uberAgent 7.1
Changelog and Release Notes
Version 7.1
New features
- Agent core [I941]: fixed a possible crash of the service/daemon that could occur when MemoryStatistics were logged.
- Application names (macOS) [B709]: application name extraction via class name or filename of a Java command line is now supported on macOS, too.
- Browsers (macOS) [I895]: the fields SessionFgBrowserType and SessionFgBrowserActiveTabHost of the sourcetype SessionDetail are now available on macOS.
- Custom scripts (macOS) [B739]: the execution of user-defined scripts is now available on macOS.
- DNS exfiltration and tunneling [B766]: new Splunk dashboard and agent categorization of DNS queries focused on detecting DNS abuse.
- File system monitoring [B341]: uberAgent now also monitors file system activity via its Threat Detection Engine.
- Network monitoring (Windows) [B864]: the configuration stanza [NetworkTargetPerformanceProcess_Config] now has a new setting IgnoreLoopbackTraffic.
- Process statistics (macOS) [B518]: uberAgent now collects additional process information: open file descriptor count, thread count, priority and page faults.
- Root Certificates Dashboard [B813]: new dashboard with a focus on root certificates.
- Security & Compliance Inventory [B640]: endpoints are now regularly checked for common security issues. The new Security Overview dashboard provides an entry point with ratings and drilldowns.
- Security Score dashboard [B546]: new dashboard that visualizes security scores calculated by the events from uberAgent ESA’s two primary data sources, Security & Compliance Inventory and Threat Detection Engine.
- Threat Detection Engine (macOS) [B738]: the macOS agent now supports the ESA Threat Detection Engine, too.
- Threat Detection Engine (Windows) [B834]: added the new event type Image.DriverLoad with the same properties as Image.Load.
- User input delay (Windows) [B287]: uberAgent now measures the user input delay per process and session.
- Windows Services Dashboard [B813]: new dashboard with a focus on Windows services.
Improvements
- Agent [I767]: the maximum number of events per send operation can now be limited per receiver.
- Boot duration (Windows) [B63,B751]: the algorithm for capturing boot details has been aligned with the current Microsoft specification. In addition, uberAgent now reports user login screen wait time.
- Citrix ADC [B819]: dashboards now display Mbps instead of MB for data throughput.
- Citrix session monitoring (Windows) [I797, I880]: multi-monitor environments are now handled correctly.
- Daemon (macOS) [B735]: added mechanism for preventing multiple running uberAgent instances.
- Daemon (macOS) [B871]: improved security of communication between uberAgent and its helpers.
- Dashboards [B287]: new dashboards Session Input Delay, Application Input Delay, Process Input Delay.
- Dashboards [B287]: added input delay metrics to the Single Application Performance and the Analyze Data Over Time dashboards.
- Dashboards [B514]: the Shutdown Delays dashboard now shows the affected hosts.
- Dashboards [B799]: drilldowns to other dashboards are now always opened in new tabs.
- Dashboards [B858]: processes missing the AppId/AppName fields are now automatically assigned Unknown/Unknown.
- Experience score [B287]: added input delay scores to the Experience Score Overview, Session Scores, and Application Scores dashboards.
- Experience score [B849]: added rating switch. You can now decide whether you want to evaluate the individual scores according to the daily average or the lowest value.
- Logging (Windows) [I733]: removed unnecessarily logged messages if it is impossible to determine a Remote Desktop client IP.
- Logon monitoring (Windows) [I872]: ShellAppRuntime.exe is now processed correctly when started as part of the logon script.
- Machine inventory (macOS) [B742]: the field BaseboardSerial is now collected on macOS.
- Machine inventory (macOS) [B758]: the field OsInstallDate is now collected on macOS.
- Machine inventory [B761]: a new field OsInstallDateOriginal (date of the first clean OS installation) is now collected in addition to OsInstallDate (date of the current OS installation).
- Performance counters [I792]: localized wildcard performance counters are translated back to English.
- Performance counters [I991]: external exceptions are now caught so they cannot crash uberAgent.
- Performance summary (macOS) [B518]: the field HandleCount now returns the full open file descriptor count for the process, consistent with the output of the ‘lsof’ system utility.
- Performance summary (macOS) [B754]: the I/O statistics are now calculated more accurately.
- Process startup (macOS) [B737]: the field IsSignedByOSVendor is now collected on macOS.
- Service (Windows) [B63]: new ConfigFlags setting BootDetailTimeoutMinutes.
- Service (Windows) [B625]: improved determination of information about processes started earlier than uberAgent.
- Service (Windows) [B553]: string registry value data is collected as part of Reg.Key.Write events.
- Service (Windows) [I833]: improved determination of the logon start time.
- Service (Windows) [I850]: faster determination of GPU usage metrics (on Windows 10 1809 or newer).
- Service (Windows) [I873]: new timer setting ScriptTimeout.
- Service (Windows) [B386]: faster determination of WMI values and new configurable provider setting.
- Service (Windows) [I999]: ignore empty [Receiver] stanza in configuration.
- Service (Windows) [I1002]: improved service shutdown behavior.
- Service (Windows) [I1030]: permissions on the persistent output queue directory defined in the configuration option PersistentOutputQueuePathWindows/PersistentOutputQueuePathMacOS are no longer changed at every agent start, as the default location is already secured by the installer.
- Setup (Windows) [B283]: restart-on-failure service options are now configured.
- Threat Detection Engine [B823]: the maximum risk score for a rule is now limited to 100 to avoid dashboard corruption.
- uAQL [B683]: improved the uAQL execution performance with a new bytecode interpreter.
Bugfixes
- Application name overriding (macOS) [I894]: fixed dysfunctional application name overriding for expressions containing the binary’s name.
- Authenticode signature verification (Windows) [I801]: fixed an issue where only signed binaries were provided to the Threat Detection Engine.
- Authenticode signature verification (Windows) [I802]: fixed an issue where only embedded certificates were checked and the catalog was not searched.
- Authenticode signature verification (Windows) [I1009]: builds the hash even if the PE header is corrupted.
- Automatic application identification (macOS) [I982]: improved logging for privileged helper tools.
- Browser/Chrome & Firefox add-on [I897, I904]: fixed empty SessionFgBrowserActiveTabHost field when using multiple browser profiles.
- CitrixADC [I828]: the characters <, >, & and ' could not be used in passwords because of a flaw in PowerShell’s ConvertTo-Json command.
- CitrixADC [I939]: no data is sent to the backend if one of the configured servers is unavailable.
- CitrixADC [I965]: no system performance data was sent when SSL sessions with TLS 1.3 were present.
- Citrix site monitoring (Windows) [I1019]: the dashboard Citrix Virtual Apps and Desktops Databases did not handle multiple database servers/instances per site correctly.
- Configuration [B825]: invalid negative values are now handled correctly.
- Daemon (macOS) [I981]: fixed a rare race condition during the daemon’s startup that could falsely detect the occurrence of pid wrapping.
- Daemon (macOS) [I1024]: the ProcCPUPercent metric is now reported using a more accurate calculation. The ProcCPUTimeMs now reports the full processor time that the process has used during its lifetime instead of just the difference between measurement intervals.
- Daemon (macOS) [I1026]: timer scheduling did not account for the sleep time of the system so that timer execution could be delayed if the system was asleep.
- Dashboards [I790]: fixed wrong calculation on the Process DNS dashboard in the chart DNS packet size distribution.
- Dashboards [I812]: adjusted a limit option in the Network Communication dashboards to make sure all connections are displayed as part of the drilldown.
- Dashboards [I795]: fixed empty charts on the Process performance and Application performance dashboards.
- Dashboards [I866]: fix wrong description on the Shutdown duration dashboard.
- Dashboards [I868]: removed wrong drilldowns on the Browser Web App Usage dashboard.
- DNS query monitoring [I810]: queries for non-existent records or queries returning errors were ignored.
- DNS query monitoring [I855]: empty queries that caused an OS error are now ignored and not sent to the backends.
- Experience Score [I827]: calculation of thresholds and weights of the network score were wrong for machines and applications.
- Experience Score [I887]: fixed incorrect field name in application score calculation.
- Invalid UTF-8 start byte (macOS) [I885]: fixed an error that sometimes appeared on the Kafka and/or Elastic backends regarding the encoding of the JSON message from uberAgent.
- License Information (macOS) [I919]: fixed missing ESA license information in the backends for source type uberagent:License:LicenseInfo.
- Logging (macOS) [I853]: removed an unnecessary warning about the failure to determine the IPv6 address if the system only had link-local or no addresses configured.
- Logging (macOS) [I883]: fix broken mechanism for rotation of log files.
- Logon monitoring (Windows) [I844]: in environments with Ivanti Workspace Control and a custom shell, the logon end was not detected.
- Machine inventory (macOS) [I892]: removed a misleading warning regarding EDID versions.
- Network monitoring (Windows) [I815]: fixed missing network metrics after waking up a machine from standby.
- Network monitoring (Windows) [I815]: fixed rare circumstance of missing network metrics after network interrupts or connection losses.
- Network monitoring (Windows) [I815]: new ConfigFlag NetworkDriverMaximumConnectionLimit to limit the maximum number of concurrently monitored network connections.
- Process names (macOS) [B784]: fixed process name truncation which might have happened in some cases.
- Process names (macOS) [I804]: in some very rare cases the name of a parent process might not be correct for processes which started immediately before uberAgent.
- Service (Windows) [I587]: in some rare cases the registry-monitoring thread would be terminated prematurely.
- Service (Windows) [I779]: fixed a possible crash of the service that could occur when a session had a logon timeout.
- Service (Windows) [I811]: a trailing slash in the %TEMP% environment variable caused 100% CPU load on one core.
- Service (Windows) [I822]: fixed an issue that could cause a longer shutdown period under certain circumstances when Citrix metrics were on.
- Service (Windows) [I835]: remove confusing log message on x86 systems when Bugcheck parameters were retrieved.
- Service (Windows) [I836]: fixed retrieving of the process ID from the Application Error Event Log (event ID 1000) on Windows 11.
- Service (Windows) [I1008]: fixed retrieving of the process version, process id, and process start time from the Application Hang Event Log (event ID 1002) on Windows 11.
- Service (Windows) [I858]: fixed an issue where LogFileCount was not honored for uberAgentConfiguration logs.
- Service (Windows) [I861]: user tags are sent to the receivers defined in the OnDemand section instead of to the receivers of the timer.
- Service (Windows) [I782]: fixed crash in uAInSessionHelper on systems under heavy load.
- Service (Windows) [I799]: remove all orphaned temporary files at service start.
- Service (Windows) [I873]: new ConfigFlag InternalScriptTimeoutMs to limit the maximum run time of an internal/hard-coded script.
- Service (Windows) [I881]: fixed missing Citrix HDX virtual channel metric on Windows 7.
- Service (Windows) [I935]: fixed a memory leak when saving an internal Citrix DC/ADC PowerShell script temporarily on the local disc.
- Service (Windows) [I944]: in very rare cases, the window title of an already stopped process is determined.
- Service (Windows) [I889]: fixed rare deadlock during service shutdown.
- Service (Windows) [I1013]: fixed persistent timers sliding (running later than their interval would suggest) after sleep or hibernate mode.
- Service (Windows) [I1021]: fixed rare deadlock of two internal lists during EVT processing. The deadlock results in no more data being sent to the backend.
- Service (Windows) [I1028]: in rare cases AD attribute determination crashes the agent during an agent shutdown.
- Service (Windows) [I1049]: in rare cases performance counter determination stopped working in case of a timeout during data determination.
- Setup (Windows) [I1050]: do not delete the %ProgramData%\vast directory\uberAgent\Configuration directory if uberAgent is already installed and another silent installation is performed via command line.
- Shutdown of uberAgent (macOS) [I876]: fixed an unlikely case of a broken shutdown procedure if the log file is inaccessible.
- Splunk [I826]: fixed outdated values in lookup_hostinfo.
- Splunk data model [I796]: fixed incorrect calculation of the field CatalogId in the data model uberAgentUXM_Citrix.
- System time change resilience (Windows) [I857]: fixed logging of time change events on Windows 11.
- Tagging (Windows) [I900, I911]: user tags were not determined if the session ID was reused.
Release notes
- Config file monitoring and agent auto restart [B408]: updated configurations are applied automatically by restarting the agent.
- Dashboards [B766]: replaced the Process DNS Splunk dashboard with the new DNS Exfiltration and Tunneling.
- Dashboards [B518]: moved the ProcPriorityDisplayName determination from a lookup to the data model. This is necessary to be able to map process priorities of Windows and macOS in one sourcetype.
- Dashboards [B856]: updated the Splunk SDK for Python to version 1.7.4.
- Sourcetype [B287]: uberAgent:Process:ProcessStatistics has new fields: ProcInputDelayMaxMs, ProcInputDelaySumMs and ProcInputDelayCount.
- Sourcetype [B287]: uberAgent:Session:SessionDetail has new fields: SessionInputDelayMaxMs, SessionInputDelaySumMs and SessionInputDelayCount.
- Sourcetype [B751]: uberAgent:OnOffTransition:BootDetail2 has a new field: UserLogonWaitDurationMs.
- Sourcetype [B766]: uberAgentESA:Process:DnsQuery has new fields: DnsRisk52Chars, DnsRisk27UniqueChars, DnsRiskEmptyResponse, DnsRiskTXTRecord, DnsRiskHighEntropy, DnsResponseStatus.
- Splunk data models [B546]: added the uberAgent ESA data model uberAgentESA_System_SecurityInventory. Data model acceleration is turned off; otherwise, longer field contents may be truncated.
- macOS OS versions [B760]: starting with this release, macOS 10.15 Catalina is no longer supported by uberAgent. The oldest supported version is now macOS 11.0 Big Sur.
- Threat Detection Engine [B823]: rules now have a fixed valid range of 0-100 (integer) for the risk score. Rules with a risk score outside this range are considered invalid and are ignored.
- Threat Detection Engine [B860]: renamed the ESA feature Activity Monitoring [Engine] to Threat Detection [Engine].
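The DNS exfiltration and tunneling feature [B766] above adds per-query risk flags (DnsRisk52Chars, DnsRisk27UniqueChars, DnsRiskEmptyResponse, DnsRiskTXTRecord, DnsRiskHighEntropy) to the DnsQuery sourcetype. The following Python script is an added illustration of what such a categorization looks like; it is not uberAgent's code, and the exact rule behind each flag (the 52-character label limit, the 27-unique-character limit, the entropy cut-off of 3.5 bits per character, and which response statuses count as "empty") is this example's own assumption inferred from the field names. The sample queries are constructed, not captured traffic.

```python
"""Added example (not uberAgent's code): DnsRisk*-style categorization of DNS queries.

Field names follow the release notes; the thresholds and the logic behind each
flag are assumptions made for this illustration.
"""
import math
from collections import Counter

# Assumed thresholds, inferred from the field names (not uberAgent's documented rules).
LABEL_CHARS_LIMIT = 52    # DnsRisk52Chars: any single label longer than this
UNIQUE_CHARS_LIMIT = 27   # DnsRisk27UniqueChars: distinct characters in the variable part
HIGH_ENTROPY_BITS = 3.5   # DnsRiskHighEntropy: bits/char above which a name looks encoded
EMPTY_STATUSES = ("NXDOMAIN", "EMPTY")  # DnsRiskEmptyResponse: assumed status values


def shannon_entropy(text):
    """Shannon entropy of text in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def variable_part(query):
    """Everything left of the registrable domain, with the dots removed.

    Assumes a two-label registrable domain (example.com). Public-suffix
    handling (co.uk and the like) is out of scope for this illustration.
    """
    labels = query.rstrip(".").lower().split(".")
    return "".join(labels[:-2])


def categorize(query, record_type, response_status):
    """Derive DnsRisk*-style flags for one query (constructed logic, see module docstring)."""
    labels = query.rstrip(".").split(".")
    sub = variable_part(query)
    return {
        "DnsRisk52Chars": max(len(label) for label in labels) > LABEL_CHARS_LIMIT,
        "DnsRisk27UniqueChars": len(set(sub)) > UNIQUE_CHARS_LIMIT,
        "DnsRiskEmptyResponse": response_status.upper() in EMPTY_STATUSES,
        "DnsRiskTXTRecord": record_type.upper() == "TXT",
        "DnsRiskHighEntropy": shannon_entropy(sub) > HIGH_ENTROPY_BITS,
        "DnsResponseStatus": response_status,
    }


def risk_count(flags):
    """Number of DnsRisk* flags raised for a query; a rough triage score."""
    return sum(1 for name, value in flags.items()
               if name.startswith("DnsRisk") and value is True)


# Constructed sample queries: (name, record type, response status).
SAMPLE_QUERIES = [
    ("www.example.com", "A", "NOERROR"),
    ("mail.example.com", "MX", "NOERROR"),
    # A long, high-entropy, base32-looking label queried as TXT with no answer:
    # the pattern the dashboard is meant to surface.
    ("abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwxyz23.t.example.net",
     "TXT", "NXDOMAIN"),
]

if __name__ == "__main__":
    for name, record_type, status in SAMPLE_QUERIES:
        flags = categorize(name, record_type, status)
        print(f"{name[:40]:<40} {record_type:<4} {status:<8} risk flags raised: {risk_count(flags)}")
```

Running the script flags the third sample on all five DnsRisk* heuristics while the two ordinary lookups raise none; in practice the flags are most useful aggregated per process and per domain over time, which is what the dashboard described above does with the sourcetype fields.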
Known issues
- Boot duration (Windows): the metrics TotalBootTimeMs, MainPathBootTimeMs and PostBootTimeMs cannot be determined for every system boot.
- Browsers/IE add-on (Windows): metrics are not collected on page reload.
- Browsers/IE add-on (Windows): metrics are collected incompletely for the configured start page.
- Browsers/IE add-on (Windows): monitoring does not work if IE is published from Citrix Virtual Apps. It does work from Citrix Virtual Desktops, however.
- Browsers/Firefox add-on: if the option privacy.resistFingerprinting is set to true, browser metrics are not available due to invalid data being sent from Firefox.
- Citrix ADC: in very rare cases, the content of the Virtual Server Performance field vServerName contains spaces in wrong places.
- Citrix site monitoring (Windows): data collection issue if the Citrix Remote PowerShell SDK (required for Citrix Cloud monitoring) is installed on a CVAD controller.
- Citrix XA/XD Machines (Windows): when running the Citrix VDA on a Citrix Delivery Controller, some per-machine information is missing.
- Experience score [I377]: scheduled searches generate three warnings in Splunk’s _internal index every 30 minutes. The messages look like the following: DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. However, there is no impact on uberAgent’s functionality.
- GPU (Windows) [I33]: values for the fields ComputeUsagePercentAllEngines, ComputeUsagePercentEngine0 and similar can be higher than 100 with Intel Iris GPUs on Windows Server 2016 1607.
- Kafka [I291]: in rare cases sending data to Kafka results in a SEC_E_BUFFER_TOO_SMALL error message in the logfile. This should have no effect; the transmission is repeated and succeeds on the second try.
- Network monitoring (Windows) [I815]: network metrics may be missing: 1) after resuming from a low-power state (e.g., suspend), or 2) after certain disastrous network events such as a crash of the default gateway.
- Network monitoring (Windows) [I998]: in rare cases the determination of NetUtilizationPercent can lead to higher CPU load on Windows 7 x64.
- Single Boot [I1052]: currently, under Windows 11, no information can be retrieved if there is no active session within the data collection period.
- Update inventory (Windows): not all installed Windows updates may be reported due to API limitations.
- UserInputDelay (Windows): can lead to a handle leak by Windows on Windows Server 2022 systems.
- Volume inventory (macOS): the encryption status of mounted read-only APFS snapshots may not be reported due to API limitations. This includes the root directory volume in a default installation of macOS.