4.4.1.3

Features

  • Credential/Identity Monitoring now includes various VPN, cryptocurrency wallet, and other applications.

  • In a (this is common) chain of affected processes during an attack (attacker moves from running program A, to B, to C, and D is used for data theft), the “patient 0” program A is suspended, but patient D is reported as the process performing the theft behavior.

    • Memory state is preserved and reported throughout the process chains, for future forensic analysis.

  • In the event of an automated response in which a running process' memory was modified, that memory modification is configurably uploaded to Cyber Crucible for reverse engineering and further analysis.

  • In the event of a non-malicious memory modification bug in an application, behavioral exceptions (“whitelists”) now have the ability to flag certain memory corruption events as benign. This will not stop the program itself from crashing or losing data due to the bug, but Cyber Crucible will know to ignore the bug while searching for malicious injection of code into running processes (process injection/hollowing).

Fixes

  • Removed vulnerability where binaries could be deleted by a privileged process while CC binaries are updating.

  • Removed vulnerability where registry keys could be deleted or altered by a privileged process while CC binaries are updating.

  • Corrected memory state tracking when a process is patched in-memory during Cyber Crucible evaluation of the memory.

  • Corrected memory state tracking under certain conditions where memory is re-allocated between memory pages.

  • Minor CPU efficiency updates, that are likely too minor to register in Task Manager, since usage is normally <1%

WHCP/WHQL Validation Status

Validated

MD5 Hashes

service.exe = 90a6ca2f5b7a76b847052f3d420f0c9b assistant.exe = b62ee623f74171f4a3f34ff129188174 CCRRSecMon.sys (Windows10) = dfdce4016f6920e844615b3d506ec2e2 CCRRSecMon.sys (Windows8) = 59bbd41c883ca0205fd3adbfdbb5dbb6 CCRRSecMon.sys (Windows7) = 88e6f047f7fa26e717a24f5fd7b33dc5

 

4.4.1.3.1

Gained visibility into some system processes that initialize before the Cyber Crucible driver loads.

MD5 Hashes:

service.exe: a03b91df83f86ffe322f7b16960f503c assistant.exe: e22641924d3a1811b86a0f4357f74720 win7/CCRRSecMon.sys: b64b63c04f00afd1020a7a43fc0bb67d win8/CCRRSecMon.sys: c50aacb4aac6ac9f1e95e4ffa749cb2a win10/CCRRSecMon.sys: 77dd029b8e4b2cf5a2354787402ecc17

4.4.1.3.2

Added additional telemetry for the now-visible system processes due to 4.4.1.3.1.

MD5 Hashes:

service.exe: 47f408d6102eb06a94f2244cf139a0a5 assistant.exe: 86733da51ee703f93dcda9346231cca6 win7/CCRRSecMon.sys: b01e8933fa9ac9f0a049527b20d9f679 win8/CCRRSecMon.sys: 4467124cf7e8b5ab5652169f9eb41663 win10/CCRRSecMon.sys: 8f06de95303eeac038002ec27c297811

4.4.1.3.3

Fixed some incident reports including data for the wrong process, when a process dies mid-calculation.

MD5 Hashes:

4.4.1.3.4

Optimization of memory calculations, in preparation for 4.4.1.4.

MD5 Hashes: