Product Troubleshooting WithSecure Elements Announcements

What's New in Elements: June/July 2022

It has been quiet here due to well-earned vacations, but we have not stopped working behind the scenes to provide you with continued security. Here's a high-level summary of Elements news since the last update.

Updated on 24 August 2022 to add information about upcoming domain changes for Elements.

Elements Security Center

Reporting streamlined – Broad Context Detections are now reported in Security Events

Security Events has started reporting EDR BCDs that are severe, high or medium risk incidents.

They are also available via Elements Connector 22.18/22.19 release or through the API ().

Elements Endpoint Protection

Elements Endpoint Agent 22.4

A new version of the endpoint clients is now available.This release is for all variants of Elements Endpoint Protection, and updates them to version 22.4 (internal version 4.35.1073). The endpoints get automatically upgraded, without a reboot.

This release introduced new features and fixes. Several of the new features rely on portal changes, and naturally we have updated that to match. We do recommend that customers enable the Early access program on some of your computers to try new versions out before general release.

Features:

Added monthly counters: how many files were scanned last month, how many issues were detected and so on (in the Device details).

Added an option, in the profile, to show overlay icon on all folder and files protected by DataGuard (Profile > DataGuard).

Scan reports and device listing in portal have more info about last performed scan.

Added a possibility to define maximum temp file size for unpacking archives during scanning (Profile > General settings).

All alerts which are sent to portal are also saved to the Windows Application Event log.

Improved proxy detection - it always uses default system proxy as well when automatic proxy discovery is enabled.
Remote and local restart requests are visible in recent events UI.
WMI automatically removes special characters from product name (for instance, trademark).
Automated tasks had several improvements: Added ability to scan a folder.

Added possibility to define a timeout for power management tasks (reboot in 10 minutes, for instance).

Added a new @away trigger to execute a task when user is away from the device for defined amount of time.

Local view of automated tasks in the Agent UI. Note, the broken path is greyed out, as we recognize it is an invalid.

Elements Endpoint Protection portal

The latest release of the Elements Endpoint Protection portal introduces changes to support the latest client features, many smaller fixes, and a new way that we present information in the Dashboard.

Introducing a toggle to enable new Dashboard and Devices views

We are introducing a new dashboard view along with making the new devices view more easily available. These views won't be made as defaults yet, but you can find a toggle from the Dashboard that allows you to switch back and forth between the versions.

Things to note regarding new views: The Dashboard will now look the same on both partner and company levels

Dashboard will list following:

Devices that have a reboot pending
Devices that have malware protection disabled, malfunction or expired
Devices that have dangerous exclusions in profiles / local settings
Devices that have outdated malware definitions
Devices that have outdated scan results for software updates
Devices that are missing critical or important software updates
Devices that have firewall disabled (profile or GPO)
Devices that have low disk space (less than 5GB)
Devices that have severe or high EDR incidents
- Elements Connectors that have certificates which are expiring soonDevice view allows customized set of columns to be shown
- Device view allows custom views to be saved
- Device view allows more flexible filtering capabilities

Elements Endpoint Protection Audit Log

A new feature is activated in the Audit Log view. Next to the event timestamp you are able to filter by which administrator initiated the action.

Other Improvements:

If company has Active Directory data then default profiles tab always shows the Active Directory section.
Current version and target version for Microsoft products on device updates screen is shown as N/A.

F-Secure CP&RDR upgrade to WithSecure™ Element Agent 22.3.45064 has started for Mac clients participating in Early Access

New features and noticeable changes:

Product is now rebranded as WithSecure™ Elements Agent
New GUI:
redesigned menubar agent now contains up to date protection status
there is no longer a separate app with product status
local product settings are now available in menubar, System Preferences pane is no longer installed with the product
WithSecure™ Elements Agent no longer requires Rosetta2 on Apple Silicon Macs
Single installer is now working with different Elements production environments based on the activation key

Business Suite Client/Server to Elements migration installers updated (bs2cp)

We have updated the .jar files which are needed to migrate from Business Suite to Elements. The Package details have also been updated to reflect our new corporate naming and version.

In some cases the migration installation could fail with the old installers. The faulty versions have been replaced. They can be found under the Migrating computers section of the WithSecure™ Elements Endpoint Protection online user guide.

Please download the latest jar (select the correct one for your Elements environment) and exchange them in your personal storages and / or what you already imported into the Policy Manager, before beginning or continuing your migration projects.

Elements Endpoint Detection and Response

Customized device isolation notification message

A message is shown in endpoint when device is isolated manually or automatically.This setting is under Firewall -> Firewall rules for WithSecure profile: Network isolation -> A customized message about an isolated computer.

New response action is introduced to "Retrieve event log entries" from Windows devices

This Action can be used to retrieve e.g. only specified Windows event log id, or specified log name or log entries within given time range.
More details can be found from admin guide:

New version of response action ”Kill process” has been introduced

This response gives option to combine retrieving process memory dump with given flags and killing the process for more efficient response workflow.

Software reputation listing now includes breakdown of components under each software application

From each component version, hash and reputation information is shown.
Problem where component details could not be accessed when software name is undefined has been fixed.

Broad Context Detection list view supports opening of incidents in new tab.

Option is available with mouse right click on top of Broad Context Detection ID field in the table.

Elements Collaboration Protection

We have made multiple releases of Elements Collaboration Protection, and the following summarizes all the releases

New features and improvements

Improvements to the user interface and product functionality
Updated the notification logic to exclude repetition, for example, for deleted malicious email messages.
Protection for OneDrive is available to all our WithSecure Elements Collaboration Protection (ECP) customers with no additional cost. OneDrive Protection detects and blocks known and unknown ransomware and malware from your Microsoft OneDrive, enabling your workforce to collaborate and share files via OneDrive and Teams chats, securely. For more information on how to set up the OneDrive protection, see the WithSecure Elements Collaboration Protection Administrator guide.

You can find more information on this feature at the dedicated community article.

Elements Vulnerability Management

The team has made several releases for Elements Vulnerability management, and these bring the following:

New features and improvements:

Added pagination and additional filtering on the Device discovery page. From now on, admin can discover and review more than 500 devices without changing filter options.
Status indicator of the Reports page has been extended with guidance and reference ID whenever the report generation task cannot be completed.
Introducing VM Asset Risk Score. It is a step towards risk-based vulnerability management - an approach that reduces vulnerabilities across your attack surface by prioritizing remediation effort based on the risks they pose to your organization. Along with Asset Risk Score, the solution includes the ability to specify asset importance, a new attribute which plays a significant role in the risk evaluation. Within this release, the asset risk score and asset importance are exposed to the Asset list and Asset details page, and the visibility will be extended to dashboards and reporting in the future.

You can click the “i” next to Asset Risk, for more information in the portal.

The new cross-check functionality allows users to specify if the system should make additional verification to avoid creating duplicates of the same scanned hosts within a single Scan group. Duplicates can be caused by Asset Update Source Automation in some specific use cases, typically with the combination of human-made changes in the portal. The expected result, after enabling this feature, is a cleaner Scan group (no two or more same scans) and less hassle mainly with the different scan target names.

Added the ability to search devices by using case-insensitive requests in a Search query on the Device discovery page.

Added an ability to exclude certain vulnerabilities from the risk score evaluation by changing its status to "Accept the risk", for example.
Up to this point, vulnerability instances that affected assets that were already archived were taken into account in the scores on the Vulnerability list and in the vulnerability details view. This has been changed, and they are now excluded by default. You can include them by changing the default filter.The latest Scan Node in available in the Elements Vulnerability Management portal no longer require .NET Core 2.2 for the installation and usage.

Integrations

Elements Connector release

A new release 22.18 (Windows) / 22.19 (Linux) is rolled out with the following changes:

New features:

Support EDR BCD incidents in Security Events forwarding to SIEM systems. This feature is planned to be released into production back-end later this week.

Fixed issues:

Includes latest spring4shell updated binaries, so after new installation you don't need to apply any hotfixes anymore.

First time installers are now released and have also been delivered via automatic channel update, so your Connector should already be at the latest level.

Provisioning API updates

Getting a list of subscriptions for a company or a partner is now possible. Details in

Other items of interest

Getting the latest information on WithSecure™ service status

Did you know that WithSecure has a publicly available service that provides information about ongoing incidents? You can access this service here and it is even possible to subscribe to it so that you can be informed by several different methods. Simple click on "Subscribe to Updates" at the top, and choose the method you want, and ensure that you don't miss any important status announcements. Customers who previously used the F-Secure status service should re-subscribe to this new service, as it caters for B2B customers exclusively.

Domain changes for accessing WithSecure™ Elements

As F-Secure Business is now WithSecure™, we will shortly be moving the Elements portal and related services so they work under the withsecure.com domain. Once this change is made, the portal will be accessible using the URL .

To aid partners and customers during this transition, we will be redirecting access made via automatically to the new domain. However, we do advise any partners or customers to ensure that they whitelist this new URL to ensure continued access.

In addition to the main portal access, the authentication URL used for sign-in will also change to one using a withsecure.com address.

Please note: Once the new domains are taken into use, users who are logged in to the portal will need to re-authenticate. This is a one-time action, but is unfortunately unavoidable due to the change. To ease this transition, we will schedule the change so that it occurs during off-peak hours.

API access URLs are not affected by this change, and existing client installations continue to work without any changes being needed to Access Control Lists.

Changes in WithSecure™ License Terms and Privacy Policies

As we have separated our B2B (Business) and B2C (Consumer) businesses, we are in the process of updating our License Terms and Privacy Policies to better reflect this. The new License Terms will take effect during September, and the Privacy Policies are being updated on a slightly different schedule.

There are no substantive changes to the Privacy Policies. The main changes in the License Terms were to remove the B2C references, update the changing process and to make the text clearer and easier to follow. You can find out more details of the upcoming License Terms changes here.

WithSecure™ Threat Highlights Reports

May 2022 highlights

Advisory on initial access techniques
Emotet back at full power
BPFDoor, an insidious backdoor
- Ransomware: Trends and notable reports:Is this the end of Conti?
- Iran is carrying out ransomware attacks
- Operator of Thanos builder charged
- The return of REvil?

Access the May Threat Highlights Report PDF – following this link.

June 2022 highlights

Follina, an exploited vulnerability in MSDT
Emotet back at full power
State-backed actors target Confluence vulnerability
Law enforcement takes down Flubot
- Ransomware: Trends and notable reportsA look at the ransomware ecosystem
- LockBit is updated to 3.0
- An advisory on Karakurt
- “Ransomware” targeting Elasticsearch
- The costs of ransomware to businesses

Access the June Threat Highlights Report PDF – following this link.

July 2022 highlights

Trickbot group attack Ukraine
Brute Ratel being abused by threat actors
Black Basta on the rise
Ransomware: Trends and notable reports
BlackCat under the spotlight
Vice Society
A closer look at LockBit 3.0
Hive joins BlackCat in using Rust
CISA produce alert on MedusaLocker
HavanaCrypt, a new group with novel tactics
Q2 statistics from Digital Shadows

Access the July Threat Highlights Report PDF – following this link.

Security Advisories

You may have seen that WithSecure has released several Security Advisories relating to the products we have in use with our customers.

We have started publishing these for any vulnerability in the interests of “being open”. We believe that only by being transparent with our customers, can we truly stand beside our customers. We will hide nothing when it comes to vulnerabilities. You can always find the latest information on vulnerabilities in our software at the Security Advisories page on our public website.

One thing that we are really proud of is the fact that virtually all of the vulnerabilities found in our Elements software can be patched, fully automatically, without the customer needing to do anything at all.

WithSecure Detects New Infostealer Malware DUCKTAIL

WithSecure has discovered an ongoing operation, dubbed "DUCKTAIL", that targets individuals and organizations operating on Facebook's Ads and Business platform. Based upon analysis and gathered data, WithSecure has high confidence that the operation is conducted by a Vietnamese threat actor. The chain of evidence suggests that the threat actor's motives are financially driven.

Detection

WithSecure Endpoint Detection and Response

WithSecure’s Endpoint Detection and Response detects multiple stages of the attack lifecycle. This will generate a single incident with detailed detections, including:

Ducktail infostealer detected
File download headless browser
Dotnet telegram bot module load
Web-browser database file accessed
Abnormal connection to telegram api

WithSecure Endpoint Protection

WithSecure Endpoint Protection offers multiple detections that detect the malware and its behavior. Ensure that real-time protection as well as DeepGuard are enabled. You may run a full scan on your endpoint. Our products currently offer the following detections against the malware:

Trojan:W32/DuckTail.*
Trojan:W32/SuspiciousDownload.A!DeepGuard
Malicious certificate blocking

In case you missed it

Early Access for pre-release builds is now available for Mac and Windows

Early Access is available in the general settings section of the Mac and Windows profiles. After a device is assigned a profile with this setting enabled, it will receive the latest product version before it is released to channels for the silent upgrade. The upgrade will still happen silently and identical to the regular update. We reserve up to 2 weeks for the build to be available in Early Access before it is pushed to all the clients. We also may reduce the early access stage to the minimum in case a release contains some urgent vulnerability fixes. We strongly encourage using the Early Access feature to verify upcoming changes, before they are applied to the real production fleet environment.

Share your ideas with us

Our purpose is to co-secure the world with you – now as WithSecure™. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via our Ideas Portal, now accessible directly from WithSecure™ Elements Security Center.

Further information

Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the Help Center https://connect.withsecure.com/api-reference/psb#get-/accounts/-accountUuid-/security-events/polling https://help.f-secure.com/product.html#business/edr/latest/en/concept_41F4F6089A0540CDB825811DEDDEDCF0-latest-en https://connect.withsecure.com/api-reference/provisioning#get-/ws/rest/provisioning/ https://elements.withsecure.com https://elements.f-secure.com