Date post: 29-Sep-2020
ObserveIT Version 7.7.3 Release Notes

This document provides information about new features, issues that were discovered and fixed since the previous release of ObserveIT, and limitations of the release.

7.7.3

It is important that you read this document before you install and configure ObserveIT 7.7.3.

Documentation for the release is available here.

For information about how to install and upgrade, see:

ObserveIT Installation

Upgrading ObserveIT

RESOLVED ISSUES FOR 7.7.3

[Issue 66042]: CMD is no longer Flash with Agent Silent Deployment.

[Issue 65786]: Agent 32 bit mode initiation issue fixed.

[Issue 65918]: Live message from player reaches the Agent when installed from Master Image.

[Issue 66217]: Agent installation on Linux does not fail with invalid interfaces.

[Issue 66259]: OIT FAM driver is now digitally signed with Microsoft Digital Signature.

[Issues 65604, 66418, 63473, 65674]: Improved Session Packing mechanism.

[Issues 66378, 66379, 66444, 66569, 66613, 66653, 65672, 66892]: Improved database performance for all large deployments.

[Issue 66883]: Analytic service does not fail when an endpoint returns from offline with a configured future date.

[Issue 67225]: Improved Screenshot Optimizer.

[Issue 67336]: For Mac, resolved issue when tracked file removed from tracking too early.

FEATURES

ObserveIT 7.7.3 also includes the following features from previous 7.7.x versions:

Data exfiltration to USB devices:

Gain visibility and detect file exfiltration to removable media (Storage, USB, Smart Phones, Tablets and SD cards) by monitoring copying and downloading files to USB devices.

Differentiate between white-listed (corporate) and unlisted USB devices (by serial number).


Detect and investigate when files are exfiltrated using non-corporate USBs.

Define alerts triggered by exfiltration to USB devices.

Search for files copied or downloaded to USB devices.

Generate reports with USB device details, including the serial number, model, vendor and label.

See: Detecting Exfiltration to a USB Device

File Activity Monitoring policies enabling high granularity:

Granular control of the websites and file extensions you want monitored and tracked by FAM, resulting in enhanced relevance and quality of metadata.

Define which downloads/uploads are monitored (using URL with wildcards) and by file extensions so only relevant file activity shows up in the ObserveIT system.

See: File Activity Monitoring Policies

Keylogger detection for special keys and key combinations: 

Detect non-file based exfiltration attempts through customizable alerts that trigger when special keys or key combinations are used on Windows and Mac systems, such as PrtScr, Alt-PrtScr, Cmd-Shift-3.

See: ObserveIT Keylogging

Detect Paste Activity: (Beta)

Detect paste activity triggered by either keyboard shortcuts (such as Ctrl-V, Shift-Insert, Cmd-Shift-3) or right-menu paste of images, files/folders and text. The detection covers standard implementation of right-menu Paste and standard usage by clicking the right mouse button and then choosing the Paste menu item with the mouse.

Capture paste activity including the content that is pasted. When pasting text, the text content is captured. When files/folders are pasted, the list of files/folders and the source folders from which they are copied is also captured. If Paste is done within Windows Explorer, the destination folder is captured as well.

Define alerts on paste activity triggered by either keyboard or right-menu paste.

Search for pasting activity of images, files/folders and text. When pasting text, you can search within the pasted text. In addition, when pasting files and folders, you can search within the name of the pasted files/folders and source folders.

Generate reports that show paste activity and the pasted content.

Notes:

This feature is in beta phase. By default it is not enabled. To enable it, select Enable detection of paste in the Recording Policy Settings.


This feature will detect paste activity as described; however, it is recommended that you limit the number of endpoints for which this capability is turned on.

Detection of paste activity of text captures the pasted text in plain text, and this text is visible when the session data in the Web console diaries is displayed.

See: Detecting Paste Activity

New RESTful API for controlling agent start/stop and retrieving session screenshots:

Control when the Agent starts and stops recording screenshots from outside of the ObserveIT application by using a new RESTful API.

The Recording Policy assigned for the endpoint is applied when recording is started using this API.

Retrieving screenshots via this API lets you implement customizable session players.

New File Activity Monitor driver (Beta) with optimized performance:

Next-Gen FAM driver provides further enhanced agent performance for File Activity Monitoring.

See: File Activity Monitoring Global Settings

The FAM driver is enabled from the Recording Policies menu. (Select Configuration > Recording Policies and select the File Activity Monitoring Policies tab.)

The FAM driver takes effect only when you select both:

Enable File Activity Monitoring

Enhanced performance mode

USB Connect Enhancement: 

Detect an already connected USB device and devices plugged in when no user is logged in.

See: Detecting the Insertion of a USB Device

Insider Threat Management Library (ITL) Enhancements

New rules for exfiltration to an unlisted (not whitelisted) USB

New rules for connecting to an unlisted (not whitelisted) USB

New rules for taking screenshots using keyboard shortcuts

New rules for paste activity (on text, files/folders, images)

Rules that were defined with a frequency of “once per session” under certain conditions, triggered multiple times per session. From 7.7.0, this has been resolved and any rule defined with a frequency of “once per session” will only trigger once per session.

See: ObserveIT Insider Threat Library

New requirements for the ObserveIT Database server password provide a security enhancement and increased compatibility:

Password is now highly complex, randomly generated and with a minimum of 26 characters

Password provides increased compatibility with newer Microsoft database systems

This version includes support for:

macOS Mojave 10.14

Splunk 1.2 Certification

Ubuntu 18.04

USB type C is now supported on Mac, only Thunderbolt is not supported

LIMITATIONS

ObserveIT 7.7.3 also includes the following limitations from previous 7.7.x versions:

Limitations for 7.7.x

USB connection of an iPhone does not grant write access to the iPhone, so USB connection of an iPhone is ignored as a USB-connect event.

USB Thunderbolt is not supported.

The Microsoft signature uses the SHA-256 hashing algorithm, so installation of Security Update for Windows 7 (KB3033929), which adds support for SHA-2, is required: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929

File Activity Monitoring Limitations

While FAM activity is exported via Developers Portal RESTful API, it is not currently exported via CEF Logs and Monitor Logs.

Paste Activity Limitations

Right-menu paste is not detected in the following:

Non-standard implementation of right-menu (Microsoft Office, Paint, Visual Studio, SSMS, WordPad, Wireshark, Slack, Fiddler)

Opening menu by right-click and choosing paste (not with the mouse), for example, using arrow keys & ENTER or keyboard shortcuts such as Shift-P

Paste by clicking on the paste icon

Opening right menu on Mac with the Touch Bar without releasing your finger from the Touch Bar, dragging your finger and choosing the Paste menu item.

If, however, after opening the right menu, you release your finger from the Touch Bar and then click the Paste menu item, paste activity is detected.

Deprecation

The following have been deprecated as they are no longer supported from version 7.7.x:

They are supported up to version 7.6.2 on best effort.

macOS Versions

macOS Yosemite 10.10

macOS El Capitan 10.11

Unix/Linux

RHEL/CentOS 4.8-4.9 i386/x86_64

Debian 6

Oracle Linux 4.8-4.9 i386/x86_64

Microsoft SQL Server 2008 - blocked on installation

API CHANGES

Authentication:

From now on, the session-operation API (../v2/apis/endpoint/session-operations) requires an authentication token by default.

Deprecation:

GetUsers.aspx API: (Application server) Returned the list of web console users

Test.aspx API: (Application server) Used to check the application server is up and running (Replaced by API - HeartBeat.asmx/IsAlive)

DOCUMENTATION CHANGES

From release 7.6.2, the link to ObserveIT online documentation has been modified so some older bookmarks and hyperlinks to specific pages may need to be updated.