IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on-premises deployments, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On-prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Incident Response (Version 4.4)

From Tanium Knowledge Base

Thank you for choosing Tanium. These notes are intended to document changes between releases of the Tanium Incident Response module.

Tanium Incident Response 4.4.3

Release Date May 15, 2018

Incident Response Official Version 4.4.3.0002

Resolved Issues and Improvements

  • Updates 7za.exe to version 18.05.
  • Improvement: All PowerForensics-based sensors use less memory and execute several orders of magnitude faster.
  • Improvement: Raw NTFS parsing is significantly faster.
  • Improvement: PowerForensics now supports NTFS file systems where the file record size is not 1024 bytes.
  • Bugfix: PowerForensics would return invalid raw file data for highly fragmented files. Specifically, at some point during the reading of the data, only null bytes would be returned.
  • Bugfix: PowerForensics would sometimes fail to parse directories, preventing access to their contents.
  • Bugfix: PowerForensics would sometimes incorrectly parse NTFS file record attributes, preventing access to the affected file records.
  • Bugfix: PowerForensics parsing of resident registry values would always return 4 bytes of data as binary, regardless of the underlying data type or length.
  • Bugfix: PowerForensics would throw an exception when trying to parse registry values that were zero bytes in length.

New Binaries

Operating System | Binary Name        | Binary Version | SHA256 Hash
Windows x86      | 7za.exe            | 18.05          | 77613cca716edf68b9d5bab951463ed7fade5bc0ec465b36190a76299c50f117
Windows x86      | PowerForensics.dll | 1.3.0          | b72f1213a8bd468ce0b2fddb9553a9821b482c2eff8eced7157239f71d56a448
Windows x64      | 7za.exe            | 18.05          | 77613cca716edf68b9d5bab951463ed7fade5bc0ec465b36190a76299c50f117
Windows x64      | PowerForensics.dll | 1.3.0          | b72f1213a8bd468ce0b2fddb9553a9821b482c2eff8eced7157239f71d56a448

Known Issues

  • PowerForensics does not currently support reading sparse NTFS file data. Support is planned for a future release.
  • Attempts to acquire the USN Journal ($Extend\$UsnJrnl) as a file will fail because PowerForensics currently lacks support for NTFS sparse files. The USN Journal can still be parsed using the Get-ForensicUsnJrnl cmdlet.

Tanium Incident Response 4.4.2

Release Date May 1, 2018

Incident Response Official Version 4.4.2.0001

Resolved Issues

  • The PowerForensics User Assist Search sensor no longer writes temporary files to the system-defined temp directory.

Tanium Incident Response 4.4.1

Release Date April 10, 2018

Incident Response Official Version 4.4.1.0001

Resolved Issues

  • The Running Processes with Hash sensor correctly handles a missing lsof utility on CentOS systems.
  • Write privileges were removed from the Incident Response User Role for RBAC-enabled installations.
    Note: Tanium Administrators must remove that privilege from existing Incident Response User Roles because the solution import process does not overwrite existing RBAC privileges.
  • The SSH Known Hosts sensor correctly handles searches by domain.
  • The Remote Desktop Event Log Search sensor now works correctly and more efficiently.
  • Sensors that return network-related information (for example, established connections and listening ports) have an updated means of obtaining the Tanium Client and Server ports.
  • The ARP Cache sensor for Mac now returns the correct Type.
  • PowerForensics Prefetch and PowerForensics Shim Cache sensors were updated to work on Windows 10.
  • The PowerForensics module is now digitally signed.

New Features

  • Added Mac Downloaded Files sensor for Mac.
    Searches the ~/Library/Preferences/com.apple.LaunchServices.QuarantineEvent* file for downloaded files, returning the 20 most recent results.
  • Added iCloud Settings sensor for Mac.
    Returns all iCloud settings for all users by default. Can also be run against a user name or specific iCloud settings.
  • Added SIP Settings sensor for Mac.
    Returns the status of System Integrity Protection settings.
  • Added Logon Security Event Log Search sensor for Mac.
    Searches the com.apple.system.lastlog file for certain logon event types going back in time up to 168 hours.

New Binaries

Operating System | Binary Name        | Binary Version | SHA256 Hash
Windows x86      | PowerForensics.dll | 1.2.2          | cd17e1054616dc1b8e1e1dcbb64f03ecc692d903c59c1625ddabdb35972699b2

Deprecated Content

  • No deprecated content in this release.

Notes for future releases

  • The Search for/in Files (Mac/Linux) package will be removed in a future release. Use the Index sensors for the "Search for" functionality, and Threat Response Detect's YARA capability for hex and string searches in place of the "Search in files" functionality.
  • The Historical RDP sensor depends on a Windows Security Event Log event ID that does not appear to be triggered on modern versions of Windows. This sensor will be deprecated in a future release.
  • Semaphore-related content will be removed in a future release.
  • The sensors and packages related to the MD5 Exploit List will be deprecated in a future release. This functionality is covered by both Detect and Index Blacklists.
  • Customers with workflows or saved questions that use the "stand-alone" MD5 or SHA1 hashing sensors, such as Running Processes with MD5 Hash, should replace these sensors with the new parameterized sensors that support multiple hash types. Tanium will remove the older sensors in a future release, with advance notice to be provided in release notes for preceding releases.

Additional Information