Features
Expanded support for process injection analytics, to dramatically increase the accuracy of distinguishing malicious from benign intent for applications.
This became especially important because a small number of machines (<0.02% of machines in Cyber Crucible telemetry) demonstrated aggressive use of process injection techniques.
Increased monitoring capability for unsigned system processes. This was partially in response to attackers focusing heavily on involving those processes during lateral movement operations (within a system, and between systems).
Fixes
Changed a file modification behavior to decrease false positives by no longer triggering on certain benign actions, using additional kernel-level context about a process' file-access behaviors.
WHCP/WHQL Validation Status
Validated.