Sysdig Windows Agent Release Notes
1.0.0 June 28, 2024
Feature Enhancements
Kubernetes Deployment Support
The Windows Agent can now be deployed to Kubernetes clusters by using the sysdig-deploy Helm chart.
Collect Kubernetes Events Enriched with Kubernetes Metadata
The agent exposes filter fields to collect Kubernetes metadata and automatically enrich every security event with the basic workload information.
Configurable Pipes CRI Container Engines
You can specify the additional CRI container engines named pipes by using the windows.cri_engine_named_pipes configuration property.
Ability to Collect Exceptions and Stack Traces for Root Cause Analysis
For unhandled exceptions such as accessing an invalid memory location, the agent now generates the backtrace and dumps it to a file. You can use the stack trace information for root cause triaging.
Defect Fixes
Security Review
The Windows Agent source code underwent a security review and incorporated mitigation steps for any potential issues.
Vulnerability Fixes
Updated the OpenSSL library to v3.2.2 in the Windows Agent and addressed the following:
0.9.2 May 22, 2024
Feature Enhancements
Performance Enhancements
Redesigned the interprocess communication system to improve overall stability and performance of the Windows Agent.
Defect Fixes
Remove Visual C++ 2015-2022 Redistributable Package Requirement
The Visual C++ 2015-2022 Redistributable package prerequisite is no longer required as it is now bundled with the Agent installer.
Eliminate Misleading Logs
Improved the timestamp calculation of the metrics messages to eliminate misleading and excessive logs
0.9.1 April 03, 2024
Feature Enhancements
Ability to deploy Windows Agent as Host Process Container
You can now deploy the Windows Agent container image as a Host Process Container to allow access to the host instrumentation facilities.
Ability to Automatically Detect vmcompute and containerd Services.
The Agent can now detect both vmcompute and containerd processes even after the initial startup. This capability enhances resiliency in scenarios where these services may not be running during agent startup.
Defect Fixes
Fixed Memory Leak During Querying Object Types
The catalog of available system object types was being repeatedly repopulated every time a handle was fetched from the process handle table. This resulted in a memory leak as the catalog continued to grow indefinitely. This issue has been fixed in this release.
0.9.0 March 07, 2024
Feature Enhancements
Container Enrichment
The agent is now capable of gaining visibility into containerized processes, allowing the containerd-based containers to be secured along with the host operating system.
Availability of Docker Image for Windows Server v2019 and v2022
The Windows Agent is now available as a Docker image for Windows Server 2019 and Server 2022.
Defect Fixes
Vulnerability Fixes
Ability to Handle Wide Characters from AmsiScanBuffer Events
AMSI events carry the buffer parameter that contains the executed payload, such as Powershell cmdlet and loaded .NET assembly. This conveys that the parameter structure is dynamic and will greatly depend on the data source emitting the AMSI telemetry. As a consequence, the event parsing mechanism has been adapted to treat the parameters as dynamic, and thus derive the content of the AMSI buffer as dictated by the application type emitting the event.
0.8.0 December 20, 2023
Defect Fixes
Rule Detection Reliability
Improve the reliability of detection capabilities.
Vulnerability Fixes
Fixed the following vulnerabilities:
- CVE-2020-1971
- CVE-2021-23840
- CVE-2021-23841
- CVE-2021-3449
- CVE-2021-3450
- CVE-2021-3711
- CVE-2021-3712
- CVE-2021-4160
- CVE-2022-0778
- CVE-2022-1292
- CVE-2022-2068
- CVE-2022-2097
- CVE-2022-4304
- CVE-2022-4450
- CVE-2023-0215
- CVE-2023-0286
- CVE-2023-0464
- CVE-2023-0465
- CVE-2023-0466
- CVE-2023-2650
- CVE-2023-3817
- CVE-2023-4807
- CVE-2023-5363
New Features
User Telemetry
Add audit telemetry for user-related activities including:
- Login and logoff
- Account creation and deletion
Enable Control Flow Guard
Enable Control Flow Guard for Windows Agent applications.
Enhanced Detection Capabilities
Improve event metadata parsing to enable more finely tuned rules.
0.7.0 October 25, 2023
Sysdig Windows Agent Released as Controlled Availability
Sysdig is pleased to announce the controlled availability of the Windows Agent that delivers enhanced threat detection and visibility into malicious activities on Windows systems in the cloud. It includes a comprehensive set of curated policies and rules designed to detect a wide range of malicious activities, from the execution of known malicious Powershell cmdlets to the addition of users to the Administrators group. Additional rules will continue to be developed during the CA.
For more information, see Sysdig Agent for Windows.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.