uberAgent 7.1

Changelog and Release Notes

Version 7.1

New features

  • Agent core [I941]: fixed a possible crash of the service/daemon that could occur when MemoryStatistics were logged.
  • Application names (macOS) [B709]: application name extraction via class name or filename of a Java command line is now supported on macOS, too.
  • Browsers (macOS) [I895]: the fields SessionFgBrowserType and SessionFgBrowserActiveTabHost of the Sourcetype SessionDetail are now available on macOS.
  • Custom scripts (macOS) [B739]: the execution of user defined scripts is now available on macOS.
  • DNS exfiltration and tunneling [B766]: new Splunk dashboard and agent categorization of DNS queries focused on detecting DNS abuse.
  • File system monitoring [B341]: uberAgent now monitors file system activity via its Threat Detection Engine, too.
  • Network monitoring (Windows) [B864]: the configuration stanza [NetworkTargetPerformanceProcess_Config] now has a new setting IgnoreLoopbackTraffic.
  • Process statistics (macOS) [B518]: uberAgent now collects additional process information: open file descriptor count, thread count, priority and page faults.
  • Root Certificates Dashboard [B813]: new dashboard with a focus on root certificates.
  • Security & Compliance Inventory [B640]: endpoints are now regularly checked for common security issues. The new Security Overview dashboard provides an entry point with ratings and drilldowns.
  • Security Score dashboard [B546]: new dashboard that visualizes security scores calculated by the events from uberAgent ESA’s two primary data sources, Security & Compliance Inventory and Threat Detection Engine.
  • Threat Detection Engine (macOS) [B738]: the macOS agent now supports the ESA Threat Detection Engine, too.
  • Threat Detection Engine (Windows) [B834]: added new event type: Image.DriverLoad with the same properties as Image.Load.
  • User input delay (Windows) [B287]: uberAgent now measures the user input delay per process and session.
  • Windows Services Dashboard [B813]: new dashboard with a focus on Windows services.

Improvements

  • Agent [I767]: the maximum number of events per send operation can now be limited per receiver.
  • Boot duration (Windows) [B63,B751]: the algorithm for capturing boot details has been aligned with the current Microsoft specification. In addition, uberAgent now reports user login screen wait time.
  • Citrix ADC [B819]: dashboards now display Mbps instead of MB for data throughput.
  • Citrix session monitoring (Windows) [I797, I880]: multi-monitor environments are now handled correctly.
  • Daemon (macOS) [B735]: added mechanism for preventing multiple running uberAgent instances.
  • Daemon (macOS) [B871]: improved security of communication between uberAgent and its helpers.
  • Dashboards [B287]: new dashboards Session Input Delay, Application Input Delay, Process Input Delay.
  • Dashboards [B287]: added input delay metrics to the Single Application Performance and the Analyze Data Over Time dashboards.
  • Dashboards [B514]: the Shutdown Delays dashboard now shows the affected hosts.
  • Dashboards [B799]: drilldowns to other dashboards are now always opened in new tabs.
  • Dashboards [B858]: processes missing the AppId/AppName fields now get automatically assigned Unknwn/Unknown.
  • Experience score [B287]: added input delay scores to the Experience Score Overview, Session Scores, and Application Scores dashboards.
  • Experience score [B849]: added rating switch. You can now decide whether you want to evaluate the individual scores according to the daily average or the lowest value.
  • Logging (Windows) [I733]: removed unnecessarily logged messages if it is impossible to determine a Remote Desktop client IP.
  • Logon monitoring (Windows) [I872]: ShellAppRuntime.exe is now processed correctly when started as part of the logon script.
  • Machine inventory (macOS) [B742]: field BaseboardSerial is now collected on macOS.
  • Machine inventory (macOS) [B758]: field OsInstallDate is now collected on macOS.
  • Machine inventory [B761]: a new field OsInstallDateOriginal (date of the first clean OS installation) is now collected in addition to OsInstallDate (date of the current OS installation).
  • Performance counters [I792]: localized wildcard performance counters are translated back to English.
  • Performance counters [I991]: external exceptions are now caught so that they cannot crash uberAgent.
  • Performance summary (macOS) [B518]: the field HandleCount now returns the full open file descriptor count for the process, consistent with the output of the ‘lsof’ system utility.
  • Performance summary (macOS) [B754]: the I/O statistics are now calculated more accurately.
  • Process startup (macOS) [B737]: field IsSignedByOSVendor is now collected on macOS.
  • Service (Windows) [B63]: new ConfigFlags setting BootDetailTimeoutMinutes.
  • Service (Windows) [B625]: improved determination of information about processes started earlier than uberAgent.
  • Service (Windows) [B553]: string registry value data is collected as part of Reg.Key.Write events.
  • Service (Windows) [I833]: improved determination of the logon start time.
  • Service (Windows) [I850]: faster determination of GPU usage metrics (on Windows 10 1809 or newer).
  • Service (Windows) [I873]: new timer setting ScriptTimeout.
  • Service (Windows) [B386]: faster determination of WMI values and new configurable provider setting.
  • Service (Windows) [I999]: an empty [Receiver] stanza in the configuration is now ignored.
  • Service (Windows) [I1002]: improved service shutdown behavior.
  • Service (Windows) [I1030]: permissions on the persistent output queue directory (configuration option PersistentOutputQueuePathWindows/PersistentOutputQueuePathMacOS) are no longer changed at every agent start, as the default location is already secured by the installer.
  • Setup (Windows) [B283]: the service's restart-on-failure options are now configured.
  • Threat Detection Engine [B823]: the maximum risk score for a rule is now limited to 100 to avoid dashboard corruption.
  • uAQL [B683]: improved the uAQL execution performance with a new bytecode interpreter.

Bugfixes

  • Application name overriding (macOS) [I894]: fixed dysfunctional application name overriding for expressions containing the binary’s name.
  • Authenticode signature verification (Windows) [I801]: fixed an issue where only signed binaries were provided to the Threat Detection Engine.
  • Authenticode signature verification (Windows) [I802]: fixed an issue where only embedded certificates were checked and the catalog was not searched.
  • Authenticode signature verification (Windows) [I1009]: the hash is now built even if the PE header is corrupted.
  • Automatic application identification (macOS) [I982]: improved logging for privileged helper tools.
  • Browser/Chrome & Firefox add-on [I897, I904]: fixed empty SessionFgBrowserActiveTabHost field when using multiple browser profiles.
  • CitrixADC [I828]: the characters <, >, &, and ' could not be used in passwords because of a flaw in PowerShell’s ConvertTo-Json command.
  • CitrixADC [I939]: no data is sent to the backend if one of the configured servers is unavailable.
  • CitrixADC [I965]: no system performance data was sent when SSL sessions with TLS 1.3 were present.
  • Citrix site monitoring (Windows) [I1019]: the dashboard Citrix Virtual Apps and Desktops Databases did not handle multiple database servers/instances per site correctly.
  • Configuration [B825]: invalid negative values are now handled correctly.
  • Daemon (macOS) [I981]: fixed a rare race condition during the daemon’s startup that could falsely detect the occurrence of pid wrapping.
  • Daemon (macOS) [I1024]: the ProcCPUPercent metric is now reported using a more accurate calculation. The ProcCPUTimeMs now reports the full processor time that the process has used during its lifetime instead of just the difference between measurement intervals.
  • Daemon (macOS) [I1026]: timer scheduling did not account for the sleep time of the system so that timer execution could be delayed if the system was asleep.
  • Dashboards [I790]: fixed wrong calculation on the Process DNS dashboard in the chart DNS packet size distribution.
  • Dashboards [I812]: adjusted a limit option in the Network Communication dashboards, to make sure all connections are displayed as part of the drilldown.
  • Dashboards [I795]: fixed empty charts on the Process Performance and Application Performance dashboards.
  • Dashboards [I866]: fixed a wrong description on the Shutdown Duration dashboard.
  • Dashboards [I868]: removed wrong drilldowns on the Browser Web App Usage dashboard.
  • DNS query monitoring [I810]: queries for non-existent records or queries returning errors were ignored.
  • DNS query monitoring [I855]: empty queries that caused an OS error are now ignored and not sent to the backends.
  • Experience Score [I827]: calculation of thresholds and weights of the network score were wrong for machines and applications.
  • Experience Score [I887]: fixed incorrect field name in application score calculation.
  • Invalid UTF-8 start byte (macOS) [I885]: fixed an error that sometimes appeared on the Kafka and/or Elastic backends regarding the encoding of the JSON message from uberAgent.
  • License Information (macOS) [I919]: fixed missing ESA license information in the backends for source type uberagent:License:LicenseInfo.
  • Logging (macOS) [I853]: removed an unnecessary warning about the failure to determine the IPv6 address if the system only had link-local or no addresses configured.
  • Logging (macOS) [I883]: fixed the broken log file rotation mechanism.
  • Logon monitoring (Windows) [I844]: in environments with Ivanti Workspace Control and a custom shell, the logon end was not detected.
  • Machine inventory (macOS) [I892]: removed a misleading warning regarding EDID versions.
  • Network monitoring (Windows) [I815]: fixed missing network metrics after waking up a machine from standby.
  • Network monitoring (Windows) [I815]: fixed rare circumstance of missing network metrics after network interrupts or connection losses.
  • Network monitoring (Windows) [I815]: new ConfigFlag: NetworkDriverMaximumConnectionLimit to limit the maximum number of concurrent monitored network connections.
  • Process names (macOS) [B784]: fixed process name truncation that could occur in some cases.
  • Process names (macOS) [I804]: in some very rare cases, the name of a parent process was not correct for processes that started immediately before uberAgent.
  • Service (Windows) [I587]: in some rare cases the registry-monitoring thread would be terminated prematurely.
  • Service (Windows) [I779]: fixed a possible crash of the service that could occur when a session had a logon timeout.
  • Service (Windows) [I811]: a trailing slash in the %TEMP% environment variable caused 100% CPU load on one core.
  • Service (Windows) [I822]: fixed an issue that could cause a longer shutdown period under certain circumstances when Citrix metrics were on.
  • Service (Windows) [I835]: removed a confusing log message on x86 systems when Bugcheck parameters were retrieved.
  • Service (Windows) [I836]: fixed retrieving of the process ID from the Application Error Event Log (event ID 1000) on Windows 11.
  • Service (Windows) [I1008]: fixed retrieving of the process version, process id, and process start time from the Application Hang Event Log (event ID 1002) on Windows 11.
  • Service (Windows) [I858]: fixed an issue where LogFileCount was not honored for uberAgentConfiguration logs.
  • Service (Windows) [I861]: user tags are sent to the receivers defined in the OnDemand section instead of to the receivers of the timer.
  • Service (Windows) [I782]: fixed crash in uAInSessionHelper on systems under heavy load.
  • Service (Windows) [I799]: all orphaned temporary files are now removed at service start.
  • Service (Windows) [I873]: new ConfigFlag: InternalScriptTimeoutMs to limit the maximum time of an internal/hard-coded script.
  • Service (Windows) [I881]: fixed missing Citrix HDX virtual channel metric on Windows 7.
  • Service (Windows) [I935]: fixed a memory leak when saving an internal Citrix DC/ADC PowerShell script temporarily on the local disc.
  • Service (Windows) [I944]: in very rare cases, the window title of an already stopped process was determined.
  • Service (Windows) [I889]: fixed rare deadlock during service shutdown.
  • Service (Windows) [I1013]: fixed persistent timers sliding (running later than their interval would suggest) after sleep or hibernate mode.
  • Service (Windows) [I1021]: fixed rare deadlock of two internal lists during EVT processing. The deadlock results in no more data being sent to the backend.
  • Service (Windows) [I1028]: in rare cases, AD attribute determination crashed the agent during an agent shutdown.
  • Service (Windows) [I1049]: in rare cases performance counter determination stopped working in case of a timeout during data determination.
  • Setup (Windows) [I1050]: do not delete the %ProgramData%\vast directory\uberAgent\Configuration directory if uberAgent is already installed and another silent installation is performed via command line.
  • Shutdown of uberAgent (macOS) [I876]: fixed an unlikely case of a broken shutdown procedure if the log file is inaccessible.
  • Splunk [I826]: fixed outdated values in lookup_hostinfo.
  • Splunk data model [I796]: fixed incorrect calculation of the field CatalogId in the data model uberAgentUXM_Citrix.
  • System time change resilience (Windows) [I857]: fixed logging of time change events on Windows 11.
  • Tagging (Windows) [I900, I911]: user tags were not determined if the session ID was reused.

Release notes

  • Config file monitoring and agent auto restart [B408]: updated configurations are applied automatically by restarting the agent.
  • Dashboards [B766]: replaced the Process DNS Splunk dashboard with the new DNS Exfiltration and Tunneling dashboard.
  • Dashboards [B518]: moved the ProcPriorityDisplayName determination from a lookup to the data model. This is necessary to be able to map process priorities of Windows and macOS in one sourcetype.
  • Dashboards [B856]: updated the Splunk SDK for Python to version 1.7.4.
  • Sourcetype [B287]: uberAgent:Process:ProcessStatistics has new field(s): ProcInputDelayMaxMs, ProcInputDelaySumMs and ProcInputDelayCount.
  • Sourcetype [B287]: uberAgent:Session:SessionDetail has new field(s): SessionInputDelayMaxMs, SessionInputDelaySumMs and SessionInputDelayCount.
  • Sourcetype [B751]: uberAgent:OnOffTransition:BootDetail2 has new field(s): UserLogonWaitDurationMs.
  • Sourcetype [B766]: uberAgentESA:Process:DnsQuery has new field(s): DnsRisk52Chars, DnsRisk27UniqueChars, DnsRiskEmptyResponse, DnsRiskTXTRecord, DnsRiskHighEntropy, DnsResponseStatus.
  • Splunk data models [B546]: added the uberAgent ESA data model uberAgentESA_System_SecurityInventory. Data model acceleration is turned off; otherwise, longer field contents may be truncated.
  • macOS OS versions [B760]: starting with this release, macOS 10.15 Catalina is no longer supported by uberAgent. The oldest supported version is now macOS 11.0 Big Sur.
  • Threat Detection Engine [B823]: rules now have a fixed valid range of 0-100 (integer) for the risk score. Rules with a risk score outside this range are considered invalid and are ignored.
  • Threat Detection Engine [B860]: renamed the ESA feature Activity Monitoring [Engine] to Threat Detection [Engine].

Known issues

  • Boot duration (Windows): the metrics TotalBootTimeMs, MainPathBootTimeMs and PostBootTimeMs cannot be determined for every system boot.
  • Browsers/IE add-on (Windows): metrics are not collected on page reload.
  • Browsers/IE add-on (Windows): metrics are collected incompletely for the configured start page.
  • Browsers/IE add-on (Windows): monitoring does not work if IE is published from Citrix Virtual Apps. It does work from Citrix Virtual Desktops, however.
  • Browsers/Firefox add-on: if the option privacy.resistFingerprinting is set to true, browser metrics are not available due to invalid data being sent from Firefox.
  • Citrix ADC: in very rare cases, the content of the Virtual Server Performance field vServerName contains spaces in wrong places.
  • Citrix site monitoring (Windows): data collection issue if the Citrix Remote Powershell SDK (required for Citrix Cloud monitoring) is installed on a CVAD controller.
  • Citrix XA/XD Machines (Windows): when running the Citrix VDA on a Citrix Delivery Controller, some per-machine information is missing.
  • Experience score [I377]: scheduled searches generate three warnings in Splunk’s _internal index every 30 minutes. The messages look like the following: DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. However, there is no impact on uberAgent’s functionality.
  • GPU (Windows) [I33]: values for the fields ComputeUsagePercentAllEngines, ComputeUsagePercentEngine0 and similar can be higher than 100 with Intel Iris GPUs on Windows Server 2016 1607.
  • Kafka [I291]: in rare cases sending data to Kafka results in a SEC_E_BUFFER_TOO_SMALL error message in the logfile. This should have no effect; the transmission is repeated and succeeds on the second try.
  • Network monitoring (Windows) [I815]: network metrics may be missing: 1) after resuming from a low-power state (e.g., suspend), or 2) after certain disastrous network events such as a crash of the default gateway.
  • Network monitoring (Windows) [I998]: in rare cases the determination of NetUtilizationPercent can lead to higher CPU load on Windows 7 x64.
  • Single Boot [I1052]: currently, under Windows 11, no information can be retrieved if there is no active session within the data collection period.
  • Update inventory (Windows): not all installed Windows updates may be reported due to API limitations.
  • UserInputDelay (Windows): can lead to a handle leak by Windows on Windows Server 2022 systems.
  • Volume inventory (macOS): the encryption status of mounted read-only APFS snapshots may not be reported due to API limitations. This includes the root directory volume in a default installation of macOS.