Tenable.ad 3.11 — On-premise (2021-12-01)
This release is end-of-life (EOL). Upgrade to a supported version. For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.
Tenable.ad version 3.11 includes the following new features:
A new Indicator of Exposure lists dangerous permissions and misconfigured parameters related to the Windows Public Key Infrastructure (PKI).
Secure communications between components via TLS using Tenable.ad's self-signed auto-generated certificate or a custom certificate.
A dedicated MSI for the security probe installation.
A lockout policy to mitigate brute force attacks against authentication mechanisms. It aims to lock out user accounts after too many failed login attempts.
A product licensing feature to allow you to update your Tenable.ad license.
Ability to disable certain indicators of exposure without restarting the security engine node.
Support for the localization process.
Single domain recrawling to force the refreshing of data for a domain.
Use of native Server Message Block (SMB) mapping.
Upgrade of Node.js to v16.
Japanese language support.
New Indicator of Exposure to detect when privileged users are allowed to authenticate on systems that are not considered trusted.
New Indicator of Attack to detect PETIT-POTAM attempts to coerce remote servers to authenticate with another machine on the network due to a Windows vulnerability.
A licensing feature to allow you to update your Tenable.ad license.
A new ability to define time zones for PDF/PPTX/CSV reports.
A new pane to display the details of an event when you review an incriminating attribute.
Tenable.ad version 3.11 contains the following bug fixes:
|Bug Fix||Defect ID|
|Tenable.ad purges the previous version's events from internal queues after each upgrade.||N/A|
|The analytics service successfully reconnects to the RabbitMQ server after failures.||N/A|
|The Indicator of Exposure C-PASSWORD-POLICY is more resilient against a specific corner case.||N/A|
|Tenable.ad ignores InheritOnly ACEs when it checks ACLs to avoid false positives.||N/A|
|The Trail Flow no longer freezes.||N/A|
|The Indicators of Attack requiring Sysmon better tolerate versions of Windows events, which strengthens detection.||N/A|
|Tenable.ad lists an event's deviances.|
|Tenable.ad now processes the InheritOnly flag in the Active Directory's ACEs when it checks ACLs.||N/A|
|Tenable.ad displays current dashboard data for new profiles.||N/A|
|Tenable.ad sets a timeout when it reindexes the database to prevent sporadic database unavailability.||N/A|
|Tenable.ad correctly processes LDAP objects with an empty GPLinks attribute.||N/A|
|Tenable.ad enables a live trail flow on the first login.||N/A|
|There are fewer deadlock possibilities in the database when Tenable.ad inserts Active Directory objects.||N/A|
|The widget title now supports Japanese characters.||N/A|
|Tenable.ad decreases the memory that the security analysis service consumes.||N/A|
|Tenable.ad uses the correct configuration naming context when it looks for the Default Query Policy.||N/A|
|Diffs on long attribute values no longer overflow.||N/A|
|Tenable.ad enables live directory status on the first login.||N/A|
|Tenable.ad shows better data consistency for the member attributes of group objects.||N/A|
|The Indicator of Exposure C-DC-ACCESS-CONSISTENCY does not check deleted domain controllers when you disable this option.||N/A|
|Node.js has been upgraded to version 12.22.7.||N/A|
|The Indicator of Exposure C-OBSOLETE-SYSTEMS displays alerts for the correct end of life date for Windows Server 2012 R2.||N/A|
|Tenable.ad correctly reports the end of support date for Windows 2012 R2.||N/A|
|API route events/eventId/ad objects do not fail due to responses exceeding the limit of 8000 bytes.||N/A|
|The Directory Listener reconnects to the queue manager without exhausting ports.||N/A|
|An indicator of exposure does not show up as deviant if all of its deviant objects are ignored.||N/A|
|The Indicator of Exposure C-OBSOLETE-SYSTEMS now checks for obsolete versions of Windows 10.||N/A|
|There is no longer a mismatch error between properties and attributes for indicators of attack.||N/A|
|The Ceti service can locate the TimeCreated property from an indicator-of-attack event.||N/A|
|Multi-threading works in the check context.||N/A|
|Indicator of attack errors are now centralized in Ceti's logs.||N/A|
|The GetLastEvent command correctly returns the ID of the last event without filtering.||N/A|
|Tenable.ad correctly decodes the cACertificate attribute.||N/A|
|Users can access the "Email alerts" page in order to create or modify email alerts.||N/A|
|Sysvol crawling succeeds with SMB mapping.||N/A|
|Crawling succeeds even when LDAP requests take a long time to initialize.||N/A|
|SYSVOL crawling completes successfully despite network errors.||N/A|
|The fetching of attribute names no longer fails due to timeout.||N/A|
|There are no performance issues with the Cygni component.||N/A|
|The Ceti component asks the Eridanis component to send directories only once.||N/A|
|Tenable.ad does not consider an empty GpcFileSysPath attribute as deviant.||N/A|
|The IoA task script supports Windows Server 2008R2.||N/A|
|Tenable.ad no longer considers alerts from domains that were removed as deviant.||N/A|
|The Sysvol Crawler continues even if the registry.pol file exceeds a given size.||N/A|
|The LDAP initialization succeeds even when it crawls an object that does not have an attribute change.||N/A|
|The parsing of POL files now works correctly.||N/A|
|There are no longer lost IoA events.||N/A|
|When creating a PSO after creating a domain, Tenable.ad no longer displays the reason "No PSO are applied on the domain".||N/A|
|Tenable.ad displays two distinct trust relationships even if they start from and end at the same domain.||N/A|
|Tenable.ad redirects the user from the email's "IoE details" and "IoA details" buttons to their corresponding page.||N/A|
|Tenable.ad supports Syslog and email ports above 60000.||N/A|
|Tenable.ad reconnects to the LDAP server when it loses the connection due to an LDAP_SERVER_DOWN error.||N/A|
|The Consolidated View timeline begins with the last day of the previous month when you select the month period.||N/A|
|Tenable.ad exports the Consolidated View in PDF or PPT with the same selected month.||N/A|
|Tenable.ad raises an "NTLMv1 protocol not disabled" deviance when the GPO is unlinked.||N/A|
|The checker now ignores the KRBTGT account.||N/A|
|Default profile options are included in any profile.||N/A|
|The license lock works with the NFR license.||N/A|
|The LDAP initialization completes even when it attempts to crawl inaccessible objects.||N/A|
|LDAP initialization succeeds even when it crawls an object that does not have an attribute change.||N/A|
Tenable.ad version 3.11.9 contains the following patches.
|Fixed CVE-2022-37026 by upgrading the RabbitMQ library dependency.||N/A|
Tenable.ad version 3.11.7 contains the following patches.
|Tenable.ad correctly flushes the Login event (4624) from its cache memory after a Logoff event (4634).||N/A|
|Tenable.ad displays attacks that occur on the 1st day of the month in the correct month.||N/A|
|When you remove a GPO, Tenable.ad only displays the deleted event.||N/A|
|When the SYSVOL connection breaks, Tenable.ad renews the connection to allow the listener to fetch new events.||N/A|
|The allow lists for Credentials Roaming users and groups now accept the samAccountName format.||N/A|
This patch also updates OpenSSL-related software to address the security issue CVE-2022-0778.
Tenable.ad version 3.11.6 contains the following patches.
|SQL services are running when upgrading from version 3.11.3.||N/A|
|Split architecture installations include TLS options.||N/A|
|RabbitMQ correctly resumes after upgrading from version 3.1.5 to 3.11.3.||N/A|
|Event insertion no longer affects performance.||N/A|
|Events for Indicators of Attack do not consume too many memory resources.||N/A|
Tenable.ad version 3.11.4 contains the following patches.
|The Tenable.ad installer pre-fills values for IP/ports from variables during an upgrade.||N/A|
|The upgrade correctly considers existing certificates.||N/A|
|The SQL service account can now access local certificates.||N/A|
|Tenable.ad updates group members when they change Organizational Units (OU).||N/A|
|The Security Probe installer completes after a reinstallation.||N/A|
|The Tenable.ad installer verifies that the PFX certificates are valid.||N/A|