ZeroLock™ Endpoint Agent 1.x - Build notes

Item Number

Description

PM-98

Ransomware through cronjob not honoring response type.  When ransomware executable was run through cronjob, even though the response type was set to Remediate, it was still asking user to act on alert.

This behavior was seen on both Ubuntu and CentOS.

BALD-33

Add support to protect 32-bit processes.

PM-101

Logging back in after logging out of the UI on a protected system takes a long time.     Changes were incorporated so command, as well as GUI response, is markedly faster.

PM-75

More Intelligent Cron Job Determination.  The agent now parses the files in /etc/crod.d, /etc/cron.hourly, etc. find programs it should allow.

PM-79

Allow Specification of Individual Files to Remediate.  Users can now optionally specify a list of files they would like to roll back during a Remediation event.  This functionality deals with the use case where a customer is remediating an attack that also contains legitimate changes from other processes in the tree.

PM-92

Improved system performance on Ubuntu when doing a system update.

PM-90

Resolved infinite loop of overlay path contains symlink.  Fixed issue on the Bitbucket runner when a pipeline was run with a stage that contained a “-pipe” directive. This directive created an issue where you could not identify the overlay path of a container spawned by the runner.

PM-89

Resolved issue with systemctl commands not working on a protected Ubuntu 22.04. 

CJD-24

Not detecting XMRig when threads >= 2X cores.  Corrected issue of system failing to recognize cryptominer on machines experiencing overloaded CPUs.  

Item Number

Description

BALD-22

Improved Endpoint Agent Dependency Information.  Having detailed information about all the dependencies used by the Endpoint agent can be critical. Recognizing this, we now include the fully qualified versions of an agent’s dependencies and any relevant additional information, such as the system’s architecture in the Baldur log.

TYR-23

Baldur start delayed on Endpoint reboot.  Improved system security by addressing the brief delay between endpoint reboot and start of the Baldur process. 

PM-76

Syslog Reporting Functionality Enhancement.  ZeroLock for Linux now supports writing logs to the local syslog on protected systems.  This improvement allows you to obtain alert information through any of the SEIM/SOAR type solutions without necessarily having to write custom API integration for each one.

The logs being updated with information are the /var/log/messages (centos/rh) or /var/log/auth.log (ubuntu).  With this enhancement, and using native Linux syslog protocol functionality, our logging information can move to any log collector/consolidator.

PM-71

Improved Program Execution Rule Enforcement. We found an issue where a program restricted by Program Execution rules could be renamed or symlinked, allowing it to run improperly. This issue has been corrected by adding functionality to Program Execution rules such that any process which was blocked on a system by the rule is also prevented from being renamed, copied, or moved. 
 

PM-74

Program Execution Override. 

The system administrator is now allowed to add a Program Execution or File access rule to override the behavior analysis engines when the process or file behavior has been verified good. This feature makes it easier to handle false positives.

PM-77

Optimized Memory Usage.  Reduced the amount of memory Baldur uses, effectively increasing availability to the OS. 

AGENT-97

Re-install Endpoint Agent Failing when Curl is Missing.  For some Linux distributions, curl is not included on the endpoint running the ZeroLock Endpoint Agent.

If an endpoint was installed using one of the other three options:  wget, Self-Extracting script or the Tar file, and the Re-Install Agent Version option is selected from the ACTIONS drop-down list, it would fail because curl was not on the system.

To address this issue, the Re-Install Agent Version option will now use wget to do the reinstall if installed and available.

AGENT-100

ZeroLock container agent now supports running with SELinux enabled on RHEL/Centos.  The container-deployed agent is now allowed to install with SELinux enabled.

CJD-21

Multiple enhancements to the Cryptojacking engine’s machine learning model reducing false positives and improving efficacy. 

AGENT-115

ZeroLock endpoint agent enhancements were added to support WordPress and RabbitMQ while running Security Perf. 

PM-69

PID wrap causes misidentification of processes PIDs.     Linux PIDs may wrap after they grow to a certain value (as shown in /proc/sys/kernel/pid_max). Baldur was designed to use PIDs as a primary key but, when a PID wrapped, it was no longer recognized as a valid value. This issue has been resolved.

PM-70

Fix Baldur crash due to race condition. Resolved Baldur crash when socketInodesAndPaths variable is not being accessed in a thread-safe manner.

Reduce false positives from cron jobs. We improved performance and reduced false positives on protected endpoints running cron jobs.

Address the Jumpbox false positives. On protected endpoints running Jumpbox we improved performance and reduced false positives. 

Multiple performance enhancements when protecting docker containers. In addition to fixing a system issue related to the frequent stopping/starting of multiple containers several other performance enhancements were made. 

Item Number

Description

PM-63

Resolved issue with Teams for Linux on a system reboot.  Microsoft Teams is now supported.

TYR-22

Resolved issue related to ZeroLock Endpoint Agent Shutdown.  The agent shutdown process was adjusted so injected services will be restarted, Baldur detection engines will shut down, and ZeroLock service will be disabled.

AGENT-44

Installation issues on Fedora 36 & 37. Resolved installation issues on Fedora 36 & 37 caused by package naming in default repository.

LIBI-13

MongoDB Crash Issue. Resolved issue when protecting MongoDB concerning large signal stack for its threads.

TYR-18 

Changing Endpoint Agent version causes endpoint update failure.  When attempting to change the agent version on an endpoint while the endpoint is in the process of updating, the ZeroLock agent is stopped and will not run unless a reboot, or a restart of that agent is done. No update of the agent will occur.

Protection of the system is maintained by reverting to the previously running Endpoint Agent version.  

 TYR-21

Endpoint Agent not properly determining the machineId of ASUStor NAS systems. The system was using a non-standard location to store their machine ID information resulting in multiple agents appearing under the same database record in the UI. The resolution was to add the ability to identify machine ID from the /etc/nas.conf file when required.

Item Number

Description

BALD-15

Numerous Performance and False Positive Enhancements.

PM-35

Improved speed of fork when running many processes.  Several changes to Baldur were made that reduced the speed degradation that can occur when there is a buildup of processes.

CJD-13

Python3 False Positive.  On CentOS Stream 9, installing our agent and running “sudo dnf update” will generate a cryptojacking false positive caused by python3 partway into the update.  Cryptojacking enhancements, limiting identified false positives when doing system updates, has resolved this issue.

CJD-12

Resolved issues of scp file transfer generating a false positive for Cryptojacking.

BALD-19

Resolved issue with commands using sudo hanging for the non-root users when the container agent is installed.

CON-15

Multiple threads simultaneously accessing shared data. Identified and fixed locations where locking was not used properly. Multiple threads are now prevented from simultaneously accessing shared data.