Released: 2019-12-20
Notes:
- We highly recommend you install this update, as it includes important fixes for agent performance and data quality.
- v0.4.1 - v0.4.6 were limited, controlled releases.
Added
- Full container (Docker, LXC) support via Host OS
- Agent version and telemetry collection details are displayed in the Portal:
  - Agent ID
  - Agent Version
  - Last Checkin Time
  - Last Time Data Seen
  - Backlog Bytes
Changed
- The agent starts earlier in the boot process to capture early activity and telemetry.
Deprecated
- N/A
Removed/Disabled
- Note: File hashing (MD5, SHA256) is still temporarily disabled as we work on a fix (see prior release).
Fixed
- Relative paths were recorded (./example) instead of absolute paths (/usr/bin/example).
- Missing parent process details for cases involving pid namespaces or missing audit context.
- Process start times were incorrect for systems with more or less than 4 logical CPUs.
- Missing network connection telemetry for applications that utilize the 32-bit `socketcall` syscall.
- Missing process telemetry for applications that utilize the `execveat` syscall.
- Premature recording of process exits for cases where exit() is utilized in a multi-threaded process (exit() in a multi-threaded process only indicates the ending of a thread).
- In rare cases, the agent would read an unusable local resolver configuration, resulting in the agent believing there was no internet connectivity when there was. As a result, telemetry would continue to be locally spooled onto disk, until the agent or system was restarted.
- When network connectivity was unavailable for a significant amount of time, the number of spooled uploads would accumulate and would rapidly be read, deleted, and re-written repeatedly until connectivity returned.
- Improved process lineage by utilizing both the fork observation time as well as the process start time, in cases where they are slightly different.
- Red Hat Enterprise Linux distributions (6, 7, 8) opted into agent safe-mode as a result of an error in parsing OS version details.
- In rare cases, an error would occur when consuming telemetry from the audit netlink socket, resulting in the agent going into safe-mode for 5 minutes.
Security
- N/A