New features in 8.11.0

The following are the new features available with the Xprotect version 8.11.0 released on the 10th of November, 2020:


Restricted mode for Xprotect agents when drivers do not load

Xprotect hosts are automatically moved to Restricted mode if the drivers necessary to run the Xprotect agent do not load on a host. In Restricted mode, the Xprotect policies you enforced on the host are inactive and the host generates no Alerts. However, you can still perform host management operations such as upgrading, restarting, or uninstalling the agent on the host. You can also perform investigative operations such as fetching and isolating suspicious files, and executing commands remotely on the host from the Xprotect UI.

Hosts whose agents have been moved to Restricted mode display a red overlay icon in the Name column on the Hosts page.


Offline cache for Xprotect agents when Xprotect instance is not reachable

When the Xprotect instance is not reachable from the host, the agent on the host caches up to 1000 Alerts, from the time the instance became unreachable until the instance becomes reachable from the host again.

The offline cache spans 20 files, with 50 Alerts in each file. The last 20 cache files are listed in a master JSON file. When the host resumes connectivity with the instance, the cached Alerts from the last 20 files are sent to the instance.
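The following is an added illustration of the cache layout described above (20 chunk files of 50 Alerts each, indexed by a master JSON file, drained on reconnect). It is example code written for this page, not the Xprotect agent's own implementation; the file names, the JSON-lines chunk format, and the choice to drop the oldest chunk once a 21st file is needed are assumptions, since the page only states the 1000-Alert limit.

```python
import json
import os
import tempfile

MAX_FILES = 20                      # page: the cache spans 20 files
ALERTS_PER_FILE = 50                # page: 50 Alerts in each file
MASTER_FILE = "cache_master.json"   # assumed name for the master JSON index


class OfflineAlertCache:
    """Bounded on-disk Alert cache for use while the management instance is unreachable.

    Alerts are appended to numbered JSON-lines chunk files of ALERTS_PER_FILE entries.
    The master JSON file lists the last MAX_FILES chunk files in arrival order, so the
    agent can recover the cache after a restart. When a 21st chunk would be created, the
    oldest chunk is removed (assumption: the page does not say what happens past 1000).
    """

    def __init__(self, directory):
        self.directory = directory
        self.master_path = os.path.join(directory, MASTER_FILE)
        self.files = []   # ordered chunk file names, as listed in the master file
        self.seq = 0      # monotonically increasing chunk number
        self._load_master()

    def _load_master(self):
        if os.path.exists(self.master_path):
            with open(self.master_path) as fh:
                data = json.load(fh)
            self.files = data.get("files", [])
            self.seq = data.get("seq", 0)

    def _write_master(self):
        with open(self.master_path, "w") as fh:
            json.dump({"files": self.files, "seq": self.seq}, fh)

    def _count(self, name):
        with open(os.path.join(self.directory, name)) as fh:
            return sum(1 for _ in fh)

    def add(self, alert):
        """Append one Alert (a dict) to the current chunk, rotating chunks as needed."""
        if not self.files or self._count(self.files[-1]) >= ALERTS_PER_FILE:
            self.seq += 1
            name = f"alerts_{self.seq:06d}.jsonl"
            open(os.path.join(self.directory, name), "w").close()
            self.files.append(name)
            # keep only the last MAX_FILES chunks (assumed eviction policy)
            while len(self.files) > MAX_FILES:
                old = self.files.pop(0)
                os.remove(os.path.join(self.directory, old))
        with open(os.path.join(self.directory, self.files[-1]), "a") as fh:
            fh.write(json.dumps(alert) + "\n")
        self._write_master()

    def cached_count(self):
        return sum(self._count(n) for n in self.files)

    def drain(self):
        """Return all cached Alerts in arrival order and empty the cache (run on reconnect)."""
        alerts = []
        for name in self.files:
            path = os.path.join(self.directory, name)
            with open(path) as fh:
                alerts.extend(json.loads(line) for line in fh if line.strip())
            os.remove(path)
        self.files = []
        self._write_master()
        return alerts


def simulate_outage(n_alerts):
    """Constructed scenario: n_alerts Alerts arrive during an outage, then the link returns.

    Returns (chunk files in use, Alerts held before reconnect, ids sent on reconnect).
    """
    with tempfile.TemporaryDirectory() as d:
        cache = OfflineAlertCache(d)
        for i in range(n_alerts):
            cache.add({"id": i, "rule": "FileProtect", "host": "host-01"})  # constructed Alert
        n_files = len(cache.files)
        held = cache.cached_count()
        sent = cache.drain()
        return n_files, held, [a["id"] for a in sent]


if __name__ == "__main__":
    print(simulate_outage(1050)[:2])
```

With 1000 Alerts the cache fills exactly 20 files; with 1050 the first chunk is evicted, so only the last 1000 Alerts reach the instance. Whatever eviction policy an agent actually uses, the master index is what makes the cache survive an agent restart during the outage.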


Statistics report for Alerts and Policies

On the Reports page, you can generate and download a report with the number of alerts generated and events blocked for Whitelist, Blacklist, and Rule ring policy violations, and the number of policies and rules added or modified.

This report can be generated for the last 1 hour, 8 hours, 24 hours, 7 days, or 30 days. The report is downloaded as a CSV file.


Temporary policy settings for policies

On the Hosts page, select one or more hosts and click Set Temporary Policy (in the 3-dot menu or the floating panel at the top), then apply a temporary setting for one or more types of policies that are or can be enforced on the hosts. For example, relax the USB protect policy to install or upgrade software from USB devices, relax the File protect policy to back up policy-protected files as part of disaster recovery and high-availability measures, or set policy violations to 'only Monitor' during planned and experimental activities on the hosts.

You can apply a temporary policy setting for one of the following durations: 1 hour, 2 hours, 4 hours, 8 hours, 12 hours, or 24 hours. After the duration elapses, the policy setting reverts to the original setting.

You can apply multiple temporary policy settings to a host. However, only the latest temporary setting is active, once the host receives the update for that temporary setting from the Xprotect instance.
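The three rules above (a fixed set of durations, automatic revert when the duration elapses, and latest-setting-wins) are small but easy to get wrong in an agent, so here is an added model of them as example code for this page, not Xprotect's own logic. The policy type names and modes ("Block", "Allow", "Monitor") are constructed, and treating a new temporary setting as replacing the previous one for the whole host is an assumption drawn from the wording above.

```python
from datetime import datetime, timedelta

ALLOWED_HOURS = (1, 2, 4, 8, 12, 24)   # page: the selectable temporary durations


class HostPolicyState:
    """Effective policy resolution for one host with an optional temporary override."""

    def __init__(self, baseline):
        # baseline: mapping of policy type -> enforced mode, e.g. {"USBProtect": "Block"}
        self.baseline = dict(baseline)
        self.temporary = None   # (settings dict, expiry datetime) or None

    def set_temporary(self, settings, hours, now):
        """Apply a temporary setting for `hours`; replaces any earlier temporary setting."""
        if hours not in ALLOWED_HOURS:
            raise ValueError(f"duration must be one of {ALLOWED_HOURS} hours")
        unknown = set(settings) - set(self.baseline)
        if unknown:
            raise KeyError(f"unknown policy types: {sorted(unknown)}")
        self.temporary = (dict(settings), now + timedelta(hours=hours))

    def effective(self, policy_type, now):
        """Mode in force for policy_type at time `now`; expired overrides revert to baseline."""
        if self.temporary is not None:
            settings, expires_at = self.temporary
            if now >= expires_at:
                self.temporary = None        # duration elapsed: revert everything
            elif policy_type in settings:
                return settings[policy_type]
        return self.baseline[policy_type]


def demo():
    """Constructed timeline: a 2-hour USB relaxation, then a later 1-hour 'Monitor' setting."""
    t0 = datetime(2020, 11, 10, 9, 0)
    host = HostPolicyState({"USBProtect": "Block", "FileProtect": "Block"})
    host.set_temporary({"USBProtect": "Allow"}, 2, t0)
    during = host.effective("USBProtect", t0 + timedelta(hours=1))     # "Allow"
    untouched = host.effective("FileProtect", t0 + timedelta(hours=1)) # "Block"
    after = host.effective("USBProtect", t0 + timedelta(hours=2))      # "Block", reverted
    # a second temporary setting half an hour in replaces the first one entirely
    host.set_temporary({"USBProtect": "Allow"}, 4, t0)
    host.set_temporary({"FileProtect": "Monitor"}, 1, t0 + timedelta(minutes=30))
    replaced = host.effective("USBProtect", t0 + timedelta(hours=1))   # "Block"
    latest = host.effective("FileProtect", t0 + timedelta(hours=1))    # "Monitor"
    return during, untouched, after, replaced, latest


if __name__ == "__main__":
    print(demo())
```

The expiry check lives in the read path, so a host whose clock moves past the deadline reverts on the next policy decision even if no scheduler fires; the agent that receives the update still has to apply the same rule, which is why the page notes that the latest setting only takes effect once the host has received it.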
