diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 738d6195ea..9564611fa6 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -42,6 +42,51 @@ To resolve this issue, before you add an {elastic-defend} integration to a polic ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.16.6]] ==== Bug fixes @@ -82,6 +127,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.16.5]] ==== Bug fixes @@ -116,6 +206,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[features-8.16.4]] ==== New features @@ -171,6 +306,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.16.3]] ==== Bug fixes @@ -219,6 +399,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.16.2]] ==== Bug fixes @@ -324,6 +549,51 @@ On November 12, 2024, it was discovered that manually running threshold rules co *Details* + On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + ==== // end::known-issue[] @@ -464,9 +734,57 @@ NOTE: These instructions only apply to the Google Chrome browser. Modify the ste . Search for the `siem..pageFilters` key, right-click on the value, then click *Delete*. If you have multiple non-default spaces, do this for each space. . Refresh the **Alerts** page to reload it. +*Resolved* + +This issue is fixed in {stack} version 8.16.1. + ==== // end::known-issue-53[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[breaking-changes-8.16.0]] ==== Breaking changes diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 46bbca68ff..51154249b4 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -42,6 +42,51 @@ To resolve this issue, before you add an {elastic-defend} integration to a polic ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[enhancements-8.17.5]] ==== Enhancements @@ -98,6 +143,51 @@ To resolve this issue, before you add an {elastic-defend} integration to a polic ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.17.4]] @@ -137,6 +227,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.17.3]] ==== Bug fixes @@ -177,6 +312,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[features-8.17.2]] ==== New features @@ -224,6 +404,9 @@ This issue was discovered on February 6, 2025. *Workaround* + To resolve this issue, upgrade to 8.17.2. Alternatively, increase {kib}'s RAM to 2 GB. +*Resolved* + +This issue is fixed in {stack} version 8.17.2. + ==== // end::known-issue[] @@ -247,6 +430,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.17.1]] ==== Bug fixes @@ -289,6 +517,9 @@ This issue was discovered on February 6, 2025. *Workaround* + To resolve this issue, upgrade to 8.17.2. Alternatively, increase {kib}'s RAM to 2 GB. +*Resolved* + +This issue is fixed in {stack} version 8.17.2. + ==== // end::known-issue[] @@ -377,6 +608,51 @@ On November 12, 2024, it was discovered that manually running threshold rules co *Details* + On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + ==== // end::known-issue[]