Endpoint Agent
- _General
- 4.4.0.9
- 4.4.0.9.1
- 4.4.1.0
- 4.4.1.1
- 4.4.1.2
- 4.4.1.3
- 4.4.1.4
- 4.4.2.0
- 4.4.2.1
- 4.4.2.2
- 4.4.2.3
- 4.4.2.4
- 4.4.2.5
- 4.4.2.6
- 4.4.2.7
- 4.4.2.8
- 4.4.3.0
- 4.4.3.2
- 4.4.3.1
- 4.4.4.0
- 4.4.4.4
- 4.4.5.1
- 4.4.5.2
- 4.4.5.3
- 4.4.5.9
- 4.4.5.8
- 4.4.5.5
- 4.4.5.6
- 4.4.5.7
- 4.4.5.4
- 4.4.6.0
- 4.4.6.1
- 4.4.6.2
- 4.4.6.3
- 4.4.6.4
- 4.4.7.0
- 4.4.7.1
- 4.4.7.3
- 4.4.8.0
- 4.4.8.1
- 4.4.8.2
- 4.4.9.0
- 4.4.9.1
- 4.4.9.2
- 4.4.9.4
- 4.5.0.0
- 4.5.0.1
- 4.5.0.2
- 4.5.0.3
- 4.5.1.0
- 4.5.1.2
- 4.5.2.1
- 4.5.2.2
- 4.5.3.0
- 4.5.3.1
- 4.5.3.2
_General
- 4.4.0.9
- 4.4.0.9.1
- 4.4.1.0
- 4.4.1.1
- 4.4.1.2
- 4.4.1.3
- 4.4.1.4
- 4.4.2.0
- 4.4.2.1
- 4.4.2.2
- 4.4.2.3
- 4.4.2.4
- 4.4.2.5
- 4.4.2.6
- 4.4.2.7
- 4.4.2.8
- 4.4.3.0
- 4.4.3.1
- 4.4.3.2
- 4.4.4.0
- 4.4.4.4
- 4.4.5.1
- 4.4.5.2
- 4.4.5.3
- 4.4.5.4
- 4.4.5.5
- 4.4.5.6
- 4.4.5.7
- 4.4.5.8
- 4.4.5.9
- 4.4.6.0
- 4.4.6.1
- 4.4.6.2
- 4.4.6.3
- 4.4.6.4
- 4.4.7.0
- 4.4.7.1
- 4.4.7.3
- 4.4.8.0
- 4.4.8.1
- 4.4.8.2
- 4.4.9.0
- 4.4.9.1
- 4.4.9.2
- 4.4.9.4
- 4.5.0.0
- 4.5.0.1
- 4.5.0.2
- 4.5.0.3
- 4.5.1.0
- 4.5.1.2
- 4.5.2.1
- 4.5.2.2
- 4.5.3.0
4.4.0.9
Features
For telementry-enabled groups, added Active Directory data to credential theft watch list
Fixes
Remove duplicate local volumes and network share entries in some environments.
Refined behavior for some thumbnail database rebuilds causing incidents
Fixed license validation bug which could increase startup time
Refined behavior for file access to write-once media such as CD’s and WORM tape drives
WHCP/WHQL Validation Status
Validated
MD5 Hashes
service.exe = c32c54381666cbd075fba2b1078b518b
assistant.exe = 2e4266bf1527f384665f57dc979c4c79
CCRRSecMon.sys (Windows10) = 35472ab324221af5fb459badb937f899
CCRRSecMon.sys (Windows8) = 04132be3deb9dff52166f2dd39488874
CCRRSecMon.sys (Windows7) = fc7f480d417d0bf650bef3e5770f49c2
4.4.0.9.1
Features
None - maintenance update.
Fixes
Fixed some network shares connected by a user being initially ignored in analytics.
Refined false positive behavior associated with shares appearing during user sessions, followed quickly by a Save As dialog box.
WHCP/WHQL Validation Status
Validated.
MD5 Hashes
service.exe = 52e03ed57dab0fac936364899140af59
assistant.exe = a90ad6f6544c2c3b2fb44bb57b70180b
CCRRSecMon.sys (Windows10) = 6201b1a056d85c7576e4357e4ec9494e
CCRRSecMon.sys (Windows8) = bd86ede6922503890f6d9b69871660e4
CCRRSecMon.sys (Windows7) = ffcfbdda88faac6743b2de00c2cc4530
4.4.1.0
Features
Expanded support for processes injection analytics, to dramatically increase the accuracy of detecting malicious vs benign intent for applications.
This became especially important due to a small number (<0.02%) of machines in Cyber Crucible telemetry alerting on aggressive process injection behaviors of system processes.
Increased monitoring capability of unsigned system processes.
This was partially in response to attackers focusing heavily on involving those processes during lateral movement operations (on a system, and between systems).
Fixes
Changed a file modification behavior to decrease false positives by no longer triggering on certain benign actions, through additional kernel-level context to a process' file-access behaviors.
WHCP/WHQL Validation Status
Validated.
MD5 Hashes
service.exe = 0bab8404900c6a16ac3ad0293c45de5c
assistant.exe = 98f013fd4fdb7325f903d07c87b999ac
CCRRSecMon.sys (Windows10) = 452719399d9bb98dc6b14fb8787d8415
CCRRSecMon.sys (Windows8) = a974c7cc46db3759a2da34f37caaa72e
CCRRSecMon.sys (Windows7) = 6a0f2e55d6a7b66bd9bbe318d5dbbebf
4.4.1.1
Features
Improved analytical processing for parent-child relationships, when the parent process quickly dies before Cyber Crucible completes processing (milliseconds).
The extremely common scenario here is that attackers (and legitimate programs) will often open up multiple programs, sometimes in a muli-step “daisy-chain”. This may be on purpose, or due to Windows or other application behavior “under the hood”.
Cyber Crucible behavioral models leverage activity & state variables for all processes in a chain of executions to achieve maximum accuracy and context.
Fixes
Cyber Crucible had a loss in behavioral model decision making accuracy, due to the loss of telemetry when multiple programs each call each other, but one of the programs died in milliseconds.
In a chain where Program A executes Program B. Program B starts Program C, but Program B dies within milliseconds (usually a silent crash, but not always). Cyber Crucible behavioral analysis has Program A and Program C variables, but did not have time to completely analyze program B, since it expected it to be running.
This has been correcting, resulting in more accurate decision making by the Cyber Crucible hyper-automated decision making engine.
WHCP/WHQL Validation Status
Validated.
MD5 Hashes
service.exe = db76d0abc8f4bc4b2a093435bc314bde
assistant.exe = a5bac35d839d7a57fcccfceb011083c1
CCRRSecMon.sys (Windows10) = 935e43368fa95ae740a3f04defcc390d
CCRRSecMon.sys (Windows8) = ee555ad0f282f36dd11deada8d1ca9c7
CCRRSecMon.sys (Windows7) = a6a5073c6565361b443651ef29e49490
4.4.1.2
Features
Increased available specificity for whitelists, such as parent process path and arguments.
Expanded support for identity access analytics to more credential databases.
Identity access is now also monitored for Slack, Opera, Thunderbird, Discord, and Vivaldi.
Expanded whitelist support to include identity access.
Fixes
Reduced the bandwidth used between agents and the rest API.
Fixed some older Windows Server editions displaying canaries on in Explorer.
Fixed some identify access logs missing certificate trust indicators.
WHCP/WHQL Validation Status
Validated
MD5 Hashes
service.exe = e289ef44c5a1bca39d57861ff9d05bee
assistant.exe = d8e83309372b43ffc70feaf2bd538f36
CCRRSecMon.sys (Windows10) = db736330f5a690a2e828472a357ee6b6
CCRRSecMon.sys (Windows8) = b9d644930fc52495229dc7f96ffea299
CCRRSecMon.sys (Windows7) = 7b1ece332986dadfcc6463574fd16616
4.4.1.3
Features
Credential/Identity Monitoring now includes various VPN, cryptocurrency wallet, and other applications.
In a (this is common) chain of affected processes during an attack (attacker moves from running program A, to B, to C, and D is used for data theft), the “patient 0” program A is suspended, but patient D is reported as the process performing the theft behavior.
Memory state is preserved and reported throughout the process chains, for future forensic analysis.
In the event of an automated response in which a running process' memory was modified, that memory modification is configurably uploaded to Cyber Crucible for reverse engineering and further analysis.
In the event of a non-malicious memory modification bug in an application, behavioral exceptions (“whitelists”) now have the ability to flag certain memory corruption events as benign. This will not stop the program itself from crashing or losing data due to the bug, but Cyber Crucible will know to ignore the bug while searching for malicious injection of code into running processes (process injection/hollowing).
Fixes
Removed vulnerability where binaries could be deleted by a privileged process while CC binaries are updating.
Removed vulnerability where registry keys could be deleted or altered by a privileged process while CC binaries are updating.
Corrected memory state tracking when a process is patched in-memory during Cyber Crucible evaluation of the memory.
Corrected memory state tracking under certain conditions where memory is re-allocated between memory pages.
Minor CPU efficiency updates, that are likely too minor to register in Task Manager, since usage is normally <1%
WHCP/WHQL Validation Status
Validated
MD5 Hashes
service.exe = 90a6ca2f5b7a76b847052f3d420f0c9b
assistant.exe = b62ee623f74171f4a3f34ff129188174
CCRRSecMon.sys (Windows10) = dfdce4016f6920e844615b3d506ec2e2
CCRRSecMon.sys (Windows8) = 59bbd41c883ca0205fd3adbfdbb5dbb6
CCRRSecMon.sys (Windows7) = 88e6f047f7fa26e717a24f5fd7b33dc54.4.1.3.1
Gained visibility into some system processes that initialize before the Cyber Crucible driver loads.
MD5 Hashes:
service.exe: a03b91df83f86ffe322f7b16960f503c
assistant.exe: e22641924d3a1811b86a0f4357f74720
win7/CCRRSecMon.sys: b64b63c04f00afd1020a7a43fc0bb67d
win8/CCRRSecMon.sys: c50aacb4aac6ac9f1e95e4ffa749cb2a
win10/CCRRSecMon.sys: 77dd029b8e4b2cf5a2354787402ecc174.4.1.3.2
Added additional telemetry for the now-visible system processes due to 4.4.1.3.1.
MD5 Hashes:
service.exe: 47f408d6102eb06a94f2244cf139a0a5
assistant.exe: 86733da51ee703f93dcda9346231cca6
win7/CCRRSecMon.sys: b01e8933fa9ac9f0a049527b20d9f679
win8/CCRRSecMon.sys: 4467124cf7e8b5ab5652169f9eb41663
win10/CCRRSecMon.sys: 8f06de95303eeac038002ec27c2978114.4.1.3.3
Fixed some incident reports including data for the wrong process, when a process dies mid-calculation.
MD5 Hashes:
service.exe: f2a341ca4856ab3f8a15b7cf725cd0cc
assistant.exe: 5d5d2213e276bc066f4d42ab751c7317
win7/CCRRSecMon.sys: 13da73b66751d12f5f3e65cde0602266
win8/CCRRSecMon.sys: 08fe8cb3391c9215bc37a997ec59b0a2
win10/CCRRSecMon.sys: 4c8a1707839f0d28c386f17ce2dbc8ed4.4.1.3.4
Optimization of memory calculations, in preparation for 4.4.1.4.
MD5 Hashes:
service.exe = 4a5bd9822ea28c10f399afe437837a2a
assistant.exe = 7070e61862bc2ede3205c4bfdc6805d2
CCRRSecMon.sys (Windows10) = 4e9b790522fe61e9206140e15e37b7fe
CCRRSecMon.sys (Windows8) = 7b477503840f882028ff8bdbbfc72121
CCRRSecMon.sys (Windows7) = 65e95b4dd58cb1c9a5dab398155e2113
4.4.1.4
Features
Upgraded pattern matching capabilities in the behavioral model.
This is especially relevant for additional coverage of identity store locations, such as cryptocurrency wallet locations.
Increased software dependency functionality for (Cyber Crucible) libraries in use for upcoming fully automated identity access protection.
Opt-in capability to run the agent in safe mode
Fixes
Optimize memory usage in the service. This would only have been experienced on very busy servers with lots of behavioral analysis occurring (by Cyber Crucible) simultaneously.
MD5 Hashes
service.exe = 1cb8e19fc9ed2788189684f23693087a
assistant.exe = c60e851d9836955b078474270e04d0c1
CCRRSecMon.sys (Windows7) = 3b7656b24a0e2387389f0ce9db375379
CCRRSecMon.sys (Windows8) = 204689e666bb704621ebbd5d606a1274
CCRRSecMon.sys (Windows10) = f9839b8b2437a3a7b6a099d2598dc639
4.4.2.0
Features
Upgraded monitoring and prevention capabilities for automated identity access protection.
Optimize network usage through variable communication rates dependent on client behaviors.
Fixes
N/A
MD5 Hashes
service.exe = 408d8ae9e35ee65c8e208cfa76c67df6
assistant.exe = 8ba7fa2a201ae92f595e85e4cf52b804
CCRRSecMon.sys (Windows7) = 359ff6e23107798fd01a3afb33716f78
CCRRSecMon.sys (Windows8) = 2bd4267eeea697a137447d91a8b38e1c
CCRRSecMon.sys (Windows10) = fcf979529c13eba5f93bf6c6d0096d6f
4.4.2.1
Fixes
Optimized identity information tracking for applications with large number of deeply nested directories.
MD5 Hashes
service.exe = 9c6474e44959e8eba54876c46e13fb25
assistant.exe = 03d671ffa567ac8dc783ce905d624351
CCRRSecMon.sys (Windows7) = 5fbd3b4a9066299c9ce3d619dc6fca17
CCRRSecMon.sys (Windows8) = 0ee960548846da463d4c66381dea0841
CCRRSecMon.sys (Windows10) = bda977682effcd61e6d478da750c966b
4.4.2.2
Features
None
Fixes
Optimization of variable handling for one genre of behavior.
Cause: One unspecified security product produced a very large number of behaviors on a couple large servers, which cause excessive memory usage of Cyber Crucible.
Symptoms: Cyber Crucible’s memory usage jumps from a few MB to GB’s. The security product’s memory usage also jumped by 100 fold as well, to over 250GB. If you experience this, as that may be independent of Cyber Crucible, please open a support ticket so we may help you. We suspect this was an issue with the security product as well, independent of Cyber Crucible’s optimization.
Fix: This behavior variable tracking was migrated from an algorithm which expected low-volume population to a high-volume algorithm like in use elsewhere in the driver.
Who is affected? Only one customer was observed with this issue, and only on a small portion of their large servers. Regardless - this update is deployed to all customers.
MD5 Hashes
service.exe = bbfb0bf47d942d30438a260b497c04cd
assistant.exe = 280d746ed3edea9b7267955a94b97a8e
CCRRSecMon.sys (Windows7) = cded2aaa7dd0c2fe446694451bd17960
CCRRSecMon.sys (Windows8) = a06dce5e19627fe1f982cbde632fc313
CCRRSecMon.sys (Windows10) = 14e0c4e7f86405562701187fac93aea2
4.4.2.3
Features
None
Fixes
Fixed Acronis compatibility issues
MD5 Hashes
service.exe = 4747ae6372a0f3a410c145e64314123c
assistant.exe = f7c0ac0044a3b186d2f6db2a8a1989f0
CCRRSecMon.sys (Windows10) = f69661a61bb9364d6f25f5f4b410729c
CCRRSecMon.sys (Windows8) = 25b496529282e6c973b53a14a94a3480
CCRRSecMon.sys (Windows7) = ca9ee3cde474ea3b6b5b61b8bc26f170
4.4.2.4
Features
Credential protection support for Microsoft Teams and Signal Messenger
Fixes
Suppressed network related logs when in safe mode without networking
Backup some agent data on uninstall to the Windows temporary storage folder
MD5 Hashes
service.exe = 23735f3ca870b1d70017c433d5e24d17
assistant.exe = 57d8742b1bbc27b73dd134fb3ac6ebc2
CCRRSecMon.sys (Windows8) = 99262ee4a93e4751adb8b4b1ef2102ce
CCRRSecMon.sys (Windows10) = 0f2809c32a22af2eda0fe606c361d6d2
CCRRSecMon.sys (Windows7) = 0d73a497bebfad7b85441ae981ed4be1
4.4.2.5
Features
None
Fixes
Reduced network usage when sending large amounts of reports at once
Fix handling of some certificate data
MD5 Hashes
service.exe = a54087913a6ddd451853ffce64112e21
assistant.exe = 14859d6c32192a073c0518b0d3e957ee
CCRRSecMon.sys (Windows8) = 99262ee4a93e4751adb8b4b1ef2102ce
CCRRSecMon.sys (Windows10) = 0f2809c32a22af2eda0fe606c361d6d2
CCRRSecMon.sys (Windows7) = 0d73a497bebfad7b85441ae981ed4be1
4.4.2.6
Features
None
Fixes
Reduced memory usage in servers with many unique program certificates
MD5 Hashes
service.exe = c7afcb665f6849d39430df2271703cd6
assistant.exe = d6ed1b6f2d6d914e9bb08396a3d03a57
CCRRSecMon.sys (Windows8) = 1a399a22cecdca9b5ffefe69a211fc66
CCRRSecMon.sys (Windows7) = 57363998c02e1334f6fda931c6c194ba
CCRRSecMon.sys (Windows10) = d15ddd4035830b80a67e9057456560c2
4.4.2.7
Features
None
Fixes
Reduced memory usage during handling of programs that use undefined behavior in querying directories
MD5 Hashes
service.exe = 7bf08deada69a09e2c0362337554c124
assistant.exe = ced782e4c6793e4b8a2ec2d4580b90f8
CCRRSecMon.sys (Windows10) = 1eea1da529c0251a5438a0169ace53b7
CCRRSecMon.sys (Windows7) = f82d5fbe2b22b70158dbbfb57949e948
CCRRSecMon.sys (Windows8) = 9ff7406c41c583337357163a8dd8aeb2
4.4.2.8
Features
None
Fixes
Increased logging and telemetry for bad machine states
Stability increase for Identity protections at boot time
MD5 Hashes
service.exe = 5f33211e1c36f31439a9d5efb8e7b029
assistant.exe = ced782e4c6793e4b8a2ec2d4580b90f8
CCRRSecMon.sys (Windows10) = 49c474f127041672509d31f013653259
CCRRSecMon.sys (Windows7) = 411f80c24854874d81b80a7d7af03ac9
CCRRSecMon.sys (Windows8) = fac1a12c4d1bbebd1e7ed1c21bf9fc2f
4.4.3.0
Features
In addition to existing service protections, the kernel mode driver will restart the service if it terminates for any reason.
Fixes
None
MD5 Hashes
service.exe = 65c8d59a22f376a8918347166def50a3
assistant.exe = ced782e4c6793e4b8a2ec2d4580b90f8
CCRRSecMon.sys (Windows7) = 3a336be46b11c5875dda0e94340eb62a
CCRRSecMon.sys (Windows8) = 8ddef1c798f94931ef8131674ad9ebf6
CCRRSecMon.sys (Windows10) = 9fb3336a3c1990be3a1c4c3fdd8c53e2
4.4.3.2
Features
None
Fixes
Reduced CPU usage during process starts.
Reduced CPU usage in trust determinations during consecutive directory queries.
MD5 Hashes
service.exe = a1e5c45b87f914343c772c05e18b153e
CCRRSecMon.sys (Windows7) = c995f7efeb88ef42425cf54b0b210dc7
CCRRSecMon.sys (Windows8) = 3135a7787076286f3e8d82ca384582e9
CCRRSecMon.sys (Windows10) = 0f6be8ec8806d4acabb8d03904c1b148
4.4.3.1
Features
None
Fixes
Fixed some machines with unusual Windows installation characteristics having visible canaries in Explorer.
MD5 Hashes
service.exe = b2a62cc2285afe01a28f4859afc03511
CCRRSecMon.sys (Windows7) = 16b9d8946189feb7d620351a4d9c6a9f
CCRRSecMon.sys (Windows8) = 24f55af4414447ec46f450eeca35c92e
CCRRSecMon.sys (Windows10) = 2305ebd13864355ef384099dae1bee57
4.4.4.0
Features
Reports for incidents and telemetry are stored on disk for offline scenarios.
Due to tampering attempts observed against multiple EDR/XDR logging stores, Cyber Crucible enabled kernel-level protection against the disk-stored data before deploying this capability.
Increased protection of the service process used for backend communication and updates, as part of look-ahead zero-trust hardening.
This was not in response to an existing threat, but proactive for one the Team sees upcoming.
Fixes
Fixed processes that load at boot not being available in the dashboard under process creations.
Prevented two installers from running at the same time, which would use register the same machine twice.
MD5 Hashes
service.exe = 116dab615aab07d804667b13ecfe821a
CCRRSecMon.sys (Windows7) = db358b3d6e784d11827ff899722e3070
CCRRSecMon.sys (Windows8) = a95dd87d2ea9944e8643de787f11d71c
CCRRSecMon.sys (Windows10) = 6eb017a5cb3a9dd45bc065b466fb4789
4.4.4.4
Features
None
Fixes
Improved performance for parsing certificate data on system startup.
MD5 Hashes
service.exe = 69395e14240c91bc4df73168615927d9
CCRRSecMon.sys (Windows7) = 2dd89c52e5a2914289371d4c3fd80ef8
CCRRSecMon.sys (Windows8) = 41f25ea44e1f1a6ba11c7e7181554467
CCRRSecMon.sys (Windows10) = ecc7f1f0a1d63f801a3a84f7b52b850c
4.4.5.1
Features
Reduced bandwidth usage:
Use compression for larger telemetry data and larger server responses
Use HTTP/2 for compressed headers and greater socket efficiency
Increased insight into certificate operations.
Fixes
Encode certificate metadata in raw telemetry when non-RFC-compliant labels exist. Network security infrastructure was corrupting or deleting the payloads, causing the agent to re-transmit until success.
MD5 Hashes
service.exe = 686e91ca0f1bab7a0f3b09d2052d7e4c
CCRRSecMon.sys (Windows7) = 25c194ee5f3c4ef25ef86124303aec82
CCRRSecMon.sys (Windows8) = 6b4b8b6cc960a718464fd3ebb89b1fe8
CCRRSecMon.sys (Windows10) = 8c668fe57652530d77d323b8563d3f4e
4.4.5.2
Features
New kernel level access telemetry for network-based behaviors, to better identify possible client-side networking bugs, or opportunities to optimize
Outbound telemetry is now bundled and sent together, just like inbound settings
Transmitted with a 25% timing variance, so that every machine will not be sending packets simultaneously across a client network
HTTP/2 is now fully utilized end to end
Fixes
Reduced minimum threads in use in userspace
Reduced CPU usage for userspace service
Agent-Server authentication is now performed more efficiently
Replaced previous service sleep <> restart algorithm when licenses were not available.
Previous algorithm caused a "service exited unexpectedly" in event manager every 15 minutes.
Allowing the Operating System to tell the service to shut off (something abused by criminals and other security tools) would have allowed a “clean” service restart without event manager logs. Instead of creating that vulnerability, Cyber Crucible’s service restarted itself without Windows involvement, causing the event log.
MD5 Hashes
service.exe = b17a2a528a4424771fdeca8559b9f56b
CCRRSecMon.sys (Windows7) = c2b051b1001474419e7572fd23625d84
CCRRSecMon.sys (Windows8) = 335d355bbd492c390e67ac615c5252b0
CCRRSecMon.sys (Windows10) = 0d1fc32fba2cb878ce8cb0f549b8d167
4.4.5.3
Features
Added a second domain for server communication (see domain list here).
If there are communication issues with one domain the agent will automatically switch to the other.
Fixes
Changed some old legacy strings that referred to “Ransomware Rewind” to now refer to “Cyber Crucible”.
MD5 Hashes
service.exe = 8cf710b96d15ec9ff0b88bba12dcd142
CCRRSecMon.sys (Windows7) = c2b051b1001474419e7572fd23625d84
CCRRSecMon.sys (Windows8) = 335d355bbd492c390e67ac615c5252b0
CCRRSecMon.sys (Windows10) = 0d1fc32fba2cb878ce8cb0f549b8d167
4.4.5.9
Features
Increased hardening of portions of functionality previously conducted by the Windows cryptography libraries are done conducted by the Cyber Crucible kernel driver.
This is both general hardening, and an increase in telemetry indicating possible attacks against Windows cryptography libraries and APIs.
This is a milestone release from incremental releases found in 4.4.5.4 - 4.4.5.8, all aligned on the previous cryptography analysis hardening functionality.
Early telemetry indicates the failures in Windows certificate and cryptography libraries were legitimately responded to by Cyber Crucible.
It is unknown at this time what percentage of issues were due to exploitation vs a Windows core library bug. Please contact your Cyber Crucible representative to discuss further as necessary.
Fixes
Fixed some process reports incorrectly reporting the listed certificate as “not trusted”, due to Windows certificate library functionality loss.
MD5 Hashes
service.exe = 79650eea0a93b8f480b4247d57ddd03b
CCRRSecMon.sys (Windows7) = 06a647c897f9f385416482a4e899e204
CCRRSecMon.sys (Windows8) = 72c1b462e3e8e3fa4dcf6344ce3b0acd
CCRRSecMon.sys (Windows10) = 02b1c53268059ae38427fe43152d593c
4.4.5.8
Features
Increased hardening of portions of functionality previously conducted by the Windows cryptography libraries are done conducted by the Cyber Crucible kernel driver.
This is both general hardening, and an increase in telemetry indicating possible attacks against Windows cryptography libraries and APIs.
Fixes
Fixed some process reports incorrectly reporting the listed certificate as “not trusted”, due to Windows certificate library functionality loss.
MD5 Hashes
service.exe = d8187cf4468cba634470772fe8e7ba8b
CCRRSecMon.sys (Windows7) = b97b6bc79529be5ccd88807892e16153
CCRRSecMon.sys (Windows8) = 6a6b5801b5a4552a4be8477d74706198
CCRRSecMon.sys (Windows10) = 4f3e54c2a9d348b0279767bc03420c99
4.4.5.5
Features
Increased hardening of portions of functionality previously conducted by the Windows cryptography libraries are done conducted by the Cyber Crucible kernel driver.
This is both general hardening, and an increase in telemetry indicating possible attacks against Windows cryptography libraries and APIs.
Fixes
Fixed some process reports incorrectly reporting the listed certificate as “not trusted”, due to Windows certificate library functionality loss.
MD5 Hashes
service.exe = 90525bbf61ae57bd5e61f79198ae031f
CCRRSecMon.sys (Windows7) = c2b051b1001474419e7572fd23625d84
CCRRSecMon.sys (Windows8) = 335d355bbd492c390e67ac615c5252b0
CCRRSecMon.sys (Windows10) = 0d1fc32fba2cb878ce8cb0f549b8d167
4.4.5.6
Features
Increased hardening of portions of functionality previously conducted by the Windows cryptography libraries are done conducted by the Cyber Crucible kernel driver.
This is both general hardening, and an increase in telemetry indicating possible attacks against Windows cryptography libraries and APIs.
Fixes
Fixed some process reports incorrectly reporting the listed certificate as “not trusted”, due to Windows certificate library functionality loss.
MD5 Hashes
service.exe = 60c0b7b7d00dc14415334ddef590f593
CCRRSecMon.sys (Windows7) = c2b051b1001474419e7572fd23625d84
CCRRSecMon.sys (Windows8) = 335d355bbd492c390e67ac615c5252b0
CCRRSecMon.sys (Windows10) = 0d1fc32fba2cb878ce8cb0f549b8d167
4.4.5.7
Features
Increased hardening of portions of functionality previously conducted by the Windows cryptography libraries are done conducted by the Cyber Crucible kernel driver.
This is both general hardening, and an increase in telemetry indicating possible attacks against Windows cryptography libraries and APIs.
Fixes
Fixed some process reports incorrectly reporting the listed certificate as “not trusted”, due to Windows certificate library functionality loss.
MD5 Hashes
service.exe = c97ce96b69c0be846af70c2359671e22
CCRRSecMon.sys (Windows7) = 475915b1881add45c6af260f82bd43b9
CCRRSecMon.sys (Windows8) = dfc09e7504b4aa73ecfb15e62f8cde86
CCRRSecMon.sys (Windows10) = 5581c7c11aa52488a1858fa728cfaf46
4.4.5.4
Features
Increased hardening of portions of functionality previously conducted by the Windows cryptography libraries are done conducted by the Cyber Crucible kernel driver.
This is both general hardening, and an increase in telemetry indicating possible attacks against Windows cryptography libraries and APIs.
Fixes
Fixed some process reports incorrectly reporting the listed certificate as “not trusted”, due to Windows certificate library functionality loss.
MD5 Hashes
service.exe = fd2157d8dee1d07ec45406a1d323359c
CCRRSecMon.sys (Windows7) = c2b051b1001474419e7572fd23625d84
CCRRSecMon.sys (Windows8) = 335d355bbd492c390e67ac615c5252b0
CCRRSecMon.sys (Windows10) = 0d1fc32fba2cb878ce8cb0f549b8d167
4.4.6.0
Features
CPU performance enhancement for some applications which burst large numbers of automated & simultaneous directory traversals as part of their application behaviors.
Fixes
MD5 Hashes
service.exe = 3e443b55efdf1c1fd10a2b2931aa1bfd
CCRRSecMon.sys (Windows7) = eb992a496b88874e59d71f8ad83ba917
CCRRSecMon.sys (Windows8) = 2e9786c84a55911e1b94aec38b4a90ff
CCRRSecMon.sys (Windows10) = c68c4d4ba3f2e42953e6550b5e7c0b47
4.4.6.1
Features
Further migration from the “Ransomware Rewind” product name to “Cyber Crucible”.
Legacy service name
"Ransomware Rewind"will migrate to"CyberCrucibleAgent". Process name stays the same.Registry key in
HKLM\SOFTWAREwill migrate from legacyRansomwareRewindto currentCyberCrucibleAgent.
Fixes
Fixed some 32bit processes triggering as having “modified memory” when the process image is at the maximum allowable size of a 32 bit process.
MD5 Hashes
service.exe = 51ff73ab3caac8d269d1fad823de9f60
CCRRSecMon.sys (Windows7) = 6014b3fa07cec7e39753f7eaea4d1ea7
CCRRSecMon.sys (Windows8) = 26756d6394a70482952519c104730676
CCRRSecMon.sys (Windows10) = 8665c9f7b99b385acaecc11d42fda468
4.4.6.2
Features
Added optional “access type” flags exposed to end users for behavioral access specificity.
Fixes
None.
MD5 Hashes
service.exe = 07a709d672f38ea466de675b8c8f1b76
CCRRSecMon.sys (Windows7) = 4d9195aeda4ae5dafb6f27405b541d9a
CCRRSecMon.sys (Windows8) = 12deea5a512128e62aba173c2f786387
CCRRSecMon.sys (Windows10) = 39daf75dd7678ae2b83a5f79aeab3b68
4.4.6.3
Features
Added optional SOCKS5 proxy support to assist agent deployment.
Fixes
Fixed reinstallations from older agents using the incorrect installation ID.
Fixed existing installations from older installers having an unquoted service path.
MD5 Hashes
service.exe = 610b75a1a4fc7460138f545751cc7606
CCRRSecMon.sys (Windows7) = 4d9195aeda4ae5dafb6f27405b541d9a
CCRRSecMon.sys (Windows8) = 12deea5a512128e62aba173c2f786387
CCRRSecMon.sys (Windows10) = 39daf75dd7678ae2b83a5f79aeab3b68
4.4.6.4
Features
Parent process memory information is available for process reports when modifications were detected.
Enhancements
Changed some server communication frequencies to no longer require reboot for adjustment.
Fixes
None this release.
MD5 Hashes
service.exe = 608ab69e92f5592a3da66801edaafd0e
CCRRSecMon.sys (Windows7) = 090b0b8decd4634797de4acf3aef05ae
CCRRSecMon.sys (Windows8) = d993e733702bc810de9139965850e210
CCRRSecMon.sys (Windows10) = 65a48c062156b4723894783fa9115204
4.4.7.0
Features
Beginning rollout of JWE-based HTTPS communications.
Encryption keys are unique to every agent.
All payloads encrypted under the HTTPS. Disabled by default during the initial rollout.
Ability to optionally revert from JWE-encrypted HTTPS to unencrypted HTTPS if JWE formatted payloads are not transmitting successfully.
MD5 Hashes
service.exe = 581a528318644c55d9dc6d552fb295c0
CCRRSecMon.sys (Windows7) = 629e77591a672915021842a9f5271157
CCRRSecMon.sys (Windows8) = 3f499538502e0b7c4fe956eb7b4bd0ab
CCRRSecMon.sys (Windows10) = 0f7db98f84a6f67aac02dd4eb2dbd547
4.4.7.1
Features
More telemetry for process creations and incidents
User SID
User down-level logon name
Whether or not the process is elevated (Run As Administrator)
Incidents now report where iterative data access occurred
Fixes
Reduced memory usage during periods of server connectivity issues and heavy telemetry occurring at once
Reduced memory usage during incident reporting
MD5 Hashes
service.exe = 0df0b7d76abd0978734ac961cd4cddaf
CCRRSecMon.sys (Windows7) = dced5933e7b3e720a72160eb32cd83cb
CCRRSecMon.sys (Windows8) = e14aa1324a9a42958cd955b9fffd4f79
CCRRSecMon.sys (Windows10) = 9d2edcf2288e7563892dac6300517102
4.4.7.3
Features
DMZ Mode
Optional configuration to use a signed CA bundle for TLS communication with authentication and telemetry servers. These CA bundles are then protected from tampering or deletion by Cyber Crucible’s proprietary anti-tampering capabilities.
OCSP and CRL checks are disabled to reduce the list of domains to allow through a firewall.
Fixes
Reduced memory usage and CPU time spent on memory diff submission, especially after long offline periods.
MD5 Hashes
service.exe = 536adc06bd5ac3d4caca53dd5b780759
CCRRSecMon.sys (Windows7) = dc446d663e8c865b039de0eb585de1fb
CCRRSecMon.sys (Windows8) = ea96fdf4b097ac9afb646e6a766431aa
CCRRSecMon.sys (Windows10) = 434c9061390804e4e61f5299158aaa00
4.4.8.0
Features
Kernel-mode Authenticode telemetry
For increased speed and reliability, certificate data for process creations and incidents will be recorded by the driver alone.
This update does not remove dependencies on Windows cryptography libraries, but conducts cryptographic calculations in parallel. Eventually the dependency on Windows may be entirely removed.
Fixes
Reduced memory usage and CPU time spent on attempted event submission when offline, during which telemetry is securely stored until the machine regains connectivity to Cyber Crucible servers.
Some Nvidia driver installers believed they didn’t have privilege to install due to use of an internal Microsoft kernel function to attempt to access Cyber Crucible installed files.
Fixed incompatibility with JWE mode and DMZ mode
MD5 Hashes
service.exe = 5189fe49a1bfade50766fce2a1980eef
CCRRSecMon.sys (Windows7) = 342dd1bbe5f5dfcffe7752b74b34a9e8
CCRRSecMon.sys (Windows8) = a20c9cca59be651db7ae69f9f1f64cf2
CCRRSecMon.sys (Windows10) = a3cf6860d3f059a1ab38ee7b2d82b097
4.4.8.1
Features
Executable metadata such as product version, company name, etc. for in-memory processes are reported by the driver via kernel visibility. Normal functionality is to use user-space Windows API calls. This move to parsing in the kernel removing the (observed) opportunity for attackers to tamper with the process information.
Agent authentication information is replicated elsewhere in the system to restore in the event the registry is corrupted by a malicious driver.
Enhancements
Server connection errors are minimally logged by the agent, reducing log size on disk.
Fixes
N/A
MD5 Hashes
service.exe = 8c1f6999ccd176193e493686216f14c6
CCRRSecMon.sys (Windows7) = 3b032d0e43674509126c6cb1c9efd688
CCRRSecMon.sys (Windows8) = d3131131c83c2cf833ebc2157149c364
CCRRSecMon.sys (Windows10) = eac8a8b38a8743a13dd7130509de9907
4.4.8.2
Features
Added support for an optional system tray icon. This feature is disabled by default.
Fixes
Added workaround for issue requesting kernel Windows API hashing requests. Workaround may be removed at some point in the future if Windows issue is corrected, possibly at next kernel update.
MD5 Hashes
service.exe = 6e21b0a7c41b156f2001c93bbcd142de
CCRRSecMon.sys (Windows7) = 43cce21323465eac015fc7c90b88ac87
CCRRSecMon.sys (Windows8) = c7b2d8d130f8c3e768891ad0b20931a5
CCRRSecMon.sys (Windows10) = d95d162bc7f87f3eaef46d58eb543364
4.4.9.0
Features
Kernel-mode DLL telemetry
Certificate parsing and trust calculation for all loaded DLLs in the driver.
Fixes
None.
MD5 Hashes
service.exe = f4e017fab1f1117859bcfcd4733cc439
CCRRSecMon.sys (Windows7) = 976f8826ebd5bacb1803fcf6d274a6d0
CCRRSecMon.sys (Windows8) = 90f02751eca65f6286b3676ea8b2bb2c
CCRRSecMon.sys (Windows10) = af9c0469fb05a0104579d8fb1694719e
4.4.9.1
Features
None.
Fixes
Increased amount of telemetry handled at once by the service for creation and injection data.
Adjusted ordering of canaries for programs using unusual file iteration methods.
Adjusted ACL on some canaries to better fit in with real filesystems.
MD5 Hashes
service.exe = 5728b771c4b89d47942043fece634be9
CCRRSecMon.sys (Windows7) = fd1b9163edfcfa66370a0510286de6bf
CCRRSecMon.sys (Windows8) = c7bf417fdd2f2f0fdec9a9011913b672
CCRRSecMon.sys (Windows10) = 22066d3fcf90b3a0e672a41d8fe787d8
4.4.9.2
Features
Memory modification tracking for loaded DLLs.
Memory diff generation for modified DLLs.
Fixes
Handle some non-conforming DLLs from yielding incorrect authenticode hash results.
MD5 Hashes
service.exe = 7b76a84809347d1caa4f46217d7c02ad
CCRRSecMon.sys (Windows7) = 27cc77a22706f1f007f0c8f433910efd
CCRRSecMon.sys (Windows8) = d94978e73452be5869b194fe234fc125
CCRRSecMon.sys (Windows10) = c321cf4abafbd8f2b6d3ef1917904d57
4.4.9.4
Fixes
Service dump files are now limited to 10 per version+thread combination.
MD5 Hashes
service.exe = TBD
CCRRSecMon.sys (Windows7) = 27cc77a22706f1f007f0c8f433910efd
CCRRSecMon.sys (Windows8) = d94978e73452be5869b194fe234fc125
CCRRSecMon.sys (Windows10) = c321cf4abafbd8f2b6d3ef1917904d57
4.5.0.0
Features
AI Kernel Firewall
Authenticode hash calculation speedups
Significantly reduced memory usage for DLL telemetry
Increased visibility for memory modifications in DLLs
Fixes
Fix service recovery compatibility with 24H2
MD5 Hashes
service.exe = 2a01dc8267e6bbae3c42c0f0d873286f
CCRRSecMon.sys (Windows7) = 502b85e17a7103a35d5b6eb50ce0eea7
CCRRSecMon.sys (Windows8) = 65c315313330c83f602d19e031d99f67
CCRRSecMon.sys (Windows10) = d17ba3cde6c2051d85dea395891caff9
4.5.0.1
Features
Option to migrate to hosted OAuth authentication server domain
Task to dynamically configure REST and OAuth server URLs
Fixes
None.
MD5 Hashes
service.exe = 171e15eb5bf2a8c2d5f13ef6711d09d0
CCRRSecMon.sys (Windows7) = 502b85e17a7103a35d5b6eb50ce0eea7
CCRRSecMon.sys (Windows8) = 65c315313330c83f602d19e031d99f67
CCRRSecMon.sys (Windows10) = d17ba3cde6c2051d85dea395891caff9
4.5.0.2
Features
None.
Fixes
Reduced memory used for AI Kernel Firewall.
Quicker usage of new authentication endpoints.
Removed icanhazip.com calls, previously optional but no longer necessary.
MD5 Hashes
service.exe = 716d0a77b44e612342007d64cb1b54aa
CCRRSecMon.sys (Windows7) = 754908e2775c1e88e2ca693e8fc4f71b
CCRRSecMon.sys (Windows8) = 50c180de6862f4741fa6569736b61c97
CCRRSecMon.sys (Windows10) = b3a32b9d639f481aa14a36bfe2f37092
4.5.0.3
Features
Status tray indicator now displays self configuration status for new installations.
MD5 Hashes
service.exe = 517b27279ea728223d6dd32ecb90f2e5
CCRRSecMon.sys (Windows7) = 754908e2775c1e88e2ca693e8fc4f71b
CCRRSecMon.sys (Windows8) = 50c180de6862f4741fa6569736b61c97
CCRRSecMon.sys (Windows10) = b3a32b9d639f481aa14a36bfe2f37092
4.5.1.0
Features
OpenSSL is now used for TLS communication.
This should sidestep issues on older OS versions that are no longer being patched for newer TLS requirements.
Fixes
Improved parsing support for non compliant Authenticode signatures.
MD5 Hashes
service.exe = b19823fcc66eef583fa4dc3e2f16a6d6
CCRRSecMon.sys (Windows10) = 0f27455b5ca7c7e028e1a4ce6a7d7f68
CCRRSecMon.sys (Windows8) = 0ac88365a3585ae79928a337900ae16b
CCRRSecMon.sys (Windows7) = 041f03d5e37154f183deb5af7b89bc6b
4.5.1.2
Features
Dropped legacy certificate validating that relied on builtin, slow Windows libraries.
Added ability to keep logs on uninstall.
MD5 Hashes
service.exe = fe8a70286926dba3b6277a9cdf446c38
CCRRSecMon.sys (Windows10) = d4e458f3960a7b1c4b6d06ce4d062f1e
CCRRSecMon.sys (Windows8) = 1f090bc190b80c9c08b03a1017381e6c
CCRRSecMon.sys (Windows7) = 592020ee1f145357c3b77c681ebb3bac
4.5.2.1
Features
Broad release of reports for Fortress AI access
Fixes
Optimization of Cyber Crucible kernel operations not using Windows APIs to counteract increased latency in some Windows environments by approximately 20%.
MD5 Hashes
service.exe = 6ddad1f20f43e8ba799b562235363ceb
CCRRSecMon.sys (Windows10) = d9c81609fafd99957063b2b6574b4a3c
CCRRSecMon.sys (Windows8) = 429dd8f9e39fe8e3bad6b5592dea91f9
CCRRSecMon.sys (Windows7) = 1f6aa2cf085e710c01a0347d6f4489d2
4.5.2.2
Fixes
Optimization of Cyber Crucible kernel operations via avoidance of problematic windows event and data bus core OS capabilities.
MD5 Hashes
service.exe = a4bfeca13496d47c8b91121a5da2b3b8
CCRRSecMon.sys (Windows10) = 042d39305b91caff229605c3a043a24b
CCRRSecMon.sys (Windows8) = 429dd8f9e39fe8e3bad6b5592dea91f9
CCRRSecMon.sys (Windows7) = 1f6aa2cf085e710c01a0347d6f4489d2
4.5.3.0
Features
FortressAI
Added notifications when a policy violation is reported
Integration with Windows Notification Center
Added a GUI to view policy notification history
Added simulate mode
Cyber Crucible Core
Configurable asynchronous DLL analytics for machines with minimal hardware resources
Process creation analytics and telemetry
now uses disk persistence
removed Windows MiniFilter dependencies
Process injections analytics and telemetry
now uses disk persistence
removed Windows MiniFilter dependencies
Removed additional Windows kernel resource dependencies
Fixes
Optimization of telemetry reporting for even faster reporting
Removed deadlock due to exclusive vs shared kernel resource access for a specific kernel resource demanded by Microsoft Defender when Defender enables driver debug mode
MD5 Hashes
service.exe = 37ba9005bb7dc8a8e5b86670dd02f5dd
CCRRSecMon.sys (Windows10) = aabc6d7299e2c5da21784f12b8836647
CCRRSecMon.sys (Windows8) = 678bb0459a74030dcaab19646141fde7
CCRRSecMon.sys (Windows7) = 07d4c04a12da5979dd8f2d7347669887
4.5.3.1
Features
FortressAI
Detects attempts to bypass policy controls through the use of screenshots.
Cyber Crucible Core
Supports reinitializing an agent’s identity without requiring a full redeployment.
This fixes situations where a machine with Cyber Crucible installed is cloned, thus cloning the license and agent identifiers. Just like with IP addresses, MAC addresses, machine names, and other unique identifiers, Cyber Crucible identifies a cloned agent and alerts the CC administrators to the opportunity to generate new CC identifiers.
MD5 Hashes
service.exe = 5db5b2dfe65b9908c93d04a136123c98
CCRRSecMon.sys (Windows10) = e4a27842cc4352cffaea780116e5ae00
CCRRSecMon.sys (Windows8) = 060170a2cfff082c2092dc99a8330717
CCRRSecMon.sys (Windows7) = 63a39eb153298766a3ff7034eaafa5af
4.5.3.2
Features
FortressAI
None
Cyber Crucible Core
Kernel Buffer Operation Enhancement
The driver leverages buffers to temporarily store telemetry that is ultimately sent to the customer dashboard. This activity is distinct from behavioral model population or operations.
If a kernel buffer overloads, system CPU load increases.
This would only happen due to a large OS bug or an attack on the systems.
Automated customer notification of very high buffer usage available 1 JUN 2026.
Almost all of the kernel buffer operations for CC are with three primary buffers.
All three primary buffers' usage percentage is now transmitted to the CC infrastructure for metrics gathering and identification of buffer usage on a per-agent basis.
All three primary buffers are able to be adjusted in size remotely, and their status tracked by users.
Fixes
A recent update involving DotNet and MSVC Redistributable libraries overwhelmed Cyber Crucible buffers with sustained very high (500%+) process and DLL operations events, affecting some customers. Though buffer usage is back down to the normal 1-5% usage, including the impacted customers, all buffers were doubled in size to account for any future issues. This is in addition to the configuration capabilities listed above.
Sha-256 Hashes
service.exe = 2f46657af8809339d16546f1e6f2b58975bbf4d5c10fde3510363d628b129492
fai-alert.exe = 890ccca7e0ce14a0e2ff7f90bae75a7ef12ad6c8cd43ffb52093c8431e65770b
CCRRSecMon.sys = d0e941bc25d31e38cbebbe9ce3918f82d0b9c7b433efed318cb34e36a50acf94
CCRRSecMon.inf = db54d8077afdfef81286868f7bda1e8df17dbd812178ddac989127550a904a8c
ccrrsecmon.cat = a01c31db7231fed3852c9e559eb2c3f7496a016982207c102b88d8b36dcb0486