Proofpoint | ObserveIT On-Premises Release Notes version 7.12.0

Version 7.12.0

This document provides information about features, issues that were discovered and fixed since the previous release of ObserveIT, and any limitations of the release. It is important that you read this document before you install and configure this version.

For information about how to install and upgrade, see:

This version includes security fixes.

New Features and Enhancements

New Console User Roles

Console User roles have been added. These roles are in addition to the already existing roles.

  • Alerts Analyst: This role is the same as View-Only Admin with additional access to Alert & Prevent Rules and Lists (within the Configuration area). This role cannot access any other ObserveIT configuration options.

  • Settings Admin: This role is the same as Config Admin (which has access to the Configuration area only), but does not have access to Alert & Prevent Rules and Lists (within the Configuration area). Users with this role can see all users and their permissions, but can create or delete only Settings Admin users.

    See: Creating and Managing Local Console Users

MIP Labels

The Agent also detects MIP label changes on tracked files. This provides additional visibility when monitoring suspicious activity on sensitive files. Using label change detection when a file is exfiltrated lets you fine-tune alerts, reduce noise, and get a more comprehensive view of file activity. Label changes display in the File Diary and File History, the User and Endpoint Diary, and the Session Player views. Alert Rules can be created based on MIP label change activity to detect when a monitored user modifies a MIP label.

See: MIP Integration

Linux Desktop UI Monitoring is now GA

Linux Desktop UI Monitoring provides a graphical view for Linux systems that support a graphical environment. The Linux Desktop Agent captures screenshots and metadata for application usage and Web browsing. This feature is supported on Gnome for Debian 8-10, Ubuntu 18.04-20.04, and CentOS 7.9-8.3.

See: Linux Desktop UI Monitoring Overview

USB Device ID

USB Device ID is now stored and displayed as a separate field. Previously, it was included in the USB Label field.

USB Device ID is displayed in Endpoint and User Diary, File Diary, Alerts, Search and in the Session Player. The field Device ID is also available when generating reports for USBConnect and File Activity types. You can also search by USB Device IDs in a free text search.

USB Device IDs can be used when defining alerts for files exfiltrated to a USB device (Exfiltrated File > To USB device > USB whose Device ID) and detecting connected USBs (Detect connected USB > USB ID).

Audit Screen Enhancement

In the Operator column of the Audit Sessions list (Configuration > Security & Privacy > Audit > Sessions), the text "this screen" displays next to an operator who opened a video session player from the Audit Sessions screen. This indication allows you to differentiate between a Console User who acts as an Auditor (usually reviewing and analyzing the Audit screens) and a Console User who acts as an Analyst.

In addition, you can filter the view to show:

  • Any screen (the default): Shows video sessions played from the Audit Sessions screen and any other screen

  • This screen: Shows only video sessions played from the Audit Sessions screen

  • Other screens: Shows only video sessions played from any screen other than the Audit Sessions screen

See: Auditing Session Replays

Extract Email for AD Group

For console users who are configured as part of an AD group defined in the Console User screen, the email address stored in Active Directory for each user (member) can be extracted if needed. With this feature, when a session that was saved (in the Session Player screen) is ready for download, the user (from the AD group) who saved the session receives an email.

Endpoint Grouping Enhancements

To make it easier to add a large number of endpoints to an existing custom Endpoint Group, the Add Endpoints to Group window (in Configuration > Endpoint Management > Endpoint Groups) has been improved:

  • The column Custom Endpoint Groups was added. This column displays which custom groups each endpoint is already associated with.

  • The filter Filter by Endpoint Groups was added at the top of the screen. This allows you to view only endpoints that are associated with a specific custom group, or endpoints that are not yet associated with any custom group. This is useful after deploying the Agent to new endpoints.

  • The Select All link at the bottom was enhanced. Users select whether the selection should be applied only to the current page or to endpoints on all pages.

See: Modifying Members in Endpoint Groups

System Event for mTLS Server-Side Enforcement

A new checkbox was added to the Security screen in Configuration > Security & Privacy to trigger an event when it is detected that the server side does not enforce mTLS agent-server communication.

See: Enforcing mTLS by the Server

New API for Agent-Server Communication

A new enhanced API for Agent-Server communication is now supported. Older Agents (before 7.12) will not be able to communicate with the server using this API. From 7.12.0, this option is selected by default.

In clean installations of version 7.12.0 (or later), this option is selected by default. Upon upgrading from versions earlier than 7.12, this option is not selected by default and requires manual activation. If you want to upgrade your agents as well, first make sure this option is not selected, then uninstall old agents, then activate this option and install the new agents.

For customers with Linux Agents, you must disable this option or the Agent will not be able to communicate.

To enable, select Configuration > Security & Privacy > Security.

See: Force Using New API for Agent-Server Communication

Archiving/Deleting Process Status Enhancement

Archiving/Deleting process now handles Alerts and Agent updates with statuses.

Supported Platforms

Release 7.12.0 supports Agents from release 7.8.0 and above.

From this version, the Website Categorization module can be installed on Windows Server version 2016 or later. Windows Server 2012 is no longer supported for the Website Categorization module.

7.12.0 is the last version to support:

  • SQL Server 2012/2014 Enterprise
  • Win 32 bit Agents
  • Win 8.x 64 bit
  • Win Server 2012 (not R2)
  • Debian 9.1 and lower

Resolved Issues

  • [Issue 420]: Fixed application error when setting up mTLS password on Web Console.
  • [Issue 394]: Printing sessions from the Endpoint and User Diary pages fixed to respect the time filter.
  • [Issue 376]: Fixed high CPU issue when killing non-interactive session on Linux.
  • [Issue 360]: Issue with installing Agent on an endpoint that was renamed has been resolved.
  • [Issue 359]: Performance issue when querying file activity when using API reports has been resolved.
  • [Issue 357]: High latency when deleting metadata as part of archiving with legal hold has been resolved.
  • [Issue 353]: Default time period in various Web Console screens has been changed to "last 3 days".
  • [Issue 248, 349]: In the Video Player, the issue of the Alert overlay that did not fully collapse has been resolved.
  • [Issues 340, 338]: The issue of missing screenshots that arrive after the session was signed has been resolved.
  • [Issue 336]: Fixed memory issue for RDCL process on RDS Citrix machine.
  • [Issue 329]: Display issue with the Database path field has been fixed.
  • [Issue 327]: High CPU usage for Linux endpoints when registration fails has been fixed.
  • [Issue 323]: Issue of documenting file attaching to email and switching quickly to browser associated as an email not as an upload. (Mac Agent)
  • [Issue 321]: Issue with installing the Agent based on Master Image on Turkish-based OS was fixed.
  • [Issue 303]: Fixed detecting monitoring of Web browsing during offline Activity Replay.
  • [Issue 265]: The Admin Dashboard screen was fixed to show earlier version fields correctly.
  • [Issue 264]: Non-USB hard drives are no longer recognized as USB devices.
  • [Issue 198]: Fixed login issue on Linux when all Application servers are down.
  • [Issue 194]: The issue that triggered Alert based on keylogger XQuartz terminal on Mac was fixed.
  • [Issue 161]: Archiving and deleting process is now handled
  • [Issue 182]: The detection of the correct URL when uploading files and switching to other tabs was significantly improved.
  • [Issue 446]: Resolved issue of possible macOS pop-up for screen recording permissions for metadata.
  • [Issue 439]: Removed duplicate file copies.
  • [Issue 438]: Issue with Activity Replay stopping recording as configured was resolved.
  • [Issue 426]: Performance issue was resolved when processing email activity.
  • [Issue 420]: Issue was resolved in Security & Privacy screen when setting mTLS password.
  • [Issue 417]: Issue of error messages during installation of Linux Agent to non-default location was resolved.
  • [Issue 411, 399]: Partial documentation of massive file copy was fixed, recovering all files.
  • [Issue 380]: A performance issue in the archiving process was fixed.
  • [Issue 320, 319]: Test files created by the system are no longer left on screenshot storage devices.

Limitations and Known Issues

File attachments sent with emails using Apple Mail are not captured and displayed in the Email Diary screen in the Web Console. However, the activity of attaching a file to a mail is captured and displayed correctly. (This limitation may be an issue inherent to macOS Monterey and has been reported to Apple.)