Code42 cloud release notes

Last updated
Save as PDF
Share
1. Share
2. Tweet

Who is this article for?

Incydr, yes.

CrashPlan for Enterprise, yes.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

Overview

This page lists new features and bug fixes released to the Code42 cloud. Click a month below to expand or collapse the details.

These updates primarily impact cloud-only Code42 environments (without on-site authority or storage servers), but some of the fixes and enhancements also apply to Code42 environments with on-premises authority servers that use Code42 cloud storage.

For the Code42 app, see Code42 app version 8.2 release notes.

January 2021

Features

Code42 Developer Portal

January 11, 2021

The Code42 Developer Portal is a new resource site for those who want to write scripts to automate Incydr tasks and set up integrations.

Benefits of the portal include:

A single access point for documentation of methods for Incydr, including Code42's REST API, Python SDK py42, and command-line interface (CLI)
A single request URL for Code42 API calls to each cloud instance
Code42 API reference documentation as well as articles that describe how to use the APIs
Open-source contributions to the portal using GitHub

Code42 Developer Portal

Get help
For help using the resources in the Code42 Developer Portal, contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.

Enhancements and updates

January 8, 2021

Case details now display additional risk context to provide a more holistic view of the user being investigated. Details include:
- If the user is on the High Risk Employees or Departing Employees lists.
- Other risk factor attributes in the user's profile (for example, High impact employee or Flight risk).
Added a Code42 support user type to the Audit Log search filter. Employ this user type to search for events triggered by Code42 support users who are given support access to your Code42 environment.

Bug fixes

January 13, 2021

Fixed an issue where permissions changes to folders in Box and OneDrive cloud services could be incorrectly attributed to the wrong actor in Forensic Search. In some cases, this fix may result in a blank value for File exposure changed to in Forensic Search for activity detected in Box and OneDrive.

December 2020

Features

Recommended rule templates in Alerts

December 9, 2020

Alerts adds new pre-configured, recommended rule templates. These templates allow you to quickly create rules from common default settings that you can modify as needed for your environment.

Recommended rule templates

Export case data

December 9, 2020

Cases now provides the option to export and download case details to PDF and CSV files. This enables you to more easily share case data with others in your organization.

Improved Code42 console navigation

December 8, 2020

The redesigned Code42 console navigation menu now appears across the top of the screen, instead of on the left.

December 2020 Code42 console navigation menu

Benefits of this update include:

Enhanced usability and organization
A more compact design increases the usable viewing area for all Code42 console screens

Most items have the same name and relative hierarchy within each top-level menu. However, some items changed names or appear in new places. See Changes to the Code42 console navigation for complete details.

Enhancements and updates

December 16, 2020

Security updates.
When retrieving agent logs from the Code42 console, adds the option to receive an email notification when logs are available.
Improved error messaging when adding a new SSO authentication provider via Identity Management > Authentication if there is a problem with the XML metadata file upload.
Updates to translations.

December 7, 2020

In the Forensic Search CSV export, the column heading Shared With changed to Shared With Users to match the label in the search interface. If you use customized scripts to parse this CSV export, you may need to update them to account for the new column name.

December 3, 2020

Added a Console login event type to the Audit Log to record logins to the Code42 console.

Bug fixes

December 16, 2020

Performance and stability improvements.
Fixed an issue where attempting to create a deployment policy with the same name as an existing policy resulted in an unknown error. Now, you can create multiple policies with the same name.
Fixed an issue where a user with an apostrophe in their username could not sign in to the Code42 console via SSO.
Fixed a rare issue where files could not be downloaded from Forensic Search if the capitalization of the filename or file path changed on a device. For example, files in the path Users/Clyde/Documents may not have been available to download if they previously existed in the path Users/clyde/documents.
Fixed a display issue where a very long backup exclusion could cause the Regular expression checkbox and Add + button to be hidden.

December 9, 2020

File events for files uploaded from cloud sync folders or removable media now more accurately indicate the activity that created the risk exposure by including only the Exposure Type Read by browser or other app. Previously, these events may have also included the Exposure Types Activity on removable media and Synced to cloud service.

December 7, 2020

Fixed an issue where the Forensic Search API documentation did not display the complete Base URL at the top of the page.

November 2020

Features

Automated integrations

November 13, 2020

Code42 automated integrations provide an option for automating systems and workflows, which Code42 manages and monitors. These integrations can help speed your processes for detecting, investigating, and responding to insider risks. For example, you might choose to connect systems as follows:

When an alert is triggered in Code42, a ticket is automatically opened in a system like ServiceNow.
Automatically add users to the Departing Employees list based on updates to information in your human resources system, such as Workday or ADP.
When an alert is triggered in Code42 for a departing employee, a user is added to a specific Okta group with lower permissions. Then, a ticket is opened in Jira with alert details for further investigation by your security team.

For more information, see Configure automated integrations.

Improved trusted domain support for OneDrive

November 5, 2020

The Microsoft OneDrive cloud data source now uses the same list of trusted domains as all other data sources and exposure events. This means:

The Trusted Domains for OneDrive setting is no longer needed and was removed from the Data Preferences > Trusted Domains tab.
For files shared outside your OneDrive instance to be categorized as Outside trusted domains, you must add at least one entry to the list of trusted domains.

Previously, the only domain you could configure to trust was your internal OneDrive instance and your list of trusted domains was not applied to OneDrive events.

Enhancements and updates

November 23, 2020

Released Code42 User Directory Sync version 1.5.2. For details, see the Code42 User Directory Sync release notes.

November 20, 2020

Adds the ability for administrators to use the Code42 console to retrieve Code42 app logs from user devices.

November 18, 2020

The Security Center User role now includes permissions to view user information for all organizations in your Code42 environment. Previously, the Security Center User role did not directly grant access to view or manage users and required applying an additional administrative role such as Org Admin.
Added a new Audit Log Viewer role to enable you to grant permissions for specific users to view the Audit Log.
Added File download and File download: IO error event types to the Audit Log to record when users download files using Forensic Search.
Added a Local auth only change event type to the Audit Log to record when users' authentication method is changed between local authentication and SSO.

November 12, 2020

The Forensic Search CSV export now only includes the fields applicable to your product plan. For example, if your subscription does not include email data sources, the CSV export no longer contains columns related to email exfiltration. Previously, the CSV export contained column headings but no data for features not included in your product plan. If you have customized scripts for parsing these CSV exports, you may need to update them to account for this change.

November 6, 2020

Cases now enables you to specify an Assignee for a case. This allows investigations to be assigned to a specific security analyst or administrator.

November 3, 2020

Forensic Search CSV exports now include a leading byte order mark (BOM) to more clearly indicate the file is UTF-8 encoded. This provides better support for international characters, especially when opening the CSV files in Microsoft Excel. If you have customized scripts for parsing these CSV exports, you may need to update them to account for this change. For example, in Python, open the file with the "utf-8-sig" encoding. In other implementations, you may need to account for the new BOM at the start of the file to ensure column headings are read correctly.

Bug fixes

November 19, 2020

For the Box and OneDrive cloud data sources, fixed an issue where the Actor reported in Forensic Search may not represent the user who made a sharing permission change. Previously, Code42 identified the Actor as the last user to update a file’s contents, which may not have accurately reflected who changed its sharing permissions. Now, Code42 correctly identifies the Actor who made a sharing permission change that increased exposure.

November 18, 2020

Improves Code42 console responsiveness when multiple device settings updates are being pushed to user devices.
In Code42 environments with an on-premises authority server using Code42 cloud storage, fixed an issue where administrators were unable to reset archives.
Fixed a rare issue where Code42 console search results could incorrectly show 0 results for a search term with at least one match.
For Code42 environments with Advanced Settings enabled for Client Updates, the list of versions to block now correctly lists the three most recent versions. Previously, only two versions appeared.
Apostrophes in users' names are now consistently formatted as single quotes ('). This fixed an issue where it was possible for the first and last name fields to use an apostrophe or "smart quote" while the email address used a single quote. This could cause inconsistent search results.
Fixed an issue where attempting to map an Azure SCIM group with no members to a Code42 organization caused an error.

November 3, 2020

In Forensic Search, fixed an issue where file events with more than one Exposure Type only displayed a single value under certain circumstances.

October 2020

Features

Confirm macOS full disk access status

October 19, 2020

Apple privacy restrictions require that you grant Code42 full disk access on user devices to enable security monitoring and backup activity for all files on the device. To help identify if devices have the required permissions, we've introduced two ways to confirm the full disk access status on a device:

For an individual device: In the Code42 app, enter the Code42 command fullDiskAccess.
For all devices in an organization: See our Code42 API tutorial for viewing full disk access status.

Requires Code42 app version 8.2 or later

Destination categories for file uploads

October 19, 2020

File event details in Forensic Search and Cases now include Destination Category and Destination Name fields to better categorize where a user sent a file. For example, it's now easier to search for all files sent via email, or to search specifically only for files sent via Gmail. This enables you to better focus your investigations on higher risk file activity in unsanctioned locations.

Configure macOS permission notifications

October 16, 2020

Beginning with Code42 app version 8.5, the Code42 app checks to ensure it has the full disk access permissions required to monitor and back up all files on Mac devices. For devices with missing permissions, the Code42 console enables you to show or hide a warning message for users in the Code42 app.

New alert rule to monitor filenames and extensions

October 7, 2020

The new Filename or extension rule notifies you about exfiltration activity involving files with specific filenames, extensions (such as TAR, ZIP, or CPP), or words within a filename (such as "forecast" or "sales"). This rule is automatically triggered when files that match the name criteria are:

Moved to removable media or cloud sync folders
Read by a browser or app
Made publicly accessible in cloud services
Shared outside of the domains you trust

You can enter multiple lines in one rule to monitor several different filenames or use wildcards to define common patterns in filenames to watch for.

Enhancements and updates

October 26, 2020

Updates to Forensic Search:
- The Shared With search filter and metadata field is now labeled Shared With Users.
- When adding a file event to a case, the Add to case dialog now displays the 10 most recent cases. Previously, all cases appeared. If the case you're looking for is not in the list of recent cases, you can still enter text to search for other cases.
- The search filter for selecting a date range changed the format to MM/DD/YYYY from YYYY-MM-DD.
The Case Details tab now displays the case created and modified dates.

October 22, 2020

In Cases, expanded filtering options to include case status, date created, and case subject.

October 21, 2020

Reverts a change introduced on September 23, 2020 which started emailing Directory Sync Reports to users with the Alert Emails role. Now, Directory Sync Reports are once again only sent to users with the Customer Cloud Admin role.
Devices using unsupported Windows 10 build 1709 will not upgrade to newer versions of the Code42 app. To upgrade, devices must run a supported Windows version (currently build 1803 or later).
Security updates.

October 16, 2020

In Alert details, added a Send email link that composes an email to the user to request more information about their file activity. You can customize this email as needed before sending it.

October 7, 2020

In Cases, added the option to filter by case name.

October 6, 2020

Added user event types to the Audit Log, such as when a user is added, deactivated, or undergoes a username change. In addition, added an External attributes change event that logs when a provisioning system updates a user's attributes, such as job title, manager, or department.
Added a search-results-export API command for the Audit Log that allows you to export up to 100,000 results at once. The older search-audit-log API only allowed you to export up to 10,000 results at at time.

October 2, 2020

On the Risk Exposure dashboard, added a View event details button to the Endpoint activity over time and Cloud sharing over time graphs for better visibility and performance. Previously, this information was available after clicking a value in the Users column below each graph.

Bug fixes

October 26, 2020

In Forensic Search:

Fixed an issue where a search could not be saved if the Event Type was empty.
Fixed several display and alignment issues with the Add to Case dialog.
Fixed an issue introduced on October 19, 2020 with the Trusted Activity filter where setting the value to Exclude caused an unexpected error.

October 21, 2020

Performance and stability improvements.
Fixed an issue with the email invitation for new users to register with Code42 where attempting to complete the registration form could result in the error message invite_error_SYSTEM.
Fixed an issue where older versions of a file were not visible in the Restore files view under certain circumstances. (Older versions were still available to restore via direct search, just not by navigating to the file via the parent directory.)
Improved error messaging when adding a new authentication provider via Identity Management > Authentication if the metadata file is too large or uses invalid parameters.
Fixed an issue where the Code42 console search and User Backup Report did not return results for users with apostrophes in their email addresses.
Fixed an issue on the Create New Customization Template screen where the links to View an example did not properly display the sample images.
Fixed an issue where navigating away from Forensic Search results to other Code42 console screens and then back to Forensic Search displayed the most recently-issued search. Now, Forensic Search correctly displays a new search.
Fixed a legal hold issue where releasing a custodian who was previously deactivated in Code42 did not properly deactivate the user under certain circumstances.

October 12, 2020

Fixed an issue where the High Risk Employees and Departing Employees badge remained after a user was removed from the lists via their User profile. The employee was removed from the list, but the badge remained.

October 5, 2020

From the Endpoint dashboard, fixed an issue where exporting a list of endpoints not reporting security events resulted in an error.

September 2020

Enhancements and updates

September 29, 2020

The initial file metadata collection scan no longer creates New file events for all files on the endpoint. This reduces the time required to complete the scan and uses fewer CPU resources. However, the initial scan does still index all files, which provides the visibility necessary to identify insider risks.

September 23, 2020

Provisioning provider settings now include a new Apply Org and Role Settings option in the Actions menu to perform an on-demand sync from the Code42 console. Previously, a sync could only be initiated via a scheduled job or the command prompt.
On the Organizations page, removed the Total and Cold Storage columns. This data is still visible in the detail view for each organization.
Improved error messaging when adding a new authentication provider via Identity Management > Authentication if there is a problem with the XML metadata URL.
In the provisioning provider Sync Log:
- Added new options for the number of results to display per page.
- Added a new Refresh Table button.
The directory sync report email now lists the affected provisioning providers in the body of the email. Previously, providers were included in the email subject.
Removed the Last Signed In date from the User Details screen and lastLoginDate field from the CSV export.
In the Code42 API, the User resource now allows requests with multiple roleName query parameters and returns results that match any of the supplied roles.
Security updates.

Updated the Code42 application in Azure AD to perform provisioning from Azure AD to Code42 in addition to providing SSO.

Added the ability to generate OAuth tokens for authentication of SCIM provisioning providers.

September 18, 2020

Added event details to the Audit Log to help you quickly view more information about the selected log event.
The User Profile and the Risk Exposure dashboard now list filenames and file paths associated with the file events of a particular user. Previously, this information was only available in Forensic Search.

September 11, 2020

User Profile made available for users with Incydr Basic and Code42 Diamond product plans and the Cross Org Security Viewer role. Previously, the User Profile was only available for Incydr Advanced and Code42 Platinum product plans.

September 8, 2020

Added a link to the alert details that lets you quickly edit the rule that generated the alert notification.

September 4, 2020

Added the destination category, application name, and tab name and URL (when available) to the alert details. This information is now listed for files that are uploaded to a browser or app and trigger the Exposure on an endpoint or Suspicious file mismatch rules.

Bug fixes

September 23, 2020

Performance and stability improvements.
Fixed an issue in which Directory Sync Reports were emailed to all users with the Customer Cloud Admin role. Now, reports are only sent to users who also have the Alert Emails role.
Fixed an issue in which the cold storage purge date could not be changed for archives with multiple backup sets.
On Mac devices, fixed a rare issue in which adding /Volumes to the list of backup exclusions could cause an error when trying to change the backup file selection or select files to restore.
Fixed an issue in which a user with an apostrophe in their email address could not be created or edited under certain circumstances.
When editing client delay settings, you can no longer remove the selected organization. Instead, you must select a different organization. This prevents an "unexpected error" when attempting to save a delay without specifying an organization.
When adding a client delay for a specific organization, fixed an issue in which text could not be entered in the search box.
In Code42 federal environments:
- Fixed an issue in which files from a deleted backup set could appear in search results when attempting to restore files, even though the files are no longer available to restore.
- Fixed an issue in which files with multiple versions could not be downloaded from Forensic Search.
Updates to Forensic Search:
- Fixed a very rare issue in which saved searches didn't load properly.
- After creating a saved search, fixed an issue in which the link in the confirmation message incorrectly opened the Risk Exposure dashboard instead of the newly-created search.
- Improved error messaging when attempting to add a duplicate event to a Case.
- File downloads for printed file events are now properly restricted to only users with either the Customer Cloud Admin or Security Center - Restore role.
- Updates to translations.
- Security updates.

September 14, 2020

In Forensic Search:

Navigating away from search results to other Code42 console screens and then back to Forensic Search now correctly displays a new search. Previously, the most recently-issued search re-appeared.
Fixed two minor styling issues in the Safari web browser when adding a file event to a case.

Known issues

When a user receives an email invitation to register with Code42, attempting to complete the registration form may result in the error message invite_error_SYSTEM. To complete the registration, leave the first and last names blank and only complete the password fields. If you need additional help inviting new users, contact our Customer Champions for support.

August 2020

Features

Early access: Case management for security investigations

August 31, 2020

A new Cases interface in the Code42 console helps you manage security investigations with tools that collect, organize, and retain user file activity.

Specifically, Cases enables you to:

Assemble evidence related to an investigation
Add notes to provide additional context
Summarize and share findings with others in your organization

For more details, see Create and edit cases.

Case details

Early access: View Forensic Search events in the Code42 Audit Log

August 26, 2020

The Code42 console added the Audit Log, a record that shows events in your Code42 environment. While in early access, the Audit Log is limited to Forensic Search events. To access the Audit Log, navigate to Reporting > Audit Log.

You can filter events in the Audit Log by username, date, and IP address, as well as export the results in comma-separated values (CSV) format. You can also use the Code42 API to export Audit Log events in CSV, CEF, or JSON format for import into your internal security team tools. The Audit Log records events for the last 90 days, but to maintain Audit Log output for a longer period, you can export the results to your own systems for storage. While there is no limit to the number of events recorded in the Audit Log, the maximum number of events that can be viewed or exported at once is 10,000.

Code42 Audit Log

Better control over delayed client upgrades

August 19, 2020

The Client Updates settings now offer additional options for customizing when Code42 app upgrades occur on user devices. Enhancements include:

Ability to set a one-time delay to deploy a specific Code42 app version on a specific date.
Ability to block a specific Code42 app version from ever being deployed to user devices. To request a block, contact our Customer Champions for support.
Organization Exceptions are renamed Recurring Delay to more clearly indicate the selected organization always receives new Code42 app versions after a specified delay.
The existing Global delay setting is unchanged and continues to provide the option to define a delay for your entire Code42 environment.

New roles for managing detection lists

August 19, 2020

New Departing Employee Manager and High Risk Employee Manager roles enable you to grant more granular permissions for application integrations that add and remove users from the Departing Employees and High Risk Employees lists.

New Code42 Insider Threat app for Splunk

August 18, 2020

A new Code42 Insider Threat app for Splunk is now available. This app adds Code42-specific dashboards to Spunk that show file exposure activity, which can help you identify insider risk. The previous Code42 app for Splunk is now listed as "Legacy," but remains available for customers already using it.

Username details for cloud sync activity

August 6, 2020

Synced to cloud service events now capture the name of the user signed in to the cloud sync application on the device. This enables you to identify the specific account connected to the sync destination. For example, you can now identify if a file synced with Google Drive is being stored in your corporate G Suite, or in an unsanctioned personal Google account.

In Forensic Search, use the new Sync username field to filter search results and provide additional context to file events.
Synced to cloud service events are now evaluated against your list of Trusted domains. Activity from users on domains you trust is excluded from Code42 dashboards and alerts. This reduces noise and helps you focus on higher-risk activity.

Enhancements and updates

August 28, 2020

The Forensic Search API now offers the option to retrieve more than the first 10,000 file events with the addition of pgToken and nextPgToken request fields. For implementation details, see the Model tab in the SearchRequest and FileEventResponse sections of the fileevent API documentation.

August 25, 2020

On the User Profile and Risk Exposure dashboard, added vendor details for removable media file events.

August 19, 2020

Removed the option to use a default user detection script in a Code42 cloud deployment policy. Deployment policies in the Code42 cloud have always required a custom script to establish user email addresses; removing the option from the Code42 console reduces the risk of inadvertently creating a deployment policy that would not be able to properly detect the username.
Standardized formatting and style for numerous emails sent from Code42.

August 13, 2020

Updated the alert details for files moved to cloud sync folders to list the username signed in to the cloud sync application.

Updates to User Directory Sync (UDS). Version 1.5.1 introduces:

Correction for an issue where selecting the NONE value for the ldap.bind.authtype UDS configuration property did not result in anonymous binding. In addition, the STRONG value is removed from the list of valid values for the property.
Improved handling of directory services that don't support paging controls.
Improved handling of success codes during missing user deactivation.

August 6, 2020

In Forensic Search, the dropdown menu to select a search filter now supports manual text entry to search all possible filters. This helps you more easily find and select search filters.

Bug fixes

August 19, 2020

Performance and stability improvements.
Fixed an issue in which settings changed in the Code42 console could take an unexpectedly long time to apply to a single user with many devices.
Fixed an issue in which the /scim-server/apply-configuration-to-users API incorrectly applied role assignment mapping changes to local users. (Local users are exempt from SCIM management.)

August 17, 2020

In Forensic Search:

Fixed an issue in which removing a search filter could cause the remaining search filters to have incorrect values.
Fixed an issue in which searches with the Exposure Type value exists or does not exist did not display properly after refreshing the page or when accessing the search via a direct URL.

August 6, 2020

Fixed an issue in which file events on subdomains were considered trusted if the list of Trusted domains contained the "parent" domain without a wildcard (*). For example, now you must enter *.example.com to also trust activity on subdomains like sub.example.com. Before, entering example.com (with no leading wildcard) trusted both the "parent" domain and any subdomains.

Known issues

If you use Code42 User Directory Sync version 1.5.0 or earlier with the missed.user.check=true configuration property, the User Directory Sync logging does not show that users were deactivated. To fix this issue, upgrade to the latest version of Code42 User Directory Sync (version 1.5.1 or later).

July 2020

Features

Improved visibility of files shared in cloud services

July 29, 2020

On the User Profile and Risk Exposure dashboard, a new Cloud sharing tab improves visibility of file sharing permission increases. Permission increases occur when files are shared publicly.

New Cloud sharing tab on the User Profile and Risk Exposure dashboard

AirDrop file exfiltration detection

July 22, 2020

For Mac devices, AirDrop is now included in the list of browsers and other applications monitored for file exfiltration.

In Forensic Search, AirDrop activity is indicated by the process name /usr/libexec/sharingd in the Exposure > Executable Name field.
In dashboards and other places that report browser activity, AirDrop is included in the totals for Read by browser or other app activity.

Email notifications for administrator access changes

July 22, 2020

To provide better visibility into who has administrator permissions and to help you identify potential unauthorized access, Code42 administrators now receive email notifications when:

Code42 Support Access is granted or removed.
An administrator role is added to a user, both for existing user permission changes and for new user creation.

Enhancements and updates

July 30, 2020

Updates Alerts to:
- Add new statuses to alert notifications to provide more context about an alert or record stages of its investigation.
- Add a link to the User Profile in alert notifications when the Code42 username is available or the actor's cloud alias is associated with a Code42 user.

July 22, 2020

Security updates.
Devices using unsupported Red Hat Enterprise Linux (RHEL) 7.5 will not upgrade to newer versions of the Code42 app. To upgrade, devices must run a supported Linux version.
Removed the ruleName column from the User Activity CSV export. ruleName data only applied to the Pattern Matching detection type, which is no longer supported.

July 16, 2020

Adds new filters to Alerts to make it easier to narrow down the Review alerts list to show notifications of interest.

July 15, 2020

On the User Profile and Risk Exposure dashboard, adds vendor details for removable media file events.
In Forensic Search file event details:
- Fields with multiple values now display each value on a separate line. Previously, multiple values were displayed on a single line in a comma-separated list.
- Very long values now wrap text to a new line to ensure the entire value is visible. Previously, some very long values were truncated with an ellipsis (...).

July 7, 2020

For Box cloud services, improves the onboarding of newly authorized Box connections by monitoring all drives immediately while indexing those drives at the same time.

July 6, 2020

Adds APIs to work with security alert notifications and rules. You can dismiss and reopen notifications, add notes to notifications about investigations, and manage the users monitored by alert rules.

Bug fixes

July 22, 2020

Performance and stability improvements.
In the Code42 console:
- Improved messaging to explain that sending limits cannot be changed for individual devices if the setting is locked at the organization level.
- Fixed an issue that could cause an error message to occur while scrolling through a list of devices.
- Fixed an issue in which clicking Save in the Device Backup Default Settings screen did not close the window under certain circumstances.
- On the Investigation > Activity Notifications screen, fixed a translation issue which prevented the Learn more about migrating alerts link from appearing for non-English languages.

June 2020

Enhancements and updates

June 17, 2020

Security updates.
When performing a web restore and selecting a previous file version to restore:
- Deleted versions are now more clearly labeled as "Deleted" and cannot be selected to restore.
- Timestamps for each version are now presented in Coordinated Universal Time (UTC).
Removed the Pattern Matching graph from the Investigation > User Activity screen.
Removed the following references to the deprecated Code42 for Enterprise mobile app:
- Backup user mobile quota field in the Code42 console.
- The # Mobile Devices column in the User Backup report and Organization Backup Report and CSV exports.
Enhances readability for Data Source details. Previously, the Data Sources list included complete information about a connection. Now the list provides brief details at a glance, with full information for the selected data source accessible when you click for more details.

June 16, 2020

Adds a new Username (signed in to device) filter in Forensic Search to capture the signed-in user, as reported by the device's operating system. For devices with multiple user accounts, this enables you to see which user was active when the file activity was observed.

June 10, 2020

Adds notes to alert notifications to record further details, give context, or describe the status of an investigation. You can add notes to alert details or choose to add a note when dismissing or reopening an alert.

June 9, 2020

For the Departing Employees and High Risk Employees lists, adds file category details for cloud share permission changes. Previously, clicking View event details only showed cloud share permission changes by sync destination.

June 8, 2020

Version 0.7.0 of the Code42 command-line interface (CLI) is now available. This update includes:

User management options for alert rules and legal hold custodians
Options for integrating alerts with a SIEM tool
Options to bulk add and remove risk factors from high-risk employees

Bug fixes

June 17, 2020

Performance and stability improvements.
Fixed an issue in which changes could not be saved to existing client customization templates.
In child organizations that do not inherit settings from the parent organization, fixed an issue in which changed settings did not save properly when User Profile Backup (USMT) is enabled for the parent organization but not for the child organization.
Fixed an issue in which sort arrow icons incorrectly appeared in the column headings of the Last Backup Activity and Stored columns in the Devices list. These columns are not sortable.
Fixed an issue in which selecting Administration > Settings > Keystore collapsed the Administration section of navigation menu and expanded the Investigation section. While the Keystore page did remain on the screen, the menu navigation no longer matched the active window.
Fixed a rare intermittent issue in which backup storage statistics and graphs could incorrectly report 0 MB backed up. This was a display issue only; backup archive integrity was not affected.
Improvements to logging.

June 15, 2020

On the Risk Exposure dashboard, fixed an issue in which clicking the Investigate in Forensic Search icon did not load the correct search results under certain circumstances.

May 2020

Features

Trusted domain filtering expanded to dashboards, alerts, and more

May 18, 2020

Domains on your list of Trusted domains now apply to more than just Forensic Search results:

File events on the Risk Exposure dashboard, Departing Employee and High Risk Employee lists, User Profiles, and in Alert notifications are now automatically filtered to only show events outside your trusted domains.
A new Trusted Activity filter in Forensic Search lets you easily include or exclude results for endpoint and email activity on trusted domains.
For Read by browser or other app events, trusted domain filtering now also applies to the Tab/Window Title and Tab URL fields.

This helps you focus investigations on higher-risk activity by filtering out events for domains you trust.

Remote file activity detection by IP address

May 18, 2020

Data Preferences in the Code42 console now includes a new tab to define your in-network IP addresses. Listing your in-network IP addresses enables Code42 to label activity from any IP address not on this list as remote activity, and lets you customize search results and dashboards to include in-network activity, remote activity, or both.

To view remote activity:

In Forensic Search, add the Remote Activity filter. In the file event details, remote events include a Remote activity label in the IP Address (public) field.
In Alert notifications, look for the Remote activity label next to the IP address.
On the Risk exposure dashboard:
- In the Top file activity section, click View by remote activity.
- Click the Remote activity tab within the All activity view.

Remote activity tab on Risk Exposure dashboard

Early access: Printer activity detection

May 5, 2020

On Mac and Linux devices, Code42 now detects files sent to printers. Once you enable print detection, print events are searchable in Forensic Search and you can download images of printed files. Monitoring printer activity gives you visibility into one more method of possible file exfiltration. Requires Code42 app version 8.0.0.

Enhancements and updates

May 20, 2020

Security updates.
In the Code42 console, non-administrator users now have permission to view restore history only for restores they performed. Restores performed by administrators are no longer visible to non-administrators.

May 19, 2020

For the Departing Employees and High Risk Employees lists, adds cloud share permission changes to file event details. Previously, clicking View event details only showed details for events that occurred from an employee's endpoint.
Updates creating or editing an alert rule with simplified steps and modular panels, for easier navigation and reduced scrolling.

May 7, 2020

Security updates.

Bug fixes

May 20, 2020

Performance and stability improvements.
Fixed several slow page load issues. It is now much faster to:
- Edit a user's details
- Edit an organization's details
- Load pages after making multiple settings updates
Fixed an issue in which the Administration > Organizations > Deactivated page did not properly load in Code42 environments with a very large number of deactivated organizations.
On the Identity Management > Provisioning screen, fixed an issue for narrow browser windows in which very long passwords did not display properly or provide the option to Copy to clipboard.
Improved error messaging for failed imports of identity provider XML metadata to better to describe the error and to provide a suggested resolution.
Updates to First Name, Last Name, and Email initiated by an authentication provider are now included in the Code42 Sync Log.
On the Organization details screen, fixed a display issue in which very long organization names could be truncated with an ellipsis (…), making it difficult to determine exactly where a child organization existed in the organizational hierarchy. Now, long names wrap to additional lines.
Fixed an issue in which attempting to reactivate a device resulted in an unexpected error message under certain circumstances.
Fixed an issue in which two-factor authentication for local users could not be enabled for users with passwords containing certain non-alphanumeric characters.

April 2020

Features

Manage access for Code42 support users

April 27, 2020

The Code42 console adds a new control for you to manage permissions for Code42 "support" users. A support user is a user account created by a Code42 Customer Champion in response to a support ticket. This allows Code42 to temporarily access your environment for the purpose of troubleshooting. To configure settings, navigate to Administration > Settings > Code42 Support Access.

Early access: Visual risk indicators for anomalous behavior

April 23, 2020

The User Profile now adds a risk indicator icon to file activity that may indicate greater risk, such as activity during hours when a user is not typically active or when file contents do not match the file extension. This enables you to better prioritize which file activity to investigate:

Off hours - Categorizes file activity that occurs at times a user is not typically active as an added risk. The off hours determination is unique to each user and based on the user's past patterns of behavior on their endpoint. This enables you to focus investigations on unusual file activity.
File mismatch - Highlights file activity where files have extensions that do not match the file contents as an added risk. File mismatch determinations are shown for both endpoint and cloud file activity. This allows you to more quickly investigate anomalous file activity.

Early access: Off hours risk indicator in Forensic Search

April 23, 2020

The Risk Indicator filter in Forensic Search adds a new option to search for Off hours file activity. The off hours determination is unique to each user and is based on the user's past patterns of behavior. This enables you to focus investigations on unusual file activity that may indicate greater risk.

Early access: New Suspicious file mismatch alert rule

April 17, 2020

Code42 adds a new Suspicious file mismatch alert rule to notify you when activity is detected for a file with an extension that doesn't appear to match its contents—for example, when the file's contents indicate that the file is a ZIP file, but it has a PNG extension. This rule is automatically triggered for endpoint or cloud share permissions exposures.

Early access: Filter by risk indicators in Forensic Search

April 10, 2020

Forensic Search adds a new search filter and a risk indicator icon Yellow diamond risk indicator icon to highlight file activity that may indicate greater risk, such as a file extension that does not match the file contents. This enables you to better prioritize which file activity to investigate, and may indicate an attempt to disguise and exfiltrate data.

Forensic Search file mismatch risk indicator: search filter and file event details

Enhancements and updates

April 30, 2020

Updates the Code42 application in PingOne to perform provisioning from PingOne to Code42 in addition to providing SSO.

April 17, 2020

Improves visibility of file activity details with a new View event details option on the Top file activity by remote employees tile and the High Risk Employees and Departing Employees lists.

April 16, 2020

Security updates.
Performance and stability improvements.

Allows the Deactivation Delay setting to be edited for Code42 User Directory Sync providers in the Code42 console. Click the edit icon to set the length of time to delay deactivation after synchronization is performed.
Displays additions, updates, and removals for all user attributes in the provisioning Sync Log. In addition, all Organization attribute values displayed in the Sync Log now include the orgId of the organization, and all Manager attribute values now include the userId.

April 15, 2020

Adds a View event details button to the Remote employee file activity tile of the Risk Exposure dashboard and to the User Profile. Previously, you had to click a bar in the graph to view file event details.
On the User Profile, the File Activity Last 30 days tile is now split into two separate tiles: File events by destination and File events by file category group.
Adds SCIM attributes to the remote employees view allowing you to see information such as the employee's department and role.

April 6, 2020

In the Code42 console navigation menu, Trusted Domains is renamed Data Preferences.
Updates APIs for managing departing employees, and adds APIs for managing high risk employees. Use these APIs to automate adding and removing users from the High Risk Employees or Departing Employees lists.

April 2, 2020

Added the IP addresses involved in file activity to alert details and email notifications for the Exposure on an endpoint alert rule.

Bug fixes

April 30, 2020

In Forensic Search, improved messaging if a file is not available for download. Previously, an incorrect message appeared in some situations indicating the device was not backing up to Code42, even though it was backing up. Now, the messaging correctly explains the reason the file is unavailable.

April 16, 2020

Improved error messaging if you enter only one character in the Code42 console search box.
Improved logging for a rare circumstance in which the Code42 app is unable to connect to the Code42 cloud.
Fixed an issue on the Code42 console sign-in page in which translations for some non-English languages did not display properly.
For Code42 environments using Okta as the authentication provider, fixed an issue in which deactivating a user in Okta did not properly deactivate the Code42 user, under certain circumstances.

March 2020

Features

Greater visibility into file activity of employees working from home

March 20, 2020

Code42's new remote employee view provides organization-wide visibility into file activity on removable media, in cloud sync folders, and browser uploads for remote workers. The Detection > Risk Exposure dashboard enables you to:

Quickly identify suspicious file activity over the past 90 days for employees working from home
Easily review both endpoint and cloud sync file activity
Detect organization-wide usage of Dropbox, iCloud, Box, OneDrive and Google Drive

Remote employee

Code42 app for Demisto now available

March 19, 2020

The Code42 app for Demisto (now Cortex XSOAR) is now available. Using the Code42 app for Demisto, you can view and search Code42 data in Demisto, as well as manage Code42 Departing Employees from Demisto.

Code42 CLI tool now available for SIEM integration

March 18, 2020

The Code42 command-line interface (CLI) tool offers a way to extract Code42 data for use in a security information and event management (SIEM) tool like LogRhythm, Sumo Logic, or IBM QRadar. Use this command-line interface tool to get the security events in either a JSON or CEF format for use by your SIEM tool.

Early access: Code42 federal environment now available

March 12, 2020

The new Code42 federal environment is now available. This environment offers the same high level of security as all Code42 environments to government agencies in compliance with FedRAMP requirements.

The Federal Risk and Authorization Management Program (FedRAMP) from the United States Government provides a standard method for the security assessment, authorization, and continual monitoring of cloud products and services. Government agencies (and companies who partner with them) are required to choose FedRAMP authorized providers when using cloud products and services to ensure the security of their data. The Code42 federal environment is one such solution for organizations seeking a FedRAMP authorized service to protect against insider threat and data loss.

Government agencies can request access to the Code42 security package using the request form available on the FedRAMP marketplace. To access the form, select Code42 from the marketplace list and then click the Package Access Request Form link. More information is also available at https://www.code42.com/go/federal-solutions.

Enhancements and updates

March 31, 2020

The High Risk Employees and Departing Employees lists now alert you by default when file activity happens outside the trusted domains you have configured for cloud share permission changes. Pre-existing default alerts for both High Risk Employees and Departing Employees have been updated to have this new default value.
From the Risk Exposure dashboard, streamlined the process for adding an employee to the High Risk Employees or Departing Employees lists. Previously, clicking Add to list brought you to that list and you had to navigate back to the Risk Exposure dashboard.

March 26, 2020

Added new alert rule configuration options to notify you when files are shared outside of the domains you trust. The first ten untrusted domains and email addresses with which the file has been shared are listed in the Cloud share permission changes notification email and alert details and can be investigated further in Forensic Search.
Added the name and path of the first ten files that generated an alert to the notification email and alert details. You can investigate further in Forensic Search and view all of the file events that triggered the alert.

March 19, 2020

Security updates.
When initiating Code42 app upgrades from the administration console, the confirmation messaging improved to make it clearer that only devices on supported operating systems receive the upgrade.
Added a new exclusions resource for managing backup exclusions via the Code42 API.
Updates to search behavior in the administration console:
- When entering a search term, auto-complete suggestions now only appear after at least four characters are entered.
- Searching for a partial term now only returns results that begin with those characters. Previously, search results included matches that contained the characters anywhere (not just at the beginning).

March 18, 2020

Updates to User Directory Sync (UDS). Version 1.5.0 introduces:

New properties in the config.properties file:
- ldap.connection.allowunsafecerts: Allows for self-signed certificates.
- scim.client.threads: Sets the number of processing threads to use during synchronization.
New --changed-since flag for the C42UserDirectorySync executable that synchronizes all users who haven't been updated since the specified date.
Faster synchronization through the introduction of multi-threaded processing.
Faster queries for missing users.
Improved log messaging.
Fixes an issue where installation of the embedded JRE incorrectly overwrote the existing JAVA_HOME variable.
Known issue: If you run a synchronization with the the scim.client.threads property set to a value higher than 1, and you use org scripts to automatically create new organizations in Code42, a new organization will be created for each thread, resulting in duplicate organizations. To work around the issue, you must create all the organizations needed by users before running a synchronization.

March 17, 2020

Updates to Forensic Search:

Improves visibility of the column selector within search results by adding the text label Modify columns and moving it to the upper right. Previously, the column selector was an icon with no text label and appeared in the column heading row of the search results.
The File Path column is now included in search results by default.
When exporting search results to CSV, fields containing a list of values (for example, IP Address, Shared With, and Exposure Type) no longer include line breaks. Now, all lists within a single field are comma-separated. Line breaks are only used to indicate a new record.

March 16, 2020

From the User Profile page, you can now add an employee to the Departing Employees and High Risk Employees lists. Additionally, improves the appearance and scaling of the File Activity Last 30 Days graph to make it easier to interact with smaller file event counts.
Improved experience while viewing Alerts details. Previously, you could expand a row in the list of notifications to see details. Now the list of notifications stays intact while the details for the selected notification slide in from the right side of the screen.
In Forensic Search, the File exposure changed to filter adds the option to search for files Outside trusted domain. This enables you to easily identify exactly when a file was shared with a user outside your list of Trusted Domains.
Various accessibility improvements

March 12, 2020

If you have a Code42 Platinum or Diamond product plan, File Activity Notification profiles will soon be discontinued, given the new and improved options available in Alerts. You must recreate any existing File Activity Notification profiles in Alerts to continue notifications. See Migrate Activity Notification profiles to alerts for more information.

March 10, 2020

Updates to Forensic Search:

In the Device section of the file event details, adds a link to the User Profile for the Code42 user associated with the file event. The User Profile highlights file activity for that user over the past 90 days that may indicate a file exfiltration risk.
Adds support for wildcard characters (*, ?) to all search filters except MD5 hash, SHA256 hash, IP address, and file size.

March 9, 2020

Cleans up data shown in the file activity graphs of the User Profile to no longer show line items where file events are equal to zero in the summary previews.

March 6, 2020

Updates to the Departing Employees list:
- Adds columns for Total File Events and Total Size of Files
- Removes the Date Added column
- Results are now sorted by Total File Events by default. Previously, the default sort order was by Date Added.

March 3, 2020

Updates to Forensic Search:

Improvements to the search filter interface:
- Updated styling
- Improved accessibility
- New searches now default to the Filename filter. Previously, the default was MD5 Hash.
For cloud and email events, clicking the filename in the event details now opens the file in a new browser tab. Previously, the file opened in the same tab as the search results.

March 2, 2020

Alerts now lists the first ten files impacted by file events in notification emails.

Bug fixes

March 19, 2020

Performance and stability improvements.
In Code42 environments with an on-premises authority server that use Code42 cloud storage, fixed an issue which could prevent devices from being able to connect to the Code42 cloud under a very specific set of network port configuration circumstances.
Authentication and directory services settings now properly inherit values from the parent organization by default.
Fixed an issue in which attempting to search for a GUID in the administration console returned an error.
Fixed an issue for Code42 environments using SCIM provisioning: deleting a SCIM group now applies the default Code42 roles (Desktop User and PROe User) to any users in that group. Previously, the role mapping defined by the deleted group remained in place.
Fixed a rare display issue in which the web restore date picker could continue to appear at the bottom of the administration console after navigating to a different page.
Fixed an issue in which restoring files from the administration console could fail if you selected a folder to restore and then deselected sub-folders within the selected folder.

February 2020

Features

Video summary

Watch the short video below for a summary of features released this month.

Greater visibility into file activity of high risk employees

February 19, 2020

Code42's new High Risk Employee lens provides comprehensive insight into file activity of employees you identify as a risk (for example, users with elevated permissions, access to sensitive data, on a performance improvement plan, etc.). The Detection > High Risk Employees section of the administration console enables you to:

Quickly identify suspicious file activity of high risk employees over the past 90 days
Assign risk factors to employees to provide more context for insider threat investigations
Easily review both endpoint and cloud sync file activity

High Risk Employee user profile and activity

Forensic File Search now searches backups from all users to locate and download file contents

February 12, 2020

When downloading file contents in Forensic File Search, the file event details now offers the option to search other locations if the file isn't found in the user's backup archive. Clicking Search Other Locations searches the backups of all users in your Code42 environment, which greatly increases the chance the file will be available for download. Previously, files could only be downloaded if there was an exact filename and file path match in the backup archive of the user associated with the event.

More subscription options for monitoring insider threats

February 11, 2020

The Code42 Diamond product plan offers a new subscription option for many of Code42's most advanced insider threat features, including:

The Risk Exposure dashboard, which highlights suspicious file activity
A highly customizable Alerts framework to notify you when when important data may be leaving your organization
The powerful Forensic Search interface, which offers advanced search capabilities for investigating file exfiltration activity

Previously, some of this information was available via a CSV export, but full access to these features required the Code42 Platinum product plan.

Requires Code42 app version 7.7.0.

Code42 insider threat features

Use one deployment policy to register users in multiple organizations

February 11, 2020

Deployment policies can now leverage custom user detection scripts that dynamically assign users to different organizations. Previously, deployment policies could only register users to a single organization.

Requires Code42 app version 7.7.0.

Other enhancements and updates

February 25, 2020

In the User Profile, file activity for the last 30 days now defaults to an exfiltration type with recent activity. Previously, the Synced to Cloud Service filter was always selected by default, even if there was no cloud service file activity for the user.

February 24, 2020

In Forensic Search, custom column preferences are now maintained upon page refresh and across sessions.

February 19, 2020

On the Device Details screen and in the list of active devices, Destination Status is now labeled Authority Connection. This is a label change only. The status continues to indicate if the device is connected to the Code42 cloud.

February 13, 2020

Updates the process of adding a departing employee so that the window slides in from the right rather than appearing in a pop-up modal.
Adds the ability to remove a user from the list of departing employees from within the User Profile.
On the Endpoint dashboard, the Data Summary columns are now sortable.

Bug fixes

February 19, 2020

Security updates.
Performance and stability improvements.
Fixed an issue in which the text-only version of the backup status report email displayed some fields incorrectly.
In Code42 environments with an on-premises authority server also using Code42 cloud storage, fixed a rare issue in which backup storage statistics did not update properly.
Fixed a rare issue in which clicking the link in an activity notification email to view user activity did not display any results.

Known issues

In activity notification emails sent before February 19, 2020, clicking a link to user activity details results in an error. To see details for this activity, search for the user.

January 2020

Features

Video summary

Watch the short video below for a summary of features released this month.

Endpoint dashboard provides visibility for devices not reporting security events

January 30, 2020

A new Endpoint dashboard identifies user devices not sending file event data to Forensic File Search. This improved visibility can help you troubleshoot specific devices to ensure Code42's security monitoring is capturing file activity on all active devices in your Code42 environment.
Endpoint dashboard - endpoints not reporting security events graph

Better visibility into endpoint and cloud services file activity for all users

January 30, 2020

A new User Profile search interface provides comprehensive insight into file exfiltration risk for all users. The Investigation > User Activity section of the administration console now enables you to review both endpoint and cloud sync file activity for the last 90 days to quickly identify suspicious file activity.

Previously, much of this information was only available for users added to a departing employee profile or via CSV export.

Requires the Code42 Platinum product plan.

Sync destinations added to Risk Exposure dashboard

January 27, 2020

The Risk Exposure dashboard now shows you where employees are syncing files. By reviewing the Synced to Cloud Service details, you can quickly see if users are syncing files to unapproved cloud services.

Sync Destination shown on Synced to Cloud Service

Forensic File Search adds search filter for files shared with trusted domains

January 17, 2020

Trusted Domains settings enable you to easily exclude files shared with approved domains from search results in Forensic File Search.

To use the new search filter:

Add domains you trust to Administration > Settings > Trusted Domains.
From Investigation > Forensic Search, add the Exposure Type filter to your search criteria and select the value Outside trusted domain.

File categories added to Alerts

January 16, 2020

You can now add file category filters to Alerts to help you more easily determine what types of files (spreadsheets, zip files, source code, and multimedia, for example) are leaving your organization.

Sync destinations added to Departing Employees lens

January 13, 2020

The Departing Employees lens now shows you where employees are syncing files. By reviewing the sync destination details, you can quickly see if users are syncing files to unapproved cloud services.

Sync Destination on the Departing Employees lens

Risk Exposure dashboard highlights departing employee activity

January 2, 2020

The Risk Exposure dashboard now includes a summary of potential exposure events gathered from the Departing Employees lens. Click any value for more details.

Departing Employees tile on the Risk Exposure Dashboard

Enhancements and updates

January 29, 2020

The Administration > Dashboard menu now contains sub-menus for Endpoint and Usage.
- Endpoint provides visibility for devices not sending file event data to Forensic File Search.
- Usage (the previous landing page) displays a summary of users and backup storage in your Code42 environment.
Updates to endpoint monitoring settings:
- Forensic search is renamed File Metadata Collection.
- Removes the options to enable/disable the File restore and Pattern matching detection types.
Updates to SCIM provisioning:
- The Sync Log now includes entries for changes to any of the following user attributes: Title, Division, Department, Manager, Employment Type, Manager, Locality, Region, and Country.
- When using the Code42 API to customize SAML attributes, the authnContextComparison attribute is now optional.
Alerts notifications now indicate if the alert is due to a departing employee's activity.
Devices using unsupported Windows 10 versions (builds 1507, 1511, and 1703) will not upgrade to newer versions of the Code42 app. To upgrade, Windows 10 devices must run supported versions.
Streamlined the process of creating a security alert.

January 8, 2020

Updates to Forensic File Search:

The label for the file category archive is renamed zip.
Improves keyboard navigation accessibility in the Save Search and Export Results to CSV dialogs.

Bug fixes

January 29, 2020

Performance and stability improvements.
Fixed: The Administration > Organizations screen now loads much faster for Code42 environments with many child organizations.
Fixed a web restore issue: filenames containing apostrophes now properly appear in search results. Previously, searching for a filename containing an apostrophe could return no results even if the file was backed up and available to restore.
Fixed: Exporting organization details to CSV now reports correct values for selectedFiles, totdoBytes and todoFiles. Previously, these fields could incorrectly report zero or null under certain circumstances even though there were files selected for backup.
Improvements to logging.
Fixed: Two-factor authentication for local users can now be enabled if a user's password contains special characters.
Fixed: Using the action menu to block or unblock a user now immediately updates the status icon next to that user. Previously, even though the blocking or unblocking succeeded, refreshing the page was required to see the current status for the user.
For Code42 environments managing their own external keystore, connection failures now display more specific error messaging on the Administration > Settings > Keystore page and in the logs.
Fixed an intermittent display issue which could cause page styles to render incorrectly when navigating between specific screens in the administration console.
Updates to translations.

January 8, 2020

Fixes an issue in which downloading files from Forensic File Search was not available in the Safari web browser.
Improves error messaging if File Size search criteria is blank.

Previous release notes

For release notes prior to January 2020, see Code42 cloud 2019 release notes.