Release Notes for Snare Windows Agent v5.8.0

Snare Windows Agent v5.8.0 was released on 5th December 2023.

Security Updates

  • Added configurable maximum failed logins limit. If this limit is exceeded, the user will be locked out for a period of time. The maximum number of failed login attempts and the lock timeout are configurable via Access Configuration.
  • Third-party libraries upgraded:
    • OpenSSL upgraded to version 3.1.1
    • Boost upgraded to version 1.81.0
    • SQLite upgraded to version 3.40.1
  • Improved the failback certificate lookup logic to consider expiry and issuer, reducing the need to re-create the self-signed certificate
  • Added support for large-key-size tokens on TLS_AUTH connections
  • Switched to a stronger encryption technique for sensitive data in the INF file
  • Replaced the use of MD5 with a stronger hashing algorithm in License Manager
  • To reinforce Agent security, removed the dependency on MD5 hashing during Snare Agent upgrade

    After this change, upgrading Snare Agent from versions earlier than 5.4.0 is not supported for Agents that had a password enabled.

    Customers who need to upgrade the Agent from a pre-5.4.0 version are advised to perform a two-step upgrade:

    • Step 1 - Upgrade from the pre-5.4.0 version to v5.7.0 or v5.7.1
    • Step 2 - Upgrade from v5.7.* to the latest version
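The failed-login limit introduced above locks an account for a configurable period once the limit is exceeded. As an added illustration that is not Snare's code, the following tracker shows the behaviour such a setting enforces: consecutive failures are counted per user, reaching the limit starts a timed lockout, a correct password during the lockout is still refused (so a guess cannot be confirmed while locked), and the counter resets when the lockout expires or a login succeeds. The parameter names `max_failed_logins` and `lock_timeout_seconds` and the user names are assumptions made for the example.

```python
import time


class LoginLockout:
    """Per-user failed-login counter with a timed lockout.

    Illustrative implementation of the lockout concept; the setting names
    below are assumptions for this example, not Snare's own identifiers.
    """

    def __init__(self, max_failed_logins=5, lock_timeout_seconds=300):
        self.max_failed_logins = max_failed_logins
        self.lock_timeout_seconds = lock_timeout_seconds
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> time (epoch seconds) when lock expires

    def is_locked(self, user, now=None):
        """True while the user's lockout is active; clears expired locks."""
        now = time.time() if now is None else now
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: reset state so the user gets a fresh allowance.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_attempt(self, user, credentials_valid, now=None):
        """Record one login attempt and return 'ok', 'failed' or 'locked'.

        A locked user is refused before the credential result is consulted,
        so a correct password submitted during the lockout still yields
        'locked' and gives no feedback about the guess.
        """
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"
        if credentials_valid:
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failed_logins:
            self._locked_until[user] = now + self.lock_timeout_seconds
            return "locked"
        return "failed"


def simulate(limit=3, timeout=60):
    """Constructed attempt sequence for user 'alice' (a made-up name).

    Three wrong passwords at t=0,1,2 trigger the lock until t=62; the correct
    password at t=30 is still refused; at t=62 the lock has expired and the
    correct password is accepted.
    """
    tracker = LoginLockout(max_failed_logins=limit, lock_timeout_seconds=timeout)
    attempts = [(0, False), (1, False), (2, False), (30, True), (62, True)]
    return [tracker.record_attempt("alice", ok, now=t) for t, ok in attempts]


if __name__ == "__main__":
    print(simulate())
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in production the wall clock is used. Note that the lock is keyed on the user name only, which is what the release note describes; a deployment that also wanted to rate-limit by source address would need a second key.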

New Features and Enhancements

  • Starting from version 5.8.0, Snare Agent can pull configuration and policy updates from Snare Agent Manager (SAM).
    This functionality replaces the previous method of pushing configuration from AMC (a Snare Central component) to Snare Agents.

    Recommendation

    Customers who use AMC to push configuration to the Agents are encouraged to migrate to this new mechanism, in which Agent policies are defined in SAM and Agents pull policy updates from SAM.
    This new mechanism is more secure and allows Agent configuration to be managed without having web access enabled on every managed endpoint.
    Please see the AMC to SAM Migration Guide for details.

    The existing AMC in Snare Central will be deprecated at a future date yet to be announced.

    Starting from SAM v2.0.0 and Snare Agent 5.8.0, Agent configuration and policies can be fully managed in Snare Agent Manager (SAM).
    SAM allows you to define Agent groups, load and update a master configuration, and provide it to the relevant Agents. Please see the Release Notes of SAM v2.0.0 and the User Guide for more details.

  • Added the ability to export Agent Settings in JSON format from the command line using the -j flag. This JSON file can optionally be used as the master configuration in SAM Agent Policies management.
  • Snare Agent can now be packaged and deployed in the same MSI package as Microsoft's Sysmon system-monitoring tool. Use Snare MSI Builder 3.1.0 to package both products for deployment via Group Policy.
    For further details see Snare MSI Documentation v3.

    Reminder: Snare Agent collects events generated by Sysmon out of the box.
  • Added an on-screen error notification when Snare Agent cannot subscribe to the Application, System or Security audit logs (usually due to insufficient permissions)

Bug Fixes

  • A previously standalone-licensed Snare Agent now obtains its license correctly after an MSI upgrade or reinstall with the SAM IP set in template.inf
  • Fixed very high CPU usage when Snare Agent cannot subscribe to core Windows logs
  • Fixed possible truncation of very large audit logs (over 16 kB)
  • Fixed form validation of the custom Agent Heartbeat Frequency field
  • Fixed a possible corner case when determining the certificate name
  • Fixed a possible error when accessing the Access Configuration page
  • Fixed a scenario where the Agent UI was inaccessible if the web certificate's private key was missing. In that scenario the Agent now generates and uses a self-signed certificate
  • Added the missing EventLogCounter field to the SnareV2 format
  • Fixed a SAM connectivity issue for Agents installed on a machine with a wireless network connection

User Guide

The following is an offline version of the User Guide for this release.

For an up-to-date version, refer to the online User Guide.