
Features

  • Credential/Identity Monitoring now includes various VPN, cryptocurrency wallet, and other applications.

  • In a chain of affected processes during an attack (a common pattern: the attacker moves from running program A to B to C, and D is used for data theft), the “patient 0” program A is suspended, but program D is reported as the process performing the theft behavior.

    • Memory state is preserved and reported throughout the process chain, for future forensic analysis.

  • In the event of an automated response in which a running process' memory was modified, that memory modification is uploaded to Cyber Crucible for reverse engineering and further analysis (the upload is configurable).

  • In the event of a non-malicious memory modification bug in an application, behavioral exceptions (“whitelists”) can now flag certain memory corruption events as benign. This will not stop the program itself from crashing or losing data because of the bug, but Cyber Crucible will know to ignore the bug while searching for malicious injection of code into running processes (process injection/hollowing).

Fixes

  • Removed vulnerability where binaries could be deleted by a privileged process while CC binaries are updating.

  • Removed vulnerability where registry keys could be deleted or altered by a privileged process while CC binaries are updating.

  • Corrected memory state tracking when a process is patched in-memory during Cyber Crucible evaluation of the memory.

  • Corrected memory state tracking under certain conditions where memory is re-allocated between memory pages.

  • Minor CPU efficiency updates that are likely too small to register in Task Manager, since usage is normally <1%.

WHCP/WHQL Validation Status

Validated

MD5 Hashes

service.exe   = 90a6ca2f5b7a76b847052f3d420f0c9b
assistant.exe = b62ee623f74171f4a3f34ff129188174
CCRRSecMon.sys (Windows10)       = dfdce4016f6920e844615b3d506ec2e2
CCRRSecMon.sys (Windows8)        = 59bbd41c883ca0205fd3adbfdbb5dbb6
CCRRSecMon.sys (Windows7)        = 88e6f047f7fa26e717a24f5fd7b33dc5
