Extended Detection and Response
Endpoint Protection
WithSecure Agent for Mac
An update to WithSecure Elements Agent for macOS has been released to General Availability on 17th of March 2026.
This release brings
- Performance improvements in wsagent
- New response version with python 3.12
- Client side support for software inventory feature (available later in 2026)
Bug fixes
- "Allow" button in Browsing Protection is not clickable
Elements Agent for macOS supports following macOS versions:
- macOS 26 Tahoe
- macOS 15 Sequoia
- macOS 14 Sonoma
WithSecure Elements Mobile Protection for IOS
An update to the WithSecure Elements Mobile Protection app for iOS (26.3.12185) has been released.
Fixed issues:
- Critical bug fix for early logout during activation or after subscription is updated
- Stability improvements
- Shortcuts compatibility is supported: gives ability to enable / disable Mobile Protection while other application is on screen
WithSecure Endpoint Security Portal
Automatic labelling for unmanaged devices
The admins can now configure labelling rules for unmanaged devices, under Security configurations -> Profiles -> Profile assignment rules -> Unmanaged labelling rules
Once this is configured, any new unmanaged devices that satisfy the rules will have the labels assigned to it automatically.The admins can view the labels assigned in the Environment -> Devices -> Unmanaged devices view
The admins can also choose to immediately apply the labelling rules to all existing unmanaged devices, by choosing the option “Evaluate Labeling rules for all Unmanaged devices after saving“, when saving the rules
Endpoint Detection and Response
Wildcard support for Accepted Behavior suppression rules
To help you create more flexible and maintainable suppression rules, wildcards are available for Accepted Behavior suppression rule parameters. Wildcards allow you to match patterns instead of exact values, making it easier to suppress recurring or similar events without creating multiple rules.
What are wildcards?
Wildcards let you define suppression rules using partial matches rather than exact strings. This is especially useful when values vary slightly, such as file names, paths, or user names.
The following wildcard characters are supported:
- * – matches any sequence of characters (including empty) Example: *.exe matches file.exe, test.exe, .exe
- ? – matches any single character Example: file?.txt matches file1.txt, fileA.txt
To treat wildcard characters as literal values, use the backslash (\) as an escape character:
- \* – matches a literal asterisk Example: test\*.txt matches test*.txt
- \? – matches a literal question mark Example: test\?.txt matches test?.txt
Supported parameters
Wildcards are supported in suppression rules for Accepted Behavior when matching the following parameters:
- Process name
- Process path
- Process command line
- Username
- Parent process name
- Parent process path
How to use wildcards
You can create or edit wildcard-based suppression rules in two ways:
- From Events → Broad Context Detections, when closing a detection as Accepted behavior and choosing to create a suppression rule.
- From Security Configurations → Automated actions → Suppression rules, by editing an existing rule.
In both flows, select Wildcard for the chosen parameter in the Parameters step, then define the pattern using *, ?, or escaped characters as needed.
Using wildcards helps reduce rule duplication, keeps configurations cleaner, and makes suppression rules easier to maintain over time
Exposure Management
The latest release includes following updates in the external assets list (Network -> External assets):
DNS A Record History
External asset details now display only the latest DNS resolution result. Previously, the full DNS resolution history was shown.
External Asset Source
A new Source column has been added to the table, indicating how each external asset was discovered. List of assets can be filtered using Source. Possible values include:
- User import – Manually imported by a user via CSV.
- Internet – Manually added from the Internet Discovery page.
- DNS resolution – Automatically resolved via DNS from another asset.
- Subdomain discovery – Discovered through automated subdomain enumeration.
- Webscan – Automatically added based on Webscan activity.
External Asset Exposure Risk
A new Exposure Risk column has been introduced, showing the exposure risk of an external asset. Risk calculation is available only for assets with findings.
Exposure Management for Business
WithSecure Exposure Management Portal
Recent releases of the Exposure Management Portal have brought:
- Support for all ticket statuses when exporting tickets to a CSV file.
- A page size selector to the Discovery Scan details page.
- Resolved an issue where devices and findings were not removed from Exposure Management views after being removed from the Computers and Unmanaged Devices views.
- Resolved an issue where the VM Asset Risk Score was not recalculated when device importance or internet exposure was changed.
- Resolved an issue where assets did not appear in the summary report wizard when their importance value was not set.
- Overall performance improvements.
- Resolved an issue in the Summary Reports wizard that prevented clearing the Importance filter.
- Resolved an issue where a Summary Report could not be generated.
- Resolved an issue on the “Email notification and report” list page where language and email recipients were missing.
- Resolved an issue where vulnerability counters were not updated after changes to the software–vulnerability relationship.
- When computer or umnaged device is restored, related findings are also restored in Exposure Management views.
- Resolved an issue with updating SSH authentication method in System Scans.
- Resolved an issue with updating TCP Scan Technique in System Scans.
- Resolved an Issue where Summary Reports failed to generate, preventing successful report creation.
WithSecure Exposure Management System Scan
Support for detecting vulnerabilities in the following products was added to Authenticated Scanning for Windows:
- Canon IJ Scan Utility
- Dell Command | Intel vPro Out of Band
- Dell Connected Service Delivery SubAgent
- Dell NetWorker Management Console
- Devolutions Server (also in Remote Scan)
- Elastic Synthetics Recorder
- FinalCode Client
- GameLoop
- MobaXterm
- PowerShell Universal (also in Remote Scan)
- Visionline
Support for detecting vulnerabilities in the following products was added to Authenticated Scanning:
- Apache Avro Java SDK
- Apache Livy
- Apache PDFBox Examples
Exposure Management for Cloud
A new version of Exposure Management for Cloud has been released.
Highlights include:
- Improved Azure Subscriptions onboarding
- New automatic single scan execution and monthly schedule execution to all new accounts that passed validation
- New "on notification" scans
- Enhanced Row Level Security to customer accessible tables
- Improved scanner to get cloud provider findings
- Fixed bug where new customers would not have the resource scan scheduled
- Fixed issue with synchronization of data after connection is re-added by user
- Fixed cases of database connections not closed properly
- Fixed issue with repeated entries in the Finding timeline
Elements Foundations
Elements Security Center
Enhanced “My Reports”
We are excited to introduce new enhancements to My Reports for MSP environments, designed to improve report management, consistency, and flexibility across organizational hierarchies.
Following are the new features
Inheritable View Templates
SOP administrators can now mark “My report” view templates as inheritable.
This means that:
- The template becomes visible to all underlying companies in the hierarchy
- Companies can use these templates to create reports within their own scope
Updatable Reports
Administrators can now create updatable reports that are linked to a view template.
Key benefits:
- Reports automatically reflect any updates made to the associated template
- Ensures reports stay aligned with the latest structure and data requirements
- Reduces manual updates and maintenance
Important notes:
- This feature works only with organization-level or inherited view templates
- For inherited templates, it is now possible to include a partner logo in the generated PDF reports
Limitations
- Previously created reports cannot be converted into updatable reports
- Once a report is created as updatable, it cannot be reverted to a non-updatable report
Other items of interest
WithSecure Labs: The Changing Economics of Cybercrime-as-a-Service: What Defenders Need to Know
Back in 2023, when we last wrote about Cybercrime-as-a-Service, we described cybercrime as an economy that had figured out how to scale. Ransomware-as-a-Service affiliates, Initial Access Brokers, Crypter-as-a-Service providers, Malware-as-a-Service developers - each of them owning a role in the kill chain and each handoff between them monetized.
It looked like a trend back then. Now it looks like the baseline, the foundation on which everything else is getting built.
Read more
WithSecure Labs: Ivanti EPMM Exploitation: Hit-and-Run
During February 2026, there was a security incident related to the Ivanti EPMM solution, and WithSecure's STINGR Group analysed it.
You can read the full details of the analysis over on the WithSecure Labs blog
In case you missed it
We recently introduced Cloud Account Management (CLAM) to WithSecure Elements, to unify and improve the way Azure Subscriptions are onboarded for exposure scanning.
You can read more details about this functionality in a dedicated article.
Share your ideas with us
Our purpose is to co-secure the world with you – now as WithSecure™. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via the Ideas section of the WithSecure Community, now accessible directly from WithSecure™ Elements Security Center.
Further information
Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the Help Center