Release Notes for Snare Windows Agent v5.9.0
Snare Windows Agent v5.9.0 was released on 3rd December 2024.
Since v5.8.0, upgrading Snare Agent from versions earlier than 5.4.0 is not supported for Agents that had a password enabled.
Customers who need to upgrade the Agent from a pre-5.4.0 version are advised to perform a two-step upgrade:
- Step 1 - Upgrade from pre-5.4.0 version to v5.7.0 or 5.7.1
- Step 2 - Upgrade from v5.7.* to the latest version
Security Updates
- 3rd party libraries upgraded:
  - OpenSSL upgraded to version 3.2.0
  - Boost upgraded to version 1.84.0
  - SQLite version updated to latest 3.44 series
- Added support for CNG (Cryptography Next Generation) certificates
- GUI password is now enforced for all agents. If no password was set, or the login password does not meet the complexity criteria, the user will be required to set a GUI password.
Password Complexity Requirements
Starting from Snare Agent version v5.9.0, the following GUI password complexity rules are enforced:
- 10 to 128 characters in length
- Not more than 2 identical characters in a row
- 3 out of the following 4 complexity rules:
  - At least 1 uppercase character (A-Z)
  - At least 1 lowercase character (a-z)
  - At least 1 digit (0-9)
  - At least 1 special character (punctuation or space)
- Installer now requires password (with complexity requirements) if Agent web interface is enabled
- Replaced usage of deprecated OpenSSL functions with appropriate alternatives.
The changes are related to TLS connection and certificates handling, RSA signing, hashes, signature generation and verification during licensing and remote upgrade.
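The GUI password complexity rules listed above can be checked before a password is handed to the installer or to a password reset. The following Python validator is an added example, not Snare's own code; it assumes "special character" means ASCII punctuation or space, and the name check_gui_password is hypothetical.

```python
import re
import string

MIN_LEN, MAX_LEN = 10, 128
# Assumption: "special character (punctuation or space)" = ASCII punctuation plus space.
SPECIALS = set(string.punctuation + " ")


def check_gui_password(password: str) -> list[str]:
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 10 to 128 characters")
    # Three or more identical characters in a row break the "not more than 2" rule.
    if re.search(r"(.)\1\1", password, flags=re.DOTALL):
        problems.append("more than 2 identical characters in a row")
    classes = {
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    # Any 3 of the 4 character classes are sufficient.
    if sum(classes.values()) < 3:
        missing = ", ".join(name for name, ok in classes.items() if not ok)
        problems.append(f"needs 3 of 4 character classes (missing: {missing})")
    return problems


# Constructed sample passwords, for illustration only.
SAMPLES = [
    "Short1!",                # too short
    "correct horse battery",  # only lowercase + space: 2 of 4 classes
    "Passsword-2024",         # "sss" is three identical characters in a row
    "snare agent 59 ok",      # lowercase + digit + space: passes
]

if __name__ == "__main__":
    for pw in SAMPLES:
        issues = check_gui_password(pw)
        print(f"{pw!r}: {'OK' if not issues else '; '.join(issues)}")
```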
New Features and Enhancements
- Snare Agent can now generate and collect logs for CPU, Disk, Memory and Network Telemetry Monitoring:
  - New Telemetry Monitoring configuration allows configuring periodic scans for a variety of telemetry metrics available on the machine. A separate event log is generated for each metric.
  - Refer to the User Guide for Telemetry Configuration and Appendix I - Telemetry Event Format
- Snare Agent can now deliver event logs directly to Devo Syslog Event Load Balancers (ELB):
  - New mutual TLS (mTLS) protocol was added to the Network Destination Configuration in the Agent
  - New mTLS Certificate selector was added for mTLS Network Destinations in the Agent. Note: the certificate and its chain of trust are expected to be installed on the endpoint as a prerequisite of using it in the Agent.
  - New DEVO and DEVO JSON formats were added to the Network Destination Configuration in the Agent. Use mTLS protocol with DEVO format to forward events to Devo Syslog ELB. DEVO JSON format is reserved for future use and is not supported by Devo at this time.
- Snare Agents menu items were rearranged to group them under new submenus, such as Log Sources (that includes Audit Policies, FIM, RIM, Log Files and Filters) and Advanced (for the less commonly used items).
  Some items were renamed: Audit Service Status > Agent Status; Audit Policy Configuration > Audit Policies; Log Configuration > Log Files; Log Filter Configuration > Log Files Filters
  [Screenshots: v5.8.1 and v5.9.0]
- Improvements to the Audit Service Statistics page to make labels clearer and display accurate data
  [Screenshots: v5.8.1 and v5.9.0]
- Web GUI password can now be reset using Reset Password button added to Access Configuration Web Page
- Web GUI password can now be reset from the command line interface by running the agent executable with the -p flag followed by the new password. Complexity rules for the password are now enforced. See Password Complexity Requirements under the Security Updates section above.
- Added new configuration setting Disable License Pre-Expiry Heartbeats to allow disabling heartbeats related to upcoming license or support expiry. This is useful for scenarios where SAM issues Agent's license for a short period of time, and close expiry heartbeats are not desirable. This setting can be found on the HeartBeat & Agent Log page.
- Improved the SAMC Agent status on Agent Status page for un-managed master agents
- Improved mechanism ensuring that only one Agent service instance can run at a time
- Improved Agent logging during service initialization, to help troubleshoot issues during service start up
- Improved Agent logging related to IP addresses, to help troubleshoot relevant issues
- Latest Events page now displays throughput for destinations (label change for clarity)
- Removed the repeated log messages when agent is set to use TLSv1.3 as minimum
- Removed usage of deprecated functions during Windows version recognition
- Other code clean-up and usage of safer functions
Bug Fixes
- Agent policies management via SAM:
  - Fixed the issue where Agent configuration could get reset to defaults (and thus Agent would disconnect from SAM) after the Agent Policy Group that managed this agent is deleted in SAM, and the Agent gets reassigned to the top-level Supported Agents group
  - Fixed the issue where removal of all destinations, or all policies of a certain type (Audit, Log, FIM, RIM, FAM or RAM) from the Master configuration in SAM was not reflected in the managed Agent. If SAM provided no policies of a certain type, the Agent was incorrectly falling back on the pre-existing local policies.
- Corrected SAMC Status after agent receives a configuration from SAM
- Removed DNS resolver check for the "IP Address allowed to remote control SNARE" configuration setting. This supports scenarios where the IP/Hostname does not exist on the current domain but will be available in the future
- Fixed leap year bug, where Agents installed on February 29 failed to create a self-signed certificate, which caused GUI to be unavailable
- Fixed critical issues that could be caused by broken Windows events
- Fixed the issue where Agent could crash when there is wrong/corrupted certificate in the certificate store
- Resolved the issue where modified or deleted destination was still listed on the Latest Events page
- Fixed potential memory leak that could cause growing memory usage by the Agent
- Fixed disabled "Export HeartBeats to file?" checkbox on HeartBeat & Agent Log Configuration page
User Guide
The following is an offline version of the User Guide related to this release.
For an up-to-date version refer to the online version here.