Syspeace 2.7.0
April 03, 2017
Detection improvements
- Added a way for Syspeace to do enhanced IP address detection of SSL-based RDP communication, which would otherwise not be detected, on Windows Server 2008 and 2008 R2. This workaround is off by default but can be turned on in Settings → Rules → General.
- Improved the part of Syspeace’s engine that correlates Windows logon audit events lacking IP addresses with RDPCore event logs, giving better accuracy in detecting RDP-related successful and failed login attempts on Windows Server 2012 and 2012 R2.
- Added the setting “Coalesce repetitive Windows network login success entries” to mitigate repetitive “success” login entries issued by file servers on every file operation.
- Fixed a rare race condition in the Windows login detector logic that would cause Syspeace to crash when matching events while new events were being read.
Other changes and bug fixes
- Improved database design to drastically reduce the size of the Syspeace database, especially when many blocks are present and/or blocks are added, removed or changed often.
- Added the ability to export entries from the local blacklist in a simple format by selecting them and copying them.
- Added the ability to import entries into the local blacklist by pasting them into the list in the same format as when copying.
- Syspeace now attempts to use TLS 1.2 when .NET Framework 4.5 or later is installed.
- Fixed an incompatibility issue with newer versions of SQL Server that would prevent Syspeace from starting.
- Fixed an incompatibility issue with a Syspeace dependency.