Sysdig Windows Agent Release Notes

1.0.1 July 5, 2024

Feature Enhancements

Enriched Policy Events Metadata

Policy events now include a container identifier in their metadata which is used to enrich events with additional Kubernetes metadata.

Improved Rule Matching Performance

Improved the performance of event processing to considerably reduce CPU utilization when evaluating security events against the rule set.

Reduced Event Load

The agent now filters out events that are irrelevant to threat detection before they are processed, which reduces CPU utilization.

Known Issues

The Windows Agent cannot start if Prometheus is enabled. To prevent this, disable Prometheus for the Windows Agent in the dragent.yaml file:

  prometheus:
    enabled: false

1.0.0 June 28, 2024

Feature Enhancements

Kubernetes Deployment Support

The Windows Agent can now be deployed to Kubernetes clusters by using the sysdig-deploy Helm chart.

Collect Kubernetes Events Enriched with Kubernetes Metadata

The agent exposes filter fields to collect Kubernetes metadata and automatically enrich every security event with the basic workload information.

Configurable Named Pipes for CRI Container Engines

You can specify additional named pipes for CRI container engines by using the windows.cri_engine_named_pipes configuration property.

Ability to Collect Exceptions and Stack Traces for Root Cause Analysis

For unhandled exceptions such as accessing an invalid memory location, the agent now generates the backtrace and dumps it to a file. You can use the stack trace information for root cause triaging.

Defect Fixes

Security Review

The Windows Agent source code underwent a security review and incorporated mitigation steps for any potential issues.

Vulnerability Fixes

Updated the OpenSSL library to v3.2.2 in the Windows Agent and addressed the following:

0.9.2 May 22, 2024

Feature Enhancements

Performance Enhancements

Redesigned the interprocess communication system to improve overall stability and performance of the Windows Agent.

Defect Fixes

Remove Visual C++ 2015-2022 Redistributable Package Requirement

The Visual C++ 2015-2022 Redistributable package prerequisite is no longer required as it is now bundled with the Agent installer.

Eliminate Misleading Logs

Improved the timestamp calculation of the metrics messages to eliminate misleading and excessive logs.

0.9.1 April 03, 2024

Feature Enhancements

Ability to deploy Windows Agent as Host Process Container

You can now deploy the Windows Agent container image as a Host Process Container to allow access to the host instrumentation facilities.

Ability to Automatically Detect vmcompute and containerd Services

The Agent can now detect both vmcompute and containerd processes even after the initial startup. This capability enhances resiliency in scenarios where these services may not be running during agent startup.

Defect Fixes

Fixed Memory Leak During Querying Object Types

The catalog of available system object types was being repeatedly repopulated every time a handle was fetched from the process handle table. This resulted in a memory leak as the catalog continued to grow indefinitely. This issue has been fixed in this release.

0.9.0 March 07, 2024

Feature Enhancements

Container Enrichment

The agent is now capable of gaining visibility into containerized processes, allowing the containerd-based containers to be secured along with the host operating system.

Availability of Docker Image for Windows Server v2019 and v2022

The Windows Agent is now available as a Docker image for Windows Server 2019 and Server 2022.

Defect Fixes

Vulnerability Fixes

Ability to Handle Wide Characters from AmsiScanBuffer Events

AMSI events carry a buffer parameter that contains the executed payload, such as a PowerShell cmdlet or a loaded .NET assembly. The structure of this parameter is therefore dynamic and depends heavily on the data source emitting the AMSI telemetry. As a consequence, the event parsing mechanism has been adapted to treat the parameters as dynamic and to derive the content of the AMSI buffer, including wide characters, as dictated by the application type emitting the event.
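To illustrate the application-dependent decoding described above, here is an added example (written for these notes, not the agent's own parser) that normalizes AmsiScanBuffer payloads: PowerShell is known to submit script text as wide (UTF-16LE) characters, a leading MZ header marks a loaded assembly, and for unknown emitters a byte-pattern heuristic (an assumption, not agent behaviour) decides between wide and narrow text. The sample events are constructed.

```python
# Normalization of AmsiScanBuffer payloads for a detection pipeline (example only).

# Emitters known to submit wide (UTF-16LE) text. PowerShell reports an app name of
# the form "PowerShell_<host path>_<version>"; .NET Framework reports "DotNet".
WIDE_TEXT_APPS = ("PowerShell",)


def looks_wide(buf: bytes) -> bool:
    """Heuristic (assumption): UTF-16LE text made of ASCII characters has a NUL
    in nearly every odd byte position. Used only for emitters we do not know."""
    sample = buf[:256]
    if len(sample) < 2:
        return False
    odd_nuls = sum(1 for b in sample[1::2] if b == 0)
    return odd_nuls >= (len(sample) // 2) * 0.9


def decode_amsi_buffer(app_name: str, buf: bytes) -> dict:
    """Return a normalized view of one AMSI buffer, decoded per emitting app."""
    if app_name == "DotNet" or buf[:2] == b"MZ":
        # A loaded .NET assembly: the buffer is a PE image, not text.
        return {"kind": "assembly", "app": app_name, "size": len(buf), "text": None}
    if app_name.startswith(WIDE_TEXT_APPS) or looks_wide(buf):
        text = buf.decode("utf-16-le", errors="replace")
    else:
        text = buf.decode("utf-8", errors="replace")
    # Strip trailing NUL terminators that some emitters include in the buffer.
    return {"kind": "script", "app": app_name, "size": len(buf), "text": text.rstrip("\x00")}


# Constructed sample events: (app name, raw buffer bytes).
SAMPLE_EVENTS = [
    ("PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.19041.1",
     "Get-Process | Where-Object CPU -gt 100".encode("utf-16-le") + b"\x00\x00"),
    ("DotNet", b"MZ\x90\x00" + b"\x00" * 60),
    ("CustomApp", b"echo hello"),                          # narrow text, unknown emitter
    ("CustomApp", "echo hello".encode("utf-16-le")),       # wide text, unknown emitter
]


def normalize_all(events=SAMPLE_EVENTS) -> list:
    return [decode_amsi_buffer(app, buf) for app, buf in events]


if __name__ == "__main__":
    for ev in normalize_all():
        print(ev["kind"], ev["app"][:20], repr(ev["text"]))
```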

0.8.0 December 20, 2023

Defect Fixes

Rule Detection Reliability

Improve the reliability of detection capabilities.

Vulnerability Fixes

Fixed the following vulnerabilities:

New Features

User Telemetry

Add audit telemetry for user-related activities including:

  • Login and logoff
  • Account creation and deletion

Enable Control Flow Guard

Enable Control Flow Guard for Windows Agent applications.

Enhanced Detection Capabilities

Improve event metadata parsing to enable more finely tuned rules.

0.7.0 October 25, 2023

Sysdig Windows Agent Released as Controlled Availability

Sysdig is pleased to announce the controlled availability of the Windows Agent, which delivers enhanced threat detection and visibility into malicious activities on Windows systems in the cloud. It includes a comprehensive set of curated policies and rules designed to detect a wide range of malicious activities, from the execution of known malicious PowerShell cmdlets to the addition of users to the Administrators group. Additional rules will continue to be developed during the Controlled Availability (CA) period.

For more information, see Sysdig Agent for Windows.