REthink Security Blog

What’s New in E83.20
New Features
SandBlast Agent Browser Extension now supports the Microsoft Edge (Chromium) browser
The SandBlast Agent Edge (Chromium) extension supports all the functionality the SandBlast Agent Chrome extension supports:
URL Filtering (for Web Management users only)
File Download Protection
Credential Theft protection including Zero-Phishing and Corporate-password-reuse protection
The Edge (Chromium) extension installs automatically when you install the SandBlast Agent, or upgrade to the Endpoint Security Client E83.20 version.
Detection of malicious LNK (Windows Shortcut) files
Behavioral Guard now analyzes the target of LNK files to determine if the file is malicious.
Forensics Analysis now determines if the start of an attack is from an LNK file.
Forensics Reports show the targets of all LNK files in an incident.
Content view in the Forensics report
Available from the Incident Details menu
Shows all LNK targets in the incident
Shows all AMSI content in the incident
“Pass The Hash” detection
Behavioral Guard now recognizes the “Pass The Hash” attempts.
Full Disk Encryption
The Full Disk Encryption pre-boot has a modernized look and feel along with updates to the color-theme and background images.
Enhancements
Anti-Malware
Fixes an issue where Anti-Malware status reports to the Windows Security Center do not work, if there are errors, or if the reports are disabled in the policy.
Resolves a possible issue where the Anti-Malware process crashes during the Endpoint Security Client upgrade.
Resolves an Anti-Malware signature update issue from an external server through a proxy.
Resolves an issue where no UserCheck message pops up and no log about the detection goes to the Endpoint Security Server when a JAR file is detected as malicious.
Anti-Ransomware, Behavioral Guard, and Forensics
Behavioral Guard now detects the Pass-The-Hash technique.
The Forensics service does not shut down and restart anymore during the Behavioral Guard Signature updates. The update process is faster as a result.
Adds new default exclusions to Anti-Ransomware to decrease the number of false positives.
Fixes an issue where Forensics can stop its responses if multiple triggers are in the queue, and the current analysis takes a long time to complete.
If the Forensics database does not contain a detected file or process, it now generates a minimal report with reputation.
If a detected URL is not in the Forensics database, Forensics now generates a minimal report with reputation.
Fixes a very rare issue of an infinite loop in Forensics.
Improves the Forensics performance as the result of decreased number of unnecessary registry operations.
If the reputation service is not available, the Forensic Analysis no longer treats unsigned processes as trusted processes.
Fixes a very rare issue in the termination of trusted processes that are part of a Forensics incident.
Fixes a rare issue where Forensics can lock up when it receives a new policy.
Fixes an issue where the Forensic Analysis fails when the trigger file has a short name.
Enhances Forensics analysis to identify attacks that start with Windows shortcut (LNK) files.
Adds a new screen to view all AMSI and LNK target content in an incident.
Fixes a Forensics report issue where a terminated process can appear in the “Already Terminated Processes” and “Terminated Processes” sections of the Remediation view.
The Remediation section of the Forensics report now mentions failures to access or use the remediation service.
Compliance
Resolves the client non-compliant state when the Windows Server Update Service (WSUS) compliance check configures regardless of the value set in the rule. See sk164060 for policy configuration details.
Media Encryption & Port Protection
Resolves an issue with the 3rd party backup application Veeam that fails to create a recovery media, if Media Encryption & Port Protection is installed.
Full Disk Encryption
Resolves the UseRec.exe crash when a recovery file contains users from several domains.
Installation
Resolves an issue after an upgrade, when the client UI language switches back to the default system language.
Resolves a rare issue where the Endpoint Security upgrade process does not complete because of a crash, but a new version registers.
Resolves a possible issue where the Endpoint Security Client upgrade fails with the error: “Wait for Install Helper process failed”.
Resolves a possible issue where Endpoint Security Client upgrade fails with the error: “The paging file is too small for this operation”.
Resolves a rare issue where Firewall policy is not set after an Endpoint Security Client upgrade.
Resolves a possible issue where the Endpoint Security Client upgrade fails with the error: “Changing configuration is not allowed, check the password”.
Infrastructure
Endpoint Security Clients that are disconnected from the domain and use the same local SID can now connect to the management server as unique machines.
Resolves client registration issue where SmartEndpoint detects duplicates, when the client computer FQDN does not match the FQDN of its domain.
Optimizes the Endpoint Security processes monitor algorithm to decrease CPU consumption, when 3rd party Anti-Malware on-access scanners connect.
Introduces enhanced deployment capabilities for small fixes or patches with a new package type that installs changed files only.
Resolves CPDA.exe crashes where the Windows Management Instrumentation (WMI) service is disabled during a client upgrade.
Resolves the URL Filtering “waiting for policy” error after a client upgrade with the exported package, when the client is in the disconnected state.