Release Notes Incident Response (Version 4.4)
Thank you for choosing Tanium. These notes are intended to document changes between releases of the Tanium Incident Response module.
Tanium Incident Response 4.4.3
Release Date May 15, 2018
Incident Response Official Version 4.4.3.0002
Resolved Issues and Improvements
- Updates 7za.exe to version 18.05.
- Improvement: All PowerForensics-based sensors use less memory and execute several orders of magnitude faster.
- Improvement: Raw NTFS parsing is significantly faster.
- Improvement: PowerForensics now supports NTFS file systems where the file record size is not 1024 bytes.
- Bugfix: PowerForensics would return invalid raw file data for highly fragmented files. Specifically, at some point during the reading of the data, only null bytes would be returned.
- Bugfix: PowerForensics would sometimes fail to parse directories, preventing access to their contents.
- Bugfix: PowerForensics would sometimes incorrectly parse NTFS file record attributes, preventing access to the affected file records.
- Bugfix: PowerForensics parsing of resident registry values would always return 4 bytes of data as binary, regardless of the underlying data type or length.
- Bugfix: PowerForensics would throw an exception when trying to parse registry values that were zero bytes in length.
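The two registry bugfixes above (resident values always read as 4 binary bytes; zero-length values raising an exception) come down to how a hive "vk" cell encodes small data inline. The following is an added example, not PowerForensics or Tanium code: it parses a resident vk cell using the standard hive layout, honours the real length and type, and treats a zero-length value as valid. The sample cells are constructed in the block.

```python
import struct

REG_SZ, REG_BINARY, REG_DWORD = 1, 3, 4   # standard REG_* type codes
RESIDENT = 0x80000000  # high bit of the data-length field: data is inline

def parse_vk_cell(cell: bytes):
    """Parse the body of a registry 'vk' (value key) cell.

    Layout after the 2-byte 'vk' signature: name length (2), data length (4),
    data offset or inline data (4), data type (4), flags (2), spare (2), name.
    When the high bit of data length is set, the data (at most 4 bytes) is
    stored in the offset field and the true length is the low 31 bits.
    """
    if cell[:2] != b"vk":
        raise ValueError("not a vk cell")
    name_len, raw_len, _offset, vtype, flags = struct.unpack_from("<HIIIH", cell, 2)
    raw_name = cell[0x14:0x14 + name_len]
    name = raw_name.decode("ascii") if flags & 1 else raw_name.decode("utf-16-le")
    if not raw_len & RESIDENT:
        raise NotImplementedError("non-resident data lives in a separate cell")
    length = raw_len & ~RESIDENT
    if length > 4:
        raise ValueError("resident data cannot exceed 4 bytes")
    data = cell[8:8 + length]   # exactly `length` bytes, not a fixed 4
    return name, vtype, decode_value(vtype, data)

def decode_value(vtype: int, data: bytes):
    """Decode value data by type; a zero-length value is legal, not an error."""
    if not data:
        return None
    if vtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if vtype == REG_SZ:
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return data  # REG_BINARY and anything else: raw bytes of the real length

def build_vk(name: bytes, vtype: int, data: bytes) -> bytes:
    """Construct a resident vk cell body (test data, ASCII name flag set)."""
    assert len(data) <= 4
    return (b"vk" + struct.pack("<HI", len(name), RESIDENT | len(data))
            + data.ljust(4, b"\0") + struct.pack("<IH", vtype, 1) + b"\0\0" + name)

if __name__ == "__main__":
    for cell in (build_vk(b"Start", REG_DWORD, b"\x02\0\0\0"),
                 build_vk(b"Tag", REG_BINARY, b"\x01\x02"),
                 build_vk(b"Empty", REG_BINARY, b"")):
        print(parse_vk_cell(cell))
```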
New Binaries
| Operating System | Binary Name | Binary Version | SHA256 Hash |
|---|---|---|---|
| Windows x86 | 7za.exe | 18.05 | 77613cca716edf68b9d5bab951463ed7fade5bc0ec465b36190a76299c50f117 |
| Windows x86 | PowerForensics.dll | 1.3.0 | b72f1213a8bd468ce0b2fddb9553a9821b482c2eff8eced7157239f71d56a448 |
| Windows x64 | 7za.exe | 18.05 | 77613cca716edf68b9d5bab951463ed7fade5bc0ec465b36190a76299c50f117 |
| Windows x64 | PowerForensics.dll | 1.3.0 | b72f1213a8bd468ce0b2fddb9553a9821b482c2eff8eced7157239f71d56a448 |
Known Issues
- PowerForensics does not currently support the reading of sparse NTFS file data. Support is planned for a future release.
- Attempts to acquire the USN Journal ($Extend\$UsnJrnl) as a file will fail as PowerForensics currently lacks support for NTFS sparse files. The USN Journal may be parsed, though, using the Get-ForensicUsnJrnl cmdlet.
Tanium Incident Response 4.4.2
Release Date May 1, 2018
Incident Response Official Version 4.4.2.0001
Resolved Issues
- The PowerForensics User Assist Search sensor no longer writes temporary files to the system defined temp directory.
Tanium Incident Response 4.4.1
Release Date April 10, 2018
Incident Response Official Version 4.4.1.0001
Important
- Customers wishing to use Autoruns related content will need to go to https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns and download and then upload/install SysInternals Autoruns.zip during the import of the Incident Response solution.
Resolved Issues
- The Running Processes with Hash sensor correctly handles a missing lsof utility on CentOS systems.
- Write privileges were removed from the Incident Response User Role for RBAC-enabled installations.
  Note: Tanium Administrators must remove that privilege from existing Incident Response User Roles because the solution import process does not overwrite existing RBAC privileges.
- The SSH Known Hosts sensor correctly handles searches by domain.
- The Remote Desktop Event Log Search sensor now works correctly and more efficiently.
- Sensors that return network related information (for example: established connections, listening ports, etc.) have an updated means of obtaining Tanium Client and Server ports.
- The ARP Cache sensor for Mac now returns the correct Type.
- PowerForensics Prefetch and PowerForensics Shim Cache sensors were updated to work on Windows 10.
- The PowerForensics module is now digitally signed.
New Features
- Added Mac Downloaded Files sensor for Mac.
  - Searches the ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvent* file for downloaded files, returning the 20 most recent results.
- Added iCloud Settings sensor for Mac.
  - Returns all iCloud settings for all users by default. Can also be run against a user name or specific iCloud settings.
- Added SIP Settings sensor for Mac.
  - Returns the status of System Integrity Protection settings.
- Added Logon Security Event Log Search sensor for Mac.
  - Searches the com.apple.system.lastlog file for certain logon event types going back in time up to 168 hours.
New Binaries
| Operating System | Binary Name | Binary Version | SHA256 Hash |
|---|---|---|---|
| Windows x86 | PowerForensics.dll | 1.2.2 | cd17e1054616dc1b8e1e1dcbb64f03ecc692d903c59c1625ddabdb35972699b2 |
Deprecated Content
- No deprecated content in this release.
Notes for future releases
- The Search for/in Files (Mac/Linux) package will be removed in a future release. Use Index sensors for the Search for functionality and Threat Response Detect's Yara capability for hex and string searches for Search in files functionality.
- The Historical RDP sensor depends on a Windows Security Event Log event ID that does not appear to be triggered on modern versions of Windows. This sensor will be deprecated in a future release.
- Semaphore-related content will be removed in a future release.
- The sensors and packages related to the MD5 Exploit List will be deprecated in a future release. This functionality is covered by both Detect and Index Blacklists.
- Customers with workflows or saved questions that use the "stand-alone" MD5 or SHA1 hashing sensors, such as Running Processes with MD5 Hash, should replace these sensors with the new parameterized sensors that support multiple hash types. Tanium will remove the older sensors in a future release, with advance notice to be provided in the release notes for preceding releases.