
Windows Agent Release Notes

1.3.1 December 19, 2024

Supported sysdig-deploy version: 1.72.5

Feature Enhancements

Generate dump files when the Agent stops

Minidump files are generated when the Agent stops to enable swift debugging.

Defect Fixes

Fixed the issue where the container metadata was occasionally not attached to the process. Solidified the mechanism for container process matching to consider additional heuristics when deciding whether the created process pertains to the container.

Fixed the issue where the process token SID was obtained from an invalid memory buffer. Enhanced the Agent’s resilience against invalid memory buffers when retrieving the security identifier from the process token.

Vulnerability Fixes

1.3.0 November 28, 2024

Supported sysdig-deploy version: 1.69.0

Feature Enhancements

Policy Events Enhanced with AWS and Azure Metadata

Policy events are now enriched with metadata from supported cloud providers, currently AWS and Azure.

Retain Custom Agent Configuration during Upgrades

The configuration file generated during the installation is retained when the agent is upgraded.

Optimized Agent Architecture

Enhanced the Agent process architecture, improving reliability and performance while reducing the resource footprint.

Defect Fixes

Improved Process Tree Resiliency

Resolved an issue with process tree cycles that could cause agent unresponsiveness.

Instrumentation Engine Startup Failures

Fixed an issue preventing the instrumentation engine from bootstrapping the processing of event sources.

Fixed Proxy Connection Issue

Resolved proxy connection issue occurring when the Agent does not use the double-SSL connection style.

1.2.0 October 14, 2024

Feature Enhancements

Process Tree

Process tree is available in policy events. By default, all the policy events are decorated with the process lineage (tree) showing the hierarchy of process ancestors.

Defect Fixes

Fixed Misbehavior When Splitting an Empty Command Line

The fix skips argument splitting for empty command-line strings, so an empty command line no longer yields a spurious empty argument.
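To make the edge case behind this fix concrete, the following is an added example written for this page, not Sysdig's agent code. It contains a deliberately naive splitter that shows the general defect class (an empty command line turning into a one-element list holding an empty argument) next to a splitter that follows the Windows CommandLineToArgvW quoting rules and returns an empty list for empty or whitespace-only input. Function names and the sample command lines are constructed for the example.

```python
"""Windows-style command-line splitting with the empty-input edge case handled.

Added example, not Sysdig's code: naive_split illustrates the defect class
(an empty command line producing a spurious empty argument);
split_windows_cmdline follows the CommandLineToArgvW conventions and
returns [] for empty input.
"""
from typing import List


def naive_split(cmdline: str) -> List[str]:
    """Illustrative defective splitter: it always emits the trailing
    accumulator, so '' becomes [''] instead of []."""
    args: List[str] = []
    current = ""
    in_quotes = False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            args.append(current)
            current = ""
        else:
            current += ch
    args.append(current)  # unconditional append: the source of the spurious ''
    return args


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into argv.

    Rules (as in CommandLineToArgvW): whitespace outside quotes separates
    arguments; a double quote toggles quoting; backslashes are literal unless
    they precede a double quote, in which case 2k backslashes become k
    backslashes with the quote acting as a delimiter, and 2k+1 backslashes
    become k backslashes followed by a literal quote.

    Empty or whitespace-only input yields [] rather than [''].  A quoted
    empty string ("") is still a legitimate empty argument.
    """
    args: List[str] = []
    current: List[str] = []
    have_arg = False   # True once something (even "") has started an argument
    in_quotes = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                current.append("\\" * (count // 2))
                if count % 2 == 1:
                    current.append('"')   # escaped literal quote
                    i = j + 1
                else:
                    i = j                 # quote handled as a delimiter below
            else:
                current.append("\\" * count)
                i = j
            have_arg = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
            continue
        if ch.isspace() and not in_quotes:
            if have_arg:
                args.append("".join(current))
                current = []
                have_arg = False
            i += 1
            continue
        current.append(ch)
        have_arg = True
        i += 1
    if have_arg:
        args.append("".join(current))
    return args


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["", "   ", '"C:\\Program Files\\app.exe" -x', 'a\\"b', '""']:
        print(repr(sample), "->", split_windows_cmdline(sample))
```

The detection-relevant point is that process-creation telemetry with an empty command line should carry no arguments at all; a rule that matches on "first argument is empty" would otherwise fire on every such process.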

1.1.0 September 20, 2024

Feature Enhancements

Red Hat OpenShift Support

The Windows Agent is now supported on Red Hat OpenShift, both SaaS and on-premises.

Defect Fixes

Mitigated an issue where the Windows Agent becomes unresponsive during shutdown.

1.0.2 July 25, 2024

Defect Fixes

Fixed the issue where enabling the Prometheus feature caused the Agent to crash during bootstrap. The fix now gracefully handles the presence of the incompatible Prometheus feature and discards it during Agent initialization.

1.0.1 July 5, 2024

Feature Enhancements

Enriched Policy Events Metadata

Policy events now include a container identifier in their metadata which is used to enrich events with additional Kubernetes metadata.

Improved Rule Matching Performance

Improved the performance of event processing to considerably reduce CPU utilization when evaluating security events against the rule set.

Reduced Event Load

Sysdig now prevents events that are irrelevant for threat detection from being processed to reduce CPU utilization.

Known Issues

The Windows Agent cannot start if Prometheus is enabled. To prevent this, disable Prometheus for Windows Agent in the dragent.yaml file:

prometheus:
  enabled: false

1.0.0 June 28, 2024

Feature Enhancements

Kubernetes Deployment Support

The Windows Agent can now be deployed to Kubernetes clusters by using the sysdig-deploy Helm chart.

Collect Kubernetes Events Enriched with Kubernetes Metadata

The agent exposes filter fields to collect Kubernetes metadata and automatically enrich every security event with the basic workload information.

Configurable Named Pipes for CRI Container Engines

You can specify additional named pipes for CRI container engines by using the windows.cri_engine_named_pipes configuration property.
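The release note names the property but not the shape of its value. The following dragent.yaml fragment is an added illustration for this page, not taken from the Sysdig documentation: the list form of the value is an assumption, and the pipe path shown is containerd's default named pipe on Windows, used here only as a sample value.

```yaml
# Added illustration (not from Sysdig docs). Assumes the property takes a
# list of Windows named-pipe paths; replace the sample path with the pipe
# your CRI engine actually exposes.
windows:
  cri_engine_named_pipes:
    - \\.\pipe\containerd-containerd
```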

Ability to Collect Exceptions and Stack Traces for Root Cause Analysis

For unhandled exceptions such as accessing an invalid memory location, the agent now generates the backtrace and dumps it to a file. You can use the stack trace information for root cause triaging.

Defect Fixes

Security Review

The Windows Agent source code underwent a security review and incorporated mitigation steps for any potential issues.

Vulnerability Fixes

Updated the OpenSSL library to v3.2.2 in the Windows Agent and addressed the following:

0.9.2 May 22, 2024

Feature Enhancements

Performance Enhancements

Redesigned the interprocess communication system to improve overall stability and performance of the Windows Agent.

Defect Fixes

Remove Visual C++ 2015-2022 Redistributable Package Requirement

The Visual C++ 2015-2022 Redistributable package prerequisite is no longer required as it is now bundled with the Agent installer.

Eliminate Misleading Logs

Improved the timestamp calculation of the metrics messages to eliminate misleading and excessive logs.

0.9.1 April 03, 2024

Feature Enhancements

Ability to deploy Windows Agent as Host Process Container

You can now deploy the Windows Agent container image as a Host Process Container to allow access to the host instrumentation facilities.

Ability to Automatically Detect vmcompute and containerd Services

The Agent can now detect both vmcompute and containerd processes even after the initial startup. This capability enhances resiliency in scenarios where these services may not be running during agent startup.

Defect Fixes

Fixed Memory Leak During Querying Object Types

The catalog of available system object types was being repeatedly repopulated every time a handle was fetched from the process handle table. This resulted in a memory leak as the catalog continued to grow indefinitely. This issue has been fixed in this release.

0.9.0 March 07, 2024

Feature Enhancements

Container Enrichment

The agent is now capable of gaining visibility into containerized processes, allowing the containerd-based containers to be secured along with the host operating system.

Availability of Docker Image for Windows Server v2019 and v2022

The Windows Agent is now available as a Docker image for Windows Server 2019 and Server 2022.

Defect Fixes

Vulnerability Fixes

Ability to Handle Wide Characters from AmsiScanBuffer Events

AMSI events carry a buffer parameter that contains the executed payload, such as a PowerShell cmdlet or a loaded .NET assembly. The parameter structure is therefore dynamic and depends heavily on the data source emitting the AMSI telemetry. The event parsing mechanism has consequently been adapted to treat the parameters as dynamic and to derive the content of the AMSI buffer according to the application type emitting the event.

0.8.0 December 20, 2023

Defect Fixes

Rule Detection Reliability

Improve the reliability of detection capabilities.

Vulnerability Fixes

Fixed the following vulnerabilities:

New Features

User Telemetry

Add audit telemetry for user-related activities including:

  • Login and logoff
  • Account creation and deletion

Enable Control Flow Guard

Enable Control Flow Guard for Windows Agent applications.

Enhanced Detection Capabilities

Improve event metadata parsing to enable more finely tuned rules.

0.7.0 October 25, 2023

Sysdig Windows Agent Released as Controlled Availability

Sysdig is pleased to announce the controlled availability of the Windows Agent, which delivers enhanced threat detection and visibility into malicious activities on Windows systems in the cloud. It includes a comprehensive set of curated policies and rules designed to detect a wide range of malicious activities, from the execution of known malicious PowerShell cmdlets to the addition of users to the Administrators group. Additional rules will continue to be developed during the CA.

For more information, see Sysdig Agent for Windows.