Insider risk agent release notes

Features

Updates

• File activity in the Microsoft Teams desktop app is now automatically evaluated for trust based on the username signed in to the app. For example, if the the signed-in username is an email address on your corporate domain, and your corporate domain is included in your list of trusted activity, the event is trusted. Trusting this activity can help you more easily identify riskier activity in personal Teams accounts. 
• Improved Active tab titles and URLs detection.
• Performance and stability improvements.

Bug fixes

Fixed issues where:

• On Windows devices, Active tab titles and URLs were not captured for browser events in specific circumstances.
• File activity in a non-default cloud sync folder could incorrectly report the name of the synced directory as the Account name.
• Git push activity could generate duplicate or false positive events in certain circumstances. 
• In rare cases, some exfiltrated files were not available for download.
• Previewing an HTML file in a browser could generate a false positive file event.
• Opening multiple copies of a recently downloaded file could generate a false positive file event. 
• On Mac devices, cloud sync file activity in some /Library directories was not being captured.
• Some background processes and system-generated activity could cause false positive events.
• In some cases, the username value in the app.log was missing and reported as null. 
• On Mac devices, downloading a large file via Safari could generate a false positive upload event for that file. 
• In rare cases, the insider risk agent did not deploy successfully to some Mac devices in restrictive network environments.
• The insider risk agent could inadvertently lock a file and prevent it from being deleted in rare cases.
• In rare cases, events were not captured on Windows devices for specific processes.

Features

Updates

• File contents are now collected (and available for download) for Git push file events. 
• For Macs, updated the command line syntax to uninstall the Code42 app. If you use scripts or MDM commands to uninstall the agent on Macs, you'll need to update them to be compatible with Code42 app version 1.7. 
• Improvements to Active tab titles and URLs detection.
• File event details now include File classification metadata (for example, MIP labels) for encrypted files. 
• Unregistered devices now automatically retry to register every two minutes for the first hour after deployment. Previously, if a device failed to register, the next attempt did not occur for 60 minutes. Retrying to register more frequently assists with troubleshooting registration and user detection script issues.
• Performance and stability improvements.
• Security updates.

Bug fixes

Fixed issues where:

• Uninstalling the Code42 app didn't properly remove all application files from the device.
• File downloads to a Mac device could generate duplicate download events.
• Renaming a removable media drive on a Mac could generate false positive Modified events for files on the drive. 
• Deleting a folder from within a cloud sync folder on a Windows device could generate a delete event for the folder, in addition to the files in the folder. Now, events are only created for the deleted files, not the parent folder. 
• Using the Code42 API to delete your customized list of monitored applications required updating the list to an empty value. Now, the DELETE method works as expected.
• Some OneDrive events were not captured on Mac devices under specific circumstances.
• Files uploaded via a non-browser process could indicate the tab title/URL was missing because it was "Unavailable." Now, these events provide more detail and specify the tab title/URL is "not used by this application." 
• Improvements to logging.
• Some file events for OneDrive sync folder activity on Macs reported the Destination user as "Unknown."

Features

Updates

• Added support for Ubuntu 22.04 and Red Hat Enterprise Linux (RHEL) version 9.
• For Macs, updated the command line syntax to uninstall the Code42 app. If you use scripts or MDM commands to uninstall the agent on Macs, you'll need to update them to be compatible with Code42 app version 1.6. 

Bug fixes

• On Mac devices, exfiltrated file collection could use an abnormally high amount of system resources under certain circumstances.
• Improvements to logging.
• Performance and stability improvements.

Fixed issues where:

• Some devices did not automatically upgrade to newer versions of the Code42 app.
• The Code42 app did not install successfully on some Windows devices if the operating system was installed with a non-English language.

• Fixed several issues to improve Active tab titles and URLs detection.
• Improved Salesforce report download detection.
• Fixed a rare issue where some removable media file events were not captured.
• On Mac devices, fixed an issue where deleting a file from a local cloud sync folder did not generate a file event in some circumstances.
• Fixed an issue where some file events were not reported if the Code42 app was unable to access the file contents (for example, if many files were transferred to removable media and the drive was disconnected before the Code42 app could collect all the files). Now, a more complete list of events is reported, but some events may not include all metadata, such as the MD5 and SHA256 hash values. 
• On Mac devices, fixed an issue for files in the Box sync folder where file contents were sometimes incorrectly collected and preserved for file activity not initiated by the local device. Now, a change to a synced file caused by other users or devices still generates a file event, but the file contents are not collected since the file was not exfiltrated from the device.
• Improved ability to capture very large bursts of events on Windows devices.

Updates

• Improved the ability to capture the tab title and URL for browser events on Mac devices. This update also simplifies the permissions required in the computer configuration profile (.mobileconfig file).
• Added support for file classification metadata from Microsoft Information Protection (MIP). This metadata can help provide additional risk context if you already use MIP in your organization.
• The Code42 API now enables you to confirm if full disk access permissions are configured correctly on your Mac devices. 
• Re-introduced support for Red Hat Enterprise Linux (RHEL) versions 7 and 8. 

• Security updates.
• Reduced CPU usage on Mac devices, especially for devices running macOS Monterey 12.3.
• On Windows devices, if the Code42 proxy is set to None, the Code42 app will always use a direct connection, even if a Windows system proxy is configured. This matches the existing behavior for Mac devices.
• File contents are now collected and preserved for files synced with cloud storage only when changes are made by the local device. Changes to the synced file caused by other users or devices still generate a file event, but the file contents are not collected since the file was not exfiltrated from the device. 
• Updated Code42 extended attributes on Mac devices to prevent Time Machine from backing up the Code42 application files.
• Improved support for non-LTS versions of Ubuntu.
• The app.log file now includes additional status information to better assist with troubleshooting. 
• Additional updates and improvements to logging. 
• Other miscellaneous performance and stability improvements. 

Bug fixes

Fixed issues where:

• Copying a folder to removable media could generate duplicate events for files in the folder.
• File download events could be incorrectly created under certain circumstances for files syncing with a cloud storage service that were not actually downloaded to a device. 
• Opening a local file (such as a PDF, image, or text file) with a web browser could generate a false positive file upload event under certain circumstances.
• Deactivated devices could not be reactivated from the Code42 console in some cases. Now, you have 30 days to reactivate a device.
• In rare circumstances, newly deployed devices did not apply the proxy auto-config (PAC) file until the device or the Code42 service restarted.

Fixed issues where:

• Google Drive for Desktop file activity was not captured in some circumstances.
• The Sync username could be missing or display "Unavailable" for file activity in personal (non-corporate) OneDrive accounts.
• File events were being reported for activity in some file paths that should be excluded.
• Uploading a file via a web browser could generate false positive file upload events for other files in the same folder under specific circumstances.
• Uninstalling the Code42 app .msi via the command line did not fully remove all components (the .exe was still visible in Add/Remove programs even though the app was removed).
• Uninstalling the Code42 app via the command line did not remove all log files. 
• Some Windows application cache files were not properly excluded from Incydr security event monitoring.
• The code42.deployment.properties file was not recognized if it contained a .txt extension.
• In rare cases, if a user accessed more than one tab while multiple uploads were in progress, not all possible tab titles/URLs visited during the upload were listed in the file event details.

Fixed issues where:

• Slack tab titles were not captured in many cases. 
• Uploads from network drives were not detected in some cases.
• If an external volume was reformatted, removable media events could include both the old and new volume name.
• When downloading a file in Safari, if the browser automatically changed the filename (for example, appending (1) because another file with that name already exists), duplicate file events could be created: one with the original filename appearing as a download, and one with the changed filename appearing as an upload. 
• File events could be incorrectly generated for cloud shortcut files. Now, file events are only captured for files syncing with a cloud service when the actual file contents exist on the device.
• Time Machine backups were not properly excluded from file event monitoring and could generate false positive exfiltration events under certain circumstances.

Fixed issues where:

• Removable media events for password-protected volumes were not captured properly.
• File events on mounted virtual drives were not captured properly. 
• Removable media events could report the wrong volume name if the volume was reformatted.
• Connecting a USB drive could create false positive events for all files on the drive under some circumstances.

Updates

• Security updates.
• Added Incydr monitoring and exfiltration detection for:
  • Salesforce report exports to unmonitored personal devices (requires the Salesforce data connection).
  • Google Drive for Desktop for Mac and Windows.
  • Files downloaded via a web browser.
• Added proxy support for System and PAC file configurations on Windows and Mac devices. 
• Improved ability to uninstall the Code42 app on macOS via an MDM tool without presenting a confirmation dialog to the user. 
• The Windows Code42 app can now read the deployment.properties file from drive letters other than C:/. This enables support for persistent AWS VDI workspaces.
• The SHA256 hash of the user detection script is now included in the Logs folder. This enables you to confirm the integrity of the script run on each device.
• The Code42 app installer can now be used to uninstall any version of the app. Previously, the same version was required. 

Bug fixes

• Improvements to logging.
• Windows devices now correctly apply proxy settings defined in the deployment.properties file.
• Files with alternate data steams (ADS) no longer display duplicate file events in Forensic Search.
• Deactivated devices now correctly stop Incydr monitoring.
• Some metadata for file events on removable media was not being captured correctly. Now it is. 
• Changes to a username are now reflected in the file event metadata for new events right away. Previously, a user's old username could continue to be associated with new events even after the username changed.
• Fixed an issue on Mac devices where opening local files with Firefox could generate false positive file upload events under specific circumstances. 
• Changing an organization's proxy method to None now stops devices from using the proxy immediately. Previously, the proxy was used until the device or the Code42 service restarted. 
• Fixed a rare issue where false positive upload file events were created for system files read by Google Chrome.
• Globally adjusting logging levels via the Code42 console command-line interface (CLI) now correctly updates all modules to the new level.
• Other minor bug fixes and performance improvements.

Known issue

• Code42 app installers for Red Hat Enterprise Linux (RHEL) are temporarily unavailable. 

Updates

• Added support for directing agent traffic through a named proxy.
• Improved logging by adding an app.log file, which provides additional device details to assist with troubleshooting. 
• Added a Code42 console command-line option for increased agent logging to assist with troubleshooting. 
• Added the option to block agent upgrades to a specific version. (This option is not visible by default. To enable version blocking, contact our Technical Support Engineers). 
• Added an optional second location to place the code42.deployment.properties file. The file can now also be placed in the application data folder, in addition to the system temp directory. 

Bug fixes

• Fixed an issue where agent logs were being overwritten after reaching the max size instead of "rolling over" to a new file. Now, older agent logs are preserved in a new file with .1 appended to the filename, and current activity continues to be logged in the original log file. 
• Fixed an issue where the agent did not automatically restart on Mac devices under certain circumstances.
• On Macs, fixed an issue where uninstalling the agent did not properly remove the Code42-AAT folder from the Application Support directory.
• Fixed an issue where exfiltrated files were not available for download under certain circumstances. 
• Other minor bug fixes and performance improvements.