Insider risk agent release notes

Overview

This page lists new features and bug fixes for the insider risk agent. 

For release notes for other agent types and the Code42 cloud, see Incydr release notes.

Version 1.13.0

Full version number: 1.10.0.31 (1.13.0.268)
User devices automatically upgrade on May 9, 2024, unless you have configured an agent upgrade delay.

Updates

  • Added support for Windows devices with ARM-based processors.
  • Added support for Ubuntu 24.04 LTS.
  • Numerous performance and stability improvements.

Bug fixes

Fixed issues where:

  • Classification metadata was not captured for files in a Google Drive folder on Windows devices. 
  • Some file upload events could have the same tab title listed more than once.
  • Linux devices could generate duplicate file upload events for very large files. 
  • On Macs, file uploads via the Brave browser from network locations were not detected in some circumstances.
  • Moving and renaming files in the Google Drive folder was not detected in some cases if the folder existed in a non-standard location. 
  • Some AirDrop activity was not detected on devices running macOS Sonoma.
  • On Macs, file activity in personal OneDrive accounts could report the wrong sync direction under specific circumstances. (OneDrive for Business was not affected.)
  • On RedHat Linux devices, some unsupported browsers weren't blocked as expected for users on a watchlist with the Block unsupported browsers preventative control enabled. 
  • Git push events to remote repositories were not captured in some circumstances.
  • The file event details for some Moved and Renamed file events were missing the Username.
  • On Windows devices, moving a file to a different directory could generate both a Moved and Deleted event under specific circumstances. Now, only a Moved event is generated.
  • On Windows devices with Microsoft Teams for Home, some activity in Teams was not detected.
  • On devices with the Incydr browser extension installed, file upload events could report the wrong Active tab title and URL in rare cases.
  • In rare cases, trusted uploads to Microsoft Teams were incorrectly identified as untrusted activity.
  • On devices running macOS Sonoma, AirDrop events were missing the device name. Version 1.13 does capture the device name, but you must first deploy an updated configuration profile.

Known issues

  • Attempting to install an older insider risk agent version on a Windows device with version 1.13.0 already installed may cause a duplicate entry to appear in the Windows Control Panel Programs and Features list.
    • This is a display issue only: version 1.13.0 remains operational and there are not actually two agents running. You can safely uninstall the older Code42 Incydr Agent entry to clean up the list without affecting version 1.13.0.
    • Upgrades from an older version to 1.13.0 (including automatic upgrades) are not affected.

Version 1.12.2

Full version number: 1.9.13.21 (1.12.2.1)
User devices automatically upgrade on April 22, 2024, unless you have configured an agent upgrade delay.

Bug fixes

  • Fixed an issue which could have interfered with Linux device upgrades to future versions of the insider risk agent.

Version 1.12.1

Full version number: 1.9.13.21 (1.12.1.1)
User devices automatically upgrade on March 26, 2024, unless you have configured an agent upgrade delay.

Bug fixes

  • Fixed a performance issue affecting some Mac devices running macOS Sonoma.
  • Fixed a rare issue for environments using the CLI to query specific agent attributes.

Version 1.12.0

Full version number: 1.9.13.21 (1.12.0.61)
User devices automatically upgrade on February 22, 2024, unless you have configured an agent upgrade delay.

Features

Linux support for browser upload detection and preventative controls

The Incydr browser extension is now supported for Linux devices. Deploying the browser extension enables many features for Linux previously only available for Windows and Mac, including:

  • Browser upload detection
  • Preventative controls
    • Block or temporarily allow uploads
    • Block or temporarily allow pasting in web browsers
    • Block unsupported browsers
    • Block private browser modes

Updates

  • Improved support for monitoring activity in the new Microsoft Teams app.
  • Reduced CPU and memory use on devices with a high volume of Git activity, especially for git clone events.
  • To reduce confusion, Remote hostname is no longer reported for browser events. See the Source and Destination sections for the most relevant metadata about the browser at the time the file activity occurred.
  • Numerous other performance and stability improvements.
  • Security updates.

Bug fixes

Fixed issues where:

  • The Block unsupported browsers preventative control did not work as expected unless the Block browser uploads control was also enabled.
  • Uploads to a trusted Microsoft Teams destination were incorrectly marked as untrusted activity in certain circumstances.
  • In some cases, file activity on Linux devices was incorrectly attributed to the user who registered and installed the insider risk agent, which could differ from the current user. Now, file activity is more accurately attributed to the current user.
  • From Slack, opening a file in a web browser could generate a false positive download event in some cases. 
  • For Mac users on a watchlist configured to block browser uploads, file uploads were not blocked in the Edge browser in specific circumstances.
  • Git push events could report an incorrect repository URI for pushes to a cloned repo from a Mac or RHEL 8 device.
  • Git clone events could be incorrectly reported as Git push events in some cases. (Mac only)
  • In rare cases, some Git push events were not captured if multiple push events to different branches in the same repo were performed in quick succession.
  • The OneDrive username was not captured for some events. (Mac only)
  • Some OneDrive Create events were incorrectly reported as Move events. (Mac only)
  • Moving or modifying a file in a OneDrive folder could generate an unexpected Deleted event. (Mac only)
  • On Windows devices, files uploaded from a secondary drive were not detected under certain circumstances.
  • Downloading a Salesforce report to a monitored endpoint could generate a false positive exfiltration event in some circumstances.

Known issues

  • Linux users on a watchlist with the Block private browsing preventative control enabled may still see the option to open an incognito window in the browser's context menu. This is a display issue only; incognito does not launch if selected.

Version 1.11.0

Full version number: 1.9.0.12 (1.11.0.15)
User devices automatically upgrade on October 24, 2023, unless you have configured an agent upgrade delay.

Features

Island and Talon browser support

The insider risk agent now detects upload and download activity in the Island and Talon browsers. Requires the Incydr browser extension.

Updates

  • Performance and stability improvements

Bug fixes

  • Fixed an issue where uploads to Microsoft Teams that should be trusted were incorrectly marked as untrusted activity in certain circumstances.

Version 1.10.0

Full version number: 1.9.0.12 (1.10.0.34)
User devices automatically upgrade on September 12, 2023, unless you have configured an agent upgrade delay.

Features

Git clone detection

The insider risk agent now detects Git clone activity, in addition to the existing Git pull and push detection.

Better visibility of file contents in exfiltrated zip files

Exfiltrated zip files now generate a file event for each file in the .zip folder.

Updates

  • Updated the command line syntax to uninstall the insider risk agent. If you use scripts or MDM commands to uninstall the agent, you'll need to update them to be compatible with insider risk agent version 1.10.
  • Improved activity monitoring for devices using the Incydr browser extension, including additional metadata for file downloads and reduced false positive events in certain circumstances.
  • Numerous other performance and stability improvements.

Bug fixes

Fixed issues where:

  • In rare circumstances, downloading a file could create a false positive upload event for that file.
  • Reading a file from network-attached storage could generate a false positive file event in specific circumstances.
  • The AirDrop risk indicator was not applied to some AirDrop file events. (AirDrop file activity was still captured and visible in Forensic Search, but risk scores were not applied.)
  • In some cases, file contents were not captured for files exfiltrated from network-attached storage.
  • In some cases, file contents were not captured for large files exfiltrated to removable media.

Version 1.9.4

Version 1.9.3

Version 1.9.2

Version 1.9.1

Version 1.9.0

Version 1.8.0

Version 1.7.1

Version 1.7.0

Version 1.6.2

Version 1.6.1

Version 1.6.0

Version 1.5.1

Version 1.5.0

Version 1.4.1

Version 1.4.0

Version 1.3.0

Version 1.2.0