Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.
Release Notes Threat Response (Version 4.2)
Tanium Threat Response 4.2.39
Release Date: 2 April 2024
Upgrade Notes
- Threat Response 4.2.39 upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that is not supported is currently installed. In this case, review the upgrade notes and follow the required upgrade path.
- If you are using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or later to prevent an issue where upgrades to Threat Response 4.0 or 4.2 will not complete successfully.
- When upgrading to Threat Response 4.0 or 4.2, it is only possible to upgrade from 3.8 or 3.10 to 4.0 or 4.2. Due to database schema changes during the migration, it is not possible to directly upgrade from Threat Response 3.7 (or earlier) to Threat Response 4.0. If you upgrade from 3.7 (or earlier) directly to Threat Response 4.0 or 4.2, the upgrade will fail, and you will need to recover Threat Response from a backup.
Improvements
- Updates the PowerShell signing certificate for Incident Response content.
- Updates third-party libraries in Tanium Stream.
Fixes
- Fixes an issue where migrating from some 4.0 versions of Threat Response could fail if Signals have invalid or duplicate mitreAttack.techniques defined.
Tools Versions
- Includes Threat Response Tools: 4.2.29
- Includes Threat Response CX binary: 1.12.923
- Includes Recorder Tool (Installer): 3.14.28
- Includes Recorder binary: 2.11.1584
- Includes Driver Tool (Installer): 3.14.28
- Includes Driver binary: 3.3.30
- Includes Index binary: 3.3.2634
- Includes Stream: 1.9.5
- Includes pycx: 2.5.1019
- Includes python38: 3.1.43
- Includes python27: 2.1.24
- Includes Incident Response: 6.6.32
Known Issues
- SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
- When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the MTU size of a packet on the endpoint is larger than the router's allowed MTU size. Normally, the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and to advise lowering the permissible MTU size. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic during quarantine only after proper testing.
- The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
- At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
- If you apply filters, select, and delete multiple notifications on the Management > System Notifications page, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
- On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
Tanium Threat Response 4.2.29
Release Date: 22 August 2023
Upgrade Notes
- Threat Response 4.2.29 upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
- If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0 or 4.2 will not complete successfully.
- When upgrading to Threat Response 4.0 or 4.2 it is only possible to upgrade from 3.8 or 3.10 to 4.0 or 4.2. Due to database schema changes during the migration, it is NOT possible to directly upgrade from Threat Response 3.7 (or earlier) to Threat Response 4.0. If you upgrade from 3.7 (or earlier) directly to Threat Response 4.0 or 4.2, the upgrade will fail, and you will need to recover Threat Response from a backup.
Improvements
- Improves the Tanium Driver's compatibility with Windows 7 SP1 and Windows Server 2008 R2 SP1 systems that may not have all Windows updates installed.
- Improves the Tanium Driver's compatibility with Carbon Black's tamper protection behavior.
- Removes the arbitrary limit on the size of the Tanium Signals feed.
Fixes
- Fixes an issue with the Tanium Driver installation process to make upgrades of the Tanium Driver more reliable and prevent partial Tanium Driver upgrades.
- Fixes an issue where a large number of throttled alerts could cause alerts to stop being gathered.
Tools Versions
- Includes Threat Response Tools: 4.2.29
- Includes Threat Response CX binary: 1.12.923
- Includes Recorder Tool (Installer): 3.14.28
- Includes Recorder binary: 2.11.1584
- Includes Driver Tool (Installer): 3.14.28
- Includes Driver binary: 3.3.30
- Includes Index binary: 3.3.2634
- Includes Stream: 1.7.10
- Includes pycx: 2.5.1019
- Includes python38: 3.1.43
- Includes python27: 2.1.24
- Includes Incident Response: 6.6.31
Known Issues
- SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
- When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the MTU size of a packet on the endpoint is larger than the router's allowed MTU size. Normally, the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and to advise lowering the permissible MTU size. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic during quarantine only after proper testing.
- The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
- At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
- When deleting Notifications from the Management > System Notifications page, if you apply filters and select to delete multiple notifications that match the filter criteria, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
- On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
Tanium Threat Response 4.2.21
Release Date: 18 July 2023
Upgrade Notes
- Threat Response 4.2.13 upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
- If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0 or 4.2 will not complete successfully.
- When upgrading to Threat Response 4.0 or 4.2 it is only possible to upgrade from 3.8 or 3.10 to 4.0 or 4.2. Due to database schema changes during the migration, it is NOT possible to directly upgrade from Threat Response 3.7 (or earlier) to Threat Response 4.0. If you upgrade from 3.7 (or earlier) directly to Threat Response 4.0 or 4.2, the upgrade will fail, and you will need to recover Threat Response from a backup.
Fixes
- Fixes an issue where intel document definitions were not converted after an upgrade causing intel documents to no longer show as having a definition in the user interface.
- Fixes an issue where long running intel deployment tasks could fail due to session timeouts.
- Fixes an issue that could cause a failure with air-gap installations because ThreatResponse.xml contained unprintable characters.
- Fixes an issue where blank MITRE ATT&CK names or IDs could cause a failed upgrade from Threat Response 3.8 or 3.10 to 4.0+.
Tools Versions
- Includes Threat Response CX binary: 1.12.921
- Includes Recorder Tool (Installer): 3.14.19
- Includes Recorder binary: 2.11.1576
- Includes Driver Tool (Installer): 3.14.19
- Includes Driver binary: 3.3.18
- Includes Index binary: 3.3.2634
- Includes Stream: 1.7.10
- Includes pycx: 2.5.1019
- Includes python38: 3.1.43
- Includes python27: 2.1.24
- Includes Incident Response: 6.6.30
Known Issues
- There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
- SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
- When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the MTU size of a packet on the endpoint is larger than the router's allowed MTU size. Normally, the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and to advise lowering the permissible MTU size. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic during quarantine only after proper testing.
- The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
- At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
- When deleting Notifications from the Management > System Notifications page, if you apply filters and select to delete multiple notifications that match the filter criteria, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
- On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
Tanium Threat Response 4.2.13
Release Date: 13 June 2023
Upgrade Notes
- Threat Response 4.2.13 upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
- If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0 or 4.2 will not complete successfully.
- When upgrading to Threat Response 4.0 or 4.2 it is only possible to upgrade from 3.8 or 3.10 to 4.0 or 4.2. Due to database schema changes during the migration, it is NOT possible to directly upgrade from Threat Response 3.7 (or earlier) to Threat Response 4.0. If you upgrade from 3.7 (or earlier) directly to Threat Response 4.0 or 4.2, the upgrade will fail, and you will need to recover Threat Response from a backup.
Improvements
- Enables support for Windows 11 (ARM) endpoints running in emulation mode. The following areas are not supported on Windows 11 (ARM) running in emulation mode:
  - Deep Instinct alert integration.
  - Process Injection monitoring.
- Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
- Added the option “Deploy as Service Account” in settings to always deploy Threat Response profiles with System User Service (SUS) permissions. This can help ensure systems are always targeted, even if a user’s computer group management rights are removed or restricted in the future. Note: If the “Deploy as Service Account” setting is enabled, all users who deploy profiles must have unrestricted computer group management rights or management rights to “All Computers”. If the “Deploy as Service Account” setting is not enabled, all users who deploy profiles must have unrestricted computer group management rights, management rights to “All Computers”, or management rights to all computer groups in the profile(s) the user is trying to deploy.
Fixes
- Fixes the possibility of a rare Tanium Driver crash on Windows.
- Fixes an issue where Hyper-V application crash events may occur in the Windows Application Event log or VMs may fail to start when Tanium Driver Process Injection Monitoring is enabled.
- Fixes an issue where Threat Response profiles could be set to Not Configured on endpoints if the user that deployed the profile(s) had computer group management rights permissions removed after the profiles were deployed.
- Fixes an issue where On-Demand Scans did not search Tanium Recorder and live file data.
- Fixes an issue where pivoting to a live connection from an alert filtered the live connection to the latest process to reuse the PID instead of the process that was alerted on.
- Fixes an issue where unzipping an events export from a Process Tree in a direct connection would result in an empty file.
- Fixes an issue where alert pruning was not turned on by default in Tanium Cloud environments for new Threat Response installations.
- Fixes an issue where Deep Instinct and Defender alerts were incorrectly being throttled by service throttles.
- Fixes an issue where ISO mount registry events on Windows were not recorded.
- Fixes an issue where Recorder on Windows could hold certain binary files open and prevent that file from being deleted.
- Fixes a Tanium Driver compatibility issue with Cisco AMP when Tanium process injection monitoring is enabled.
Tools Versions
- Includes Threat Response CX binary: 1.12.921
- Includes Recorder Tool (Installer): 3.14.19
- Includes Recorder binary: 2.11.1576
- Includes Driver Tool (Installer): 3.14.19
- Includes Driver binary: 3.3.18
- Includes Index binary: 3.3.2634
- Includes Stream: 1.7.10
- Includes pycx: 2.5.1019
- Includes python38: 3.1.43
- Includes python27: 2.1.24
- Includes Incident Response: 6.6.30
Known Issues
- There is currently a Tanium Driver compatibility issue with Carbon Black's Parity service when Carbon Black anti-tamper is enabled. A fix for this issue is being researched.
- SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
- When quarantine rules block the ICMP protocol, MTU negotiation packets can be blocked when the MTU size of a packet on the endpoint is larger than the router's allowed MTU size. Normally, the router sees a packet that is too large and sends an ICMP packet to the endpoint to indicate that the packet is too large and to advise lowering the permissible MTU size. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive: it remains quarantined but loses communication with the Tanium Server. Disable ICMP traffic during quarantine only after proper testing.
- The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
- At this time, Threat Response is not fully supported on RHEL/OEL 9.x (ARM and x86) and Windows 11 ARM endpoints. Memory collection and Live Response may not be fully supported on ARM processors. This support will be provided in a future version of Threat Response.
- Threat Response installation in TanOS AirGap environments can fail due to unprintable characters in the ThreatResponse.xml file. This is fixed in 4.0.1113+ and 4.2.21+.
- When deleting Notifications from the Management > System Notifications page, if you apply filters and select to delete multiple notifications that match the filter criteria, all notifications are deleted. This is a known issue and will be resolved in a future version of Threat Response.
- On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.