
Release Notes Incident Response (Version 3.1.0)

From Tanium Knowledge Base

Thank you for choosing Tanium. This document describes the changes between releases of Tanium Incident Response.

Tanium Incident Response 3.1.0

Release Date June 23, 2016

Incident Response Official Version 3.1.0.0025

IR Gatherer Official Version 3.1.0.0006

Features

  • Process Execution
Sensors that spawn external processes were rewritten to use a new utility for safe process execution. The utility, TaniumExecWrapper.exe, ensures all processes are spawned and killed safely and within a given timeout period.

New Sensors

  • Service Module Details with Hash
Provides details about running services, including the path to the service executable (if it is a stand-alone service), the module (DLL) path, and the loaded modules if the service implements a COM application, along with a configurable hash value of the service module.

IR Gatherer Improvements

  • Updated memory collection utility, winpmem

Minor Enhancements and Bug Fixes

  • Safety checks were added to sensors calling handle.exe to first check for the presence of Symantec Endpoint Encryption (SEE) and quit if it is found. In certain situations, the interaction between these utilities could cause stability issues on a system.
  • Consolidated sensors to use standard libraries and binaries for functionality
  • SHA1 Hash Match Files Executing: Normalized output across supported operating systems
  • PowerForensics ShimCache: Added output message when no messages are found
  • PowerForensics File Record: Fixed file record filename collision bug


Known Issues and Workarounds

The latest version of handle.exe no longer supports running on Windows XP, Vista, or 2003. This impacts any sensor invoking this binary on one of the aforementioned operating systems.

No additional information to communicate to customers

New/Updated Binaries

  • TaniumFileInfo.exe (Update) - (sha256) ab8b4715b92c724642a52ee3bc009166b3d386fe18d41db73b049129755d3cb8
  • TaniumExecWrapper.exe (New) - (sha256) 4ec8259dbebf167cbf03e37e8316a3760b48e8c82adaaa310479c305142fd997
  • 7za.exe (Update) - (sha256) 7224bb4f4726e5d91b399982d89bb3353ec219c2a8edf837e214f517e5510238
  • yara32.exe (Update) - (sha256) e9bfb0389c9c1638dfe683acb5a2fe6c407cb650b48efdc9c17f5deaffe5b360
  • yara64.exe (Update) - (sha256) 427b46907aba3f1ce7dd8529605c1f94a65c8b90020f5cd1d76a5fbc7fc39993
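
The SHA-256 values above can be checked against the binaries actually staged on a system before they are trusted. The following is an added example, not Tanium code: it parses the list in the format published here and reports each file as match, mismatch or missing. The function names and the directory argument are assumptions made for illustration.

```python
import hashlib
import re
import sys
from pathlib import Path

# "New/Updated Binaries" entries as published in these release notes.
RELEASE_NOTES_BINARIES = """\
TaniumFileInfo.exe (Update) - (sha256) ab8b4715b92c724642a52ee3bc009166b3d386fe18d41db73b049129755d3cb8
TaniumExecWrapper.exe (New) - (sha256) 4ec8259dbebf167cbf03e37e8316a3760b48e8c82adaaa310479c305142fd997
7za.exe (Update) - (sha256) 7224bb4f4726e5d91b399982d89bb3353ec219c2a8edf837e214f517e5510238
yara32.exe (Update) - (sha256) e9bfb0389c9c1638dfe683acb5a2fe6c407cb650b48efdc9c17f5deaffe5b360
yara64.exe (Update) - (sha256) 427b46907aba3f1ce7dd8529605c1f94a65c8b90020f5cd1d76a5fbc7fc39993
"""
# Optional bullet, file name, (New|Update), then a 64-hex-digit SHA-256.
ENTRY_RE = re.compile(r"^\W*(?P<name>\S+)\s+\((?:New|Update)\)\s+-\s+"
                      r"\(sha256\)\s+(?P<digest>[0-9a-fA-F]{64})\s*$")

def parse_manifest(text):
    """Return {lowercased name: sha256}; fail closed on unparseable lines."""
    manifest = {}
    for line in filter(str.strip, text.splitlines()):
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable manifest line: {line!r}")
        manifest[m["name"].lower()] = m["digest"].lower()
    return manifest

def sha256_file(path, chunk_size=1 << 20):  # chunked read keeps memory constant
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_directory(directory, manifest):
    """Map each manifest name to 'match', 'mismatch' or 'missing' (case-insensitive names)."""
    on_disk = {p.name.lower(): p for p in Path(directory).iterdir() if p.is_file()}
    results = {}
    for name, expected in manifest.items():
        if name not in on_disk:
            results[name] = "missing"
        else:
            results[name] = "match" if sha256_file(on_disk[name]) == expected else "mismatch"
    return results

if __name__ == "__main__":  # usage: script.py <directory holding the binaries>
    report = verify_directory(sys.argv[1], parse_manifest(RELEASE_NOTES_BINARIES))
    print("\n".join(f"{status:9} {name}" for name, status in report.items()))
    sys.exit(0 if set(report.values()) == {"match"} else 1)
```

A non-zero exit status means at least one listed binary is absent or does not match its published hash.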

Deprecated Content

  • Browser Cookie Search (sensor)
  • Running Processes with Yara Match (sensor)

Notes for future releases

  • We plan to deprecate the "Shim Cache Parser" and "MFT File Details" sensors and replace them with feature-parity sensors built on the PowerForensics framework

Additional Information