Limitations and Known Issues
This section describes limitations and known issues in previous releases.
Release 7.16.3
New Outlook Support
- Attaching a file to an email is not detected at the moment of attachment. Instead, it is reported to the backend simultaneously with the email send activity, resulting in two activities with the same timestamp.
- The From field displays the endpoint name along with the currently logged-in user, rather than the actual sender’s email address.
- The To field captures the value as it appears in the email composition window. In some cases, this may be a display name from the organization directory rather than the recipient’s email address.
- If a mouse click occurs directly over the Send button, the email is still sent even if another window overlaps the button, and even if the Outlook window is not in focus.
- The email send activity is reported to the backend as soon as the Send button is clicked, even if the email remains unsent due to missing details (e.g., subject or recipient).
Release 7.16.2
Mac Agent - macOS Sequoia Known Issues
On macOS Sequoia, users may see a popup that briefly appears for a couple of milliseconds once a month, as a result of the new macOS permissions policy.
Release 7.16.1
Email sending is not captured and reported to the backend in the new Outlook version for macOS when clicking the icon to collapse the email details (To, CC, BCC, Attachments) into a single line on the New Mail screen.
Release 7.14.3
When upgrading, the Web Console component must be removed and you must install the new version as Security Support Provider Interface (SSPI). It is not possible to upgrade from an older version configured with SQL authentication to a new version with SSPI.
Release 7.14.1
When the Agent Auto Upgrade mechanism is used to downgrade an agent that was installed in a non-default folder, the older version (after the downgrade) is installed in the default folder.
If duplicate active apps are defined in the Developer Portal, downloading the agent JWT file fails.
Release 7.13.0
When the Agent Auto Upgrade mechanism is used to downgrade an agent that was installed in a non-default folder, the older version (after the downgrade) is installed in the default folder.
If duplicate active apps are defined in the Developer Portal, downloading the agent JWT file fails.
Release 7.12.0
- For files with any of the following extensions: RTF, TXT, PNG, BMP, JPG, JPEG, XML, ZIP, upon adding or removing a label that has protection in a way that the file is renamed (for example, from .txt to .ptxt), the indication for Label Change in some cases is not displayed in the File History tab.
- If 2 applications exist with the same name within the Credentials screen in the Developer Portal, then the upgrade process will not be completed successfully, and agents won't be able to be installed.
- If you perform a backup and restore of the SQL database, Upgrades registered by the Updater before the restore will not re-register, and any Upgrade Sets will not be assigned to the Upgrade Updaters.
  You will need to force the Updater to re-register the Upgrades server. For each endpoint, delete the oitsettings.json file located in <updater installed location>\Updater Utility\config
  For example (default location): C:\Program Files\Windows Client Utility\Updater Utility\config
- File attachments sent with emails using Apple Mail are not captured and displayed in the Email Diary screen in the Web Console. However, the activity of attaching a file to a mail is captured and displayed correctly. (This limitation can be an inherent issue to macOS Monterey and has been reported to Apple.)
Release 7.11.0
The Application Server cannot be installed on servers with WebDAV enabled.
The Web Console cannot be installed on servers with WebDAV enabled.
MIP Limitations and Known Issues
- Alert rules configured using the MIP Label of the file option are currently not supported for user file activity on the Mac.
- In the File Diary, the File MIP Label filter includes all the labels available in the database. This list is populated whenever there is file activity for a file with a MIP label and on the tenants configured. This list can’t be managed/cleaned.
- For tracked files: the Agent only reads MIP labels when there is file activity. If an MIP label is changed in the background, for example in MS Azure, and there is no file activity, the label may not be updated.
- If MS Office is not installed on the endpoint, the Agent may not be able to extract files.
- The Agent extracts sub-labels (for MIP) for AIP. The Agent extracts the lowest sublevel, so the child label, not the parent label, is extracted.
- Label name and label display name: the Agent extracts the label name. This may differ from the display name. (You can check the name in the Microsoft 365 Security Console – Sensitivity Labels.)
- Label name changes: the Agent sees Microsoft’s label name and not the display name. In MIP, an admin can change only the display name; the label name remains the same.
- With Azure Information Protection (AIP): the Agent can extract labels and sub-labels because of the metadata on the file for file labels coming from AIP.
- In an ITM environment where the "Exfiltrating tracked file to the web by uploading" rule is enabled, the rule will be triggered unexpectedly when a client with ITM Agent installed performs the following operations
Release 7.10.0
- Agent Updater: Version 7.10 requires deployment using third party tools.
- In some cases, when creating a new Upgrade Set, the default Target Version is set to 7.9 instead of 7.10. You can choose the correct version (7.10) manually by clicking the Change hyperlink next to the version number.
- DBA Activity: In SQL2017, the Execute button is not supported for DBA Activity in the Web Console. Use F5 to execute the query.
- In mTLS setup, if you want to replace the Client certificate, add the new certificate and remove the older certificate. This allows the connection to resume.
- When performing an upload operation with multiple files that takes time to complete and during this time the user switches to a different tab, in some cases the URL destination is taken from the tab the user switched to.
Release 7.9.0
- In order to upgrade ObserveIT Windows Agents from version 7.6.2, run the Windows Agent installation .MSI file using the upgrade method (instead of manually uninstalling version 7.6.2 and then installing the new one).
- URL extraction in Firefox/Tor 71 and 72 is not supported. URL extraction is supported until Firefox/Tor 70.
- Email Monitoring does not support mTLS. This applies to both Windows and Mac.
- Email Monitoring: Attaching and saving file activity to/from email is monitored when the actions are performed using Save As or Attach File in Outlook/Mail applications. These activities are not monitored when using drag/drop and/or copy/paste. File sending from email activity is monitored for all cases (attach file, copy/paste and drag/drop).
Known Issues
- For Windows Agent, the URL is captured only when the window title is changed.
- The archive/delete operation will not run for more than one day if the storage mode for screen capture data is set to SQL Server DB.
Email Monitoring Limitations
- When sending emails from a Mac client (Apple Mail/Microsoft Outlook for Mac) using a non-English UI, some sent emails may not be monitored. When using the Send button or key combination, all emails are monitored.
- Images pasted in the email body - by the user or as part of the signature - are not monitored.
- If you send an email and the Subject field is blank, ObserveIT monitors this email as a sent email. In this case, the email client may warn you that the Subject field is empty. If you choose to fill in the blank Subject field and send again, the email is not monitored this time. (Mac client only - Apple Mail/Microsoft Outlook for Mac)
- In anonymized mode, when alert rules of type Sent email using an email client or Exfiltrated file by sending it via email are set with Sender/Recipient Address conditions and an alert is triggered with these conditions, the sender/recipient email addresses are unmasked in the Alerts view.
- When data anonymization is enabled, you cannot exclude users' email addresses from being anonymized. Email addresses will not be exposed in Email views.
- When using Outlook for Mac or Apple Mail, the recipient's nickname is used, not the email address. Since no email address is used, by default, the recipient is defined as untrusted. To resolve this issue, ObserveIT builds a learning mechanism so that whenever an email is initially sent with a nickname, ObserveIT remembers the relevant email and includes it in a dictionary of email addresses.
- The first time email monitoring is enabled, ObserveIT starts monitoring emails only after the user restarts Outlook. This limitation applies only to the first time email monitoring is enabled. Restarting Outlook will not be required again when disabling and enabling email monitoring, changing recording policy, and/or upgrading.
- When monitoring email sending events, the maximum number of recipients allowed is 1000 per email. If an email has more than 1000 recipients, only the first 1000 are included.
- When monitoring email sending events, the maximum number of attachments allowed is 1000 per email. If an email has more than 1000 attachments, only the first 1000 are included.
- When attaching files to an email, all activities from within the Outlook application are supported email attachment events, including attaching a file, copying a file and pasting it in an email, and dragging a file to an email. Non-supported email attachment events occur outside the Outlook email, such as actions from the file list, or sending an email from the IE menu by right-clicking and selecting Send to.
- In monitoring of email sending events that include files, the file name and file size information is always available. Other information about the attachment, such as the original file path, file history and whether a file is tracked, is only available when:
  - The Monitoring of file attachments events option is turned on in the Email Policy
  - The user's action is a supported email attachment event
- When a user selects the Run as administrator option by right-clicking Outlook, emails sent are not monitored.
Activity Replay Limitations
- If an Alert triggers in Offline mode, only metadata is recorded. No video will be recorded.
- In Activity Replay, recording is per session. When a user ends a session, recording stops even if the defined time range has not been reached.
- When Activity Replay is activated, ObserveIT records metadata and switches to video before and after the defined triggers for all users, including users previously configured for recording video & metadata in the User Recording policy.
System Limitation
- [Issue #67929] – In full screen mode, excluded applications/websites are displayed in the background on Windows.
Limitations Release 7.7x
File Activity Monitoring Limitations
- While FAM activity is exported via Developers Portal RESTful API, it is not currently exported via CEF Logs and Monitor Logs.
- USB connection of iPhone does not grant writing access to the iPhone, so USB connection of iPhone is ignored as a USB-connect event.
- USB Thunderbolt is not supported.
- The Microsoft signature uses the SHA-256 hashing algorithm, so installation of Security Update for Windows 7 (KB3033929), which adds support for SHA-2, is required: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929
- When copying a tracked file to a network share or to a local drive mapped to a network shared drive, tracking is discontinued.
- When copying a tracked file to a Cloud Sync & Share local folder, it will be detected as an exfiltration activity to a Cloud Sync folder. However, this file will stop being tracked for manipulations like copy, move, rename or delete.
- FAM has a built-in protection mechanism against affecting the monitored user productivity (CPU, memory consumption) in cases of copying/moving a very large number of files. In such cases, not all the copied/moved files will be captured by the system.
- File tracking is lost after deleting (i.e., moving to the Recycle Bin) and then restoring the file.
- Modifications of file content are not tracked.
- Changes to file permissions are not tracked.
- Performing a “Save As” on a tracked file will not track the newly created file.
- Upgrading an Agent will sometimes stop tracking of files that were tracked before the upgrade.
- Cloud Sync & Share:
  - Only the default installation folders are supported. For example, if you install Dropbox in a non-default folder, an alert will not be triggered when copying a tracked file to this folder.
  - Only “Tracked Files” (currently, files originating in a web download, in saving email attachments, or taken from a Box Sync/Drive local folder) are monitored for exfiltration via Cloud Sync folders.
- The TOR browser is not supported for detecting file upload and download.
- When using Edge browser (Win 10), upload events are filtered out and not marked. File Picker activity works well with Drag and Drop activity. This limitation applies to OS builds before 1709 only.
- After downloading a file and opening it from the browser’s Downloaded Files Panel (implemented differently on each browser), if the user switches to another tab while the file is opening, in some cases this operation is detected as a file upload.
Paste Activity Limitations
- Right-menu paste is not detected in the following:
  - Non-standard implementation of right-menu (Microsoft Office, Paint, Visual Studio, SSMS, WordPad, Wireshark, Slack, Fiddler)
  - Opening menu by right-click and choosing Paste (not with the mouse), for example, using arrow keys & ENTER or keyboard shortcuts such as Shift-P
  - Paste by clicking on the paste icon
- Opening right menu on Mac with the Touch Bar without releasing your finger from the Touch Bar, dragging your finger and choosing the Paste menu item.
  If, however, after opening the right menu, you release your finger from the Touch Bar and then click the Paste menu item, paste activity is detected.
Mac Printing Limitations
- Printing directly from Chrome browser is not tracked.
- Printing from Finder using right-click-Print, without opening the document is not tracked.
- Printing from the Mail application may not be tracked at times.
- When printing from OneDrive, the document name is sometimes missing.
In-App Elements Limitations
In-App Elements are no longer supported. In-App element options still appear in some places in the UI; they will be removed in 2022.
Active Directory Limitations
- The Application Server must have access to at least one Domain Controller of the 'Login Domain', otherwise the old Agent will fail to retrieve the user's group membership. This also occurs when there is “One Way Trust” between forests.
- For the Application Server/Web Console to refresh the Active Directory networking topology (for example, when there is a new Domain Controller, forest trust relationship, etc.), the user must reset IIS (Microsoft Internet Information Server).
Endpoint IP Limitation
- The Additional IPs displayed in Configuration>Endpoints screen may include some non-real IPs (starting with “169.254”).
Product Architecture Limitation
- [Issue #63625] – Agent remote control for start/stop activities is not supported on Amazon Web Server (AWS) environment.
Other Limitations
- For Asian languages that use a virtual keyboard, key logging data is captured by "writing" on the keyboard, but typed characters cannot be captured by mouse clicks.
- Graphical (X) applications are not recorded except for the supported X terminals, such as GNOME-terminal or dtterm.
Known Issues
- [Issue #56098] – When upgrading from a version earlier than 7.1, changes that were made in the assignment of Insider Threat Library (ITL) alert rules to User Lists (from a version earlier than 7.1) will be reset to their default assignment.
- [Issue #58105] – During installation of the Website Categorization module on machines that are using TLS version 1.2, the following error message might be displayed:
  - “The update service could not be accessed. Please check Internet connectivity. If this machine…”
  - This error message can be ignored as the Website Categorization module will still function properly in this environment.
- [Issue #58607] – When accessing a Linux agent using sftp protocol and an alert notification has been configured for GET and PUT commands, the user receives an “access denied” message but the warning notification is not displayed.
- [Issue #60392] – Upload tracking with Firefox on Windows 10 does not work due to permissions issues.
- [Issue #61186] – When using the Edge browser, the “Save as photo” command is not detected as a file event. The downloaded file is not tracked.
- [Issue #60137] – Searching for a part of a filename together with the file extension may not return correct results.
- [Issue #62197] – When moving from using a combined mode of screenshot storage (SSD “Hot” storage together with standard “Warm” storage), to using only standard file system storage, IIS must be restarted after the change is applied in Screenshot Storage configuration.
- [Issue #62988] – The apis folder and its sub-folders remain after uninstall.
- [Issue #62720] – Uploads from Firefox (below Firefox release 40) are not tracked.
- When an “Anonymized” Web Console user logs in to the Web Console, the following features are disabled: Reports, Archive, DBA Activity, Saved Sessions, Audit Sessions, Audit Saved Sessions, and Inventory view in the Endpoint Diary.
- Prior to ObserveIT installation, if a DDL trigger exists on the ITM On-Prem (ObserveIT) Database, you must disable it.
- After downloading a file and opening it from the browser’s Downloaded Files Panel (implemented differently on each browser), if the user switches to another tab while the file is opening, in some cases this operation is detected as a file upload.