Syspeace 2.7.0

April 03, 2017

Detection improvements

  • Added a way for Syspeace to do enhanced IP address detection of SSL-based RDP communication, which would otherwise not be detected, on Windows Server 2008 and 2008 R2. This workaround is off by default but can be turned on in Settings → Rules → General.
  • Improved the part of Syspeace’s engine that correlates Windows logon audit events lacking IP addresses with RDPCore event log entries, giving better accuracy in detecting successful and failed RDP login attempts on Windows Server 2012 and 2012 R2.
  • Added the setting “Coalesce repetitive Windows network login success entries” to mitigate repetitive “success” login entries issued by file servers on every file operation.
  • Fixed a rare race condition in the Windows login detector logic that would cause Syspeace to crash when matching events while new events were being read.

Other changes and bug fixes

  • Improved database design to drastically reduce the size of the Syspeace database, especially when many blocks are present and/or blocks are added, removed or changed often.
  • Added the ability to export entries out of the local blacklist in a simple format by selecting them and copying them.
  • Added the ability to import entries into the local blacklist by pasting them into the list in the same format as when copying.
  • Syspeace now attempts to use TLS 1.2 when .NET Framework 4.5 or later is installed.
  • Fixed an incompatibility issue with newer versions of SQL Server that would prevent Syspeace from starting.
  • Fixed an incompatibility issue with a Syspeace dependency.