Windows Agent Release Notes
1.3.1 December 19, 2024
Supported sysdig-deploy version: 1.72.5
Feature Enhancements
Generate dump files when the Agent stops
Minidump files are generated when the Agent stops to enable swift debugging.
Defect Fixes
Fixed the issue where the container metadata was occasionally not attached to the process. Hardened the container process matching mechanism to consider additional heuristics when deciding whether a created process belongs to a container.
Fixed the issue where the process token SID was obtained from an invalid memory buffer. Enhanced the Agent’s resilience against invalid memory buffers when retrieving the security identifier from the process token.
Vulnerability Fixes
1.3.0 November 28, 2024
Supported sysdig-deploy version: 1.69.0
Feature Enhancements
Policy Events Enhanced with AWS and Azure Metadata
Policy events are now enriched with metadata from supported cloud providers, currently AWS and Azure.
Retain Custom Agent Configuration during Upgrades
The configuration file generated during the installation is retained when the agent is upgraded.
Optimized Agent Architecture
Enhanced the Agent process architecture, improving reliability and performance while reducing the resource footprint.
Defect Fixes
Improved Process Tree Resiliency
Resolved an issue with process tree cycles that could cause agent unresponsiveness.
Instrumentation Engine Startup Failures
Fixed an issue preventing the instrumentation engine from bootstrapping the processing of event sources.
Fixed Proxy Connection Issue
Resolved a proxy connection issue that occurred when the Agent does not use the double-SSL connection style.
1.2.0 October 14, 2024
Feature Enhancements
Process Tree
The process tree is now available in policy events. By default, all policy events are decorated with the process lineage (tree), showing the hierarchy of the process's ancestors.
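The process lineage decoration above (1.2.0) and the process tree cycle fix in 1.3.0 both come down to the same walk over parent PIDs. The following is an added illustration, not Sysdig agent code: it builds the ancestor chain for an event's process from a constructed process table and stops as soon as a PID repeats, so a corrupted parent link that forms a cycle yields a truncated, flagged lineage instead of a walk that never terminates. The Process type, the sample table, the event shape and the field names are assumptions made for the example.

```python
from typing import Dict, List, NamedTuple, Tuple


class Process(NamedTuple):
    pid: int
    ppid: int
    name: str


# Constructed sample process table for this example (not data captured from
# an agent). Pids 300 and 400 point at each other, i.e. a corrupted parent
# link that forms a cycle: 400 -> 300 -> 400 -> ...
SAMPLE_PROCESSES = [
    Process(4, 0, "System"),
    Process(100, 4, "smss.exe"),
    Process(200, 100, "winlogon.exe"),
    Process(500, 200, "explorer.exe"),
    Process(600, 500, "notepad.exe"),
    Process(300, 400, "cmd.exe"),
    Process(400, 300, "powershell.exe"),
]


def build_table(processes: List[Process]) -> Dict[int, Process]:
    """Index processes by pid for O(1) parent lookups."""
    return {p.pid: p for p in processes}


def lineage(table: Dict[int, Process], pid: int,
            max_depth: int = 64) -> Tuple[List[int], bool]:
    """Walk parent links from pid towards the root.

    Returns (chain, cycle_detected). The walk ends when the parent is not in
    the table (root reached), when a pid repeats (cycle), or at max_depth as
    a last-resort bound. Without the 'seen' set the loop would never finish
    on the 300/400 cycle above, which is the kind of hang a cycle guard
    prevents.
    """
    chain: List[int] = []
    seen = set()
    cur = pid
    while cur in table and len(chain) < max_depth:
        if cur in seen:
            return chain, True
        seen.add(cur)
        chain.append(cur)
        cur = table[cur].ppid
    return chain, False


def decorate_event(table: Dict[int, Process], event: dict) -> dict:
    """Attach the process lineage (names, child first) to a policy event.

    The event dict and its field names are hypothetical for this example.
    """
    chain, cycle = lineage(table, event["pid"])
    return {
        **event,
        "proc_lineage": [table[p].name for p in chain],
        "proc_lineage_incomplete": cycle,
    }


if __name__ == "__main__":
    table = build_table(SAMPLE_PROCESSES)
    for pid in (600, 400):
        print(decorate_event(table, {"pid": pid, "rule": "example"}))
```

The `proc_lineage_incomplete` flag matters for rule authors: a rule that keys on "parent is explorer.exe" should treat a truncated chain as unknown rather than as a negative match.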
Defect Fixes
Fixed Misbehavior When Splitting an Empty Command Line Argument
The fix skips argument splitting for empty command line strings.
1.1.0 September 20, 2024
Feature Enhancements
Red Hat OpenShift Support
The Windows Agent is now supported on Red Hat OpenShift, both on SaaS and on-premises.
Defect Fixes
Mitigated an issue where the Windows Agent becomes unresponsive during shutdown.
1.0.2 July 25, 2024
Defect Fixes
Fixed the issue where enabling the Prometheus feature caused the Agent to crash during bootstrap. The fix now gracefully handles the presence of the incompatible Prometheus feature and discards it during Agent initialization.
1.0.1 July 5, 2024
Feature Enhancements
Enriched Policy Events Metadata
Policy events now include a container identifier in their metadata which is used to enrich events with additional Kubernetes metadata.
Improved Rule Matching Performance
Improved the performance of event processing to considerably reduce CPU utilization when evaluating security events against the rule set.
Reduced Event Load
Sysdig now prevents events that are irrelevant for threat detection from being processed to reduce CPU utilization.
Known Issues
The Windows Agent cannot start if Prometheus is enabled. To prevent this, disable Prometheus for the Windows Agent in the dragent.yaml file:
prometheus:
  enabled: false
1.0.0 June 28, 2024
Feature Enhancements
Kubernetes Deployment Support
The Windows Agent can now be deployed to Kubernetes clusters by using the sysdig-deploy Helm chart.
Collect Kubernetes Events Enriched with Kubernetes Metadata
The agent exposes filter fields to collect Kubernetes metadata and automatically enrich every security event with the basic workload information.
Configurable Named Pipes for CRI Container Engines
You can specify additional CRI container engine named pipes by using the windows.cri_engine_named_pipes configuration property.
Ability to Collect Exceptions and Stack Traces for Root Cause Analysis
For unhandled exceptions such as accessing an invalid memory location, the agent now generates the backtrace and dumps it to a file. You can use the stack trace information for root cause triaging.
Defect Fixes
Security Review
The Windows Agent source code underwent a security review and incorporated mitigation steps for any potential issues.
Vulnerability Fixes
Updated the OpenSSL library to v3.2.2 in the Windows Agent and addressed the following:
0.9.2 May 22, 2024
Feature Enhancements
Performance Enhancements
Redesigned the interprocess communication system to improve overall stability and performance of the Windows Agent.
Defect Fixes
Remove Visual C++ 2015-2022 Redistributable Package Requirement
The Visual C++ 2015-2022 Redistributable package prerequisite is no longer required as it is now bundled with the Agent installer.
Eliminate Misleading Logs
Improved the timestamp calculation of the metrics messages to eliminate misleading and excessive logs.
0.9.1 April 03, 2024
Feature Enhancements
Ability to deploy Windows Agent as Host Process Container
You can now deploy the Windows Agent container image as a Host Process Container to allow access to the host instrumentation facilities.
Ability to Automatically Detect vmcompute and containerd Services
The Agent can now detect both vmcompute and containerd processes even after the initial startup. This capability enhances resiliency in scenarios where these services may not be running during agent startup.
Defect Fixes
Fixed Memory Leak During Querying Object Types
The catalog of available system object types was being repeatedly repopulated every time a handle was fetched from the process handle table. This resulted in a memory leak as the catalog continued to grow indefinitely. This issue has been fixed in this release.
0.9.0 March 07, 2024
Feature Enhancements
Container Enrichment
The agent is now capable of gaining visibility into containerized processes, allowing containerd-based containers to be secured along with the host operating system.
Availability of Docker Image for Windows Server v2019 and v2022
The Windows Agent is now available as a Docker image for Windows Server 2019 and Server 2022.
Defect Fixes
Vulnerability Fixes
Ability to Handle Wide Characters from AmsiScanBuffer Events
AMSI events carry the buffer parameter that contains the executed payload, such as a PowerShell cmdlet or a loaded .NET assembly. The structure of this parameter is therefore dynamic and depends heavily on the data source emitting the AMSI telemetry. As a consequence, the event parsing mechanism has been adapted to treat the parameters as dynamic and to derive the content of the AMSI buffer according to the application type emitting the event.
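To make the "dynamic buffer" point concrete, here is an added example that is not Sysdig agent code: it interprets an AMSI scan buffer differently depending on which application emitted it, and falls back to a shape heuristic for unknown emitters. It assumes, as the real Windows callers do but the note above does not spell out, that PowerShell submits its script text as UTF-16LE wide characters and that the .NET runtime submits the raw assembly bytes; the AmsiEvent type, the app-name prefixes used for matching and the sample events are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AmsiEvent:
    """Minimal stand-in for an AMSI telemetry record (constructed shape)."""
    app_name: str      # AMSI appName supplied by the caller
    content_name: str  # AMSI contentName (script path, assembly name, ...)
    buffer: bytes      # raw bytes handed to AmsiScanBuffer


def looks_utf16le(buf: bytes) -> bool:
    """Heuristic for text passed as wide characters: in UTF-16LE text made of
    ASCII code points every odd byte is NUL. Require an even length and at
    least four bytes so tiny or odd-sized buffers are not misclassified."""
    if len(buf) < 4 or len(buf) % 2:
        return False
    odd_bytes = buf[1::2]
    return odd_bytes.count(0) >= 0.9 * len(odd_bytes)


def decode_amsi_buffer(evt: AmsiEvent) -> dict:
    """Derive the buffer content from the emitting application type.

    The app-name prefixes below are assumptions for this example; a real
    parser would key on whatever the telemetry source actually reports.
    """
    app = evt.app_name.lower()
    if app.startswith("powershell"):
        # Assumption: PowerShell passes script text as wide (UTF-16LE) chars.
        text = evt.buffer.decode("utf-16-le", errors="replace").rstrip("\x00")
        return {"kind": "script", "encoding": "utf-16-le", "text": text}
    if app.startswith("dotnet"):
        # Assumption: the CLR passes the raw assembly image, so the buffer is
        # binary and should never be treated as a string.
        return {
            "kind": "assembly",
            "pe_header": evt.buffer[:2] == b"MZ",
            "size": len(evt.buffer),
            "name": evt.content_name,
        }
    # Unknown emitter: decide by the shape of the data instead of trusting a
    # fixed layout, so a new AMSI provider does not break parsing.
    if looks_utf16le(evt.buffer):
        text = evt.buffer.decode("utf-16-le", errors="replace").rstrip("\x00")
        return {"kind": "script", "encoding": "utf-16-le", "text": text}
    try:
        return {"kind": "script", "encoding": "utf-8",
                "text": evt.buffer.decode("utf-8")}
    except UnicodeDecodeError:
        return {"kind": "binary", "size": len(evt.buffer)}


# Constructed sample events; the payloads are benign placeholders.
SAMPLE_EVENTS = [
    AmsiEvent("PowerShell_example_host", "inline.ps1",
              "Get-Process".encode("utf-16-le")),
    AmsiEvent("DotNet", "Example.dll",
              b"MZ\x90\x00" + bytes(28) + b"PE\x00\x00"),
    AmsiEvent("CustomHost", "inline",
              "WScript.Echo 1".encode("utf-16-le")),
    AmsiEvent("CustomHost", "blob", bytes([0xFF, 0xFE, 0xFD, 0xFC, 0x80])),
]


if __name__ == "__main__":
    for evt in SAMPLE_EVENTS:
        print(evt.app_name, "->", decode_amsi_buffer(evt))
```

Keeping the binary case separate from the text cases is the practical point: a .NET assembly run through a string decoder produces garbage that matches no rule, while a wide-character script read as single-byte text turns "Get-Process" into "G\0e\0t\0-\0..." and likewise defeats detection.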
0.8.0 December 20, 2023
Defect Fixes
Rule Detection Reliability
Improve the reliability of detection capabilities.
Vulnerability Fixes
Fixed the following vulnerabilities:
- CVE-2020-1971
- CVE-2021-23840
- CVE-2021-23841
- CVE-2021-3449
- CVE-2021-3450
- CVE-2021-3711
- CVE-2021-3712
- CVE-2021-4160
- CVE-2022-0778
- CVE-2022-1292
- CVE-2022-2068
- CVE-2022-2097
- CVE-2022-4304
- CVE-2022-4450
- CVE-2023-0215
- CVE-2023-0286
- CVE-2023-0464
- CVE-2023-0465
- CVE-2023-0466
- CVE-2023-2650
- CVE-2023-3817
- CVE-2023-4807
- CVE-2023-5363
New Features
User Telemetry
Add audit telemetry for user-related activities including:
- Login and logoff
- Account creation and deletion
Enable Control Flow Guard
Enable Control Flow Guard for Windows Agent applications.
Enhanced Detection Capabilities
Improve event metadata parsing to enable more finely tuned rules.
0.7.0 October 25, 2023
Sysdig Windows Agent Released as Controlled Availability
Sysdig is pleased to announce the controlled availability of the Windows Agent, which delivers enhanced threat detection and visibility into malicious activities on Windows systems in the cloud. It includes a comprehensive set of curated policies and rules designed to detect a wide range of malicious activities, from the execution of known malicious PowerShell cmdlets to the addition of users to the Administrators group. Additional rules will continue to be developed during the controlled availability (CA) period.
For more information, see Sysdig Agent for Windows.