# Software Releases

# Endpoint Agent

# _General

<title id="bkmrk-cyber-crucible-knowl">Cyber Crucible Knowledge Base : Endpoint Agent</title> <link href="styles/site.css" id="bkmrk-" rel="stylesheet" type="text/css"></link> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type" id="bkmrk--1"></meta></head><body><div id="bkmrk-created-by-dennis-un"><div class="aui-page-panel" id="bkmrk-created-by-dennis-un-1"><div id="bkmrk--2"><div id="bkmrk--3"> </div> </div><div class="view" id="bkmrk-created-by-dennis-un-2"><div class="page-metadata"> Created by <span class="author"> Dennis Underwood</span>, last modified on Mar 07, 2023 </div><div class="wiki-content group" id="bkmrk-4.4.0.94.4.0.9.14.4.">- [4.4.0.9](4.4.0.9_17563649.html)
- [4.4.0.9.1](4.4.0.9.1_17694721.html)
- [4.4.1.0](4.4.1.0_19202051.html)
- [4.4.1.1](4.4.1.1_19955713.html)
- [4.4.1.2](4.4.1.2_23330827.html)
- [4.4.1.3](4.4.1.3_28180481.html)
- [4.4.1.4](4.4.1.4_40796161.html)
- [4.4.2.0](4.4.2.0_45285377.html)
- [4.4.2.1](4.4.2.1_45481987.html)
- [4.4.2.2](4.4.2.2_46891009.html)
- [4.4.2.3](4.4.2.3_52559873.html)
- [4.4.2.4](4.4.2.4_52559880.html)
- [4.4.2.5](4.4.2.5_52822017.html)
- [4.4.2.6](4.4.2.6_52920321.html)
- [4.4.2.7](4.4.2.7_52953092.html)
- [4.4.2.8](4.4.2.8_53411852.html)
- [4.4.3.0](4.4.3.0_56098817.html)
- [4.4.3.1](4.4.3.1_61079567.html)
- [4.4.3.2](4.4.3.2_59670553.html)
- [4.4.4.0](4.4.4.0_61505541.html)
- [4.4.4.4](4.4.4.4_69009411.html)
- [4.4.5.1](4.4.5.1_69402627.html)
- [4.4.5.2](4.4.5.2_75169795.html)
- [4.4.5.3](4.4.5.3_79298561.html)
- [4.4.5.4](4.4.5.4_84049930.html)
- [4.4.5.5](4.4.5.5_83886081.html)
- [4.4.5.6](4.4.5.6_83886090.html)
- [4.4.5.7](4.4.5.7_84049921.html)
- [4.4.5.8](4.4.5.8_83263490.html)
- [4.4.5.9](4.4.5.9_83165190.html)
- [4.4.6.0](4.4.6.0_88539139.html)
- [4.4.6.1](4.4.6.1_96993284.html)
- [4.4.6.2](4.4.6.2_103972865.html)
- [4.4.6.3](4.4.6.3_116850694.html)
- [4.4.6.4](4.4.6.4_165642241.html)
- [4.4.7.0](4.4.7.0_165773314.html)
- [4.4.7.1](4.4.7.1_188153857.html)
- [4.4.7.3](4.4.7.3_231047169.html)
- [4.4.8.0](4.4.8.0_274268163.html)
- [4.4.8.1](4.4.8.1_293208065.html)
- [4.4.8.2](4.4.8.2_311230467.html)
- [4.4.9.0](4.4.9.0_518422529.html)
- [4.4.9.1](4.4.9.1_518520833.html)
- [4.4.9.2](4.4.9.2_518586369.html)
- [4.4.9.4](4.4.9.4_556761089.html)
- [4.5.0.0](4.5.0.0_572424193.html)
- [4.5.0.1](4.5.0.1_582451201.html)
- [4.5.0.2](4.5.0.2_601260033.html)
- [4.5.0.3](4.5.0.3_626491393.html)
- [4.5.1.0](4.5.1.0_781418497.html)
- [4.5.1.2](4.5.1.2_863961089.html)
- [4.5.2.1](4.5.2.1_891813889.html)
- [4.5.2.2](4.5.2.2_905576449.html)
- [4.5.3.0](4.5.3.0_990838785.html)

 </div> </div> </div><div id="bkmrk-document-generated-b" role="contentinfo"> <section class="footer-body">Document generated by Confluence on May 18, 2026 19:42

<div id="bkmrk-atlassian">[Atlassian](http://www.atlassian.com/)</div> </section> </div> </div>

# 4.4.0.9

# Features

- For telementry-enabled groups, added Active Directory data to credential theft watch list

# Fixes

- Remove duplicate local volumes and network share entries in some environments.
- Refined behavior for some thumbnail database rebuilds causing incidents
- Fixed license validation bug which could increase startup time
- Refined behavior for file access to write-once media such as CD’s and WORM tape drives

# WHCP/WHQL Validation Status

Validated

# MD5 Hashes

```
service.exe   = c32c54381666cbd075fba2b1078b518b
assistant.exe = 2e4266bf1527f384665f57dc979c4c79
CCRRSecMon.sys (Windows10)       = 35472ab324221af5fb459badb937f899
CCRRSecMon.sys (Windows8)        = 04132be3deb9dff52166f2dd39488874
CCRRSecMon.sys (Windows7)        = fc7f480d417d0bf650bef3e5770f49c2
```

# 4.4.0.9.1

# Features

None - maintenance update.

# Fixes

- Fixed some network shares connected by a user being initially ignored in analytics.
- Refined false positive behavior associated with shares appearing during user sessions, followed quickly by a Save As dialog box.

# WHCP/WHQL Validation Status

Validated.

# MD5 Hashes

```
service.exe   = 52e03ed57dab0fac936364899140af59
assistant.exe = a90ad6f6544c2c3b2fb44bb57b70180b
CCRRSecMon.sys (Windows10)       = 6201b1a056d85c7576e4357e4ec9494e
CCRRSecMon.sys (Windows8)        = bd86ede6922503890f6d9b69871660e4
CCRRSecMon.sys (Windows7)        = ffcfbdda88faac6743b2de00c2cc4530
```

# 4.4.1.0

# Features

- Expanded support for processes injection analytics, to dramatically increase the accuracy of detecting malicious vs benign intent for applications.
    
    
    - This became especially important due to a small number (&lt;0.02%) of machines in Cyber Crucible telemetry alerting on aggressive process injection behaviors of system processes.
- Increased monitoring capability of unsigned system processes.
    
    
    - This was partially in response to attackers focusing heavily on involving those processes during lateral movement operations (on a system, and between systems).

# Fixes

- Changed a file modification behavior to decrease false positives by no longer triggering on certain benign actions, through additional kernel-level context to a process' file-access behaviors.

# WHCP/WHQL Validation Status

Validated.

# MD5 Hashes

```
service.exe   = 0bab8404900c6a16ac3ad0293c45de5c
assistant.exe = 98f013fd4fdb7325f903d07c87b999ac
CCRRSecMon.sys (Windows10)       = 452719399d9bb98dc6b14fb8787d8415
CCRRSecMon.sys (Windows8)        = a974c7cc46db3759a2da34f37caaa72e
CCRRSecMon.sys (Windows7)        = 6a0f2e55d6a7b66bd9bbe318d5dbbebf
```

# 4.4.1.1

# Features

- Improved analytical processing for parent-child relationships, when the parent process quickly dies before Cyber Crucible completes processing (milliseconds).
    
    
    - The extremely common scenario here is that attackers (and legitimate programs) will often open up multiple programs, sometimes in a muli-step “daisy-chain”. This may be on purpose, or due to Windows or other application behavior “under the hood”.
    - Cyber Crucible behavioral models leverage activity &amp; state variables for all processes in a chain of executions to achieve maximum accuracy and context.

# Fixes

- Cyber Crucible had a loss in behavioral model decision making accuracy, due to the loss of telemetry when multiple programs each call each other, but one of the programs died in milliseconds.
    
    
    - In a chain where Program A executes Program B. Program B starts Program C, but Program B dies within milliseconds (usually a silent crash, but not always). Cyber Crucible behavioral analysis has Program A and Program C variables, but did not have time to completely analyze program B, since it expected it to be running.
    - This has been correcting, resulting in more accurate decision making by the Cyber Crucible hyper-automated decision making engine.

# WHCP/WHQL Validation Status

Validated.

# MD5 Hashes

```
service.exe   = db76d0abc8f4bc4b2a093435bc314bde
assistant.exe = a5bac35d839d7a57fcccfceb011083c1
CCRRSecMon.sys (Windows10)       = 935e43368fa95ae740a3f04defcc390d
CCRRSecMon.sys (Windows8)        = ee555ad0f282f36dd11deada8d1ca9c7
CCRRSecMon.sys (Windows7)        = a6a5073c6565361b443651ef29e49490
```

# 4.4.1.2

# Features

- Increased available specificity for whitelists, such as parent process path and arguments.
- Expanded support for identity access analytics to more credential databases.
    
    
    - Identity access is now also monitored for Slack, Opera, Thunderbird, Discord, and Vivaldi.
- Expanded whitelist support to include identity access.

# Fixes

- Reduced the bandwidth used between agents and the rest API.
- Fixed some older Windows Server editions displaying canaries on in Explorer.
- Fixed some identify access logs missing certificate trust indicators.

# WHCP/WHQL Validation Status

Validated

# MD5 Hashes

```
service.exe   = e289ef44c5a1bca39d57861ff9d05bee
assistant.exe = d8e83309372b43ffc70feaf2bd538f36
CCRRSecMon.sys (Windows10)       = db736330f5a690a2e828472a357ee6b6
CCRRSecMon.sys (Windows8)        = b9d644930fc52495229dc7f96ffea299
CCRRSecMon.sys (Windows7)        = 7b1ece332986dadfcc6463574fd16616
```

# 4.4.1.3

# Features

- Credential/Identity Monitoring now includes various VPN, cryptocurrency wallet, and other applications.
- In a (this is common) chain of affected processes during an attack (attacker moves from running program A, to B, to C, and D is used for data theft), the “patient 0” program A is suspended, but patient D is reported as the process performing the theft behavior.
    
    
    - Memory state is preserved and reported throughout the process chains, for future forensic analysis.
- In the event of an automated response in which a running process' memory was modified, that memory modification is configurably uploaded to Cyber Crucible for reverse engineering and further analysis.
- In the event of a non-malicious memory modification bug in an application, behavioral exceptions (“whitelists”) now have the ability to flag certain memory corruption events as benign. This will not stop the program itself from crashing or losing data due to the bug, but Cyber Crucible will know to ignore the bug while searching for malicious injection of code into running processes (process injection/hollowing).

# Fixes

- Removed vulnerability where binaries could be deleted by a privileged process while CC binaries are updating.
- Removed vulnerability where registry keys could be deleted or altered by a privileged process while CC binaries are updating.
- Corrected memory state tracking when a process is patched in-memory during Cyber Crucible evaluation of the memory.
- Corrected memory state tracking under certain conditions where memory is re-allocated between memory pages.
- Minor CPU efficiency updates, that are likely too minor to register in Task Manager, since usage is normally &lt;1%

# WHCP/WHQL Validation Status

Validated

# MD5 Hashes

```
service.exe   = 90a6ca2f5b7a76b847052f3d420f0c9b
assistant.exe = b62ee623f74171f4a3f34ff129188174
CCRRSecMon.sys (Windows10)       = dfdce4016f6920e844615b3d506ec2e2
CCRRSecMon.sys (Windows8)        = 59bbd41c883ca0205fd3adbfdbb5dbb6
CCRRSecMon.sys (Windows7)        = 88e6f047f7fa26e717a24f5fd7b33dc5
```

# 4.4.1.3.1

Gained visibility into some system processes that initialize before the Cyber Crucible driver loads.

MD5 Hashes:

```
service.exe: a03b91df83f86ffe322f7b16960f503c
assistant.exe: e22641924d3a1811b86a0f4357f74720
win7/CCRRSecMon.sys: b64b63c04f00afd1020a7a43fc0bb67d
win8/CCRRSecMon.sys: c50aacb4aac6ac9f1e95e4ffa749cb2a
win10/CCRRSecMon.sys: 77dd029b8e4b2cf5a2354787402ecc17
```

# 4.4.1.3.2

Added additional telemetry for the now-visible system processes due to 4.4.1.3.1.

MD5 Hashes:

```
service.exe: 47f408d6102eb06a94f2244cf139a0a5
assistant.exe: 86733da51ee703f93dcda9346231cca6
win7/CCRRSecMon.sys: b01e8933fa9ac9f0a049527b20d9f679
win8/CCRRSecMon.sys: 4467124cf7e8b5ab5652169f9eb41663
win10/CCRRSecMon.sys: 8f06de95303eeac038002ec27c297811
```

# 4.4.1.3.3

Fixed some incident reports including data for the wrong process, when a process dies mid-calculation.

MD5 Hashes:

```
service.exe: f2a341ca4856ab3f8a15b7cf725cd0cc
assistant.exe: 5d5d2213e276bc066f4d42ab751c7317
win7/CCRRSecMon.sys: 13da73b66751d12f5f3e65cde0602266
win8/CCRRSecMon.sys: 08fe8cb3391c9215bc37a997ec59b0a2
win10/CCRRSecMon.sys: 4c8a1707839f0d28c386f17ce2dbc8ed
```

# 4.4.1.3.4

Optimization of memory calculations, in preparation for 4.4.1.4.

MD5 Hashes:

```
service.exe   = 4a5bd9822ea28c10f399afe437837a2a
assistant.exe = 7070e61862bc2ede3205c4bfdc6805d2
CCRRSecMon.sys (Windows10)       = 4e9b790522fe61e9206140e15e37b7fe
CCRRSecMon.sys (Windows8)        = 7b477503840f882028ff8bdbbfc72121
CCRRSecMon.sys (Windows7)        = 65e95b4dd58cb1c9a5dab398155e2113
```

# 4.4.1.4

# Features

- Upgraded pattern matching capabilities in the behavioral model.
    
    
    - This is especially relevant for additional coverage of identity store locations, such as cryptocurrency wallet locations.
- Increased software dependency functionality for (Cyber Crucible) libraries in use for upcoming fully automated identity access protection.
- Opt-in capability to run the agent in safe mode

# Fixes

- Optimize memory usage in the service. This would only have been experienced on very busy servers with lots of behavioral analysis occurring (by Cyber Crucible) simultaneously.

# MD5 Hashes

```
service.exe   = 1cb8e19fc9ed2788189684f23693087a
assistant.exe = c60e851d9836955b078474270e04d0c1
CCRRSecMon.sys (Windows7)        = 3b7656b24a0e2387389f0ce9db375379
CCRRSecMon.sys (Windows8)        = 204689e666bb704621ebbd5d606a1274
CCRRSecMon.sys (Windows10)       = f9839b8b2437a3a7b6a099d2598dc639
```

# 4.4.2.0

# Features

- Upgraded monitoring and prevention capabilities for automated identity access protection.
- Optimize network usage through variable communication rates dependent on client behaviors.

# Fixes

- N/A

# MD5 Hashes

```
service.exe   = 408d8ae9e35ee65c8e208cfa76c67df6
assistant.exe = 8ba7fa2a201ae92f595e85e4cf52b804
CCRRSecMon.sys (Windows7)        = 359ff6e23107798fd01a3afb33716f78
CCRRSecMon.sys (Windows8)        = 2bd4267eeea697a137447d91a8b38e1c
CCRRSecMon.sys (Windows10)       = fcf979529c13eba5f93bf6c6d0096d6f
```

# 4.4.2.1

# Fixes

- Optimized identity information tracking for applications with large number of deeply nested directories.

# MD5 Hashes

```
service.exe   = 9c6474e44959e8eba54876c46e13fb25
assistant.exe = 03d671ffa567ac8dc783ce905d624351
CCRRSecMon.sys (Windows7)        = 5fbd3b4a9066299c9ce3d619dc6fca17
CCRRSecMon.sys (Windows8)        = 0ee960548846da463d4c66381dea0841
CCRRSecMon.sys (Windows10)       = bda977682effcd61e6d478da750c966b
```

# 4.4.2.2

# Features

- None

# Fixes

- Optimization of variable handling for one genre of behavior.
    
    
    - Cause: One unspecified security product produced a very large number of behaviors on a couple large servers, which cause excessive memory usage of Cyber Crucible.
    - Symptoms: Cyber Crucible’s memory usage jumps from a few MB to GB’s. The security product’s memory usage also jumped by 100 fold as well, to over 250GB. If you experience this, as that may be independent of Cyber Crucible, please open a support ticket so we may help you. We suspect this was an issue with the security product as well, independent of Cyber Crucible’s optimization.
    - Fix: This behavior variable tracking was migrated from an algorithm which expected low-volume population to a high-volume algorithm like in use elsewhere in the driver.
    - Who is affected? Only one customer was observed with this issue, and only on a small portion of their large servers. Regardless - this update is deployed to all customers.

# MD5 Hashes

```
service.exe   = bbfb0bf47d942d30438a260b497c04cd
assistant.exe = 280d746ed3edea9b7267955a94b97a8e
CCRRSecMon.sys (Windows7)        = cded2aaa7dd0c2fe446694451bd17960
CCRRSecMon.sys (Windows8)        = a06dce5e19627fe1f982cbde632fc313
CCRRSecMon.sys (Windows10)       = 14e0c4e7f86405562701187fac93aea2
```

# 4.4.2.3

# Features

- None

# Fixes

- Fixed Acronis compatibility issues

# MD5 Hashes

```
service.exe   = 4747ae6372a0f3a410c145e64314123c
assistant.exe = f7c0ac0044a3b186d2f6db2a8a1989f0
CCRRSecMon.sys (Windows10)       = f69661a61bb9364d6f25f5f4b410729c
CCRRSecMon.sys (Windows8)        = 25b496529282e6c973b53a14a94a3480
CCRRSecMon.sys (Windows7)        = ca9ee3cde474ea3b6b5b61b8bc26f170
```

# 4.4.2.4

# Features

- Credential protection support for Microsoft Teams and Signal Messenger

# Fixes

- Suppressed network related logs when in safe mode without networking
- Backup some agent data on uninstall to the Windows temporary storage folder

# MD5 Hashes

```
service.exe   = 23735f3ca870b1d70017c433d5e24d17
assistant.exe = 57d8742b1bbc27b73dd134fb3ac6ebc2
CCRRSecMon.sys (Windows8)        = 99262ee4a93e4751adb8b4b1ef2102ce
CCRRSecMon.sys (Windows10)       = 0f2809c32a22af2eda0fe606c361d6d2
CCRRSecMon.sys (Windows7)        = 0d73a497bebfad7b85441ae981ed4be1
```

# 4.4.2.5

# Features

- None

# Fixes

- Reduced network usage when sending large amounts of reports at once
- Fix handling of some certificate data

# MD5 Hashes

```
service.exe   = a54087913a6ddd451853ffce64112e21
assistant.exe = 14859d6c32192a073c0518b0d3e957ee
CCRRSecMon.sys (Windows8)        = 99262ee4a93e4751adb8b4b1ef2102ce
CCRRSecMon.sys (Windows10)       = 0f2809c32a22af2eda0fe606c361d6d2
CCRRSecMon.sys (Windows7)        = 0d73a497bebfad7b85441ae981ed4be1
```

# 4.4.2.6

# Features

- None

# Fixes

- Reduced memory usage in servers with many unique program certificates

# MD5 Hashes

```
service.exe   = c7afcb665f6849d39430df2271703cd6
assistant.exe = d6ed1b6f2d6d914e9bb08396a3d03a57
CCRRSecMon.sys (Windows8)        = 1a399a22cecdca9b5ffefe69a211fc66
CCRRSecMon.sys (Windows7)        = 57363998c02e1334f6fda931c6c194ba
CCRRSecMon.sys (Windows10)       = d15ddd4035830b80a67e9057456560c2
```

# 4.4.2.7

# Features

- None

# Fixes

- Reduced memory usage during handling of programs that use undefined behavior in querying directories

# MD5 Hashes

```
service.exe   = 7bf08deada69a09e2c0362337554c124
assistant.exe = ced782e4c6793e4b8a2ec2d4580b90f8
CCRRSecMon.sys (Windows10)       = 1eea1da529c0251a5438a0169ace53b7
CCRRSecMon.sys (Windows7)        = f82d5fbe2b22b70158dbbfb57949e948
CCRRSecMon.sys (Windows8)        = 9ff7406c41c583337357163a8dd8aeb2
```

# 4.4.2.8

# Features

- None

# Fixes

- Increased logging and telemetry for bad machine states
- Stability increase for Identity protections at boot time

# MD5 Hashes

```
service.exe   = 5f33211e1c36f31439a9d5efb8e7b029
assistant.exe = ced782e4c6793e4b8a2ec2d4580b90f8
CCRRSecMon.sys (Windows10)	 = 49c474f127041672509d31f013653259
CCRRSecMon.sys (Windows7)	 = 411f80c24854874d81b80a7d7af03ac9
CCRRSecMon.sys (Windows8)	 = fac1a12c4d1bbebd1e7ed1c21bf9fc2f
```

# 4.4.3.0

# Features

- In addition to existing service protections, the kernel mode driver will restart the service if it terminates for any reason.

# Fixes

- None

# MD5 Hashes

```
service.exe   = 65c8d59a22f376a8918347166def50a3
assistant.exe = ced782e4c6793e4b8a2ec2d4580b90f8
CCRRSecMon.sys (Windows7)        = 3a336be46b11c5875dda0e94340eb62a
CCRRSecMon.sys (Windows8)        = 8ddef1c798f94931ef8131674ad9ebf6
CCRRSecMon.sys (Windows10)       = 9fb3336a3c1990be3a1c4c3fdd8c53e2
```

# 4.4.3.2

# Features

- None

# Fixes

- Reduced CPU usage during process starts.
- Reduced CPU usage in trust determinations during consecutive directory queries.

# MD5 Hashes

```
service.exe   = a1e5c45b87f914343c772c05e18b153e
CCRRSecMon.sys (Windows7)        = c995f7efeb88ef42425cf54b0b210dc7
CCRRSecMon.sys (Windows8)        = 3135a7787076286f3e8d82ca384582e9
CCRRSecMon.sys (Windows10)       = 0f6be8ec8806d4acabb8d03904c1b148
```

# 4.4.3.1

# Features

- None

# Fixes

- Fixed some machines with unusual Windows installation characteristics having visible canaries in Explorer.

# MD5 Hashes

```
service.exe   = b2a62cc2285afe01a28f4859afc03511
CCRRSecMon.sys (Windows7)        = 16b9d8946189feb7d620351a4d9c6a9f
CCRRSecMon.sys (Windows8)        = 24f55af4414447ec46f450eeca35c92e
CCRRSecMon.sys (Windows10)       = 2305ebd13864355ef384099dae1bee57
```

# 4.4.4.0

# Features

- Reports for incidents and telemetry are stored on disk for offline scenarios.
    
    
    - Due to tampering attempts observed against multiple EDR/XDR logging stores, Cyber Crucible enabled kernel-level protection against the disk-stored data before deploying this capability.
- Increased protection of the service process used for backend communication and updates, as part of look-ahead zero-trust hardening.
    
    
    - This was not in response to an existing threat, but proactive for one the Team sees upcoming.

# Fixes

- Fixed processes that load at boot not being available in the dashboard under process creations.
- Prevented two installers from running at the same time, which would use register the same machine twice.

# MD5 Hashes

```
service.exe                      = 116dab615aab07d804667b13ecfe821a
CCRRSecMon.sys (Windows7)        = db358b3d6e784d11827ff899722e3070
CCRRSecMon.sys (Windows8)        = a95dd87d2ea9944e8643de787f11d71c
CCRRSecMon.sys (Windows10)       = 6eb017a5cb3a9dd45bc065b466fb4789
```

# 4.4.4.4

# Features

- None

# Fixes

- Improved performance for parsing certificate data on system startup.

# MD5 Hashes

```
service.exe   = 69395e14240c91bc4df73168615927d9
CCRRSecMon.sys (Windows7)        = 2dd89c52e5a2914289371d4c3fd80ef8
CCRRSecMon.sys (Windows8)        = 41f25ea44e1f1a6ba11c7e7181554467
CCRRSecMon.sys (Windows10)       = ecc7f1f0a1d63f801a3a84f7b52b850c
```

# 4.4.5.1

# Features

- Reduced bandwidth usage:
    
    
    - Use compression for larger telemetry data and larger server responses
    - Use HTTP/2 for compressed headers and greater socket efficiency
- Increased insight into certificate operations.

# Fixes

- Encode certificate metadata in raw telemetry when non-RFC-compliant labels exist. Network security infrastructure was corrupting or deleting the payloads, causing the agent to re-transmit until success.

# MD5 Hashes

```
service.exe   = 686e91ca0f1bab7a0f3b09d2052d7e4c
CCRRSecMon.sys (Windows7)        = 25c194ee5f3c4ef25ef86124303aec82
CCRRSecMon.sys (Windows8)        = 6b4b8b6cc960a718464fd3ebb89b1fe8
CCRRSecMon.sys (Windows10)       = 8c668fe57652530d77d323b8563d3f4e
```

# 4.4.5.2

# Features

- New kernel level access telemetry for network-based behaviors, to better identify possible client-side networking bugs, or opportunities to optimize
- Outbound telemetry is now bundled and sent together, just like inbound settings
    
    
    - Transmitted with a 25% timing variance, so that every machine will not be sending packets simultaneously across a client network
- HTTP/2 is now fully utilized end to end

# Fixes

- Reduced minimum threads in use in userspace
- Reduced CPU usage for userspace service
- Agent-Server authentication is now performed more efficiently
- Replaced previous service sleep &lt;&gt; restart algorithm when licenses were not available.
    
    
    - Previous algorithm caused a "service exited unexpectedly" in event manager every 15 minutes.
    - Allowing the Operating System to tell the service to shut off (something abused by criminals and other security tools) would have allowed a “clean” service restart without event manager logs. Instead of creating that vulnerability, Cyber Crucible’s service restarted itself without Windows involvement, causing the event log.

# MD5 Hashes

```
service.exe  = b17a2a528a4424771fdeca8559b9f56b
CCRRSecMon.sys (Windows7)        = c2b051b1001474419e7572fd23625d84
CCRRSecMon.sys (Windows8)        = 335d355bbd492c390e67ac615c5252b0
CCRRSecMon.sys (Windows10)       = 0d1fc32fba2cb878ce8cb0f549b8d167
```

# 4.4.5.3

# Features

- Added a second domain for server communication ([see domain list here](https://knowledgebase.cybercrucible.com/books/which-domains-are-used-by-cyber-crucible)).
    
    
    - If there are communication issues with one domain the agent will automatically switch to the other.

# Fixes

- Changed some old legacy strings that referred to “Ransomware Rewind” to now refer to “Cyber Crucible”.

# MD5 Hashes

```
service.exe  = 8cf710b96d15ec9ff0b88bba12dcd142
CCRRSecMon.sys (Windows7)        = c2b051b1001474419e7572fd23625d84
CCRRSecMon.sys (Windows8)        = 335d355bbd492c390e67ac615c5252b0
CCRRSecMon.sys (Windows10)       = 0d1fc32fba2cb878ce8cb0f549b8d167
```

# 4.4.5.9

# Features

- Increased hardening of portions of functionality previously conducted by the Windows cryptography libraries are done conducted by the Cyber Crucible kernel driver.
    
    
    - This is both general hardening, and an increase in telemetry indicating possible attacks against Windows cryptography libraries and APIs.
- This is a milestone release from incremental releases found in 4.4.5.4 - 4.4.5.8, all aligned on the previous cryptography analysis hardening functionality.
    
    
    - Early telemetry indicates the failures in Windows certificate and cryptography libraries were legitimately responded to by Cyber Crucible.
    - It is unknown at this time what percentage of issues were due to exploitation vs a Windows core library bug. Please contact your Cyber Crucible representative to discuss further as necessary.

# Fixes

- Fixed some process reports incorrectly reporting the listed certificate as “not trusted”, due to Windows certificate library functionality loss.

# MD5 Hashes

```
service.exe  = 79650eea0a93b8f480b4247d57ddd03b
CCRRSecMon.sys (Windows7)        = 06a647c897f9f385416482a4e899e204
CCRRSecMon.sys (Windows8)        = 72c1b462e3e8e3fa4dcf6344ce3b0acd
CCRRSecMon.sys (Windows10)       = 02b1c53268059ae38427fe43152d593c
```

# 4.4.5.8

# Features

- Increased hardening of portions of functionality previously conducted by the Windows cryptography libraries are done conducted by the Cyber Crucible kernel driver.
    
    
    - This is both general hardening, and an increase in telemetry indicating possible attacks against Windows cryptography libraries and APIs.

# Fixes

- Fixed some process reports incorrectly reporting the listed certificate as “not trusted”, due to Windows certificate library functionality loss.

# MD5 Hashes

```
service.exe  = d8187cf4468cba634470772fe8e7ba8b
CCRRSecMon.sys (Windows7)        = b97b6bc79529be5ccd88807892e16153
CCRRSecMon.sys (Windows8)        = 6a6b5801b5a4552a4be8477d74706198
CCRRSecMon.sys (Windows10)       = 4f3e54c2a9d348b0279767bc03420c99
```

# 4.4.5.5

# Features

- Increased hardening of portions of functionality previously conducted by the Windows cryptography libraries are done conducted by the Cyber Crucible kernel driver.
    
    
    - This is both general hardening, and an increase in telemetry indicating possible attacks against Windows cryptography libraries and APIs.

# Fixes

- Fixed some process reports incorrectly reporting the listed certificate as “not trusted”, due to Windows certificate library functionality loss.

# MD5 Hashes

```
service.exe  = 90525bbf61ae57bd5e61f79198ae031f
CCRRSecMon.sys (Windows7)        = c2b051b1001474419e7572fd23625d84
CCRRSecMon.sys (Windows8)        = 335d355bbd492c390e67ac615c5252b0
CCRRSecMon.sys (Windows10)       = 0d1fc32fba2cb878ce8cb0f549b8d167
```

# 4.4.5.6

# Features

- Increased hardening of portions of functionality previously conducted by the Windows cryptography libraries are done conducted by the Cyber Crucible kernel driver.
    
    
    - This is both general hardening, and an increase in telemetry indicating possible attacks against Windows cryptography libraries and APIs.

# Fixes

- Fixed some process reports incorrectly reporting the listed certificate as “not trusted”, due to Windows certificate library functionality loss.

# MD5 Hashes

```
service.exe  = 60c0b7b7d00dc14415334ddef590f593
CCRRSecMon.sys (Windows7)        = c2b051b1001474419e7572fd23625d84
CCRRSecMon.sys (Windows8)        = 335d355bbd492c390e67ac615c5252b0
CCRRSecMon.sys (Windows10)       = 0d1fc32fba2cb878ce8cb0f549b8d167
```

# 4.4.5.7

# Features

- Increased hardening of portions of functionality previously conducted by the Windows cryptography libraries are done conducted by the Cyber Crucible kernel driver.
    
    
    - This is both general hardening, and an increase in telemetry indicating possible attacks against Windows cryptography libraries and APIs.

# Fixes

- Fixed some process reports incorrectly reporting the listed certificate as “not trusted”, due to Windows certificate library functionality loss.

# MD5 Hashes

```
service.exe  = c97ce96b69c0be846af70c2359671e22
CCRRSecMon.sys (Windows7)        = 475915b1881add45c6af260f82bd43b9
CCRRSecMon.sys (Windows8)        = dfc09e7504b4aa73ecfb15e62f8cde86
CCRRSecMon.sys (Windows10)       = 5581c7c11aa52488a1858fa728cfaf46
```

# 4.4.5.4

# Features

- Increased hardening of portions of functionality previously conducted by the Windows cryptography libraries are done conducted by the Cyber Crucible kernel driver.
    
    
    - This is both general hardening, and an increase in telemetry indicating possible attacks against Windows cryptography libraries and APIs.

# Fixes

- Fixed some process reports incorrectly reporting the listed certificate as “not trusted”, due to Windows certificate library functionality loss.

# MD5 Hashes

```
service.exe  = fd2157d8dee1d07ec45406a1d323359c
CCRRSecMon.sys (Windows7)        = c2b051b1001474419e7572fd23625d84
CCRRSecMon.sys (Windows8)        = 335d355bbd492c390e67ac615c5252b0
CCRRSecMon.sys (Windows10)       = 0d1fc32fba2cb878ce8cb0f549b8d167
```

# 4.4.6.0

# Features

- CPU performance enhancement for some applications which burst large numbers of automated &amp; simultaneous directory traversals as part of their application behaviors.

# Fixes

- 

# MD5 Hashes

```
service.exe  = 3e443b55efdf1c1fd10a2b2931aa1bfd
CCRRSecMon.sys (Windows7)        = eb992a496b88874e59d71f8ad83ba917
CCRRSecMon.sys (Windows8)        = 2e9786c84a55911e1b94aec38b4a90ff
CCRRSecMon.sys (Windows10)       = c68c4d4ba3f2e42953e6550b5e7c0b47
```

# 4.4.6.1

# Features

- Further migration from the “Ransomware Rewind” product name to “Cyber Crucible”.
    
    
    - Legacy service name `"Ransomware Rewind"` will migrate to `"CyberCrucibleAgent"`. Process name stays the same.
    - Registry key in `HKLM\SOFTWARE` will migrate from legacy `RansomwareRewind` to current `CyberCrucibleAgent.`

# Fixes

- Fixed some 32bit processes triggering as having “modified memory” when the process image is at the maximum allowable size of a 32 bit process.

# MD5 Hashes

```
service.exe  = 51ff73ab3caac8d269d1fad823de9f60
CCRRSecMon.sys (Windows7)        = 6014b3fa07cec7e39753f7eaea4d1ea7
CCRRSecMon.sys (Windows8)        = 26756d6394a70482952519c104730676
CCRRSecMon.sys (Windows10)       = 8665c9f7b99b385acaecc11d42fda468
```

# 4.4.6.2

# Features

- Added optional “access type” flags exposed to end users for behavioral access specificity.

# Fixes

- None.

# MD5 Hashes

```
service.exe  = 07a709d672f38ea466de675b8c8f1b76
CCRRSecMon.sys (Windows7)        = 4d9195aeda4ae5dafb6f27405b541d9a
CCRRSecMon.sys (Windows8)        = 12deea5a512128e62aba173c2f786387
CCRRSecMon.sys (Windows10)       = 39daf75dd7678ae2b83a5f79aeab3b68
```

# 4.4.6.3

# Features

- Added optional SOCKS5 proxy support to assist agent deployment.

# Fixes

- Fixed reinstallations from older agents using the incorrect installation ID.
- Fixed existing installations from older installers having an unquoted service path.

# MD5 Hashes

```
service.exe  = 610b75a1a4fc7460138f545751cc7606
CCRRSecMon.sys (Windows7)        = 4d9195aeda4ae5dafb6f27405b541d9a
CCRRSecMon.sys (Windows8)        = 12deea5a512128e62aba173c2f786387
CCRRSecMon.sys (Windows10)       = 39daf75dd7678ae2b83a5f79aeab3b68
```

# 4.4.6.4

# Features

- Parent process memory information is available for process reports when modifications were detected.

# Enhancements

- Changed some server communication frequencies to no longer require reboot for adjustment.

# Fixes

None this release.

# MD5 Hashes

```
service.exe  = 608ab69e92f5592a3da66801edaafd0e
CCRRSecMon.sys (Windows7)        = 090b0b8decd4634797de4acf3aef05ae
CCRRSecMon.sys (Windows8)        = d993e733702bc810de9139965850e210
CCRRSecMon.sys (Windows10)       = 65a48c062156b4723894783fa9115204
```

# 4.4.7.0

# Features

- Beginning rollout of JWE-based HTTPS communications.
    
    
    - Encryption keys are unique to every agent.
    - All payloads encrypted under the HTTPS. Disabled by default during the initial rollout.
    - Ability to optionally revert from JWE-encrypted HTTPS to unencrypted HTTPS if JWE formatted payloads are not transmitting successfully.

# MD5 Hashes

```
service.exe  = 581a528318644c55d9dc6d552fb295c0
CCRRSecMon.sys (Windows7)        = 629e77591a672915021842a9f5271157
CCRRSecMon.sys (Windows8)        = 3f499538502e0b7c4fe956eb7b4bd0ab
CCRRSecMon.sys (Windows10)       = 0f7db98f84a6f67aac02dd4eb2dbd547
```

# 4.4.7.1

# Features

- More telemetry for process creations and incidents
    
    
    - User SID
    - User down-level logon name
    - Whether or not the process is elevated (Run As Administrator)
- Incidents now report where iterative data access occurred

# Fixes

- Reduced memory usage during periods of server connectivity issues and heavy telemetry occurring at once
- Reduced memory usage during incident reporting

# MD5 Hashes

```
service.exe  = 0df0b7d76abd0978734ac961cd4cddaf
CCRRSecMon.sys (Windows7)        = dced5933e7b3e720a72160eb32cd83cb
CCRRSecMon.sys (Windows8)        = e14aa1324a9a42958cd955b9fffd4f79
CCRRSecMon.sys (Windows10)       = 9d2edcf2288e7563892dac6300517102
```

# 4.4.7.3

# Features

- DMZ Mode
    
    
    - Optional configuration to use a signed CA bundle for TLS communication with authentication and telemetry servers. These CA bundles are then protected from tampering or deletion by Cyber Crucible’s proprietary anti-tampering capabilities.
    - OCSP and CRL checks are disabled to reduce the list of domains to allow through a firewall.

# Fixes

- Reduced memory usage and CPU time spent on memory diff submission, especially after long offline periods.

# MD5 Hashes

```
service.exe  = 536adc06bd5ac3d4caca53dd5b780759
CCRRSecMon.sys (Windows7)        = dc446d663e8c865b039de0eb585de1fb
CCRRSecMon.sys (Windows8)        = ea96fdf4b097ac9afb646e6a766431aa
CCRRSecMon.sys (Windows10)       = 434c9061390804e4e61f5299158aaa00
```

# 4.4.8.0

# Features

- Kernel-mode Authenticode telemetry
    
    
    - For increased speed and reliability, certificate data for process creations and incidents will be recorded by the driver alone.
    - This update does not remove dependencies on Windows cryptography libraries, but conducts cryptographic calculations in parallel. Eventually the dependency on Windows may be entirely removed.

# Fixes

- Reduced memory usage and CPU time spent on attempted event submission when offline, during which telemetry is securely stored until the machine regains connectivity to Cyber Crucible servers.
- Some Nvidia driver installers believed they didn’t have privilege to install due to use of an internal Microsoft kernel function to attempt to access Cyber Crucible installed files.
- Fixed incompatibility with JWE mode and DMZ mode

# MD5 Hashes

```
service.exe  = 5189fe49a1bfade50766fce2a1980eef
CCRRSecMon.sys (Windows7)        = 342dd1bbe5f5dfcffe7752b74b34a9e8
CCRRSecMon.sys (Windows8)        = a20c9cca59be651db7ae69f9f1f64cf2
CCRRSecMon.sys (Windows10)       = a3cf6860d3f059a1ab38ee7b2d82b097
```

# 4.4.8.1

# Features

- Executable metadata such as product version, company name, etc. for in-memory processes are reported by the driver via kernel visibility. Normal functionality is to use user-space Windows API calls. This move to parsing in the kernel removing the (observed) opportunity for attackers to tamper with the process information.
- Agent authentication information is replicated elsewhere in the system to restore in the event the registry is corrupted by a malicious driver.

# Enhancements

- Server connection errors are minimally logged by the agent, reducing log size on disk.

# Fixes

- N/A

# MD5 Hashes

```
service.exe  = 8c1f6999ccd176193e493686216f14c6
CCRRSecMon.sys (Windows7)        = 3b032d0e43674509126c6cb1c9efd688
CCRRSecMon.sys (Windows8)        = d3131131c83c2cf833ebc2157149c364
CCRRSecMon.sys (Windows10)       = eac8a8b38a8743a13dd7130509de9907
```

# 4.4.8.2

# Features

- Added support for an optional system tray icon. This feature is disabled by default.

# Fixes

- Added workaround for issue requesting kernel Windows API hashing requests. Workaround may be removed at some point in the future if Windows issue is corrected, possibly at next kernel update.

# MD5 Hashes

```
service.exe  = 6e21b0a7c41b156f2001c93bbcd142de
CCRRSecMon.sys (Windows7)        = 43cce21323465eac015fc7c90b88ac87
CCRRSecMon.sys (Windows8)        = c7b2d8d130f8c3e768891ad0b20931a5
CCRRSecMon.sys (Windows10)       = d95d162bc7f87f3eaef46d58eb543364
```

# 4.4.9.0

# Features

- Kernel-mode DLL telemetry
    
    
    - Certificate parsing and trust calculation for all loaded DLLs in the driver.

# Fixes

- None.

# MD5 Hashes

```
service.exe  = f4e017fab1f1117859bcfcd4733cc439
CCRRSecMon.sys (Windows7)        = 976f8826ebd5bacb1803fcf6d274a6d0
CCRRSecMon.sys (Windows8)        = 90f02751eca65f6286b3676ea8b2bb2c
CCRRSecMon.sys (Windows10)       = af9c0469fb05a0104579d8fb1694719e
```

# 4.4.9.1

# Features

- None.

# Fixes

- Increased amount of telemetry handled at once by the service for creation and injection data.
- Adjusted ordering of canaries for programs using unusual file iteration methods.
- Adjusted ACL on some canaries to better fit in with real filesystems.

# MD5 Hashes

```
service.exe  = 5728b771c4b89d47942043fece634be9
CCRRSecMon.sys (Windows7)        = fd1b9163edfcfa66370a0510286de6bf
CCRRSecMon.sys (Windows8)        = c7bf417fdd2f2f0fdec9a9011913b672
CCRRSecMon.sys (Windows10)       = 22066d3fcf90b3a0e672a41d8fe787d8
```

# 4.4.9.2

# Features

- Memory modification tracking for loaded DLLs.
- Memory diff generation for modified DLLs.

# Fixes

- Handle some non-conforming DLLs from yielding incorrect authenticode hash results.

# MD5 Hashes

```
service.exe  = 7b76a84809347d1caa4f46217d7c02ad
CCRRSecMon.sys (Windows7)        = 27cc77a22706f1f007f0c8f433910efd
CCRRSecMon.sys (Windows8)        = d94978e73452be5869b194fe234fc125
CCRRSecMon.sys (Windows10)       = c321cf4abafbd8f2b6d3ef1917904d57
```

# 4.4.9.4

# Fixes

- Service dump files are now limited to 10 per version+thread combination.

# MD5 Hashes

```
service.exe  = TBD
CCRRSecMon.sys (Windows7)        = 27cc77a22706f1f007f0c8f433910efd
CCRRSecMon.sys (Windows8)        = d94978e73452be5869b194fe234fc125
CCRRSecMon.sys (Windows10)       = c321cf4abafbd8f2b6d3ef1917904d57
```

# 4.5.0.0

# Features

- AI Kernel Firewall
- Authenticode hash calculation speedups
- Significantly reduced memory usage for DLL telemetry
- Increased visibility for memory modifications in DLLs

# Fixes

- Fix service recovery compatibility with 24H2

# MD5 Hashes

```
service.exe  = 2a01dc8267e6bbae3c42c0f0d873286f
CCRRSecMon.sys (Windows7)        = 502b85e17a7103a35d5b6eb50ce0eea7
CCRRSecMon.sys (Windows8)        = 65c315313330c83f602d19e031d99f67
CCRRSecMon.sys (Windows10)       = d17ba3cde6c2051d85dea395891caff9
```

# 4.5.0.1

# Features

- Option to migrate to hosted OAuth authentication server domain
- Task to dynamically configure REST and OAuth server URLs

# Fixes

- None.

# MD5 Hashes

```
service.exe  = 171e15eb5bf2a8c2d5f13ef6711d09d0
CCRRSecMon.sys (Windows7)        = 502b85e17a7103a35d5b6eb50ce0eea7
CCRRSecMon.sys (Windows8)        = 65c315313330c83f602d19e031d99f67
CCRRSecMon.sys (Windows10)       = d17ba3cde6c2051d85dea395891caff9
```

# 4.5.0.2

# Features

- None.

# Fixes

- Reduced memory used for AI Kernel Firewall.
- Quicker usage of new authentication endpoints.
- Removed [icanhazip.com](http://icanhazip.com) calls, previously optional but no longer necessary.

# MD5 Hashes

```
service.exe  = 716d0a77b44e612342007d64cb1b54aa
CCRRSecMon.sys (Windows7)        = 754908e2775c1e88e2ca693e8fc4f71b
CCRRSecMon.sys (Windows8)        = 50c180de6862f4741fa6569736b61c97
CCRRSecMon.sys (Windows10)       = b3a32b9d639f481aa14a36bfe2f37092
```

# 4.5.0.3

# Features

- Status tray indicator now displays self configuration status for new installations.

# MD5 Hashes

```
service.exe  = 517b27279ea728223d6dd32ecb90f2e5
CCRRSecMon.sys (Windows7)        = 754908e2775c1e88e2ca693e8fc4f71b
CCRRSecMon.sys (Windows8)        = 50c180de6862f4741fa6569736b61c97
CCRRSecMon.sys (Windows10)       = b3a32b9d639f481aa14a36bfe2f37092
```

# 4.5.1.0

# Features

- OpenSSL is now used for TLS communication.
    
    
    - This should sidestep issues on older OS versions that are no longer being patched for newer TLS requirements.

# Fixes

- Improved parsing support for non compliant Authenticode signatures.

# MD5 Hashes

```
service.exe  = b19823fcc66eef583fa4dc3e2f16a6d6
CCRRSecMon.sys (Windows10)       = 0f27455b5ca7c7e028e1a4ce6a7d7f68
CCRRSecMon.sys (Windows8)        = 0ac88365a3585ae79928a337900ae16b
CCRRSecMon.sys (Windows7)        = 041f03d5e37154f183deb5af7b89bc6b
```

# 4.5.1.2

# Features

- Dropped legacy certificate validating that relied on builtin, slow Windows libraries.
- Added ability to keep logs on uninstall.

# MD5 Hashes

```
service.exe  = fe8a70286926dba3b6277a9cdf446c38
CCRRSecMon.sys (Windows10)       = d4e458f3960a7b1c4b6d06ce4d062f1e
CCRRSecMon.sys (Windows8)        = 1f090bc190b80c9c08b03a1017381e6c
CCRRSecMon.sys (Windows7)        = 592020ee1f145357c3b77c681ebb3bac
```

# 4.5.2.1

# Features

- Broad release of reports for Fortress AI access

# Fixes

- Optimization of Cyber Crucible kernel operations not using Windows APIs to counteract increased latency in some Windows environments by approximately 20%.

# MD5 Hashes

```
service.exe  = 6ddad1f20f43e8ba799b562235363ceb
CCRRSecMon.sys (Windows10)       = d9c81609fafd99957063b2b6574b4a3c
CCRRSecMon.sys (Windows8)        = 429dd8f9e39fe8e3bad6b5592dea91f9
CCRRSecMon.sys (Windows7)        = 1f6aa2cf085e710c01a0347d6f4489d2
```

# 4.5.2.2

# Fixes

- Optimization of Cyber Crucible kernel operations via avoidance of problematic windows event and data bus core OS capabilities.

# MD5 Hashes

```
service.exe  = a4bfeca13496d47c8b91121a5da2b3b8 
CCRRSecMon.sys (Windows10)       = 042d39305b91caff229605c3a043a24b 
CCRRSecMon.sys (Windows8)        = 429dd8f9e39fe8e3bad6b5592dea91f9
CCRRSecMon.sys (Windows7)        = 1f6aa2cf085e710c01a0347d6f4489d2
```

# 4.5.3.0

# Features

- FortressAI
    
    
    - Added notifications when a policy violation is reported
        
        
        - Integration with Windows Notification Center
    - Added a GUI to view policy notification history
    - Added simulate mode
- Cyber Crucible Core
    
    
    - Configurable asynchronous DLL analytics for machines with minimal hardware resources
    - Process creation analytics and telemetry
        
        
        - now uses disk persistence
        - removed Windows MiniFilter dependencies
    - Process injections analytics and telemetry
        
        
        - now uses disk persistence
        - removed Windows MiniFilter dependencies
    - Removed additional Windows kernel resource dependencies

# Fixes

- Optimization of telemetry reporting for even faster reporting
- Removed deadlock due to exclusive vs shared kernel resource access for a specific kernel resource demanded by Microsoft Defender when Defender enables driver debug mode

# MD5 Hashes

```
service.exe  = 37ba9005bb7dc8a8e5b86670dd02f5dd 
CCRRSecMon.sys (Windows10)       = aabc6d7299e2c5da21784f12b8836647 
CCRRSecMon.sys (Windows8)        = 678bb0459a74030dcaab19646141fde7
CCRRSecMon.sys (Windows7)        = 07d4c04a12da5979dd8f2d7347669887
```

# 4.5.3.1

# Features

- FortressAI
    
    
    - Detects attempts to bypass policy controls through the use of screenshots.
- Cyber Crucible Core
    
    
    - Supports reinitializing an agent’s identity without requiring a full redeployment.
        
        
        - This fixes situations where a machine with Cyber Crucible installed is cloned, thus cloning the license and agent identifiers. Just like with IP addresses, MAC addresses, machine names, and other unique identifiers, Cyber Crucible identifies a cloned agent and alerts the CC administrators to the opportunity to generate new CC identifiers.

# MD5 Hashes

```
service.exe  = 5db5b2dfe65b9908c93d04a136123c98
CCRRSecMon.sys (Windows10)       = e4a27842cc4352cffaea780116e5ae00
CCRRSecMon.sys (Windows8)        = 060170a2cfff082c2092dc99a8330717
CCRRSecMon.sys (Windows7)        = 63a39eb153298766a3ff7034eaafa5af
```

# 4.5.3.2

# Features

- FortressAI
    
    
    - None
- Cyber Crucible Core
    
    
    - Kernel Buffer Operation Enhancement
        
        
        - The driver leverages buffers to temporarily store telemetry that is ultimately sent to the customer dashboard. This activity is distinct from behavioral model population or operations.
        - If a kernel buffer overloads, system CPU load increases.
            
            
            - This would only happen due to a large OS bug or an attack on the systems.
            - Automated customer notification of very high buffer usage available 1 JUN 2026.
        - Almost all of the kernel buffer operations for CC are with three primary buffers.
        - All three primary buffers' usage percentage is now transmitted to the CC infrastructure for metrics gathering and identification of buffer usage on a per-agent basis.
        - All three primary buffers are able to be adjusted in size remotely, and their status tracked by users.

# Fixes

- A recent update involving DotNet and MSVC Redistributable libraries overwhelmed Cyber Crucible buffers with sustained very high (500%+) process and DLL operations events, affecting some customers. Though buffer usage is back down to the normal 1-5% usage, including the impacted customers, all buffers were doubled in size to account for any future issues. This is in addition to the configuration capabilities listed above.

# Sha-256 Hashes

```
service.exe  = 2f46657af8809339d16546f1e6f2b58975bbf4d5c10fde3510363d628b129492
fai-alert.exe  = 890ccca7e0ce14a0e2ff7f90bae75a7ef12ad6c8cd43ffb52093c8431e65770b
CCRRSecMon.sys   = d0e941bc25d31e38cbebbe9ce3918f82d0b9c7b433efed318cb34e36a50acf94
CCRRSecMon.inf   = db54d8077afdfef81286868f7bda1e8df17dbd812178ddac989127550a904a8c
ccrrsecmon.cat   = a01c31db7231fed3852c9e559eb2c3f7496a016982207c102b88d8b36dcb0486
```

# Middleware (REST Servers)

# _General

<title id="bkmrk-cyber-crucible-knowl">Cyber Crucible Knowledge Base : Middleware (REST Servers)</title> <link href="styles/site.css" id="bkmrk-" rel="stylesheet" type="text/css"></link> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type" id="bkmrk--1"></meta></head><body><div id="bkmrk-created-by-dennis-un"><div class="aui-page-panel" id="bkmrk-created-by-dennis-un-1"><div id="bkmrk--2"><div id="bkmrk--3"> </div> </div><div class="view" id="bkmrk-created-by-dennis-un-2"><div class="page-metadata"> Created by <span class="author"> Dennis Underwood</span> on Jan 02, 2023 </div><div class="wiki-content group" id="bkmrk--4"></div> </div> </div><div id="bkmrk-document-generated-b" role="contentinfo"> <section class="footer-body">Document generated by Confluence on May 18, 2026 19:42

<div id="bkmrk-atlassian">[Atlassian](http://www.atlassian.com/)</div> </section> </div> </div>

# Middleware 01.23

# Features

- Implemented controller for training licenses and added a training license expiration service.
- Updated each endpoint to account for the web application’s new training mode feature along with tests to each endpoint for training mode.
- Added an endpoint for resetting all of a parent group’s training data to its original state.
- Implemented endpoints for the new password aging policy setting for groups.
- Adding documentation for the Reactive Springboot endpoints.

# Middleware 04.23

# Features

- Partner Portal Updates:
    
    
    - Implemented endpoints for the new Register Deal process with Cyber Crucible approval of deals
    - Updated the PartnerDeal model to have a type associated with deals, each having a percentage discount associated with them
        
        
        - Also updated the PartnerDeal model for both Referral type deals to store the Dashboard User Account to associate with the licenses for the deal
    - Updated the PartnerDeal model to be able to separate Monthly vs Annual billing for payment of deals
        
        
        - Includes updating existing endpoints to account for Monthly vs Annual billing for Stripe
    - Implemented endpoints to be able to send quotes through Stripe for a deal
    - Implemented endpoint to resend the Stripe invoice for a deal
    - Implemented endpoint to edit multiple fields for a deal at the same time, associated with the edit deal modal in the Web Application
- Agent/License Management:
    
    
    - Implemented endpoint to bulk assign licenses to agents
    - Implemented endpoint to change the automatic re-licensing setting for a given agent
    - Implemented endpoint to release a license from an agent by passing the agentId in the request
- Implemented endpoints to retrieve and save the user setting to show the installer script config icon on the Groups grid
- Implemented endpoint to retrieve the Agent Installer Script Client Auth value for a group
- Updated our AV Scanner Service to search in the identity incident collection in addition to the process creation collection
- Various updates to our list of default data + identity whitelists for AVs.
- Implemented new change stream endpoint to listen for new Extortion Response insertions
- Implemented endpoint to copy whitelists to another group
- Implemented endpoint to download the Memory Diff File for an incident
- Implemented categorizing identity incident programs into applications
- Implemented saving column modes for each web page grid and saving chart visibility settings

# Middleware 08.23

# Features

- Partner Portal Updates:
    
    
    - Implemented endpoints to be able to create a POC for approved partner deals
    - Implemented endpoints for the Distributor Group Management page in the Web Application
    - Implemented endpoint to return the data for the Payment Management grid in the Web Application
    - Implemented the ability to change a partner deal’s owner
    - Implemented the ability to set a custom memo for partner deals that appear on the Stripe invoices and quotes
- Implemented endpoint to be able to resend user account invitations
- Added more application labeling options for Identity Access objects
- Updating the Group model for partner groups to have new boolean fields for the type of partner
- Updating the Group model to have a list of canary extension configs
- Various updates to our list of default data + identity + cert whitelists for AVs
- Enabling HTTP/2 support
- Upgrading our Spring Boot to the latest version along with various other dependencies
- Implemented notification alerts for Abnormal Identity Accesses
- Enabled server response compression for agents
- Implementing filtering for the Identity Access grid’s No Trusted Cert column in the Web Application for the “Disconnected Retrieving Cert Info” and “Timed Out Retrieving Cert Info” options
- Fixed issue in our partner deal expiration notification service to not send expired emails for completed deals

# Middleware 11.23

# Features

- Whitelist Updates
    
    
    - Implemented the ability to create an exception with the parent program path and arguments
    - Implemented the ability to create an exception to match extortion responses when there are only trusted certs, match only when there are no related injections, and match only when there is no modified memory
    - Implemented the ability to create an exception to match specific file access triggers
- Implemented group setting for automatically freeing licenses for inactive agents
    
    
    - Updated Group model to have setting for when to free licenses from inactive agents in the group. Options are 30/60/90 days, or have this setting turned off
    - Updated Agent model to have new inactive status
    - Implemented service to automatically free inactive agents' licenses according to their group setting
- Updated the endpoint for the retrieving extortion responses to include the parent program path and arguments
    
    
    - The parent program path and arguments are now also included in the unique extortion response counts for the Web Application, Security Notification alerts, and Executive Summaries
- Updated our Executive Summary Reports to separate out the Licenses slide to individual Desktop and Server Licenses slides
- Updated Security Email Notification model and the Security Notification service to include two new alert types
    
    
    - Behavioral Model Tuned
    - New Agent Version
        
        
        - When a group’s managed update settings are changed to have auto update turned off, a New Agent Version notification is automatically created for the group
- User Role/Permission Updates
    
    
    - Updated the Role model Incident Manager permissions to now only have view/edit for whitelists and silent response rules
    - Groups now have 3 default roles that are not user editable:
        
        
        - Admin
        - Read Only
        - Guest
    - Users added to a group by default are assigned the Guest Role
- Implemented endpoints for the Web Application Browser Utility Process Tuning Modal to easily manage how agents in groups should respond to chrome utility processes
- Updated the endpoint for the Agents page chart to be able to limit counts to agents that have called in over the past 30/60/90 days
- Updated the Security Notification Ransomware Activity email alert to include a link that will automatically redirect users to the Extortion Responses page with the a filter to show the responses the alert was for
- Implemented group setting for agents in a group to run in safe mode or not
- Implemented a powershell script option for installing agents
- Upgrading our Spring Boot to the latest version
- Various updates to our list of default data + identity + cert whitelists for AVs

# Middleware 04.24

# Features

- Implemented the group setting and related endpoints for the setup and management of proxy configurations to assist in agent deployment
- Updated our telemetry data endpoints to be able to view all telemetry data or only data directly related to an extortion response
- Implemented the group setting for automatically hiding agents in groups when a license is released from an agent, an agent is marked as inactive, or an agent completes an uninstall
- Updated the links to our dashboard in our notification emails to contain a URL Parameter used to automatically filter data on the related frontend grid to show what triggered the notification
- Updated the endpoint used for the frontend Agent Licenses chart to include counts for both Desktop and Server licenses
- Implemented endpoints for the new Customer Deployment Health frontend page
- Updated our process tuning to account for Microsoft Edge WebView

# Middleware 09.24

# Features

- Implemented the endpoints for the new Group DMZ Mode setting
- Updated the Deal Registration endpoints to be able to register multi-year deals with the ability to pay up front or pay yearly for multi-year deals
- Added the ability to view the root cause analysis for Identity Accesses
- Implemented Temporary Tailored Behaviors
- Updated the User model to save the setting for hiding or showing expired Agent Licenses by default on the Agent Licenses grid
- Updated the Security Notification model and related endpoints/services for the new offline agent alert options of Partially and Fully Offline agents
- Updates to the endpoints related to adding the new columns on the frontend on the Agents grid to show when the assigned license expires, and when the license was assigned to the agent
- Added setting to the Group Model for agents in the group to show the agent icon in the related agent machine’s system tray
- Updated the server side grid queries to be able to take in multi condition filters for the same key/column

# Middleware 05.25

# Features

- Updated the Sales Notification model with new types:
    
    
    - Distributor Partners can receive alerts when their reseller subgroups create a new Deal Registration
    - Partner Deal POC activity
- Updated the authentication process to allow for SSO integration with Microsoft Entra ID (Azure Active Directory)
- Updated the agent installer endpoint to allow for a new installer type for Native Cli
- Updated the endpoints for the Distributor Partner new updates
    
    
    - Added a new Partner in Motion model
    - Updated the Partner Deal Registration model to add the ability for distributors to approve their reseller subgroup’s deals
    - Added ability for Distributor Partners to edit the multi year discounts for their reseller subgroups
    - Added ability for distributors to send themselves quotes with their distributor pricing for a reseller subgroup’s deal
    - Added requirement for when a reseller subgroup registers a deal to require the Subgroup Reseller Agreement to be uploaded by their parent distributor on the Distributor Group Management page
- Updated the Role model with a new Partner Deal Manager for deal registration operations and updated each related endpoint to check for permission
- Added the endpoint for editing a group setting’s in bulk
- Upgraded our Spring Boot to the latest version
- Improved the queries used for generating executive reports to reduce the time it takes to generate the report
- Moved our telemetry collections in the database to use sharding
- Updated the agents query used for the dashboard grid to include if the agent is a server or not
- Updated the /updateGroupAutomaticallyHideAgentsReactive endpoint to retroactively apply the update to existing agents
- Major authentication updates to allow agents to call into our REST Servers with the new hosted OAuth authentication
- Added new endpoints for DLL telemetry submission by agents

# Middleware 12.25

# Features

- Added new endpoints for DLL Visualization on the dashboard for viewing related untrusted module loads for Extortion Responses, Process Creations, Process Injections, and Identity Accesses
- Updated the Extortion Response and Identity Access endpoints for the dashboard queries to return additional fields for DLL Visualization including modified module memory, modified module path, etc
- Updated the Agent model to have new fields for if the agent is fully configured and the date the agent was first fully configured
- Added new endpoints and controller for the AI Firewall Management page
- Updated the endpoint that returns the list of agents for the dashboard to include new fields for which rest server and OAuth server the agent is calling to, and the WAN IPv4 and IPv6 of the agent
- Added new endpoint for the Extortion Responses page that allows users to view all fields for an Extortion Response in this endpoint rather than using the existing endpoint that offers a condensed view of the fields and requires an additional api call to get more details.
    
    
    - Users on the dashboard can use the toggle on the Extortion Responses page to use the previous grid option and the new grid option that returns all fields in one grid
- Added a new option to Security Notifications to include a CSV file in the email alert for Ransomware and Identity Access Alerts containing information on why the alert was triggered.

# Web Application

# _General

<title id="bkmrk-cyber-crucible-knowl">Cyber Crucible Knowledge Base : Web Application</title> <link href="styles/site.css" id="bkmrk-" rel="stylesheet" type="text/css"></link> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type" id="bkmrk--1"></meta></head><body><div id="bkmrk-created-by-dennis-un"><div class="aui-page-panel" id="bkmrk-created-by-dennis-un-1"><div id="bkmrk--2"><div id="bkmrk--3"> </div> </div><div class="view" id="bkmrk-created-by-dennis-un-2"><div class="page-metadata"> Created by <span class="author"> Dennis Underwood</span> on Jan 02, 2023 </div><div class="wiki-content group" id="bkmrk--4"></div> </div> </div><div id="bkmrk-document-generated-b" role="contentinfo"> <section class="footer-body">Document generated by Confluence on May 18, 2026 19:42

<div id="bkmrk-atlassian">[Atlassian](http://www.atlassian.com/)</div> </section> </div> </div>

# Web Application 01.23

# Features

- Implemented a cross-link on the extortion responses child grid to view the related process creations and injections.
- Implemented user password aging policy for groups.
- Added training mode and the ability to reset a parent group’s training data to its original state on the settings page.
- Added the Training License page.
- Implemented Amazon Cognito Security.
- Added the Automation button above grids that reveal operations to perform after clicking the button.

# Web Application 04.23

# Features

- Partner Portal Updates:
    
    
    - Ability to schedule a demo on the Register Deal page
    - Implemented new Register Deal process with Cyber Crucible Approval of Deals
    - Added a Deal Prospect Type when registering deals
    - Added Monthly and Annual Billing Cycle for deals
    - Implemented sending quotes for Cyber Crucible approved deals through Stripe and signing quotes before completing a deal
    - Ability to re-send the Stripe invoice for a completed deal
    - Ability to edit a deal through a modal, similar to the register new deal modal, pre-filled with the deal’s current information
- Agent/License Management:
    
    
    - Ability to release licenses from the Agents page in bulk
    - Ability to assign licenses to agents in bulk on the Agents page
    - Ability on the Agents page to view and change the automatic re-licensing settings for agents when they call into our rest server without a license
        
        
        - Users can update agents individually and in bulk
- Implemented the ability on the Groups page to view a group’s Id and Client Auth values used in the Agent Installer Script
- Implemented the ability to copy whitelists to another group
- Upgraded to React 18
- Added the reset columns and auto-size all columns options to the context menu on grids when right clicking
- Added the download Memory Diff File option to the Extortion Responses grid for applicable responses
- Implemented state saving for chart visibility
- Added new Application columns to the Identity Access grid for the accessed, accessing, and parent programs.
- Implemented column mode toggling on each grid for the amount of columns to show. Modes include: Min, Medium, Max, and Custom
- Implemented searching/autocomplete ability in Dropdown Select elements with Material UI

# Web Application 08.23

# Features

- Partner Portal Updates:
    
    
    - Added the Demo Videos page to the Partner Portal
    - Added the ability to create a POC for approved partner deals
    - Added the Distributor Group Management page to the Partner Portal for Distributor partners to create and manage their subgroups
    - Added the Payment Management page to the Partner Portal
    - Added the ability to change a partner deal’s owner
    - Added a custom memo field for partner deals to show on the Stripe invoices and quotes
- Implemented a Remember Me functionality that allows users to stayed logged in
- Added a link to view the Stripe Customer Portal where users can manage their subscriptions and payment methods
- Added the ability on the Agent Licenses page to change the group of multiple selected licenses on the grid
- Upgraded AG Grid to version 29
- Updating dependencies to their latest versions
- Removed the Automation button above grids that revealed icons and instead placed the icons directly above the grid
- Removed the Columns button above grids that revealed the Grid Column State Options and instead placed the Grid Column State Options directly above the grid
- Added the ability to resend user account invitations on the Groups page
- Added the Canary Extension Mode column to the Groups page
- Added more application labeling to the Identity Access page
- Added icons and filtering on Identity Access grid to the No Trusted Cert column for “Disconnected Retrieving Cert Info” and “Timed Out Retrieving Cert Info”
- Fixed issue on mobile devices with rendering grids

# Web Application 11.23

# Features

- Added the ability to automatically free licenses for inactive agents.
    
    
    - This feature is a group setting and options are to automatically free licenses for inactive agents in the group after 30/60/90 days, as well as turning this setting off
- Whitelist Updates
    
    
    - Added the ability to create an exception with the parent program path and arguments
    - Added the ability to create an exception to match extortion responses when there are only trusted certs, match only when there are no related injections, and match only when there is no modified memory
    - Added the ability to create an exception to match specific file access triggers
- Added the parent program path and arguments to the extortion responses grid
- Added file hashes to the Extortion Response Details Modal
- Added new Security Notification alert types:
    
    
    - Behavioral Model Tuned
    - New Agent Version
- Updated the Ransomware Activity alert emails to include a link that will automatically redirect users to the Extortion Responses page with the a filter to show the responses the alert was for
- Added option to the Agents page chart to only include counts on the chart for agents that have called in over the past 30/60/90 days, and also the option to not limit the counts
- Added examples on the Rest Integration page of calling to the aws /token endpoint. Examples include calling the endpoint with bash, powershell, and command prompt
- Updated the permissions for the Incident Manager on the Roles page to only have view/edit for whitelists and silent response rules
- The deprecated Response Automation Manager was removed from the Roles page
- Added the Browser Utility Process Tuning Modal to the Whitelists, Silent Response Rules, and Extortion Responses pages
    
    
    - Includes the option to select how agents in groups should respond to chrome utility processes
- Added option to download the agent using a powershell script
- Added the group setting for agents in the group to run in safe mode
- Added the OS Name column to the agents grid
- Fixed issue on certain grids where column widths and order would reset on icon/button clicks on the page

# Web Application 04.24

# Features

- Added the ability to setup and manage proxy configurations to assist in agent deployment. View more about proxy configurations [here](https://cybercrucible.atlassian.net/l/cp/9u28P129)
- Fixed the issue where the horizontal scrollbar at the bottom of our data grids was not visible due to the grid extending beyond the visible screen height
- Added the ability on our Telemetry pages to toggle between viewing all telemetry data or only viewing data that was directly related to an extortion response
- Added the group setting for automatically hiding agents in the group when a license is released from an agent, an agent is marked as inactive, or an agent completes an uninstall
- Added the ability when clicking a link from one of our notification emails to automatically filter data on the related grid to show what triggered the notification
- Updated the Agent Licenses chart to show the counts for both Desktop and Server Licenses
- Upgraded AG Grid to version 31
- Upgraded Ag Charts to version 9
- Added more text filter options to our data grids
- Added the Customer Deployment Health page (found under the operations tab)

# Web Application 09.24

# Features

- Added to the Agent licenses page the ability to filter expired licenses from the grid and chart by default. This setting can be updated on the toggle above the agent licenses grid
- Implemented multi condition filters for a single column on the server side grids. The server side grids are the grids where all the rows are not loaded into the grid on the initial load due to the large amount of rows on these grids: Extortion Response, Process Creations, Process Injections, and Identity Accesses
- Added the multi-year option for Deal Registrations. Deals can be up to 3 years in length, and users have the option to pay up front or pay yearly for multi-year deals
- Implemented Temporary Tailored Behaviors. View more [here](https://cybercrucible.atlassian.net/wiki/spaces/CYB/pages/85688321/How+to+Manage+Tailored+Behaviors#How-to-Create-and-Edit-Temporary-Tailored-Behaviors)
- Added new column on the Identity Access grid for Root Cause Analysis
- Updating Security Notifications with two different options for offline agent alerts: Partially and Fully Offline agent alerts
- Added new columns to the agents grid for the license expiration date and date license assigned to agent
- Added the new Group setting for DMZ Mode for agents in the group to follow. DMZ Mode is for environments where online certificate checking is unavailable. Enabling DMZ Mode will embed CA roots locally on agents in the group and disable OSCP
- Added the new Group setting for agents in the group to have an agent icon shown on the related agent machine in the system tray, only agents on version 4.4.8.2 and higher have this capability
- Added a sidebar to our data grids to easily change column visibility and order

# Web Application 05.25

# Features

- Added SSO integration for our dashboard login with Microsoft Entra ID (Azure Active Directory)
    
    
    - Users must contact Cyber Crucible and complete a few steps found [here](https://cybercrucible.atlassian.net/wiki/x/AQB8Iw) to integrate Entra ID SSO for their organization with our dashboard login
- Distributor Partner Updates
    
    
    - Improvements to the process of distributors associating reseller subgroups and those reseller subgroups registering and completing deals. A more detailed explanation of the improved Distributor Group Management process can be found [here](https://cybercrucible.atlassian.net/wiki/x/TIDRB)
    - Added a new Sales Notification type for Distributor Partners to receive alerts when their reseller subgroups create a new Deal Registration
    - Added ability for Distributor Partners to edit the multi year discounts for their reseller subgroups. This can be found on the Distributor Group Management Page
    - Added the Distributor Approval column to the Deal Registration for Distributors to manage their reseller subgroup deals
    - Added the Partner in Motion page found under the Partners tab for distributors partners to register reseller subgroup partners that are in the works
- Added the Partner Deal Manager to roles for deal registration related operations
- Added new sales notification type for Partner Deal POC activity. This alert applies to the new POC group that is created when a partner creates a POC for a deal. Alerts for this type are sent for agent installs/uninstalls and when the POC licenses expire in the POC group
- Added the new Agent installer type “Native CLI”
- Added the Edit Group Modal on the Group Management page that allows you to edit the group settings in bulk
- Upgraded AG Grid to version 32
- Adding password visibility toggle/button for login

# Web Application 12.25

# Features

- Added the new AI Firewall Management page found in the Operations tab
- DLL Visualization
    
    
    - Added ability to view related module loads for Extortion Responses, Process Creations, Process Injections, and Identity Accesses
    - A new column was added to these pages that shows if related untrusted module loads were found. When an untrusted module load is found, the cell in this column will show an icon where clicking it will take users to a new page to view all the related untrusted module loads
- Added new columns to Extortion Responses and Identity Access grids:
    
    
    - Modified Module Memory
    - Modified Module Path
    - Modified Module Original Memory Hash
    - Modified Module Current Memory Hash
    - Modified Module Identifier
    - Process Execution GUID
    - Pid
    - Pid Reuse Number
- Added to the Extortion Responses grid the “Data Access Attempted” column, which shows the path on the machine where the data access was attempted at
- Updated the Extortion Responses page to now have 2 different grid options. The previous grid option for a more condensed view of the extortion responses with the parent and child grid still exists, a new option for removing the parent/child grid and showing all the data and columns on a single grid now exists
- Added columns to the Agents grid showing if the agent is fully configured and the date the agent was first fully configured
- Added additional columns to the Agents grid for which OAuth Server and REST Server the agent is calling too, and the WAN IPv4 and IPv6 of the agent
- Added Co-branded Collateral to the Partners tab that allows partners to download a .zip file containing all the co-branded collateral material
- Upgraded AG Grid to version 34
- Added the number of days until a license expires to the Agent Licenses page and Agents page. This can be found as an icon in the Renews column on the Agent Licenses page, and the License Expiration Date column on the Agents page
- Added a new option to Security Notifications to include a CSV file in the email alert for Ransomware and Identity Access Alerts containing information on why the alert was triggered. This option was added so users can view why an alert happened right in the email without having to login to the dashboard