IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Threat Response (Version 3.10)

From Tanium Knowledge Base

Tanium Threat Response 3.10.59

Release Date: 22 August 2023

Tools Versions

  • Includes Threat Response Tools: 3.10.59
  • Includes core-recorder 3.10.81
  • Includes Recorder 2.9.1338
  • Includes Driver Tool Version 3.10.81
  • Includes Driver binary version 3.1.2065
  • Includes THR-CX 1.11.2964
  • Includes Stream 1.7.5.2
  • Includes Index 3.3.2607
  • Includes core-python 2.2.23
  • Includes Incident Response 6.5.23

Fixes

  • Increased the limit on the size for Tanium Signals feed updates.

Known Issues

  • In instances where RecorderCX is not running, SHA256 hash detections of active long-running processes may fail to generate an alert.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, path MTU negotiation packets can be blocked if packets sent from the endpoint are larger than the MTU allowed by a router on the path. Normally the router sees a packet that is too large and sends an ICMP message back to the endpoint to report this and advise lowering the MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or on macOS endpoints with Apple M1 (ARM) processors.
  • On-demand scans for IOCs created from a hash search only content from Tanium Index; they do not search recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • When deleting notifications from the Management > System Notifications page, if you apply filters and then select multiple notifications that match the filter criteria for deletion, all notifications are deleted, not only those matching the filter. This is a known issue and will be resolved in a future version of Threat Response.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Tanium Threat Response 3.10.58

Release Date: 27 April 2023

Tools Versions

  • Includes core-recorder 3.10.81
  • Includes Recorder 2.9.1338
  • Includes Driver Tool Version 3.10.81
  • Includes Driver binary version 3.1.2065
  • Includes THR-CX 1.11.2964
  • Includes Stream 1.7.5.2
  • Includes Index 3.3.2607
  • Includes core-python 2.2.23
  • Includes Incident Response 6.5.23

Improvements

  • Added an option to disable tracking of command lines for forked processes on Linux.

Fixes

  • Fixes an issue where Deep Instinct Alerts could be ignored for certain event types.
  • Fixes an issue where Windows Live Response scripts are not signed.
  • Fixes an issue where On-demand scans could fail with a timeout error.
  • Fixes an issue where certain registry events were not recorded when mounting an ISO.
  • Fixes an issue where file event timestamps could be out of sync in Recorder on macOS.

Security Update

  • This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained from Tanium's Support Portal or by contacting your TAM.

Known Issues

  • In instances where RecorderCX is not running, SHA256 hash detections of active long-running processes may fail to generate an alert.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, path MTU negotiation packets can be blocked if packets sent from the endpoint are larger than the MTU allowed by a router on the path. Normally the router sees a packet that is too large and sends an ICMP message back to the endpoint to report this and advise lowering the MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or on macOS endpoints with Apple M1 (ARM) processors.
  • On-demand scans for IOCs created from a hash search only content from Tanium Index; they do not search recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • When deleting notifications from the Management > System Notifications page, if you apply filters and then select multiple notifications that match the filter criteria for deletion, all notifications are deleted, not only those matching the filter. This is a known issue and will be resolved in a future version of Threat Response.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Tanium Threat Response 3.10.44

Release Date: 14 February 2023

Fixes

  • Fixes an issue where driver events were not recorded on Windows endpoints.
  • Fixes an issue where duplicate Threat Response alerts could be sent to Tanium Connect destinations.

Tools Versions

  • Includes core-recorder 3.10.75
    • Includes Recorder 2.9.1334
  • Includes Driver Tool Version 3.10.75
    • Includes Driver binary version 3.1.2058
  • Includes THR-CX 1.11.2961
  • Includes Stream 1.7.4
  • Includes Index 3.3.2607
  • Includes core-python 2.2.23
  • Includes Incident Response 6.5.23

Known Issues

  • In instances where RecorderCX is not running, SHA256 hash detections of active long-running processes may fail to generate an alert.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, path MTU negotiation packets can be blocked if packets sent from the endpoint are larger than the MTU allowed by a router on the path. Normally the router sees a packet that is too large and sends an ICMP message back to the endpoint to report this and advise lowering the MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or on macOS endpoints with Apple M1 (ARM) processors.
  • On-demand scans for IOCs created from a hash search only content from Tanium Index; they do not search recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • When deleting notifications from the Management > System Notifications page, if you apply filters and then select multiple notifications that match the filter criteria for deletion, all notifications are deleted, not only those matching the filter. This is a known issue and will be resolved in a future version of Threat Response.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Tanium Threat Response 3.10.39

Release Date: 24 January 2023

Improvements

  • Improved behavior to limit memory usage when performing memory scoped YARA scans.

Fixes

  • Fixes an issue where the Threat Response - Acknowledge Findings package could use excessive CPU and timeout when running on endpoints with a large number of findings.
  • Fixes an issue where TaniumPersistenceAnalyzer.exe could fail to run with the error "TPA seems to have failed. code=3" if two SIDs are associated with the same user profile.
  • Fixes an issue where STIX intel documents were not being parsed correctly.
  • Fixes an issue where YARA scans may not scan all search scopes as expected.

Tools Versions

  • Includes core-recorder 3.10.75
    • Includes Recorder 2.9.1334
  • Includes Driver Tool Version 3.10.75
    • Includes Driver binary version 3.1.2058
  • Includes THR-CX 1.11.2961
  • Includes Stream 1.7.4
  • Includes Index 3.3.2607
  • Includes core-python 2.2.23
  • Includes Incident Response 6.5.23

Known Issues

  • In instances where RecorderCX is not running, SHA256 hash detections of active long-running processes may fail to generate an alert.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, path MTU negotiation packets can be blocked if packets sent from the endpoint are larger than the MTU allowed by a router on the path. Normally the router sees a packet that is too large and sends an ICMP message back to the endpoint to report this and advise lowering the MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or on macOS endpoints with Apple M1 (ARM) processors.
  • On-demand scans for IOCs created from a hash search only content from Tanium Index; they do not search recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • When deleting notifications from the Management > System Notifications page, if you apply filters and then select multiple notifications that match the filter criteria for deletion, all notifications are deleted, not only those matching the filter. This is a known issue and will be resolved in a future version of Threat Response.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.

Tanium Threat Response 3.10.34

Release Date: 01 November 2022

Important Notes

  • Threat Response 3.10 is focused on further expansion of the existing integration with Deep Instinct (DI).
  • In the forthcoming Threat Response release, the Detect and Event services will be deprecated and replaced by the Threat Response service. The integration between the Threat Response service and the Threat Response Client Extension on endpoints improves performance and provides a platform for future capabilities, intelligence, and workflows around intel and alerting. These service changes require Threat Response API changes, and customers and partners will need to reconfigure their Threat Response API integrations. The API changes will be documented, with guidance on performing any necessary reconfiguration.
  • Automatic deployment of tools might not work after upgrading to Threat Response 3.10 from Threat Response 2.6. In such cases, deploy profiles to upgrade the endpoint tools.

Requirements

  • Tanium Interact 2.8.102 or later is a required dependency.
  • Tanium Client Management 1.5.0 or later is a required dependency.
  • Tanium Direct Connect 2.2.77 or later is a required dependency.
  • Tanium IR Quarantine 3.4.13 or later is required for isolating endpoints.
  • Tanium Reputation 6.2.0 or later is required for reputation data with Tanium Connect 4.11 or later.

New Features

  • Provides support for the Threat Response and Deep Instinct integration on macOS.
  • Supports additional Deep Instinct event types which allow consumption of the full breadth of Deep Instinct alerts in the Threat Response console.

Improvements

  • The version of Tanium Index that is provided with Threat Response 3.10 now indexes and hashes files inside ZIP archives.
  • Deep Instinct alert details contain a new section called "Deep Instinct" that shows Event Type, Event Action, File Path, File Type, File Hash, and Signature where applicable.
  • A new "Malware Probability" section is included with types such as backdoor, virus, worm, etc.
  • Tanium Driver process injection monitoring exclusions for Deep Instinct are included by default.
  • EID manager logging moved to Trace level.
  • Updated Alert Throttling for the Deep Instinct Integration.
  • Improved performance for Trace Logon Events sensor queries.
  • Improved load times when browsing the Combined View in Live Connections.
  • Improved load times when viewing Driver events in Live Connections.
  • Endpoint troubleshooting bundles now include the entire IndexCX directory.

Tools Versions

  • Includes core-recorder 3.10.75
    • Includes Recorder 2.9.1334
  • Includes Driver Tool Version 3.10.75
    • Includes Driver binary version 3.1.2058
  • Includes THR-CX 1.11.2952
  • Includes Stream 1.7.4
  • Includes Index 3.3.2607
  • Includes core-python 2.2.23
  • Includes Incident Response 6.5.21

Fixes

  • Fixes a potential conflict between the Tanium Driver and third-party process injection drivers that could cause Microsoft Windows to become unresponsive when Tanium Process Injection alerts are enabled.
  • Fixes an issue where an errant entry appeared between the 'Bystander' and 'Security Event' sections of the alert details panel.
  • Fixes an On-Demand scanning failure for the Threat Response User role when the Reveal User role is also assigned.
  • Fixes an issue when action approval is in use that causes Response Activity status to change to "Stopped" even though the action was approved and executes successfully.
  • Fixes an issue where Defender alerts were not loading the details panel.
  • Fixes an issue where Defender alert details in the UI showed "unknown" under fields such as Detection Type and Process Ancestry.
  • Fixes an issue where the service continues to make requests when TDS is down.
  • Fixes an issue where the AutoRun sensors' description contained a misspelled reference to a package.
  • Fixes an issue where filters using network.port were not filtering disconnects with matching local ports.
  • Fixes an issue where Stream output would incorrectly grow the file size of extensions-stdout.txt.

Security Update

  • This release includes security updates. Details of the issue, including affected versions and mitigation information, can be obtained from Tanium's Support Portal or by contacting your TAM.

Known Issues

  • In instances where RecorderCX is not running, SHA256 hash detections of active long-running processes may fail to generate an alert.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When quarantine rules block the ICMP protocol, path MTU negotiation packets can be blocked if packets sent from the endpoint are larger than the MTU allowed by a router on the path. Normally the router sees a packet that is too large and sends an ICMP message back to the endpoint to report this and advise lowering the MTU. If that ICMP message cannot reach the endpoint because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Block ICMP traffic while quarantined only after proper testing.
  • The macOS Autoruns sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • Live Response Memory Collection is not supported on Amazon Linux 2 (ARM) endpoints or on macOS endpoints with Apple M1 (ARM) processors.
  • On-demand scans for IOCs created from a hash search only content from Tanium Index; they do not search recorder or live connection data for the hashes. This will be addressed in a future release of Threat Response.
  • When deleting notifications from the Management > System Notifications page, if you apply filters and then select multiple notifications that match the filter criteria for deletion, all notifications are deleted, not only those matching the filter. This is a known issue and will be resolved in a future version of Threat Response.
  • On macOS 13.4 and later, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.