Release Notes Integrity Monitor (Version 2.3)
Thank you for choosing Tanium. This document describes the release of Tanium Integrity Monitor.
Important Notes
Integrity Monitor 2.3.0.0018 has removed support for Windows Legacy operating systems (Windows older than Windows 7 / Server 2008R2). The Integrity Monitor team will continue to support any existing customers who are still using Integrity Monitor versions released prior to version 2.3.0.0014 and will provide guidance to customers who need assistance with migration to the latest releases. Prior versions containing these features will continue to be supported per your support agreement with Tanium.
Integrity Monitor 2.3.0.0018 raises the minimum Windows client version to 7.2.314.3211, in line with the minimum Linux client version. Integrity Monitor tools no longer install on client versions lower than 7.2.314.3211. The recommended version for all supported OSes can be found in the documentation.
Integrity Monitor 2.2.0.0064 adds support for the 7.4 version of the Tanium Client, including updates to the Python runtime version and supporting libraries.
Integrity Monitor 2.1.0.0057 includes an update to the AIX/Solaris tooling that filters out any files that are not regular files or directories (e.g. named pipes). This requires a new baseline to be established, which means that when upgrading to this version, the first install of tools can potentially have a number of false events reported. After this, there should be no more false events. Talk with your TAM if you would like to know more or would like a workaround for not receiving these false events.
The releases of Tanium Threat Response 2.0, Integrity Monitor 2.0, and Map 2.0 all include a significant update to the Client Recorder Extension. This upgrade does not require that all three products be updated at the same time, but when more than one impacted product is deployed to an endpoint, conditional logic is applied to determine whether to upgrade the recorder component from 1.x to 2.0 versions. Please consult your Technical Account Manager to better understand how to best plan for your deployments if you have more than one impacted product installed.
Tanium Integrity Monitor 2.3.0.0018
Release Date: March 31, 2020
Feature Improvements
- Tanium Integrity Monitor now integrates with Tanium Trends to show Integrity Monitor charts through the Trends initial gallery (Requires Tanium Trends 2.4 or later).
- For the integration to work properly, both Trends and Integrity Monitor must be configured (service accounts, respective groups, etc.).
- The board, named Integrity Monitor, will be importable via the Trends Gallery after the solution is installed/upgraded.
- If the gallery entry does not appear after 10 minutes, please contact your TAM.
- Trends 2.4.5.0002 or Trends 3.1.1.0008 is necessary for all boards to function properly.
Resolved Issues
- Resolves an issue with the description used during automatic import and configuration of the module. It erroneously said that the user would need to deploy monitors after import, and has been corrected to say that deployment is done automatically.
Known Issues
- The on-endpoint database used to store events (im.db) limits the number of events it keeps but not the amount of baseline data, which can lead to large databases, particularly when the watchlist definition captures a large number of files. A couple of issues related to this are being resolved, and a version with those fixes will be available shortly.
- A large number of paths, includes, and excludes used across a number of monitors can cause the monitors page to become unresponsive or fail to load. This will be addressed in the next release.
Important Notes
- Integrity Monitor 2.3.0.0018 has removed support for Windows legacy operating systems (Windows older than Windows 7 / Server 2008R2).
- On upgrade, the following data is removed from Integrity Monitor, for all legacy Windows monitors:
  - Custom labels
  - Rules
  - Events and event labels
  - Reports
  - Monitor definitions
- All saved questions, packages, and actions generated by the Integrity Monitor service for Windows legacy monitors will be removed on the next monitor deployment.
- A new package is available, Integrity Monitor Remove Windows Legacy Tools, to allow for removal of tools from the endpoints as you see fit.
- Events from the endpoint are still available through the Integrity Monitor File Events Overview/Details sensors.
Dependencies
- Index 2.5.3.0005
- Tanium Client Recorder Extension: Upgraded from 2.1.0.1679 to 2.1.0.1696
  - Includes better logging and various improvements for ancestry information on processes.
- Tanium Python Version (2.7): 1.3.0.44
- Tanium Python Version (3.8): 1.3.0.44
- Tanium Client Extensions: Upgraded from 2.0.1.3930 to 2.2.0.1113
  - Adds a separate process for client extensions (TaniumCX), running under the client.
    - This will require new anti-virus exclusions. Work with your TAM to ensure these are set up properly.
    - These changes were made to make the client extensions more robust, supportable, and allow more functionality than previously possible.
Additional Information
Known Issues and Workarounds
- The Endpoints Recording count always reports 0 when not viewing with Tanium Administrator permissions.
- Hybrid/Hashing mode can have issues when changing watchlists, including reporting events incorrectly.
- Some delete events may not contain the entire path on Linux endpoints.
Requirements
- Tanium Connect 4.0 and above.
- Monitoring permission change events.
  - Windows NT 6.1 (Windows 7 / Windows Server 2008 R2) or above requires enabling System Audit Policies.
Supported Tanium Platforms
Tanium Server 7.2, 7.3, 7.4