Windows Agent Releases

Some Windows Agent 4.4.x, Agent 4.3.x and 4.2.x features are only supported on FortiSIEM 6.4.0 or later.

Windows Agent 4.4.1

This release includes the following bug fix.

For the French locale, Windows Security, System and Application Event logs are incorrectly formatted, leading to important fields not being parsed (Bug 901252).

Windows Agent 4.4.0

This release contains the following new feature and bug fix.

Support for Virtual Desktop Infrastructure (VDI) Environment

Windows Agents can work in VDI environments using the following steps:

  1. The administrator first installs the Windows Agent onto the VDI Golden image. See Installing Windows Agent in VDI Environment for details.

  2. When a user logs on to the VDI environment and downloads a VM from the VDI Server, the VM contains a VDI transient image (containing the Windows Agent). The agent automatically registers to the FortiSIEM Supervisor node, with the host name set to <DOMAIN>__<USERNAME> in CMDB.

  3. When the user logs off from the VDI environment, the agent automatically unregisters from the FortiSIEM Supervisor node. The agent's status is set to decommissioned, so that it does not consume an agent license.

Bug Fix

Command line arguments in 'new process created' events are lowercased, which breaks base64 decoding of command line arguments (Bug 873700).
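An added illustration of why this bug matters (example code written for this page, not the agent's own code): base64 is case-sensitive, so lowercasing a 4688 command line silently changes the decoded bytes instead of raising an error. The sample command line and the PowerShell-style -EncodedCommand argument are constructed for the example.

```python
import base64
import re

# Constructed sample: the command line of a 'new process created' (Event ID 4688) record
# carrying a base64 argument (PowerShell's -EncodedCommand takes UTF-16LE text).
ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = f"powershell.exe -NoProfile -EncodedCommand {ENCODED}"

ARG_RE = re.compile(r"-encodedcommand\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_argument(cmdline):
    """Return the decoded text of the base64 argument, or None if it does not decode cleanly.
    Base64 is case-sensitive: 'A' and 'a' are different sextets, so a case change
    yields different bytes rather than an error."""
    m = ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def normalize_lowercase(cmdline):
    """Pre-4.4.0 behaviour described in the bug: the whole command line is lowercased."""
    return cmdline.lower()

def normalize_preserving_payload(cmdline):
    """Case-fold only the executable and switch tokens; leave the value that follows
    -EncodedCommand untouched so it still decodes."""
    out, keep_value = [], False
    for tok in cmdline.split():
        out.append(tok if keep_value else tok.lower())
        keep_value = tok.lower() == "-encodedcommand"
    return " ".join(out)

if __name__ == "__main__":
    print(decode_encoded_argument(SAMPLE_CMDLINE))                               # Get-Date
    print(decode_encoded_argument(normalize_lowercase(SAMPLE_CMDLINE)))          # garbage
    print(decode_encoded_argument(normalize_preserving_payload(SAMPLE_CMDLINE))) # Get-Date
```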

Windows Agent 4.3.0

This release provides the following features and improvements.

Software Installer Improvements

In earlier versions, FortiInsight User Entity Behavior Analysis (UEBA) was installed as a separate package and installer and showed up as a separate Windows service. Starting with this release, FortiInsight runs as an integrated module within FortiSIEM Windows Agent. This also means that FortiInsight will no longer be running in the background when the UEBA license and template associations are not enabled.

Three installation options are provided: x86 MSI, x64 MSI and a bundled exe that automatically detects the correct MSI to use.

Installation paths, log files and registries have been renamed from AccelOps to FortiSIEM:

  • Installation path has been updated from C:\Program Files\AccelOps to C:\Program Files\Fortinet\FortiSIEM

  • ProgramData paths have been updated from C:\ProgramData\AccelOps to C:\ProgramData\FortiSIEM\

  • Registry entries have been moved from HKLM\Software\AccelOps to HKLM\Software\Fortinet\FortiSIEM

  • Log files have been added to C:\Program Files\Fortinet\FortiSIEM\logs

  • ProxyTrace.log has been renamed and moved to C:\ProgramData\FortiSIEM\logs\Trace.log

  • All libraries have been renamed from AccelOps to FortiSIEM.

    • AccelOps.Common > FortiSIEM.Common

    • AccelOps.Security > FortiSIEM.Security

    • AccelOps.Utilities > FortiSIEM.Utilities

    • AccelOps.WebProxy > FortiSIEM.WebProxy

Robust Detection of Event Log Restart (Event ID 1100)

In previous versions, an Event Log restart was detected by tracking the Process ID (PID) of the Windows Event Log service. The assumption was that when the Windows Event Log service restarts, the PID gets recycled. In some cases, however, a Windows Event Log “restart” does not recycle the PID, but just invalidates the handles.

This release adds a robust restart check by looking for the security Event ID 1100, which indicates a restart has occurred.

Restart Event Collection from Last Position

In previous versions, event collection started from Agent startup time. This caused the Agent to miss events, especially in the case of a restart. In this release, the Windows Agent stores its last processed event and, on restart, begins event collection from that point. A restart therefore no longer results in event loss.
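The two behaviours above (restart detection via Event ID 1100, and resuming from the last processed record instead of from startup time) as an added simulation; this is example code written for this page, not the agent's implementation. The in-memory channel, the BookmarkStore class and the record IDs are constructed; the real agent persists its position in its local database.

```python
from dataclasses import dataclass

# Security-log Event ID the agent watches for: 1100 marks an event logging service shutdown.
EVENT_LOG_RESTART = 1100

@dataclass(frozen=True)
class Event:
    record_id: int   # EventRecordID: increases monotonically within a channel
    event_id: int

class BookmarkStore:
    """Stand-in (assumption) for the persisted 'last processed event' position."""
    def __init__(self):
        self.last_record_id = 0

class Agent:
    def __init__(self, store, log, resume=True):
        self.store = store
        self.log = log     # the channel, shared with the simulation that appends to it
        # resume=True : continue after the persisted bookmark (4.3.0 behaviour)
        # resume=False: start at the newest record present at startup (earlier behaviour)
        newest = log[-1].record_id if log else 0
        self.position = store.last_record_id if resume else newest
        self.restarts_seen = 0

    def poll(self):
        """Forward every unseen record, persisting the bookmark after each one."""
        forwarded = []
        for ev in self.log:
            if ev.record_id <= self.position:
                continue                    # already delivered before the last restart
            if ev.event_id == EVENT_LOG_RESTART:
                self.restarts_seen += 1     # the real agent reopens its log handles here
            forwarded.append(ev.record_id)
            self.position = ev.record_id
            self.store.last_record_id = ev.record_id
        return forwarded

def simulate(resume):
    """Constructed scenario: 2 records arrive and are sent, the agent is killed,
    3 more records (one of them 1100) arrive while it is down, then it restarts."""
    log, store = [], BookmarkStore()
    first = Agent(store, log, resume)
    log.extend([Event(1, 4624), Event(2, 4688)])
    sent = first.poll()
    log.extend([Event(3, 4672), Event(4, EVENT_LOG_RESTART), Event(5, 4624)])
    second = Agent(store, log, resume)          # fresh process, same bookmark store
    sent += second.poll()
    return sent, second.restarts_seen

if __name__ == "__main__":
    print("resume from bookmark:", simulate(True))    # all five records, one restart seen
    print("start at startup time:", simulate(False))  # records 3-5 lost, restart missed
```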

Monitor Software Installed via Microsoft Apps

In previous versions, FortiSIEM Windows Agent would detect installed software when the user installed it via standard installation mechanisms such as Control Panel or MSIs. This release adds support for the Microsoft App store, which has become the standard way to install and distribute Microsoft software. FortiSIEM Windows Agent 4.3 can now detect installed/removed software when the user installs software via the Microsoft App store.

Windows Agent 4.2.7

This release fixes the following issue.

Windows Agent process stops after enabling UEBA on Windows OS French language pack version (Bug 821479).

Windows Agent 4.2.6

This release fixes the following issue.

Virtual Collector configuration in Windows Agent Host to Template Association does not work correctly. Agent does not send events to the configured Virtual Collectors (Bug 812009).

Windows Agent 4.2.5

This release fixes the following issue.

Windows security logs with XML keyword are truncated. Examples are Windows Security Event ID 1202, 1203 for Active Directory Federation Service (ADFS) (Bug 799857).

Windows Agent 4.2.4

This release resolves the following issue.

Allow the following characters in the Windows Agent user name during registration: space, dollar sign ($), asterisk (*), plus (+), minus (-), dot (.), at sign (@), underscore (_), left parenthesis and right parenthesis; in other words, the characters between the double quotes in “ $*+-.@_()” (the set includes a space) (Bug 790304).

Windows Agent 4.2.3

This release provides a way to install FortiSIEM Windows Agent so that the Administrator can stop the Agent Service if needed. To accomplish this, the user must install the Agent via the command line with the UNPROTECT=1 option. For details, see Installing with the Ability to Stop Agent Service in the Windows Agent Guide.

Windows Agent 4.2.2

This release adds support for the full special characters set in specifying Windows Agent passwords. Supported character set is specified at this website:

https://owasp.org/www-community/password-special-characters

Specifically, it includes (between double quotes): " !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"

These characters can be input both via the Windows Agent command line and the GUI.

Windows Agent 4.2.1

This release fixes the following three issues for FortiSIEM Windows Agent.

  1. The Agent may not capture Windows Event Forwarding (WEF) logs when WEF is configured to write forwarded logs to any folder other than the Forwarded Events folder on the forwarded server. In addition, the Agent's performance of WEF log handling is improved. (Bug 766939)

  2. The Agent limits the Collectors' name to only 50 characters, which may not work in AWS where the FQDN can be long. (Bug 770632)

    Note: The limit is now 253 characters.

  3. The Agent stops sending logs after killing or restarting Windows Event Log Process. (Bug 744891)

Windows Agent 4.2.0

This release contains two enhancements.

  1. A GUI is provided for installing the Agent. See Installing FortiSIEM Windows Agent 4.2.x in the Windows Agent 4.x.x Installation Guide.

  2. Ability to upgrade multiple agents in parallel from the Supervisor. See here.

Windows Agent 4.1.6

This release fixes the following three issues for FortiSIEM Windows Agent.

  1. The Agent may not capture Windows Event Forwarding (WEF) logs when WEF is configured to write forwarded logs to any folder other than the Forwarded Events folder on the forwarded server. In addition, the Agent's performance of WEF log handling is improved. (Bug 766939)

  2. The Agent limits the Collectors' name to only 50 characters, which may not work in AWS where the FQDN can be long. (Bug 770632)

    Note: The limit is now 253 characters.

  3. The Agent stops sending logs after killing or restarting Windows Event Log Process. (Bug 744891)

Windows Agent 4.1.5

This release resolves two security issues:

  1. The log file contains plain text password used to register the agent to the Supervisor. This password is not used for any other purposes. (Bug 749499)

  2. An authenticated Windows user can run arbitrary PowerShell scripts with Admin permissions. (Bug 749499)

Windows Agent 4.1.4

This release resolves two issues:

  1. File handle leak while interfacing with the local SQLite database. This can cause Windows Agent memory usage to grow over time. (Bug 746978)

  2. File handle leak while interfacing with Windows registry. This can cause Windows Agent memory usage to grow over time. (Bug 748252)

Windows Agent 4.1.3

This release resolves two issues:

  1. When FortiSIEM monitors DNS Analytical logs, Windows EventLog service memory utilization may be high. (Bug 723147)

  2. Windows Agent may stop sending events if both the Supervisor and Collector go down for more than 10 minutes and then come up. (Bug 727842)

Windows Agent 4.1.2

This release adds the ability to work with FortiSIEM Management Extension Application (MEA) Collector released as part of FortiSIEM 6.3.0.

Windows Agent 4.1.1

This release fixes the following issues:

  1. Windows Agent does not generate events when a monitoring template is chosen with a large set of comma-separated event IDs. The previous limit of 50 event IDs or 250 characters is now extended to 1200 characters, including the separating commas. If you need more than this limit, you can always create multiple monitoring templates. (Bug 702090)

  2. When Windows Event Forwarding is configured, FortiSIEM Agent running on the forwarded server may sometimes fail to get the message in Security Events. A new API is now used to collect the events from the Windows Forwarded Events folder. (Bug 710074)

Windows Agent 4.1.0

This release adds the following enhancements.

  1. Agent will restart automatically after 1 minute if it is killed.

  2. Service protection – user cannot Stop, Restart or Pause the agent from Windows Service Manager.

  3. Users can change the logging level without restarting service by changing the registry key. Registry key instructions follow:

    1. Open HKEY_LOCAL_MACHINE\SOFTWARE\AccelOps\Agent key

    2. To update with trace logging, set “LogLevel” value to “2”

    3. To update with debug logging, set “LogLevel” value to “1”

  4. The Agent Database is used to store Agent configuration parameters and to store events when connectivity to collectors is lost. The default size for your Agent Database is 1GB. This can be changed by modifying the MaxDBSizeInMB entry in your Registry Editor.

Details are in the Windows Agent Guide.

Windows Agent 4.0.1

This release fixes three issues:

  1. Agent status became disconnected on Windows Server 2012 R2. (Bug 672660)

  2. The log file contains plain text password used to register the agent to the Supervisor. This password is not used for any other purposes. (Bug 749499)

  3. An authenticated Windows user can run arbitrary PowerShell scripts with Admin permissions. (Bug 749499)

Windows Agent 4.0.0

This release provides User Entity Behavior Analysis (UEBA) by embedding a Kernel Agent that detects anomalies on these 10 user activities.

  • Log on and log off

  • Machine on and off

  • File create

  • File delete

  • File read

  • File write

  • File rename

  • File move

  • File upload

  • File download

  • Drive mount

  • Drive un-mount

Windows Agent 3.3.1

This release resolves two security issues:

  1. The log file contains plain text password used to register the agent to the Supervisor. This password is not used for any other purposes. (Bug 749499)

  2. An authenticated Windows user can run arbitrary PowerShell scripts with Admin permissions. (Bug 749499)

Windows Agent 3.3.0

This release fixes the following issue:

Windows Agent fails to send events to Collector after service restart or machine reboot. (Bug 659782)

Windows Agent 3.2.3

This release resolves two security issues:

  1. The log file contains plain text password used to register the agent to the Supervisor. This password is not used for any other purposes. (Bug 749499)

  2. An authenticated Windows user can run arbitrary PowerShell scripts with Admin permissions. (Bug 749499)

Windows Agent 3.2.2

This release fixes the following issue:

Windows Agent on certain platforms, including Windows 10 Pro, may crash while doing File Integrity Monitoring checks. This can cause Agents to get disconnected from the FortiSIEM GUI and cause events to stop coming. (Bug 653943)

Windows Agent 3.2.1

This release fixes the following issue:

Windows Agent service stops after a while with File Integrity Monitoring (FIM) turned on. (Bug 636060)

Windows Agent 3.2.0

This release includes several enhancements for File Integrity Monitoring (FIM) when using Windows Agents:

  • Detect File Permission and Ownership changes.

  • Ability to push monitored files from agents to the FortiSIEM Supervisor, where an audit trail of file changes is kept in SVN. The user can then examine the differences between the files.

  • Ability to detect file changes from a baseline.

Windows Agent 3.1.3

This release resolves two security issues:

  1. The log file contains plain text password used to register the agent to the Supervisor. This password is not used for any other purposes. (Bug 749499)

  2. An authenticated Windows user can run arbitrary PowerShell scripts with Admin permissions. (Bug 749499)

Windows Agent 3.1.2

This release adds the following new features and enhancements:

  • Signed Agent binary: Windows Agent binaries are now cryptographically signed by Fortinet.

  • Ability to specify host name: The user can specify a host name during Windows Agent installation. The Agent will register to the Supervisor with that host name. CMDB will show that host name.

  • Virtual Collector Support: Agents can send events to a Virtual Collector (such as an F5 Load balancer) located between Agents and Collectors. Virtual Collectors can be defined in the Agent definition on the Supervisor.

  • Installation fix: Agent fails to install if there is a file or folder named Program under C:\.

Windows Agent 3.1.0

This release contains the following Windows Agent specific enhancements, in addition to the ability to work without Agent Manager functionality described earlier.

  • Support for Windows Event Forwarding: Windows can forward logs using native Windows mechanisms to a central Windows Server. A FortiSIEM agent on the central server can then bring all the events from the various Windows servers to FortiSIEM. This is an alternative to running a FortiSIEM agent on every Windows server. The disadvantage of this approach is that only the Windows (Security, Application and System) event logs can be collected this way, whereas a FortiSIEM agent on each server can also collect other information such as FIM, custom logs and Sysmon. This release is able to parse the forwarded Windows events so that the actual reporting Windows server is captured and all the attributes are parsed as they would be when sent by native agents.

  • Support of Windows FIPS enabled mode: In earlier releases, the agent did not work properly if FIPS mode was turned on. This issue is addressed in this release.

  • File hash for File Integrity Monitoring computed using SHA256: The file hash value for file/folder monitoring is now reported using SHA256 algorithm instead of MD5. This enables direct match with external threat intelligence malware file hashes.