Release Notes Threat Response (Version 1.3)
Important Note
The releases of Tanium Trace 2.9.0.0035, Threat Response 1.2.0.0037, Map 1.1.1.0006, and Integrity Monitor 1.7.0.0035 all include a significant update to how the endpoint recorder technology is distributed and managed. This update requires that if any one of the products is updated in an active environment, all of the others should be updated to at least the minimum versions specified above at the same time. Failure to do so may result in degraded functionality and potentially erroneous sensor results from those products that have not been updated. Tanium avoids introducing dependencies between product releases whenever possible, but a dependency is required in this circumstance to support significant new functionality enhancements.
Threat Response 1.3.3
Release Date: 07/02/2019
Fixes
- Fixes an issue shutting down recorder tools when deploying Threat Response on Windows
- Fixes an issue where tools deployment can leave processes in a suspended state on Windows endpoints
- Fixes an issue restarting the recorder on Linux endpoints
Endpoint Python Fixes
- Prevents incorrect loading of VC++ runtime on Windows XP & Windows 2003
- Prevents potential network calls that fetch CRL lists when TPython.exe is invoked
- Prevents potential failures when restoring suspended threads
Endpoint Python Updates
- Updated Python interpreter to 2.7.15
Threat Response 1.3.2
Release Date: 06/18/2019
Fixes
- Fixes an error when cancelling during creation of Live Response items
- Fixes an error upgrading endpoint tools
- Fixes an issue with a blank field in the Connect audit plugin for Threat Response
- Fixes an issue with deploying tools and correctly enabling and disabling the recorder
Recorder Updates
- Added APIs to allow defining the reason that the recorder was disabled
- Updated Windows Recorder to 1.1.31.3703
  - Resolved an issue with the ConfirmFileWrites setting that can cause files to be locked, breaking some processes like SCCM and Dragon Dictation
  - Resolved an issue with holding files open during signature verification in a way that caused issues with some applications
Threat Response 1.3.1
Release Date: 06/04/2019
Fixes
- Fixes an issue where the Threat Response console was not working in Internet Explorer 11
- Fixes an issue where users with the Threat Response Administrator role did not have access to the Service settings in the Top Rail
Recorder Updates
- Included Windows recorder 1.1.31.3648
  - Resolved an issue where events were lost in the Windows Event Recorder
- Included Mac/Linux recorder 1.0.34.13
  - Resolved an issue where a disabled recorder on Mac continuously logs messages
  - Resolved an issue where disabling the recorder could result in an empty auditd.conf
Security
- This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.
Threat Response 1.3.0
Release Date: 05/21/2019
The new Tanium Threat Response module combines the functionality of Tanium Detect and Tanium Trace with the content of Tanium Index and Tanium Incident Response.
Migration from existing installations of these modules is possible in the Threat Response module.
The migration process includes significant changes to the content and distribution of tools and configurations that are sent to connected endpoints.
Tanium strongly recommends contacting your Technical Account Manager prior to performing the migration.
Enhancements
- Live Response configuration management and package creation in the Threat Response workbench
- Improved alert suppression with global suppression rules, suppression rule management page, and the ability to retroactively apply suppression rules to existing alerts
- Deploy Action from Alert
- Live connection file browser
- Threat Response audit log source available in Tanium Connect 4.10.5 and later
- Tanium Recorder Driver content
- Recorder update to address lost events in the Windows Event Recorder
- Recorder engine update using Client Extensions
- Indexing engine update
- IR tools update
Known Issues
- The Linux Recorder may leave the auditd.conf file at a 0 byte file size when the auditd.conf.pretrace files were removed and the disable command is then called
- The Mac Recorder may have an issue where launchctl continues to try to run the Mac Recorder when the Mac Recorder is in a disabled state
- Clicking “Generate Packages” on the Live Response management page sometimes produces packages that do not include all of the expected files (for example: some collection config JSON files may be missing). This only occurs when creating a “Threat Response - Live Response [*]” package that does not already exist. It does not occur when updating existing packages.
  - Workaround: Click the “Generate Packages” button again to update the existing packages. The packages will then contain all of the expected files.
Security
- This release includes security updates. Details of the issue, including affected versions, and mitigation information, can be obtained within Tanium's Support Portal, or by contacting your TAM.