AIR Release Notes

Version 3.12

Features

Streamline your investigation

• DRONE analysis for macOS

  • MITRE ATT&CK Analyzer

    • As of v3.12 DRONE now has MITRE ATT&CK rules for macOS.

  • Dynamo Analyzer (Credit: Dilek G)

    • Dynamo will parse the AIR report generated as the result of a task assignment and highlight suspicious entries.

  • Browser History Analyzer

    • Chrome, Edge, IE (7-11), Firefox, Opera, Safari, Vivaldi, Waterfox and Brave are now all supported for macOS

  • Audit Event Analyzer

    • Brings advanced capability to AIR by scanning event records for keywords, hacker tools, and commands, setting verdicts based on criteria, guidelines, or Sigma rules.

• Tooltips added to DRONE findings within the Consolidate Report

  • When a user hovers above a Verdict or Score finding listed in the Table view, they will be presented with a to a tooltip that explains how the result is derived.

• Isolation of macOS endpoints

  • Expanding Isolation capability to the last major operating systems -macOS. (Fully supports Windows, Linux & macOS devices).

  • Regardless of the isolation state, the endpoint maintains communication with the AIR console to allow analysts performing their investigation by generating Tasks as usual.

• Addition of a "Retry Upload" action for failed Task Assignments (Credit: Daniel M) 

  • Should a failure occur during the evidence upload phase of a task, a "Retry Upload" feature is now available to resolve issues more efficiently. Key benefits include:

    • Elimination of the need for evidence re-acquisition, preserving the original data.

    • No additional disk space consumption.

    • The "Retry Upload" option repurposes the existing task assignment for the re-upload, preventing task duplication.

• Simpler access to Off-Network Agent logs & Drone log files

  • Agent logs and Drone log files of Off Network  are now saved in the same folder . This makes it easier to find any log files and share them with  Binalyze Technical support or for troubleshooting by yourselves. 

  • File name format is: Troubleshoot-[TIMESTAMP].zip.

Enriching evidence and artifacts

• New Artifact types collected for macOS:

  • Discord Desktop Cache

    • Discord instant messaging and VoIP social platform with voice calls, video calls, text messaging, media and files in private chats or as part of communities called "servers".

  • Parallels Logs

    • Parallels is a software company best-known for Parallels Desktop for Mac that allows users to run Microsoft Windows systems on macOS computers. 

  • Homebrew Logs

    • Homebrew is a free and open-source software package management system that simplifies the installation of software on macOS, as well as Linux.

  • Sophos Events Database

    • Sophos develops products for communication endpoint, encryption, network security, email security, mobile security and unified threat management. 

  • Sophos Antivirus Logs 

    • The AIR agent will now collect Sophos Antivirus logs.

• New Evidence types for macOS:

  • Shared File List

    • The SharedFileList (SFL) in macOS is a system feature that manages "recent items" lists for applications and the system itself. These lists could include recently used applications, documents, servers, or even volumes. The files with the extensions .sfl and .sfl2 are plist (property list) files in binary format.

  • Shell/Bash History

    • The .bash_history file holds significant value for various reasons including command tracking which may reveal the activity of an attacker. However, note that the .bash_history file can be manipulated, cleared, or even disabled by knowledgeable users.

Synchronization and collaboration between teams

• Customizable Banner Message  (Credit: Helen T)

Users can now display important announcements via a banner on the console GUI for events like maintenance, upgrades, or config changes. The banner interface allows:

• Scheduling via Start/End dates

• Message editing - up to 512 characters

• Color customization

• URL linking

• Banner dismissal to maximize screen space

This feature provides direct communication with AIR users and offers permission controls for message settings.

Enhancements

AIR Core Functions Enhancements

• • Timeline 

    Swipe through a Timeline Bar to view events, dates, or time periods that are outside the current visible area.

    • • Click-and-drag: The user clicks on the timeline bar and drags it left or right to scroll through the timeline. 

      • Swipe wheel: If the device supports a scroll wheel or touchpad gestures, the user can use it to scroll left or right on the timeline bar.

  • Triage

    Many more new triage rule templates are available to assist when constructing triage task assignments including:

    • • YARA - Find by size range

      • YARA - Find Portable Execution files only

      • YARA - Find PKZIP files only

      • YARA - Find by hash value after filtering by file size

      • Sigma - User account hidden by registry

      • osquery - Unusual Cron entries

      • osquery - Processes running with no binary on disk

Consolidated Reports Enhancements

• Consolidated Report Module refactoring to provide Generic Report Module

  • This new module generates individual task assignment reports that maintain the same view and structure as the existing Consolidated Reports.

• Triage results from osquery are now available in Consolidate Reports 

  • osquery results are now also searchable from the Global Search.

Security Enhancements

• Automatically renew default AIR SSL certificate (Credit: Ramesh P)

  • The Binalyze-generated self-signed certificate will now auto-renew when it's within 10 days of expiration.

Fixes

Version 3.11.0

Important Security Update (Credit - Caleb T and Tyler B)

We have added ACL settings to a driver object to prevent unauthorized access and potential privilege escalation.
Users should urgently deploy the updated agents to address this high-severity vulnerability

Version 3.9.2

Features

• Acquisition Profiles now display average time taken to complete

• • This great new feature displays to the user the average time it takes to run a particular acquisition profile in their own AIR environment. This will help analysts make decisions as to which Profile is best suited to a particular circumstance. (Credit: Daniel M)

  • This feature is unique to the users own environment, so the collection of metrics will start afresh with each new AIR console install.

• New wizard to add endpoints to a Timeline

  • This dedicated Timeline wizard will speed up and simplify the addition of endpoints to your Timelines.  The new flow allows you to select endpoints, define the Task and then choose the post acquisition analyzers such as DRONE or any of the other AIR analyzers needed for your specific investigations.

  • This feature is aligned with the new Quick Start feature introduced in v3.8 - Both designed to simplify and speed up your investigations.

• Five new Webhooks available in AIR:

  • Stellar EDR

  • LogicHub SOAR (DEVO)

  • Rapid7 InsightIDR

  • Fortigate SIEM

  • Dynatrace

Take advantage of AIR’s Webhooks to increase your SOC’s automated collections and analysis of data from endpoints and dramatically speed up all of your investigations.

• New macOS evidence support - Apple System Logs

  • Apple System Log Files (.asl files) contain detailed records of various system events, processes, errors, warnings, and activities that occur on a macOS device.

• New macOS evidence support - Apple Unified Logs

  • The Apple Unified Logs (AUL) system was introduced with macOS 10.12. It creates a standard log format used in all Apple operating systems, including macOS, iOS, watchOS, and tvOS. One of the most powerful filtering capabilities of AUL is the predicates.

  • AIR will present unified logs using the comprehensive set of predicates shown below:

    • User login events

    • Tccd events

    • Ssh activity events

    • Command line activity run with elevated privileges

    • Kernel extension events

    • Screen sharing events

    • Keychain unlock events

    • Sessions creation and destruction events

    • Detecting and blocking malicious software events

    • Failed sudo events

    • MDM Clients Events

Enhancements

• Consolidated Report improvements

  • To support collaboration between analysts by highlighting important evidence and findings, we have added the option to bookmark items within Consolidated reports.

  • Users can also see who bookmarked an item and when they did so. They can also apply filters to show ‘Bookmarks’ or ‘Bookmarked by’.

  • A new ‘event viewing’ window will display expanded details for any item selected in the main viewing area.

  • Global Search has been enhanced for faster search returns.

• YARA rule scans can be run via interACT

  • It is now possible to run YARA scans inside the AIR cross-platform remote shell, interACT.   (Credit: Ramesh P) 

• YARA and Sigma rules use the same verification method 

  • Binalyze AIR will now use matching validation methodologies for these two different rule types, so YARA and Sigma scanning can no longer be tasked to run any incompatible rules. (Credit: Antonio L)

     

Fixes

• AWS S3 upload failures

  • Simultaneous upload issues to AWS S3 bucket and all other repositories have been fixed by enforcing sequential uploads only. (Credit: Simon L)

• Reporting a Failed Status

  • When a Task is running, and something causes the agent to restart, a ‘failed’ status will be shown when the agent starts again if any of the tasks fail to complete.

• Timeline imports to Chrome

  • An issue preventing Chrome uploads to the AIR Timeline has been resolved.

• Authentication Errors for Public API's are fixed

Version 3.7

Features

• Triage Match Count Column

  • In the Task window it is now possible to select, from a column selector, to display a column for Match Counts, and if the user filters by Triage the Match Count column will be added automatically to the filtered results.

• New Webhook - Microsoft Sentinel

  • AIR now has built-in support for a Microsoft Sentinel Webhook (Credit to Elisa.com - Finland).

• Mandatory Case Selection Option

  • This new feature allows Enterprise and MSOC customers to enforce the selection of a case for all Acquisition and Triage tasks ensuring that all collections and tasking results are attributed to a case.  For FIS customers this feature will always be active by default.

• New Chrome artifacts for Mac Linux and Windows

  • For Mac, Linux and Windows support has been added for parsed evidence from Chrome; Bookmarks, Cookies, Downloads, User Profiles, Extensions and Browsing History

• Isolation Support for Linux

  • Linux endpoints can now be 'Isolated' from within the Endpoints Details UI window.

• New 'Last Seen' Endpoint Filter

  • AIR now allows for the date and time filtering of endpoints by;  'Last Seen After', 'Last Seen Before' and 'Last Seen Between'.

• Apple macOS TCC collection

  • AIR now supports the collection of Mac TCC (Transparency, Consent and Control) data.

IMPORTANT: In order to benefit from these new features,  you should install our new DataBase. Click here to learn more.

Enhancements

MITRE ATT&CK enhancements

• MITRE ATT&CK Rules with Drone for Acquisition and Triage Tasks

  • Users can now see and select the MITRE ATT&CK analyzer in both the Acquire Evidence and Triage Tasking windows. In these views it is now also possible to see when AIR last checked our MITRE ATT&CK database to ensure that the user has access to the latest MITRE ATT&CK definitions for AIR.

• MITRE ATT&CK Rules support for off-network tasks

  • The same level of support mentioned above for MITRE ATT&CK is now also available for off-network Evidence Acquisitions and Triaging.

• MITRE ATT&CK Tactics Widget View within Consolidated Report

  • The Consolidated Report now aligns and displays artifacts by the number of times a particular MITRE ATT&CK Tactic, Technique or Finding has been identified. The Technique and Sub-Technique identified will also be displayed along with a direct link to the relevant MITRE ATT&CK webpage.

• MITRE ATT&CK Auto update

  • Binalyze AIR will now automatically check for any new MITRE ATT&CK updates as soon as a user opens the Acquire Evidence or Triage Tasking windows. An internet connected AIR installation is required, ensuring customers always have access to the latest AIR MITRE ATT&CK definitions. (Off-Line support will be coming in future versions)

Consolidated Report enhancements

• Consolidated Report: MITRE ATT&CK Report View

  • The Consolidated Report front page now displays  a MITRE ATT&CK overview report.

• Consolidated Report: Event Records Consolidation

  • Event Records are now consolidated in human readable format for investigators.

• Consolidated Report: Global Search

  • Global Searching is now possible across Consolidated Reports.  This feature addition is super powerful, and allows users to search across all of the acquisition and triage data that constructs a Consolidated Report from multiple endpoints in any particular case.

• Consolidated Report: Process Details View

  • An event details module has been added at the bottom of the evidence item page, so when an item is selected in the upper window, if there is additional information available it will be displayed in the lower details window.

• Consolidated Report: Process Tree View

  • A Tree view is now available for processes within Consolidated Reports.

• Consolidated Report: CSV export

  • It is now possible to export Evidence Items from within the Consolidated Report to CSV.

Fixes

• Security fix related to endpoint isolation

• Security fix related to the installation process

• Security fix related to the password reset process

• Security fix related to access to server files

Version 3.5.1

Features

• Consolidated Report.

• The Consolidated report is a single, easy-to-read DFIR intelligence report, that displays Acquisition and Triage acquired data from multiple endpoints in one report.

• Triage with OSQuery.

• Analysts can now create, modify and run OSQuery queries across multiple assets in the AIR Triage GUI, along with our pre-existing YARA and Sigma capabilities.

• Timeline support was added for Linux and macOS.

• Investigators and analysts can add Linux and macOS artifacts to AIR Timelines.  Leverage this addition to have just one Timeline with multiple endpoints from all 3 operating systems; Windows, Mac and Linux. This is potentially another massive boost to speeding up investigation times.

• Importing Chrome/Chromebook collections to Binalyze AIR Console

• Investigators and analysts can now add standalone Chrome evidence acquisition results (PPC file) to Binalyze AIR

• New Artifacts and Evidence for macOS and Linux.

• More than 35 new artifacts and evidence types, such as Apache, Nginx, MySQL, PostgreSQL, MongoDB, Docker, KnowledgeC, and more system-related logs were added to Binalyze AIR

• Organization Tags

• Managed SOCs partners (MSSPs) can add, remove, list and group their Organizations by Tags. This  would simplify operational day to day needs, since it is much simpler to define and classify each Organization by 1 or multiple Tags. The new capability is available also via the API.

Enhancements

•  N/A

Fixes

• interACT get the command’s unresponsiveness bug fixed

• interACT session termination bug fixed

Version 3.3.1

Features

• Multiple Sigma Rule Upload

  • Investigators and Analysts can upload multiple Sigma rules to AIR Console at once

• Taking Full Logical Volume Images by using the user interface

  • Investigators and Analysts can create full logical volumes of images using either a user interface or a secure remote shell interACT.

  • Microsoft Windows, Linux, and Apple macOS operating systems are supported

• x64 support for Windows Agent

  • Beginning in version 3.3 64-bit version of the Microsoft Windows AIR Agent is available.

• Case ID Prefix

  • Customers using more than one Binalyze AIR Console instance can now add a prefix to their Case IDs. Therefore there will not be experienced any confusion about Case IDs anymore.

• Progress monitoring added to Get & Put commands on the interACT

  • Investigators and Analysts can see the file download progress from an endpoint (get command) and file upload to the endpoint from the library (put command) command outputs while using secure remote shell interACT.

• MITRE ATT&CK Scanner was added to Binalyze AIR Automated Threat Analyzer, DRONE

  • When Investigators and Analysts scan their systems with DRONE, they can see the MITRE ATT&CK mapped results in the report. DRONE rules are continuously developed and mapped to the MITRE ATT&CK framework.

Enhancements

• Some security improvements on AIR Console

• Some performance improvements on AIR Console

Fixes

• Minor bug fixes

Version 3.2.3

Hot Fix

• Hot fix that includes typo fixes, timeline date filtering, and browser back button navigation caused regarding the dashboard

Version 3.1

Features

• Golden image option was added to AIR Agent installation

  • AIR agent is now compatible with installation via a golden image for new device deployment. With this feature enabled, an administrator can prevent potential connection and availability problems that may have previously occurred on the AIR console for machines installed from a golden image.

• New File System Enumeration evidence for Linux and macOS

  • Investigators can list the creation, modification, and access dates and times of the files and folders on the Linux and macOS filesystem as CSV files.

Enhancements

• Baseline Comparison Reporting

• Collapse/Expand All items under the Acquisition Profile section.

• Acquisition Profile information was added to the Tasks list under the Endpoint details page.

• YARA 4.2 update

• FTPS support for full disk image

• SSL/TLS proxy server support was enhanced

Version 2.10.2

Features

• AWS EC2 one-click agent deployment

• Cloud forensics - Azure VM support

• Azure VM one-click agent deployment

• Auto Asset Tagging based on hostname, IP address, and subnet

• Auto Asset Tagging based on custom rules with osquery builder

• Linux full disc image via interACT

Enhancements

• 7x speed improvement for most evidence acquisitions on macOS and Linux

• You can now upload multiple YARA rules at once

• Improved troubleshooting logs

• Token support for MFA

Fixes

• Fixed an issue where sometimes recycle bin collection would fail

• Fixed an issue that prevented baseline comparison on unreachable endpoints

• Other minor bug fixes

Version 2.9.1

Features

• Added ability to enumerate Amazon AWS EC2 assets

• Added Yara triage support to macOS assets

• Added Baseline comparison for macOS assets

• Added full disk image collection with interACT for Windows assets

Enhancements

• Added ability to duplicate acquisition profiles

Fixes

• Fixed an issue where notifications were not shown about tasks in non-default Organisations

• Fixed the wrong warning message when deleting a task from a case.

• Fixed an issue where the user couldn't see the baseline comparison report even though the baseline acquisition task was finished.

• Fixed the name column sorting in the interACT Library

•  

Version 2.7.2

Fixes

• Fixed task migration scripts update

• Fixed scheduled task comparison is missing on Baseline Comparison

• Fixed connecting AD user with less than 5 characters

• Fixed spelling mistake is shown On ESXi Agent Deployment Page

• Fixed UI issues about ESXi tab

Version 2.7.0

Features

• Added support for Apple macOS assets

• Added Chromebook standalone collector (credit: Yuta K.)

• Added ESXi standalone collector (credit: Andres S. and Mason T.)

Enhancements

• Case selection is now optional with an Enterprise or MSOC license

• API now includes endpoints for Repositories, Baseline, Case and Organizations (Docs)

• Improved the retry process for interACT’s get and put commands

Fixes

• Fixed issue with downloading files with special characters via interACT

• Fixed acquisition history graph on the dashboard

• Fixed other minor functionality and UI issues

• Fixed UTC time mismatch in DRONE for Windows event logs and event records

• Fixed DRONE stability issue when using keyword search

Version 2.6.2

Feature

• Added public API (see details)

Version 2.5.1

Fix

• Fixed a bug in the DRONE configuration file migration process.

Version 2.4.0

Blog News: v2.4.0

Features

• Added e-Discovery collection to acquisition profiles (credit Yalkin D.)

• Added Tamper detection to agent

• Added agent support for Linux arm64 (aarch64)

• Added curl command to interACT

• Added hex command to interACT

Enhancements

• Added IP Address column to Endpoint table

• Added silent installation tooltip for SCCM agent deployment

• Added endpoint name to audit log filter

• DRONE keyword search capability is now more visible

• Improved zip command in interACT - Now zips to folder

• Added new metrics for case report memory section

Fixes

• Fixed unquoted service path issue after a config update (CVE-2021-42563)

• Fixed minor issues on timeline export

• Fixed duplicated user validation issue

• Fixed evidence repository name and path validation issue

• Fixed system resource usage not updating in interACT session issue

• Fixed renaming evidence repository issue

• Fixed an issue that allowed task assignment to endpoints with an old agent

• Fixed webhook addresses not updated after a change of console address

• Fixed SFTP current directory support

• Fixed opening report issue in Safari browser

• Fixed minor issue on Sigma rule parser

• Fixed minor issue on Drone table

• Fixed minor UI issues

Version 2.3.5

Blog News: v2.3.5

Features

• Added Sigma rule triage for Windows

• Added autocomplete functionality to interACT

• Added ServiceNow support to webhooks

Enhancements

• Added new privilege to allow changing endpoint label

• Added auto asset tag rules for Docker and Kubernetes

• Added version information to settings

• Added ability to handle Unicode file paths in YARA scanner

• Added ability to specify a temporary staging directory for acquisition tasks that use evidence repository

• Improved evidence collection on low capacity endpoints by letting AIR automatically select the volume with the greatest available free space (credits: Babak M.)

• Improved evidence repository background upload mechanism with persistent retries

• Improved case export functionality

Fixes

• Fixed minor memory leak of canceled tasks

• Fixed minor logging issues

• Fixed interACT exec command stdin issues on Windows

• Fixed a bug related to listing unsupported drone analyzers

• Fixed case filter issue

• Fixed policy list on task creation, missing policies

• Fixed case-sensitive username issues

• Fixed case day counter

• Fixed minor bugs on the report

• Fixed other minor bugs

Version 2.2.1 

Blog News: v2.2.1

• Added Slack integration support

• Added Mattermost integration support

• Fixed timeline sort issue

• Fixed viewing case.ppc issue on failed tasks

  
  

  Read the detailed notes

Version 2.1.5

• UI/UX improvements on case containers

• Fixed minor bugs related to case containers

• Fixed drone autopilot issue on scheduled tasks and webhooks.

• Fixed a bug about using azure storage as evidence repository on linux agents

Version 2.0.5

Version 2.0.1

Version 1.8.3

Version 1.8.0 (RC)

New:

• Added Docker-based installation support. Once a stable version of v1.8 is released, docker will be the only deployment option. Since then, the MSI installer will no longer be available. Our knowledge base page is available to show how to install the new version of AIR

• Added multiple organization support.

• Added Azure AD single sign-on support.

• Added 2FA support.

• Added stateless queue-based background worker system.

• Added network capture option to acquisition profile.

• Added device name and os on agent visit requests.

• Added deployment token to deploy endpoints more secure way.

• Added some rules to prevent confusion and irregularity on users/roles (Only Global Admins can create Roles, predefined roles cannot be updated).

• Added Wazuh integration support.

Version 1.7.60

• Fixed password reset bug.

• Improved endpoint console address migration feature.

Version 1.7.50

This is the stable release of the previous RC version (v.1.7.45)

• Blog News: v1.7.50

• Fixed a bug upgrading endpoints with old version to newer version

• Fixed notifying NATS for the endpoints that need to be upgraded to the new version

• Fixed a bug regarding database backup

• Added support for validating settings for Azure Blob Storage and AWS S3

Version 1.7.41

• Minor bug fixes

Version 1.7.35

• New feature: GNU/Linux support for Debian and Redhat based distributions (Preview)

• New feature: Added SFTP support to evidence repositories

• New feature: Added compression and encryption support for evidence

• New feature: Added endpoint isolation for Windows platform

• New feature: Added policy support that gives you the ability to manage evidence repository location, compression, encryption, and CPU limit based on rules (credits: Turkcell CDC)

• Added extended file information for triage files

• Added dependecy checking to evidence repository deletion process

• Added linux acquisition evidence list

• Added "Use options provided in policies" and "Use custom options" choices to the acquisition, triage, trigger process

• Added platform column to endpoint datagrid

• Added platform, isolation status, and policy filters to endpoint page

• Added Linux deploy steps to deploy page

• Added assigning log retrieval task to offline endpoints.

• Optimized caching to minimize performance bottlenecks caused by high request load

• Optimized security token check performance

• Optimized concurrent message handling on Nats server

• Refactored worker pool to works based on priority

• Refactored the endpoint task queue to work with the task configs in policies and custom configs

• Removed patrol from AIR

• Fixed XSS exploit on audit logs

• Fixed the performance bottleneck on the task progress update process

• Fixed a memory leak in the visit process on the windows agent

• Fixed a problem in windows agent installation version check

• Updated EULA

• Minor UX improvements

• Minor bug fixes

Version 1.7.30

• Improved triage match results

• Improved AD sync performance

• Improved audit log db write transactions

• Improved license capacity checks

• Improved LDAP login

• Highly optimized task core module performance

• Highly optimized endpoint task queue memory usage

• Highly optimized audit log storage

• Highly optimized realtime task assignment to endpoints

• Optimized logging on agent

• Optimized debugging log on worker tasks

• Optimized Agent Installer download performance

• Optimized task result upload performance

• Optimized db bulk operations

• Optimized triage rule storage

• Optimized task storage

• Refactored worker core module

• Fixed an issue related to sending triage task result

• Fixed performance issue caused by Patrol module

• Fixed disappearing endpoint tags after AD sync issue

• Fixed loading up tasks to endpoint queue issue caused by db migration

• Fixed the register required bug that is caused by latency on endpoint registration

• Fixed the performance issue on visit requests caused by agent update load balancer

• Fixed investigating same endpoints multiple times in the same investigation

• Fixed security token mismatch bug on visit requests

• Fixed the bug caused by reloading task details on the UI

• Fixed the bug related to license validation for online and offline environments

Version 1.7.23

• Improved endpoint connection error logging

• Changed max memory cache size to maximum

• Highly improved memory usage of the endpoint task queue

• Increased node's memory usage limit to 6GB

• Reduced effect of long-running tasks on the starting speed of the application

• Fixed performance and memory issue on sending events to Syslog and audit logs

• Fixed a minor bug on the endpoint registration issue

• Fixed a minor bug on fix endpoint issue task

• Fixed a minor bug on the installer

Version 1.7.20

• Fixed minor bugs

Version 1.7.13 (RC)

• Fixed an issue in agent installer

• Other minor bug fixes and improvements

Version 1.7.11 (RC Sunburst Edition)

Fixed minor typo

Version 1.7.8 (RC)

• Fixed an issue in event log parser

Version 1.7.6 (Beta)

• Minor improvements and bug fixes

Version 1.7.3 (Beta)

• Added support for downloading report as HTML (credits: Turkcell CDC)

• Improved Quick Acquisition Profile

• Improved agent update mechanism (credits: Orhan Solak - Barikat Cyber Security)

• Fixed an issue in agent task processing mechanism (credits: Burak Karapınar - HAVELSAN)

• Fixed an issue in agent manual uninstallation (credits: Orhan Solak - Barikat Cyber Security)

Version 1.6.14

• Added support for parsing SRUM Application Resource Usage

• Added support for parsing SRUM Network Data Usage

• Added new event records

• Added MAC time to crash dumps

• Added Custom Content collection from all drives (credits: Mason Toups)

• Added Triage on all disk drives (credits: Mason Toups)

• Added host content to report

• Added export process table as CSV (credits: Alexander Jarvis)

• Added Last Write Time for Installed Applications

• Added support for CPU usage limitation (credits: Turkcell CDC)

• Added Refresh button to the endpoint groups section

• Added Delete All Tags button to the endpoint tags section

• Added Delete button to all detail pages

• Improved settings page design

• Improved design of table action buttons

• Improved Browser History acquisition

• Improved Network Share connection check

• Improved exception handling

• Fixed an issue with event logs

• Fixed WMI query exception problem

• Fixed Downloads section processed count

• Fixed an issue with timestamping

Version 1.6.9

Version 1.6.4 (Code Name: Sirius)

Version 1.4

Version 1.3.5

Version 1.3