From 639ec516e90ef79b775a4aa94dd36c09bdaa0f57 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 5 May 2025 19:58:59 -0400 Subject: [PATCH 1/2] 8.17.6 release notes (#6801) * First draft * Defend PRs * Revisions * Update docs/release-notes/8.17.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.17.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.17.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.17.asciidoc * Minor edits * attribute * Updates known issue summary for defend bug * Adds one more version * Periods * Update docs/release-notes/8.17.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> * Update docs/release-notes/8.17.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> * Update docs/release-notes/8.17.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> * Update docs/release-notes/8.17.asciidoc --------- Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> (cherry picked from commit 9c6fe1180b76e0e3c44e9d8a78a71d22ada3d1c6) # Conflicts: # docs/release-notes.asciidoc --- docs/release-notes.asciidoc | 6 ++++++ docs/release-notes/8.16.asciidoc | 4 ++++ docs/release-notes/8.17.asciidoc | 28 ++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+) diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index 3c55d02817..06f591081f 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc 
@@ -3,6 +3,12 @@ This section summarizes the changes in each release. +<<<<<<< HEAD +======= +* <> +* <> +* <> +>>>>>>> 9c6fe118 (8.17.6 release notes (#6801)) * <> * <> * <> diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 9564611fa6..b64851115a 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -39,6 +39,10 @@ When you install an {elastic-defend} integration or a new agent policy for this *Workaround* + To resolve this issue, before you add an {elastic-defend} integration to a policy in {fleet}, apply any pending prebuilt rule updates. This will prevent rule actions and exceptions from being overwritten. + +*Resolved* + +This issue is fixed in {stack} versions 8.17.6, 8.18.1, and 9.0.1. + ==== // end::known-issue[] diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 51154249b4..023241e4fd 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -1,6 +1,26 @@ [[release-notes-header-8.17.0]] == 8.17 +[discrete] +[[release-notes-8.17.6]] +=== 8.17.6 + +[discrete] +[[enhancements-8.17.6]] +==== Enhancements +* Allows {elastic-defend} users to opt out of event-driven Memory Protection scanning using the advanced policy ({kibana-pull}218354[#218354]). + +[discrete] +[[bug-fixes-8.17.6]] +==== Fixes +* Fixes a bug that caused installed prebuilt detection rules to upgrade to their latest available versions when you installed a new {elastic-defend} integration or {agent} policy ({kibana-pull}217959[#217959]). +* Avoids an `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend}'s driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. ++ +If you can't upgrade, you can prevent this issue from occurring by either disabling Trellix Access Protection or adding a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. 
+* Resolves an unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver during extremely high event load situations on Windows. Systems affected by this issue would slow down or become unresponsive until the triggering event load (for example, network activity) subsided. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} 8.16.0 and later. +* Allows {elastic-defend} to detect and recover from a corrupt persistent cache database. Previously, such databases would be unusable, effectively turning off the persistent cache. +* Reduces {elastic-defend}'s CPU usage for registry events. + [discrete] [[release-notes-8.17.5]] === 8.17.5 @@ -39,6 +59,10 @@ When you install an {elastic-defend} integration or a new agent policy for this *Workaround* + To resolve this issue, before you add an {elastic-defend} integration to a policy in {fleet}, apply any pending prebuilt rule updates. This will prevent rule actions and exceptions from being overwritten. + +*Resolved* + +This issue is fixed in {stack} versions 8.17.6, 8.18.1, and 9.0.1. + ==== // end::known-issue[] @@ -140,6 +164,10 @@ When you install an {elastic-defend} integration or a new agent policy for this *Workaround* + To resolve this issue, before you add an {elastic-defend} integration to a policy in {fleet}, apply any pending prebuilt rule updates. This will prevent rule actions and exceptions from being overwritten. + +*Resolved* + +This issue is fixed in {stack} versions 8.17.6, 8.18.1, and 9.0.1. + ==== // end::known-issue[] From bcb09afa313cf37f5954c68c3861fb348aaac84e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 5 May 2025 22:34:11 -0400 Subject: [PATCH 2/2] fix conflict --- docs/release-notes.asciidoc | 5 ----- 1 file changed, 5 deletions(-) diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index 06f591081f..76e40bf953 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc 
@@ -3,12 +3,7 @@ This section summarizes the changes in each release. -<<<<<<< HEAD -======= -* <> -* <> * <> ->>>>>>> 9c6fe118 (8.17.6 release notes (#6801)) * <> * <> * <>
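Review bot: The first hunk of patch 1/2 (docs/release-notes.asciidoc, `@@ -3,6 +3,12 @@`) commits unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 9c6fe118 (8.17.6 release notes (#6801))`) into the release-notes index, and patch 2/2 exists only to remove them again. Squash the two into a single commit so that no revision of the branch carries a broken AsciiDoc file; as the series stands, anyone building the docs or bisecting at the first commit gets the conflict markers rendered as list text. The `# Conflicts:` trailer in the message already shows the cherry-pick stopped on this file, so the resolution belongs in that commit rather than in a follow-up.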
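Review bot: In the docs/release-notes/8.16.asciidoc hunk (`@@ -39,6 +39,10 @@`) the new `*Resolved*` paragraph is appended after the `*Workaround*` paragraph, so a reader on 8.16 is told to apply pending prebuilt rule updates before learning that 8.17.6, 8.18.1 or 9.0.1 fixes the problem outright; consider placing the resolved-in versions first, or stating in the workaround that it is only needed until the upgrade. The same three lines are pasted verbatim into three known-issue blocks across 8.16.asciidoc and 8.17.asciidoc; since each block already ends in an `// end::known-issue[]` tag region, a single tagged include would keep the version list from drifting the next time a fixed version is added.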
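Review bot: The `IRQL_NOT_LESS_EQUAL` bullet in the docs/release-notes/8.17.asciidoc hunk (`@@ -1,6 +1,26 @@`) offers two workarounds, disabling Trellix Access Protection or adding an exclusion for `C:\Windows\System32\svchost.exe`, without saying what they cost: `svchost.exe` is the shared service host, not a binary specific to the Base Filtering Engine, so a path exclusion on it removes Trellix coverage well beyond the BFE service, and disabling Access Protection removes it entirely. Add a sentence that the workaround reduces the third-party product's coverage, should be scoped as narrowly as the Trellix exclusion UI allows, and should be reverted once {elastic-defend} is upgraded to a fixed version. Two smaller points in the same hunk: the bullet opens with "Avoids an `IRQL_NOT_LESS_EQUAL`" but closes with "leading to a `IRQL_NOT_LESS_EQUAL` bugcheck", so use "an" in both places; and the enhancements bullet says users can opt out of Memory Protection scanning "using the advanced policy" without naming the advanced policy setting, which is what an administrator would search for.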
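Review bot: The conflict resolution in patch 2/2 (`@@ -3,12 +3,7 @@`) keeps only one of the three `* <>` cross-reference entries that the cherry-picked commit added and drops the other two. For a backport to the 8.17 branch that is plausible if the dropped entries point at the 8.18.1 and 9.0.1 notes, which do not belong in this branch, but the one-word message "fix conflict" does not say which entry was kept or why; record that in the commit message, and run the docs build to confirm that the surviving entry resolves to the `[[release-notes-8.17.6]]` anchor introduced in the 8.17.asciidoc hunk of patch 1/2 rather than to an anchor that only exists on the main branch.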