Proofpoint | ObserveIT On-Premises Release Notes version 7.16.3
Version 7.16.3
This document provides information about new features, issues that were discovered and fixed since the previous release, and any limitations of the release. It is important that you read this document before you install and configure this version.
New Features and Enhancements
This version includes security fixes that address the following:
Support Microsoft New Outlook for Windows Agent
This feature is not enabled by default. To activate it, contact Proofpoint Support.
The Windows Agent now supports monitoring New Outlook (olk.exe) processes to track email activity. This includes detecting when emails are sent and when attachment files are saved to disk.
Note the following limitations for the New Outlook support:
- Attaching a file to an email is not detected at the moment of attachment. Instead, it is reported to the backend simultaneously with the email send activity, resulting in two activities with the same timestamp.
- The From field displays the endpoint name along with the currently logged-in user, rather than the actual sender’s email address.
- The To field captures the value as it appears in the email composition window. In some cases, this may be a display name from the organization directory rather than the recipient’s email address.
- If a mouse click occurs directly over the Send button, even if another window overlaps it, the email will still be sent, even if the Outlook window is not in focus.
- The email send activity is reported to the backend as soon as the Send button is clicked, even if the email remains unsent due to missing details (e.g., subject or recipient).
- When attaching a file via the Suggested Files panel, the source path reported alongside the email send activity will be shown as “Email_Client_Temp_Folder”.
Support for Ubuntu 24
The Linux Agent is now certified for Ubuntu 24. This applies to both the user activity monitoring agent within the windows system and the command-line execution monitoring agent.
Alerting on Cisco Webex Usage Based on Child Processes
The Windows Agent now supports enhanced monitoring of Cisco Webex activity by extracting not only the Process name but also a list of all child processes. These child process names are stored as comma-separated values in a new field called Child process names.
This enhancement applies only to the Cisco Webex application.
Key improvements:
- The Child process names field is now displayed on both the Alert Rule and Alerts screens.
- In the Ran Application menu, a new sub-menu titled Child process names has been added for creating or editing Alert Rules.
- Users can now define alerts triggered by specific child processes.
- When an alert is triggered, the Child process name will appear in the Alert Details on the Alerts screen.
Code Signing with Valid Certificate (OMS-12196)
All On-Prem components have been properly code-signed with a valid certificate to prevent functionality issues with the Updater that could occur after a service restart. This update addresses the issue reported in OMS-12916 by Proofpoint in December 2024.
Increased Default Log File Size for Unix/Linux
The default value for the Log file rotation in the Recording Policy for Unix/Linux screen has been increased from 10 MB to 100 MB. This change helps ensure that essential information is retained during troubleshooting with Proofpoint Support.
Enhanced "oitcons" Script on macOS with New Arguments
The "oitcons" script on macOS has been enhanced with two new switches:
- -launch: Gracefully starts all agent services and processes.
- -shutdown: Gracefully stops all agent services and processes.
Unique Downloaded JWT File Names for Different Modules
When downloading a JWT file from Configuration > Settings > Service Settings for any of the three modules — Screenshots Storage Optimizer, Agent Installation, or Update Installation — the file will now be assigned a unique name based on the module to prevent confusion.
Resolved Issues
[Issue 936]: Fixed an issue where user activity recordings on Citrix were associated with the incorrect endpoint name.
[Issue 1236]: Fixed an issue where alerts on Keylogger within an SSH session invoked via CMD failed to trigger due to unsupported delimiters between key words.
[Issue 1194]: Fixed an issue where the installation log on Mac did not correctly display the real reason for failure.
[Issue 1069, 1191]: Fixed an issue where applications invoked on Linux through a very long command line (e.g. PyCharm and GDB) would crash.
[Issue 1166]: Fixed an issue that caused slowness during the archive process.
[Issue 1198]: Fixed an issue where Keylogger activity reports on Mac incorrectly displayed the operating system as Windows instead of Mac.
[Issue 1237]: Fixed an issue where some Window Console screens did not function correctly when activities from a Mac Agent had a hostname containing an apostrophe.
[Issue 1205]: Fixed an issue where Linux Agent installation succeeded but Agent functionality failed because a file was missing in a hardened environment.