- This release includes substantial fixes and additional features. Please upgrade soon!
- These release notes cover all improvements and fixes since version 0.4.29.
- Added sentry.io error and performance reporting for all customers, better enabling Red Canary to quickly identify sensor performance regressions, errors or otherwise
- Added support for memory limits that will automatically put the CWP sensor in safe mode when exceeded
- Sensors can now be put in safe mode manually via command line by running /opt/redcanary/cfctl safe --enable
- Added container attributes to process execution telemetry, including cgroups and container IDs
- Removed unnecessary stdout println statement caused by a process exiting before sensor processing, leading to excessive errors
- Removed OS compatibility check to better support containers using supported Linux distributions
- Updated behavioral rootkit detection to use a proprietary, userland technique, avoiding the need for a kernel module
- Improved CWP Enterprise detection capabilities
- Increased the network offload timeout to 30 seconds to prevent timeouts when offloading telemetry
- Changed cfdetect to use a unix domain socket to prevent clashing with port 22000, which may be used by other services running on the endpoint
- Unique netconns are now only reported every 30 seconds instead of at each individual connection. This introduces significant performance improvements (33% less memory, 50% less CPU).
- Fixed an issue where AWS metadata fetching might return incorrect data for fields
- Fixed an issue where the endpoint detection engine was attempting to offload a temporary file that was not ready, producing an alert
- cfsvcd no longer attempts to set file permissions when launched in a container
- Fixed an issue where cfsvcd would not restart after an upgrade
- Payloads for Enterprise customers secondary offload are no longer flattened
- Addressed an issue where the Process Memory Integrity plugin forced remote process pages to become resident, provoking the OOM killer
- Fixed an issue where the audit-socket wasn't handling EINTR during interrupt processing, which can lead to excessive memory usage