Overview
This page lists new features and bug fixes for the insider risk agent.
For release notes for other agent types and the Code42 cloud, see Incydr release notes.
Version 2.1.0
Full version number: 1.11.6.5 (2.1.0.14)
User devices automatically upgrade beginning October 1, 2024, unless you have configured an agent upgrade delay.
Updates
- Added support for detecting files exfiltrated to the macOS ChatGPT desktop app. (OpenAI has not released a Windows desktop app yet.) Support for the macOS app enhances Incydr's existing ChatGPT exfiltration detection via web browsers.
- Performance and stability improvements.
- Improvements to logging.
Bug fixes
Fixed issues where:
- Users performing normal web development tasks could generate false positive file upload events under specific circumstances.
- On Windows devices, enabling the Block removable media mounting preventative control did not immediately block removable media in rare cases.
- On macOS Sequoia, the Block browsers and apps preventative control did not properly block the Safari browser in some cases.
- In some cases, events for files uploaded via SCP reported an incorrect Remote hostname, which could result in trust not being applied correctly for SCP activity.
- The insider risk agent used more memory than expected on devices with many open Git files.
- Some file activity was not captured from Git environments using a custom Git wrapper.
Version 2.0.0
Full version number: 1.10.11.14 (2.0.0.59)
User devices automatically upgrade beginning August 15, 2024, unless you have configured an agent upgrade delay.
Updates
- Updated Incydr monitoring support for the Prisma Access Browser (formerly Talon).
- Updated the display names for some Windows components to standardize on Code42 Incydr Agent and Code42-AAT naming patterns. These changes only apply to the names visible in Task Manager and the File description field in the file properties. The executable names did not change.
- Reduced CPU and memory use on devices with a high volume of Git activity, especially for Git clone events.
- Numerous other performance and stability improvements.
- Security updates.
Bug fixes
Fixed issues where:
- Slack events could list the wrong workspace name in specific circumstances.
- On macOS, some file events on removable media did not collect the file contents.
- OneDrive activity was not detected on some macOS devices.
- The insider risk agent could prevent USB devices from cleanly unmounting on Linux devices.
- The Windows agent was not properly signed.
- On Windows devices, the timestamp for some Print events was incorrect.
- Print events from before the insider risk agent was installed could be reported as having occurred "today."
- Git fetch events from remote repositories were not captured in some circumstances.
- Agents that failed to register due to a missing username did not appear on the Agent registration issues report.
- Remote hostname was missing from some FileZilla, WinSCP, and cURL events.
- The Process User was missing from some event types.
- In the file event details, the MD5 and SHA256 hash values were blank for some large files. Now, they correctly display the message "Hash unavailable - File size is too large."
- Opening a local file in the Firefox or Opera browser on a Windows device could generate a false-positive file upload event under certain circumstances.
- The Logged-in user was missing from some Windows Teams app events.
- Paste events in the Talon and Island browsers incorrectly listed the Process > Web browser name as Chrome.
- Some OneDrive remote sync events were not captured on Windows devices under specific circumstances.
Version 1.13.0
Full version number: 1.10.0.31 (1.13.0.268)
User devices automatically upgrade on May 9, 2024, unless you have configured an agent upgrade delay.
Updates
- Added support for Windows devices with ARM-based processors.
- Added support for Ubuntu 24.04 LTS.
- Numerous performance and stability improvements.
Bug fixes
Fixed issues where:
- Classification metadata was not captured for files in a Google Drive folder on Windows devices.
- Some file upload events could have the same tab title listed more than once.
- Linux devices could generate duplicate file upload events for very large files.
- On Macs, file uploads via the Brave browser from network locations were not detected in some circumstances.
- Moving and renaming files in the Google Drive folder was not detected in some cases if the folder existed in a non-standard location.
- Some AirDrop activity was not detected on devices running macOS Sonoma.
- On Macs, file activity in personal OneDrive accounts could report the wrong sync direction under specific circumstances. (OneDrive for Business was not affected.)
- On Red Hat Linux devices, some unsupported browsers weren't blocked as expected for users on a watchlist with the Block unsupported browsers preventative control enabled.
- Git push events to remote repositories were not captured in some circumstances.
- The file event details for some Moved and Renamed file events were missing the Username.
- On Windows devices, moving a file to a different directory could generate both a Moved and Deleted event under specific circumstances. Now, only a Moved event is generated.
- On Windows devices with Microsoft Teams for Home, some activity in Teams was not detected.
- On devices with the Incydr browser extension installed, file upload events could report the wrong Active tab title and URL in rare cases.
- In rare cases, trusted uploads to Microsoft Teams were incorrectly identified as untrusted activity.
- On devices running macOS Sonoma, AirDrop events were missing the device name. Version 1.13 does capture the device name, but you must first deploy an updated configuration profile.
Known issues
- Attempting to install an older insider risk agent version on a Windows device with version 1.13.0 already installed may cause a duplicate entry to appear in the Windows Control Panel Programs and Features list.
  - This is a display issue only: version 1.13.0 remains operational and there are not actually two agents running. You can safely uninstall the older Code42 Incydr Agent entry to clean up the list without affecting version 1.13.0.
  - Upgrades from an older version to 1.13.0 (including automatic upgrades) are not affected.
Version 1.12.2
Full version number: 1.9.13.21 (1.12.2.1)
User devices automatically upgrade on April 22, 2024, unless you have configured an agent upgrade delay.
Bug fixes
- Fixed an issue which could have interfered with Linux device upgrades to future versions of the insider risk agent.
Version 1.12.1
Full version number: 1.9.13.21 (1.12.1.1)
User devices automatically upgrade on March 26, 2024, unless you have configured an agent upgrade delay.
Bug fixes
- Fixed a performance issue affecting some Mac devices running macOS Sonoma.
- Fixed a rare issue for environments using the CLI to query specific agent attributes.
Version 1.12.0
Full version number: 1.9.13.21 (1.12.0.61)
User devices automatically upgrade on February 22, 2024, unless you have configured an agent upgrade delay.
Features
Linux support for browser upload detection and preventative controls
The Incydr browser extension is now supported for Linux devices. Deploying the browser extension enables many features for Linux previously only available for Windows and Mac, including:
- Browser upload detection
- Preventative controls
  - Block or temporarily allow uploads
  - Block or temporarily allow pasting in web browsers
  - Block unsupported browsers
  - Block private browser modes
Updates
- Improved support for monitoring activity in the new Microsoft Teams app.
- Reduced CPU and memory use on devices with a high volume of Git activity, especially for git clone events.
- To reduce confusion, Remote hostname is no longer reported for browser events. See the Source and Destination sections for the most relevant metadata about the browser at the time the file activity occurred.
- Numerous other performance and stability improvements.
- Security updates.
Bug fixes
Fixed issues where:
- The Block unsupported browsers preventative control did not work as expected unless the Block browser uploads control was also enabled.
- Uploads to a trusted Microsoft Teams destination were incorrectly marked as untrusted activity in certain circumstances.
- In some cases, file activity on Linux devices was incorrectly attributed to the user who registered and installed the insider risk agent, which could differ from the current user. Now, file activity is more accurately attributed to the current user.
- From Slack, opening a file in a web browser could generate a false positive download event in some cases.
- For Mac users on a watchlist configured to block browser uploads, file uploads were not blocked in the Edge browser in specific circumstances.
- Git push events could report an incorrect repository URI for pushes to a cloned repo from a Mac or RHEL 8 device.
- Git clone events could be incorrectly reported as Git push events in some cases. (Mac only)
- In rare cases, some Git push events were not captured if multiple push events to different branches in the same repo were performed in quick succession.
- The OneDrive username was not captured for some events. (Mac only)
- Some OneDrive Create events were incorrectly reported as Move events. (Mac only)
- Moving or modifying a file in a OneDrive folder could generate an unexpected Deleted event. (Mac only)
- On Windows devices, files uploaded from a secondary drive were not detected under certain circumstances.
- Downloading a Salesforce report to a monitored endpoint could generate a false positive exfiltration event in some circumstances.
Known issues
- Linux users on a watchlist with the Block private browsing preventative control enabled may still see the option to open an incognito window in the browser's context menu. This is a display issue only; incognito does not launch if selected.
Version 1.11.0
Full version number: 1.9.0.12 (1.11.0.15)
User devices automatically upgrade on October 24, 2023, unless you have configured an agent upgrade delay.
Features
Island and Talon browser support
The insider risk agent now detects upload and download activity in the Island and Talon browsers. Requires the Incydr browser extension.
Updates
- Performance and stability improvements
Bug fixes
- Fixed an issue where uploads to Microsoft Teams that should be trusted were incorrectly marked as untrusted activity in certain circumstances.
Version 1.10.0
Full version number: 1.9.0.12 (1.10.0.34)
User devices automatically upgrade on September 12, 2023, unless you have configured an agent upgrade delay.
Features
Git clone detection
The insider risk agent now detects Git clone activity, in addition to the existing Git pull and push detection.
Better visibility of file contents in exfiltrated zip files
Exfiltrated zip files now generate a file event for each file in the .zip folder.
Updates
- Updated the command line syntax to uninstall the insider risk agent. If you use scripts or MDM commands to uninstall the agent, you'll need to update them to be compatible with insider risk agent version 1.10.
- Improved activity monitoring for devices using the Incydr browser extension, including additional metadata for file downloads and reduced false positive events in certain circumstances.
- Numerous other performance and stability improvements.
Bug fixes
Fixed issues where:
- In rare circumstances, downloading a file could create a false positive upload event for that file.
- Reading a file from network-attached storage could generate a false positive file event in specific circumstances.
- The AirDrop risk indicator was not applied to some AirDrop file events. (AirDrop file activity was still captured and visible in Forensic Search, but risk scores were not applied.)
- In some cases, file contents were not captured for files exfiltrated from network-attached storage.
- In some cases, file contents were not captured for large files exfiltrated to removable media.
Version 1.9.4
Full version number: 1.6.23.33 (1.9.4.8)
User devices automatically upgrade on July 24, 2023, unless you have configured an agent upgrade delay.
Bug fixes
- Fixed a very rare issue which could cause abnormally high memory usage and unexpected restarts on Windows devices.
Version 1.9.3
Full version number: 1.6.23.33 (1.9.3.28)
User devices automatically upgrade on June 14, 2023, unless you have configured an agent upgrade delay.
Bug fixes
Fixed issues where:
- Some devices incorrectly reported the agent version as 0.0.0.
- The Incydr browser extension did not start automatically under specific circumstances.
- In rare cases, file event reporting could be delayed.
- In very restrictive network environments, the insider risk agent did not deploy successfully to some Macs with the M1 processor.
Version 1.9.2
Full version number: 1.6.22.111 (1.9.2.6)
User devices automatically upgrade on May 30, 2023, unless you have configured an agent upgrade delay.
Bug fixes
- Fixed an application compatibility issue introduced in version 1.9.1 for Mac devices with the M1 processor.
Version 1.9.1
Full version number: 1.6.22.96 (1.9.1.82)
User devices automatically upgrade on May 23, 2023, unless you have configured an agent upgrade delay.
Features
Git pull detection
The insider risk agent now detects the source repository for Git pull activity. This helps you identify files obtained from repositories identified as high-value sources of company information that are later sent to an untrusted destination. Requires a supported product plan.
Updates
- Added new Moved and Renamed event types to make it easier to track file movement. Previously, moves and renames were categorized as separate Delete and Create events.
- As part of security hardening efforts on Mac devices, the insider risk agent can no longer be uninstalled by dragging it to the Trash. To uninstall the agent, run the uninstall script from the command line or your mobile device management (MDM) tool.
- On Windows devices, improved ability to capture a PDF of printed documents.
- Improved accuracy of Remote hostname detection for files moved via file transfer tools, such as SFTP, SCP, FTP, and cURL.
- Improvements to logging.
- Performance and stability improvements.
Bug fixes
Fixed issues where:
- In rare cases, file events could report an incorrect Slack workspace name.
- In rare cases, Git push activity was not detected.
- On Windows devices, user registration could fail if the email address contained international characters.
- In very rare cases, updating a bare Git repository could cause the insider risk agent to create a new empty .git directory in the bare repository.
- Files modified in a local Google Drive sync folder were not detected under certain circumstances.
Version 1.9.0
Full version number: 1.6.21.2 (1.9.0.56)
User devices automatically upgrade on April 11, 2023, unless you have configured an agent upgrade delay.
Updates
- The agent logs folder moved from the Data sub-directory to the Code42-AAT directory.
  - macOS
    - Old: /Library/Application Support/Code42-AAT/Data/logs
    - New: /Library/Application Support/Code42-AAT/logs
  - Linux
    - Old: /var/opt/code42-aat/data/logs
    - New: /var/opt/code42-aat/logs
  - Windows
    - Old: C:\ProgramData\Code42-AAT\Data\logs
    - New: C:\ProgramData\Code42-AAT\logs
- Added support for detecting files uploaded via a web browser from network storage (NAS).
- Improved Active tab titles and URLs detection.
- For iMessage events, Active tab titles and URLs now includes the phone number or username (when it is available).
- Improvements to logging.
- Improved ability to capture the Slack workspace name for upload events, which helps reduce false positive alerts by more accurately identifying trusted Slack activity.
- Performance and stability improvements.
Bug fixes
Fixed issues where:
- The insider risk agent could use unexpectedly high amounts of memory and CPU resources under some circumstances.
- The C:/ProgramData/Code42-AAT folder was not deleted after uninstalling the Windows agent.
- In rare cases, exfiltrated files with MIP classification tags did not include the classification data in the file event details.
- Opening a local file with a web browser could generate a false positive file upload event under certain circumstances.
- User registration could fail if the email address contained international characters.
Version 1.8.0
Full version number: 1.6.11.30 (1.8.0.81)
User devices automatically upgrade on February 1, 2023, unless you have configured an agent upgrade delay.
Features
File activity monitoring for many new sources
Incydr now monitors risk and captures activity from many new vectors, including:
- File exfiltration and downloads from additional desktop messaging apps: Discord, iMessage, Microsoft Teams, Viber, WhatsApp
- Download events for files acquired from the Slack app on Windows endpoints (already supported for Mac)
- File activity in the Brave web browser
Updates
- File activity in the Microsoft Teams desktop app is now automatically evaluated for trust based on the username signed in to the app. For example, if the signed-in username is an email address on your corporate domain, and your corporate domain is included in your list of trusted activity, the event is trusted. Trusting this activity can help you more easily identify riskier activity in personal Teams accounts.
- Improved Active tab titles and URLs detection.
- Performance and stability improvements.
Bug fixes
Fixed issues where:
- On Windows devices, Active tab titles and URLs were not captured for browser events in specific circumstances.
- File activity in a non-default cloud sync folder could incorrectly report the name of the synced directory as the Account name.
- Git push activity could generate duplicate or false positive events in certain circumstances.
- In rare cases, some exfiltrated files were not available for download.
- Previewing an HTML file in a browser could generate a false positive file event.
- Opening multiple copies of a recently downloaded file could generate a false positive file event.
- On Mac devices, cloud sync file activity in some /Library directories was not being captured.
- Some background processes and system-generated activity could cause false positive events.
- In some cases, the username value in the app.log was missing and reported as null.
- On Mac devices, downloading a large file via Safari could generate a false positive upload event for that file.
- In rare cases, the insider risk agent did not deploy successfully to some Mac devices in restrictive network environments.
- The insider risk agent could inadvertently lock a file and prevent it from being deleted in rare cases.
- In rare cases, events were not captured on Windows devices for specific processes.
Version 1.7.1
Full version number: 1.6.2.23 (1.7.1.11)
User devices automatically upgrade on November 7, 2022, unless you have configured an agent upgrade delay.
- Fixed an intermittent issue where exfiltrated files were not available for download under some circumstances.
Version 1.7.0
Full version number: 1.6.2.23 (1.7.0.53)
User devices automatically upgrade on October 6, 2022, unless you have configured an agent upgrade delay.
Features
Printer activity detection for Windows
Limited early access
Windows devices now monitor print jobs, enabling detection of printed files as an exfiltration vector. (Print detection is already supported for Mac and Linux devices.)
Windows printer detection is disabled by default in Code42 app version 1.7. Contact your Customer Success Manager (CSM) if you are interested in enabling it. Windows printer detection will be enabled by default in an upcoming release.
Updates
- File contents are now collected (and available for download) for Git push file events.
- For Macs, updated the command line syntax to uninstall the Code42 app. If you use scripts or MDM commands to uninstall the agent on Macs, you'll need to update them to be compatible with Code42 app version 1.7.
- Improvements to Active tab titles and URLs detection.
- File event details now include File classification metadata (for example, MIP labels) for encrypted files.
- Unregistered devices now automatically retry to register every two minutes for the first hour after deployment. Previously, if a device failed to register, the next attempt did not occur for 60 minutes. Retrying to register more frequently assists with troubleshooting registration and user detection script issues.
- Performance and stability improvements.
- Security updates.
Bug fixes
Fixed issues where:
- Uninstalling the Code42 app didn't properly remove all application files from the device.
- File downloads to a Mac device could generate duplicate download events.
- Renaming a removable media drive on a Mac could generate false positive Modified events for files on the drive.
- Deleting a folder from within a cloud sync folder on a Windows device could generate a delete event for the folder, in addition to the files in the folder. Now, events are only created for the deleted files, not the parent folder.
- Using the Code42 API to delete your customized list of monitored applications required updating the list to an empty value. Now, the DELETE method works as expected.
- Some OneDrive events were not captured on Mac devices under specific circumstances.
- Files uploaded via a non-browser process could indicate the tab title/URL was missing because it was "Unavailable." Now, these events provide more detail and specify the tab title/URL is "not used by this application."
- Improvements to logging.
- Some file events for OneDrive sync folder activity on Macs reported the Destination user as "Unknown."
Version 1.6.2
Version number 1.6.3 known issue
In the Code42 console, the Administration > Agent Management > Downloads screen incorrectly labels the most recent App version as 1.6.3.
Version 1.6.2 is the most recent version; downloading a package labeled 1.6.3 actually downloads version 1.6.2, which is the correct version.
Full version number: 1.6.0.40 (1.6.2.1)
User devices automatically upgrade on September 1, 2022, unless you have configured an agent upgrade delay.
- Fixed an intermittent issue on Windows devices where the destination tab title and URL was not captured for some browser upload events.
Version 1.6.1
User devices automatically upgrade on July 15, 2022, unless you have configured an agent upgrade delay.
- Fixed an issue introduced with the version 1.6.0 release on July 14th where some macOS devices experienced delays in event reporting.
Version 1.6.0
Code42 app version 1.6.0 is no longer available. It has been replaced by version 1.6.1, which contains all of the 1.6.0 updates below, plus one additional bug fix.
Features
Printer activity detection
Mac and Linux devices now monitor files sent to printers. Print detection enables you to view and download images of printed files, which provides visibility into one more method of possible file exfiltration.
Updates
- Added support for Ubuntu 22.04 and Red Hat Enterprise Linux (RHEL) version 9.
- For Macs, updated the command line syntax to uninstall the Code42 app. If you use scripts or MDM commands to uninstall the agent on Macs, you'll need to update them to be compatible with Code42 app version 1.6.
Bug fixes
General
- On Mac devices, exfiltrated file collection could use an abnormally high amount of system resources under certain circumstances.
- Improvements to logging.
- Performance and stability improvements.
Deployment, installation, and upgrades
Fixed issues where:
- Some devices did not automatically upgrade to newer versions of the Code42 app.
- The Code42 app did not install successfully on some Windows devices if the operating system was installed with a non-English language.
Insider risk detection
- Fixed several issues to improve Active tab titles and URLs detection.
- Improved Salesforce report download detection.
- Fixed a rare issue where some removable media file events were not captured.
- On Mac devices, fixed an issue where deleting a file from a local cloud sync folder did not generate a file event in some circumstances.
- Fixed an issue where some file events were not reported if the Code42 app was unable to access the file contents (for example, if many files were transferred to removable media and the drive was disconnected before the Code42 app could collect all the files). Now, a more complete list of events is reported, but some events may not include all metadata, such as the MD5 and SHA256 hash values.
- On Mac devices, fixed an issue for files in the Box sync folder where file contents were sometimes incorrectly collected and preserved for file activity not initiated by the local device. Now, a change to a synced file caused by other users or devices still generates a file event, but the file contents are not collected since the file was not exfiltrated from the device.
- Improved ability to capture very large bursts of events on Windows devices.
Version 1.5.1
User devices automatically upgrade on May 26, 2022, unless you have configured an agent upgrade delay.
- Improved Salesforce report download detection.
- Fixed a rare, intermittent issue on Windows devices where file events could display the wrong Process name.
Version 1.5.0
User devices automatically upgrade on April 7, 2022, unless you have configured an agent upgrade delay.
Updates
Highlights
- Improved the ability to capture the tab title and URL for browser events on Mac devices. This update also simplifies the permissions required in the computer configuration profile (.mobileconfig file).
- Added support for file classification metadata from Microsoft Information Protection (MIP). This metadata can help provide additional risk context if you already use MIP in your organization.
- The Code42 API now enables you to confirm if full disk access permissions are configured correctly on your Mac devices.
- Re-introduced support for Red Hat Enterprise Linux (RHEL) versions 7 and 8.
Other updates
- Security updates.
- Reduced CPU usage on Mac devices, especially for devices running macOS Monterey 12.3.
- On Windows devices, if the Code42 proxy is set to None, the Code42 app will always use a direct connection, even if a Windows system proxy is configured. This matches the existing behavior for Mac devices.
- File contents are now collected and preserved for files synced with cloud storage only when changes are made by the local device. Changes to the synced file caused by other users or devices still generate a file event, but the file contents are not collected since the file was not exfiltrated from the device.
- Updated Code42 extended attributes on Mac devices to prevent Time Machine from backing up the Code42 application files.
- Improved support for non-LTS versions of Ubuntu.
- The app.log file now includes additional status information to better assist with troubleshooting.
- Additional updates and improvements to logging.
- Other miscellaneous performance and stability improvements.
Bug fixes
All operating systems
Fixed issues where:
- Copying a folder to removable media could generate duplicate events for files in the folder.
- File download events could be incorrectly created under certain circumstances for files syncing with a cloud storage service that were not actually downloaded to a device.
- Opening a local file (such as a PDF, image, or text file) with a web browser could generate a false positive file upload event under certain circumstances.
- Deactivated devices could not be reactivated from the Code42 console in some cases. Now, you have 30 days to reactivate a device.
- In rare circumstances, newly deployed devices did not apply the proxy auto-config (PAC) file until the device or the Code42 service restarted.
Windows
Fixed issues where:
- Google Drive for Desktop file activity was not captured in some circumstances.
- The Sync username could be missing or display "Unavailable" for file activity in personal (non-corporate) OneDrive accounts.
- File events were being reported for activity in some file paths that should be excluded.
- Uploading a file via a web browser could generate false positive file upload events for other files in the same folder under specific circumstances.
- Uninstalling the Code42 app .msi via the command line did not fully remove all components (the .exe was still visible in Add/Remove programs even though the app was removed).
- Uninstalling the Code42 app via the command line did not remove all log files.
- Some Windows application cache files were not properly excluded from Incydr security event monitoring.
- The code42.deployment.properties file was not recognized if it contained a .txt extension.
- In rare cases, if a user accessed more than one tab while multiple uploads were in progress, not all possible tab titles/URLs visited during the upload were listed in the file event details.
Mac
Fixed issues where:
- Slack tab titles were not captured in many cases.
- Uploads from network drives were not detected in some cases.
- If an external volume was reformatted, removable media events could include both the old and new volume name.
- When downloading a file in Safari, if the browser automatically changed the filename (for example, appending (1) because another file with that name already exists), duplicate file events could be created: one with the original filename appearing as a download, and one with the changed filename appearing as an upload.
- File events could be incorrectly generated for cloud shortcut files. Now, file events are only captured for files syncing with a cloud service when the actual file contents exist on the device.
- Time Machine backups were not properly excluded from file event monitoring and could generate false positive exfiltration events under certain circumstances.
Linux
Fixed issues where:
- Removable media events for password-protected volumes were not captured properly.
- File events on mounted virtual drives were not captured properly.
- Removable media events could report the wrong volume name if the volume was reformatted.
- Connecting a USB drive could create false positive events for all files on the drive under some circumstances.
Version 1.4.1
User devices automatically upgrade on January 25, 2022, unless you have configured an agent upgrade delay.
- Fixed an issue introduced with the 1.4.0 release on January 6th which could cause abnormally high memory usage and unexpected restarts on Mac devices.
Version 1.4.0
User devices automatically upgrade on January 6, 2022, unless you have configured an agent upgrade delay.
Updates
- Security updates.
- Added Incydr monitoring and exfiltration detection for:
  - Salesforce report exports to unmonitored personal devices (requires the Salesforce data connection).
  - Google Drive for Desktop for Mac and Windows.
  - Files downloaded via a web browser.
- Added proxy support for System and PAC file configurations on Windows and Mac devices.
- Improved ability to uninstall the Code42 app on macOS via an MDM tool without presenting a confirmation dialog to the user.
- The Windows Code42 app can now read the deployment.properties file from drive letters other than C:/. This enables support for persistent AWS VDI workspaces.
- The SHA256 hash of the user detection script is now included in the Logs folder. This enables you to confirm the integrity of the script run on each device.
- The Code42 app installer can now be used to uninstall any version of the app. Previously, the same version was required.
Bug fixes
- Improvements to logging.
- Windows devices now correctly apply proxy settings defined in the deployment.properties file.
- Files with alternate data streams (ADS) no longer display duplicate file events in Forensic Search.
- Deactivated devices now correctly stop Incydr monitoring.
- Some metadata for file events on removable media was not being captured correctly. Now it is.
- Changes to a username are now reflected in the file event metadata for new events right away. Previously, a user's old username could continue to be associated with new events even after the username changed.
- Fixed an issue on Mac devices where opening local files with Firefox could generate false positive file upload events under specific circumstances.
- Changing an organization's proxy method to None now stops devices from using the proxy immediately. Previously, the proxy was used until the device or the Code42 service restarted.
- Fixed a rare issue where false positive upload file events were created for system files read by Google Chrome.
- Globally adjusting logging levels via the Code42 console command-line interface (CLI) now correctly updates all modules to the new level.
- Other minor bug fixes and performance improvements.
Known issue
- Code42 app installers for Red Hat Enterprise Linux (RHEL) are temporarily unavailable.
Version 1.3.0
Windows, Mac, and Red Hat Enterprise Linux (RHEL) devices automatically upgrade on October 12, 2021, unless you have configured an agent upgrade delay. Ubuntu Linux devices remain on version 1.2.0.
Bug fixes
- Fixed an issue where agent logs were being overwritten after reaching the max size instead of "rolling over" to a new file. Now, older agent logs are preserved in a new file with .1 appended to the filename, and current activity continues to be logged in the original log file.
- Fixed an issue where the agent did not automatically restart on Mac devices under certain circumstances.
- On Macs, fixed an issue where uninstalling the agent did not properly remove the Code42-AAT folder from the Application Support directory.
- Fixed an issue where exfiltrated files were not available for download under certain circumstances.
- Other minor bug fixes and performance improvements.
Version 1.2.0
User devices automatically upgrade on August 26, 2021, unless you have configured an agent upgrade delay.
- Security updates.
- Added support for Linux devices.
- Improved user detection script logging.
- Fixed an issue where the Windows MSI installer was not properly signed.
- Fixed a rare issue where Forensic Search incorrectly displayed a Download link for files not available to download.
- Numerous other minor bug fixes and improvements.