IMPORTANT: This site is planned to be decommissioned in 2026. Visit the Tanium Resource Center for all Tanium release notes, user guides, and support information. To view release notes in the Resource Center, see Tanium Release Notes.
IMPORTANT: If you are using semi-annual releases for on premises, see the Release notes for 2024H1 semiannual release, Release notes for 2024H2 semiannual release, or Release notes for 2025H1 semiannual release on the Tanium Resource Center.
Effective October 15, 2024: On prem release notes on the Tanium Knowledge Base are frozen. For release notes related to 7.4 or 7.5 Server and Solutions, see the Monthly updates for Tanium Version 7.4 and 7.5 Server and Solutions on the Tanium Resource Center.

Release Notes Threat Response (Version 4.5)

From Tanium Knowledge Base

Tanium Threat Response 4.5.201

Release Date: 21 January 2025

Upgrade Notes

  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response:
    • Follow this required Threat Response upgrade path to avoid upgrade failures.
    • 3.7 (Or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3+
  • Increases the minimum version of ECF to 2.0.241 to support Server 7.4/Console 2.1.
  • All Threat Response sensors have been configured to use external execution to enable support for Tanium Client 7.2 with Python 3.
  • New security exclusions have been added for macOS Universal. Review Threat Response security exclusions for endpoints in the Threat Response User Guide for more information.

Endpoint Configuration Toolset

Improvements

  • Added support for downloading of files larger than 4GB from saved evidence.

Fixes

  • Fixed an issue where alerts could be skipped when sending alert data to Tanium Connect if there were over 1000 to flush.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally, a router that sees a packet that is too large sends an ICMP packet to the endpoint to indicate that the packet is too large and to advise lowering the permissible MTU size. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes.
  • When using Management > Audit > Logs, searching for the name Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing descriptions are set to empty as opposed to persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types such as 1007, or using older versions of Microsoft Defender can cause the alerts grid to crash.
  • Globally disabled intel documents, when deployed, will still run on the endpoint.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Tanium Threat Response 4.5.157

Release Date: 06 August 2024

Upgrade Notes

  • If you install this version of Threat Response, and later upgrade to SAR 2024H1 or SAR 2024H1 Update 1, the problem where Process Injection alerts were not initiated will resume. The fix contained in this release will be provided in a subsequent SAR release.
  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response:
    • Follow this required Threat Response upgrade path to avoid upgrade failures.
    • 3.7 (Or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3+
  • Increases the minimum version of ECF to 2.0.241 to support Server 7.4/Console 2.1.
  • All Threat Response sensors have been configured to use external execution to enable support for Tanium Client 7.2 with Python 3.
  • New security exclusions have been added for macOS Universal. Review Threat Response security exclusions for endpoints in the Threat Response User Guide for more information.

Endpoint Configuration Toolset

Improvements

  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally, a router that sees a packet that is too large sends an ICMP packet to the endpoint to indicate that the packet is too large and to advise lowering the permissible MTU size. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes.
  • When using Management > Audit > Logs, searching for the name Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing descriptions are set to empty as opposed to persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types such as 1007, or using older versions of Microsoft Defender can cause the alerts grid to crash.
  • Globally disabled intel documents, when deployed, will still run on the endpoint.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Tanium Threat Response 4.5.155

Release Date: 15 July 2024

Upgrade Notes

  • If you install this version of Threat Response, and later upgrade to SAR 2024H1 or SAR 2024H1 Update 1, the problem where Process Injection alerts were not initiated will resume. The fix contained in this release will be provided in a subsequent SAR release.
  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response:
    • Follow this required Threat Response upgrade path to avoid upgrade failures.
    • 3.7 (Or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3+
  • Increases the minimum version of ECF to 2.0.241 to support Server 7.4/Console 2.1.
  • All Threat Response sensors have been configured to use external execution to enable support for Tanium Client 7.2 with Python 3.
  • New security exclusions have been added for macOS Universal. Review Threat Response security exclusions for endpoints in the Threat Response User Guide for more information.

Endpoint Configuration Toolset

Fixes

  • Fixes an issue where Threat Response could fail to gather all alerts after Tanium Server connection errors are encountered.
  • Removed usage of discontinued tanium_recorder Python module.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally, a router that sees a packet that is too large sends an ICMP packet to the endpoint to indicate that the packet is too large and to advise lowering the permissible MTU size. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes.
  • When using Management > Audit > Logs, searching for the name Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing descriptions are set to empty as opposed to persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types such as 1007, or using older versions of Microsoft Defender can cause the alerts grid to crash.
  • Globally disabled intel documents, when deployed, will still run on the endpoint.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Tanium Threat Response 4.5.148

Release Date: 04 June 2024

Upgrade Notes

  • If you install this version of Threat Response, and later upgrade to SAR 2024H1 or SAR 2024H1 Update 1, the problem where Process Injection alerts were not initiated will resume. The fix contained in this release will be provided in a subsequent SAR release.
  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response:
    • Follow this required Threat Response upgrade path to avoid upgrade failures.
    • 3.7 (Or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3+
  • Increases the minimum version of ECF to 2.0.241 to support Server 7.4/Console 2.1.
  • All Threat Response sensors have been configured to use external execution to enable support for Tanium Client 7.2 with Python 3.
  • New security exclusions have been added for macOS Universal. Review Threat Response security exclusions for endpoints in the Threat Response User Guide for more information.

Endpoint Configuration Toolset

Improvements

  • Upgraded various third-party libraries to newer versions.

Fixes

  • Fixes an issue where the Threat Response service used MD5 hashes on several database tables, which was not compatible with FIPS mode on TanOS 1.8.3 Appliances.
  • Fixes an issue reported in limited customer environments related to the installation of Microsoft Patch KB5037771. Please refer to the article on the Tanium Resource Center for more information.
  • Fixes an issue where Process Injection alerts were not initiated. NOTE: If you install this version of Threat Response, and later upgrade to SAR 2024H1 or SAR 2024H1 Update 1, the problem where Process Injection alerts were not initiated will resume. The fix contained in this release will be provided in a subsequent SAR release.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally, a router that sees a packet that is too large sends an ICMP packet to the endpoint to indicate that the packet is too large and to advise lowering the permissible MTU size. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing descriptions are set to empty as opposed to persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types such as 1007, or using older versions of Microsoft Defender can cause the alerts grid to crash.
  • Globally disabled intel documents, when deployed, will still run on the endpoint.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Tanium Threat Response 4.5.143

Release Date: 16 May 2024

Upgrade Notes

  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response:
    • Follow this required Threat Response upgrade path to avoid upgrade failures.
    • 3.7 (Or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3+
  • Increases the minimum version of ECF to 2.0.241 to support Server 7.4/Console 2.1.
  • This release removes the "Threat Response - Status Gather" Saved Question.
  • All Threat Response sensors have been configured to use external execution to enable support for Tanium Client 7.2 with Python 3.
  • New security exclusions have been added for macOS Universal. Review Threat Response security exclusions for endpoints in the Threat Response User Guide for more information.

Endpoint Configuration Toolset

Improvements

  • Upgraded various third-party libraries to newer versions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally, a router that sees a packet that is too large sends an ICMP packet to the endpoint to indicate that the packet is too large and to advise lowering the permissible MTU size. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing descriptions are set to empty as opposed to persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types such as 1007, or using older versions of Microsoft Defender can cause the alerts grid to crash.
  • Globally disabled intel documents, when deployed, will still run on the endpoint.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Tanium Threat Response 4.5.138

Release Date: 09 April 2024

Upgrade Notes

  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response:
    • Follow this required Threat Response upgrade path to avoid upgrade failures.
    • 3.7 (Or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3+
  • Increases the minimum version of ECF to 2.0.241 to support Server 7.4/Console 2.1.
  • This release removes the "Threat Response - Status Gather" Saved Question.
  • All Threat Response sensors have been configured to use external execution to enable support for Tanium Client 7.2 with Python 3.
  • New security exclusions have been added for macOS Universal. Review Threat Response security exclusions for endpoints in the Threat Response User Guide for more information.

Improvements

  • Upgraded various third-party libraries to newer versions.

Tools Versions

  • Includes Threat Response Tools: 4.5.138
  • Includes Threat Response CX binary: 1.14.1254
  • Includes Recorder Tool (Installer): 3.15.131
  • Includes Recorder binary: 2.12.1943
  • Includes Driver Tool (Installer): 3.15.131
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1753
  • Includes Stream: 2.1.1422
  • Includes python38: 3.3.59
  • Includes Incident Response: 7.0.22

Fixes

  • Fixes an issue where in certain circumstances the Threat Response client extension could crash if the Recorder extension was disabled.
  • Fixes an issue where migrating from some 4.0 versions of Threat Response could fail if Signals have duplicate mitreAttack.techniques defined.
  • Fixes an issue where the Response action API would not send all fields correctly for Quarantine actions.

Known Issues

  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally, a router that sees a packet that is too large sends an ICMP packet to the endpoint to indicate that the packet is too large and to advise lowering the permissible MTU size. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing descriptions are set to empty as opposed to persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types such as 1007, or using older versions of Microsoft Defender can cause the alerts grid to crash.
  • Globally disabled intel documents, when deployed, will still run on the endpoint.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.

Tanium Threat Response 4.5.127

Release Date: 05 March 2024

Upgrade Notes

  • Tanium Server version 7.6+ is only compatible with Threat Response 4.3+. It is recommended that Threat Response 4.3+ be installed prior to upgrading to Tanium Server version 7.6+.
  • Threat Response upgrades will fail with an "Import – Dependency Check error" if a version of Threat Response that isn’t supported is currently installed. In this case, please review the upgrade notes and follow the required upgrade path.
  • If using Tanium Server version 7.5.6, you must be on 7.5.6.1087 or higher to prevent an issue where upgrades to Threat Response 4.0+ will not complete successfully.
  • Required Upgrade Path for Threat Response:
    • Follow this required Threat Response upgrade path to avoid upgrade failures.
    • 3.7 (Or lower) ---> 3.8 or 3.10 ---> 4.0 or 4.2 ---> 4.3+
  • Increases the minimum version of ECF to 2.0.241 to support Server 7.4/Console 2.1.
  • This release removes the "Threat Response - Status Gather" Saved Question.
  • All Threat Response sensors have been configured to use external execution to enable support for Tanium Client 7.2 with Python 3.
  • New security exclusions have been added for macOS Universal. Review Threat Response security exclusions for endpoints in the Threat Response User Guide for more information.
  • If ECF 2.2 or newer is installed, the Threat Response service is not able to start on Threat Response 4.5.127. This issue occurs if upgrading to Threat Response 4.5.127, or restarting the Threat Response 4.5.127 service after ECF 2.2 has been installed. Upgrading to Threat Response 4.5.138+ allows the Threat Response service to start.

Improvements

  • Adds support for Endpoint Change Management. When Endpoint Change Management is enabled, endpoint tools get upgraded according to upgrade workflows defined in Endpoint Change Management and the automatic upgrade option in the Threat Response workbench is not available.
  • Recorder: Adds support for macOS Endpoint Security Framework (ESF).
  • Recorder: Adds support for eBPF as an event source on RHEL 9.3 endpoints.
  • Upgraded various third-party libraries to newer versions.

Tools Versions

  • Includes Threat Response Tools: 4.5.127
  • Includes Threat Response CX binary: 1.14.1253
  • Includes Recorder Tool (Installer): 3.15.131
  • Includes Recorder binary: 2.12.1943
  • Includes Driver Tool (Installer): 3.15.131
  • Includes Driver binary: 3.3.30
  • Includes Index binary: 3.5.1753
  • Includes Stream: 2.1.1422
  • Includes python38: 3.3.59
  • Includes Incident Response: 7.0.18

Fixes

  • Fixes an issue with the Context Analyzer where the Start Time now shows the event time, and not the process start time for items.
  • Fixes an issue with Direct Connect where the time filter modal displayed the local time instead of UTC.
  • Fixes an issue that prevented some IR sensors from running correctly on ARM Linux endpoints.
  • Fixes an issue where a negative number of alerts could display for an intel doc.
  • Fixes an issue where macOS 14 Sonoma disables BSM process auditing by default on upgrade and Recorder would not work until BSM audit is re-enabled.
  • Fixes an issue where the macOS Autoruns Sensor did not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • Fixes an issue where the Live Response package files could be left behind on Windows endpoints and not cleaned up after the action completes.
  • Fixes an issue where exporting Signals via the API could cause an error when reimporting the same signals.
  • Fixes an issue where migrating from some 4.0 versions of Threat Response could fail if Signals have mitreAttack.techniques defined.
  • Fixes an issue where Read-Only Users could experience display issues when viewing the On Demand Scans tab in an intel document.
  • Fixes an issue where users without the Snapshot Write permission could gather snapshots.
  • Fixes an issue where values added to filters in the Context Analyzer were added with OR instead of AND.
  • Fixes an issue where exporting a CSV of Reputation based alerts did not contain hash type and hash value.
  • Fixes an issue where Live Response package files were not cleaned up.
  • Fixes an issue where PowerShell Errors were returned when trying to delete items from downloads.
  • Fixes an issue where Linux and Mac profiles unexpectedly displayed as requiring deployment.
  • Fixes an issue where, after upgrading from Threat Response versions 4.2.13 and later, the Alert page filter "Alert Content" became case sensitive.
  • Fixes an issue where users could not edit or upload some IOC files.
  • Index: Fixes an issue where high CPU or disk I/O could occur if a directory had a significant number of files.
  • Recorder: Fixes an issue where Process Exits were not being correctly reported from the Tanium BPF Driver in RHEL 9.3.
  • Recorder: Fixes an issue where Recorder could hit a “boost::filesystem::rename: Operation Not Permitted” error.
  • Recorder: Fixes an issue where certain Windows file events could be missed.
  • Recorder: Fixes an issue where Recorder may not start on Linux endpoints if tanium.conf already exists.

Known Issues

  • If ECF 2.2 or newer is installed, the Threat Response service is not able to start on Threat Response 4.5.127. This issue occurs if upgrading to Threat Response 4.5.127, or restarting the Threat Response 4.5.127 service after ECF 2.2 has been installed. Upgrading to Threat Response 4.5.138+ allows the Threat Response service to start.
  • SELinux policies might fail to install on endpoints that have low resource provisioning. This issue may be resolved over time. Installation is reattempted during Tanium Client resets (approximately every 4 hours by default).
  • When using quarantine rules to block the ICMP protocol, MTU negotiation packets can be blocked when the size of the MTU packet on the endpoint is larger than the router's allowed MTU size. Normally, a router that sees a packet that is too large sends an ICMP packet to the endpoint to indicate that the packet is too large and to advise lowering the permissible MTU size. If the negotiation packet cannot reach its destination because of the quarantine, the endpoint can become unresponsive. The endpoint is still quarantined but loses communication with the Tanium Server. Disabling ICMP traffic while quarantined should only be done after proper testing.
  • The macOS Autoruns Sensor does not properly parse autorun information on macOS 13 Ventura because Apple changed where this information is stored.
  • On macOS 13.4+, YARA memory scanning is limited to processes without hardened runtimes. This is a known issue and will be addressed in a future release of Threat Response.
  • When using Management > Audit > Logs, searching for the name Intel Document does not return events related to that intel document. This will be addressed in a future version of Threat Response.
  • When using the PATCH /configs API route, if a description is not provided, any existing descriptions are set to empty as opposed to persisting.
  • When the Microsoft Defender Process Actions setting is selected, unknown Microsoft Defender event types such as 1007, or using older versions of Microsoft Defender can cause the alerts grid to crash.
  • Globally disabled intel documents, when deployed, will still run on the endpoint.
  • When creating a new signal intel document, deselecting the Intel Safeguards setting under the Advanced Setting section does not persist when the signal is created.
  • Alerts will not be properly acknowledged on an endpoint if PowerShell Constrained Language mode is not enabled.