BeyondInsight Version History 6.3.1 to 6.8

 

BeyondInsight 6.8 Release Notes

December 7, 2018

Requirements:

• BeyondInsight requires Adobe Flash Player version 22.0+.

• This release is available for download by BeyondTrust customers at https://beyondtrustsecurity.force.com/customer/login and also through BeyondTrust BT Updater.

o MD5 signature: 5fc9bad49c3eff303b89091696f9d4f9

o SHA-1 signature: 2b032052f86ab9c1ea73f87e9e8c02e0ed442cd5

o SHA-256 signature: df23e01276d38cc1457f2de3838bb1a42bb3205265a7a4a8a09247c4a444195e

New Features and Enhancements:

 

BeyondInsight

• Added permissions for the connector and scan Options.

• Added an email alert for failed credentials/keys for Azure and Amazon Web Services cloud connectors.

• Added an option to purge cloud assets.

• Added a configuration option to redirect users back to the single sign-on login page at log off or timeout.

• Added an option to append or to overwrite address groups with the content of the file being imported.

• Added an option to remove BeyondTrust social media links.

• Updated the Rackspace connector to support the latest API.

• Added a new format (comma-delimited) option for syslog event forwarding.

• Added new Password Safe events to all event forwarders.

• Added additional event field mappings for predefined CEF fields to the ArcSight connector.

• Added multiselect filter support to the Asset grid.

• Added improvements to the McAfee DXL connector.

• Replaced configuration screens for API Registration, Address Groups, Credentials, and User Audits.

• Updated the Remedy connector to support complex field mappings.

• Improved keyboard control and navigation.

• Improved session timeout tracking.

• Moved multi-tenancy organization picker to the user profile.

 

Analytics and Reporting

• Added multi-line comment support in the email body via the subscription wizard.

• Added an Asset Name filter in the PowerBroker for Windows Event Details report.

• Assets without Vulnerabilities Report.

• Added vendor name as a multi-select and added software as a partial text match parameter for Vulnerabilities in the Business Unit, Vulnerabilities Delta by Month, and Vulnerabilities Delta by Day reports.

• Added vendor name to Vulnerabilities by Security report.

• Improved performance to the daily synchronization of PowerBroker for Windows data.

 

Password Safe

• Added ISA-based session support for Direct Connect SSH.

• Added remote applications support for Direct Connect.

• Added the ability to play sound on active RDP sessions.

• Added the ability to mask passwords in RDP sessions.

• Added cryptography options for SSH proxies.

• Added a limitation to allow only one Manage Assets using Password Safe action in a smart rule.

• Added a limitation to allow only one Manage Account Settings action in a smart rule.

• Removed the Unmanaged Session Notification option.

• Added auditing for all changes made under Global Settings.

• Added a /admin option for RDP sessions.

• Changed maximum password checkout duration to 365 days.

• Added the ability to modify the Oracle database connection string.

• Added the ability to allow the F5 Xforwarded header to be used in access policy validation.

• Added the Allow API Rotation Override option to access policies to prevent password rotation while using the password cache.

• Added UPN support for Direct Connect.

• Improved error messaging for RDP sessions not able to connect.

• Disabled the ability to replay RDP sessions recorded prior to BeyondInsight version 5.5.

• Please see the API release notes.

Issues Resolved:

• Resolved a reporting issue with the Password and Session Activity report.

• Resolved an issue with launching PowerBroker Password Safe sessions.

• Resolved a display issue for RDP sessions in Password Safe.

• Resolved an issue with editing smart rules.

• Resolved an issue with delivering Analytics and Reporting reports to a share.

• Resolved an issue with opening RDP sessions with the RoyalTS client.

• Resolved a session management issue with applications requiring UAC prompts.

• Resolved a password change issue for PowerBroker for Windows clients.

• Resolved a password cache issue.

• Resolved an issue with Audit Syncit updates.

• Resolved an issue with displaying WSUS patches.

• Resolved an issue with user IDs being unable to access BeyondInsight.

• Resolved an issue with the Password Safe email agent.

• Resolved an issue with displaying incorrect scanner statuses.

• Resolved an issue with displaying duplicate job information.

• Resolved an issue with loading the BeyondInsight console.

• Resolved an issue with the Assets report counts.

• Resolved password cache issues.

• Resolved an issue with generating the Hardware report.

• Resolved an issue with disabling debug logging.

• Resolved an issue with using the Azure connector.

• Resolved a login issue when using a managed bind account.

• Resolved a filter issue on the PowerBroker for Windows Events grid.

• Resolved an issue with loading cloud assets on the Asset grid.

• Resolved an issue with the Benchmark Compliance report.

• Resolved a test password issue with PowerBroker Windows accounts.

• Resolved an issue with displaying EPP data.

• Resolved an issue with using the SecureCRT SSH for Direct Connect.

• Resolved an issue with ordering scans to run SNMP OS detection.

• Resolved an issue with missing PowerBroker Windows events.

• Resolved a spelling mistake.

• Resolved an issue with display data on the Jobs grid.

• Resolved a sync issue with managed PowerBroker Windows accounts.

• Resolved an issue with processing smart rules.

• Resolved an issue with changing passwords for managed PowerBroker Windows accounts.

• Resolved an issue with displaying vulnerabilities.

• Resolved an issue with Retina’s host scanner detection.

• Resolved an issue with the Enable PasswordSafe smart rule action.

• Resolved a performance issue with analytics and reporting.

• Resolved an issue with changing passwords for Oracle managed accounts.

• Resolved an issue with displaying passwords.

• Resolved an issue with UPN logins.

• Resolved an issue with cloning directory queries.

• Resolved an issue with displaying users under Asset Details.

• Resolved an issue with displaying assets in the 169. range.

• Resolved an issue with PSRUN.

• Resolved an issue with missing reports.

• Resolved an issue with managed account caching.

• Resolved an issue with LDAP validation.

• Resolved an issue with login authentication.

• Resolved an issue with error messaging for failed usernames and passwords.

• Resolved an error handling issue with Anti-CSRF token validation.

Issues Resolved from Previous Releases:

 

6.6.2

• Resolved an SSH connection error.

 

6.6.1

• Resolved an operational issue with BeyondInsight.

6.6.0

• Resolved an issue with terminating and closing active Password Safe RDP sessions.

• Resolved an issue with moving Password Safe RDP sessions to a separate monitor.

• Resolved an issue with Password Safe SSH Direct Connect replays.

• Resolved an issue with Password Safe RDP sessions that have RDP Security enabled.

• Resolved a multiplexing issue with Password Safe SSH sessions.

• Resolved an issue with displaying nonactive sessions as active sessions.

• Resolved an issue with creating managed systems for inactive platforms.

• Resolved an issue with scheduled password changes for Active Directory accounts.

• Resolved an issue with displaying linked accounts on the Password Safe portal.

• Resolved an issue with functional accounts for work groups.

• Resolved mapping issues for dedicated accounts.

• Resolved an issue with changing the password on a checkpoint system.

• Resolved a session monitoring masking issue.

• Resolved a formatting issue for NTLM authentication.

• Resolved an issue with a missing approve quick link.

• Resolved an issue with updates to functional accounts.

• Resolved an issue with changing passwords for Windows Scheduled Tasks.

• Resolved an issue with testing password changes on custom platforms.

• Resolved an issue with the password cache.

• Resolved several issues with the SailPoint connector.

• Resolved an issue using Entrust two-factor authentication.

• Resolved an ADFS login issue.

• Modified messaging around password failures on custom platforms.

• Resolved an issue with deleting applications.

• Resolved an issue with SAML logins.

• Resolved an issue with syncing account passwords for PowerBroker for Windows.

• Resolved an issue launching multiple application sessions using the same managed account.

• Resolved an issue with changing passwords on Windows systems.

• Resolved an issue with using RoyalTS for launching Password Safe sessions.

• Resolved a ServiceNow state validation issue.

• Resolved an issue with smart rule processing.

• Resolved an issue with configuring a preferred domain controller.

• Resolved an issue with updating scheduled jobs.

• Resolved an issue with enumerating Oracle users.

• Resolved a duplicate asset issue.

• Resolved an issue with target lists for scheduled scans.

• Resolved an issue with scheduling scans.

• Resolved a login issue using HSM.

• Resolved an issue with creating custom audit groups.

• Resolved an issue with updating the operating system of an asset.

• Resolved an issue with enumerating the operating system of an asset.

• Resolved an issue with enumerating user accounts.

• Resolved a display issue on the Member of Group tab for an asset.

• Resolved a display issue of asset IP addresses.

• Resolved a BeyondInsight database configuration issue.

• Resolved an issue with CPU usage.

• Resolved a data issue with the software report.

• Resolved an issue with removing a database instance from an asset.

• Resolved an issue with displaying WSUS patches.

• Resolved a purging issue.

• Resolved a display issue for address groups.

• Resolved a display issue in the Jobs grid.

• Resolved a login issue for multi-tenant environments.

• Resolved an issue with processing large ServiceNow imports.

• Resolved an issue with PowerBroker for Windows normalization.

6.4.8

• Enforced global authentication for AMF remoting services in order to enhance security around AMF requests.

• Ensured binary files are digitally signed.

6.4.7

• Resolved an issue with the Analytics and Reporting daily job.

• Resolved an issue with two-factor authentication using the API.

6.4.6

• Resolved a logging issue.

• Resolved a functional account, multi-tenancy issue.

• Resolved an issue with asset metadata.

• Resolved an issue with faded text in reports.

• Resolved an issue with Active Directory query availability.

• Resolved an issue with the date picker for subscriptions.

• Resolved an access issue for administrators.

• Resolved an issue with the built-in platform for Fortinet.

• Resolved a licensing issue.

• Resolved a data issue with the Vulnerability report.

• Resolved an issue with the web console app pool.

• Resolved an SSRS email notification issue.

• Resolved an issue with changing passwords from the Managed Accounts grid.

• Resolved an issue with RDP sessions freezing and disconnecting.

• Resolved an audit issue.

• Resolved a performance issue with the PowerBroker for Windows Rollup grid.

• Resolved an issue with dedicated account smart rules.

• Resolved a Radius authentication issue.

• Resolved a PowerBroker for Windows session monitoring display issue.

• Resolved an issue with displaying applications within the Password Safe portal.

• Resolved an issue with the daily synchronization.

• Resolved a Users and Groups permission issue.

6.4.4

• Prevent organizations from using reserved names (Global, Everyone).

• Resolved a connection issue for an Oracle Database instance.

• Resolved an issue with failed scans.

• Resolved an issue with managed Retina credentials.

• Resolved vulnerability last found/last updated dates displaying in local time.

• Resolved an issue with loading Active Directory users for a given group.

• Resolved an issue with displaying incorrect Domain data.

• Resolved an issue with updating the Retina Host Security Scanner queue.

• Resolved an issue with displaying assets for the VMware cloud connector.

• Resolved an issue with the BeyondInsight website getting stuck initializing.

• Resolved a login issue when FIPS is enabled in BeyondInsight.

• Resolved an issue with scheduled tasks disappearing from the Asset grid.

• Resolved an issue with smart rules reverting to a previously saved version.

• Resolved an issue with updating Active Directory group changes.

• Resolved an issue with displaying non-versioned information in the Version field.

• Resolved an out of memory issue for Class A network scans.

• Resolved a display issue for disabled user accounts.

• Resolved an issue with deleted assets incorrectly displaying under the Scan Job Information section.

• Resolved an issue with incorrect IP addresses.

• Resolved a smart rule count issue.

• Resolved a display issue with custom smart rules.

• Resolved an issue with displaying long smart rule name.

• Resolved an RTD import issue.

• Resolved an issue with audit upgrades.

• Resolved an excess CPU usage issue.

• Resolved an issue with vulnerabilities getting auto marked as resolved in BeyondInsight with the auto aging logic.

• Resolved a timeout issue for long running Analytics and Reporting reports.

• Resolved an issue with vulnerabilities not being associated with an asset.

• Resolved an issue with applying WSUS-approved patches.

• Resolved an issue with deleting PowerBroker for Windows user policies.

• Resolved an issue with moving policies between policy groups under the Protection Policies section.

• Resolved an issue with PowerBroker SOLR searches.

• Resolved an issue with unknown PowerBroker for Windows events displaying in custom reports.

• Resolved a display issue for the PowerBroker for Windows/PowerBroker for Mac Rollup and All grids.

• Resolved a sorting issue with the PowerBroker for Windows grid.

• Resolved an issue with inserting event data in bulk.

• Resolved an issue with the PowerBroker for Password Safe import scan template displaying multiple values for changed attributes.

• Resolved an issue where PBSMD consumes excess CPU.

• Resolved an issue with trying to delete Cloud assets.

• Resolved an issue with using ALT characters in a password.

• Resolved an issue with the Password and Session Activity report incorrectly reporting RDP requests.

• Resolved a default port issue for the smart rule action Manage Assets using Password Safe.

• Resolved an issue with removing deleted assets from the Favorite tab of the PowerBroker Password Safe portal.

• Resolved an issue with password change options for scheduled tasks.

• Resolved an issue that could potentially lead to passwords getting out of sync with managed systems.

• Resolved an issue where Direct Connect SSH failed for users due to a timeout in authentication.

• Resolved an issue with password changes on Active Directory functional accounts under the Auto Management section.

• Resolved a CA Service Desk connector issue.

• Resolved an issue with RDP outputs displaying a dark screen.

• Resolved an issue with changing passwords for Oracle accounts.

• Resolved an issue with inactive smart rules.

• Resolved a keyboard language issue with RDP Direct Connect.

• Resolved an issue with launching an application session.

• Resolved an issue with application sessions connecting using DNS.

• Resolved a permission issue with a member belonging to multiple groups.

• Resolved a mouse lag issue with enhanced session monitoring.

• Resolved an issue with removing a policy user.

• Resolved an input issue on the Admin Session tab of the PowerBroker Password Safe portal.

• Resolved an issue with managing MySQL accounts.

• Resolved a Telnet logon issue.

• Resolved a display issue for remote applications.

• Resolved a smart rules processing issue.

• Resolved a concurrency error for password changes.

• Resolved an issue preventing custom platforms from working properly when connecting to systems on non-standard SSH ports.

• Resolved an issue with changing passwords for Active Directory managed accounts that do not have an SID.

• Resolved a date format issue for connection profile alert emails.

• Resolved an issue with sending email release notifications.

• Resolved an issue with launching RDP sessions via PowerBroker for Password Safe when PowerBroker for Password Safe has FIPS enabled.

• Resolved an issue with changing passwords on Linux machines.

• Resolved an issue with deleted managed accounts.

• Resolved an issue with scheduled password changes when using PowerBroker for Windows agents.

• Resolved an issue with password checkouts using PowerBroker for Windows agents.

6.3.1

• Resolved a performance issue with the Vulnerabilities grid.

• Resolved a duplication issue with Active Directory users.

• Resolved a deadlock issue when processing scan data.

• Resolved an audit group setting issue.

• Resolved a sorting issue with assigned policies.

• Resolved a duplicate asset issue generated from PBEPP 8.1 data.

• Resolved an issue with purging stale email records.

• Resolved an issue with scheduled tasks.

• Resolved an issue with TempDB usage.

• Resolved a purging issue.

• Resolved an issue with loading domain-linked accounts for Password Safe.

• Resolved an issue with the domain-joined single sign-on login page.

• Resolved a custom platforms issue for functional accounts with elevated privileges.

• Resolved a mapping issue with dedicated accounts.

• Resolved an issue with the auto-management failing on Active Directory functional accounts.

Known Issues:

• For Analytics and Reporting, entitlement by group is not showing the correct account counts.

• The Audit Group screen allows you to edit a smart rule-driven audit group, but the Update action and other buttons are intentionally disabled. However, if changes are made and another audit group is clicked, the system offers to save the changes, and saving the changes overwrites the audits picked by the smart rule.

• If running against stored data and an earlier report is selected, reports run against live data with changes to exclusions will not display. The history of the exclusions is not being stored and will always show the latest regardless of what is reported on for existing data report selections.

• Data cannot be processed in the Third Party Feed handler log for Japanese.

• When exported data exceeds the default character form field length in Remedy, the associated vulnerability or asset is not inserted into the Remedy AR System. The workaround is to increase the form field length in Remedy.

• When using the certificate installation MSI and uninstalling, the certificate is not removed. This is by design and only uninstalls the certificate deployer.

• When launching a Retina scan in BeyondInsight where host names are specified as targets, target host names that are not resolved by the scanner may report a job status of "Job Did Not Start" even if some of the targets were successfully scanned.

• Cloning a smart rule with a Patch action will succeed, but it also silently drops the patch action.

• Adding a second organization and removing it will leave an All Assets smart rule for Default Organization. Users can manually remove the rule.

• Users who have access to smart rules marked as inactive or do not have access to smart group actions for a specific organization are still shown the choice of that organization on the Smart Group browser. If the organization is selected, the browser appears empty, and the last accessible smart rule asset remains on the Asset grid.

• When editing the last remaining smart rule for an organization and marking that smart rule as inactive, the Assets page will continue to display assets for that organization.

• Due to a dependency in the local publishing portion of the WSUS API, it is required that all WSUS resources (servers and consoles) be at the same service pack level. If not, the following error may appear in the ThirdPartyPatchSvc.txt log file: System.InvalidOperationException: Publishing operation failed because the console and remote server versions do not match.

• If a scheduled job includes a report and the associated smart rule is changed to use a set scanner action with two or more scanners, each scanner will produce a report for the portion of the scan it handled.

• If you have a scan job configured for a smart rule that is set to Rule Level distribution and only one scanner is configured, you can set the scan job to have a report association. If you later add additional scanners to the smart rule, the job will work. However, separate reports will appear for each scanner and may contain incomplete data.

• When connecting to a WSUS server that already has third-party patches, the Community Edition will display these patches in addition to the free, supported patches.

• When choosing the option to modify the products and classifications for third-party patches, changes are made to all WSUS servers, not just the selected WSUS server.

• If attempting to scan cloud assets with a scanner that does not support cloud scanning, cloud assets will be ignored.

• Scheduled, recurring Benchmark Compliance reports show historical data.

• If a user duplicates a report template and others have scheduled scans and reports for that report, the duplicated report template cannot be deleted.

• If WSUS and BeyondInsight are not installed on the C: drive, the Approved, Installed, and Required Patches reports fail to generate.

• When retrieving data from the WSUS server and the Patch View option is selected, smart groups containing several assets or patches may take a long time to render or may encounter a timeout error. In this situation, it may be better to use the Asset view and drill into the patches on the Asset level.

• When viewing reports in Internet Explorer with script debugging enabled, you may occasionally see the JavaScript error message 'this._docMapSplitter' is null or not an object. Despite the error message displaying, the report will work as expected.

• When using an IAVA license and running existing data with the Non-Vulnerable Audit Status selected, the report may fail and display an out of memory error.

• When a Ticket Report returns several tickets and the option to include assets and notes has been selected, an out of memory error may be received.

• When several report parameters are selected and several selections/re-selections are performed, parameters listed in grids may disappear. To restore missing parameters, click on the Clear Filter icon for that grid, or cancel the screen and re-enter.

• Email alerts for smart rules returning large asset counts may generate emails exceeding what the email server can actually send. If this occurs, the user is not made aware that the email did not send.

• Changes made to Scan Restrictions in the Scan Agent interface are not reflected in the BeyondInsight interface.

• If a protection agent is installed on the same asset as a scanning agent, the scan agent will be listed as the only scanner in the run on existing data report parameters. However, scans from both will still be selectable.

• If the scanning agent fails to complete a benchmark scan for an asset, no xccdf-output.xml is created, and no asset information is displayed in the report.

• For benchmark scans, large result files may not be transferred successfully from the scanner to BeyondInsight. However, the result files are still available on the scanner agent’s file system.

• When using Quick Scan Credentials for reports with job metrics, the Credential Description displays as a GUID.

• If a report returns more assets than the 256 allowed, the report may stay in the processing state.

• BeyondInsight may install on SQL servers not set to Latin Case Insensitive. However, this is not supported for BeyondInsight and may not work appropriately.

• NT Authority\System Accounts do not exist in SQL Server 2012. As a result, an invalid license message will appear when attempting to authenticate with an NT Authority\System.

• Scheduled Benchmark Compliance Reports display no data after upgrades. To display data, the report must be rescheduled.

• When WSUS is installed, suscomp.dll is defined globally and loaded in every application pool. The BeyondInsight application pool is only 32-bit and will result in the following error when the 64-bit suscomp.dll attempts to load. Windows Server 2012 is a 64-bit only operating system. Solutions are provided below.

o Option 1

1. Take IIS backup.

2. Open IIS Manager.

3. Click on server module node at the top of the left-hand tree. Choose Modules.

4. Right-click on DynamicCompressionModule, then choose Unlock.

5. Right-click on StaticCompressionModule, then choose Unlock.

6. Open Default Web Site > Open Modules.

7. Right-click on DynamicCompressionModule, then choose Remove.

8. Right-click on StaticCompressionModule, then choose Remove.

9. From an elevated or administrative command prompt, enter IISRESET.

o Option 2: Install BeyondInsight and WSUS on separate 2012 servers.

• Updated permission changes to a logged in account will not be applied until the user is logged off.

• Trying to create a smart rule with the same name as one that already exists as a different type (Asset/Vulnerability/Account) will give the following error: This Smart Rule was not saved because an error occurred: Sequence contains no matching element.

• When clicking the Apply Patch Now button, a user may receive a generic error message in the BeyondInsight interface. The workaround is to use the Approve button, or right-click the menu option for patch selection.

• Unless new attributes are added to filters via the smart rule editor, newly-added attribute types are not available in existing smart rule attribute filters.

• If the description of the PowerBroker policy is more than 1024 characters in length, Analytics and Reporting Process Daily Job will fail.

 

Password Safe

• HP iLO and iDRAC accounts cannot be discovered. The accounts must be manually added.

• Deprecated change password options still appear in smart rules containing the Managed Password Safe Accounts action. The change password options are Retrieve password, Allow SSH Connection, Allow RDP Connection, and Record session. These options have been migrated to password safe roles. However, they may still appear as an upgraded smart rule. Removing the Manage Password Safe Account action and re-adding it will rectify the display issue.

• When accounts are discovered and brought under automatic management via Password Safe smart rule actions and the use current password to change password option is enabled, the password will never change due to the absence of the initial password. It is recommended this option only be enabled in smart rules that are not using discovery options.

• When the Link domain accounts to managed systems smart rule action is enabled in a smart rule and contains the Active Directory query filter with the Discover Accounts option also enabled, the smart rule may remain in a processing state. It is recommended the Link domain accounts to managed systems action only be enabled in smart rules not utilizing the Discover Accounts option.

• SAP assets cannot be managed by smart rules. The asset can only be managed manually.

• During the installation or upgrade of some environments, the Sybase.Charset archive may fail to decompress. If using the Sybase platform for Password Safe management, the archive can be manually decompressed.

• Scanning with DSS Keys in Retina Network Security Scanner version 5.23 and 5.23.1 will fail as a result of a public key authentication issue in Retina Network Security Scanner.

• If a functional account is tied to a remote client asset in PowerBroker for Windows, the functional account password will not change.

• In SSHDirectConnect, you are not able to create sessions 1 minute and 59 seconds before the access schedule expires. The access policy must extend to the current time plus the default request duration.

• In SSHDirectConnect, the user can log in from another location even when the access policy is set to restrict the user’s location.

• The use of non-incremental keys in DSA or RSA causes auto-managed key changes to fail.

• Ctrl+Action (Ctrl+C) is captured as ^C and is attached to the beginning of the next keystroke.

• Cloud systems cannot be deleted when the managed account is linked to a remote application. The workaround is to remove the link between the managed account and the remote application via the Managed Account Settings screen, then delete the cloud system.

• On occasion, proxy sessions will not fully release the request, and sessions remain active and viewable within active sessions. As a workaround, locate all pbsmd.exe *32 processes in the BeyondInsight server, and select End Process for each process. This removes the inactive sessions and removes the sessions from the Active Sessions grid.

• Deleted systems previously marked as favorites will display as a favorite until the system is removed from the Favorites section.

• The new smart rule action called Account Name Format drop-down is not available for existing smart rules. If the action is required, delete and re-add the smart rule action.

• Users attempting an RDP DirectConnect to Windows 7 servers are not able to connect.

Notes:

• None

 

 

Date of Release: 20 July 2018

Product Name: BeyondInsight

Updated Version: 6.6.2

Superseded Versions: 1.0.0-6.6.1

Table of Contents

1. Installation Prerequisite

2. What's New in This Release

3. Known Issues

4. General Notes

5. Release Availability

6. Current and Historical Issues Resolved

1. Installation/Upgrade Prerequisites

=======================================================================

If BeyondInsight is installed on the BeyondTrust Security Management Virtual Appliances UVMv20 that were shipped between June 2014 and October 2016 (versions 1.2 - 1.5.9) that have NOT been updated to 2.2.4 or higher, the following steps are required prior to installing BeyondInsight version 6.4.8 if upgrading from a version prior to 6.3.1:

1. RDP to UVMv20 (versions 1.2 - 1.5.9)

2. Start | Run | c:\oracle\uninstall.bat all myhome

3. Upgrade to 6.4.4

4. Reboot

Should you require the RDP code to access the UVMv20 (versions 1.2 - 1.5.9) and/or additional assistance, please contact BeyondTrust Customer Support.

2. What's New in 6.6.2

=======================================================================

GENERAL:

- Added a new configuration landing page with search capability

- Added PowerBroker Management Suite Web Console link for installations on UVMs

- Added the ability to select an organization in the user profile section for multiple-organization environments

- Added Asset Grid Improvements

- Added Vulnerability Tab Improvements

- Added Support Package creation improvements

- Added Asset Purge Improvements

- Added the ability to clone directory queries

- Added the ability to sort directory queries

- Additional details added to audit change alerts

- Added a Policy User Smart Rule filter for User Accounts

- Added PBW/PBMac policy assignment using new User Account based Policy Users

- Added a catch-all Smart Group for assets not belonging to any other Smart Groups

- Added the ability to customize information contained within the completed scans alert

- Added the ability for multiple organizations to use one scanner

- Added ability to export groups to SailPoint

- Added UI improvements to the User Groups

- Added UI improvements to the credentials screen

- Added Docker Container Image support

- Added a warning when the target list has changed due to changes made to a Smart Group for scheduled scans

- Changed REMEMConfig tool to allow special characters for passwords

- Changed the PCI report to meet the latest PCI requirements

- Added warning when user attempts to delete HSM credentials

- Added the ability to perform Scanner/Credential mapping for network scanners

- Added the ability to disable AD/LDAP/Local BI user login by user

- Restricted the scan job name text field to 58 characters

- Added the ability to create smart rule filter based on CVE information

- Added the ability to stop all scan jobs from the Jobs grid.

- Added the ability to scan multiple Oracle databases using a single Oracle credential

- PBUL/PBSUDO SOLR search improvements

- 3rd Party Asset import improvements

- Added auditing for login/logout events and changes to security settings for local users

- Added auditing for adding new AD users

- Added Radius login improvements

- Added support for Radius auto-failover

- Replaced Asset Kind with Asset Type in Smart Rule Asset Attribute.

- Deprecated the Smart Rule option "Make primary Policy"

ANALYTICS and REPORTING:

- Added the ability to save scheduled reports to a network share

- Added Entitlement by User report

- Added CVSSv3 score and CVSSv3 score range to Vulnerability and PCI Compliance reports

- Added the Database User Report

- Added Last Login Date column to Asset User Account List

- Added new columns and filters to the Extended Vulnerability Export report

- Added data and performance improvements to PowerBroker Password Safe reports

- Added PBW Heartbeat report

- Added Asset User Account Delta by Week report

- Added Asset User Account Delta by Day report

- Added PBW/PBMac Lateral Movement report

- Added Docker Host Summary report

- Added Docker Image Details report

- Added Docker image vulnerability report

- Added PowerBroker Password Safe user cluster data

 

PowerBroker Password Safe:

- Added localization to the Password Safe portal for: German, French (Canada), French (France)

- Added the ability to replay sessions from any node in an Active-Active cluster

- Added the ability to view and/or copy the password to the clipboard from the password retrieval page

- Added the ability to use the SYSDBA privilege for an Oracle Functional Account

- Added keystroke recording performance improvements

- Added "LANG=en_US;" to custom platforms

- Added "Set Attributes on each account" Smart Rule Action for Managed Accounts

- Added ‘Attribute Assigned’ Smart Rule filter for Managed Accounts

- Changed Session Monitoring Window Position to no longer default to center of the screen

- Added Active Directory Functional Account Test improvements using UPN account names

- Post Release password changes processing improvements

- Added auditing for changes to Managed Systems, Managed Accounts, Password Complexity rules

- Added support for Managed Account password test via the PBW Agent

- Added PBUL/PBRUN jump host support

- Added login security improvements

- API enhancements to support Dynamic Access Policy

- For API enhancements please see the API release notes

 

3. Known Issues

=======================================================================

- If a user is using Firefox 55 or newer, they may encounter a black screen upon their first visit to one of the Flex pages within the BeyondInsight web application. It may not be apparent that there is any user action possible from this black screen.

Resolution - When encountering this black screen, the user must click on the black area to show the "Activate Adobe Flash" link, and click it to allow the content to show. This activation step only needs to be done the first time a user visits a Flex area within the BeyondInsight web application.

- If Event Server 4.1.0.0 is missing from Programs and Features after a completed BeyondInsight 6.4.4 upgrade / install and reboot, re-launch the "BeyondInsight_6.4.4.222.exe" installer, which will re-install Event Server as one of its first actions. After this, when the BeyondInsight Setup window appears with the options for "Repair" or "Remove", close the window instead (using the 'X' in the top right-hand corner) and confirm that you want to close / cancel.

- PowerBroker for Windows - File Integrity Monitor events triggered by specific users always shown as system user or empty

- The audit group screen allows editing a smart rule driven audit group, but the "Update" and other buttons are disabled. This is as intended; however, if changes are made and the user then clicks on another audit group, it will offer to save the changes. Saving them will work and will overwrite the audits picked by the smart rule.

- Changes to exclusions seen in reports run against live data will not show when running against stored data and selecting an earlier/specific report. The history of the exclusions is not being stored, so reports on existing data will always show the latest exclusions regardless of the past report selected.

- Japanese - Unable to process data in ThirdParty Feed handler log

- The associated vulnerability or asset will not get inserted into the Remedy AR System when the exported data exceeds the default character form field length in Remedy.

Workaround: Increase the form field length in Remedy.

- PBW Privileged Rule Impact Dashboard low level drill through is missing Argument data. When multiple PBW events take place in the same second, only the arguments from the first event found in the database will show in the lowest level drill-through.

- Using the certificate installation MSI and then running the uninstall in "Add/Remove Programs" does not uninstall the certificate. This is by design; the uninstall only removes the certificate deployer.

- Scheduled scans in Chrome can be off by an hour. Disabling Chrome's PPAPI version of the Flash plugin will work around the issue (see chrome://plugins). The issue is not observed in Internet Explorer 9 or Firefox 15.

- When launching a Retina scan in BeyondInsight and host names are specified as targets, if any target host name cannot be resolved by the scanner the job status may be reported as "Job Did Not Start" when, in fact, some of the targets were successfully scanned.

- Cloning a SmartRule with a Patch action in it will succeed but silently drop the Patch Action.

- Adding a second organization and then removing it will leave an "All Assets" SmartRule for "Default Organization". User can remove it manually.

- Organization information is not available on the Report screen.

- Users for which all the smart rules they have access to are either inactive or don't have the Smart Group action for a particular organization will be shown the choice of that organization on the Smart Group browser on the left, but if selected the browser will appear empty and the last accessible smart rule's asset will remain showing on the Asset grid.

- When editing the last remaining Smart Rule for an organization, and marking that Smart Rule as inactive, the Assets page will continue to display assets for that organization.

- Due to a dependency in the Local Publishing portion of the WSUS API, it is necessary for all WSUS resources (servers and consoles) to be at the same Service Pack level for WSUS. If not, the following error may appear in the ThirdPartyPatchSvc.txt log file: System.InvalidOperationException: Publishing operation failed because the console and remote server versions do not match.

- If a scheduled job includes a report and the associated smart rule is changed to use a set scanner action with two or more scanners, each scanner will produce a report for the portion of the scan it handled.

- If you have a scan job set up for a smart rule that is set to "Rule Level" distribution but only contains 1 scanner, you can set up the scan job with a report associated. If you later add additional scanners to the smart rule, the job will work but separate reports will appear for each scanner and may contain incomplete data.

- When connecting to a WSUS server that already has third party patches the Community edition will display these patches in addition to the free ones supported by the Community Edition.

- Choosing the option to modify the Products and Classifications for third party patches, the changes are made to all WSUS servers and not just the selected WSUS Server.

- Attempting to scan cloud assets with scanners that do not support cloud scanning will result in those cloud assets being ignored by the scanner.

- Recurring scheduled Benchmark Compliance reports will show historical data.

- A user who has duplicated a report template for which other users have scheduled scan/reports cannot be deleted.

- Patch Management: If WSUS and BeyondInsight are not installed on the C: drive, the Approved, Installed and Required Patches reports fail to generate.

- Patch Management: Smart groups that contain a large number of assets or patches may take a long time to render or may encounter a timeout error when retrieving data from the WSUS server when the patch view option is selected. In this situation it may serve better to use the asset view and drill into the patches on the asset level as needed.

- When viewing reports in Internet Explorer with script debugging enabled, you may occasionally see the JavaScript error message "'this._docMapSplitter' is null or not an object", but the report will continue to work normally.

- When using an IAVA license and running on existing data with the Non-Vulnerable audit status selected, for large groups of assets the report may fail with an "out of memory" error.

- When running a Ticket Report that returns a large number of Tickets and the option to include Assets and Notes has been selected, an "out of memory" error may result.

- When selecting report parameters and performing several selections and re-selections, parameters listed in grids may disappear. To restore missing parameters, click on the "Clear Filter" icon for that grid, or cancel the screen and re-enter.

- Smart Rules: Emailing alerts on smart rules that return extremely large asset counts (exact count will vary) may generate an email that exceeds what the email server will send. If this occurs, the user is not given any notice that the email wasn't sent.

- Assets Tab: The Assets and Agents grids are not able to filter on Protection Policy Name.

- Scan Restrictions: Changes made to Scan Restrictions in the scan agent UI are not reflected in the BeyondInsight UI.

- Scan: If a Protection Agent is installed on the same asset as a scanning agent, only the scan agent will be listed as a scanner in the run on existing data report parameters. However, scans from both will still be selectable.

- Benchmark Scan: If the scanning agent fails to complete a Benchmark scan for an asset, no xccdf-output.xml will be created, and no asset information will be displayed in the report.

- Benchmark Scans: Very large result files may not successfully be transferred from the scanner to BeyondInsight. The result files will still be available on the scanner agent file system. This will be fixed in a later release.

- When using Quick Scan Credentials for reports that have Job Metrics, the Credential Description will display as a GUID.

- Community: if a report returns more assets than the 256 allowed, the report may stay in the processing state.

- BeyondInsight may install on SQL Servers configured with a server that is not set to Latin Case Insensitive, but BeyondInsight does not support operating in that configuration and may not work correctly.

- The NT Authority\System account does not exist with SQL Server 2012, as a result an invalid license message will appear when attempting to authenticate with an NT Authority\System

- Scheduled Benchmark Compliance Display No Data After an Upgrade and Needs Rescheduling

- Windows Server 2012 is a 64bit only Operating System. When WSUS is installed, suscomp.dll is defined globally and loaded in every application pool. The BeyondInsight application pool is 32bit and will result in the above error when the 64bit suscomp.dll attempts to load.

Solution:

 

Option 1

-> Take IIS backup.

-> Open IIS Manager

-> Click on server module node at the top of the left hand tree and choose "Modules".

-> Right click on DynamicCompressionModule and choose "Unlock"

-> Right click on StaticCompressionModule and choose "Unlock".

-> Open Default Web Site -> Open Modules.

-> Right click on DynamicCompressionModule and choose "Remove".

-> Right click on StaticCompressionModule and choose "Remove".

-> Do IISRESET from an elevated/administrative command prompt.

 

Option 2

Install BeyondInsight and WSUS on separate 2012 servers

 

- Viewing a Report in IE 11 - Can't scroll to see all of report

- A Re-Start of SSAS is required if the SQL 2012 Servers do not have the .NET framework 4.5 installed prior to installing 5.X and the database has an instance name

- Error seen accessing web site on 2012R2 and 2012 server due to Asp.Net v4.0 restriction, which cannot be fixed by running the register command. To install ASP.NET 4.5 on Windows Server 2012, use one of the following options:

Run the following command from an administrative command prompt: dism /online /enable-feature /featurename:IIS-ASPNET45

For Windows Server 2012 computers, enable "IIS-ASPNET45" using Server Manager, under "Web Server (IIS) -> Web Server -> Application Development -> ASP.NET 4.5".

- Scanner selection doesn't work in multi-tenant mark old scanners as inactive

- Updated permission changes to a logged in account will not be applied until the user is logged off

- Trying to create a smart rule with the same name as one that already exists as a different type (Asset/Vulnerability/Account) will give the following error

"This Smart Rule was not saved because an error occurred: Sequence contains no matching element"

- Patch Management - A user may receive a generic Error message in the BeyondInsight UI when using the Apply Patch Now button. The workaround is to use the Approve button or right-click menu option when selecting patches.

- Password Safe - HP iLO and iDRAC accounts are not currently discoverable; these accounts have to be manually added.

- Password Safe - Deprecated Change password options will still appear in Smart Rules containing the Managed Password Safe Accounts action.

The change password options in question are: Retrieve password, Allow SSH Connection, Allow RDP Connection, Record session.

These options have been migrated to Password Safe roles. However, they may still appear in an upgraded smart rule.

Removing the Manage Password Safe Account action and re-adding it will rectify the display issue.

- Password Safe - In situations where accounts are discovered and brought under automatic management via Password Safe Smart Rule actions with the "use current password to change password" option enabled, the password will never change due to the absence of the initial password. It is recommended that this option only be enabled in smart rules that are not using discovery options.

- Password Safe - In situations where the "Link domain accounts to managed systems" smart rule action is enabled in a Smart Rule containing the Active Directory query filter with the discover accounts option enabled, the Smart Rule may get stuck in a processing state. It is recommended that the "Link domain accounts to managed systems" action only be enabled in Smart Rules that are not utilizing the discover accounts option.

- Password Safe - The SAP asset cannot be managed via the smart rule. The asset can only be managed manually

 

- Password Safe - The Sybase.Charset archive may fail to decompress during install or upgrade on some environments. If using the Sybase Platform for Password Safe management, the archive can be manually decompressed if needed.

- Scanning with DSS Keys using Retina Network Security Scanner version 5.23 and 5.23.1 will fail as a result of a public key authentication issue in Retina Network Security Scanner.

- Password Safe - if Functional Account is tied to a remote client asset (PBW), Functional Account password will not change

- Password Safe - SSHDirectConnect - unable to create sessions 1 minute 59 seconds before the Access Schedule expires, the Access Policy must extend to the current time plus the default request duration

- Password Safe - SSHDirectConnect - when Access Policy is set to Restrict Location the User is able to login from another location

- Password Safe - Using non-incremental keys in DSA or RSA causes auto managed key change to fail

- Password Safe - Keystrokes - Ctrl+Action (Ctrl+C) is being captured as ^C and attached to the beginning of the next keystroke

- Password Safe - Cannot delete cloud systems when the managed account is linked to a remote application. Workaround is to remove the link between the managed account and the remote application via the Managed Account Settings screen and then delete the cloud system.

- Password Safe - On occasion, proxy sessions will not fully release the request, and the sessions remain active and viewable within Active Sessions. Workaround: On the BI server, locate all pbsmd.exe *32 processes and select End Process for each. This will end the inactive sessions and remove them from the Active Sessions grid.

- Password Safe - a deleted system, if previously marked as a Favorite, will still display under Favorites until the system is removed from Favorites

- Password Safe - Cloud Applications sessions are not displaying within Active/Replay for an Administrator

- Password Safe - The new smart rule action called Account Name Format drop-down is not available for existing smart rules, if the action is required, then delete and re-add the Smart Rule Action

- Password Safe - Users attempting an RDP DirectConnect cannot connect to Windows 7 servers

- Smart Rules - Newly added attribute types are not available in existing Smart Rule Attribute filters unless the new attribute is added to the filter via the Smart Rule editor


4. General Notes

=======================================================================

- BeyondInsight requires Adobe Flash Player 22.0 or higher

 

5. Release Availability

========================================================================

- This release is available for download by BeyondTrust customers (https://beyondtrustsecurity.force.com/customer/login) and through the BeyondTrust Auto-Updater.

The MD5 signature is: 2cbafcbfc27a924149cd6601d2c8ddac

The SHA-1 signature is: ef745cb60b23dee6b3ec9377f477d9ccf79d2241

The SHA-256 signature is: 23d3d609bdfce1d306d98ed7b178385b62fdb15e92975068032bc41fc74d1553
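
The following PowerShell script is an added example, not part of the BeyondTrust release notes: it checks a downloaded installer against the three digests published above and then reports the file's Authenticode status. The installer path is a placeholder supplied by the operator, and the signature check assumes this build is signed, as the 6.4.8 entry under Issues Resolved says binaries are.

```powershell
# Added example (not BeyondTrust code): verify a downloaded installer against
# the digests published in the Release Availability section.
# $InstallerPath is a placeholder; pass the path of the file you downloaded.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath
)

# Digests copied verbatim from the release notes above.
$Published = [ordered]@{
    MD5    = '2cbafcbfc27a924149cd6601d2c8ddac'
    SHA1   = 'ef745cb60b23dee6b3ec9377f477d9ccf79d2241'
    SHA256 = '23d3d609bdfce1d306d98ed7b178385b62fdb15e92975068032bc41fc74d1553'
}

if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
    throw "Installer not found: $InstallerPath"
}

# Compute each digest and compare it with the published value.
$results = foreach ($alg in $Published.Keys) {
    $actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm $alg).Hash
    [pscustomobject]@{
        Algorithm = $alg
        Expected  = $Published[$alg].ToUpperInvariant()
        Actual    = $actual
        # -eq on strings is case-insensitive, so hex case does not matter.
        Match     = ($actual -eq $Published[$alg])
    }
}
$results | Format-Table -AutoSize | Out-String | Write-Host

# MD5 and SHA-1 are not collision resistant, so SHA-256 decides the outcome.
# A mismatch on the weaker digests alone is still reported as a warning.
$sha256 = $results | Where-Object Algorithm -eq 'SHA256'
if (-not $sha256.Match) {
    throw "SHA-256 mismatch for $InstallerPath. Do not install this file."
}
$results | Where-Object { -not $_.Match } | ForEach-Object {
    Write-Warning "$($_.Algorithm) does not match the published value."
}

# Report the Authenticode signature. Compare the signer subject against what
# you expect from the vendor before trusting a 'Valid' status.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Authenticode status is '$($sig.Status)': $($sig.StatusMessage)"
} else {
    Write-Host "Authenticode signature valid. Signer: $($sig.SignerCertificate.Subject)"
}
```

Save it under a name of your choice and run it with -InstallerPath before launching the installer; Get-FileHash requires PowerShell 4.0 or later.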

6. Issues Resolved

========================================================================

6.6.2

- Fixed a SSH connection error

6.6.1

- Fixed an operational issue with BeyondInsight

6.6.0

- Fixed an issue terminating and closing active PBPS RDP sessions

- Fixed an issue with moving PBPS RDP sessions to a separate monitor

- Fixed an issue with PBPS SSH Direct Connect replays

- Fixed an issue with PBPS RDP Sessions with RDP Security enabled

- Fixed a multiplexing issue with PBPS SSH Sessions

- Fixed an issue with displaying non-active sessions as Active sessions

- Fixed an issue with creating managed systems for inactive platforms

- Fixed an issue with scheduled password changes for AD accounts

- Fixed an issue displaying linked accounts on PBPS portal

- Fixed an issue with Functional Accounts for workgroups

- Fixed mapping issues for Dedicated Accounts

- Fixed an issue changing the password on a Checkpoint system

- Fixed a session monitoring masking issue

- Fixed a format issue for NTLM authentication

- Fixed an issue with a missing Approve quick link

- Fixed an issue with updates to Functional Accounts

- Fixed an issue with changing passwords for Windows Scheduled Tasks

- Fixed an issue with testing password changes on custom platforms

- Fixed an issue with the Password Cache

- Fixed several issues with the SailPoint connector

- Fixed an issue using Entrust 2-factor authentication

- Fixed an ADFS login issue

- Fixed messaging around password failures on custom platforms

- Fixed an issue deleting an application

- Fixed an issue with SAML logins

- Fixed an issue with Syncing account passwords for PBW

- Fixed an issue launching multiple application sessions using the same managed account

- Fixed an issue with changing passwords on Windows Systems

- Fixed an issue with using RoyalITS for launching PBPS sessions

- Fixed a ServiceNow State validation issue

- Fixed an issue with Smart Rule processing

- Fixed an issue with configuring the preferred Domain Controller

- Fixed an issue with updating scheduled jobs

- Fixed an issue with enumerating Oracle users

- Fixed a duplicate asset issue

- Fixed an issue with target lists for scheduled scans

- Fixed an issue with scheduling scans

- Fixed a login issue using HSM

- Fixed an issue creating custom audit groups

- Fixed an issue updating the operating system of an asset

- Fixed an issue enumerating the operating system of an asset

- Fixed an issue enumerating user accounts

- Fixed a display issue on the Member of Group tab for an asset

- Fixed a display issue of an Asset's IP address

- Fixed a BeyondInsight database Configuration issue

- Fixed an issue with CPU usage.

- Fixed a data issue with the software report

- Fixed an issue with removing a database instance from an asset

- Fixed an issue displaying WSUS patches

- Fixed a purging issue

- Fixed a display issue for Address Groups

- Fixed a display issue in the Jobs grid

- Fixed a login issue for multi-tenant environments

- Fixed an issue with processing large ServiceNow imports

- Fixed an issue with PBW normalization

 

6.4.8

- Enforce global authentication for AMF remoting service to enhance security around AMF requests

- Ensured binary files are digitally signed

6.4.7

- Fixed an issue with the Analytics and Reporting daily job

- Fixed an issue with 2 factor authentication using the API

6.4.6

- Fixed a logging issue

- Fixed a functional account multi-tenancy issue

- Fixed an issue with Asset Metadata

- Fixed an issue with faded text in reports

- Fixed an issue with AD query availability

- Fixed an issue with the Date Picker for Subscriptions

- Fixed an access issue for administrators

- Fixed an issue with the built-in platform for Fortinet

- Fixed a licensing issue

- Fixed a data issue with the Vulnerability report

- Fixed an issue with the Web Console App Pool

- Fixed an SSRS email notification issue

- Fixed an issue on changing passwords from the Managed Accounts grid

- Fixed an issue with RDP sessions freezing and disconnecting

- Fixed an audit issue

- Fixed a performance issue with the PBW Rollup grid

- Fixed an issue with Dedicated Account Smart Rules

- Fixed a Radius authentication issue

- Fixed a PBW Session Monitoring display issue

- Fixed an issue displaying applications within the PBPS portal

- Fixed an issue with the daily sync

- Fixed a Users & Groups permission issue

6.4.4

- Prevent organizations from using reserved names (Global, Everyone)

- Fixed a connection issue for an Oracle Database instance

- Fixed an issue with failed scans

- Fixed an issue with managed Retina credentials

- Fixed Vulnerability last found / last updated date to display in local time

- Fixed an issue loading AD users for a given group

- Fixed an issue with displaying incorrect Domain data

- Fixed an issue with updating the Retina Host Security Scanner queue

- Fixed an issue displaying assets for VMWare cloud connector

- Fixed an issue with the BeyondInsight website getting stuck in initializing

- Fixed a login issue when BeyondInsight is FIPS enabled

- Fixed an issue with scheduled tasks disappearing from the asset grid

- Fixed an issue with Smart Rules reverting to a previously saved version

- Fixed an issue with updating AD Group changes

- Fixed an issue with displaying non-version information in the version field

- Fixed an out of memory issue for Class A Network Scans

- Fixed a display issue for disabled user accounts

- Fixed an issue with deleted assets incorrectly displaying under Scan Job Information

- Fixed an issue with incorrect IP addresses

- Fixed a Smart Rule counts issue

- Fixed a display issue with custom smart rules

- Fixed an issue displaying long Smart Rule name

- Fixed an RTD import issue

- Fixed an issue with Audit upgrades

- Fixed an excess CPU issue

- Fixed an issue with the way vulnerabilities get auto marked as fixed in BeyondInsight with the auto aging logic

- Fixed a timeout issue for long running Analytics and Reporting reports

- Fixed an issue with a vulnerability not being associated with an asset

- Fixed an issue with applying WSUS approved patches

- Fixed an issue with deleting PowerBroker for Windows user policies

- Fixed an issue with moving Policies between Policy groups under Protection Policies

- Fixed an issue with SOLR searches

- Fixed an issue with "Unknown" PowerBroker for Windows events displaying in custom reports

- Fixed a display issue for the PowerBroker for Windows/PowerBroker for Mac Rollup and All grids

- Fixed a sorting issue with the PowerBroker for Windows grid

- Fixed an issue with inserting Event data in bulk

- Fixed an issue with the PowerBroker for Password Safe import scan template displaying multiple values for changed attributes

- Fixed an issue where PBSMD consumes excess CPU

- Fixed an issue with trying to delete Cloud assets

- Fixed an issue using ALT characters in a password

- Fixed an issue with Password and Session Activity Report misreporting RDP requests

- Fixed a default port issue for the Smart Rule Action "Manage Assets using Password Safe"

- Fixed an issue to remove deleted Assets from Favorite tab of the PowerBroker Password Safe portal

- Fixed an issue with Password change options for Scheduled tasks

- Fixed an issue that could potentially lead to passwords getting out of sync with managed systems

- Fixed an issue where Direct Connect SSH failed for users due to a timeout in authentication

- Fixed an issue with password changes on AD functional accounts under Auto Management

- Fixed a CA Service desk connector issue

- Fixed an issue with RDP output displaying a dark screen

- Fixed an issue changing passwords for Oracle accounts

- Fixed an issue with inactive Smart Rules

- Fixed a keyboard language issue with RDP Direct Connect

- Fixed an issue launching an application session

- Fixed an issue with Application sessions connecting using DNS

- Fixed a permission issue with a member belonging to multiple groups

- Fixed a mouse lag issue with enhanced session monitoring

- Fixed an issue with removing a policy user

- Fixed an input issue on the Admin Session tab of the PowerBroker Password Safe portal

- Fixed an issue with managing MYSQL accounts

- Fixed a Telnet logon issue

- Fixed a display issue of Remote Applications

- Fixed a Smart Rules processing issue

- Fixed a concurrency error for password changes

- Fixed an issue that prevented custom platforms from working when connecting to systems on non-standard ssh ports

- Fixed an issue with changing passwords for AD managed accounts that do not have a SID

- Fixed a date format issue with connection profile alert emails

- Fixed an issue with sending email release notifications

- Fixed an issue with launching RDP sessions via PowerBroker for Password Safe when PowerBroker for Password Safe is FIPS enabled

- Fixed an issue with changing passwords on Linux machines

- Fixed an issue with deleted managed accounts

- Fixed an issue with scheduled password changes when using PowerBroker for Windows agents

- Fixed an issue with password checkouts using PowerBroker for Windows agents

 

6.3.1

- Fixed a performance issue with the vulnerabilities grid

- Fixed a duplication issue with Active Directory users

- Fixed a deadlock issue while processing scan data

- Fixed an Audit Group setting issue

- Fixed a sorting issue with Assigned Policies

- Fixed a duplicate asset issue generated from PBEPP 8.1 data

- Fixed an issue with purging stale email records

- Fixed an issue with scheduled tasks

- Fixed an issue with TempDB usage

- Fixed a purging issue

- Fixed an issue with loading Domain Linked accounts for Password Safe

- Fixed an issue with the Domain Joined Single Sign-On login page

- Fixed a custom platforms issue around functional accounts with elevated privileges

- Fixed a mapping issue with dedicated accounts

- Fixed an issue with the Auto Management failing on AD functional accounts

6.3

- Fixed an upgrade issue overwriting SAML configuration

- Fixed an issue with creating assets with the same name under different workgroups

- Fixed an issue with creating duplicate assets in error

- Fixed an issue with displaying duplicate assets in the Asset Grid

- Fixed an issue with Audit settings

- Fixed an issue with high CPU usage

- Fixed an issue with PBW processing of events

- Fixed an issue with replaying PBUL IO logs

- Fixed an issue with creating WSUS certificates

- Fixed a timeout issue on the Audit Viewer for Analytics and Reporting

- Fixed an issue with the print button not working for Analytics and Reporting

- Fixed a login issue when the user is part of multiple groups for Analytics and Reporting

- Fixed an issue with displaying HTML tags on the pre-login banner for Analytics and Reporting

- Fixed an issue with the Download logs button for Analytics and Reporting

- Fixed a data issue and timeout issue with the Password Safe Activity report within Analytics and Reporting

- Fixed an issue with report options displaying blank values for Analytics and Reporting

- Fixed an SSH Connection issue with FIPS enabled

- Fixed an invalid credential error during the check-in of SSH requests

- Fixed an issue with creating Account smart rules

- Fixed an issue executing Account smart rules

- Fixed an issue with deleting cloud systems when the Managed Account is linked to a remote application

- Fixed an issue with black screens displaying on RDP logout/disconnect

- Fixed an issue with users with the Auditor role being unable to request passwords or perform session management activities

- Fixed a display issue with dedicated accounts in the Password Safe grid

6.2.2

- Fixed an issue with Linked Accounts with applications being added to Database Assets

- Fixed an issue with onboarding Account Smart Rules

- Fixed an issue overwriting the web config file for Active Directory Federation Services when using the BeyondInsight Configuration tool

- Fixed an issue with upgrading Favorites on the Password Safe Portal grid

- Fixed an access issue with Favorites under the Password Safe Portal grid

- Fixed an authentication issue using the Active Directory Short Name

- Fixed an access issue for Cloud Accounts under the Password Safe Portal grid

 

 

Date of Release: 16 July 2018

Product Name: BeyondInsight

Updated Version: 6.6.1

Superseded Versions: 1.0.0-6.4.8

Table of Contents

1. Installation Prerequisite

2. What's New in This Release

3. Known Issues

4. General Notes

5. Release Availability

6. Current and Historical Issues Resolved

1. Installation/Upgrade Prerequisites

=======================================================================

If BeyondInsight is installed on the BeyondTrust Security Management Virtual Appliances UVMv20 that were shipped between June 2014 and October 2016 (versions 1.2 - 1.5.9) and that have NOT been updated to 2.2.4 or higher, the following steps are required prior to installing BeyondInsight version 6.4.8 if upgrading from a version prior to 6.3.1:

1. RDP to UVMv20 (versions 1.2 - 1.5.9)

2. Start | Run | c:\oracle\uninstall.bat all myhome

3. Upgrade to 6.4.4

4. Reboot

Should you require the RDP code to access the UVMv20 (versions 1.2 - 1.5.9) and/or additional assistance, please contact BeyondTrust Customer Support.

2. What's New in 6.6

=======================================================================

GENERAL:

- Added a new configuration landing page with search capability

- Added PowerBroker Management Suite Web Console link for installations on UVMs

- Added the ability to select an organization in the user profile section for multiple organizations

- Added Asset Grid Improvements

- Added Vulnerability Tab Improvements

- Added Support Package creation improvements

- Added Asset Purge Improvements

- Added the ability to clone directory queries

- Added the ability to sort directory queries

- Additional details added to audit change alerts

- Added a Policy User Smart Rule filter for User Accounts

- Added PBW/PBMac policy assignment using new User Account based Policy Users

- Added a catch-all Smart Group for assets not belonging to any other Smart Groups

- Added the ability to customize information contained within the completed scans alert

- Added the ability for multiple organizations to use one scanner

- Added ability to export groups to SailPoint

- Added UI improvements to the User Groups

- Added UI improvements to the credentials screen

- Added Docker Container Image support

- Added a warning when the target list has changed due to changes made to a Smart Group for scheduled scans

- Changed REMEMConfig tool to allow special characters for passwords

- Changed the PCI report to meet the latest PCI requirements

- Added warning when user attempts to delete HSM credentials

- Added the ability to perform Scanner/Credential mapping for network scanners

- Added the ability to disable AD/LDAP/Local BI user login by user

- Restricted the scan job name text field to 58 characters

- Added the ability to create smart rule filter based on CVE information

- Added the ability to stop all scan jobs from the Jobs grid.

- Added the ability to scan multiple Oracle databases using a single Oracle credential

- PBUL/PBSUDO SOLR search improvements

- 3rd Party Asset import improvements

- Added auditing for login/logout events and changes to security settings for local users

- Added auditing for adding new AD users

- Added Radius login improvements

- Added support for Radius auto-failover

- Replaced Asset Kind with Asset Type in Smart Rule Asset Attribute.

- Deprecated the Smart Rule option "Make primary Policy"

ANALYTICS and REPORTING:

- Added the ability to save scheduled reports to a network share

- Added Entitlement by User report

- Added CVSSv3 score and CVSSv3 score range to Vulnerability and PCI Compliance reports

- Added the Database User Report

- Added Last Login Date column to Asset User Account List

- Added new columns and filters to the Extended Vulnerability Export report

- Added data and performance improvements to PowerBroker Password Safe reports

- Added PBW Heartbeat report

- Added Asset User Account Delta by Week report

- Added Asset User Account Delta by Day report

- Added PBW/PBMac Lateral Movement report

- Added Docker Host Summary report

- Added Docker Image Details report

- Added Docker image vulnerability report

- Added PowerBroker Password Safe user cluster data

 

PowerBroker Password Safe:

- Added localization to the Password Safe portal for: German, French (Canada), French (France)

- Added the ability to replay sessions from any node in an Active-Active cluster

- Added the ability to view and/or copy the password to the clipboard from the password retrieval page

- Added the ability to use the SYSDBA privilege for an Oracle Functional Account

- Added keystroke recording performance improvements

- Added "LANG=en_US;" to custom platforms

- Added "Set Attributes on each account" Smart Rule Action for Managed Accounts

- Added ‘Attribute Assigned’ Smart Rule filter for Managed Accounts

- Changed Session Monitoring Window Position to no longer default to center of the screen

- Added Active Directory Functional Account Test improvements using UPN account names

- Post Release password changes processing improvements

- Removed the Change Password feature for PBPS web portal local users

- Added auditing for changes to Managed Systems, Managed Accounts, Password Complexity rules

- Added support for Managed Account password test via the PBW Agent

- Added PBUL/PBRUN jump host support

- Added login security improvements

- API enhancements to support Dynamic Access Policy

- For API enhancements please see the API release notes

 

3. Known Issues

=======================================================================

- If a user is using Firefox 55 or newer, they may encounter a black screen upon their first visit to one of the Flex pages within the BeyondInsight web application. It may not be apparent that there is any user action possible from this black screen.

Resolution - When encountering this black screen, the user must click on the black area to show the "Activate Adobe Flash" link, and click it to allow the content to show. This activation step only needs to be done the first time a user visits a Flex area within the BeyondInsight web application.

- If Event Server 4.1.0.0 is missing from Programs and Features after a completed BeyondInsight 6.4.4 upgrade/install and reboot, re-launch the "BeyondInsight_6.4.4.222.exe" installer, which will re-install Event Server as one of its first actions. After this, when the BeyondInsight Setup window appears with the options for "Repair" or "Remove", close the window instead (using the 'X' in the top right-hand corner) and confirm that you want to close/cancel.

- PowerBroker for Windows - File Integrity Monitor events triggered by specific users always shown as system user or empty

- The audit group screen allows editing a smart rule driven audit group, but the "Update" and other buttons are disabled. This is as intended; but if changes are made and the user then clicks on another audit group, it will offer to save the changes. Saving them will work and overwrite the audits picked by the smart rule.

- Reports run against live data with changes to exclusions will not show if running against stored data and selecting an earlier/specific report.

The history of the exclusions is not being stored and will always show the latest regardless of report on existing data past report selections.

- Japanese - Unable to process data in ThirdParty Feed handler log

- The associated vulnerability or asset will not get inserted into the Remedy AR System when the exported data exceeds the default character form field length in Remedy.

Workaround: Increase the form field length in Remedy.

- PBW Privileged Rule Impact Dashboard low-level drill-through is missing Argument data. When multiple PBW events take place in the same second, only the arguments from the first event found in the database will show in the lowest-level drill-through.

- Using the certificate installation MSI and then running the uninstall in "Add/Remove Programs" does not uninstall the certificate. This is by design; the uninstall only removes the certificate deployer.

- Scheduled scans in Chrome can be off by an hour. Disabling Chrome's PPAPI version of the Flash plugin will work around the issue (see chrome://plugins). The issue is not observed in Internet Explorer 9 or Firefox 15.

- When launching a Retina scan in BeyondInsight and host names are specified as targets, if any target host name cannot be resolved by the scanner the job status may be reported as "Job Did Not Start" when, in fact, some of the targets were successfully scanned.

- Cloning a SmartRule with a Patch action in it will succeed but silently drop the Patch Action.

- Adding a second organization and then removing it will leave an "All Assets" SmartRule for "Default Organization". User can remove it manually.

- Organization information is not available on the Report screen.

- Users for which all the smart rules they have access to are either inactive or don't have the Smart Group action for a particular organization will be shown the choice of that organization on the Smart Group browser on the left, but if selected the browser will appear empty and the last accessible smart rule's asset will remain showing on the Asset grid.

- When editing the last remaining Smart Rule for an organization, and marking that Smart Rule as inactive, the Assets page will continue to display assets for that organization.

- Due to a dependency in the Local Publishing portion of the WSUS API, it is necessary for all WSUS resources (servers and consoles) to be at the same Service Pack level for WSUS. If not, the following error may appear in the ThirdPartyPatchSvc.txt log file: System.InvalidOperationException: Publishing operation failed because the console and remote server versions do not match.

- If a scheduled job includes a report and the associated smart rule is changed to use a set scanner action with two or more scanners, each scanner will produce a report for the portion of the scan it handled.

- If you have a scan job set up for a smart rule that is set to "Rule Level" distribution but only contains 1 scanner, you can set up the scan job with a report associated. If you later add additional scanners to the smart rule, the job will work but separate reports will appear for each scanner and may contain incomplete data.

- When connecting to a WSUS server that already has third party patches the Community edition will display these patches in addition to the free ones supported by the Community Edition.

- Choosing the option to modify the Products and Classifications for third party patches, the changes are made to all WSUS servers and not just the selected WSUS Server.

- Attempting to scan cloud assets with scanners that do not support cloud scanning will result in those cloud assets being ignored by the scanner.

- Recurring scheduled Benchmark Compliance reports will show historical data.

- A user who has duplicated a report template for which other users have scheduled scan reports cannot be deleted.

- Patch Management: If WSUS and BeyondInsight are not installed on the C: drive, the Approved, Installed and Required Patches reports fail to generate.

- Patch Management: Smart groups that contain a large number of assets or patches may take a long time to render or may encounter a timeout error when retrieving data from the WSUS server when the patch view option is selected. In this situation it may serve better to use the asset view and drill into the patches on the asset level as needed.

- When viewing reports in Internet Explorer with script debugging enabled, you may occasionally see the JavaScript error message "'this._docMapSplitter' is null or not an object", but the report will continue to work normally.

- When using an IAVA license and running on existing data with the Non-Vulnerable audit status selected, for large groups of assets the report may fail with an "out of memory" error.

- When running a Ticket Report that returns a large number of Tickets and the option to include Assets and Notes has been selected, an "out of memory" error may result.

- When selecting report parameters and performing several selections and re-selections, parameters listed in grids may disappear. To restore missing parameters, click on the "Clear Filter" icon for that grid, or cancel the screen and re-enter.

- Smart Rules: Emailing alerts on smart rules that return extremely large asset counts (exact count will vary) may generate an email that exceeds what the email server will send. If this occurs, the user is not given any notice that the email wasn't sent.

- Assets Tab: The Assets and Agents grids are not able to filter on Protection Policy Name.

- Scan Restrictions: Changes made to Scan Restrictions in the scan agent UI are not reflected in the BeyondInsight UI.

- Scan: If a Protection Agent is installed on the same asset as a scanning agent, only the scan agent will be listed as a scanner in the run on existing data report parameters. However, scans from both will still be selectable.

- Benchmark Scan: If the scanning agent fails to complete a Benchmark scan for an asset, no xccdf-output.xml will be created, and no asset information will be displayed in the report.

- Benchmark Scans: Very large result files may not successfully be transferred from the scanner to BeyondInsight. The result files will still be available on the scanner agent file system. This will be fixed in a later release.

- When using Quick Scan Credentials for reports that have Job Metrics, the Credential Description will display as a GUID.

- Community: if a report returns more assets than the 256 allowed, the report may stay in the processing state.

- BeyondInsight may install on SQL Servers configured with a server that is not set to Latin Case Insensitive, but BeyondInsight does not support operating in that configuration and may not work correctly.

- The NT Authority\System account does not exist with SQL Server 2012, as a result an invalid license message will appear when attempting to authenticate with an NT Authority\System

- Scheduled Benchmark Compliance Display No Data After an Upgrade and Needs Rescheduling

- Windows Server 2012 is a 64-bit-only operating system. When WSUS is installed, suscomp.dll is defined globally and loaded in every application pool. The BeyondInsight application pool is 32-bit and will result in the above error when the 64-bit suscomp.dll attempts to load.

Solution:

 

Option 1

-> Take IIS backup.

-> Open IIS Manager

-> Click on server module node at the top of the left hand tree and choose "Modules".

-> Right click on DynamicCompressionModule and choose "Unlock"

-> Right click on StaticCompressionModule and choose "Unlock".

-> Open Default Web Site -> Open Modules.

-> Right click on DynamicCompressionModule and choose "Remove".

-> Right click on StaticCompressionModule and choose "Remove".

-> Do IISRESET from an elevated/administrative command prompt.

 

Option 2

Install BeyondInsight and WSUS on separate 2012 servers

 

- Viewing a Report in IE 11 - Can't scroll to see all of report

- A Re-Start of SSAS is required if the SQL 2012 Servers do not have the .NET framework 4.5 installed prior to installing 5.X and the database has an instance name

- Error seen accessing the web site on 2012 R2 and 2012 servers due to an ASP.NET v4.0 restriction, which cannot be fixed by running the register command. To install ASP.NET 4.5 on Windows Server 2012, use one of the following options:

Run the following command from an administrative command prompt: dism /online /enable-feature /featurename:IIS-ASPNET45

For Windows Server 2012 computers, enable "IIS-ASPNET45" using Server Manager, under "Web Server (IIS) -> Web Server -> Application Development -> ASP.NET 4.5".

- Scanner selection doesn't work in multi-tenant mark old scanners as inactive

- Updated permission changes to a logged in account will not be applied until the user is logged off

- Trying to create a smart rule with the same name as one that already exists as a different type (Asset/Vulnerability/Account) will give the following error

"This Smart Rule was not saved because an error occurred: Sequence contains no matching element"

- Patch Management - A user may receive a generic Error message in the BeyondInsight UI when using the Apply Patch Now button. The workaround is to use the Approve button or right-click menu option when selecting patches.

- Password Safe - HP iLO and iDRAC accounts are not currently discoverable; these accounts have to be manually added.

- Password Safe - Deprecated Change password options will still appear in Smart Rules containing the Managed Password Safe Accounts action.

The change password options in question are: Retrieve password, Allow SSH Connection, Allow RDP Connection, Record session.

These options have been migrated to Password Safe roles. However, they may still appear in an upgraded smart rule.

Removing the Manage Password Safe Account action and re-adding it will rectify the display issue.

- Password Safe - In situations where accounts are discovered and brought under automatic management via Password Safe Smart Rule actions with the "use current password to change password" option enabled, the password will never change due to the absence of the initial password. It is recommended that this option only be enabled in smart rules that are not using discovery options.

- Password Safe - In situations where the "Link domain accounts to managed systems" smart rule action is enabled in a Smart Rule containing the Active Directory query filter with the discover accounts option enabled, the Smart Rule may get stuck in a processing state. It is recommended that the "Link domain accounts to managed systems" action only be enabled in Smart Rules that are not utilizing the discover accounts option.

- Password Safe - The SAP asset cannot be managed via the smart rule. The asset can only be managed manually

 

- Password Safe - The Sybase.Charset archive may fail to decompress during install or upgrade on some environments. If using the Sybase platform for Password Safe management, the archive can be manually decompressed if needed.

- Scanning with DSS Keys using Retina Network Security Scanner version 5.23 and 5.23.1 will fail as a result of a public key authentication issue in Retina Network Security Scanner.

- Password Safe - if Functional Account is tied to a remote client asset (PBW), Functional Account password will not change

- Password Safe - SSHDirectConnect - unable to create sessions 1 minute 59 seconds before the Access Schedule expires; the Access Policy must extend to the current time plus the default request duration

- Password Safe - SSHDirectConnect - when Access Policy is set to Restrict Location the User is able to login from another location

- Password Safe - Using non-incremental keys in DSA or RSA causes auto managed key change to fail

- Password Safe - Keystrokes - Ctrl+Action (Ctrl+C) is being captured as ^C and attached to the beginning of the next keystroke

- Password Safe - Cannot delete cloud systems when the managed account is linked to a remote application. Workaround is to remove the link between the managed account and the remote application via the Managed Account Settings screen and then delete the cloud system.

- Password Safe - On occasion, proxy sessions will not fully release the request, and the sessions remain active and viewable within Active Sessions. Workaround: Within the BI server, locate all pbsmd.exe *32 processes and select End Process for each. This will remove the inactive sessions and remove them from the Active Sessions grid.

- Password Safe - a deleted system, if previously marked as a Favorite, will still display under Favorites until the system is removed from Favorites

- Password Safe - Cloud Applications sessions are not displaying within Active/Replay for an Administrator

- Password Safe - The new smart rule action called Account Name Format drop-down is not available for existing smart rules. If the action is required, delete and re-add the Smart Rule Action

- Password Safe - Users attempting an RDP DirectConnect cannot connect to Windows 7 servers

- Smart Rules - Newly added attribute types are not available in existing Smart Rule Attribute filters unless the new attribute is added to the filter via the Smart Rule editor


4. General Notes

=======================================================================

- BeyondInsight requires Adobe Flash Player 22.0 or higher

 

5. Release Availability

========================================================================

- This release is available for download by BeyondTrust customers (https://beyondtrustsecurity.force.com/customer/login) and through the BeyondTrust Auto-Updater.

The MD5 signature is: 25f9e807d99dcb5e296b782dbc58f17e

The SHA-1 signature is: 01fb76ee113d7ee17a587deaed2663d1d0b7044c

The SHA-256 signature is: db471232a1f27733c398a2aff50b72f9ac8a4114a895bce790e7af29eca53dcf

6. Issues Resolved

========================================================================

6.6.0.

- Fixed an operational issue with BeyondInsight

6.6.0

- Fixed an issue terminating and closing active PBPS RDP sessions

- Fixed an issue with moving PBPS RDP sessions to a separate monitor

- Fixed an issue with PBPS SSH Direct Connect replays

- Fixed an issue with PBPS RDP Sessions with RDP Security enabled

- Fixed a multiplexing issue with PBPS SSH Sessions

- Fixed an issue with displaying non-active sessions as Active sessions

- Fixed an issue with creating managed systems for inactive platforms

- Fixed an issue with scheduled password changes for AD accounts

- Fixed an issue displaying linked accounts on PBPS portal

- Fixed an issue with Functional Accounts for workgroups

- Fixed mapping issues for Dedicated Accounts

- Fixed an issue changing the password on a Checkpoint system

- Fixed a session monitoring masking issue

- Fixed a format issue for NTLM authentication

- Fixed an issue with a missing Approve quick link

- Fixed an issue with updates to Functional Accounts

- Fixed an issue with changing passwords for Windows Scheduled Tasks

- Fixed an issue with testing password changes on custom platforms

- Fixed an issue with the Password Cache

- Fixed several issues with the SailPoint connector

- Fixed an issue using Entrust 2-factor authentication

- Fixed an ADFS login issue

- Fixed messaging around password failures on custom platforms

- Fixed an issue deleting an application

- Fixed an issue with SAML logins

- Fixed an issue with Syncing account passwords for PBW

- Fixed an issue launching multiple application sessions using the same managed account

- Fixed an issue with changing passwords on Windows Systems

- Fixed an issue with using RoyalITS for launching PBPS sessions

- Fixed a ServiceNow State validation issue

- Fixed an issue with Smart Rule processing

- Fixed an issue with configuring the preferred Domain Controller

- Fixed an issue with updating scheduled jobs

- Fixed an issue with enumerating Oracle users

- Fixed a duplicate asset issue

- Fixed an issue with target lists for scheduled scans

- Fixed an issue with scheduling scans

- Fixed a login issue using HSM

- Fixed an issue creating custom audit groups

- Fixed an issue updating the operating system of an asset

- Fixed an issue enumerating the operating system of an asset

- Fixed an issue enumerating user accounts

- Fixed a display issue on the Member of Group tab for an asset

- Fixed a display issue of an Asset's IP address

- Fixed a BeyondInsight database Configuration issue

- Fixed an issue with CPU usage.

- Fixed a data issue with the software report

- Fixed an issue with removing a database instance from an asset

- Fixed an issue displaying WSUS patches

- Fixed a purging issue

- Fixed a display issue for Address Groups

- Fixed a display issue in the Jobs grid

- Fixed a login issue for multi-tenant environments

- Fixed an issue with processing large ServiceNow imports

- Fixed an issue with PBW normalization

 

6.4.8

- Enforce global authentication for AMF remoting service to enhance security around AMF requests

- Ensured binary files are digitally signed

6.4.7

- Fixed an issue with the Analytics and Reporting daily job

- Fixed an issue with 2 factor authentication using the API

6.4.6

- Fixed a logging issue

- Fixed a functional account multi-tenancy issue

- Fixed an issue with Asset Metadata

- Fixed an issue with faded text in reports

- Fixed an issue with AD query availability

- Fixed an issue with the Date Picker for Subscriptions

- Fixed an access issue for administrators

- Fixed an issue with the built-in platform for Fortinet

- Fixed a licensing issue

- Fixed a data issue with the Vulnerability report

- Fixed an issue with the Web Console App Pool

- Fixed an SSRS email notification issue

- Fixed an issue on changing passwords from the Managed Accounts grid

- Fixed an issue with RDP sessions freezing and disconnecting

- Fixed an audit issue

- Fixed a performance issue with the PBW Rollup grid

- Fixed an issue with Dedicated Account Smart Rules

- Fixed a Radius authentication issue

- Fixed a PBW Session Monitoring display issue

- Fixed an issue displaying applications within the PBPS portal

- Fixed an issue with the daily sync

- Fixed a Users & Groups permission issue

6.4.4

- Prevent organizations from using reserved names (Global, Everyone)

- Fixed a connection issue for an Oracle Database instance

- Fixed an issue with failed scans

- Fixed an issue with managed Retina credentials

- Fixed Vulnerability last found / last updated date to display in local time

- Fixed an issue loading AD users for a given group

- Fixed an issue with displaying incorrect Domain data

- Fixed an issue with updating the Retina Host Security Scanner queue

- Fixed an issue displaying assets for VMWare cloud connector

- Fixed an issue with the BeyondInsight website getting stuck in initializing

- Fixed a login issue when BeyondInsight is FIPS enabled

- Fixed an issue with scheduled tasks disappearing from the asset grid

- Fixed an issue with Smart Rules reverting to a previously saved version

- Fixed an issue with updating AD Group changes

- Fixed an issue with displaying non-version information in the version field

- Fixed an out of memory issue for Class A Network Scans

- Fixed a display issue for disabled user accounts

- Fixed an issue with deleted assets incorrectly displaying under Scan Job Information

- Fixed an issue with incorrect IP addresses

- Fixed a Smart Rule counts issue

- Fixed a display issue with custom smart rules

- Fixed an issue displaying long Smart Rule name

- Fixed an RTD import issue

- Fixed an issue with Audit upgrades

- Fixed an excess CPU issue

- Fixed an issue with the way vulnerabilities get auto marked as fixed in BeyondInsight with the auto aging logic

- Fixed a timeout issue for long running Analytics and Reporting reports

- Fixed an issue with a vulnerability not being associated with an asset

- Fixed an issue with applying WSUS approved patches

- Fixed an issue with deleting PowerBroker for Windows user policies

- Fixed an issue with moving Policies between Policy groups under Protection Policies

- Fixed an issue with SOLR searches

- Fixed an issue with "Unknown" PowerBroker for Windows events displaying in custom reports

- Fixed a display issue for the PowerBroker for Windows/PowerBroker for Mac Rollup and All grids

- Fixed a sorting issue with the PowerBroker for Windows grid

- Fixed an issue with inserting Event data in bulk

- Fixed an issue with the PowerBroker for Password Safe import scan template displaying multiple values for changed attributes

- Fixed an issue where PBSMD consumes excess CPU

- Fixed an issue with trying to delete Cloud assets

- Fixed an issue using ALT characters in a password

- Fixed an issue with Password and Session Activity Report misreporting RDP requests

- Fixed a default port issue for the Smart Rule Action "Manage Assets using Password Safe"

- Fixed an issue to remove deleted Assets from Favorite tab of the PowerBroker Password Safe portal

- Fixed an issue with Password change options for Scheduled tasks

- Fixed an issue that could potentially lead to passwords getting out of sync with managed systems

- Fixed an issue where Direct Connect SSH failed for users due to a timeout in authentication

- Fixed an issue with password changes on AD functional accounts under Auto Management

- Fixed a CA Service desk connector issue

- Fixed an issue with RDP output displaying a dark screen

- Fixed an issue changing passwords for Oracle accounts

- Fixed an issue with inactive Smart Rules

- Fixed a keyboard language issue with RDP Direct Connect

- Fixed an issue launching an application session

- Fixed an issue with Application sessions connecting using DNS

- Fixed a permission issue with a member belonging to multiple groups

- Fixed a mouse lag issue with enhanced session monitoring

- Fixed an issue with removing a policy user

- Fixed an input issue on the Admin Session tab of the PowerBroker Password Safe portal

- Fixed an issue with managing MYSQL accounts

- Fixed a Telnet logon issue

- Fixed a display issue of Remote Applications

- Fixed a Smart Rules processing issue

- Fixed a concurrency error for password changes

- Fixed an issue that prevented custom platforms from working when connecting to systems on non-standard ssh ports

- Fixed an issue with changing passwords for AD managed accounts that do not have a SID

- Fixed a date format issue with connection profile alert emails

- Fixed an issue with sending email release notifications

- Fixed an issue with launching RDP sessions via PowerBroker for Password Safe when PowerBroker for Password Safe is FIPS enabled

- Fixed an issue with changing passwords on Linux machines

- Fixed an issue with deleted managed accounts

- Fixed an issue with scheduled password changes when using PowerBroker for Windows agents

- Fixed an issue with password checkouts using PowerBroker for Windows agents

 

6.3.1

- Fixed a performance issue with the vulnerabilities grid

- Fixed a duplication issue with Active Directory users

- Fixed a deadlock issue while processing scan data

- Fixed an Audit Group setting issue

- Fixed a sorting issue with Assigned Policies

- Fixed a duplicate asset issue generated from PBEPP 8.1 data

- Fixed an issue with purging stale email records

- Fixed an issue with scheduled tasks

- Fixed an issue with TempDB usage

- Fixed a purging issue

- Fixed an issue with loading Domain Linked accounts for Password Safe

- Fixed an issue with the Domain Joined Single Sign-On login page

- Fixed a custom platforms issue around functional accounts with elevated privileges

- Fixed a mapping issue with dedicated accounts

- Fixed an issue with the Auto Management failing on AD functional accounts

6.3

- Fixed an upgrade issue overwriting SAML configuration

- Fixed an issue with creating assets with the same name under different workgroups

- Fixed an issue with creating duplicate assets in error

- Fixed an issue with displaying duplicate assets in the Asset Grid

- Fixed an issue with Audit settings

- Fixed an issue with high CPU usage

- Fixed an issue with PBW processing of events

- Fixed an issue with replaying PBUL IO logs

- Fixed an issue with creating WSUS certificates

- Fixed a timeout issue on the Audit Viewer for Analytics and Reporting

- Fixed an issue with the print button not working for Analytics and Reporting

- Fixed a login issue when the user is part of multiple groups for Analytics and Reporting

- Fixed an issue with displaying HTML tags on the pre-login banner for Analytics and Reporting

- Fixed an issue with the Download logs button for Analytics and Reporting

- Fixed a data issue and timeout issue with the Password Safe Activity report within Analytics and Reporting

- Fixed an issue with report options displaying blank values for Analytics and Reporting

- Fixed an SSH Connection issue with FIPS enabled

- Fixed an invalid credential error during the check-in of SSH requests

- Fixed an issue with creating Account smart rules

- Fixed an issue executing Account smart rules

- Fixed an issue with deleting cloud systems when the Managed Account is linked to a remote application

- Fixed an issue with black screens displaying on RDP logout/disconnect

- Fixed an issue with users with the Auditor role being unable to request passwords or perform session management activities

- Fixed a display issue with dedicated accounts in the Password Safe grid

6.2.2

- Fixed an issue with Linked Accounts with applications being added to Database Assets

- Fixed an issue with onboarding Account Smart Rules

- Fixed an issue overwriting the web config file for Active Directory Federation Services when using the BeyondInsight Configuration tool

- Fixed an issue with upgrading Favorites on the Password Safe Portal grid

- Fixed an access issue with Favorites under the Password Safe Portal grid

- Fixed an authentication issue using the Active Directory Short Name

- Fixed an access issue for Cloud Accounts under the Password Safe Portal grid

 

Date of Release: 6 July 2018

Product Name: BeyondInsight

Updated Version: 6.6

Superseded Versions: 1.0.0-6.4.8

Table of Contents

1. Installation Prerequisite

2. What's New in This Release

3. Known Issues

4. General Notes

5. Release Availability

6. Current and Historical Issues Resolved

1. Installation/Upgrade Prerequisites

=======================================================================

If BeyondInsight is installed on the BeyondTrust Security Management Virtual Appliances UVMv20 that were shipped between June 2014 and October 2016 (versions 1.2 - 1.5.9) and that have NOT been updated to 2.2.4 or higher, the following steps are required prior to installing BeyondInsight version 6.4.8 if upgrading from a version prior to 6.3.1:

1. RDP to UVMv20 (versions 1.2 - 1.5.9)

2. Start | Run | c:\oracle\uninstall.bat all myhome

3. Upgrade to 6.4.4

4. Reboot

Should you require the RDP code to access the UVMv20 (versions 1.2 - 1.5.9) and/or additional assistance, please contact BeyondTrust Customer Support.

2. What's New in 6.6

=======================================================================

GENERAL:

- Added a new configuration landing page with search capability

- Added PowerBroker Management Suite Web Console link for installations on UVMs

- Added the ability to select an organization in the user profile section for multiple-organization environments

- Added Asset Grid Improvements

- Added Vulnerability Tab Improvements

- Added Support Package creation improvements

- Added Asset Purge Improvements

- Added the ability to clone directory queries

- Added the ability to sort directory queries

- Additional details added to audit change alerts

- Added a Policy User Smart Rule filter for User Accounts

- Added PBW/PBMac policy assignment using new User Account based Policy Users

- Added a catch-all Smart Group for assets not belonging to any other Smart Groups

- Added the ability to customize information contained within the completed scans alert

- Added the ability for multiple organizations to use one scanner

- Added ability to export groups to SailPoint

- Added UI improvements to the User Groups

- Added UI improvements to the credentials screen

- Added Docker Container Image support

- Added a warning when the target list has changed due to changes made to a Smart Group for scheduled scans

- Changed REMEMConfig tool to allow special characters for passwords

- Changed the PCI report to meet the latest PCI requirements

- Added warning when user attempts to delete HSM credentials

- Added the ability to perform Scanner/Credential mapping for network scanners

- Added the ability to disable AD/LDAP/Local BI user login by user

- Restricted the scan job name text field to 58 characters

- Added the ability to create smart rule filter based on CVE information

- Added the ability to stop all scan jobs from the Jobs grid.

- Added the ability to scan multiple Oracle databases using a single Oracle credential

- PBUL/PBSUDO SOLR search improvements

- 3rd Party Asset import improvements

- Added auditing for login/logout events and changes to security settings for local users

- Added auditing for adding new AD users

- Added Radius login improvements

- Added support for Radius auto-failover

- Replaced Asset Kind with Asset Type in Smart Rule Asset Attribute.

- Deprecated the Smart Rule option "Make primary Policy"

ANALYTICS and REPORTING:

- Added the ability to save scheduled reports to a network share

- Added Entitlement by User report

- Added CVSSv3 score and CVSSv3 score range to Vulnerability and PCI Compliance reports

- Added the Database User Report

- Added Last Login Date column to Asset User Account List

- Added new columns and filters to the Extended Vulnerability Export report

- Added data and performance improvements to PowerBroker Password Safe reports

- Added PBW Heartbeat report

- Added Asset User Account Delta by Week report

- Added Asset User Account Delta by Day report

- Added PBW/PBMac Lateral Movement report

- Added Docker Host Summary report

- Added Docker Image Details report

- Added Docker image vulnerability report

- Added PowerBroker Password Safe user cluster data

 

PowerBroker Password Safe:

- Added localization to the Password Safe portal for: German, French (Canada), French (France)

- Added the ability to replay sessions from any node in an Active-Active cluster

- Added the ability to view and/or copy the password to the clipboard from the password retrieval page

- Added the ability to use the SYSDBA privilege for an Oracle Functional Account

- Added keystroke recording performance improvements

- Added "LANG=en_US;" to custom platforms

- Added "Set Attributes on each account" Smart Rule Action for Managed Accounts

- Added ‘Attribute Assigned’ Smart Rule filter for Managed Accounts

- Changed Session Monitoring Window Position to no longer default to center of the screen

- Added Active Directory Functional Account Test improvements using UPN account names

- Post Release password changes processing improvements

- Removed the Change Password feature for PBPS web portal local users

- Added auditing for changes to Managed Systems, Managed Accounts, Password Complexity rules

- Added support for Managed Account password test via the PBW Agent

- Added PBUL/PBRUN jump host support

- Added login security improvements

- API enhancements to support Dynamic Access Policy

- For API enhancements please see the API release notes

 

3. Known Issues

=======================================================================

- If a user is using Firefox 55 or newer, they may encounter a black screen upon their first visit to one of the Flex pages within the BeyondInsight web application. It may not be apparent that there is any user action possible from this black screen.

Resolution - When encountering this black screen, the user must click on the black area to show the "Activate Adobe Flash" link, and click it to allow the content to show. This activation step only needs to be done the first time a user visits a Flex area within the BeyondInsight web application.

- If Event Server 4.1.0.0 is missing from Programs and Features after a completed BeyondInsight 6.4.4 upgrade / install and reboot, re-launch the "BeyondInsight_6.4.4.222.exe" installer, which will re-install Event Server as one of its first actions. After this, when the BeyondInsight Setup window appears with the options for "Repair" or "Remove", close the window instead (using the 'X' in the top right-hand corner) and confirm that you want to close / cancel.

- PowerBroker for Windows - File Integrity Monitor events triggered by specific users always shown as system user or empty

- The audit group screen allows editing a smart rule driven audit group, but the "Update" and other buttons are disabled.

This is as intended; but if changes are made and the user then clicks on another audit group, it will offer to save the changes. Saving them will work and overwrite the audits picked by the smart rule.

- Reports run against live data with changes to exclusions will not show if running against stored data and selecting an earlier/specific report.

The history of the exclusions is not being stored and will always show the latest regardless of report on existing data past report selections.

- Japanese - Unable to process data in ThirdParty Feed handler log

- The associated vulnerability or asset will not get inserted into the Remedy AR System when the exported data exceeds the default character form field length in Remedy.

Workaround: Increase the form field length in Remedy.

- PBW Privileged Rule Impact Dashboard low level drill through is missing Argument data. When multiple PBW events take place in the same second, only the arguments from the first event found in the database will show in the lowest level drill-through.

- Using the certificate installation MSI and then running the uninstall in "Add/Remove Programs" does not uninstall the certificate. This is by design and only uninstalls the certificate deployer.

- Scheduled scans in Chrome can be off by an hour. Disabling Chrome's PPAPI version of the Flash plugin will work around the issue (see chrome://plugins). The issue is not observed in Internet Explorer 9 or Firefox 15.

- When launching a Retina scan in BeyondInsight and host names are specified as targets, if any target host name cannot be resolved by the scanner the job status may be reported as "Job Did Not Start" when, in fact, some of the targets were successfully scanned.

- Cloning a SmartRule with a Patch action in it will succeed but silently drop the Patch Action.

- Adding a second organization and then removing it will leave an "All Assets" SmartRule for "Default Organization". User can remove it manually.

- Organization information is not available on the Report screen.

- Users for which all the smart rules they have access to are either inactive or don't have the Smart Group action for a particular organization will be shown the choice of that organization on the Smart Group browser on the left, but if selected the browser will appear empty and the last accessible smart rule's asset will remain showing on the Asset grid.

- When editing the last remaining Smart Rule for an organization, and marking that Smart Rule as inactive, the Assets page will continue to display assets for that organization.

- Due to a dependency in the Local Publishing portion of the WSUS API, it is necessary for all WSUS resources (servers and consoles) to be at the same Service Pack level for WSUS. If not, the following error may appear in the ThirdPartyPatchSvc.txt log file: System.InvalidOperationException: Publishing operation failed because the console and remote server versions do not match.

- If a scheduled job includes a report and the associated smart rule is changed to use a set scanner action with two or more scanners, each scanner will produce a report for the portion of the scan it handled.

- If you have a scan job set up for a smart rule that is set to "Rule Level" distribution but only contains 1 scanner, you can set up the scan job with a report associated. If you later add additional scanners to the smart rule, the job will work but separate reports will appear for each scanner and may contain incomplete data.

- When connecting to a WSUS server that already has third party patches the Community edition will display these patches in addition to the free ones supported by the Community Edition.

- Choosing the option to modify the Products and Classifications for third party patches, the changes are made to all WSUS servers and not just the selected WSUS Server.

- Attempting to scan cloud assets with scanners that do not support cloud scanning will result in those cloud assets being ignored by the scanner.

- Recurring scheduled Benchmark Compliance reports will show historical data.

- A user who has duplicated a report template for which other users have scheduled scan reports cannot be deleted.

- Patch Management: If WSUS and BeyondInsight are not installed on the C: drive, the Approved, Installed and Required Patches reports fail to generate.

- Patch Management: Smart groups that contain a large number of assets or patches may take a long time to render or may encounter a timeout error when retrieving data from the WSUS server when the patch view option is selected. In this situation it may serve better to use the asset view and drill into the patches on the asset level as needed.

- When viewing reports in Internet Explorer with script debugging enabled, you may occasionally see the JavaScript error message "'this._docMapSplitter' is null or not an object", but the report will continue to work normally.

- When using an IAVA license and running on existing data with the Non-Vulnerable audit status selected, for large groups of assets the report may fail with an "out of memory" error.

- When running a Ticket Report that returns a large number of Tickets and the option to include Assets and Notes has been selected, an "out of memory" error may result.

- When selecting report parameters and performing several selections and re-selections, parameters listed in grids may disappear. To restore missing parameters, click on the "Clear Filter" icon for that grid, or cancel the screen and re-enter.

- Smart Rules: Emailing alerts on smart rules that return extremely large asset counts (exact count will vary) may generate an email that exceeds what the email server will send. If this occurs, the user is not given any notice that the email wasn't sent.

- Assets Tab: The Assets and Agents grids are not able to filter on Protection Policy Name.

- Scan Restrictions: Changes made to Scan Restrictions in the scan agent UI are not reflected in the BeyondInsight UI.

- Scan: If a Protection Agent is installed on the same asset as a scanning agent, only the scan agent will be listed as a scanner in the run on existing data report parameters. However, scans from both will still be selectable.

- Benchmark Scan: If the scanning agent fails to complete a Benchmark scan for an asset, no xccdf-output.xml will be created, and no asset information will be displayed in the report.

- Benchmark Scans: Very large result files may not successfully be transferred from the scanner to BeyondInsight. The result files will still be available on the scanner agent file system. This will be fixed in a later release.

- When using Quick Scan Credentials for reports that have Job Metrics, the Credential Description will display as a GUID.

- Community: if a report returns more assets than the 256 allowed, the report may stay in the processing state.

- BeyondInsight may install on SQL Servers configured with a server that is not set to Latin Case Insensitive, but BeyondInsight does not support operating in that configuration and may not work correctly.

- The NT Authority\System account does not exist with SQL Server 2012, as a result an invalid license message will appear when attempting to authenticate with an NT Authority\System

- Scheduled Benchmark Compliance Display No Data After an Upgrade and Needs Rescheduling

- Windows Server 2012 is a 64bit only Operating System. When WSUS is installed, suscomp.dll is defined globally and loaded in every application pool. The BeyondInsight application pool is 32bit and will result in the above error when the 64bit suscomp.dll attempts to load.

Solution:

 

Option 1

-> Take IIS backup.

-> Open IIS Manager

-> Click on server module node at the top of the left hand tree and choose "Modules".

-> Right click on DynamicCompressionModule and choose "Unlock"

-> Right click on StaticCompressionModule and choose "Unlock".

-> Open Default Web Site -> Open Modules.

-> Right click on DynamicCompressionModule and choose "Remove".

-> Right click on StaticCompressionModule and choose "Remove".

-> Do IISRESET from an elevated/administrative command prompt.

 

Option 2

Install BeyondInsight and WSUS on separate 2012 servers

 

- Viewing a Report in IE 11 - Can't scroll to see all of report

- A Re-Start of SSAS is required if the SQL 2012 Servers do not have the .NET framework 4.5 installed prior to installing 5.X and the database has an instance name

- Error seen accessing web site on 2012R2 and 2012 server due to Asp.Net v4.0 restriction, which cannot be fixed by running the register command. To install ASP.NET 4.5 on Windows Server 2012, use one of the following options:

Run the following command from an administrative command prompt: dism /online /enable-feature /featurename:IIS-ASPNET45

For Windows Server 2012 computers, enable "IIS-ASPNET45" using Server Manager, under "Web Server (IIS) -> Web Server ->Application Development -> ASP.NET 4.5".

- Scanner selection doesn't work in multi-tenant mark old scanners as inactive

- Updated permission changes to a logged in account will not be applied until the user is logged off

- Trying to create a smart rule with the same name as one that already exists as a different type (Asset/Vulnerability/Account) will give the following error

"This Smart Rule was not saved because an error occurred: Sequence contains no matching element"

- Patch Management - A user may receive a generic Error message in the BeyondInsight UI when using the Apply Patch Now Button. The workaround is to use the Approve button or right-click menu option when selecting patches.

- Password Safe - HP iLO and iDRAC accounts are not currently discoverable; these accounts have to be manually added.

- Password Safe - Deprecated Change password options will still appear in Smart Rules containing the Managed Password Safe Accounts action.

The change password options in question are: Retrieve password, Allow SSH Connection, Allow RDP Connection, Record session.

These options have been migrated to password safe roles. However, they may still appear in an upgraded smart rule.

Removing the Manage Password Safe Account action and re-adding it will rectify the display issue.

- Password Safe - In situations where accounts are discovered and brought under automatic management via Password Safe Smart Rule actions with the "use current password to change password" option enabled, the password will never change due to the absence of the initial password. It is recommended that this option only be enabled in smart rules that are not using discovery options.

- Password Safe - In situations where the "Link domain accounts to managed systems" smart rule action is enabled in a Smart Rule containing the Active Directory query filter with the discover accounts option enabled, the Smart Rule may get stuck in a processing state. It is recommended that the "Link domain accounts to managed systems" action only be enabled in Smart Rules that are not utilizing the discover accounts option.

- Password Safe - The SAP asset cannot be managed via the smart rule. The asset can only be managed manually

 

- Password Safe - The Sybase.Charset archive may fail to decompress during install or upgrade on some environments. If using the Sybase Platform for Password Safe management, the archive can be manually decompressed if needed.

- Scanning with DSS Keys using Retina Network Security Scanner version 5.23 and 5.23.1 will fail as a result of a public key authentication issue in Retina Network Security Scanner.

- Password Safe - if Functional Account is tied to a remote client asset (PBW), Functional Account password will not change

- Password Safe - SSHDirectConnect - unable to create sessions 1 minute 59 seconds before the Access Schedule expires, the Access Policy must extend to the current time plus the default request duration

- Password Safe - SSHDirectConnect - when Access Policy is set to Restrict Location the User is able to login from another location

- Password Safe - Using non-incremental keys in DSA or RSA causes auto managed key change to fail

- Password Safe - Keystrokes - Ctrl+Action (Ctrl+C) is being captured as ^C and attached to the beginning of the next keystroke

- Password Safe - Cannot delete cloud systems when the managed account is linked to a remote application. Workaround is to remove the link between the managed account and the remote application via the Managed Account Settings screen and then delete the cloud system.

- Password Safe - On occasion, proxy sessions will not fully release the request, and the sessions remain active and viewable within Active Sessions. Workaround: On the BI server, locate all pbsmd.exe *32 processes and select End Process for each. This will remove the inactive sessions from the Active Sessions grid.

- Password Safe - a deleted system, if previously marked as a Favorite, will still display under Favorites until the system is removed from Favorites

- Password Safe - Cloud Applications sessions are not displaying within Active/Replay for an Administrator

- Password Safe - The new smart rule action called Account Name Format drop-down is not available for existing smart rules, if the action is required, then delete and re-add the Smart Rule Action

- Password Safe - Users attempting an RDP DirectConnect cannot connect to Windows 7 servers

- Smart Rules - Newly added attribute types are not available in existing Smart Rule Attribute filters unless the new attribute is added to the filter via the Smart Rule editor

4. General Notes

=======================================================================

- BeyondInsight requires Adobe Flash Player 22.0 or higher

 

5. Release Availability

========================================================================

- This release is available for download by BeyondTrust customers (https://beyondtrustsecurity.force.com/customer/login) and through the BeyondTrust Auto-Updater.

The MD5 signature is: 715a6676fc0fb5670a0581d493e5ff62

The SHA-1 signature is: 4af4dd2c3fa6bbbaf030d332272a7a8f955282ba

The SHA-256 signature is: 2645294ea92c6b8c3aabc54025c24405d19084896e1b42400558cae506e07bfb
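
One way to check a downloaded 6.6 installer against the three digests listed above, plus the Authenticode signature status that the 6.4.8 notes say binaries carry. This is an added example, not BeyondTrust tooling; the installer path and the function name `Test-InstallerDigest` are placeholders, since the page does not name the 6.6 installer file.

```powershell
# Digests copied from the "Release Availability" section of the 6.6 release notes.
$Published = [ordered]@{
    MD5    = '715a6676fc0fb5670a0581d493e5ff62'
    SHA1   = '4af4dd2c3fa6bbbaf030d332272a7a8f955282ba'
    SHA256 = '2645294ea92c6b8c3aabc54025c24405d19084896e1b42400558cae506e07bfb'
}

function Test-InstallerDigest {
    # Hypothetical helper: hashes the file once per algorithm and compares
    # each result with the published value (case-insensitive hex compare).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Expected
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    foreach ($alg in $Expected.Keys) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash
        [pscustomobject]@{
            Algorithm = $alg
            Expected  = $Expected[$alg].ToLowerInvariant()
            Actual    = $actual.ToLowerInvariant()
            Match     = [string]::Equals($actual, $Expected[$alg],
                            [System.StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# Placeholder path: substitute the file actually downloaded from the customer portal.
$InstallerPath = 'C:\Temp\BeyondInsight_installer.exe'

$report = @(Test-InstallerDigest -Path $InstallerPath -Expected $Published)
$report | Format-Table -AutoSize

# MD5 and SHA-1 are not collision resistant, so SHA-256 is the deciding check;
# a mismatch on the weaker digests alone is still reported as a warning.
$sha256 = $report | Where-Object Algorithm -eq 'SHA256'
if (-not $sha256.Match) {
    throw "SHA-256 mismatch for $InstallerPath. Do not run this installer."
}
if ($report.Match -contains $false) {
    Write-Warning 'SHA-256 matches but a weaker digest does not; re-check the copied values.'
}

# The digests only show the file equals the one the vendor hashed. The
# Authenticode check is independent: it validates the publisher signature chain.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Authenticode status is '$($sig.Status)' for $InstallerPath."
}
'Digest and signature checks passed. Signer: {0}' -f $sig.SignerCertificate.Subject
```

Compare the signer subject printed at the end against the publisher name you expect before running the installer.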

6. Issues Resolved

========================================================================

6.6.0

- Fixed an issue terminating and closing active PBPS RDP sessions

- Fixed an issue with moving PBPS RDP sessions to a separate monitor

- Fixed an issue with PBPS SSH Direct Connect replays

- Fixed an issue with PBPS RDP Sessions with RDP Security enabled

- Fixed a multiplexing issue with PBPS SSH Sessions

- Fixed an issue with displaying non-active sessions as Active sessions

- Fixed an issue with creating managed systems for inactive platforms

- Fixed an issue with scheduled password changes for AD accounts

- Fixed an issue displaying linked accounts on PBPS portal

- Fixed an issue with Functional Accounts for workgroups

- Fixed mapping issues for Dedicated Accounts

- Fixed an issue changing the password on a Checkpoint system

- Fixed a session monitoring masking issue

- Fixed a format issue for NTLM authentication

- Fixed an issue with a missing Approve quick link

- Fixed an issue with updates to Functional Accounts

- Fixed an issue with changing passwords for Windows Scheduled Tasks

- Fixed an issue with testing password changes on custom platforms

- Fixed an issue with the Password Cache

- Fixed several issues with the SailPoint connector

- Fixed an issue using Entrust 2-factor authentication

- Fixed an ADFS login issue

- Fixed messaging around password failures on custom platforms

- Fixed an issue deleting an application

- Fixed an issue with SAML logins

- Fixed an issue with Syncing account passwords for PBW

- Fixed an issue launching multiple application sessions using the same managed account

- Fixed an issue with changing passwords on Windows Systems

- Fixed an issue with using RoyalITS for launching PBPS sessions

- Fixed a ServiceNow State validation issue

- Fixed an issue with Smart Rule processing

- Fixed an issue with configuring the preferred Domain Controller

- Fixed an issue with updating scheduled jobs

- Fixed an issue with enumerating Oracle users

- Fixed a duplicate asset issue

- Fixed an issue with target lists for scheduled scans

- Fixed an issue with scheduling scans

- Fixed a login issue using HSM

- Fixed an issue creating custom audit groups

- Fixed an issue updating the operating system of an asset

- Fixed an issue enumerating the operating system of an asset

- Fixed an issue enumerating user accounts

- Fixed a display issue on the Member of Group tab for an asset

- Fixed a display issue of an Asset's IP address

- Fixed a BeyondInsight database Configuration issue

- Fixed an issue with CPU usage.

- Fixed a data issue with the software report

- Fixed an issue with removing a database instance from an asset

- Fixed an issue displaying WSUS patches

- Fixed a purging issue

- Fixed a display issue for Address Groups

- Fixed a display issue in the Jobs grid

- Fixed a login issue for multi-tenant environments

- Fixed an issue with processing large ServiceNow imports

- Fixed an issue with PBW normalization

 

6.4.8

- Enforce global authentication for AMF remoting service to enhance security around AMF requests

- Ensured binary files are digitally signed

6.4.7

- Fixed an issue with the Analytics and Reporting daily job

- Fixed an issue with 2 factor authentication using the API

6.4.6

- Fixed a logging issue

- Fixed a functional account multi-tenancy issue

- Fixed an issue with Asset Metadata

- Fixed an issue with faded text in reports

- Fixed an issue with AD query availability

- Fixed an issue with the Date Picker for Subscriptions

- Fixed an access issue for administrators

- Fixed an issue with the built-in platform for Fortinet

- Fixed a licensing issue

- Fixed a data issue with the Vulnerability report

- Fixed an issue with the Web Console App Pool

- Fixed an SSRS email notification issue

- Fixed an issue on changing passwords from the Managed Accounts grid

- Fixed an issue with RDP sessions freezing and disconnecting

- Fixed an audit issue

- Fixed a performance issue with the PBW Rollup grid

- Fixed an issue with Dedicated Account Smart Rules

- Fixed a Radius authentication issue

- Fixed a PBW Session Monitoring display issue

- Fixed an issue displaying applications within the PBPS portal

- Fixed an issue with the daily sync

- Fixed a Users & Groups permission issue

6.4.4

- Prevent organizations from using reserved names (Global, Everyone)

- Fixed a connection issue for an Oracle Database instance

- Fixed an issue with failed scans

- Fixed an issue with managed Retina credentials

- Fixed Vulnerability last found / last updated date to display in local time

- Fixed an issue loading AD users for a given group

- Fixed an issue with displaying incorrect Domain data

- Fixed an issue with updating the Retina Host Security Scanner queue

- Fixed an issue displaying assets for VMWare cloud connector

- Fixed an issue with the BeyondInsight website getting stuck in initializing

- Fixed a login issue when BeyondInsight is FIPS enabled

- Fixed an issue with scheduled tasks disappearing from the asset grid

- Fixed an issue with Smart Rules reverting to a previously saved version

- Fixed an issue with updating AD Group changes

- Fixed an issue with displaying non-version information in the version field

- Fixed an out of memory issue for Class A Network Scans

- Fixed a display issue for disabled user accounts

- Fixed an issue with deleted assets incorrectly displaying under Scan Job Information

- Fixed an issue with incorrect IP addresses

- Fixed a Smart Rule counts issue

- Fixed a display issue with custom smart rules

- Fixed an issue displaying long Smart Rule name

- Fixed an RTD import issue

- Fixed an issue with Audit upgrades

- Fixed an excess CPU issue

- Fixed an issue with the way vulnerabilities get auto marked as fixed in BeyondInsight with the auto aging logic

- Fixed a timeout issue for long running Analytics and Reporting reports

- Fixed an issue with a vulnerability not being associated with an asset

- Fixed an issue with applying WSUS approved patches

- Fixed an issue with deleting PowerBroker for Windows user policies

- Fixed an issue with moving Policies between Policy groups under Protection Policies

- Fixed an issue with SOLR searches

- Fixed an issue with "Unknown" PowerBroker for Windows events displaying in custom reports

- Fixed a display issue for the PowerBroker for Windows/PowerBroker for Mac Rollup and All grids

- Fixed a sorting issue with the PowerBroker for Windows grid

- Fixed an issue with inserting Event data in bulk

- Fixed an issue with the PowerBroker for Password Safe import scan template displaying multiple values for changed attributes

- Fixed an issue where PBSMD consumes excess CPU

- Fixed an issue with trying to delete Cloud assets

- Fixed an issue using ALT characters in a password

- Fixed an issue with Password and Session Activity Report misreporting RDP requests

- Fixed a default port issue for the Smart Rule Action "Manage Assets using Password Safe"

- Fixed an issue to remove deleted Assets from Favorite tab of the PowerBroker Password Safe portal

- Fixed an issue with Password change options for Scheduled tasks

- Fixed an issue that could potentially lead to passwords getting out of sync with managed systems

- Fixed an issue where Direct Connect SSH failed for users due to a timeout in authentication

- Fixed an issue with password changes on AD functional accounts under Auto Management

- Fixed a CA Service desk connector issue

- Fixed an issue with RDP output displaying a dark screen

- Fixed an issue changing passwords for Oracle accounts

- Fixed an issue with inactive Smart Rules

- Fixed a keyboard language issue with RDP Direct Connect

- Fixed an issue launching an application session

- Fixed an issue with Application sessions connecting using DNS

- Fixed a permission issue with a member belonging to multiple groups

- Fixed a mouse lag issue with enhanced session monitoring

- Fixed an issue with removing a policy user

- Fixed an input issue on the Admin Session tab of the PowerBroker Password Safe portal

- Fixed an issue with managing MYSQL accounts

- Fixed a Telnet logon issue

- Fixed a display issue of Remote Applications

- Fixed a Smart Rules processing issue

- Fixed a concurrency error for password changes

- Fixed an issue that prevented custom platforms from working when connecting to systems on non-standard ssh ports

- Fixed an issue with changing passwords for AD managed accounts that do not have a SID

- Fixed a date format issue with connection profile alert emails

- Fixed an issue with sending email release notifications

- Fixed an issue with launching RDP sessions via PowerBroker for Password Safe when PowerBroker for Password Safe is FIPS enabled

- Fixed an issue with changing passwords on Linux machines

- Fixed an issue with deleted managed accounts

- Fixed an issue with scheduled password changes when using PowerBroker for Windows agents

- Fixed an issue with password checkouts using PowerBroker for Windows agents

 

6.3.1

- Fixed a performance issue with the vulnerabilities grid

- Fixed a duplication issue with Active Directory users

- Fixed a deadlock issue while processing scan data

- Fixed an Audit Group setting issue

- Fixed a sorting issue with Assigned Policies

- Fixed a duplicate asset issue generated from PBEPP 8.1 data

- Fixed an issue with purging stale email records

- Fixed an issue with scheduled tasks

- Fixed an issue with TempDB usage

- Fixed a purging issue

- Fixed an issue with loading Domain Linked accounts for Password Safe

- Fixed an issue with the Domain Joined Single Sign-On login page

- Fixed a custom platforms issue around functional accounts with elevated privileges

- Fixed a mapping issue with dedicated accounts

- Fixed an issue with the Auto Management failing on AD functional accounts

6.3

- Fixed an upgrade issue overwriting SAML configuration

- Fixed an issue with creating assets with the same name under different workgroups

- Fixed an issue with creating duplicate assets in error

- Fixed an issue with displaying duplicate assets in the Asset Grid

- Fixed an issue with Audit settings

- Fixed an issue with high CPU usage

- Fixed an issue with PBW processing of events

- Fixed an issue with replaying PBUL IO logs

- Fixed an issue with creating WSUS certificates

- Fixed a timeout issue on the Audit Viewer for Analytics and Reporting

- Fixed an issue with the print button not working for Analytics and Reporting

- Fixed a login issue when the user is part of multiple groups for Analytics and Reporting

- Fixed an issue with displaying HTML tags on the pre-login banner for Analytics and Reporting

- Fixed an issue with the Download logs button for Analytics and Reporting

- Fixed a data issue and timeout issue with the Password Safe Activity report within Analytics and Reporting

- Fixed an issue with report options displaying blank values for Analytics and Reporting

- Fixed an SSH Connection issue with FIPS enabled

- Fixed an invalid credential error during the check-in of SSH requests

- Fixed an issue with creating Account smart rules

- Fixed an issue executing Account smart rules

- Fixed an issue with deleting cloud systems when the Managed Account is linked to a remote application

- Fixed an issue with black screens displaying on RDP logout/disconnect

- Fixed an issue with users with the Auditor role being unable to request passwords or perform session management activities

- Fixed a display issue with dedicated accounts in the Password Safe grid

6.2.2

- Fixed an issue with Linked Accounts with applications being added to Database Assets

- Fixed an issue with onboarding Account Smart Rules

- Fixed an issue overwriting the web config file for Active Directory Federation Services when using the BeyondInsight Configuration tool

- Fixed an issue with upgrading Favorites on the Password Safe Portal grid

- Fixed an access issue with Favorites under the Password Safe Portal grid

- Fixed an authentication issue using the Active Directory Short Name

- Fixed an access issue for Cloud Accounts under the Password Safe Portal grid

 

Date of Release: 31 May 2018

Product Name: BeyondInsight

Updated Version: 6.4.8

Superseded Versions: 1.0.0-6.4.7

Table of Contents

1. Installation Prerequisite

2. What's New in This Release

3. Known Issues

4. General Notes

5. Release Availability

6. Current and Historical Issues Resolved

1. Installation/Upgrade Prerequisites

=======================================================================

PowerBroker for Windows users, prior to installing 6.4.8 please review the following knowledge base article:

https://beyondtrustsecurity.force.com/customer/articles/KB_Article/PBW-Policy-Editor-and-BI-6-4-4-ampersand-issue

BeyondTrust Partners can access the article from this link:

https://beyondtrustsecurity.force.com/partner/articles/KB_Article/PBW-Policy-Editor-and-BI-6-4-4-ampersand-issue

If BeyondInsight is installed on the BeyondTrust Security Management Virtual Appliances UVMv20 that were shipped between June 2014 and October 2016 (versions 1.2 - 1.5.9) and that have NOT been updated to 2.2.4 or higher, the following steps are required prior to installing BeyondInsight version 6.4.8 if upgrading from a version prior to 6.3.1:

1. RDP to UVMv20 (versions 1.2 - 1.5.9)

2. Start | Run | c:\oracle\uninstall.bat all myhome

3. Upgrade to 6.4.4

4. Reboot

Should you require the RDP code to access the UVMv20 (versions 1.2 - 1.5.9) and/or additional assistance, please contact BeyondTrust Customer Support.

2. What's New in 6.4.8

=======================================================================

GENERAL:

- Added a Single Sign-In page for BeyondInsight, Analytics and Reporting, and PowerBroker Password Safe

- Added a new Dashboard

- Added a new Navigation menu

- Added Create Date and Last Update Date to the Asset API

- Added API PUT <base>/Assets/{id}

- Added Operating System property to API Post assets

- Added Purging improvements for PowerBroker Unix/Linux

- Added purging of PowerBroker Identity Services data

- Additional files added to the BeyondInsight Support Package

- Added EventServer 4.0.3.6 to the BeyondInsight installation

- Added Installation improvements

- Added Clarity processing improvements

- Added purging improvements

- Added Database improvements

- Added Smart rule processing improvements

- Added performance improvements to the Vulnerability grid

- Added performance improvements to Asset Details

- Added Vulnerability based smart rules processing improvements

- Added Asset matching improvements

- Added PowerBroker for Windows grid improvements

- Added PowerBroker for Windows processing improvements

- Added ability to create User AD queries for PowerBroker for Windows licenses

- Added Host Scanner Grid Improvements

- Added ability to install onto an existing database

- Added All Policy Users smart rule

- Added PowerBroker for Windows User Policy smart rule

- Added User Based Policy Support for PowerBroker for Mac

- Added filtering to Smart Rules Grid

- Added ability to display top 100 Smart Groups

- Added ability to display top 100 User Groups

- Added ability to install BeyondInsight onto an existing database.

- Added Support for Windows Server 2016

- Added CVSS V3 Support

- Added Authentication Alerts to the Asset Grid

- Added a Label/Slot Selection under the Hardware Security Module configuration

- Added a Smart rule action to remove Remote Host Security Scan agents from a Host Scan Group

- Added a new template named Vulnerabilities Express Report

- Added support for Retina Network Security Scans Web Application scanning

- Added ability to change the web console URL

- Added Operating System information from PowerBroker for Windows Agents

- Added password reset to the BeyondInsight console

- Enhanced third party data imports to support new CSV formats from other vulnerability assessment vendors

- Enhanced third party imports to mark vulnerabilities as fixed as indicated per import

- Added warning to the Asset grid when a Retina Network Security Scanner is running on an unsupported operating system

- Added state validation to the ServiceNow Ticket system integration

ANALYTICS and REPORTING:

- Removed Classic Analytics and Reporting (Silverlight) website from BeyondInsight

- Added PowerBroker for Windows Policy and Policy XML to PowerBroker for Windows Rule data

- Removed PowerBroker for Windows UAC response from Analytics and Reporting

- Added user based policy data into Analytics and Reporting

- Added Login IDs to the PowerBroker for Windows True Up License Report

- Added Windows Event Description to the Windows Event Report

- Added CVSS v3 data to Analytics and Reporting

- Added a User Details Drill-through section which is available by clicking on username in reports for PowerBroker for Mac and PowerBroker for Windows

- Added Events by User and Rule for PowerBroker for Mac report

- Added Events by User and Rule for PowerBroker for Windows report

- Added Audit Group filter to Consolidated Remediation report

- Added Authentication Alert Summary report

- Added Authentication Alert by Smart Group report

- Changed the Password and Session activity report to display the Y axis values of the graph with whole numbers

- Added Asset Smart Rule details to the section displaying Entitlements by Smart Rule in the Entitlement by Group report

- Added ability to maintain SQL Max Concurrent Connections settings value after upgrade

- Improved diagnostic logging for A&R database

- Improved performance for A&R daily sync process

- Added User Clustering for Password Management to Clarity

- Pivot Grid Improvements:

  - Optionally enable charts

  - Pivot on data (swap rows/columns)

  - Export Pivot Grid charts

  - Apply sorting to saved JSON file

  - Indented columns

- Added Collapsible filters

- Added PBSudo reports

 

PowerBroker Password Safe:

- Added support for an encrypted connection to Oracle databases

- Added localization to the Password Safe portal for: Korean, Spanish, Portuguese, Japanese,

- PowerBroker Password Safe smart rule performance improvements

- Added the Max Concurrent Requests support to the Database platforms

- Added improvement to the Account Smart Rule Action

- Performance Improvements to Managed Account Smart Rule processing

- Added a Smart Rule information tab to the Managed Account area

- Added ability to select multiple accounts on the Accounts Grid

- Added Quick Groups to Existing Smart Rule Editor

- Added 3 tags to the 'Password change failure notification' email

- Added the ability to Audit copy and pasting of text via Session Management

- Improved SSH and RDP Session termination for Session Management

- Re-enabled X11 forwarding if required

- Added Support to manage PostgreSQL Accounts

- Added Support to allow for Identical Forest Names in different Organizations

- Added auditing for creation of and changes to Access Policies

- Added the ability to configure the "From" email address for email notifications

- Added Managed Account Description to the Account Cache

- Enabled Font Smoothing by default for RDP Sessions

- Added support for dependent services when managing service accounts

- Added option to allow bulk operation to unlink accounts in the Accounts grid

- Added option to allow bulk operation to delete accounts in the Accounts grid

- Added countdown timer to display on RDP and SSH Active Sessions

- Added support for Remote Proxy

- Added ‘Session Initialization Timeout’ attribute defaulted to 60 seconds to determine usable time of an RDP file

- Added the ability to specify the format of the username used when interacting with managed systems

- Added improvements for displaying Active Sessions

- Added support for SamAccount and User Principal Name for Functional Accounts

- Added option to turn off keystroke recordings

- Added option for enhanced session auditing

- Added 2 Factor Authentication support for DirectConnect

- Added ability to terminate SSH and RDP sessions

- Increased password rotation maximum limit to 999 days

- Added New reprocessing limits in the Smart Rule configuration for 1 hour, 6 hours, and 12 hours

- Added Reprocessing limit column to the Account Smart Rule tab and the Smart Rule Editor

- Added Reprocessing limit as a mouse-over to the Smart Group panel

- Added ability to perform concurrent requests for Cloud accounts

- Added permissions to the Password Safe menus and buttons

- Added ability to pass DNS for Applications

- Added support to use PowerBroker Password Safe Managed accounts when creating directory queries

- Added Unix/Linux host key verification

- Added Support for TLS Authentication for Proxy connections

- Added Auto-it token Pass Through

- Disabled SSH Session Multiplexing

- Added RDP Smart Card Redirect

- Suppressed operation emails for Password Cache

- Added ability for multiple application launches from checked out account

- Added Account description column to PBPS Portal

- Added 2 pre-defined Access Policies Connection Profiles: Lateral Movement and Suspicious Activity

- For API enhancements please see the API release notes

 

3. Known Issues

=======================================================================

- If a user is using Firefox 55 or newer, they may encounter a black screen upon their first visit to one of the Flex pages within the BeyondInsight web application. It may not be apparent that there is any user action possible from this black screen.

Resolution - When encountering this black screen, the user must click on the black area to show the "Activate Adobe Flash" link, and click it to allow the content to show. This activation step only needs to be done the first time a user visits a Flex area within the BeyondInsight web application.

- If Event Server 4.1.0.0 is missing from Programs and Features after a completed BeyondInsight 6.4.4 upgrade / install and reboot, re-launch the "BeyondInsight_6.4.4.222.exe" installer, which will re-install Event Server as one of its first actions. After this, when the BeyondInsight Setup window appears with the options for "Repair" or "Remove", close the window instead (using the 'X' in the top right-hand corner) and confirm that you want to close / cancel.

- PowerBroker for Windows - File Integrity Monitor events triggered by specific users always shown as system user or empty

- The audit group screen allows editing a smart rule-driven audit group, but the "Update" and other buttons are disabled. This is as intended; however, if changes are made and the user then clicks on another audit group, it will offer to save the changes. Saving them will work and will overwrite the audits picked by the smart rule.

- Reports run against live data with changes to exclusions will not show if running against stored data and selecting an earlier/specific report. The history of the exclusions is not stored, so the latest exclusions are always shown regardless of which past report on existing data is selected.

- Japanese - Unable to process data in ThirdParty Feed handler log

- The associated vulnerability or asset will not get inserted into the Remedy AR System when the exported data exceeds the default character form field length in Remedy. Workaround: Increase the form field length in Remedy.

- PBW Privileged Rule Impact Dashboard low-level drill-through is missing Argument data. When multiple PBW events take place in the same second, only the arguments from the first event found in the database will show in the lowest-level drill-through.

- Using the certificate installation MSI and then running the uninstall in "Add/Remove Programs" does not uninstall the certificate. This is by design and only uninstalls the certificate deployer.

- Scheduled scans in Chrome can be off by an hour. Disabling Chrome's PPAPI version of the Flash plugin will work around the issue (see chrome://plugins). The issue is not observed in Internet Explorer 9 or Firefox 15.

- When launching a Retina scan in BeyondInsight and host names are specified as targets, if any target host name cannot be resolved by the scanner, the job status may be reported as "Job Did Not Start" when, in fact, some of the targets were successfully scanned.

- Cloning a SmartRule with a Patch action in it will succeed but silently drop the Patch Action.

- Adding a second organization and then removing it will leave an "All Assets" SmartRule for "Default Organization". User can remove it manually.

- Organization information is not available on the Report screen.

- Users for which all the smart rules they have access to are either inactive or don't have the Smart Group action for a particular organization will be shown the choice of that organization on the Smart Group browser on the left, but if selected the browser will appear empty and the last accessible smart rule's asset will remain showing on the Asset grid.

- When editing the last remaining Smart Rule for an organization, and marking that Smart Rule as inactive, the Assets page will continue to display assets for that organization.

- Due to a dependency in the Local Publishing portion of the WSUS API, it is necessary for all WSUS resources (servers and consoles) to be at the same Service Pack level for WSUS. If not, the following error may appear in the ThirdPartyPatchSvc.txt log file: System.InvalidOperationException: Publishing operation failed because the console and remote server versions do not match.

- If a scheduled job includes a report and the associated smart rule is changed to use a set scanner action with two or more scanners, each scanner will produce a report for the portion of the scan it handled.

- If you have a scan job set up for a smart rule that is set to "Rule Level" distribution but only contains 1 scanner, you can set up the scan job with a report associated. If you later add additional scanners to the smart rule, the job will work but separate reports will appear for each scanner and may contain incomplete data.

- When connecting to a WSUS server that already has third party patches the Community edition will display these patches in addition to the free ones supported by the Community Edition.

- Choosing the option to modify the Products and Classifications for third party patches, the changes are made to all WSUS servers and not just the selected WSUS Server.

- Attempting to scan cloud assets with scanners that do not support cloud scanning will result in those cloud assets being ignored by the scanner.

- Recurring scheduled Benchmark Compliance reports will show historical data.

- A user who has duplicated a report template and for which other users have scheduled scan/reports for cannot be deleted.

- Patch Management: If WSUS and BeyondInsight are not installed on the C: drive, the Approved, Installed and Required Patches reports fail to generate.

- Patch Management: Smart groups that contain a large number of assets or patches may take a long time to render or may encounter a timeout error when retrieving data from the WSUS server when the patch view option is selected. In this situation it may serve better to use the asset view and drill into the patches on the asset level as needed.

- When viewing reports in Internet Explorer with script debugging enabled, you may occasionally see the JavaScript error message "'this._docMapSplitter' is null or not an object", but the report will continue to work normally.

- When using an IAVA license and running on existing data with the Non-Vulnerable audit status selected, for large groups of assets the report may fail with an "out of memory" error.

- When running a Ticket Report that returns a large number of Tickets and the option to include Assets and Notes has been selected, an "out of memory" error may result.

- When selecting report parameters and performing several selections and re-selections, parameters listed in grids may disappear. To restore missing parameters, click on the "Clear Filter" icon for that grid, or cancel the screen and re-enter.

- Smart Rules: Emailing alerts on smart rules that return extremely large asset counts (exact count will vary) may generate an email that exceeds what the email server will send. If this occurs, the user is not given any notice that the email wasn't sent.

- Assets Tab: The Assets and Agents grids are not able to filter on Protection Policy Name.

- Scan Restrictions: Changes made to Scan Restrictions in the scan agent UI are not reflected in the BeyondInsight UI.

- Scan: If a Protection Agent is installed on the same asset as a scanning agent, only the scan agent will be listed as a scanner in the run on existing data report parameters. However, scans from both will still be selectable.

- Benchmark Scan: If the scanning agent fails to complete a Benchmark scan for an asset, no xccdf-output.xml will be created, and no asset information will be displayed in the report.

- Benchmark Scans: Very large result files may not successfully be transferred from the scanner to BeyondInsight. The result files will still be available on the scanner agent file system. This will be fixed in a later release.

- When using Quick Scan Credentials for reports that have Job Metrics, the Credential Description will display as a GUID.

- Community: if a report returns more assets than the 256 allowed, the report may stay in the processing state.

- BeyondInsight may install on SQL Servers configured with a server that is not set to Latin Case Insensitive, but BeyondInsight does not support operating in that configuration and may not work correctly.

- The NT Authority\System account does not exist with SQL Server 2012; as a result, an invalid license message will appear when attempting to authenticate with an NT Authority\System

- Scheduled Benchmark Compliance Display No Data After an Upgrade and Needs Rescheduling

- Windows Server 2012 is a 64-bit only Operating System. When WSUS is installed, suscomp.dll is defined globally and loaded in every application pool. The BeyondInsight application pool is 32-bit and will result in the above error when the 64-bit suscomp.dll attempts to load.

Solution:

 

Option 1

-> Take IIS backup.

-> Open IIS Manager

-> Click on server module node at the top of the left hand tree and choose "Modules".

-> Right click on DynamicCompressionModule and choose "Unlock"

-> Right click on StaticCompressionModule and choose "Unlock".

-> Open Default Web Site -> Open Modules.

-> Right click on DynamicCompressionModule and choose "Remove".

-> Right click on StaticCompressionModule and choose "Remove".

-> Do IISRESET from an elevated/administrative command prompt.

 

Option 2

Install BeyondInsight and WSUS on separate 2012 servers

 

- Viewing a Report in IE 11 - Can't scroll to see all of report

- A Re-Start of SSAS is required if the SQL 2012 Servers do not have the .NET framework 4.5 installed prior to installing 5.X and the database has an instance name

- Error seen accessing web site on 2012R2 and 2012 server due to Asp.Net v4.0 restriction, which cannot be fixed by running the register command. To install ASP.NET 4.5 on Windows Server 2012, use one of the following options:

Run the following command from an administrative command prompt: dism /online /enable-feature /featurename:IIS-ASPNET45

For Windows Server 2012 computers, enable "IIS-ASPNET45" using Server Manager, under "Web Server (IIS) -> Web Server -> Application Development -> ASP.NET 4.5".

- Scanner selection doesn't work in multi-tenant; mark old scanners as inactive

- Updated permission changes to a logged in account will not be applied until the user is logged off

- Trying to create a smart rule with the same name as one that already exists as a different type (Asset/Vulnerability/Account) will give the following error: "This Smart Rule was not saved because an error occurred: Sequence contains no matching element"

- Patch Management - A user may receive a generic Error message in the BeyondInsight UI when using the Apply Patch Now button. The workaround is to use the Approve button or right-click menu option when selecting patches.

- Password Safe - HP iLO and iDRAC accounts are not currently discoverable; these accounts have to be manually added.

- Password Safe - Deprecated Change password options will still appear in Smart Rules containing the Managed Password Safe Accounts action.

The change password options in question are: Retrieve password, Allow SSH Connection, Allow RDP Connection, Record session.

These options have been migrated to Password Safe roles. However, they may still appear in an upgraded smart rule.

Removing the Manage Password Safe Account action and re-adding it will rectify the display issue.

- Password Safe - In situations where accounts are discovered and brought under automatic management via Password Safe Smart Rule actions with the "use current password to change password" option enabled, the password will never change due to the absence of the initial password. It is recommended that this option only be enabled in smart rules that are not using discovery options.

- Password Safe - In situations where the "Link domain accounts to managed systems" smart rule action is enabled in a Smart Rule containing the Active Directory query filter with the discover accounts option enabled, the Smart Rule may get stuck in a processing state. It is recommended that the "Link domain accounts to managed systems" action only be enabled in Smart Rules that are not utilizing the discover accounts option.

- Password Safe - The SAP asset cannot be managed via the smart rule. The asset can only be managed manually

 

- Password Safe - The Sybase.Charset archive may fail to decompress during install or upgrade on some environments. If using the Sybase platform for Password Safe management, the archive can be manually decompressed if needed.

- Scanning with DSS Keys using Retina Network Security Scanner version 5.23 and 5.23.1 will fail as a result of a public key authentication issue in Retina Network Security Scanner.

- Password Safe - if Functional Account is tied to a remote client asset (PBW), Functional Account password will not change

- Password Safe - SSHDirectConnect - unable to create sessions 1 minute 59 seconds before the Access Schedule expires, the Access Policy must extend to the current time plus the default request duration

- Password Safe - SSHDirectConnect - when Access Policy is set to Restrict Location the User is able to login from another location

- Password Safe - Using non-incremental keys in DSA or RSA causes auto managed key change to fail

- Password Safe - Keystrokes - Ctrl+Action (Ctrl+C) is being captured as ^C and attached to the beginning of the next keystroke

- Password Safe - Cannot delete cloud systems when the managed account is linked to a remote application. Workaround is to remove the link between the managed account and the remote application via the Managed Account Settings screen and then delete the cloud system.

- Password Safe - On occasion, proxy sessions will not fully release the request, and the sessions remain active and viewable within Active Sessions. Workaround: Within the BI server, locate all pbsmd.exe *32 processes and select End Process for each. This will remove the inactive sessions and remove them from the Active Sessions grid.

- Password Safe - a deleted system, if previously marked as a Favorite, will still display under Favorites until the system is removed from Favorites

- Password Safe - Cloud Applications sessions are not displaying within Active/Replay for an Administrator

- Password Safe - The new smart rule action called Account Name Format drop-down is not available for existing smart rules, if the action is required, then delete and re-add the Smart Rule Action

4. General Notes

=======================================================================

- BeyondInsight requires Adobe Flash Player 22.0 or higher

 

5. Release Availability

========================================================================

- This release is available for download by BeyondTrust customers (https://beyondtrustsecurity.force.com/customer/login) and through the BeyondTrust Auto-Updater.

The MD5 signature is: fe84d408e4a737d3b4c0836f71a7719f

The SHA-1 signature is: 504c68ff2d4c0336ae1cfaa4d74021cdf56c6a94

The SHA-256 signature is: 8363b85b248c4ddd2a380306f73964003683241883374260fd62a8ae5db4cb0a

6. Issues Resolved

========================================================================

6.4.8

- Enforce global authentication for AMF remoting service to enhance security around AMF requests

- Ensured binary files are digitally signed

6.4.7

- Fixed an issue with the Analytics and Reporting daily job

- Fixed an issue with 2 factor authentication using the API

6.4.6

- Fixed a logging issue

- Fixed a functional account multi-tenancy issue

- Fixed an issue with Asset Metadata

- Fixed an issue with faded text in reports

- Fixed an issue with AD query availability

- Fixed an issue with the Date Picker for Subscriptions

- Fixed an access issue for administrators

- Fixed an issue with the built-in platform for Fortinet

- Fixed a licensing issue

- Fixed a data issue with the Vulnerability report

- Fixed an issue with the Web Console App Pool

- Fixed an SSRS email notification issue

- Fixed an issue on changing passwords from the Managed Accounts grid

- Fixed an issue with RDP sessions freezing and disconnecting

- Fixed an audit issue

- Fixed a performance issue with the PBW Rollup grid

- Fixed an issue with Dedicated Account Smart Rules

- Fixed a Radius authentication issue

- Fixed a PBW Session Monitoring display issue

- Fixed an issue displaying applications within the PBPS portal

- Fixed an issue with the daily sync

- Fixed a Users & Groups permission issue

6.4.4

- Prevent organizations from using reserved names (Global, Everyone)

- Fixed a connection issue for an Oracle Database instance

- Fixed an issue with failed scans

- Fixed an issue with managed Retina credentials

- Fixed Vulnerability last found / last updated date to display in local time

- Fixed an issue loading AD users for a given group

- Fixed an issue with displaying incorrect Domain data

- Fixed an issue with updating the Retina Host Security Scanner queue

- Fixed an issue displaying assets for VMWare cloud connector

- Fixed an issue with the BeyondInsight website getting stuck in initializing

- Fixed a login issue when BeyondInsight is FIPS enabled

- Fixed an issue with scheduled tasks disappearing from the asset grid

- Fixed an issue with Smart Rules reverting to a previously saved version

- Fixed an issue with updating AD Group changes

- Fixed an issue with displaying non-version information in the version field

- Fixed an out of memory issue for Class A Network Scans

- Fixed a display issue for disabled user accounts

- Fixed an issue with deleted assets incorrectly displaying under Scan Job Information

- Fixed an issue with incorrect IP addresses

- Fixed a Smart Rule counts issue

- Fixed a display issue with custom smart rules

- Fixed an issue displaying long Smart Rule name

- Fixed an RTD import issue

- Fixed an issue with Audit upgrades

- Fixed an excess CPU issue

- Fixed an issue with the way vulnerabilities get auto marked as fixed in BeyondInsight with the auto aging logic

- Fixed a timeout issue for long running Analytics and Reporting reports

- Fixed an issue with a vulnerability not being associated with an asset

- Fixed an issue with applying WSUS approved patches

- Fixed an issue with deleting PowerBroker for Windows user policies

- Fixed an issue with moving Policies between Policy groups under Protection Policies

- Fixed an issue with SOLR searches

- Fixed an issue with "Unknown" PowerBroker for Windows events displaying in custom reports

- Fixed a display issue for the PowerBroker for Windows/PowerBroker for Mac Rollup and All grids

- Fixed a sorting issue with the PowerBroker for Windows grid

- Fixed an issue with inserting Event data in bulk

- Fixed an issue with the PowerBroker for Password Safe import scan template displaying multiple values for changed attributes

- Fixed an issue where PBSMD consumes excess CPU

- Fixed an issue with trying to delete Cloud assets

- Fixed an issue using ALT characters in a password

- Fixed an issue with Password and Session Activity Report misreporting RDP requests

- Fixed a default port issue for the Smart Rule Action "Manage Assets using Password Safe"

- Fixed an issue to remove deleted Assets from Favorite tab of the PowerBroker Password Safe portal

- Fixed an issue with Password change options for Scheduled tasks

- Fixed an issue that could potentially lead to passwords getting out of sync with managed systems

- Fixed an issue where Direct Connect SSH failed for users due to a timeout in authentication

- Fixed an issue with password changes on AD functional accounts under Auto Management

- Fixed a CA Service desk connector issue

- Fixed an issue with RDP output displaying a dark screen

- Fixed an issue changing passwords for Oracle accounts

- Fixed an issue with inactive Smart Rules

- Fixed a keyboard language issue with RDP Direct Connect

- Fixed an issue launching an application session

- Fixed an issue with Application sessions connecting using DNS

- Fixed a permission issue with a member belonging to multiple groups

- Fixed a mouse lag issue with enhanced session monitoring

- Fixed an issue with removing a policy user

- Fixed an input issue on the Admin Session tab of the PowerBroker Password Safe portal

- Fixed an issue with managing MYSQL accounts

- Fixed a Telnet logon issue

- Fixed a display issue of Remote Applications

- Fixed a Smart Rules processing issue

- Fixed a concurrency error for password changes

- Fixed an issue that prevented custom platforms from working when connecting to systems on non-standard ssh ports

- Fixed an issue with changing passwords for AD managed accounts that do not have a SID

- Fixed a date format issue with connection profile alert emails

- Fixed an issue with sending email release notifications

- Fixed an issue with launching RDP sessions via PowerBroker for Password Safe when PowerBroker for Password Safe is FIPS enabled

- Fixed an issue with changing passwords on Linux machines

- Fixed an issue with deleted managed accounts

- Fixed an issue with scheduled password changes when using PowerBroker for Windows agents

- Fixed an issue with password checkouts using PowerBroker for Windows agents

 

6.3.1

- Fixed a performance issue with the vulnerabilities grid

- Fixed a duplication issue with Active Directory users

- Fixed a deadlock issue while processing scan data

- Fixed an Audit Group setting issue

- Fixed a sorting issue with Assigned Policies

- Fixed a duplicate asset issue generated from PBEPP 8.1 data

- Fixed an issue with purging stale email records

- Fixed an issue with scheduled tasks

- Fixed an issue with TempDB usage

- Fixed a purging issue

- Fixed an issue with loading Domain Linked accounts for Password Safe

- Fixed an issue with the Domain Joined Single Sign-On login page

- Fixed a custom platforms issue around functional accounts with elevated privileges

- Fixed a mapping issue with dedicated accounts

- Fixed an issue with the Auto Management failing on AD functional accounts

6.3

- Fixed an upgrade issue overwriting SAML configuration

- Fixed an issue with creating assets with the same name under different workgroups

- Fixed an issue with creating duplicate assets in error

- Fixed an issue with displaying duplicate assets in the Asset Grid

- Fixed an issue with Audit settings

- Fixed an issue with high CPU usage

- Fixed an issue with PBW processing of events

- Fixed an issue with replaying PBUL IO logs

- Fixed an issue with creating WSUS certificates

- Fixed a timeout issue on the Audit Viewer for Analytics and Reporting

- Fixed an issue with the print button not working for Analytics and Reporting

- Fixed a login issue when the user is part of multiple groups for Analytics and Reporting

- Fixed an issue with displaying HTML tags on the pre-login banner for Analytics and Reporting

- Fixed an issue with the Download logs button for Analytics and Reporting

- Fixed a data issue and timeout issue with the Password Safe Activity report within Analytics and Reporting

- Fixed an issue with report options displaying blank values for Analytics and Reporting

- Fixed an SSH Connection issue with FIPS enabled

- Fixed an invalid credential error during the check-in of SSH requests

- Fixed an issue with creating Account smart rules

- Fixed an issue executing Account smart rules

- Fixed an issue with deleting cloud systems when the Managed Account is linked to a remote application

- Fixed an issue with black screens displaying on RDP logout/disconnect

- Fixed an issue with users with the Auditor role being unable to request passwords or perform session management activities

- Fixed a display issue with dedicated accounts in the Password Safe grid

6.2.2

- Fixed an issue with Linked Accounts with applications being added to Database Assets

- Fixed an issue with onboarding Account Smart Rules

- Fixed an issue overwriting the web config file for Active Directory Federation Services when using the BeyondInsight Configuration tool

- Fixed an issue with upgrading Favorites on the Password Safe Portal grid

- Fixed an access issue with Favorites under the Password Safe Portal grid

- Fixed an authentication issue using the Active Directory Short Name

- Fixed an access issue for Cloud Accounts under the Password Safe Portal grid

 

Date of Release: 19 March 2018

Product Name: BeyondInsight

Updated Version: 6.4.7

Superseded Versions: 1.0.0-6.4.6

Table of Contents

1. Installation Prerequisite

2. What's New in This Release

3. Known Issues

4. General Notes

5. Release Availability

6. Current and Historical Issues Resolved

1. Installation/Upgrade Prerequisites

=======================================================================

PowerBroker for Windows users: prior to installing 6.4.6, please review the following knowledge base article:

https://beyondtrustsecurity.force.com/customer/articles/KB_Article/PBW-Policy-Editor-and-BI-6-4-4-ampersand-issue

BeyondTrust Partners can access the article from this link:

https://beyondtrustsecurity.force.com/partner/articles/KB_Article/PBW-Policy-Editor-and-BI-6-4-4-ampersand-issue

If BeyondInsight is installed on the BeyondTrust Security Management Virtual Appliances UVMv20 that were shipped between June 2014 and October 2016 (versions 1.2 - 1.5.9) that have NOT been updated to 2.2.4 or higher, the following steps are required prior to installing BeyondInsight version 6.4.4 if upgrading from a version prior to 6.3.1:

1. RDP to UVMv20 (versions 1.2 - 1.5.9)

2. Start | Run | c:\oracle\uninstall.bat all myhome

3. Upgrade to 6.4.4

4. Reboot

Should you require the RDP code to access the UVMv20 (versions 1.2 - 1.5.9) and/or additional assistance, please contact BeyondTrust Customer Support.

2. What's New in 6.4.7

=======================================================================

GENERAL:

- Added a Single Sign-In page for BeyondInsight, Analytics and Reporting, and PowerBroker Password Safe

- Added a new Dashboard

- Added a new Navigation menu

- Added Create Date and Last Update Date to the Asset API

- Added API PUT <base>/Assets/{id}

- Added Operating System property to API Post assets

- Added Purging improvements for PowerBroker Unix/Linux

- Added purging of PowerBroker Identity Services data

- Additional files added to the BeyondInsight Support Package

- Added EventServer 4.0.3.6 to the BeyondInsight installation

- Added Installation improvements

- Added Clarity processing improvements

- Added purging improvements

- Added Database improvements

- Added Smart rule processing improvements

- Added performance improvements to the Vulnerability grid

- Added performance improvements to Asset Details

- Added Vulnerability based smart rules processing improvements

- Added Asset matching improvements

- Added PowerBroker for Windows grid improvements

- Added PowerBroker for Windows processing improvements

- Added ability to create User AD queries for PowerBroker for Windows licenses

- Added Host Scanner Grid Improvements

- Added ability to install to an existing database

- Added All Policy Users smart rule

- Added PowerBroker for Windows User Policy smart rule

- Added User Based Policy Support for PowerBroker for Mac

- Added filtering to Smart Rules Grid

- Added ability to display top 100 Smart Groups

- Added ability to display top 100 User Groups

- Added ability to install BeyondInsight onto an existing database.

- Added Support for Windows Server 2016

- Added CVSS V3 Support

- Added Authentication Alerts to the Asset Grid

- Added a Label/Slot Selection under the Hardware Security Module configuration

- Added a Smart rule action to remove Remote Host Security Scan agents from a Host Scan Group

- Added a new template named Vulnerabilities Express Report

- Added support for Retina Network Security Scans Web Application scanning

- Added ability to change the web console URL

- Added Operating System information from PowerBroker for Windows Agents

- Added password reset to the BeyondInsight console

- Enhanced third party data imports to support new CSV formats from other vulnerability assessment vendors

- Enhanced third party imports to mark vulnerabilities as fixed as indicated per import

- Added warning to the Asset grid when a Retina Network Security Scanner is running on an unsupported operating system

- Added state validation to the ServiceNow Ticket system integration

ANALYTICS and REPORTING:

- Removed Classic Analytics and Reporting (Silverlight) website from BeyondInsight

- Added PowerBroker for Windows Policy and Policy XML to PowerBroker for Windows Rule data

- Removed PowerBroker for Windows UAC response from Analytics and Reporting

- Added user based policy data into Analytics and Reporting

- Added Login IDs to the PowerBroker for Windows True Up License Report

- Added Windows Event Description to the Windows Event Report

- Added CVSS v3 data to Analytics and Reporting

- Added a User Details Drill-through section which is available by clicking on username in reports for PowerBroker for Mac and PowerBroker for Windows

- Added Events by User and Rule for PowerBroker for Mac report

- Added Events by User and Rule for PowerBroker for Windows report

- Added Audit Group filter to Consolidated Remediation report

- Added Authentication Alert Summary report

- Added Authentication Alert by Smart Group report

- Changed the Password and Session activity report to display the Y axis values of the graph with whole numbers

- Added Asset Smart Rule details to the section displaying Entitlements by Smart Rule in the Entitlement by Group report

- Added ability to maintain SQL Max Concurrent Connections settings value after upgrade

- Improved diagnostic logging for A&R database

- Improved performance for A&R daily sync process

- Added User Clustering for Password Management to Clarity

- Pivot Grid Improvements:

  - Optionally enable charts

  - Pivot on data (swap rows/columns)

  - Export Pivot Grid charts

  - Apply sorting to saved JSON file

  - Indented columns

- Added Collapsible filters

- Added PBSudo reports

 

PowerBroker Password Safe:

- Added support for an encrypted connection to Oracle databases

- Added localization to the Password Safe portal for: Korean, Spanish, Portuguese, Japanese,

- PowerBroker Password Safe smart rule performance improvements

- Added the Max Concurrent Requests support to the Database platforms

- Added improvement to the Account Smart Rule Action

- Performance Improvements to Managed Account Smart Rule processing

- Added a Smart Rule information tab to the Managed Account area

- Added ability to select multiple accounts on the Accounts Grid

- Added Quick Groups to Existing Smart Rule Editor

- Added 3 tags to the 'Password change failure notification' email

- Added the ability to Audit copy and pasting of text via Session Management

- Improved SSH and RDP Session termination for Session Management

- Re-enabled X11 forwarding if required

- Added Support to manage PostgreSQL Accounts

- Added Support to allow for Identical Forest Names in different Organizations

- Added auditing for creation of and changes to Access Policies

- Added the ability to configure the "From" email address for email notifications

- Added Managed Account Description to the Account Cache

- Enabled Font Smoothing by default for RDP Sessions

- Added support for dependent services when managing service accounts

- Added option to allow bulk operation to unlink accounts in the Accounts grid

- Added option to allow bulk operation to delete accounts in the Accounts grid

- Added countdown timer to display on RDP and SSH Active Sessions

- Added support for Remote Proxy

- Added ‘Session Initialization Timeout’ attribute defaulted to 60 seconds to determine usable time of an RDP file

- Added the ability to specify the format of the username used when interacting with managed systems

- Added improvements for displaying Active Sessions

- Added support for SamAccount and User Principal Name for Functional Accounts

- Added option to turn off keystroke recordings

- Added option for enhanced session auditing

- Added 2 Factor Authentication support for DirectConnect

- Added ability to terminate SSH and RDP sessions

- Increased password rotation maximum limit to 999 days

- Added New reprocessing limits in the Smart Rule configuration for 1 hour, 6 hours, and 12 hours

- Added Reprocessing limit column to the Account Smart Rule tab and the Smart Rule Editor

- Added Reprocessing limit as a mouse-over to the Smart Group panel

- Added ability to perform concurrent requests for Cloud accounts

- Added permissions to the Password Safe menus and buttons

- Added ability to pass DNS for Applications

- Added support to use PowerBroker Password Safe Managed accounts when creating directory queries

- Added Unix/Linux host key verification

- Added Support for TLS Authentication for Proxy connections

- Added Auto-it token Pass Through

- Disabled SSH Session Multiplexing

- Added RDP Smart Card Redirect

- Suppressed operation emails for Password Cache

- Added ability for multiple application launches from checked out account

- Added Account description column to PBPS Portal

- Added 2 pre-defined Access Policies Connection Profiles: Lateral Movement and Suspicious Activity

- For API enhancements please see the API release notes

 

3. Known Issues

=======================================================================

 

- If a user is using Firefox 55 or newer, they may encounter a black screen upon their first visit to one of the Flex pages within the BeyondInsight web application. It may not be apparent that there is any user action possible from this black screen.

Resolution - When encountering this black screen, the user must click on the black area to show the "Activate Adobe Flash" link, and click it to allow the content to show. This activation step only needs to be done the first time a user visits a Flex area within the BeyondInsight web application.

- If Event Server 4.1.0.0 is missing from Programs and Features after a completed BeyondInsight 6.4.4 upgrade/install and reboot, re-launch the "BeyondInsight_6.4.4.222.exe" installer, which will re-install Event Server as one of its first actions. After this, when the BeyondInsight Setup window appears with the options for "Repair" or "Remove", close the window instead (using the 'X' in the top right-hand corner) and confirm that you want to close/cancel.

- PowerBroker for Windows - File Integrity Monitor events triggered by specific users always shown as system user or empty

- The audit group screen allows editing a smart rule driven audit group, but the "Update" and other buttons are disabled. This is as intended, but if changes are made and the user then clicks on another audit group, it will offer to save the changes; saving them will work and will overwrite the audits picked by the smart rule.

- Reports run against live data with changes to exclusions will not show if running against stored data and selecting an earlier/specific report. The history of the exclusions is not stored, so the latest exclusions are always shown regardless of which past report is selected when running on existing data.

- Japanese - Unable to process data in ThirdParty Feed handler log

- The associated vulnerability or asset will not get inserted into the Remedy AR System when the exported data exceeds the default character form field length in Remedy. Workaround: Increase the form field length in Remedy.

- PBW Privileged Rule Impact Dashboard low level drill through is missing Argument data. When multiple PBW events take place in the same second, only the arguments from the first event found in the database will show in the lowest level drill-through.

- Using the certificate installation MSI and then running the uninstall in "Add/Remove Programs" does not uninstall the certificate. This is by design; the uninstall only removes the certificate deployer.

- Scheduled scans in Chrome can be off by an hour. Disabling Chrome's PPAPI version of the Flash plugin will work around the issue (see chrome://plugins). The issue is not observed in Internet Explorer 9 or Firefox 15.

- When launching a Retina scan in BeyondInsight and host names are specified as targets, if any target host name cannot be resolved by the scanner, the job status may be reported as "Job Did Not Start" when, in fact, some of the targets were successfully scanned.

- Cloning a SmartRule with a Patch action in it will succeed but silently drop the Patch Action.

- Adding a second organization and then removing it will leave an "All Assets" SmartRule for "Default Organization". User can remove it manually.

- Organization information is not available on the Report screen.

- Users for which all the smart rules they have access to are either inactive or don't have the Smart Group action for a particular organization will be shown the choice of that organization on the Smart Group browser on the left, but if selected the browser will appear empty and the last accessible smart rule's asset will remain showing on the Asset grid.

- When editing the last remaining Smart Rule for an organization, and marking that Smart Rule as inactive, the Assets page will continue to display assets for that organization.

- Due to a dependency in the Local Publishing portion of the WSUS API, it is necessary for all WSUS resources (servers and consoles) to be at the same Service Pack level for WSUS. If not, the following error may appear in the ThirdPartyPatchSvc.txt log file: System.InvalidOperationException: Publishing operation failed because the console and remote server versions do not match.

- If a scheduled job includes a report and the associated smart rule is changed to use a set scanner action with two or more scanners, each scanner will produce a report for the portion of the scan it handled.

- If you have a scan job set up for a smart rule that is set to "Rule Level" distribution but only contains 1 scanner, you can set up the scan job with a report associated. If you later add additional scanners to the smart rule, the job will work but separate reports will appear for each scanner and may contain incomplete data.

- When connecting to a WSUS server that already has third party patches the Community edition will display these patches in addition to the free ones supported by the Community Edition.

- Choosing the option to modify the Products and Classifications for third party patches, the changes are made to all WSUS servers and not just the selected WSUS Server.

- Attempting to scan cloud assets with scanners that do not support cloud scanning will result in those cloud assets being ignored by the scanner.

- Recurring scheduled Benchmark Compliance reports will show historical data.

- A user who has duplicated a report template for which other users have scheduled scan/reports cannot be deleted.

- Patch Management: If WSUS and BeyondInsight are not installed on the C: drive, the Approved, Installed and Required Patches reports fail to generate.

- Patch Management: Smart groups that contain a large number of assets or patches may take a long time to render or may encounter a timeout error when retrieving data from the WSUS server when the patch view option is selected. In this situation it may serve better to use the asset view and drill into the patches on the asset level as needed.

- When viewing reports in Internet Explorer with script debugging enabled, you may occasionally see the JavaScript error message "'this._docMapSplitter' is null or not an object", but the report will continue to work normally.

- When using an IAVA license and running on existing data with the Non-Vulnerable audit status selected, for large groups of assets the report may fail with an "out of memory" error.

- When running a Ticket Report that returns a large number of Tickets and the option to include Assets and Notes has been selected, an "out of memory" error may result.

- When selecting report parameters and performing several selections and re-selections, parameters listed in grids may disappear. To restore missing parameters, click on the "Clear Filter" icon for that grid, or cancel the screen and re-enter.

- Smart Rules: Emailing alerts on smart rules that return extremely large asset counts (exact count will vary) may generate an email that exceeds what the email server will send. If this occurs, the user is not given any notice that the email wasn't sent.

- Assets Tab: The Assets and Agents grids are not able to filter on Protection Policy Name.

- Scan Restrictions: Changes made to Scan Restrictions in the scan agent UI are not reflected in the BeyondInsight UI.

- Scan: If a Protection Agent is installed on the same asset as a scanning agent, only the scan agent will be listed as a scanner in the run on existing data report parameters. However, scans from both will still be selectable.

- Benchmark Scan: If the scanning agent fails to complete a Benchmark scan for an asset, no xccdf-output.xml will be created, and no asset information will be displayed in the report.

- Benchmark Scans: Very large result files may not successfully be transferred from the scanner to BeyondInsight. The result files will still be available on the scanner agent file system. This will be fixed in a later release.

- When using Quick Scan Credentials for reports that have Job Metrics, the Credential Description will display as a GUID.

- Community: if a report returns more assets than the 256 allowed, the report may stay in the processing state.

- BeyondInsight may install on SQL Servers configured with a server that is not set to Latin Case Insensitive, but BeyondInsight does not support operating in that configuration and may not work correctly.

- The NT Authority\System account does not exist with SQL Server 2012, as a result an invalid license message will appear when attempting to authenticate with an NT Authority\System

- Scheduled Benchmark Compliance Display No Data After an Upgrade and Needs Rescheduling

- Windows Server 2012 is a 64bit only Operating System. When WSUS is installed, suscomp.dll is defined globally and loaded in every application pool. The BeyondInsight application pool is 32bit and will result in the above error when the 64bit suscomp.dll attempts to load.

Solution:

 

Option 1

-> Take IIS backup.

-> Open IIS Manager

-> Click on server module node at the top of the left hand tree and choose "Modules".

-> Right click on DynamicCompressionModule and choose "Unlock"

-> Right click on StaticCompressionModule and choose "Unlock".

-> Open Default Web Site -> Open Modules.

-> Right click on DynamicCompressionModule and choose "Remove".

-> Right click on StaticCompressionModule and choose "Remove".

-> Do IISRESET from an elevated/administrative command prompt.

 

Option 2

Install BeyondInsight and WSUS on separate 2012 servers

 

- Viewing a Report in IE 11 - Can't scroll to see all of report

- A Re-Start of SSAS is required if the SQL 2012 Servers do not have the .NET framework 4.5 installed prior to installing 5.X and the database has an instance name

- Error seen accessing web site on 2012R2 and 2012 server due to Asp.Net v4.0 restriction, which cannot be fixed by running the register command. To install ASP.NET 4.5 on Windows Server 2012, use one of the following options:

Run the following command from an administrative command prompt: dism /online /enable-feature /featurename:IIS-ASPNET45

For Windows Server 2012 computers, enable "IIS-ASPNET45" using Server Manager, under "Web Server (IIS) -> Web Server -> Application Development -> ASP.NET 4.5".

- Scanner selection doesn't work in multi-tenant mark old scanners as inactive

- Updated permission changes to a logged in account will not be applied until the user is logged off

- Trying to create a smart rule with the same name as one that already exists as a different type (Asset/Vulnerability/Account) will give the following error:

"This Smart Rule was not saved because an error occurred: Sequence contains no matching element"

- Patch Management - A user may receive a generic Error message in the BeyondInsight UI when using the Apply Patch Now button. The workaround is to use the Approve button or right-click menu option when selecting patches.

- Password Safe - HP iLO and iDRAC accounts are not currently discoverable; these accounts have to be manually added.

- Password Safe - Deprecated Change password options will still appear in Smart Rules containing the Managed Password Safe Accounts action. The change password options in question are: Retrieve password, Allow SSH Connection, Allow RDP Connection, Record session. These options have been migrated to Password Safe roles. However, they may still appear in an upgraded smart rule. Removing the Manage Password Safe Account action and re-adding it will rectify the display issue.

- Password Safe - In situations where accounts are discovered and brought under automatic management via Password Safe Smart Rule actions with the "use current password to change password" option enabled, the password will never change due to the absence of the initial password. It is recommended that this option only be enabled in smart rules that are not using discovery options.

- Password Safe - In situations where the "Link domain accounts to managed systems" smart rule action is enabled in a Smart Rule containing the Active Directory query filter with the discover accounts option enabled, the Smart Rule may get stuck in a processing state. It is recommended that the "Link domain accounts to managed systems" action only be enabled in Smart Rules that are not utilizing the discover accounts option.

- Password Safe - The SAP asset cannot be managed via the smart rule. The asset can only be managed manually

 

- Password Safe - The Sybase.Charset archive may fail to decompress during install or upgrade on some environments. If using the Sybase platform for Password Safe management, the archive can be manually decompressed if needed.

- Scanning with DSS Keys using Retina Network Security Scanner version 5.23 and 5.23.1 will fail as a result of a public key authentication issue in Retina Network Security Scanner.

- Password Safe - if Functional Account is tied to a remote client asset (PBW), Functional Account password will not change

- Password Safe - SSHDirectConnect - unable to create sessions 1 minute 59 seconds before the Access Schedule expires; the Access Policy must extend to the current time plus the default request duration

- Password Safe - SSHDirectConnect - when Access Policy is set to Restrict Location the User is able to login from another location

- Password Safe - Using non-incremental keys in DSA or RSA causes auto managed key change to fail

- Password Safe - Keystrokes - Ctrl+Action (Ctrl+C) is being captured as ^C and attached to the beginning of the next keystroke

- Password Safe - Cannot delete cloud systems when the managed account is linked to a remote application. Workaround is to remove the link between the managed account and the remote application via the Managed Account Settings screen and then delete the cloud system.

- Password Safe - On occasion, proxy sessions will not fully release the request, and the sessions remain active and are viewable within Active Sessions. Workaround: On the BI server, locate all pbsmd.exe *32 processes and select End Process for each. This will end the inactive sessions and remove them from the Active Sessions grid.

- Password Safe - a deleted system, if previously marked as a Favorite, will still display under Favorites until the system is removed from Favorites

- Password Safe - Cloud Applications sessions are not displaying within Active/Replay for an Administrator

- Password Safe - The new smart rule action called Account Name Format drop-down is not available for existing smart rules. If the action is required, delete and re-add the Smart Rule Action.

- Password Safe - OneClick button and PS no longer works/clickable after first use for SSH within Win10/IE11

4. General Notes

=======================================================================

- BeyondInsight requires Adobe Flash Player 22.0 or higher

 

5. Release Availability

========================================================================

- This release is available for download by BeyondTrust customers (https://beyondtrustsecurity.force.com/customer/login) and through the BeyondTrust Auto-Updater.

The MD5 signature is: 8981c8f9124bcec0725525416f3d0144

The SHA-1 signature is: d93e6ddd5e9a6a4328175d284f4289bb749d5141

The SHA-256 signature is: 287b6531ce2db492bf50850e88b5ae358dbd0ba2055aead0cdee02a14917f113

6. Issues Resolved

========================================================================

6.4.7

- Fixed an issue with the Analytics and Reporting daily job

- Fixed an issue with Analytics and Reporting displaying pages with no data

- Fixed an issue with 2 factor authentication using the API

- Fixed an issue with RDP session failures when Microsoft patches are installed

- Fixed an issue with pbsmd where remote applications failed to launch with spaces in parameter path

6.4.6

- Fixed a logging issue

- Fixed a functional account multi-tenancy issue

- Fixed an issue with Asset Metadata

- Fixed an issue with faded text in reports

- Fixed an issue with AD query availability

- Fixed an issue with the Date Picker for Subscriptions

- Fixed an access issue for administrators

- Fixed an issue with the built-in platform for Fortinet

- Fixed a licensing issue

- Fixed a data issue with the Vulnerability report

- Fixed an issue with the Web Console App Pool

- Fixed an SSRS email notification issue

- Fixed an issue on changing passwords from the Managed Accounts grid

- Fixed an issue with RDP sessions freezing and disconnecting

- Fixed an audit issue

- Fixed a performance issue with the PBW Rollup grid

- Fixed an issue with Dedicated Account Smart Rules

- Fixed a Radius authentication issue

- Fixed a PBW Session Monitoring display issue

- Fixed an issue displaying applications within the PBPS portal

- Fixed an issue with the daily sync

- Fixed a Users & Groups permission issue

6.4.4

- Prevent organizations from using reserved names (Global, Everyone)

- Fixed a connection issue for an Oracle Database instance

- Fixed an issue with failed scans

- Fixed an issue with managed Retina credentials

- Fixed Vulnerability last found / last updated date to display in local time

- Fixed an issue loading AD users for a given group

- Fixed an issue with displaying incorrect Domain data

- Fixed an issue with updating the Retina Host Security Scanner queue

- Fixed an issue displaying assets for VMWare cloud connector

- Fixed an issue with the BeyondInsight website getting stuck in initializing

- Fixed a login issue when BeyondInsight is FIPS enabled

- Fixed an issue with scheduled tasks disappearing from the asset grid

- Fixed an issue with Smart Rules reverting to a previously saved version

- Fixed an issue with updating AD Group changes

- Fixed an issue with displaying non-version information in the version field

- Fixed an out of memory issue for Class A Network Scans

- Fixed a display issue for disabled user accounts

- Fixed an issue with deleted assets incorrectly displaying under Scan Job Information

- Fixed an issue with incorrect IP addresses

- Fixed a Smart Rule counts issue

- Fixed a display issue with custom smart rules

- Fixed an issue displaying long Smart Rule name

- Fixed an RTD import issue

- Fixed an issue with Audit upgrades

- Fixed an excess CPU issue

- Fixed an issue with the way vulnerabilities get auto marked as fixed in BeyondInsight with the auto aging logic

- Fixed a timeout issue for long running Analytics and Reporting reports

- Fixed an issue with a vulnerability not being associated with an asset

- Fixed an issue with applying WSUS approved patches

- Fixed an issue with deleting PowerBroker for Windows user policies

- Fixed an issue with moving Policies between Policy groups under Protection Policies

- Fixed an issue with SOLR searches

- Fixed an issue with "Unknown" PowerBroker for Windows events displaying in custom reports

- Fixed a display issue for the PowerBroker for Windows/PowerBroker for Mac Rollup and All grids

- Fixed a sorting issue with the PowerBroker for Windows grid

- Fixed an issue with inserting Event data in bulk

- Fixed an issue with the PowerBroker for Password Safe import scan template displaying multiple values for changed attributes

- Fixed an issue where PBSMD consumes excess CPU

- Fixed an issue with trying to delete Cloud assets

- Fixed an issue using ALT characters in a password

- Fixed an issue with Password and Session Activity Report misreporting RDP requests

- Fixed a default port issue for the Smart Rule Action "Manage Assets using Password Safe"

- Fixed an issue to remove deleted Assets from Favorite tab of the PowerBroker Password Safe portal

- Fixed an issue with Password change options for Scheduled tasks

- Fixed an issue that could potentially lead to passwords getting out of sync with managed systems

- Fixed an issue where Direct Connect SSH failed for users due to a timeout in authentication

- Fixed an issue with password changes on AD functional accounts under Auto Management

- Fixed a CA Service desk connector issue

- Fixed an issue with RDP output displaying a dark screen

- Fixed an issue changing passwords for Oracle accounts

- Fixed an issue with inactive Smart Rules

- Fixed a keyboard language issue with RDP Direct Connect

- Fixed an issue launching an application session

- Fixed an issue with Application sessions connecting using DNS

- Fixed a permission issue with a member belonging to multiple groups

- Fixed a mouse lag issue with enhanced session monitoring

- Fixed an issue with removing a policy user

- Fixed an input issue on the Admin Session tab of the PowerBroker Password Safe portal

- Fixed an issue with managing MySQL accounts

- Fixed a Telnet logon issue

- Fixed a display issue of Remote Applications

- Fixed a Smart Rules processing issue

- Fixed a concurrency error for password changes

- Fixed an issue that prevented custom platforms from working when connecting to systems on non-standard ssh ports

- Fixed an issue with changing passwords for AD managed accounts that do not have a SID

- Fixed a date format issue with connection profile alert emails

- Fixed an issue with sending email release notifications

- Fixed an issue with launching RDP sessions via PowerBroker for Password Safe when PowerBroker for Password Safe is FIPS enabled

- Fixed an issue with changing passwords on Linux machines

- Fixed an issue with deleted managed accounts

- Fixed an issue with scheduled password changes when using PowerBroker for Windows agents

- Fixed an issue with password checkouts using PowerBroker for Windows agents

 

6.3.1

- Fixed a performance issue with the vulnerabilities grid

- Fixed a duplication issue with Active Directory users

- Fixed a deadlock issue while processing scan data

- Fixed an Audit Group setting issue

- Fixed a sorting issue with Assigned Policies

- Fixed a duplicate asset issue generated from PBEPP 8.1 data

- Fixed an issue with purging stale email records

- Fixed an issue with scheduled tasks

- Fixed an issue with TempDB usage

- Fixed a purging issue

- Fixed an issue with loading Domain Linked accounts for Password Safe

- Fixed an issue with the Domain Joined Single Sign-On login page

- Fixed a custom platforms issue around functional accounts with elevated privileges

- Fixed a mapping issue with dedicated accounts

- Fixed an issue with the Auto Management failing on AD functional accounts

6.3

- Fixed an upgrade issue overwriting SAML configuration

- Fixed an issue with creating assets with the same name under different workgroups

- Fixed an issue with creating duplicate assets in error

- Fixed an issue with displaying duplicate assets in the Asset Grid

- Fixed an issue with Audit settings

- Fixed an issue with high CPU usage

- Fixed an issue with PBW processing of events

- Fixed an issue with replaying PBUL IO logs

- Fixed an issue with creating WSUS certificates

- Fixed a timeout issue on the Audit Viewer for Analytics and Reporting

- Fixed an issue with the print button not working for Analytics and Reporting

- Fixed a login issue when the user is part of multiple groups for Analytics and Reporting

- Fixed an issue with displaying HTML tags on the pre-login banner for Analytics and Reporting

- Fixed an issue with the Download logs button for Analytics and Reporting

- Fixed a data issue and timeout issue with the Password Safe Activity report within Analytics and Reporting

- Fixed an issue with report options displaying blank values for Analytics and Reporting

- Fixed an SSH Connection issue with FIPS enabled

- Fixed an invalid credential error during the check-in of SSH requests

- Fixed an issue with creating Account smart rules

- Fixed an issue executing Account smart rules

- Fixed an issue with deleting cloud systems when the Managed Account is linked to a remote application

- Fixed an issue with black screens displaying on RDP logout/disconnect

- Fixed an issue with users with the Auditor role being unable to request passwords or perform session management activities

- Fixed a display issue with dedicated accounts in the Password Safe grid

6.2.2

- Fixed an issue with Linked Accounts with applications being added to Database Assets

- Fixed an issue with onboarding Account Smart Rules

- Fixed an issue overwriting the web config file for Active Directory Federation Services when using the BeyondInsight Configuration tool

- Fixed an issue with upgrading Favorites on the Password Safe Portal grid

- Fixed an access issue with Favorites under the Password Safe Portal grid

- Fixed an authentication issue using the Active Directory Short Name

- Fixed an access issue for Cloud Accounts under the Password Safe Portal grid

 

Date of Release: 14 December 2017

Product Name: BeyondInsight

Updated Version: 6.4.4

Superseded Versions: 1.0.0-6.4.3

Table of Contents

1. Installation Prerequisite

2. What's New in This Release

3. Known Issues

4. General Notes

5. Release Availability

6. Current and Historical Issues Resolved

1. Installation/Upgrade Prerequisites

=======================================================================

PowerBroker for Windows users, prior to installing 6.4.4, please review the following knowledge base article:

https://beyondtrustsecurity.force.com/customer/articles/KB_Article/PBW-Policy-Editor-and-BI-6-4-4-ampersand-issue

BeyondTrust Partners can access the article from this link:

https://beyondtrustsecurity.force.com/partner/articles/KB_Article/PBW-Policy-Editor-and-BI-6-4-4-ampersand-issue

If BeyondInsight is installed on the BeyondTrust Security Management Virtual Appliances UVMv20 that were shipped between June 2014 and October 2016 (versions 1.2 - 1.5.9) that have NOT been updated to 2.2.4 or higher, the following steps are required prior to installing BeyondInsight version 6.4.4 if upgrading from a version prior to 6.3.1:

1. RDP to UVMv20 (versions 1.2 - 1.5.9)

2. Start | Run | c:\oracle\uninstall.bat all myhome

3. Upgrade to 6.4.4

4. Reboot

Should you require the RDP code to access the UVMv20 (versions 1.2 - 1.5.9) and/or additional assistance, please contact BeyondTrust Customer Support.

2. What's New in 6.4.4

=======================================================================

GENERAL:

- Added a Single Sign-In page for BeyondInsight, Analytics and Reporting, and PowerBroker Password Safe

- Added a new Dashboard

- Added a new Navigation menu

- Added Create Date and Last Update Date to the Asset API

- Added API PUT <base>/Assets/{id}

- Added Operating System property to API Post assets

- Added Purging improvements for PowerBroker Unix/Linux

- Added purging of PowerBroker Identity Services data

- Additional files added to the BeyondInsight Support Package

- Added EventServer 4.0.3.6 to the BeyondInsight installation

- Added Installation improvements

- Added Clarity processing improvements

- Added purging improvements

- Added Database improvements

- Added Smart rule processing improvements

- Added performance improvements to the Vulnerability grid

- Added performance improvements to Asset Details

- Added Vulnerability based smart rules processing improvements

- Added Asset matching improvements

- Added PowerBroker for Windows grid improvements

- Added PowerBroker for Windows processing improvements

- Added ability to create User AD queries for PowerBroker for Windows licenses

- Added Host Scanner Grid Improvements

- Added ability to install to an existing database

- Added All Policy Users smart rule

- Added PowerBroker for Windows User Policy smart rule

- Added User Based Policy Support for PowerBroker for Mac

- Added filtering to Smart Rules Grid

- Added ability to display top 100 Smart Groups

- Added ability to display top 100 User Groups

- Added ability to install BeyondInsight onto an existing database.

- Added Support for Windows Server 2016

- Added CVSS V3 Support

- Added Authentication Alerts to the Asset Grid

- Added a Label/Slot Selection under the Hardware Security Module configuration

- Added a Smart rule action to remove Remote Host Security Scan agents from a Host Scan Group

- Added a new template named Vulnerabilities Express Report

- Added support for Retina Network Security Scans Web Application scanning

- Added ability to change the web console URL

- Added Operating System information from PowerBroker for Windows Agents

- Added password reset to the BeyondInsight console

- Enhanced third party data imports to support new CSV formats from other vulnerability assessment vendors

- Enhanced third party imports to mark vulnerabilities as fixed as indicated per import

- Added warning to the Asset grid when a Retina Network Security Scanner is running on an unsupported operating system

ANALYTICS and REPORTING:

- Removed Classic Analytics and Reporting (Silverlight) website from BeyondInsight

- Added PowerBroker for Windows Policy and Policy XML to PowerBroker for Windows Rule data

- Removed PowerBroker for Windows UAC response from Analytics and Reporting

- Added user based policy data into Analytics and Reporting

- Added Login IDs to the PowerBroker for Windows True Up License Report

- Added Windows Event Description to the Windows Event Report

- Added CVSS v3 data to Analytics and Reporting

- Added a User Details Drill-through section which is available by clicking on username in reports for PowerBroker for Mac and PowerBroker for Windows

- Added Events by User and Rule for PowerBroker for Mac report

- Added Events by User and Rule for PowerBroker for Windows report

- Added Audit Group filter to Consolidated Remediation report

- Added Authentication Alert Summary report

- Added Authentication Alert by Smart Group report

- Changed the Password and Session activity report to display the Y axis values of the graph with whole numbers

- Added Asset Smart Rule details to the section displaying Entitlements by Smart Rule in the Entitlement by Group report

- Added ability to maintain SQL Max Concurrent Connections settings value after upgrade

- Improved diagnostic logging for A&R database

- Improved performance for A&R daily sync process

- Added User Clustering for Password Management to Clarity

- Pivot Grid Improvements:

- Optionally enable charts

- Pivot on data (swap rows/columns)

- Export Pivot Grid charts

- Apply sorting to saved JSON file

- Indented columns

- Added Collapsible filters

 

PowerBroker Password Safe:

- Added support for an encrypted connection to Oracle databases

- Added localization to the Password Safe portal for: Korean, Spanish, Portuguese, Japanese,

- PowerBroker Password Safe smart rule performance improvements

- Added the Max Concurrent Requests support to the Database platforms

- Added improvement to the Account Smart Rule Action

- Performance Improvements to Managed Account Smart Rule processing

- Added a Smart Rule information tab to the Managed Account area

- Added ability to select multiple accounts on the Accounts Grid

- Added Quick Groups to Existing Smart Rule Editor

- Added 3 tags to the 'Password change failure notification' email

- Added the ability to Audit copy and pasting of text via Session Management

- Improved SSH and RDP Session termination for Session Management

- Re-enabled X11 forwarding if required

- Added Support to manage PostgreSQL Accounts

- Added Support to allow for Identical Forest Names in different Organizations

- Added auditing for creation of and changes to Access Policies

- Added the ability to configure the "From" email address for email notifications

- Added Managed Account Description to the Account Cache

- Enabled Font Smoothing by default for RDP Sessions

- Added support for dependent services when managing service accounts

- Added option to allow bulk operation to unlink accounts in the Accounts grid

- Added option to allow bulk operation to delete accounts in the Accounts grid

- Added countdown timer to display on RDP and SSH Active Sessions

- Added support for Remote Proxy

- Added ‘Session Initialization Timeout’ attribute defaulted to 60 seconds to determine usable time of an RDP file

- Added the ability to specify the format of the username used when interacting with managed systems

- Added improvements for displaying Active Sessions

- Added support for SamAccount and User Principal Name for Functional Accounts

- Added option to turn off keystroke recordings

- Added option for enhanced session auditing

- Added 2 Factor Authentication support for DirectConnect

- Added ability to terminate SSH and RDP sessions

- Increased password rotation maximum limit to 999 days

- Added New reprocessing limits in the Smart Rule configuration for 1 hour, 6 hours, and 12 hours

- Added Reprocessing limit column to the Account Smart Rule tab and the Smart Rule Editor

- Added Reprocessing limit as a mouse-over to the Smart Group panel

- Added ability to perform concurrent requests for Cloud accounts

- Added permissions to the Password Safe menus and buttons

- Added ability to pass DNS for Applications

- Added support to use PowerBroker Password Safe Managed accounts when creating directory queries

- For API enhancements please see the API release notes

 

3. Known Issues

=======================================================================

- If a user is using Firefox 55 or newer, they may encounter a black screen upon their first visit to one of the Flex pages within the BeyondInsight web application. It may not be apparent that there is any user action possible from this black screen.

Resolution - When encountering this black screen, the user must click on the black area to show the "Activate Adobe Flash" link, and click it to allow the content to show. This activation step only needs to be done the first time a user visits a Flex area within the BeyondInsight web application.

- If Event Server 4.1.0.0 is missing from Programs and Features after a completed BeyondInsight 6.4.4 upgrade / install and reboot, re-launch the "BeyondInsight_6.4.4.222.exe" installer, which will re-install Event Server as one of its first actions. After this, when the BeyondInsight Setup window appears with the options for "Repair" or "Remove", close the window instead (using the 'X' in the top right-hand corner) and confirm that you want to close / cancel.

- PowerBroker for Windows - File Integrity Monitor events triggered by specific users are always shown as system user or empty

- The audit group screen allows editing a smart rule driven audit group, but the "Update" and other buttons are disabled. This is as intended; but if changes are made and the user then clicks on another audit group, it will offer to save the changes. Saving them will work and overwrite the audits picked by the smart rule.

- Changes to exclusions shown in reports run against live data will not show when running against stored data and selecting an earlier/specific report. The history of the exclusions is not stored, and the latest exclusions are always shown regardless of which past report on existing data is selected.

- Japanese - Unable to process data in ThirdParty Feed handler log

- The associated vulnerability or asset will not get inserted into the Remedy AR System when the exported data exceeds the default character form field length in Remedy. Workaround: Increase the form field length in Remedy.

- PBW Privileged Rule Impact Dashboard low level drill through is missing Argument data. When multiple PBW events take place in the same second, only the arguments from the first event found in the database will show in the lowest level drill-through.

- Using the certificate installation MSI and then running the uninstall in "Add/Remove Programs" does not uninstall the certificate. This is by design; the uninstall only removes the certificate deployer.

- Scheduled scans in Chrome can be off by an hour. Disabling Chrome's PPAPI version of the Flash plugin will work around the issue (see chrome://plugins). The issue is not observed in Internet Explorer 9 or Firefox 15.

- When launching a Retina scan in BeyondInsight and host names are specified as targets, if any target host name cannot be resolved by the scanner, the job status may be reported as "Job Did Not Start" when, in fact, some of the targets were successfully scanned.

- Cloning a SmartRule with a Patch action in it will succeed but silently drop the Patch Action.

- Adding a second organization and then removing it will leave an "All Assets" SmartRule for "Default Organization". User can remove it manually.

- Organization information is not available on the Report screen.

- Users for which all the smart rules they have access to are either inactive or don't have the Smart Group action for a particular organization will be shown the choice of that organization on the Smart Group browser on the left, but if selected the browser will appear empty and the last accessible smart rule's asset will remain showing on the Asset grid.

- When editing the last remaining Smart Rule for an organization, and marking that Smart Rule as inactive, the Assets page will continue to display assets for that organization.

- Due to a dependency in the Local Publishing portion of the WSUS API, it is necessary for all WSUS resources (servers and consoles) to be at the same Service Pack level for WSUS. If not, the following error may appear in the ThirdPartyPatchSvc.txt log file: System.InvalidOperationException: Publishing operation failed because the console and remote server versions do not match.

- If a scheduled job includes a report and the associated smart rule is changed to use a set scanner action with two or more scanners, each scanner will produce a report for the portion of the scan it handled.

- If you have a scan job set up for a smart rule that is set to "Rule Level" distribution but only contains 1 scanner, you can set up the scan job with a report associated. If you later add additional scanners to the smart rule, the job will work but separate reports will appear for each scanner and may contain incomplete data.

- When connecting to a WSUS server that already has third party patches the Community edition will display these patches in addition to the free ones supported by the Community Edition.

- Choosing the option to modify the Products and Classifications for third party patches, the changes are made to all WSUS servers and not just the selected WSUS Server.

- Attempting to scan cloud assets with scanners that do not support cloud scanning will result in those cloud assets being ignored by the scanner.

- Recurring scheduled Benchmark Compliance reports will show historical data.

- A user who has duplicated a report template and for which other users have scheduled scan reports cannot be deleted.

- Patch Management: If WSUS and BeyondInsight are not installed on the C: drive, the Approved, Installed and Required Patches reports fail to generate.

- Patch Management: Smart groups that contain a large number of assets or patches may take a long time to render or may encounter a timeout error when retrieving data from the WSUS server when the patch view option is selected. In this situation it may serve better to use the asset view and drill into the patches on the asset level as needed.

- When viewing reports in Internet Explorer with script debugging enabled, you may occasionally see the JavaScript error message "'this._docMapSplitter' is null or not an object", but the report will continue to work normally.

- When using an IAVA license and running on existing data with the Non-Vulnerable audit status selected, for large groups of assets the report may fail with an "out of memory" error.

- When running a Ticket Report that returns a large number of Tickets and the option to include Assets and Notes has been selected, an "out of memory" error may result.

- When selecting report parameters and performing several selections and re-selections, parameters listed in grids may disappear. To restore missing parameters, click on the "Clear Filter" icon for that grid, or cancel the screen and re-enter.

- Smart Rules: Emailing alerts on smart rules that return extremely large asset counts (exact count will vary) may generate an email that exceeds what the email server will send. If this occurs, the user is not given any notice that the email wasn't sent.

- Assets Tab: The Assets and Agents grids are not able to filter on Protection Policy Name.

- Scan Restrictions: Changes made to Scan Restrictions in the scan agent UI are not reflected in the BeyondInsight UI.

- Scan: If a Protection Agent is installed on the same asset as a scanning agent, only the scan agent will be listed as a scanner in the run on existing data report parameters. However, scans from both will still be selectable.

- Benchmark Scan: If the scanning agent fails to complete a Benchmark scan for an asset, no xccdf-output.xml will be created, and no asset information will be displayed in the report.

- Benchmark Scans: Very large result files may not successfully be transferred from the scanner to BeyondInsight. The result files will still be available on the scanner agent file system. This will be fixed in a later release.

- When using Quick Scan Credentials for reports that have Job Metrics, the Credential Description will display as a GUID.

- Community: if a report returns more assets than the 256 allowed, the report may stay in the processing state.

- BeyondInsight may install on SQL Servers configured with a server that is not set to Latin Case Insensitive, but BeyondInsight does not support operating in that configuration and may not work correctly.

- The NT Authority\System account does not exist with SQL Server 2012, as a result an invalid license message will appear when attempting to authenticate with an NT Authority\System

- Scheduled Benchmark Compliance Display No Data After an Upgrade and Needs Rescheduling

- Windows Server 2012 is a 64bit only Operating System. When WSUS is installed, suscomp.dll is defined globally and loaded in every application pool. The BeyondInsight application pool is 32bit and will result in the above error when the 64bit suscomp.dll attempts to load.

Solution:

 

Option 1

-> Take IIS backup.

-> Open IIS Manager

-> Click on server module node at the top of the left hand tree and choose "Modules".

-> Right click on DynamicCompressionModule and choose "Unlock"

-> Right click on StaticCompressionModule and choose "Unlock".

-> Open Default Web Site -> Open Modules.

-> Right click on DynamicCompressionModule and choose "Remove".

-> Right click on StaticCompressionModule and choose "Remove".

-> Do IISRESET from an elevated/administrative command prompt.

 

Option 2

Install BeyondInsight and WSUS on separate 2012 servers

 

- Viewing a Report in IE 11 - Can't scroll to see all of report

- A Re-Start of SSAS is required if the SQL 2012 Servers do not have the .NET framework 4.5 installed prior to installing 5.X and the database has an instance name

- Error seen accessing web site on 2012R2 and 2012 server due to Asp.Net v4.0 restriction, which cannot be fixed by running the register command. To install ASP.NET 4.5 on Windows Server 2012, use one of the following options:

Run the following command from an administrative command prompt: dism /online /enable-feature /featurename:IIS-ASPNET45

For Windows Server 2012 computers, enable "IIS-ASPNET45" using Server Manager, under "Web Server (IIS) -> Web Server ->Application Development -> ASP.NET 4.5".

- Scanner selection doesn't work in multi-tenant mark old scanners as inactive

- Updated permission changes to a logged in account will not be applied until the user is logged off

- Trying to create a smart rule with the same name as one that already exists as a different type (Asset/Vulnerability/Account) will give the following error

"This Smart Rule was not saved because an error occurred: Sequence contains no matching element"

- Patch Management - A user may receive a generic Error message in the BeyondInsight UI when using the Apply Patch Now button. The workaround is to use the Approve button or right-click menu option when selecting patches.

- Password Safe - HP iLO and iDRAC accounts are not currently discoverable; these accounts have to be manually added.

- Password Safe - Deprecated Change password options will still appear in Smart Rules containing the Managed Password Safe Accounts action.

The change password options in question are: Retrieve password, Allow SSH Connection, Allow RDP Connection, Record session.

These options have been migrated to password safe roles. However, they may still appear in an upgraded smart rule.

Removing the Manage Password Safe Account action and re-adding it will rectify the display issue.

- Password Safe - In situations where accounts are discovered and brought under automatic management via Password Safe Smart Rule actions with the "use current password to change password" option enabled, the password will never change due to the absence of the initial password. It is recommended that this option only be enabled in smart rules that are not using discovery options.

- Password Safe - In situations where the "Link domain accounts to managed systems" smart rule action is enabled in a Smart Rule containing the Active Directory query filter with the discover accounts option enabled, the Smart Rule may get stuck in a processing state. It is recommended that the "Link domain accounts to managed systems" action only be enabled in Smart Rules that are not utilizing the discover accounts option.

- Password Safe - The SAP asset cannot be managed via the smart rule. The asset can only be managed manually.

- Password Safe - The Sybase.Charset archive may fail to decompress during install or upgrade on some environments. If using the Sybase Platform for Password Safe management, the archive can be manually decompressed if needed.

- Scanning with DSS Keys using Retina Network Security Scanner version 5.23 and 5.23.1 will fail as a result of a public key authentication issue in Retina Network Security Scanner.

- Password Safe - if Functional Account is tied to a remote client asset (PBW), Functional Account password will not change

- Password Safe - SSHDirectConnect - unable to create sessions 1 minute 59 seconds before the Access Schedule expires, the Access Policy must extend to the current time plus the default request duration

- Password Safe - SSHDirectConnect - when Access Policy is set to Restrict Location the User is able to login from another location

- Password Safe - Using non-incremental keys in DSA or RSA causes auto managed key change to fail

- Password Safe - Keystrokes - Ctrl+Action (Ctrl+C) is being captured as ^C and attached to the beginning of the next keystroke

- Password Safe - Cannot delete cloud systems when the managed account is linked to a remote application. Workaround is to remove the link between the managed account and the remote application via the Managed Account Settings screen and then delete the cloud system.

- Password Safe - On occasion, proxy sessions will not fully release the request, and the sessions remain active and viewable within Active Sessions. Workaround: On the BI server, locate all pbsmd.exe *32 processes and select End Process for each. This will end the inactive sessions and remove them from the Active Sessions grid.

- Password Safe - a deleted system, if previously marked as a Favorite, will still display under Favorites until the system is removed from Favorites

- Password Safe - Cloud Applications sessions are not displaying within Active/Replay for an Administrator

- Password Safe - The new smart rule action called Account Name Format drop-down is not available for existing smart rules, if the action is required, then delete and re-add the Smart Rule Action


4. General Notes

=======================================================================

- BeyondInsight requires Adobe Flash Player 22.0 or higher

 

5. Release Availability

========================================================================

- This release is available for download by BeyondTrust customers (https://beyondtrustsecurity.force.com/customer/login) and through the BeyondTrust Auto-Updater.

The MD5 signature is: f810f975aebf770b979aeb7b419b2b44

The SHA-1 signature is: 3200c5ddd337dcabc245ee8c1cf2f3fd34045b48

The SHA-256 signature is: 1b3f4b439bccfe80dbfe6688300e51a12c8b60e2d665391243b1be6c61cf502c
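
To check a downloaded installer against the three digests published above before running it, the comparison can be scripted. This is an added example, not BeyondTrust tooling: the function name Test-PublishedDigest and the download path are assumptions, and it assumes the digests apply to the installer file named under Known Issues (BeyondInsight_6.4.4.222.exe).

```powershell
# Added example: verify a downloaded release file against the digests
# published in these release notes. Test-PublishedDigest and the path
# used below are illustrative names, not part of BeyondInsight.
function Test-PublishedDigest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Published   # algorithm name -> hex digest
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    foreach ($algorithm in $Published.Keys) {
        # Normalise the published value: strip whitespace, compare in upper case.
        $expected = ($Published[$algorithm] -replace '\s', '').ToUpperInvariant()
        try {
            $actual = (Get-FileHash -LiteralPath $Path -Algorithm $algorithm -ErrorAction Stop).Hash
            $status = if ($actual -eq $expected) { 'Match' } else { 'MISMATCH' }
        }
        catch {
            # An algorithm that cannot be computed on this host is reported, not skipped.
            $actual = $null
            $status = "Unavailable: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Algorithm = $algorithm
            Expected  = $expected
            Actual    = $actual
            Status    = $status
        }
    }
}

# Digests copied from the Release Availability section of these notes.
$published = @{
    MD5    = 'f810f975aebf770b979aeb7b419b2b44'
    SHA1   = '3200c5ddd337dcabc245ee8c1cf2f3fd34045b48'
    SHA256 = '1b3f4b439bccfe80dbfe6688300e51a12c8b60e2d665391243b1be6c61cf502c'
}

# Assumed download location; adjust to where the installer was saved.
$installer = Join-Path $env:USERPROFILE 'Downloads\BeyondInsight_6.4.4.222.exe'

$report = Test-PublishedDigest -Path $installer -Published $published
$report | Format-Table Algorithm, Status -AutoSize

# SHA-256 is the decisive check; MD5 and SHA-1 are collision-prone and only corroborate.
$sha256 = $report | Where-Object Algorithm -eq 'SHA256'
if ($sha256.Status -ne 'Match') {
    Write-Error 'SHA-256 does not match the published value; do not run this installer.'
}
```

Digests obtained over the same channel as the download detect corruption or a swapped file on a mirror, but not a compromise of the publishing site itself.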

6. Issues Resolved

========================================================================

6.4.4

- Prevent organizations from using reserved names (Global, Everyone)

- Fixed a connection issue for an Oracle Database instance

- Fixed an issue with failed scans

- Fixed an issue with managed Retina credentials

- Fixed Vulnerability last found / last updated date to display in local time

- Fixed an issue loading AD users for a given group

- Fixed an issue with displaying incorrect Domain data

- Fixed an issue with updating the Retina Host Security Scanner queue

- Fixed an issue displaying assets for VMWare cloud connector

- Fixed an issue with the BeyondInsight website getting stuck in initializing

- Fixed a login issue when BeyondInsight is FIPS enabled

- Fixed an issue with scheduled tasks disappearing from the asset grid

- Fixed an issue with Smart Rules reverting to a previously saved version

- Fixed an issue with updating AD Group changes

- Fixed an issue with displaying non-version information in the version field

- Fixed an out of memory issue for Class A Network Scans

- Fixed a display issue for disabled user accounts

- Fixed an issue with deleted assets incorrectly displaying under Scan Job Information

- Fixed an issue with incorrect IP addresses

- Fixed a Smart Rule counts issue

- Fixed a display issue with custom smart rules

- Fixed an issue displaying long Smart Rule name

- Fixed an RTD import issue

- Fixed an issue with Audit upgrades

- Fixed an excess CPU issue

- Fixed an issue with the way vulnerabilities get auto marked as fixed in BeyondInsight with the auto aging logic

- Fixed a timeout issue for long running Analytics and Reporting reports

- Fixed an issue with a vulnerability not being associated with an asset

- Fixed an issue with applying WSUS approved patches

- Fixed an issue with deleting PowerBroker for Windows user policies

- Fixed an issue with moving Policies between Policy groups under Protection Policies

- Fixed an issue with SOLR searches

- Fixed an issue with "Unknown" PowerBroker for Windows events displaying in custom reports

- Fixed a display issue for the PowerBroker for Windows/PowerBroker for Mac Rollup and All grids

- Fixed a sorting issue with the PowerBroker for Windows grid

- Fixed an issue with inserting Event data in bulk

- Fixed an issue with the PowerBroker for Password Safe import scan template displaying multiple values for changed attributes

- Fixed an issue where PBSMD consumes excess CPU

- Fixed an issue with trying to delete Cloud assets

- Fixed an issue using ALT characters in a password

- Fixed an issue with Password and Session Activity Report misreporting RDP requests

- Fixed a default port issue for the Smart Rule Action "Manage Assets using Password Safe"

- Fixed an issue to remove deleted Assets from Favorite tab of the PowerBroker Password Safe portal

- Fixed an issue with Password change options for Scheduled tasks

- Fixed an issue that could potentially lead to passwords getting out of sync with managed systems

- Fixed an issue where Direct Connect SSH failed for users due to a timeout in authentication

- Fixed an issue with password changes on AD functional accounts under Auto Management

- Fixed a CA Service desk connector issue

- Fixed an issue with RDP output displaying a dark screen

- Fixed an issue changing passwords for Oracle accounts

- Fixed an issue with inactive Smart Rules

- Fixed a keyboard language issue with RDP Direct Connect

- Fixed an issue launching an application session

- Fixed an issue with Application sessions connecting using DNS

- Fixed a permission issue with a member belonging to multiple groups

- Fixed a mouse lag issue with enhanced session monitoring

- Fixed an issue with removing a policy user

- Fixed an input issue on the Admin Session tab of the PowerBroker Password Safe portal

- Fixed an issue with managing MySQL accounts

- Fixed a Telnet logon issue

- Fixed a display issue of Remote Applications

- Fixed a Smart Rules processing issue

- Fixed a concurrency error for password changes

- Fixed an issue that prevented custom platforms from working when connecting to systems on non-standard ssh ports

- Fixed an issue with changing passwords for AD managed accounts that do not have a SID

- Fixed a date format issue with connection profile alert emails

- Fixed an issue with sending email release notifications

- Fixed an issue with launching RDP sessions via PowerBroker for Password Safe when PowerBroker for Password Safe is FIPS enabled

- Fixed an issue with changing passwords on Linux machines

- Fixed an issue with deleted managed accounts

- Fixed an issue with scheduled password changes when using PowerBroker for Windows agents

- Fixed an issue with password checkouts using PowerBroker for Windows agents

 

6.3.1

- Fixed a performance issue with the vulnerabilities grid

- Fixed a duplication issue with Active Directory users

- Fixed a deadlock issue while processing scan data

- Fixed an Audit Group setting issue

- Fixed a sorting issue with Assigned Policies

- Fixed a duplicate asset issue generated from PBEPP 8.1 data

- Fixed an issue with purging stale email records

- Fixed an issue with scheduled tasks

- Fixed an issue with TempDB usage

- Fixed a purging issue

- Fixed an issue with loading Domain Linked accounts for Password Safe

- Fixed an issue with the Domain Joined Single Sign-On login page

- Fixed a custom platforms issue around functional accounts with elevated privileges

- Fixed a mapping issue with dedicated accounts

- Fixed an issue with the Auto Management failing on AD functional accounts

6.3

- Fixed an upgrade issue overwriting SAML configuration

- Fixed an issue with creating assets with the same name under different workgroups

- Fixed an issue with creating duplicate assets in error

- Fixed an issue with displaying duplicate assets in the Asset Grid

- Fixed an issue with Audit settings

- Fixed an issue with high CPU usage

- Fixed an issue with PBW processing of events

- Fixed an issue with replaying PBUL IO logs

- Fixed an issue with creating WSUS certificates

- Fixed a timeout issue on the Audit Viewer for Analytics and Reporting

- Fixed an issue with the print button not working for Analytics and Reporting

- Fixed a login issue when the user is part of multiple groups for Analytics and Reporting

- Fixed an issue with displaying HTML tags on the pre-login banner for Analytics and Reporting

- Fixed an issue with the Download logs button for Analytics and Reporting

- Fixed a data issue and timeout issue with the Password Safe Activity report within Analytics and Reporting

- Fixed an issue with report options displaying blank values for Analytics and Reporting

- Fixed an SSH Connection issue with FIPS enabled

- Fixed an invalid credential error during the check-in of SSH requests

- Fixed an issue with creating Account smart rules

- Fixed an issue executing Account smart rules

- Fixed an issue with deleting cloud systems when the Managed Account is linked to a remote application

- Fixed an issue with black screens displaying on RDP logout/disconnect

- Fixed an issue with users with the Auditor role being unable to request passwords or perform session management activities

- Fixed a display issue with dedicated accounts in the Password Safe grid

6.2.2

- Fixed an issue with Linked Accounts with applications being added to Database Assets

- Fixed an issue with onboarding Account Smart Rules

- Fixed an issue overwriting the web config file for Active Directory Federation Services when using the BeyondInsight Configuration tool

- Fixed an issue with upgrading Favorites on the Password Safe Portal grid

- Fixed an access issue with Favorites under the Password Safe Portal grid

- Fixed an authentication issue using the Active Directory Short Name

- Fixed an access issue for Cloud Accounts under the Password Safe Portal grid

 

Date of Release: 13 June 2017

Product Name: BeyondInsight

Updated Version: 6.3.1

Superseded Versions: 1.0.0-6.3.0

Table of Contents

1. Installation Prerequisite

2. What's New in This Release

3. Known Issues

4. General Notes

5. Release Availability

6. Current and Historical Issues Resolved

1. Installation/Upgrade Prerequisites

=======================================================================

If BeyondInsight is installed on the BeyondTrust Security Management Virtual Appliances UVMv20 that were shipped between June 2014 and October 2016 (versions 1.2 - 1.5.9), the following steps are required prior to installing BeyondInsight version 6.3.1:

1. RDP to UVMv20 (versions 1.2 - 1.5.9)

2. Start | Run | c:\oracle\uninstall.bat all myhome

3. Upgrade to 6.3.1

4. Reboot

Should you require the RDP code to access the UVMv20 (versions 1.2 - 1.5.9) and/or additional assistance, please contact BeyondTrust Customer Support.

2. What's New in 6.3.1

=======================================================================

GENERAL:

- Adding API registration for BeyondInsight licenses

- The following APIs will be available for BeyondInsight licenses:

  - Access Levels

  - Assets

  - Attribute Types

  - Environmental Metrics

  - Imports

  - Smart Rules - also added OrganizationID in response body

  - User Groups

  - Users

  - Vulnerabilities

  - Vulnerability References

  - Workgroups

- Added Kenna enhancements

- Added PowerBroker for Windows User Based Policy Smart Rule

- Added the ability to assign PowerBroker for Windows Policies to Users

- Added a Policy tab containing PowerBroker for Windows policies

- Additional purging improvements

- Added performance improvements to the User Audits screen

- Error Messaging Improvements

- Removed Send Feedback link from the Help menu

- Installation and Upgrade improvements

- Reduced message traffic for scans

- Central Policy caching improvements

- Added functionality that prevents the deletion of child Smart Rules

 

ANALYTICS and REPORTING:

- Added Workstation Hardening Security report

- Added Superseded Patches report

- Added Managed Services Provider Usage Summary

- Added User type and password fields to the Account Password Age Report

- Added an optional "Parameters" section to the Extended Vulnerability Export report and the Vulnerability Delta by Month report

- Added filter for Severity to the Vulnerability Risk report and the Exploit Details Export report

- Added Error Messaging improvements

- Added HTML 5 Pivot Grid Functionality

- Added HTML 5 Threat Analyzer

- Added Report Styling

- Added Navigation Improvements

PowerBroker Password Safe:

- Added Multi-Account Checkout functionality for Admin Sessions

- Added 'Node' column to the PowerBroker Password Safe Portal

- PowerBroker Password Safe Active Sessions User Interface Improvements

- Added functionality to Manage Windows Scheduled Tasks

- Performance Improvements made to the BeyondInsight console for the Managed Accounts grid, Linked Accounts grid, and Synced Accounts grid

- Performance Improvements made to the 'Recent Assets not in Password Safe' Smart Rule

- Performance Improvements made to RDP file sessions

- Added messaging to Direct Connect (RDP/SSH)

- Disabled weak legacy SSH ciphers by default. See the PowerBroker Password Safe documentation to re-enable them if required.

- API - Added paging to APIs - Get Assets and Get ManagedSystems

- API - Added MaxConcurent Property to Post\Get Managed Accounts

- Added a ServiceNow JAR file to access the API

- RDP Direct Connect 2 Factor Authentication

- Database Optimizations

- Added support for an encrypted connection to Oracle's databases

 

3. Known Issues

=======================================================================

- PowerBroker for Windows - File Integrity Monitor events triggered by specific users always shown as system user or empty

- The audit group screen will allow editing a smart rule driven audit group, but the "Update" and other buttons are disabled. This is as intended; however, if changes are made and the user then clicks on another audit group, it will offer to save the changes. Saving them will work and overwrite the audits picked by the smart rule.

- Reports run against live data with changes to exclusions will not show if running against stored data and selecting an earlier/specific report. The history of the exclusions is not being stored and will always show the latest regardless of report on existing data past report selections.

- Japanese - Unable to process data in ThirdParty Feed handler log

- The associated vulnerability or asset will not get inserted into the Remedy AR System when the exported data exceeds the default character form field length in Remedy. Workaround: Increase the form field length in Remedy.

- Analytics and Reporting: When configuring Retina Insight on a UVM20, if you receive a "The specified network name is no longer available" error, you may need to reboot the appliance to apply a necessary configuration change.

- Analytics and Reporting: In the unlikely event that the source BeyondInsight database is changed, please delete your Retina Insight database before running the Configuration Wizard in Retina Insight to ensure correct functionality.

- Attempting to configure Retina Insight on a server without the "Server" service running can result in a network related error message while validating credentials. To work around this issue, either run the Server service for the duration of configuring Analytics and Reporting, or prefix the username with an invalid machine or domain name (e.g. invalid\Administrator).

- Analytics and Reporting: In IE10, some of the bars do not have a link to the sub-report.

When compatibility mode is enabled in IE10, there are no issues with clicking the bars to see the sub-report.

- PBW Privileged Rule Impact Dashboard low level drill-through is missing Argument data. When multiple PBW events take place in the same second, only the arguments from the first event found in the database will show in the lowest level drill-through.

- Using the certificate installation MSI and then running the uninstall in "Add/Remove Programs" does not uninstall the certificate. This is by design and only uninstalls the certificate deployer.

- Scheduled scans in Chrome can be off by an hour. Disabling Chrome's PPAPI version of the Flash plugin will work around the issue (see chrome://plugins). The issue is not observed in Internet Explorer 9 or Firefox 15.

- When launching a Retina scan in BeyondInsight and host names are specified as targets, if any target host name cannot be resolved by the scanner the job status may be reported as "Job Did Not Start" when, in fact, some of the targets were successfully scanned.

- Cloning a SmartRule with a Patch action in it will succeed but silently drop the Patch Action.

- Adding a second organization and then removing it will leave an "All Assets" SmartRule for "Default Organization". User can remove it manually.

- Organization information is not available on the Report screen.

- Users for which all the smart rules they have access to are either inactive or don't have the Smart Group action for a particular organization will be shown the choice of that organization on the Smart Group browser on the left, but if selected the browser will appear empty and the last accessible smart rule's asset will remain showing on the Asset grid.

- When editing the last remaining Smart Rule for an organization, and marking that Smart Rule as inactive, the Assets page will continue to display assets for that organization.

- Due to a dependency in the Local Publishing portion of the WSUS API, it is necessary for all WSUS resources (servers and consoles) to be at the same Service Pack level for WSUS. If not, the following error may appear in the ThirdPartyPatchSvc.txt log file: System.InvalidOperationException: Publishing operation failed because the console and remote server versions do not match.

- If a scheduled job includes a report and the associated smart rule is changed to use a set scanner action with two or more scanners, each scanner will produce a report for the portion of the scan it handled.

- If you have a scan job set up for a smart rule that is set to "Rule Level" distribution but only contains 1 scanner, you can set up the scan job with a report associated. If you later add additional scanners to the smart rule, the job will work but separate reports will appear for each scanner and may contain incomplete data.

- When connecting to a WSUS server that already has third party patches the Community edition will display these patches in addition to the free ones supported by the Community Edition.

- Choosing the option to modify the Products and Classifications for third party patches, the changes are made to all WSUS servers and not just the selected WSUS Server.

- Attempting to scan cloud assets with scanners that do not support cloud scanning will result in those cloud assets being ignored by the scanner.

- Recurring scheduled Benchmark Compliance reports will show historical data.

- Upgrades may prevent Saved Report Views from rendering if parameters have changed. You can delete and then re-create the Saved Report View to address this.

- A user who has duplicated a report template and for which other users have scheduled scan reports for cannot be deleted.

- Patch Management: If WSUS and BeyondInsight are not installed on the C: drive, the Approved, Installed and Required Patches reports fail to generate.

- Patch Management: Smart groups that contain a large number of assets or patches may take a long time to render or may encounter a timeout error when retrieving data from the WSUS server when the patch view option is selected. In this situation it may serve better to use the asset view and drill into the patches on the asset level as needed.

- When viewing reports in Internet Explorer with script debugging enabled, you may occasionally see the JavaScript error message "'this._docMapSplitter' is null or not an object", but the report will continue to work normally.

- When using an IAVA license and running on existing data with the Non-Vulnerable audit status selected, for large groups of assets the report may fail with an "out of memory" error.

- When running a Ticket Report that returns a large number of Tickets and the option to include Assets and Notes has been selected, an "out of memory" error may result.

- When selecting report parameters and performing several selections and re-selections, parameters listed in grids may disappear. To restore missing parameters, click on the "Clear Filter" icon for that grid, or cancel the screen and re-enter.

- Smart Rules: Emailing alerts on smart rules that return extremely large asset counts (exact count will vary) may generate an email that exceeds what the email server will send. If this occurs, the user is not given any notice that the email wasn't sent.

- Assets Tab: The Assets and Agents grids are not able to filter on Protection Policy Name.

- Scan Restrictions: Changes made to Scan Restrictions in the scan agent UI are not reflected in the BeyondInsight UI.

- Scan: If a Protection Agent is installed on the same asset as a scanning agent, only the scan agent will be listed as a scanner in the run on existing data report parameters. However, scans from both will still be selectable.

- Benchmark Scan: If the scanning agent fails to complete a Benchmark scan for an asset, no xccdf-output.xml will be created, and no asset information will be displayed in the report.

- Benchmark Scans: Very large result files may not successfully be transferred from the scanner to BeyondInsight. The result files will still be available on the scanner agent file system. This will be fixed in a later release.

- When using Quick Scan Credentials for reports that have Job Metrics, the Credential Description will display as a GUID.

- Community: if a report returns more assets than the 256 allowed, the report may stay in the processing state.

- BeyondInsight may install on SQL Servers configured with a server that is not set to Latin Case Insensitive, but BeyondInsight does not support operating in that configuration and may not work correctly.

- The NT Authority\System account does not exist with SQL Server 2012, as a result an invalid license message will appear when attempting to authenticate with an NT Authority\System

- Scheduled Benchmark Compliance Display No Data After an Upgrade and Needs Rescheduling

- Windows Server 2012 is a 64bit only Operating System. When WSUS is installed, suscomp.dll is defined globally and loaded in every application pool. The BeyondInsight application pool is 32bit and will result in the above error when the 64bit suscomp.dll attempts to load.

Solution:

 

Option 1

-> Take IIS backup.

-> Open IIS Manager

-> Click on server module node at the top of the left hand tree and choose "Modules".

-> Right click on DynamicCompressionModule and choose "Unlock"

-> Right click on StaticCompressionModule and choose "Unlock".

-> Open Default Web Site -> Open Modules.

-> Right click on DynamicCompressionModule and choose "Remove".

-> Right click on StaticCompressionModule and choose "Remove".

-> Do IISRESET from an elevated/administrative command prompt.

 

Option 2

Install BeyondInsight and WSUS on separate 2012 servers

 

- Viewing a Report in IE 11 - Can't scroll to see all of report

- A Re-Start of SSAS is required if the SQL 2012 Servers do not have the .NET framework 4.5 installed prior to installing 5.X and the database has an instance name

- An error is seen when accessing the web site on 2012R2 and 2012 servers due to an ASP.NET v4.0 restriction, which cannot be fixed by running the register command. To install ASP.NET 4.5 on Windows Server 2012, use one of the following options:

Run the following command from an administrative command prompt: dism /online /enable-feature /featurename:IIS-ASPNET45

For Windows Server 2012 computers, enable "IIS-ASPNET45" using Server Manager, under "Web Server (IIS) -> Web Server ->Application Development -> ASP.NET 4.5".

- Scanner selection doesn't work in multi-tenant mark old scanners as inactive

- Updated permission changes to a logged in account will not be applied until the user is logged off

- Trying to create a smart rule with the same name as one that already exists as a different type (Asset/Vulnerability/Account) will give the following error: "This Smart Rule was not saved because an error occurred: Sequence contains no matching element"

- Patch Management - A user may receive a generic Error message in the BeyondInsight UI when using the Apply Patch Now button. The workaround is to use the Approve button or right-click menu option when selecting patches.

- Password Safe - HP iLO and iDRAC accounts are not currently discoverable; these accounts have to be manually added.

- Password Safe - Deprecated Change password options will still appear in Smart Rules containing the Managed Password Safe Accounts action.

The change password options in question are: Retrieve password, Allow SSH Connection, Allow RDP Connection, Record session.

These options have been migrated to Password Safe roles. However, they may still appear in an upgraded Smart Rule.

Removing the Manage Password Safe Account action and re-adding it will rectify the display issue.

- Password Safe - In situations where accounts are discovered and brought under automatic management via Password Safe Smart Rule actions with the "use current password to change password" option enabled, the password will never change due to the absence of the initial password. It is recommended that this option only be enabled in smart rules that are not using discovery options.

- Password Safe - In situations where the "Link domain accounts to managed systems" smart rule action is enabled in a Smart Rule containing the Active Directory query filter with the discover accounts option enabled, the Smart Rule may get stuck in a processing state. It is recommended that the "Link domain accounts to managed systems" action only be enabled in Smart Rules that are not utilizing the discover accounts option.

- Password Safe - The SAP asset cannot be managed via the smart rule. The asset can only be managed manually

- Password Safe - The Sybase.Charset archive may fail to decompress during install or upgrade on some environments. If using the Sybase Platform for Password Safe management, the archive can be manually decompressed if needed.

- Scanning with DSS Keys using Retina Network Security Scanner version 5.23 and 5.23.1 will fail as a result of a public key authentication issue in Retina Network Security Scanner.

- Password Safe - if Functional Account is tied to a remote client asset (PBW), Functional Account password will not change

- Password Safe - SSHDirectConnect - unable to create sessions 1 minute 59 seconds before the Access Schedule expires, the Access Policy must extend to the current time plus the default request duration

- Password Safe - SSHDirectConnect - when Access Policy is set to Restrict Location the User is able to login from another location

- Password Safe - Using non incremental keys in DSA or RSA causes auto managed key change to fail

- Password Safe - Keystrokes - Ctrl+Action (Ctrl+C) is being captured as ^C and attached to the beginning of the next keystroke

- Password Safe - Cannot delete cloud systems when the managed account is linked to a remote application. Workaround is to remove the link between the managed account and the remote application via the Managed Account Settings screen and then delete the cloud system.

- Password Safe - On occasion, proxy sessions will not fully release the request, and the sessions remain active and viewable within Active Sessions. Workaround: Within the BI server, locate all pbsmd.exe *32 processes and select End Process for each. This will remove the inactive sessions and remove them from the Active Sessions grid.

- Password Safe - a deleted system, if previously marked as a Favorite, will still display under Favorites until the system is removed from Favorites

- Password Safe - Cloud Applications sessions are not displaying within Active/Replay for an Administrator

- If the Pre Login Banner is set to Show Banner, but no message is configured, the Accept button will not show up. Workaround: be sure to configure both a title and a message before setting Show Banner = Yes.

- Analytics and Reporting (Pivot Grid) - Clearing or manually removing a measure from the pivot grid does not reset the measure group filter. As a result, the available dimensions may be limited. Workaround: Choose another measure group to reload the list of available dimensions, or reload the pivot grid.

- Analytics and Reporting (Pivot Grid) - If you attempt to save a custom report with only rows and columns selected, but no measure selected, the save action will error out with a message stating "Invalid Request". Workaround: add a measure to the grid and try saving the report again.

- BeyondInsight Permissions, clicking a Group Read\Write check box is checking a different box

- Password Safe - After upgrading BeyondInsight / Password Safe 6.3.1 on some older virtual UVMs, a 500 error may occur in the browser when attempting to connect to the BeyondInsight or Password Safe web sites.

Reboot after 6.3.1 upgrade (if not already done)

Remove Oracle – RDP to appliance Start | Run | c:\oracle\uninstall.bat all myhome.

Should you require the RDP code to access the UVMv20 (versions 1.4 - 1.5.9) and/or additional assistance, please contact BeyondTrust Customer Support.

4. General Notes

=======================================================================

- BeyondInsight requires Adobe Flash Player 10 or later.

- Classic Analytics and Reporting requires Microsoft Silverlight 5.0 or later.

5. Release Availability

========================================================================

- This release is available for download by BeyondTrust customers (http://www.eeye.com/clients) and using the BeyondTrust Auto-Updater.

The MD5 signature is: 209a54ade1997b44ff437832091e3bfb

The SHA-1 signature is: e9b7befb5cdeb64bc430d6bb6c307f48ed0140b0

The SHA-256 signature is: 425c9f3ea696d3fbffa2ba9a820b5b46774aac7786200e76fc1a128a5e00b1af

6. Issues Resolved

========================================================================

6.3.1

- Fixed a performance issue with the vulnerabilities grid

- Fixed a duplication issue with Active Directory users

- Fixed a deadlock issue while processing scan data

- Fixed an Audit Group setting issue

- Fixed a sorting issue with Assigned Policies

- Fixed a duplicate asset issue generated from PBEPP 8.1 data

- Fixed an issue with purging stale email records

- Fixed an issue with scheduled tasks

- Fixed an issue with TempDB usage

- Fixed a purging issue

- Fixed an issue with loading Domain Linked accounts for Password Safe

- Fixed an issue with the Domain Joined Single Sign-On login page

- Fixed a custom platforms issue around functional accounts with elevated privileges

- Fixed a mapping issue with dedicated accounts

- Fixed an issue with the Auto Management failing on AD functional accounts

6.3

- Fixed an upgrade issue overwriting SAML configuration

- Fixed an issue with creating assets with the same name under different workgroups

- Fixed an issue with creating duplicate assets in error

- Fixed an issue with displaying duplicate assets in the Asset Grid

- Fixed an issue with Audit settings

- Fixed an issue with high CPU usage

- Fixed an issue with PBW processing of events

- Fixed an issue with replaying PBUL IO logs

- Fixed an issue with creating WSUS certificates

- Fixed a timeout issue on the Audit Viewer for Analytics and Reporting

- Fixed an issue with the print button not working for Analytics and Reporting

- Fixed a login issue when the user is part of multiple groups for Analytics and Reporting

- Fixed an issue with displaying HTML tags on the pre-login banner for Analytics and Reporting

- Fixed an issue with the Download logs button for Analytics and Reporting

- Fixed a data issue and timeout issue with the Password Safe Activity report within Analytics and Reporting

- Fixed an issue with report options displaying blank values for Analytics and Reporting

- Fixed an SSH Connection issue with FIPS enabled

- Fixed an invalid credential error during the check-in of SSH requests

- Fixed an issue with creating Account smart rules

- Fixed an issue executing Account smart rules

- Fixed an issue with deleting cloud systems when the Managed Account is linked to a remote application

- Fixed an issue with black screens displaying on RDP logout/disconnect

- Fixed an issue with users with the Auditor role being unable to request passwords or perform session management activities

- Fixed a display issue with dedicated accounts in the Password Safe grid

6.2.2

- Fixed an issue with Linked Accounts with applications being added to Database Assets

- Fixed an issue with onboarding Account Smart Rules

- Fixed an issue overwriting the web config file for Active Directory Federation Services when using the BeyondInsight Configuration tool

- Fixed an issue with upgrading Favorites on the Password Safe Portal grid

- Fixed an access issue with Favorites under the Password Safe Portal grid

- Fixed an authentication issue using the Active Directory Short Name

- Fixed an access issue for Cloud Accounts under the Password Safe Portal grid

6.2.1

- Fixed an issue with updating the Always group on all scanners

- Fixed an issue with viewing reports in the Report viewer

- Fixed an issue with displaying the correct Address group

- Fixed an issue with connection details for the ActiveSync connector

- Fixed an issue with the Extended Vulnerability Report

- Fixed an issue with Retina RTD imports

- Fixed an issue with the Splunk asset importer connector

- Fixed an issue with refreshing the Active and Scheduled tabs

- Fixed an issue with nested Asset Selection criteria for Smart Rules

- Fixed an issue with a white bar displaying on the bottom of BeyondInsight console after re-sizing the window using the Chrome browser

- Fixed an issue with using special characters in a password for authenticated scans

- Fixed an issue with the order of viewing screenshots for PowerBroker for Windows Session Monitoring

- Fixed an issue with exporting data from the PowerBroker for Windows Events Grid

- Fixed an issue with the Password and Session Activity report

- Fixed an issue with Windows events when the BeyondInsight database is offline

- Fixed an issue with SQL deadlocks on PowerBroker Password Safe API calls

- Fixed an issue with the re-ordering of columns on the PowerBroker Password Safe portal

- Fixed an issue with the Print button not working with Internet Explorer when BeyondInsight is installed on a server with SQL Server 2012 installed

6.2

- Improved performance on the PowerBroker PasswordSafe Request Details screen

- Fixed an issue with opening a PowerBroker PasswordSafe SSH Session

- Fixed an issue with Managed Accounts with Linux machines under PowerBroker PasswordSafe management

- Fixed an issue initiating Retina Host Security Scans

- Fixed an issue with Analytics and Reporting Daily jobs failing

- Fixed a formatting issue with IBM QRadar

- Fixed an issue with aliases for the PowerBroker PasswordSafe cache

- Fixed a font display issue on the BeyondInsight console

- Fixed handling of an invalid character in the Path field

- Fixed an issue with inactive Smart Rules and deleted asset Smart Rules

- Fixed an issue with updating an existing Account Smart Rule

- Fixed an issue with slow loading Smart Rules

- Fixed an issue with configuring round robin scans from BeyondInsight

- Fixed an issue with RTD imports

- Fixed an issue with specifying HTTPS URL for proxy in the BeyondInsight console

- Fixed an issue with viewing the Imports grid from the Job screen

- Fixed an issue of adding a SAP system with Instance number 00 under PowerBroker PasswordSafe

- Fixed an issue with testing and password changes for SAP accounts

- Fixed issues with event processing

- Fixed issues with normalization of PowerBroker for Windows events

- Fixed an issue with API POST Assets for asset matching

- Fixed an issue with Asset APIs returning latest MacAddress

- Fixed an issue with API POST FunctionalAccounts and ElevationCommand validation

- Fixed an issue with API POST ManagedAccounts validation

- Fixed an issue with API POST Auth/SignAppin

- Fixed an issue with missing PowerBroker for Unix/Linux events

- Fixed an issue with smart rule processing of PowerBroker for Windows events

- Fixed an issue with Dedicated Account Smart Rule using similar usernames causing 'Multiple Matches Error'

- Fixed a configuration issue of Functional Accounts

- Fixed a configuration issue with Active Directory and the Use SSL option

- Fixed a concurrency error with managing Oracle accounts

- Fixed an issue with deleting a cloned custom platform

- Fixed a messaging issue with the configuration of Active Directory groups

- Fixed an issue with special characters in PowerBroker for Unix/Linux events

- Fixed an issue with creating and deleting address groups

- Fixed an issue with purging PowerBroker for Unix/Linux events

- Fixed the Cluster Analysis report drill-through

6.0.2

- Fixed an issue with Keystroke for router devices not being consumed

- Fixed an issue with PBMac report

- Fixed an SSHKey enumeration issue

- Fixed a login issue with Analytics and Reporting and a Clarity login issue

- Fixed a Clarity Edge Browser issue

- Fixed a Clarity indexing issue

- Fixed an issue with adding AD users when 2 factor auth is enabled

- Configuration fix for disabling Management console

- Fixed an issue with Benchmark Syncing

- Fixed a Retina Host Scanner Upgrade issue

- Fixed an issue with Retina Host Scanner Scanners group

- Central Policy v2 value fix for RNSS 5.25.1

- Fixed a 3rd party import issue with Operating System Name

- Fixed an issue with Command line enumeration

- Fixed an upgrade issue with Remedy connector

- Fixed a Custom platform issue

- Workday fix

- Fixed a display issue with Request Grid along with optimizations

- Fixed an issue with dedicated account smart rules

- AD login optimizations

- Fixed an AD test prior to the RDP session

- Removed the SSH Application Managed Account Credential check

- Additional fixes for CA Service Desk

- Fixed false positive Managed account test results

6.0.1

- Fixed issues around VMware scanning

- Fixed an issue around displaying Malware for non-Vulnerability Management licenses

- Fixed an issue around Smart Rule names containing special characters

- Fixed an issue around Exclusion Reporting

- Fixed an issue around Chart Area Data

- Fixed an issue around options for "Upgrades" in Patch Management not being available

- Fixed an issue around Vulnerability status not updating after scans completed

- Fixed an issue around exporting PowerBroker for Windows events

- Fixed an issue around viewing IP addresses scanned from AWS

- Fixed an issue around filtering on multi-tenant/organization

- Fixed an issue around Multi-factor Authentication tokens

- Fixed issues around PowerBroker for Windows events processing

- Fixed issues around purging

- Fixed issues around 3rd Party imports

- Fixed issue with possible vulnerability duplicates on the Vulnerability Export report

- Fixed issue with displaying ticket system for a request

- Fixed display issue under Password Safe System configuration

- Fixed a usability issue for Access Policy user configuration

- Fixed an issue on item context for adding Functional Accounts

- Fixed an issue displaying User's time on Password Safe Session Recordings

- Fixed an issue displaying LDAP user telephone numbers

- Fixed Time-zone issues with Password Safe Access Policy

- Improved Password Safe API error messaging

- Fixed display issue with Audit information

- Fixed duplicate assets issues

- Error Messaging improvements

- Fixed multiple display issues with PowerBroker for Unix/Linux reports

- Fixed multiple issues with Clarity\Top 10 threat level reports

- Fixed a paging issue with Account\Account Delta by Month

- Fixed data issue with the Vulnerability Delta by Month Report

- Fixed issue around displaying correct values for duration for reporting jobs

- Fixed an issue with the Account Password Age report timing out

- Fixed an issue with missing MAC Addresses from Vulnerability Export report

5.8.2

- Fixed an issue with creating an SSH ticket through the public API

- Fixed an issue with Password Safe - Reset Password for Forgot Password

- Fixed an issue with selecting date parameters for reporting

- Fixed an issue with the BeyondSaaS connector

- Fixed an issue with the audit export functionality

- Fixed an issue with displaying Requestor on the Password Session and Activity report

- Fixed an issue with displaying duplicate PowerBroker for Windows events

- Fixed an issue with adding PasswordSafe Aliases

- Fixed an issue with the Clarity - Top 10 Users by Threat Level PowerBroker for Windows events drillthrough

- Fixed an issue with downloading the Support package

- Fixed a timeout issue when testing an HPUX account

- Fixed an issue with Password Safe proxy where RDP session to a 2012 standard server caused session to hang

- Fixed an issue where user was unable to copy and paste text from local system to Password Safe proxy RDP session

- Fixed an issue with Password Safe proxy RDP redraw issue

- Fixed an issue with Password Safe proxy screen artifacts when the workstation is Win7 mstsc (6.1.7601) connecting to a Windows 2008 system (6.3.9600/6.1.7601)

- Fixed a custom audits refresh issue in the Audit Manager tab

- Fixed an OS information issue from File Integrity Monitoring Events