From 8f7706bce651685aaf70e4df8731a36ca8a89376 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 5 May 2025 16:12:28 -0400 Subject: [PATCH] Retroactively updates known issues for Defend and Security (#6813) * First draft * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Adds known issue to other releases * Adds more resolution details * Update docs/release-notes/8.16.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * periods * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * gabe's feedback --------- Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> (cherry picked from commit f4efddce6987cc9c9df9ae035bde533f60447e63) --- docs/release-notes/8.16.asciidoc | 318 +++++++++++++++++++++++++++++++ docs/release-notes/8.17.asciidoc | 276 +++++++++++++++++++++++++++ docs/release-notes/8.18.asciidoc | 45 +++++ 3 files changed, 639 insertions(+) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 40d4eab78a..bdddafa030 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -42,6 +42,51 @@ To resolve this issue, before you add an {elastic-defend} integration to a polic ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.16.6]] ==== Bug fixes @@ -82,6 +127,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.16.5]] ==== Bug fixes @@ -116,6 +206,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[features-8.16.4]] ==== New features @@ -171,6 +306,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.16.3]] ==== Bug fixes @@ -219,6 +399,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.16.2]] ==== Bug fixes @@ -324,6 +549,51 @@ On November 12, 2024, it was discovered that manually running threshold rules co *Details* + On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + ==== // end::known-issue[] @@ -464,9 +734,57 @@ NOTE: These instructions only apply to the Google Chrome browser. Modify the ste . Search for the `siem..pageFilters` key, right-click on the value, then click *Delete*. If you have multiple non-default spaces, do this for each space. . Refresh the **Alerts** page to reload it. +*Resolved* + +This issue is fixed in {stack} version 8.16.1. + ==== // end::known-issue-53[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[breaking-changes-8.16.0]] ==== Breaking changes diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 46bbca68ff..51154249b4 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -42,6 +42,51 @@ To resolve this issue, before you add an {elastic-defend} integration to a polic ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[enhancements-8.17.5]] ==== Enhancements @@ -98,6 +143,51 @@ To resolve this issue, before you add an {elastic-defend} integration to a polic ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.17.4]] @@ -137,6 +227,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.17.3]] ==== Bug fixes @@ -177,6 +312,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[features-8.17.2]] ==== New features @@ -224,6 +404,9 @@ This issue was discovered on February 6, 2025. *Workaround* + To resolve this issue, upgrade to 8.17.2. Alternatively, increase {kib}'s RAM to 2 GB. +*Resolved* + +This issue is fixed in {stack} version 8.17.2. + ==== // end::known-issue[] @@ -247,6 +430,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.17.1]] ==== Bug fixes @@ -289,6 +517,9 @@ This issue was discovered on February 6, 2025. *Workaround* + To resolve this issue, upgrade to 8.17.2. Alternatively, increase {kib}'s RAM to 2 GB. +*Resolved* + +This issue is fixed in {stack} version 8.17.2. + ==== // end::known-issue[] @@ -377,6 +608,51 @@ On November 12, 2024, it was discovered that manually running threshold rules co *Details* + On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + ==== // end::known-issue[] diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index d25bc6198f..01506efc6b 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -47,6 +47,51 @@ To resolve this issue, before you add an {elastic-defend} integration to a polic ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[deprecations-8.18.0]] ==== Deprecations