Agent 3.1 (2022-11-04)

New Features

New Versioning Scheme

From now on, Teramind will use a new versioning scheme: <major>.<minor>, for example 3.1. The <major> part changes with each public release; the <minor> part changes with each hotfix/patch update.

This simplifies version control and makes Agent versions compatible with the Windows product versioning guidelines. It also lets tools such as WiX and SCCM determine which version of the Agent is installed, so they don't accidentally remove or change the installed application, and it helps admins who run a custom Agent understand what they need to update and when.

Behavior Rules: Detect the Running of Elevated Apps

A new rule criterion, Running Elevated, has been added under Activity Rules > Applications. It lets you detect any application that is launched with elevated permissions through Windows User Account Control (UAC).

Note: the criterion's UI on the Teramind Dashboard was still being finalized at the time of this release and may differ slightly from what is described here.

An app is typically run elevated when you launch it from the Windows Start menu while holding down CTRL+SHIFT, or when you right-click it in File Explorer and select Run as administrator. In both cases UAC asks for consent or credentials before the process starts with administrator rights.

This criterion strengthens the security of your monitored systems: software that asks for admin permission can make system-wide changes, so knowing which applications run elevated, and under which user, helps you spot unauthorized privilege escalation and limit the impact of malware that needs admin rights.
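The same signal is available from Windows' own process-creation auditing, which is useful for cross-checking the rule or for hosts without the Agent. The following is an added example, not Teramind code: it reads Security event 4688 records (EVTX XML form) and flags launches whose TokenElevationType is %%1937, the fully elevated token a process receives after the UAC prompt is accepted or when it is started by an already elevated parent, so it catches Start-menu, Run as administrator and child-of-elevated-shell launches alike. The sample events, user names and paths are constructed for the example.

```python
"""Flag process launches that received a fully elevated (UAC-approved) token.

Added example, not Teramind code. It reads Windows Security event 4688 (process
creation) records in their EVTX XML form and reports launches whose
TokenElevationType is %%1937 (TokenElevationTypeFull). The sample events below
are constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Values Windows writes to the TokenElevationType field of event 4688.
ELEVATION_TYPES = {
    "%%1936": "TokenElevationTypeDefault",  # no split token: UAC off, built-in Administrator, or a service account
    "%%1937": "TokenElevationTypeFull",     # elevated through UAC, or inherited from an elevated parent
    "%%1938": "TokenElevationTypeLimited",  # filtered admin token: the ordinary, non-elevated desktop
}
FULL_ELEVATION = "%%1937"


def parse_4688(xml_text):
    """Return the EventData of a 4688 event as a dict, or None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4688":
        return None
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}


def elevated_launches(events):
    """Return (process, command line, creating user) for every fully elevated launch.

    Caveat: with UAC disabled, or for the built-in Administrator account, admin
    processes carry %%1936 and are NOT reported here; the rule only sees UAC-mediated elevation.
    """
    hits = []
    for xml_text in events:
        data = parse_4688(xml_text)
        if data and data.get("TokenElevationType") == FULL_ELEVATION:
            hits.append((data.get("NewProcessName", ""), data.get("CommandLine", ""),
                         data.get("SubjectUserName", "")))
    return hits


def make_4688(new_process, command_line, elevation, user):
    """Build a minimal 4688 record (constructed sample data, not a real log)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4688</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="NewProcessName">{new_process}</Data>
    <Data Name="TokenElevationType">{elevation}</Data>
    <Data Name="CommandLine">{command_line}</Data>
  </EventData>
</Event>"""


# Constructed sample: one elevated GUI launch, one normal launch, one service start,
# and a PowerShell started from an already elevated shell (also %%1937).
SAMPLE_EVENTS = [
    make_4688(r"C:\Windows\regedit.exe", r"C:\Windows\regedit.exe", "%%1937", "alice"),
    make_4688(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt", "%%1938", "alice"),
    make_4688(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs", "%%1936", "WORKSTATION$"),
    make_4688(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\x.ps1", "%%1937", "alice"),
]

if __name__ == "__main__":
    for process, cmdline, user in elevated_launches(SAMPLE_EVENTS):
        print(f"ELEVATED  user={user}  process={process}  cmd={cmdline}")
```

Event 4688 is only written when "Audit Process Creation" is enabled, and the CommandLine field is only populated when the "Include command line in process creation events" policy is on; without the latter you still get the elevation type and the image path.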

Improvements

Sped Up Stopping the Agent Services

The Teramind Agent (dwm.exe) is launched once for every logged-in user session and is controlled by a service (svc.exe; service name tsvchst). A command such as sc stop tsvchst stops all of the per-session agents.

Before this update the agents were stopped sequentially, one after another, which could drastically slow down the service shutdown, especially on a terminal server where many user sessions may be running.

With this improvement the per-session agents are stopped in parallel, improving both speed and reliability.

Improved the Performance of Detecting Activity Changes

Under the hood, the Agent no longer checks the desktop and background windows for activity-change events, improving speed and resource utilization.

Agent Update: Fewer Command Line Options

Previously, to update an Agent you would use a command like this, where <agent.msi> is the path to the Agent installer package and <server> is your Teramind server:

msiexec.exe /i <agent.msi> TMUPDATE=1 TMROUTER=<server> /q /n

You no longer need to provide the TMROUTER parameter (the installed Agent already knows its server). The new command looks like this:

msiexec.exe /i <agent.msi> TMUPDATE=1 /q /n

Bug Fixes

The Agent Crashes when Changing the Language/Region

The Agent would sometimes crash when the system language/region settings were changed. This is fixed now.

The Agent Causes a Blue Screen Of Death (BSOD)

Due to a memory leak in the tmfsdrv2 kernel driver, the system would sometimes crash with a Blue Screen Of Death (BSOD). The bug is fixed now.

The Agent Crashes Without Any Explanation

Due to an internal bug, the Revealed Agent would sometimes crash without displaying any error message. This is fixed now.

The Agent Crashes when Running Firefox

In some rare situations, when many Firefox tabs were open, the Agent would crash and log a TMDIAG fatal error (watchdog timeout). The bug causing this is fixed now.

The Agent Causes a Sharing Violation Error

In some cases, a sharing violation error could occur when a file was being accessed. The bug is fixed now.

Python Script Cannot Access a File Because of the Agent

You might have seen an error like the one below when a Python script tried to access a file:

  pathlib.Path.resolve(): [WinError 32] The process cannot access the file because
  it is being used by another process: '<file path>'

The issue was seen with pathlib (but not on Python 3.10) and with nt.path (but not os.path).

The issue is fixed now.

The Agent Taskbar Icon is Not Displayed Properly

In some cases, the app icon for the Teramind Revealed Agent wasn't displayed correctly on the Windows Taskbar. This is fixed now.

Security: Agent Protection is Turned Off When Same Version of the Agent is Installed

A bug caused a Protected Agent installation (e.g., a Hidden Agent installed with the DO_PROTECT=yes parameter) to lose its protection when the same version of the Agent was installed over the current, protected version.

The bug is fixed now: the installer performs the correct checks before updating a Protected Agent.

Security: Agent Protection Bypass Using the MD5 Hash

Because of how the password for a Protected Hidden Agent was stored, an attacker who knew the computer's name could reproduce the password with an MD5 hash generator and bypass the protection.

The vulnerability is fixed now with a stronger hash and storage mechanism.

Security: Insecure Storage of User Credentials by Teramind Revealed Agent on Windows

Teramind Revealed Agent for Windows stored user credentials insecurely: the uninstaller didn't clear the user's login information from the Registry, so an attacker could use the leftover keys to gain unauthorized access to the account, or clone them for use on a different machine. The flaw is fixed now and the user credentials are removed when the Agent is uninstalled.

Security: DLL Sideloading on Teramind Hidden Agent

Teramind Hidden Agent had a potential DLL sideloading vulnerability. An adversary could use it to execute code inside a trusted (signed) process running with elevated (SYSTEM) privileges.

Although the Agent and its supporting files are all signed, the signatures weren't verified before a DLL was loaded.

The flaw is fixed now: every file is checked to ensure it is trusted and actually issued by Teramind before it is loaded and executed.

Monitoring Settings: USB Devices are Unexpectedly Blocked

Due to a bug, the Agent would sometimes block USB peripherals (e.g., hubs, webcams, mice) connected to the computer. This is fixed now.

Monitoring Settings: Certificate Injection Issue in Tor Browser

Teramind injects its proxy certificate into the browser's certificate store to monitor web activity. Due to a bug, the certificate wasn't injected properly into the Tor Browser. The issue is fixed now.

Monitoring/BI Reports: IMAP Emails Not Captured Properly

Due to incorrect memory access in the IMAP handler, email monitoring sometimes didn't work properly for some emails. The bug is fixed now.

Monitoring/BI Reports: Outlook Emails Not Captured Properly

There was a bug in MTM (the service used to monitor Outlook emails) that prevented it from connecting to the Outlook desktop client if a message was opened and then minimized. This would cause issues with email monitoring and could show an error in the Dashboard. The bug is fixed now.

Monitoring/BI Reports: Printed Docs Not Captured Properly

Due to a bug, printers weren't opened properly, so printing activity wasn't reported. The bug is fixed now.

Monitoring/BI Reports: Browser Issues Due to Injection Errors

You might have noticed one or more of the following issues, all caused by a code injection error in the browser:

  • Empty name in the Webpage activity report
  • Error with firing the focus event when reconnecting
  • Error with firing a false focus event (browser behavior oddities)
  • Error with firing the focus event when processing a message with a favicon

These issues are fixed now.

Monitoring/BI Reports: Incorrect Detection of External Drives

Due to a bug, the Agent would sometimes detect and report Insert/Eject events for external drives that weren't actually present on the system.

The bug is fixed now, so such phantom events are no longer detected or reported.

Monitoring/BI Reports: Incorrect Filenames on Skype File Transfers Report

Due to a bug in Skype monitoring, Web Upload/Web Download events weren't tracked properly, so filenames were reported incorrectly.

The bug is fixed now.

Monitoring/BI Reports: MS Teams Activities Not Captured Properly

Due to a bug, MS Teams events such as chats/calls weren't being captured properly. This is fixed now.

Monitoring/BI Reports: WhatsApp Web Activities Not Captured Properly

Due to a bug, WhatsApp Web events such as meetings weren't being captured properly. This is fixed now.

Monitoring/BI Reports: Gmail Activities Not Captured Properly

Due to a bug, Gmail activities weren't captured properly. This is fixed now.

Monitoring/BI Reports: Twitter Activities Not Captured Properly

Due to a bug, Twitter events such as creating a post or comment weren't being captured properly. This is fixed now.

Computers: Remote Uninstall Not Working

Due to a bug, the Uninstall Agent from PC option on the COMPUTERS screen didn't work: it reported that the Agent had been removed when in reality it hadn't. The bug is fixed now.

Behavior Rules: RDP Criteria Not Working

Due to a bug, Remote Desktop Protocol (RDP)-based rules (e.g., Activity > Network rules with the Remote host or Remote port conditions) wouldn't trigger properly.

The bug is fixed so that RDP-based rules work as expected.

Behavior Rules: Memory Leaks in Some Content-Based Rules

Memory usage was high when copying large amounts of data to network locations while a Content > Files rule was active.

The memory leak causing this is fixed now.

Behavior Rules: Incorrect Reporting of Idle/Active Time

Idle time/active time could grow incorrectly (exponentially), causing Behavior Rules based on idle time not to trigger properly. This bug is fixed now.

Behavior Rules: Idle/Active Time Criteria Not Working

In some scenarios, matched values weren't reported correctly for active/idle time, so rules based on these criteria wouldn't trigger properly.

The bug is fixed now, so rules based on idle/active time work properly.

Behavior Rules: Except Condition Not Working on Files-Based Rules

In some scenarios, Activity > Files rules with an EXCEPT condition wouldn't work when combined with an IM criterion.

The bug is fixed now, so Files rules that combine the EXCEPT condition with IM work properly.

Behavior Rules: Rules with Launched from CLI and Command Line Arguments Criteria Not Working

In some scenarios, Activity > Applications rules using the Launched from CLI and Command Line Arguments criteria wouldn't trigger.

The bug is fixed now, so these rules work properly.
