Contents and detection
A list of the improvements for the Contents and Detection that have been introduced in this release.
- The scan for Windows executable files for unknown protocols is now disabled by default. It can be enabled via a dedicated entry in the configuration file.
- Alerts stemming from YARA and Structured Threat Information Expression (STIX) rules about files in compressed archives now expose both the archive's and the extracted file's hashes.
- Retired the legacy index matching and Microsoft hotfixes engines. Those capabilities have been improved and standardised in cpe2cve.
- STIX indicators can now be assigned a custom scoring to be reflected in the alert risk.
- Added DUALUSE and PUA alerts for STIX Indicator alerts.
- The extraction and analysis of files can now be enabled or disabled according to the node's identifier (ID), zone and type.
- Improved stability of packet rules when generating an alert during the reload of packet rules contents.
- Packet Rules and Sandbox Engine can now automatically scale the central processing unit (CPU) and random-access memory (RAM) allocation to offer increased protection under high network traffic.
- Improved the consistency of asset merge for passive and active discovery.
- Improved the robustness of the byte option for Packet Rules against malformed input.
- Improved the ability to scan streams of unknown protocols for executable files. This is disabled by default and can be enabled via a documented instruction.
- n2os_va is now considered under high load if more than 10% of recalculation tasks are discarded in the last minute.
- Introduced a generic Microsoft Windows signature for nodes and assets for which a precise build version cannot be inferred from passive monitoring. When more accurate information is captured from any other data ingress method, it will override the generic signature.
- Improved the robustness of Sandbox while analyzing invalid and corrupted VBA macros.