
Release Notes Threat Response (Version 3.5)

From Tanium Knowledge Base

Tanium Threat Response 3.5.292

Release Date: 12 April 2022

Fixes

  • Improves Tanium Index database read performance.
  • Improves Tanium Recorder database read performance.
  • Improves Tanium Index database performance by increasing SQLite cache size.

Tools versions

  • Includes Core Recorder 3.7.156
  • Includes Recorder 2.6.1286
  • Includes Index 3.1.966

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • Threat Response provides YARA 4.1 on endpoints; however, YARA has not been updated on the Threat Response service. The Threat Response service uses YARA 3.8.1. As a result of this version mismatch, the service does not validate rules that use YARA 4.1 specific features. This will be addressed in a future release of Threat Response.

Tanium Threat Response 3.5.290

Release Date: 08 March 2022

Fixes

  • Fixes an issue where the size of a file appears incorrectly in the file browser in a live endpoint connection.
  • Fixes an issue where the alert dates displayed on the Threat Response home page start with the date of the Threat Response installation.
  • Fixes a memory leak with event detection.

Tools versions

  • Includes Core Recorder 3.7.155
  • Includes Recorder 2.6.1285

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • Threat Response provides YARA 4.1 on endpoints; however, YARA has not been updated on the Threat Response service. The Threat Response service uses YARA 3.8.1. As a result of this version mismatch, the service does not validate rules that use YARA 4.1 specific features. This will be addressed in a future release of Threat Response.

Tanium Threat Response 3.5.284

Release Date: 15 February 2022

Important notes

  • Features Deep Instinct integration for alerts. Deep Instinct incorporates advanced artificial intelligence to prevent and detect malware. Deep Instinct integration allows customers access to the full list of Threat Response remediation actions when handling Deep Instinct alerts. The Deep Instinct integration requires enabling the “Generate Deep Instinct Alerts” setting in an engine configuration for a deployed profile. Once enabled, Threat Response will display Deep Instinct alerts in the Threat Response workbench. By default, this setting is disabled for new configurations. For alerts to be returned from endpoints, the Deep Instinct agent must be running on the endpoint.
  • The Tanium Event Recorder Driver is required and installed for all Windows deployments. The Tanium Driver no longer has a version requirement for Windows 10 and will install on any version of Windows 10. Driver 3.0 introduces a new service on Windows endpoints named TaniumDriverSvc.

Improvements

  • Threat Response CX has been updated to cache autorun persistent data every 24 hours by default.

Fixes

  • Fixes an issue where the detect engine fails to query Index when checking for file names and hashes.

Tools versions

  • Includes Driver: 3.0.1300
  • Includes Core Recorder 3.7.154
  • Includes Index 3.1.963
  • Includes Recorder: 2.6.1280.0
  • Includes Core-python (python38): 2.1.39.0
  • Includes THR-CX: 1.7.67.0
  • Includes Detect Engine 3.20.2.0
  • Includes Incident Response: 6.4.6.0
  • Includes Stream: 1.6.8.0

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • Threat Response provides YARA 4.1 on endpoints; however, YARA has not been updated on the Threat Response service. The Threat Response service uses YARA 3.8.1. As a result of this version mismatch, the service does not validate rules that use YARA 4.1 specific features. This will be addressed in a future release of Threat Response.

Tanium Threat Response 3.5.276

Release Date: 18 January 2022

Important notes

  • Features Deep Instinct integration for alerts. Deep Instinct incorporates advanced artificial intelligence to prevent and detect malware. Deep Instinct integration allows customers access to the full list of Threat Response remediation actions when handling Deep Instinct alerts. The Deep Instinct integration requires enabling the “Generate Deep Instinct Alerts” setting in an engine configuration for a deployed profile. Once enabled, Threat Response will display Deep Instinct alerts in the Threat Response workbench. By default, this setting is disabled for new configurations. For alerts to be returned from endpoints, the Deep Instinct agent must be running on the endpoint.
  • The Tanium Event Recorder Driver is required and installed for all Windows deployments. The Tanium Driver no longer has a version requirement for Windows 10 and will install on any version of Windows 10. Driver 3.0 introduces a new service on Windows endpoints named TaniumDriverSvc.

Improvements

  • Improved alert storm protection by extending pruning to the event service.

Fixes

  • Resolved the inability to delete signal suppression rules in some cases.
  • Removed several overly verbose debug log messages causing the event service log to roll over too frequently.
  • Resolved issue where event service would fail due to KNEX SQLite errors.
  • Resolved issue where event service metrics were not registering successfully in Grafana.

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • Threat Response provides YARA 4.1 on endpoints; however, YARA has not been updated on the Threat Response service. The Threat Response service uses YARA 3.8.1. As a result of this version mismatch, the service does not validate rules that use YARA 4.1 specific features. This will be addressed in a future release of Threat Response.

Tanium Threat Response 3.5.275

Release Date: 04 January 2022

Important notes

  • Features Deep Instinct integration for alerts. Deep Instinct incorporates advanced artificial intelligence to prevent and detect malware. Deep Instinct integration allows customers access to the full list of Threat Response remediation actions when handling Deep Instinct alerts. The Deep Instinct integration requires enabling the “Generate Deep Instinct Alerts” setting in an engine configuration for a deployed profile. Once enabled, Threat Response will display Deep Instinct alerts in the Threat Response workbench. By default, this setting is disabled for new configurations. For alerts to be returned from endpoints, the Deep Instinct agent must be running on the endpoint.
  • The Tanium Event Recorder Driver is required and installed for all Windows deployments. The Tanium Driver no longer has a version requirement for Windows 10 and will install on any version of Windows 10. Driver 3.0 introduces a new service on Windows endpoints named TaniumDriverSvc.

Upgrade recommendations

  • Customers who have saved questions using the Autorun Files / Autoruns By Category / Autorun Program Details sensors will need to recreate the saved questions to take advantage of improvements in the autoruns implementation.
  • The following additional security exclusions have been added for the latest version of the Tanium driver. Refer to the Threat Response User Guide for a complete list of required security exclusions.

      • C:\Windows\SysWOW64\TaniumProcessMonitor.dll
      • C:\Windows\system32\drivers\TaniumProcessMonitor.dll
      • <Tanium Client>\tools\driver\TaniumDriverCtl.exe
      • <Tanium Client>\tools\driver\TaniumDriverCtl64.exe
      • <Tanium Client>\tools\driver\TaniumDriverSvc.exe
      • <Tanium Client>\tools\driver\TaniumDriverSvc64.exe
      • <Tanium Client>\tools\driver\service\TaniumDriverSvc.exe
      • <Tanium Client>\tools\driver\service\TaniumDriverSvc64.exe

Improvements

  • Adds endpoint integration with Deep Instinct (DI), with the ability to use Deep Instinct alerts in Threat Response.
  • Tanium Driver updated to version 3.0.
  • Autoruns Content has been migrated to generate and use cached results for improved performance.
  • Includes a new sensor: Threat Response - Security Events.
  • Includes Live Endpoint UI and feature enhancements.
  • Adds clearer alert source details.
  • Improves alert filtering.
  • Improves the logging of saved evidence.
  • Improves Tanium process filtering.
  • Allows Intel to bypass Endpoint Configuration Approval.
  • UUID is now part of the Saved Evidence API.
  • Includes a Download File link for file Items.
  • Includes stream improvements to Windows security events only configurations.
  • Includes Stream improvements for Library Loads.
  • Features a Trends update to correct permissions and remove legacy boards.
  • Standardizes process ancestry across alert views.
  • Adds support for diffie-hellman-group-exchange-sha256 keys in TaniumFileTransfer.
  • Includes file collector sets for Edge and IE browser data.
  • eBPF is supported for Ubuntu 18.04 - 20.04.
  • Recording of DNS events is now supported on Linux endpoints that have eBPF enabled.

Tools versions

  • Includes Recorder: 2.6.1280.0
  • Includes Index: 3.1.955.0
  • Includes Driver: 3.0.1288.0
  • Includes Core-python (python38): 2.1.39.0
  • Includes THR-CX: 1.7.67.0
  • Includes Detect Engine 3.20.2.0
  • Includes Incident Response: 6.4.6.0
  • Includes Stream: 1.6.8.0

Fixes

  • Fixes malformed Detect Gather with EID sensors.
  • Allows Index configurations without hashing.
  • Fixes download file response actions failing for offline endpoints.
  • Increased snapshot upload max size to 2.5 GB.
  • Fixes file browser breadcrumb navigation.
  • Supports filtering on Windows Defender alerts.
  • Fixes an issue where the base64 checkbox under Services > Misc did not function properly.
  • Fixes Live Response PowerShell's ability to run with various GPO settings.
  • Features updates to Trends boards.
  • Fixes the support for the LogPath variable.
  • Updates Threat Response Read Only User Permissions.
  • Removes TrustedCertPath log spam.
  • Fixes Signal validation in the text editor and filter builder.
  • Importing intel from a local directory now works correctly with subdirectories.
  • Fixes timestamps in response actions.
  • Removes extraneous "k" from UI display.
  • Updates DNS resolver cache hosts to support Japanese character sets.
  • Fixes "Uninstall Threat Response" to no longer leave entry in module dropdown.

Known issues

  • Memory Collection on Windows 10 2004 or newer might fail to load the winpmem driver and create a 0 byte collection file.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This should resolve over time. Every client reset (4 hours by default) reattempts the installation.
  • Threat Response provides YARA 4.1 on endpoints; however, YARA has not been updated on the Threat Response service. The Threat Response service uses YARA 3.8.1. As a result of this version mismatch, the service does not validate rules that use YARA 4.1 specific features. This will be addressed in a future release of Threat Response.