release-notes/elastic-security/index.md
+47 lines changed: 47 additions & 0 deletions
@@ -27,6 +27,53 @@ To check for security updates, go to [Security announcements for the Elastic sta
27
27
28
28
% *
29
29
30
+
31
+
## 9.2.0 [elastic-security-9.2.0-release-notes]
32
+
33
+
### Features and enhancements [elastic-security-9.2.0-features-enhancements]
34
+
* Adds an {{elastic-defend}} option to remediate orphaned state by attempting to start {{agent}} service.
35
+
* Updates the `endpoint-package` submodule.
36
+
* Adds more {{elastic-defend}} options to the {{ls}} output, allowing for finer control by the end user.
37
+
* Increases the throughput of {{elastic-defend}} {{ls}} connections by increasing the maximum size it can upload at once.
38
+
* Adds {{elastic-defend}} support for device control on macOS.
39
+
* Updates the device control schema.
40
+
* Adds architecture of PE file in malware alerts to {{elastic-defend}}.
41
+
* Adds the `Endpoint.state.orphaned` indicator to {{elastic-defend}} policy response.
42
+
* Adds {{elastic-defend}} support for cluster migration.
43
+
* Adds firewall anti-tamper plug-in to protect {{elastic-endpoint}} processes against network blocking via Windows Firewall.
44
+
* Includes `origin_url`, `origin_referrer_url`, and `Ext.windows.zone_identifier` fields by default to Windows image load and process events, if the information can be retrieved.
45
+
* Improves {{elastic-defend}} by integrating a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-Ldap-Client) to create new event types that prebuilt endpoint rules can use to detect malicious LDAP activity.
46
+
* Adds more Linux diagnostic process `ptrace` events.
47
+
* Improves reporting reliability and accuracy of the {{elastic-defend}}'s {{es}} connection.
48
+
* Enriches {{elastic-defend}} macOS network connect events with `network.direction`. Possible values are `ingress` and `egress`.
49
+
* Improves {{elastic-defend}} malware scan queue efficiency by not blocking scan requests when an oplock for the file being scanned cannot be acquired.
50
+
* Adds an {{elastic-defend}} advanced policy setting `windows.advanced.events.security.event_disabled` that lets users disable security event collection per event ID.
51
+
* Shortens the time it takes {{elastic-defend}} to recover from a `DEGRADED` status caused by communication issues with {{agent}}.
52
+
* Improves the `verify` command to ensure {{elastic-endpoint}} service is running, otherwise {{agent}} has to fix it automatically.
53
+
* Adds {{elastic-defend}} support for Windows on ARM.
54
+
* Improves the reliability of {{elastic-defend}} Kafka connections.
55
+
* Adds {{elastic-defend}} support for diagnostic DNS events on Linux.
56
+
57
+
### Fixes [elastic-security-9.2.0-fixes]
58
+
* Fixes an {{elastic-defend}} issue on Linux by preventing unnecessary locking within Malware Protections to avoid invalid watchdog firings.
59
+
* Fixes issues that could sometimes cause crashes of the {{elastic-defend}} user-mode process on very busy Windows systems.
60
+
* Addresses CVE-2025-##### in {{elastic-defend}} on Windows, which could allow a low-privilege attacker to delete arbitrary files on the system. On Windows versions before 25H2, this could result in local privilege escalation.
61
+
* Adds support in {{elastic-defend}} for installing eBPF event probes on Linux endpoints when cgroup2 is mounted in a non-standard location or not mounted at all.
62
+
* Adds support in {{elastic-defend}} for installing eBPF probes on Linux endpoints when taskstats is compiled out of the kernel.
63
+
* Fixes an issue in {{elastic-defend}} where Linux network events could have source and destination bytes swapped.
64
+
* Fixes a bug where Linux capabilities were included in {{elastic-endpoint}} network events despite being disabled.
65
+
* Fixes an issue where {{elastic-defend}} would incorrectly calculate throughput capacity when sending documents to output. This may have limited event throughput on extremely busy endpoints.
66
+
* Improves the reliability of local {{elastic-defend}} administrative shell commands. In rare cases, a command could fail to execute due to issues with interprocess communication.
67
+
* Fixes an issue in {{elastic-defend}} where host isolation could auto-release incorrectly. Host isolation now only releases when {{elastic-endpoint}} becomes orphaned. Intermittent {{elastic-agent}} connectivity changes no longer alter the host isolation state.
68
+
* Fixes a bug in {{elastic-defend}} where Linux endpoints would report `process.executable` as a relative, instead of absolute, path.
69
+
* Fixes an improper status in process remediation, when a cancelled process cannot be stopped because it's being debugged.
70
+
* Fixes an issue in {{elastic-defend}} installation logging where only the first character of install paths (usually 'C') was logged.
71
+
* Prevents {{elastic-endpoint}} from stopping system-critical processes or threads.
72
+
* Fixes an issue to improve reliability of health status reporting between {{elastic-endpoint}} and {{agent}}.
73
+
* Fixes a race condition in {{elastic-defend}} that occasionally resulted in corrupted process command lines on Windows. This could cause incorrect values for `process.command_line`, `process.args_count` and `process.args`, leading to false positives.
74
+
* Fixes an issue in {{elastic-defend}} that could result in a crash if a specified {{ls}} output configuration contained a certificate that couldn't be parsed.
75
+
76
+
30
77
## 9.1.5 [elastic-security-9.1.5-release-notes]
31
78
32
79
### Features and enhancements [elastic-security-9.1.5-features-enhancements]
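Review bot: the Fixes bullet "Addresses CVE-2025-##### in {{elastic-defend}} on Windows" still carries a placeholder CVE identifier; as written it will render literally in the published 9.2.0 notes, so either substitute the assigned CVE ID (and the advisory link the other security-fix entries in this file normally carry) or hold the bullet until the ID is issued. Two smaller points in the same hunk: the host-isolation fix uses `{{elastic-agent}}` while every other bullet in the added block uses `{{agent}}`, so check that both substitutions are defined or switch it to `{{agent}}` to avoid an unrendered variable; and the `verify` bullet ("Improves the `verify` command to ensure {{elastic-endpoint}} service is running, otherwise {{agent}} has to fix it automatically") is ambiguous about who performs the fix, so consider rewording it along the lines of "Improves the `verify` command to check that the {{elastic-endpoint}} service is running so that {{agent}} can restart it automatically" if that is the intended behaviour.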