Insider risk agent release notes

Overview

This page lists new features and bug fixes for the insider risk agent.

For the backup and legacy agents, see Incydr release notes.

Version 1.12.0

Full version number: 1.9.13.21 (1.12.0.61)
User devices automatically upgrade on February 22, 2024, unless you have configured an agent upgrade delay.

Features

Linux support for browser upload detection and preventative controls

The Incydr browser extension is now supported for Linux devices. Deploying the browser extension enables many features for Linux previously only available for Windows and Mac, including:

  • Browser upload detection
  • Preventative controls
    • Block or temporarily allow uploads
    • Block or temporarily allow pasting in web browsers
    • Block unsupported browsers
    • Block private browser modes

Updates

  • Improved support for monitoring activity in the new Microsoft Teams app.
  • Reduced CPU and memory use on devices with a high volume of Git activity, especially Git clone events.
  • To reduce confusion, Remote hostname is no longer reported for browser events. See the Source and Destination sections for the most relevant metadata about the browser at the time the file activity occurred.
  • Numerous other performance and stability improvements.
  • Security updates.

Bug fixes

Fixed issues where:

  • The Block unsupported browsers preventative control did not work as expected unless the Block browser uploads control was also enabled.
  • Uploads to a trusted Microsoft Teams destination were incorrectly marked as untrusted activity in certain circumstances.
  • In some cases, file activity on Linux devices was incorrectly attributed to the user who registered and installed the insider risk agent, which could differ from the current user. Now, file activity is more accurately attributed to the current user.
  • Opening a file from Slack in a web browser could generate a false positive download event in some cases.
  • For Mac users on a watchlist configured to block browser uploads, file uploads were not blocked in the Edge browser in specific circumstances.
  • Git push events could report an incorrect repository URI for pushes to a cloned repo from a Mac or RHEL 8 device.
  • Git clone events could be incorrectly reported as Git push events in some cases. (Mac only)
  • In rare cases, some Git push events were not captured if multiple push events to different branches in the same repo were performed in quick succession.
  • The OneDrive username was not captured for some events. (Mac only)
  • Some OneDrive Create events were incorrectly reported as Move events. (Mac only)
  • Moving or modifying a file in a OneDrive folder could generate an unexpected Deleted event. (Mac only)
  • On Windows devices, files uploaded from a secondary drive were not detected under certain circumstances.
  • Downloading a Salesforce report to a monitored endpoint could generate a false positive exfiltration event in some circumstances.

Known issues

  • Linux users on a watchlist with the Block private browsing preventative control enabled may still see the option to open an incognito window in the browser's context menu. This is a display issue only; incognito does not launch if selected.

Version 1.11.0

Full version number: 1.9.0.12 (1.11.0.15)
User devices automatically upgrade on October 24, 2023, unless you have configured an agent upgrade delay.

Features

Island and Talon browser support

The insider risk agent now detects upload and download activity in the Island and Talon browsers. This requires the Incydr browser extension.

Updates

  • Performance and stability improvements

Bug fixes

  • Fixed an issue where uploads to Microsoft Teams that should be trusted were incorrectly marked as untrusted activity in certain circumstances.

Version 1.10.0

Full version number: 1.9.0.12 (1.10.0.34)
User devices automatically upgrade on September 12, 2023, unless you have configured an agent upgrade delay.

Features

Git clone detection

The insider risk agent now detects Git clone activity, in addition to the existing Git pull and push detection.

Better visibility of file contents in exfiltrated zip files

Exfiltrated zip files now generate a separate file event for each file contained in the .zip archive.

Updates

  • Updated the command line syntax to uninstall the insider risk agent. If you use scripts or MDM commands to uninstall the agent, you'll need to update them to be compatible with insider risk agent version 1.10.
  • Improved activity monitoring for devices using the Incydr browser extension, including additional metadata for file downloads and reduced false positive events in certain circumstances.
  • Numerous other performance and stability improvements.

Bug fixes

Fixed issues where:

  • In rare circumstances, downloading a file could create a false positive upload event for that file.
  • Reading a file from network-attached storage could generate a false positive file event in specific circumstances.
  • The AirDrop risk indicator was not applied to some AirDrop file events. (AirDrop file activity was still captured and visible in Forensic Search, but risk scores were not applied.)
  • In some cases, file contents were not captured for files exfiltrated from network-attached storage.
  • In some cases, file contents were not captured for large files exfiltrated to removable media.

Earlier versions

Release notes also exist for versions 1.9.4, 1.9.3, 1.9.2, 1.9.1, 1.9.0, 1.8.0, 1.7.1, 1.7.0, 1.6.2, 1.6.1, 1.6.0, 1.5.1, 1.5.0, 1.4.1, 1.4.0, 1.3.0, and 1.2.0.