Windows Agent 19.0 (2023-07-20)


Detect Browser Process Name Change, Custom Browsers and Prevent the Bypass of URL Logging

Sometimes, users might change the name of a browser's application executable. There might be legitimate reasons for doing so. For example, you might be using a customized/enterprise version of a browser with a different app name. But a malicious user might also change the process name to bypass URL logging by tools like Teramind. 

Renaming a browser's executable in this way also changes its Windows Process Name. For example, in the screenshot below, chrome.exe is changed to Teramind Chrome.exe:

Previously, the Agent relied on a browser's process name to detect it. So, a change to the process name would cause the Agent to not recognize the browser, and it would stop injecting the proxy certificate (Quick Web Proxy). As a result, it would mark the browser as a generic process/app and wouldn't capture detailed web activities such as the Full URL:

Behavior rules created to detect the browser name, URL, etc. might also fail for the same reason.

We are introducing a better method of detecting browsers so that changes like the above won't affect the Agent's ability to identify a browser. It now uses several data points, such as the Browser Name, Digital Certificate Signature, Original Filename, Product Name, and File Description, to verify the browser.
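The following is an added illustration of this kind of multi-signal identification. It is example code written for this page, not Teramind's own detection logic; the fingerprint values (signer names and version-info strings), the rule "valid signature from a known publisher plus at least one matching version-info field", and the sample metadata are all assumptions constructed for the demo. On a real Windows host the same fields come from the image file's VERSIONINFO resource (for example `(Get-Item $path).VersionInfo` in PowerShell) and its Authenticode signature (`Get-AuthenticodeSignature`).

```python
"""Identify a browser from executable metadata instead of its process name.

Added example for this release note, not Teramind's code. The fingerprint
values (signer names, version-info strings) and the matching rule are
assumptions made for the demo; the sample metadata below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExeMetadata:
    """Fields an agent can read for a running process's image file."""
    process_name: str                 # image name shown in the process list
    signer: Optional[str]             # Authenticode signer subject CN (None if unsigned)
    signature_valid: bool             # whether the signature chain verified
    original_filename: Optional[str]  # VERSIONINFO OriginalFilename
    product_name: Optional[str]       # VERSIONINFO ProductName
    file_description: Optional[str]   # VERSIONINFO FileDescription


@dataclass(frozen=True)
class BrowserFingerprint:
    name: str
    signers: frozenset
    original_filenames: frozenset
    product_names: frozenset
    file_descriptions: frozenset


def _norm(value: Optional[str]) -> str:
    return (value or "").strip().lower()


# Assumed fingerprint values for illustration only (stored lower-cased).
FINGERPRINTS = (
    BrowserFingerprint("Chrome", frozenset({"google llc"}), frozenset({"chrome.exe"}),
                       frozenset({"google chrome"}), frozenset({"google chrome"})),
    BrowserFingerprint("Firefox", frozenset({"mozilla corporation"}), frozenset({"firefox.exe"}),
                       frozenset({"firefox"}), frozenset({"firefox"})),
)


def identify_browser(meta: ExeMetadata, fingerprints=FINGERPRINTS):
    """Return (browser_name, evidence) or (None, []).

    Assumed rule: a valid signature from a known browser publisher is required,
    plus at least one matching version-info field. The process name is never
    consulted, so renaming the executable cannot change the result, and a file
    merely *named* chrome.exe does not pass without the publisher's signature.
    """
    for fp in fingerprints:
        if not (meta.signature_valid and _norm(meta.signer) in fp.signers):
            continue
        evidence = ["signer"]
        for label, value, expected in (
            ("original_filename", meta.original_filename, fp.original_filenames),
            ("product_name", meta.product_name, fp.product_names),
            ("file_description", meta.file_description, fp.file_descriptions),
        ):
            if _norm(value) in expected:
                evidence.append(label)
        if len(evidence) >= 2:
            return fp.name, evidence
    return None, []


def is_renamed(meta: ExeMetadata) -> bool:
    """Audit signal: the on-disk name differs from the compiled-in OriginalFilename."""
    return bool(meta.original_filename) and _norm(meta.process_name) != _norm(meta.original_filename)


# Constructed samples mirroring the release note's scenario.
RENAMED_CHROME = ExeMetadata("Teramind Chrome.exe", "Google LLC", True,
                             "chrome.exe", "Google Chrome", "Google Chrome")
# A file that only borrows the name: unsigned, so it must not be treated as Chrome.
NAME_ONLY_IMPOSTOR = ExeMetadata("chrome.exe", None, False, "chrome.exe", "Google Chrome", None)
# Signed by a known publisher but no version-info field matches: signer alone is not enough.
SIGNER_ONLY = ExeMetadata("updater.exe", "Google LLC", True, "updater.exe", "Google Update", None)

if __name__ == "__main__":
    for sample in (RENAMED_CHROME, NAME_ONLY_IMPOSTOR, SIGNER_ONLY):
        print(sample.process_name, "->", identify_browser(sample), "renamed:", is_renamed(sample))
```

The renamed executable is still identified as Chrome with four pieces of evidence, while a file that only carries the name chrome.exe is not, which is the property the release note describes: the process name is no longer the deciding factor. The `is_renamed` check is a separate audit signal a rule author could use to surface executables whose on-disk name differs from their compiled-in OriginalFilename.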


Bug Fixes

Network Connection Would Be Interrupted on Agent Restart or When Monitoring Settings Are Changed 

Due to a bug, when you restarted the Agent, disabled monitoring (e.g., from the Computers screen), or turned off the NETWORK DRIVER (Monitoring Settings > Monitoring Profile > Advanced), it might interrupt the network connection:

In most cases, the network would auto-recover in a few seconds, but you might lose connection to services that rely on continuous or real-time streams such as the remote desktop connection (RDP):

The bug is fixed now so that the network connection will not be interrupted when the Agent is restarted or the network driver is disabled.
