be truncated.
  • macOS OS versions [B760]: starting with this release, macOS 10.15 Catalina is no longer supported by uberAgent. The oldest supported version is now macOS 11.0 Big Sur.
  • Threat Detection Engine [B823]: rules now have a fixed valid range of 0-100 (integer) for the risk score. Rules with a risk score outside this range are considered invalid and are ignored.
  • Threat Detection Engine [B860]: renamed the ESA feature Activity Monitoring [Engine] to Threat Detection [Engine].

Known issues

  • Boot duration (Windows): the metrics TotalBootTimeMs, MainPathBootTimeMs and PostBootTimeMs cannot be determined for every system boot.
  • Browsers/IE add-on (Windows): metrics are not collected on page reload.
  • Browsers/IE add-on (Windows): metrics are collected incompletely for the configured start page.
  • Browsers/IE add-on (Windows): monitoring does not work if IE is published from Citrix Virtual Apps. It does work from Citrix Virtual Desktops, however.
  • Browsers/Firefox add-on: if the option privacy.resistFingerprinting is set to true, browser metrics are not available due to invalid data being sent from Firefox.
  • Citrix ADC: in very rare cases, the content of the Virtual Server Performance field vServerName contains spaces in wrong places.
  • Citrix site monitoring (Windows): data collection issue if the Citrix Remote Powershell SDK (required for Citrix Cloud monitoring) is installed on a CVAD controller.
  • Citrix XA/XD Machines (Windows): when running the Citrix VDA on a Citrix Delivery Controller, some per-machine information is missing.
  • Experience score [I377]: scheduled searches generate three warnings in Splunk’s _internal index every 30 minutes. The messages look like the following: DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event.. However, there is no impact on uberAgent’s functionality.
  • GPU (Windows) [I33]: values for the fields ComputeUsagePercentAllEngines, ComputeUsagePercentEngine0 and similar can be higher than 100 with Intel Iris GPUs on Windows Server 2016 1607.
  • Kafka [I291]: in rare cases sending data to Kafka results in a SEC_E_BUFFER_TOO_SMALL error message in the logfile. This should have no effect; the transmission is repeated and succeeds on the second try.
  • Network monitoring (Windows) [I815]: network metrics may be missing: 1) after resuming from a low-power state (e.g., suspend), or 2) after certain disastrous network events such as a crash of the default gateway.
  • Network monitoring (Windows) [I998]: in rare cases the determination of NetUtilizationPercent can lead to higher CPU load on Windows 7 x64.
  • Single Boot [I1052]: currently, under Windows 11, no information can be retrieved if there is no active session within the data collection period.
  • Update inventory (Windows): not all installed Windows updates may be reported due to API limitations.
  • UserInputDelay (Windows): can lead to a handle leak by Windows on Windows Server 2022 systems.
  • Volume inventory (macOS): the encryption status of mounted read-only APFS snapshots may not be reported due to API limitations. This includes the root directory volume in a default installation of macOS.
