Syspeace 2.7.0

April 03, 2017

Detection improvements

• Added a way for Syspeace to do enhanced IP address detection of SSL-based RDP communication, which would otherwise not be detected, on Windows Server 2008 and 2008 R2. This workaround is off by default but can be turned on in Settings → Rules → General.
• Improved the part of Syspeace’s engine responsible for correlating Windows logon audit events without IP addresses with RDPCore event logs for better accuracy in detecting RDP-related successful and failed login attempts on Windows Server 2012 and 2012 R2.
• Added the setting “Coalesce repetitive Windows network login success entries” to mitigate repetitive “success” login entries issued by file servers on every file operation.
• Fixed a rare race condition in the Windows login detector logic that would cause Syspeace to crash when matching events while new events are being read.

Other changes and bug fixes

• Improved database design to drastically reduce the size of the Syspeace database, especially when many blocks are present and/or blocks are added, removed or changed often.
• Added the ability to export entries out of the local blacklist in a simple format by selecting them and copying them.
• Added the ability to import entries into the local blacklist by pasting them into the list in the same format as when copying.
• Attempt to use TLS 1.2 when .NET Framework 4.5 or later is installed.
• Fixed an incompatibility issue with newer versions of SQL Server that would prevent Syspeace from starting.
• Fixed an incompatibility issue with a Syspeace dependency.