Digital Guardian Agent for Windows

April 2024

Version: 8.0.0

April, 2024

New Features and Enhancements

• MIP SDK has been upgraded from v1.12 to v1.13.182. MIP SDK 1.13 introduces support for consuming files and emails protected with AES256-CBC generated by Word, Excel, PowerPoint, Outlook, Exchange Online, SharePoint Online, and MIP SDK-enabled applications that have opted into CBC publishing. It is imperative to update your application to MIP SDK 1.13 if it uses the File SDK to consume any of the above-mentioned formats. Microsoft 365 Apps, Exchange Online, and SharePoint Online will all start using AES256-CBC encryption by default in the second half of 2023. For more information, refer to Microsoft Information Protection SDK Documentation.

  UseCBCForOfficeFileEncryption "UseCBCForOfficeFileEncryption" determines if the AES256-CBC algorithm is used to encrypt when Office files are protected by MIP. This is enabled by default in 8.0.0. Admins can disable this option by pushing custom configuration XML from DGMC if that is not the desired behavior: <mipUseCBCForOfficeFileEncryption>0</mipUseCBCForOfficeFileEncryption>

• In version 8.0.0, the new feature DGFS implements a new file system filtering option using the Microsoft mini-filtering driver as recommended by Microsoft. When DGFS is enabled, the DG DGMinFlt file system mini-filter will be used instead of the legacy file system filters. Although the MSFT legacy driver continues to be the default, DG now provides a configuration option allowing users to switch between the MSFT legacy driver and the MSFT mini-filter driver. For more information, please contact Fortra Support.

  NOTE: Despite these changes, all functionalities of the DG Windows Agent remain unchanged.

• Digital Guardian release version 8.0.0 and later introduces a range of new capabilities. The enhancements and updates implemented in DG Scanner are as follows:

  • Enhancements in Directory Control: In 8.0.0 and later, full support for mixed cases in path entries is provided. This facilitates more comprehensive file path descriptions. The new version allows the utilization of wildcard characters in the Exclude section, offering enhanced flexibility in specifying files to be excluded from scanning. Moreover, these versions offer support for Windows environment variables in both the scan Include and Exclude sections of the Directory Control file. This expanded capability enhances the versatility of defining inclusion and exclusion criteria. Additionally, it is recommended to exclusively use full paths, eliminating the need for short format paths. This promotes a more consistent and reliable configuration.

  • Improved DGScanner Integration with Sentry.io: Integrated DGScanner seamlessly with Sentry.io for automated crash dump reporting. For more information, refer section DG Agent Crash Dump Reporting Automation of the DigitalGuardian_8_6_1_Management_Console_Users_Guide.

  • MIP Label Reading and Reporting Enhancement: Enhanced DGScanner functionality to read and report MIP labels in inventory report with precision, providing comprehensive insights into the scanned data.

  • Automatic Service Restart and Schedule Resumption: Implement an automatic restart feature for DGScanner in the event of unexpected termination. It Ensures the scanner seamlessly resumes its operations according to the predefined schedule.

  • Improved DG Scanner Progress Report: The improved DGScanner Progress Report now features a streamlined scanning Start/Stop message in dg.log, enhancing tracking and analysis. It also provides information on the Current Scan Status (Current Info and Current Errors) and most recent scan results (last info and last error) for a concise overview of any scanning issues.

  • Scan on Uninstall: Upon uninstallation, this feature ensures the removal of DGStreams from all classified files, enhancing the uninstallation process by clearing any residual traces of files classified by Agent and Scanner.

  • Streamlined Log Management with New Log File: We've optimized log management in DGScanner, directing logs to a dedicated file named dgscan.log for improved traceability and efficient analysis.

  • Ignore List Management via DGDiag File Access: Enabling the management of the ignore list through DGDiag. This feature enhances the configurability and control over DGScanner's scanning parameters.

  • Scanner Reset Enhancement: In this release, the reset command is initiated through the DGMC, that will reset the scanning process and initiate a new scan based on the predefined configuration.

  • Support for Microsoft Office 365 Outlook New UI: Agent for Windows now supports capturing Send Mail operations within the new user interface of New Microsoft Office 365 Outlook. To enable this functionality, it is necessary to deploy the Digital Guardian addin for Outlook. In this deployment model, administrators must initiate the deployment of the Digital Guardian Outlook add-in through the Microsoft 365 Admin Center. For details on prerequisite steps, deployment methods for the Outlook add-in and User-Removable Addin, as well as limitations of the New Outlook UI add-in and observations on Smart Alert Notifications within the Digital Guardian Outlook Add-in, see the DigitalGuardian_Agent_for_Windows_8.0.0_Release_Notes.

Fixes

• The Lua script modification addresses the problem of slow file uploads for larger files (greater than 200MB) to Google Drive. The Lua script adjustment resolves the issue.

• A previous change to DG Agent failed to validate parameters properly and led to a crash of Internet Explorer Compatibility Mode. Parameter validation is added to prevent this problem, and the issue is now resolved. Refer to Resolved Issues section in DigitalGuardian_Agent_for_Windows_8.0.0_Release_Notes.

• The user encountered difficulties uploading files in the client AWS application when the file size exceeded 24MB. Without the AWS fix, any file upload wouldn't trigger an NTU event, as NTUs weren't being reported for AWS S3. This problem has been resolved.

• When a customer adds a file path to exclude from the DirCtrl.dat files ACI sections and the number of paths exceeds an internal limit, those extra paths used to be ignored and will not be included in any directory control processing. The DGAgent was altered so, it no longer has that limit anymore. This issue is resolved.

• DG Agent for Windows release version 8.0.0 has now introduced a new custom configuration wipMaxHttp2StreamsPerConnection. Previously, users faced challenges with navigating sites hosted on NGINX that utilized a single HTTP/2 connection to handle a large number of requests. Since NGINX has implemented a non-standard limit of 1000 requests that can ever be served using single http2 connection, a similar limit has been implemented to have a smooth browsing experience for end-users, ensuring seamless navigation across these sites.

• RME devices occasionally failed to be recognized as RME devices upon insertion or at boot time and failed to encrypt or decrypt files. This issue has been resolved.

• A customer encountered problems where DGAgent Send Mail events lacked the 'To' recipient field. To address this issue, the DGAgent was modified to accommodate an undocumented Microsoft Outlook Old UI email distribution setting that was discovered.

• DG Agent's Network Transfer Upload event is not able to detect Google drive website's response header 'XGuploader- UploadID'. This issue has been resolve.

• Network Transfer Upload rules were not firing due to a bug in file identification hash values during uploads. This issue has been addressed and resolved.

• The issue AG-49712 was reopened because the previously implemented solution was incompatible with Office 365. This issue has been resolved now. Refer to Resolved Issues section in DigitalGuardian_Agent_for_Windows_8.0.0_Release_Notes.

• A customer performed a drag-and-drop operation to transfer several files into a CD/DVD folder, and subsequently, these files were burnt to the disc. The customer was expecting to be able to view CD/DVD burning events for each file (one event per file) in their local forensic analysis. However, they encountered an issue where an inconsistent number of burn events was displayed. The DgAgent has been modified to ensure that all the expected burn events are now accurately reported.

• The installation process of the custom MSI Installer, which included an embedded configuration, encountered a problem due to elevated User Account Control (UAC) levels. This issue has been resolved.

• Resolved crashes of applications that were being monitored by Digital Guardian Agent and Citrix Application Protection.

• When using Microsoft Teams, users have the option to choose "Copy Link" for a file located within the file tab of their chat sessions. If a user has configured their Outlook settings such that pasting a link results in Outlook attaching a copy of the file, rather than just the link, the following behavior occurs: After copying the link, if the user proceeds to create a new email in Outlook, paste the link, and then send that email, the SendMail event displayed on the DGMC Servers Local Forensic screen will not only report details about the copied file but also include an entry describing the original link. This issue has been resolved.

• DgScanner was accessing files listed within the "Exclude" section of the Scan in the dirctrl.dat resource file. This issue has been resolved, and the files specified in the "Exclude" section are now skipped from scanning.

• When using the scanner monitor for scanner service installation, the tool now correctly points to the installed dgscan executable located within the dgagent installation directory.

February 2024

Version: 7.9.6

February, 2024

Fixes

• Network Transfer Upload rules were not firing due to a bug in file identification hash values during uploads. This issue has been addressed and resolved.

• DG Agent's Network Transfer Upload event is not able to detect Google drive website's response header 'XGuploader-UploadID'. This issue has been resolve.

November 2023

Version: 7.9.4

Nov, 2023

Fixes

• A third-party company conducted a security vulnerability assessment on the DGAgent MSI installer, during which they were able to find a way to view the uninstall key stored in memory. This issue has been resolved and the DGAgent installer has been modified to address this vulnerability.

• The current screen lock page image gets locked upon the installation of the Windows Agent and cannot be modified through a GPO. If the Agent is uninstalled, and the image is updated, the new one will take effect. However, should you install a new Agent, the image will once again become locked. To address this issue, a warning note has been added to the 'Digital Guide Installation and Upgrade'guide under section "Before Installing the DG Agent".

• A customer encountered a blue screen error while attempting to install DGAgent on a Windows Server 2016-based system. To address this issue, modifications have been made to the DGAgent installer to prevent installation on unsupported systems. As a result, the problem has been resolved.

• In the troubleshooting session, the customer encountered issues when stopping the DG processes. The computer would freeze, and the Windows search bar would not work. Additionally, Excel would occasionally hang when the DGAgent process crashed or abruptly terminated. This issue has been resolved now.

• A customer faced performance problems related to the slow enabling of the MIP feature, leading to frequent restarts of internal software. To address this issue, adjustments have been made to the DGAgent to ensure a swift resolution. As a result, the problem has been resolved.

• The customer encountered an issue with the propagation of permanent classification tags. When they cut text from a source file with permanent tags and pasted it into a new Outlook email message the tags were propagated. Subsequently, when the customer performed another cut operation from a source file without any permanent tags into another new Outlook email, the tags were still being carried over, even though they should not have been transferred. This issue has been resolved now.

• The DG Agent was unable to detect the NTU event when a file was uploaded to the AWS support website. The issue has been resolved after modifying the rules to capture the NTU events.

• A customer experienced a problem where Bookmarks were generated when performing a Ctrl-C operation within Word.exe while using Office 365. This issue has now been resolved.

• A customer reported that printing was not blocked when using the .PrintOut() method of Microsoft Word in PowerShell using a COM object. This issue has been resolved with a code fix, which also applies to Microsoft Excel and PowerPoint.

• The customer was running an Excel macro that involved a significant amount of cut and paste actions to fill a Word document. During the execution, it was noticed that certain data was missing in the Word document. The DGAgent was impacting the functioning of this macro. However, the problem with DGAgent has been resolved, allowing the macro to now execute and complete successfully.

• When a customer selects over 1000 files and generates a zip file via the File Explorer menu, previously, the DGAgent would generate a single File Archive event, which could be viewed through the DGMC's Local Forensic pages. However, this File Archive event would only capture and report the first 1001 files, leaving the rest unreported. To address this, the DGAgent has been modified to produce multiple File Archive events, each containing a maximum of 1001 files.

• Initially, the server agreed to accept HTTP/2; however, when the user attempted to access the server through HTTP/2, it returnd an HTTP1_1_required error. Unfortunately, WIP is unable to communicate this error to the user. This issue has been addressed by introducing the HTTP1_1_ONLY domain flag. WIP now reports an operational alert when this error is encountered, and the customer is advised to configure the new domain flag.

• A request was made to allow the DGAgent MSI installer to execute uninstallation without requiring an uninstall key. However, this request has been declined as this would result in security vulnerabilities. The DGAgent product documentation has been updated to reflect that this feature will not be offered.

September 2023

Version: 7.9.3

Sep, 2023

Fixes

• A BSOD with bugcheck "ATTEMPTED_SWITCH_FROM_DPC (b8)" was seen when the agent displayed prompts on some network events. However, this issue has now been resolved. problem arose because DGWIP was initiating buffer inspections for all logs and diagnostics that Google uploaded to their servers. This issue has been resolved now by identifying the URLs associated with these buffer uploads and excluding them from buffer inspection.

• During the installation or upgrade of DGAgent, certain agent DLL files undergo ACL/access permissions updates. Previously, this process encountered issues on systems with a non en-US foreign language locale set for display language and for the Windows welcome screen. However, this problem has now been resolved.

• When a system allows multiple users to log in, there is a scenario where the DGAgent will attempt Content Inspection on a file using incorrect access permissions. This issue has been resolved now.

• A customer encountered an issue while using a web browser and attempting to print a network-based file (i.e., a file with a URL starting with https://). They noticed that when using the "Microsoft Print to PDF" printer option, the printed file's size was reported as 0 bytes in the Print Event on the DGMC's Local Forensic page. As a result, any rule utilizing the DG_CaptureFile function failed to capture the file due to its zero length.
  
  To resolve this issue, a fix has been implemented in the DGAgent. However, it is necessary for the customer to define a specific rule for cases involving the USER_FILE_PRINT event, where they intend to have DG_ FileCapture capture the file when the selected printer type is "Microsoft Print to PDF." For this particular rule, the "Run Rule after operation" setting must be configured as "YES."

• The problem of customers encountering a crash dump while closing PowerPoint or Microsoft Project has now been successfully resolved.

• After a customer carries out a cut operation from a file that has a permanent classification tag and subsequently closes that file, the following sequence of actions occurs: If the customer later opens a new file for editing, minutes after the initial action, and then pastes text taken from the first file, subsequently executing a cut of that pasted text and pasting it into yet another new file; when the final file is saved, the customer anticipates utilizing DGCIApp.exe to inspect the linked Alternate Data Stream (ADS). However, in this instance, the anticipated permanent tag is not present. The DGAgent has been fixed and this issue is now ensuring the tag is now present

 

July 2023

Version: 7.9.2

July, 2023

New Features

• Enhancement of the Buffer Classification Details for the ADE Paste Event: Agent now has the ability to generate the Buffer Classification Details for the ADE PASTE event. When a user performs an ADE PASTE operation, the agent generates the content of the clipboard’s buffer. The content inspection’s result can be used to write control rules against the ADE PASTE event. The Local Forensic Report for the ADE Paste event that has classified information will now have an additional row named Buffer Details. This new row will present the user with the capability to analyze the clipboard’s buffer information. This information can be viewed on both the DGMC server and the ARC server. This can also be -used in conjunction with the sample match feature.

Fixes

• The user experience was affected when pasting into Google Sheets due to its slow performance. This problem arose because DGWIP was initiating buffer inspections for all logs and diagnostics that Google uploaded to their servers. This issue has been resolved now by identifying the URLs associated with these buffer uploads and excluding them from buffer inspection.

• The issue was related to the user cache not fully reloading upon restart, leading to some users being mistakenly identified as new users during their first login after a restart. This issue has been resolved now. The agent will now perform regular checks to detect and register new users whenever they are encountered.

• Certain files on OneDrive lost the "Always keep on disk" attribute despite being initially set. The problem was identified as DG Agent temporarily modifying file attributes to write a DG Stream. During the restoration process of the original attributes, the "keep on disk" attribute was unintentionally skipped. This issue has been resolved now.

• Previously, users encountered significant delays while navigating through folders in OneDrive. Decrease in responsiveness was seen in the explorer pane while refreshing the list of files. The problem was related to the unpinned files and recall on data access were being downloaded by DG Agent action. This issue has now been resolved.

• The customer reported an issue where the process hung on the exit. This issue was addressed by adding a defensive code to handle the new use case.

• The customer reported a performance issue when opening directories with a large number of files. The issue has been addressed by enhancing Windows Explorer's enumeration.

• There was a gap in the Agent functionality; the Buffer Classification Details were not seen in ARC. Now, an additional row, "Buffer Details", has been included in the Local Forensic Report for the ADE Paste event that has classified information. This new row will present the user with the capability to analyse the clipboard’s buffer information.

• The DGAgent has encountered an issue on Windows operating systems with foreign languages. When customers utilize an Office Application, they have the option to save a file either through the SaveAs screen or the Save Icon. The DGAgent needs to differentiate between these two methods in order to extract the provided file path, name, and extension accurately. This issue has been resolved now.

• When using Outlook to attach a file from OneDrive or SharePoint to an email, the application could prompt to attach the file as a copy of the original file. The Local Forensic will have information about the copied file. To meet the customer's request, the Send Mail event has been modified to include details of the original file, showing OneDrive or SharePoint information. This issue is resolved now and the Agent has been updated accordingly.

• When the customer copied and pasted text from a browser screen to another application, it was noticed that the ADE Paste event sent to the DGMC Server did not accurately reflect the URL in SRC_FILE_NAME and SRC_FILE_DIRECTORY fields from which the text was copied. This issue is now resolved and the URL in these fields are displayed correctly.

• The customer reported that the DocXTool Word plugin stopped functioning correctly. The problem was due to the DGAgent's interactions with the Clipboard, which caused interoperability issues with DocXTool. However, this issue has been resolved now.

• An isolated code path failed to copy one structure member to another. The new archive analysis code later accessed this null value causing an exception. This issue is now resolved by adding the required copy operation and validating parameters.

• It was discovered that the DGAgent had difficulty starting under certain conditions due to a corrupted configuration file. As a result, necessary improvements have been made and the issue is now resolved.

• A security loophole was discovered by a customer that could replace the DGCleaner.exe executable. To prevent this scenario, the DGCleaner.exe is now modified to remove non-system/non-admin user/file access rights and add system-level user/file access. As a result, only system or admin level users, who are more trusted, are allowed to execute the DGCleaner.exe.

• There were missing source file classification details on NTU events and an inability to control NTU events based on source file classification when the source file was from a remote drive and DgMinFlt was in use. However, the issue is now resolved.

• After a customer selects text while editing a Word application and uses Ctrl-C to copy it, they noticed that Bookmarks with the prefix "OLE_LINK" were being generated by the DGAgent. However, the issue with the DGAgent creating these Bookmarks is now resolved.

• Previously, the DG Agent would try to reclassify any file accessed via Chrome or Edge browsers on remote shares by copying it to a temporary location and back, even if it did not meet the reclassification process. To address this issue, the DG Agent has been modified to check whether the file qualifies the reclassification criteria before proceeding with the reclassification process.

• An issue with performance was reported during the content inspection of an XML document that resulted from using a text reader to filter it. However, this issue is now resolved.

• In version 7.9.2, domain flag and script pack resource file modifications were made to enhance the efficiency and to decrease the need for excessive content inspection and classification.

 

May 2023

Version: 7.9.1

May, 2023

New Features

• DG Agent for Windows 7.9.1 ships with version 12.12 of the Micro Focus KeyView and Eduction Engine SDKs.
  

• The Agent 7.9.1 release introduces performance enhancements to Adaptive Content Inspection (ACI). The Agent 7.9.1 release also introduces the aciMatchTimeout configuration setting to speed up content pattern matching. In addition to doing its own timeout monitoring, the Agent now also has the EDK monitor the timeout. The default setting is one second.

• The Agent 7.9.1 release introduces performance improvement for IPv6 fail-over handling.

• In the Agent 7.9.1 release, a new configuration parameter called "wipMinFltEnable" has been added. By default, this parameter is set to true and enables WIP to establish test connections.

• Two new protocol types, constProtocolUDP6 and constProtocolTCP6, are added to support IPv6.

• For more information on Forcepoint ONE Endpoint enhancement please contact Digital Guardian Product Support.

Fixes

• The memory leak issue in the DG Agent occurs when handling processes for start and stop notifications. This issue is fixed in this release.

• The user encountered specific issues related to copying and pasting within Power Point, including shapes, slides, and text. They also experienced difficulties when pasting images from external sources, such as Teams. Although the logs did not capture any instances of Power Point crashes, the user did encounter crashes while using the application. These issues have been successfully resolved in the latest update, version 7.9.1.

• The customer experienced an issue wherein connecting to a site using IPv6 resulted in a 10-30 second delay before the site could be accessed. However, after the delay, the site would automatically refresh and load the page correctly. This issue has been addressed and resolved in version 7.9.1.

• The Digital Guardian directory "C:\ProgramData\DGAgent\mip" has an excessively permissive ACL, allowing regular users to write privileges. This privilege leads to an arbitrary file or folder deletion vulnerability that can be utilized to achieve privilege escalation and denial of service attacks on affected machines. This issue has been resolved. DgUpdate.exe now validates signatures of side-by-side .zip files during the DGupdate execution and prevents the installation of any corrupted .zip files.

• In release 7.9.1, WIP configuration has been updated to no longer support side-by-side package (dgwip_config.zip/dgwip_proxyscripts). To incorporate an updated version of domainflags.txt, onecrl.json, onecrl.json or proxyscripts.zip for fresh installations, customers should use the DgMsiTool.hta tool to embed these files into the distributed MSI.

• Previously, when attempting to capture attachments from Sendmail events using a rule in Legacy File Capture, the process would fail if the message was saved and then sent from the Outlook Drafts folder. However, this issue has now been resolved and the attachment can be successfully captured.

• The DGMC Local Forensic Report and ARC Events indicate that certain mail events were sent with no sender or receiver information, resulting in blank data. According to the logs, these events were identified as "Not a supported Outlook item!" However, this problem has been resolved and the events display accurate data.

• There was an issue of Office application crashes/hangs after opening files from OneDrive, which was triggered by sending email notifications upon tagging users while adding comments to the file. This issue has been resolved now.

• The control rules for MIP did not activate when using equivalentTags for print operations. This modification enables the agent to evaluate the print operation for equivalentTags.

• There was an issue of short delays and unresponsiveness seen when copying and pasting in Microsoft Office documents using the Microsoft Office File Collaboration feature. This issue has been fixed.

• Previously, when a user dragged a classified file into Word, the classification propagation did not occur. However, this issue has been resolved, and now the tags can be correctly propagated to the Word file.

• The Network Transfer Upload (NTU) was not detected for the google.translate.co.kr website. With a code fix in DG Agent, NTU is now detected.

• Previously, uploading a source file from a network share would result in the NTU File Capture Details displaying zero bytes. The issue has been resolved, and now the files can be uploaded successfully with accurate file size displayed in the File Capture Details. The DGAgent was found to have a security vulnerability in its cleanup process for C:\ProgramData\DGAgent\mip and C:\ProgramData\kv temporary folders. The DGAgent failed to check all folders and sub-folders being malicious symbolic links or mounting points in the temp file cleaner thread and would effectively utilize the folders when it shouldn’t. To address this issue, the DGAgent has been modified to check for and delete any mounting points or symbolic links in the temp files, and to recreate the temp folders if necessary. Additionally, the DGAgent now ensures that the folders are only cleaned up if they are in the expected state, or if all temp folders are in good condition.

• Enabling DG Agent caused Windows Defender updates to fail, even when manually downloaded. This issue has been resolved by modifying the process flags entry, allowing for successful updates with the inclusion of "mprecovery.exe, SK+PR."

• File Capture rules fail to capture the file when forwarding an email. When files are forwarded, only the file name without the path was displayed, resulting in an empty path. As a result, the code was unable to utilize the recreated file in Outlook. To fix this issue, the media ID values used with SendMail events were corrected, enabling the code to use the recreated file even when the path was invalid. Additionally, the file name for a recreated file in this forwarded file scenario was adjusted.

• DG Agent causing office applications mainly Outlook crashing on multiple machines while sending an email. Dropping-off RC3 build to the customer resolved this issue.

• Opening a Microsoft Excel file attachment in Outlook resulted in a system crash during processing of corrupted classification information. This issue has been resolved and an error message is written to the log when corruption is encountered.

• Users have reported experiencing performance issues, mainly with Teams and Outlook locking up/hanging/freezing for a short periods of time. To address this issue, customers are recommended to use 7.8.5 / hotfix.

• On systems using Removable Media Encryption (RME), when a user opens an unencrypted file on a removable device, the DG Agent determines whether that file should be encrypted. To prevent this behavior, disable the registry value DmkAnalyzeFileDispositionOnCreate by adding the following line to the Agent's Custom Configuration resource.
  <DmkAnalyzeFileDispositionOnCreate pushDuringUpdate="1"
  regHive="HKLM"regKey="SYSTEM\CurrentControlSet\Services\
  regName="DmkAnalyzeFileDispositionOnCreate"
  regType="DWOR">0</DmkAnalyzeFileDispositionOnCreate>

• After the change has been deployed, reboot the Agent computers.

• When attempting to install the DG Agent from the msiexec command line, the user entered an escape character within the INSTALLDIR property but did not close the string correctly. As a result, the DG Agent was not able to parse the individual parameters within the msiexec command and the installation failed. The DG Agent code has been altered to handle this scenario and complete the installation successfully.

• The DG Agent fails to inject IBM Notes application processes when Kaspersky is deployed to a machine therefore, failing to detect SendMail, MailAttach and other events. The problem occured due to an incompatibility between Kaspersky Endpoint Security software and DG Agent. A code fix has been implemented in the DGAgent to resolve this issue.

• Outlook stops working when an email containing multiple embedded URL links is sent while the DG Agent is running. The issue was resolved by adding the NC+ND flags to Outlook.exe. (outlook.exe,SB+WS+AS+DWNG+DWSP+NC+ND)

• A user cut some text from a file that had a permanent classification tag and pasted into a new document, then cut text from the new document and pasted it into another new document. When the user saved the new documents, the Agent failed to propagate the permanent tags from the unsaved documents to the new documents. This issue has been fixed.

• When users with a USB read exception attempt to read a file from a USB drive, they receive a pop-up message that should not appear. To resolve this issue set “DmkAnalyseFileDispositionOnCreate” registry value to zero via custom config and rebooting the agent machines.

• The DG Agent uses the Boldon James Classifier API to obtain Boldon James User Classification tags from files. Although the Agent supports Microsoft Hardware-enforced Stack Protection, it was discovered that the Classifier API does not. This incompatibility caused the Agent to crash on hardware platforms with this stack-protection feature. DG now prevents the Agent from using this feature if Boldon James User Classification is enabled.

• A user cut some text from a file that had a permanent classification tag, closed the application they cut the text from, and after a delay of several minutes pasted the text into a new document. When the user saved the new document, the permanent tag was not propagated. A fix to the DG Agent now ensures the permanent tag gets propagated.

• A DG Agent configuration was deployed to a system that contained multiple occurrences of one of the settings. As a result the Agent configuration was not in the desired state, and it was not possible to remove the duplicate settings. The DG Agent now retains the first occurrence of a configuration setting and filters out any duplicates. Note: DG recommends reviewing your DG Diag file, and if a setting does not match your expectations, check your Core Settings configuration or your Custom configuration to ensure there are no duplicates.

• When DG-classified files were zipped (compressed) from a remote drive to a network share or a roaming profile location using the native Windows 10 zip capability, in certain cases the remote archives did not propagate tags from the classified input files. This resulted from an incompatibility between the SentinelOne endpoint security agent and the DG Agent. This issue has been fixed.

• When Microsoft Information Protection (MIP) was enabled, and an enterprise proxy was configured in the Core Settings configuration resource, MIP labels were correctly recognized, but the DG Agent log files constantly filled up with HTTP operation failures due to Microsoft telemetry data not going through the enterprise proxy. This issue has been fixed.

• If the DG Agent for Windows was not restarted regularly (daily or weekly), the dgwip log increased in size until it filled the disk, causing user machines to stop working. To address this issue, DG now dumps DG WIP error logs into a specific file and automatically cycles the logs at a reasonable upper limit.

• The DG Agent sent an invalid domain name to the DGMC, causing DGMC users to be ejected from the console. DG added logging to dg.log to improve Agent debugging when this situation occurs.

• The file capture function, when used in email events (SendMail and AttachMail), is broken and does not have the ability to capture multiple files. This issue is resolved by fixing medid ID values used with SendMail events.

• DG resolved an issue that occurred on Microsoft Outlook, where a SendMail file capture rule failed to capture a file attachment when the recipient forwarded the email.

 

February 2023

Version: 7.9.0

February, 2023

New Features

• Agent for Windows 7.9.0, with DG Server 8.6.0 or later, extends the Digital Guardian Microsoft Information Protection (MIP) feature by prompting users to apply MIP labels manually to sensitive files when they attempt to transfer the files outside of local fixed storage (for example, to a removable drive or remote network share).

• You configure the following settings for user-applied MIP labeling in your Core Settings configuration resource in the DGMC:

  • Allow Egress On Failed MIP Labeling. Determines whether a user will be blocked from transferring a file

  • Show All Recommended MIP Labels. Determines whether all recommended MIP labels will be displayed to the user, or only the MIP label with the highest ranking.

• Sample Match is an optional add-on feature that allows analysts to quickly assess events sent from the DG Agent to the DGMC and DG ARC consoles in order to identify false positives or decide to escalate an incident.

• Starting with DG Agent for Windows 7.9.0, you can use IPv6 addresses in rules and component lists and in URL-based network operation events (events that block access to IPv6 addresses). Rule properties whose names end with "v6" or "6" are used in rules with IPv6 addresses. Properties whose names end without a version are used in rules with IPv4 addresses.

• Agent for Windows 7.9.0 introduces the wipAutoSkipEnableMask setting that allows you to fine-tune which DG WIP auto-skip capabilities are enabled. Values for wipAutoSkipEnableMask can be configured only in a Custom Configuration resource.

• DG Agent for Windows 7.9.0 ships with version 12.12 of the Micro Focus KeyView and Eduction Engine SDKs.

Fixes

• When using DG Adaptive Content Inspection (ACI), a random delay of up to 60 seconds occurred before classified files were content inspected. This was resolved with an update to the Micro Focus KeyView and a change to the way the Agent manages the KeyView process.

• When operations such as NTU or SaveAs were performed, if the overall number of entities and classification tag data exceeded an internal buffer size check limit, the DG Agent was prevented from returning any classification tags that might have been applied to the file. This issue has been resolved.

• In a DG environment using Adaptive Content Inspection (ACI), after an upgrade to DG Agent 7.8.3, customers experienced hangs in Microsoft Outlook when sending email. To resolve this issue, install the Micro Focus KeyView patch 12.12.6.8405 provided with the 7.9.0 Agent.

• Some web applications require exact capitalization of their custom HTTP headers and may fail to behave as expected because DG WIP normalizes the HTTP headers as a request is proxied. DG has added the wipHeaderDenormalizeEnable custom configuration option to allow DG WIP to maintain the HTTP/1.1 header capitalization that was received when it proxies a request or response. Some standard headers cannot be denormalized due to their importance to the operation of the DG WIP http stack, but all nonstandard headers can be denormalized. wipHeaderDenormalizeEnable is disabled by default.

• DG Agent 7.8.0 or 7.8.2 on Microsoft Windows Servers experienced excessive CPU consumption generated by the DG Agent and DGAdmin processes. This was resolved by updating the GO runtime library. In some cases DG WIP was not using the customer’s corporate web proxy to send Online Certificate Status Protocol (OCSP) requests that DG WIP requires but that do not originate from the browser. This was resolved so that all outgoing requests now go through the corporate proxy.

January 2023

Version: 7.8.5

January, 2023

New Features

• When DG upgraded to Micro Focus KeyView and Eduction Engine SDKs version 12.12 in DG Agent 7.8.3, some customers using Adaptive Content Inspection (ACI) experienced ACI application performance issues. These issues will be resolved in the next release of the SDKs. To assure expected application performance when using ACI with DG Agent 7.8.5, version 12.9 SDKs will be installed by the Agent 7.8.5 installer. Agent for Windows 7.9.0, with DG Server 8.6.0 or later, extends the Digital Guardian Microsoft Information Protection (MIP) feature by prompting users to apply MIP labels manually to sensitive files when they attempt to transfer the files outside of local fixed storage (for example, to a removable drive or remote network share).

Fixes

• Log file rotation was not working properly in certain DG Agent releases. DG fixed the log file code to assure that all backup log files (.bak) get updated as expected and contain current log information.

• Text that was cut or copied from the address bar in Google Chrome or Microsoft Edge could not be pasted into an application. This issue was addressed with changes to the DG Agent code.

• When DG upgraded to Micro Focus KeyView and Eduction Engine SDKs version 12.12 in DG Agent 7.8.3, some customers using Adaptive Content Inspection (ACI) experienced brief, intermittent application performance issues. To assure expected application performance when using ACI with DG Agent 7.8.5, version 12.9 SDKs will be installed by the Agent 7.8.5 installer.

• In the following scenario, tag propagation failed after some customers upgraded Microsoft Office 365 to Microsoft 365 Current Channel v2210, build 15726.20202. When using an Office app to open a file that has a permanent DG classification tag, if you cut text from the file and then create a new document, the text you enter on the first line becomes the filename when you save the new document. In this case, after cutting text from a permanently classified file, the user created a new document, entered text after the first line, and tried to use the Save icon to save the new document. A "Save this file" dialog box was shown, and the user entered the requested information and saved the new document. Due to a change in the implementation of the dialog box in the v2210 Office 365 app, however, the DG Agent was unable to perform tag propagation. This issue was addressed with changes to the Agent code.

• When a Microsoft Outlook email with a file attachment was sent, the DG Agent incorrectly reported a SendMail event. This issue has been addressed. When a web browser was redirected to DG WIP while trying to connect to a server at its IPv6 address, and DG WIP was unable to connect to that address, IPv6 to IPv4 fallback sometimes required that the page be reloaded. In some cases multiple reloads would be required to fully load a website. This issue has been addressed by testing connectivity prior to redirection.

• A FileRename block rule triggered and blocked a FileRename event when a file was renamed, but failed to do so when a folder was renamed. This was resolved with a change to the Agent that allows blocking of FileRename operations on folders.

• When a classified file was attached to an Outlook email using drag and drop, and the email was sent, the recipient saved the file attachment. During the save operation, however, the saved file was not updated to include the permanent classification tags that DG embedded into the email as an X-header due to an error in determining the path to the source file. This issue has been addressed.

• When Microsoft Office files were set to the Chinese language, and a previously classified Word or Excel document was copied and pasted into a new Word or Excel document, and then saved using a provided short-cut path, the classification tags were not propagated to the new document. This happened because the Save operation produced a short-cut path, instead of a full path, in the Chinese language. To resolve this issue, DG added logic to map Chinese short-cut paths to full paths.

• When users tried to update a file from their BOX application's sync folder to the BOX in a browser, their machines hung, and sometimes required a reboot, due to incompatibility between the DG Agent and the BOX driver. DG Agent code was modified to fix the issue.

• When a clipboard cut/copy was used to perform a copy operation on the address bar in Microsoft Edge or Google Chrome, a rule to block any paste operation was incorrectly triggered because the Agent did not detect the cut/copy as a copy operation and misreported it as an ADE paste event in the Local Forensic Report. This has been addressed so that when cut/copy is used, and there is only a paste rule, the Agent will not report an event.

• When a user cut text from a classified file that was opened in the Microsoft Edge browser and then clicked within the body of a web page in the Google Chrome browser, the DG Agent failed to update the Address Bar field. As a result, the ADE Paste event reported an incorrect value for the Source File Path field. This issue has been addressed.

October 2022

Version: 7.8.4

Oct, 2022

New Features

• Enhancement to WIP Auto-Skip Operational Alert: The WIP Auto Skip Domain Detected Operational Alert now reports the URL of the website where an Auto-Skip event is detected as a result of an HTTP request.

  The Op Alert details for Auto-Skip cf or imp, and sometimes tls-reneg, display the URL for the Auto-Skip event. Auto-skips that are detected when a connection is being established, such as mtls and, in some cases, tls-reneg, have no URL that can be reported.

  This enhancement currently applies only to Cloudflare, Imperva, and TLS renegotiation. For more information, see "Operational Alerts Report" in Digital Guardian Management Console User's Guide.

• Boldon James Classifier Updates:

  The following newer versions of Boldon James software have been certified with Agent for Windows 7.8.4:

  • Classifier Administration Server 3.19.2

  • Email and Office Classifier 3.18.22

  • File Classifier 3.16.7.1

• Documentation Changes: Information about the Sub rule operator has been changed in the "Rule Variables" chapter of Digital Guardian Rule Implementation Guide:

  • The topic "Subtracting Variables With Sub" has been edited to remove information that no longer applies. The text now reads: "Sub removes a stored value from an array."

  • The topic "Using Sub To Declare a Rule Variable" no longer applies and has been removed.

Fixes

• When a DG Agent upgrade was performed using Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager, or SCCM), the DGMC, or an interactive MSI installer, the value of the enableStatus Windows Registry key in HKEY_LOCAL_MACHINE\SOFTWARE\VDG/status) did not change when the user expected it to. This is resolved with an update to DG documentation. See Critical Notice "Agent Upgrade Status in Registry Linked to Query Interval" on page 1" and "Agent Upgrade Status in Registry" in Digital Guardian Management Console User's Guide, v8.5.1.

• DG added a cache to its process for validating server certificates for storing the results of attempts to resolve missing intermediate certificates. This should help reduce repeated connection timeouts that occurred when a missing intermediate certificate could not be retrieved and the attempt to locate it required a fairly long time before failing.

• A rule that uses address bar value in the web browser to detect and block access to unapproved external websites was incorrectly triggered on Mozilla Firefox due to an error in the DG plug-in for Firefox. A change to the plug-in code resolved the issue.

• Using a USB device with Removable Media Encryption (RME) sometimes caused a system crash due to a race condition during USB mounting. A code change resolved the issue.

• When WinRAR extracted an XZ compressed archive containing a .rar file, the DG Agent triggered a FileArchive event, and the Local Forensic Report showed a few of the source files as files extracted from the archive and showed the destination file as the .rar file extracted from the archive. A code fix now allows the Agent to differentiate between compression and extraction processes.

• Multiple rules containing the constOpFileSaveAs constant all executed on a File > Save As operation, regardless of their priority or the fact that Continue Rule Evaluation was set to No. This caused failures in control rules that had an action other than Alert. DG had the customer upgrade to an Agent version where the issue does not exist.

September 2022

Version: 7.8.3

Sep, 2022

New Features

• Enhancement to DGCipher Utility:

  The DGCipher utility allows users to decrypt files they encrypted with RME password encryption on machines that do not have a DG Agent. The DG Agent for Windows 7.8.3 release introduces a new configuration setting for RME that extends the use of DGCipher to RME-enabled Linux and macOS computers. This setting is enabled by default so that when you copy files to a USB device, Linux and macOS ciphers are copied to the USB device, along with the Windows cipher:

  <rme-CopyLinuxAndMacCiphers>1</rme-CopyLinuxAndMacCiphers>

  If you do not need the Linux and macOS ciphers, you can change the configuration parameter to disabled (0) in the custom configuration file. This reverts DGCipher to "legacy" mode, where only the Windows DGCipher is copied to the USB device:

  <rme-CopyLinuxAndMacCiphers>0</rme-CopyLinuxAndMacCiphers>

  For more information on DGCipher, see Digital Guardian Utilities Guide.

• Upgrade of Micro Focus EDK and KeyView Engines:

  DG Agent for Windows 7.8.3 uses version 12.12 of the Micro Focus KeyView and Eduction Engine SDKs. These components are required for using the Adaptive Content Inspection (ACI) feature. The version 12.12 content inspection engines are installed by default with fresh installations and upgrades of Agent for Windows 7.8.3.

  Agent for Windows 7.8.3 continues to support the 41 DG built-in ACI entities listed on the DGMC ManageClassification - Adaptive Inspection Resources page (Policies > Content Patterns > ACI Resources). Micro Focus documentation for version 12.12 is provided with Agent for Windows 7.8.3 and later in the Third-Party Documentation folder.

• Bolden James Classifier Updates:The following newer versions of Boldon James Classifiers have been certified with Agent for Windows 7.8.3:

  • Email & Office Classifier 3.17.1023.1

  • File Classifier 3.16.7.1.

Fixes

• A deployment issue prevented rules based on MIP label information from document properties from working. The topic "Enabling Extraction of Document Properties for Office and PDF Documents" in Digital Guardian Management Console User's Guide now makes clear that at least one control rule and one content classification rule must be deployed to the Agent.

• DG resolved an issue where an internal user was blocked from downloading a file from the Azure DevOps website (dev.azure.com) because DG incorrectly identified the site as a restricted removable device.

• A rule that looks for a specific document property/value pairing did not consistently block attempts to print a Microsoft Word file from a local folder that was synchronized with Microsoft OneDrive because Word detected the block action and retried printing from the remote location. The DG Agent now successfully detects the retry and switches back to the original source location.

• When you use drag-and-drop to attach a file that contains unicode characters or special characters to a new email in Microsoft Outlook, the Agent now captures the correct file and folder paths.

• DG made a change to the way connections redirected to the DG web inspection proxy (DG WIP) are handled when the original destination of the connection cannot be reached. The change fixes connection issues that prevented browser fallback from a server’s IPv6 address to the server’s IPv4 address, and fixes scenarios where a system is configured with a Proxy Auto Configuration (PAC) file that returns multiple connection methods but the first method does not connect successfully.

• When the DG Agent attempted to reclassify files uploaded to a remote share so the latest classification data would be available, the attempt failed due to inappropriate permissions used when accessing the file. A change to the DG Agent now ensures appropriate access permissions are used.

• When a file archive operation was performed using either WinRAR or Windows Archive utility, .pst files in the archive were not reported in the Local Forensic Report for the archive event. This has been resolved so that now all file types included in the archive are reported in the forensic report.

• When a user saved a Microsoft Outlook email message file (.msg) to a folder, the message file opened successfully the first time the user tried to open it, but subsequent attempts resulted in the Outlook error message "It's possible the file is already open, or you don't have permission to open it." Subsequent attempts are now successful.

• When text from a Microsoft Word document that had a header and footer was copied and pasted into a new Word document, only the text body was pasted. This has been fixed so that the header, footer, and body are retained in this scenario.

• When an image in a Microsoft Word document was copied and pasted into another section of that document or into a new Word document, the paste failed. This has been fixed so that the image is pasted in this scenario.

• DG resolved an issue where the Investigation Module screen capture feature did not capture the full screen if a user changed the screen size setting to either 125 or 150%.

• When a drag and drop action was used to move a classified JPEG file (.jpeg or .jpg) into a Microsoft Word document, the classification tag was not propagated to the Word document. The DG Agent has been changed to propagate the classified tags following the drag and drop.

• DG resolved an inconsistency in NTU event reporting on all Agent types that resulted in duplicate or incorrect filenames being reported when multiple matching files were part of the same event. Now, if two files have matching hash values (as would happen, for example, if File Y is a copy of File X), and both files are uploaded simultaneously, separate events are reported.

August 2022

Version: 7.8.2

Aug, 2022

New Features

• Enhancements to DG WIP Configuration:

  This DG Agent for Windows release contains enhancements to DG WIP processing to improve the customer experience. Previously, when a configuration error was found in one resource — such as a bad onecrl.json resource, a bad template.pem resource, or a domain flag in domainflags.txt that DG WIP could not understand — DG WIP would treat the error as a critical problem and return to its default configuration. Now DG WIP can ignore certain problems in its configuration, while continuing to process all other parts of the configuration.

  Configuration errors not critical to DG WIP processing trigger a WIP configuration warning. If the problem is a bad onecrl.json resource or a bad template.pem resource, DG WIP ignores the entire bad resource and uses an alternate resource. For non-critical errors in domainflags.txt, DG WIP ignores just the flag that it cannot understand, or just the line that it cannot parse, and still uses the rest of the domain flags file. If critical configuration errors occur, such as a bad proxyscripts.zip file or a bad config.json file, DG WIP still falls back to its default configuration.

  For more details on sample op alerts refer to Digital_Guardian_Agent_for_Windows_7.8.2_Release_Notes.

   

Fixes

• On some DG Agent computers, the DG MSI installer tool (DgMSITool.hta ) failed to create a custom MSI that had feature packages embedded in the MSI due to a permissions issue that prevented saving the file using SaveAs. DG resolved this by keeping the original database open in read-only mode during a SaveAs.

• System performance was degraded after the DG Agent was upgraded from version 7.6.4 to version 7.8.1. This occurred because a MIP SDK dependency preceded the DgAgent\mip folder in the DLL loading search order. The search order has been adjusted to correct this issue.

• Non-critical errors in a domainflags.txt entry resulted in DG Agents reverting to the default domain flags file instead of the last working version. This issue was resolved as part of enhancements to DG WIP, including domainflags.txt processing. For details, see "Enhancements to DG WIP Configuration." Refer to "Digital_Guardian_Agent_for_Windows_7.8.2_Release_Notes" on page 16.

• DG now truncates the file paths of Microsoft Outlook email attachments that are stored for internal usage to 259 characters if the file path is greater than 260 characters to ensure that email attachments that are 1 MB or larger do not cause Outlook to shut down.

• When formatted text was copied and pasted within the same Microsoft Word document or from one Word document to another, the pasted text lost its formatting. This occurred only when the "Pasting from other programs" option was set to "Keep Text Only" (File > Options > Advanced > Pasting from other programs). This has been fixed so that the formatting data is retained in this scenario.

• The DG Agent default Process Flag Resource file (prcsflgs.dat) has been updated with changes to the flag settings that apply to how the DG Agent interacts with the Cylance Smart AntiVirus software product. For details, refer to "Resource File Changes" on page 18.

• When presenting prompts that contain links intended to open a web browser, the DGPrompt process now calls the browser that is set as the default to display and/or redirect the information.

• A rule was not triggering correctly on a file being added to an archive using the File Explorer context menu (right click). The rule now triggers correctly.

• A customer with DG Adaptive Content Inspection (ACI) enabled encountered extremely slow operations when deleting hundreds of thousands of files because the DG Agent was attempting to classify the files. A recycle-bin path in the ACI2 section of the Directory Control File (dirctrl.dat) now ensures that the Agent does not attempt to classify files going to the recycle bin.

• DG made a change to the DG Agent to correct an issue with Adaptive Content Inspection (ACI) in which incorrect conversion of multibyte characters in the body of emails resulted in faulty classification of words and phrases.

• DG made changes to ensure that the DG WIP logs (dgwip0.log, dgwip1.log, and so on) will no longer be created in the disk root folder (for example, C:\) when there is a error retrieving the DG Agent installation folder from the Windows registry.

July 2022

Version: 7.8.1

July, 2022

New Features

• Label Prompt Type:

  The Label prompt type has been added to the list of basic prompts in the DGMC. When a rule is configured with the Prompt action and a Label prompt is selected, the user is shown an informational message while the applicable file is being labeled. The Label prompt type is optional for labeling actions.

  When configured, the Label prompt is presented whether or not labeling eventually succeeds. When creating the prompt message, you can include the optional <ruleLabel/> prompt variable, which resolves to the text of the MIP label.

  The Label prompt is useful in cases where a file extension is changed by MIP labeling. For example, with AutoCAD .dwg files, the act of labeling with protection changes the file extension to .dwg.pfile. To prevent confusion, you may want to prompt users so they do not assume their file has disappeared or been deleted. File extensions that are not changed by MIP labeling, such as Microsoft Word .docx files, are less likely to cause confusion, so in those cases you may decide prompting is not necessary.

  For more information, refer to "User Prompt Messages" in Digital Guardian Management Console User's Guide.

• DG Agent Crash Dump Reporting Automation:

  DG Agent for Windows now supports crash dump reporting automation, whereby the Agent collects information about crashes of DG processes when they occur. The Agent safely uploads the information to a secure cloud repository for analysis by DG personnel. Uploaded crash dump data is purged from the cloud repository after 90 days, but selected data can be moved to Atlassian Jira and remain there longer.

  NOTE: DG Agent for Windows 7.8.1 collects crash dump data for the DGAgent.exe process only.

  Crash dump reporting automation replaces parts of the previous manual process, thereby reducing customer effort, decreasing the need to involve other personnel at the customer site, and allowing debugging information that is often critical to resolving an issue to be accessed instantaneously. In many cases, automating crash dump reporting notably reduces the time required to resolve an incident. The Agent crash dump reporting automation feature uses an established open-source component to provide crash dump collection, and uses the SDK of a popular commercial application-monitoring and error-tracking vendor to upload the data to the secure cloud repository. For more details on the crash dump automation feature, refer to Digital Guardian Management Console User's Guide.

• Bolden James Classifier Updates: The following Boldon James Classifiers have been certified with Agent for Windows 7.8.1:

  • Email & Office Classifier 3.17.0

  • Classifier Administration Server (CAS) 3.19.0

Fixes

• DG resolved a sharing violation on a locked folder that was causing Microsoft Office applications to stop responding.

• When proxying TLS connections between a browser and a server, DG WIP did not inform the server of the minimum TLS version that the browser supported, which could result in the server negotiating a TLS version that the browser did not support (ERR_SSL_VERSION_OR_CIPHER_MISMATCH). Now DG WIP uses the browser’s minimum version as the WIP minimum version when negotiating with the server.

• A change was made to DG Agent code to make sure there is no performance impact when customers use the Boldon James User Classification feature and/or the Document Properties feature through the Microsoft Remote Desktop Protocol (RDP).

• When using Microsoft Outlook to send or reply to an email that contains multiple recipients, a crash occurred. This has been resolved.

• A third-party library file has been altered to treat xml files as regular text. This change allows file types: document/xml to be classified.

• An additional check has been added to prevent memory from being accessed beyond the end of a buffer.

• In some cases DG WIP was not using the customer’s corporate web proxy to send Online Certificate Status Protocol (OCSP) requests that DG WIP requires but that do not originate from the browser. This was resolved so that all outgoing requests now go through the corporate proxy.

• When you edited a file’s document property values in a Microsoft Office application and then saved the file, control rules were not seeing the expected values for thE evtSrcDocPropertyString and evtDestDocPropertyString rule variables. The DG Agent now reports the expected values after the Save operation.

• You can now configure DG Agent rules that will act on the evtSrcFileType value in Print events.

May 2022

Version: 7.7.6

May, 2022

Fixes

• DG failed to detect an NTU when a file greater than 1MB was uploaded to Google Drive. The DG WIP proxy script pack has been updated so that NTU actions are detected when large files are uploaded to Google Drive.

• A timing issue around when a process acquires or creates an item to monitor in the Windows Registry cause certain rule evaluation to fail when acquiring that registry item. DG resolved the timing issue.

• Changes were made to the DG Web Inspection Proxy (DG WIP) to expedite the processing of a serverinitiated connection close. This fixed an issue with some authenticated web connections when the web server was configured to close the initial connection that did not start the authentication negotiation.

• When a customer used drag and drop to move some text from a classified file to the body of a Microsoft Outlook email message and then sent the email, the Send Mail event does not show that the message body was classified. DG resolved this so that in the drag and drop scenario, a Send Mail event is shown in the Local Forensic report with the permanent classified tag that was applied to the file the text was dragged from.

• When DG Agent monitored connections originating from a third-party proxy using the wipThirdPartyProxyExec configuration setting, the Agent did not fall back to the standard monitoring

• mechanism of monitoring browser-originated connections when the proxy process was stopped, resulting in loss of web visibility. DG now provides a fallback mechanism when wipThirdPartyProxyExec is configured and the third-party proxy process is stopped.

• In an environment using roaming profiles, a customer wanted document properties for MIP support to be processed on network shares and consequently enabled the option to "Classify files on network shares" — <classifyFileOnNetworkShare<1>/classifyFileOnNetworkshare> — in a custom configuration resource file. When attempting to perform a Save or Save As operation from a Microsoft Office application, the customer encountered a very long delay before the operation was completed. DG resolved this issue with changes to the DG Agent code.

• If you cut and pasted text from a classified file to a draft email in Microsoft Outlook and then attempted to print the draft, any control rules set up to block the print operation based on the classification tags failed to trigger. DG Agent code has been altered so that rules trigger and the print operation gets blocked based on the classification tags.

• Internal websites using an IP address to reference a server that had a proxy in front of it were prevented from loading even though domain flags had been applied to the IP addresses of the sites so DG WIP would bypass them. This occurred on Google Chrome, Microsoft Edge, and Mozilla Firefox. DG resolved this issue with changes to the DG Agent code.

• In a very few cases, DGMCs managed by DG MSP showed orphan tags, policies, and rules as unknown. To assist the affected customers, DG implemented a utility MSP can use to remove unknown tags so they do not get shown in the DGMC.

• When copying and pasting files to local desktop computers from VDI machines running DG on VMware Horizon, file transfer worked properly on DG connections to VMware Horizon using RDP, but hangs occurred before copying the file on DG connections using VMware Blast or PCoIP. DG now optimizes requests during close to reduce overhead in VMware Blast or PCoIP.

• If a user attempted to modify the Implicit Filter XML file when Tamper Resistant Mode was active, the change would not be completed. Specifically, the new impflt.xml file would be downloaded to the DG Agent, but the new impflt.bin file would not be generated. The issue was resolved with a code change.

• A computer running the DG Agent shut down unexpectedly when a signaled event was missed due to a race condition that occurred during an unmount of a removable volume. The issue would occur when the system monitor (sysmon) driver was running and monitoring any deletes on the removable volume. This was addressed with changes to the DG Agent driver.

Version: 7.8.0

May, 2022

New Features

• MIP Enhancements:

  DG Agent for Windows 7.8 extends the Digital Guardian Microsoft Information Protection (MIP) feature toenable the Agent to apply MIP labels when file operations such as file copy, file move, and network transfer download violate (trigger) control rules on files transferred to or from sensitive locations. This pertains to files sourced from a known sensitive location and moved onto the local system and files sourced from the local system and moved to a sensitive network location. This enhancement helps ensure appropriate controls can be applied to documents kept in sensitive locations. You can enable DLP rules from the MIP Policy Pack or create control rules for this purpose in the DGMC or manually.

  For details about applying MIP labels, refer to "User Classification With MIP" in Digital Guardian Management Console User's Guide.

• MIP SDK Version Update:

  DG has updated its MIP SDK version to 1.11.72.

• Core DLP Support for IPv6 Traffic:

  The DG Agent for Windows 7.8 release adds core DLP support for IPv6 traffic as it is added to the customer's network. Currently, support is provided in DG WIP, including domain flag support for IPv6 addresses and domains resolving to them, and visibility and control of NTUs and NTDs resolving to IPv6. In both cases, DG support for IPv4 has been maintained.

  In addition, the constOpNetworkEx symbolic constant is supported in rules targeting URL-based activities, but support is not provided yet for using IPv6 addresses in rules and component lists or in URL-based network operation events (events that block access to IPv6 addresses). IPv6 reporting is now included in the DG ARC and DGMC consoles.

• DG WIP Auto-Skip Enhancements

  DG added support for new types of DG WIP auto-skip websites to the 7.8 Agent for Windows and the 8.2 Agent for macOS to resolve website incompatibilities. (The DG WIP auto-skip feature will be supported in a future release of the Agent for Linux.) These Agents generate WIP Auto Skip Domain Detected operational alerts with a code that identifies the reason the website is eligible to be auto-skipped. If auto-skip is enabled, DG WIP automatically skips the inspection of those websites. The currently supported reason codes are:

  • "mtls" — Indicates sites that attempt to use mTLS client certification authentication

  • "tls-reneg — Indicates sites that attempt to use TLS renegotiation

  • "imp"— Indicates sites where access is blocked by CDN or WAF security rules (since 7.7.4 Agent for Windows)

  • "cf" — Indicates sites where access is blocked by CDN or WAF security rules (since 7.7.3 Agent for Windows)

  The following example shows the "mtls" reason code used in op alerts generated when a website attempts to use mTLS client certificate authentication:

  wip automatic skip eligible domain detected: "example.com" reason:"mtls"

  For more information, refer to "Digital Guardian Web Inspection Proxy" in Digital Guardian Installation and Upgrade Guide.

• Auto-Detection of NTUs and NTDs for Certain Non-Browser Applications

  DG WIP can now auto-detect NTUs and NTDs for applications that use different process IDs to perform network operations and file operations. The MPO_USE_CASSINI (CASS) process flag forces an application’s network traffic to go through DG WIP. When applied in conjunction with other DG flags and settings, the CASS flag enables DG WIP to generate NTUs and NTDs for certain non-browser applications. This has been validated with Microsoft Teams and Slack.

  You must apply configuration changes to enable DG WIP to generate NTUs and NTDs for these applications. For details, refer to "Generating NTUs and NTDs for Non-Browser Apps" in Digital Guardian Installation and Upgrade Guide.

Fixes

• DG failed to detect an NTU when a file greater than 1MB was uploaded to Google Drive. The DG WIP proxy script pack has been updated so that NTU actions are detected when large files are uploaded to Google Drive.

• A timing issue around when a process acquires or creates an item to monitor in the Windows Registry cause certain rule evaluation to fail when acquiring that registry item. DG resolved the timing issue.

• Changes were made to the DG Web Inspection Proxy (DG WIP) to expedite the propagation of a connection close initiated by a web server to the paired browser connection. This fixed an issue with some authenticated web connections when the web server was configured to close the initial connection that did not start the authentication negotiation.

• When a customer used drag and drop to move some text from a classified file to the body of a Microsoft Outlook email message and then sent the email, the Send Mail event does not show that the message body was classified. DG resolved this so that in the drag and drop scenario, a Send Mail event is shown in the Local Forensic report with the permanent classified tag that was applied to the file the text was dragged from.

• When DG Agent monitored connections originating from a third-party proxy using the wipThirdPartyProxyExec configuration setting, the Agent did not fall back to the standard monitoring mechanism of monitoring browser-originated connections when the proxy process was stopped, resulting in loss of web visibility. DG now provides a fallback mechanism when wipThirdPartyProxyExec is configured and the third-party proxy process is stopped.

• In an environment using roaming profiles, a customer wanted document properties for MIP support to be processed on network shares and consequently enabled the option to "Classify files on network shares" — <classifyFileOnNetworkShare<1>/classifyFileOnNetworkshare> — in a custom configuration resource file. When attempting to perform a Save or Save As operation from a Microsoft Office application, the customer encountered a very long delay before the operation was completed. DG resolved this issue with changes to the DG Agent code.

• If you cut and pasted text from a classified file to a draft email in Microsoft Outlook and then attempted to print the draft, any control rules set up to block the print operation based on the classification tags failed to trigger. DG Agent code has been altered so that rules trigger and the print operation gets blocked based on the classification tags.

• Internal websites using an IP address to reference a server that had a proxy in front of it were prevented from loading even though domain flags had been applied to the IP addresses of the sites so DG WIP would bypass them. This occurred on Google Chrome, Microsoft Edge, and Mozilla Firefox. DG resolved this issue with changes to the DG Agent code.

• Attempts to access websites that engage in TLS renegotiation fail because DG intentionally disabled support for TLS renegotiation due to security vulnerabilities. (Note that TLS 1.3 standards no longer support TLS renegotiation.) DG will fail user attempts to access such sites and will generate WIP Auto Skip Domain Detected operational alerts with the "tls-reneg" reason code. Upon noticing this operational alert and based on data egress risk, you can either add a SK domain flag for sites using TLS renegotiation or enable autoskip so the sites will work.

• DG WIP logging (dgwip.log) was reporting some errors that were not true errors. The logging has been changed to report certain errors as informational.

• In a very few cases, DGMCs managed by DG MSP showed orphan tags, policies, and rules as unknown. To assist the affected customers, DG implemented a utility MSP can use to remove unknown tags so they do not get shown in the DGMC.

• DG WIP logging (dgwip.log) was reporting some errors that were not true errors. The logging has been changed to report certain errors as informational.

• When copying and pasting files to local desktop computers from VDI machines running DG on VMware Horizon, file transfer worked properly on DG connections to VMware Horizon using RDP, but hangs occurred before copying the file on DG connections using VMware Blast or PCoIP. DG now optimizes requests during close to reduce overhead in VMware Blast or PCoIP.

• DG has resolved a known issue where NTDs of MIP-labeled .pdf files and some other file types were downloaded despite a block control rule because the Agent could not detect the file extension added by the browser. This caused MIP labeling reading to fail, thereby preventing the rule from being triggered.

• If a user attempted to modify the Implicit Filter XML file when Tamper Resistant Mode was active, the change would not be completed. Specifically, the new impflt.xml file would be downloaded to the DG Agent, but the new impflt.bin file would not be generated. The issue was resolved with a code change.

• A computer running the DG Agent shut down unexpectedly when a signaled event was missed due to a race condition that occurred during an unmount of a removable volume. The issue would occur when the system monitor (sysmon) driver was running and monitoring any deletes on the removable volume.This was addressed with changes to the DG Agent driver.

April 2022

Version: 7.7.5

April, 2022

Fixes

• When the DG Agent and the SentinelOne anti-virus application were both running, the anti-virus code accessed a file the Agent was performing content inspection on, causing Microsoft Office applications to slow down, effectively making them unusable. The fix to "AG-43419 " on helped resolve this issue (refer to DigitalGuardian_Agent_for_Windows_7.7.5_Release_Notes). The Agent now uses specific flags when processing a file to notify other applications to wait for the Agent to finish processing

• The httpProxySupportFlags configuration option, which allows you to specify a PAC URL of a proxy server, instead of a direct proxy for communication with other servers and websites, did not work with the 7.7.3 Agent. Although the new option was set correctly in the administrator's custom configuration file, a variable within the Agent code was not returned properly, and consequently the Agent did not attempt to look up the configured proxy PAC site. This was resolved with code changes to the Agent.

• Websites protected by Incapsula did not work when DG WIP is enabled.

• Files were getting translated without any NTU events being detected when Google Translate introduced a new feature identified by "Powered By Google Cloud." This happened on Google Chrome, Mozilla Firefox, and Microsoft Edge and was addressed with a change to the Script Pack (proxyscripts.zip) in the 7.7.5 Agent. If you distributed the Script Pack resource from the DGMC to some or all of your Agent computers, you will need to import the new script pack into the DGMC and push it to those computers. This is necessary because the version distributed from the DGMC overrides whatever version may have been shipped with the release. The new script pack works with older Agent releases and fixes the Google translate issue for them as well.

• An SSL certificate error would occur when users were browsing with Google Chrome or Microsoft Edge if the optional Windows registry setting RequireOnlineRevocationChecksForLocalAnchors" was enabled. This issue was addressed by modifying DG WIP to provide a TLS Certificate Status Request extension ("OCSP staple") on every SSL certificate that it issues.

• An interoperability problem between DG WIP and Palo Alto GlobalProtect app 5.2.8 on Windows causes network browsing failure to sites whose domains are configured for Global Protect domain-based split tunneling. Palo Alto has provided a fix for this issue in GlobalProtect app 5.2.11, which is expected to be available at the end of March, 2022.

• A defect in the DG Agent prevented the Seclore third-party plugin from being loaded in Microsoft Office applications. DG has fixed the issue.

• When a user had multiple Microsoft Excel files open, performed edits on them and saved the edits, but did not close the files, the DG Agent prevented Excel from saving the files. Consequently, when the user closed a file and then re-opened that file, the edits were missing. To resolve this, the Agent now uses specific file attribute flags that prevent applications such as Excel from accessing the same file while the Agent is actively processing it. This forces Excel to wait for the Agent to finish processing the file before performing a Save operation.

• Customers using a certain content delivery network (CDN) or web application firewall (WAF) were blocked from accessing some websites with DG WIP. DG WIP can now automatically skip websites when it detects that a certain CDN or WAP has decided to block access to the websites due to the security rules it applied.

• Windows Task Manager (taskmgr.exe) failed to open due to DG injection. Task Manager is a Microsoft Universal Platform app (formerly Metro), and DG does not support UWP DLLs used in Task Manager. To resolve this issue, DG no longer loads UWP-sensitive DLLs into taskmgr.exe.

• A rule that evaluates a file operation could not use the rule properties evtSrcEncryptionType and evtDestEncrytionType. DG made a code change to address the issue.

• When a request to capture a file to the DGMC was made, the Agent did not check the file's size and disallow capture requests for files larger than the configured value for the Max Capture File Size setting in the DGMC. This was resolved with a change to the Agent code.

• Saving a file from a Microsoft Office application to a network share took an unusually long time. This occurred because when the detectPathChangesForClassifiedFile configuration setting was in the off state (0 - Disabled), it failed to prevent the Agent from reinspecting a file after the Save operation was completed. The DG Agent has been fixed so that detectPathChangesForClassifiedFile works properly when set to 0 (disabled).

• A fatal error occurred on a single DG Agent-equipped computer due to a reference counting issue that destroyed an object before the call to the Windows registry hive unload post handler was invoked. An additional add reference on the objects has been added to extend their lifespan across this call.

• When you ran the Microsoft System Configuration Utility (MSConfig) with the DG Agent in stealth mode, the DG services were displayed, despite the Agent being in stealth mode. DG addressed the issues with a code change.

• DG Agent computers shut down unexpectedly due to an invalid config.xml file that was not replaced with a valid backup due to the backup functionality not operating. This issue was addressed with a code change that reenabled the backup functionality.

February 2022

Version: 7.7.4

Feb, 2022

New Features

• Adding an HTTP Proxy PAC URL List in the Registry:

  DG has provided an enhancement to the httpProxySupportFlags Agent configuration setting that allows the Agent to establish a connection to an alternate proxy PAC URL if it cannot connect to the proxy PAC URL value configured in your custom config.xml file. To use this option, you need to edit the Windows registry, as follows:

  1. Locate \HKEY_LOCAL_ MACHINE\SOFTWARE\VDG.

  2. Add a new key named httpProxyPacURLList of type REG_ MULTI_SZ.

  3. Enter a list of proxy PAC URLs and save your changes.

  If the Agent cannot connect to the proxy PAC URL specified in your config.xml file, it will walk through the registry entries to find a PAC URL that works. For more information on httpProxySupportFlags and associated configuration settings, refer to DG Agent 7.7.3 for Windows Release Notes.

• evtUrlPath Length Extended

  The maximum path length for the evtUrlPath rule property, which specifies the URL for network operations only, has been extended from 260 characters to 2000 characters. This change applies to DG Agent 7.7.3 and later.

Fixes

• The configured settings for Max Per Volume Storage Size and File Record Expires (File Capture to DGMC feature) were not observed when the DG Server was unreachable. As a result, large numbers of captured files accumulated in the pending folder such that the actual file store size exceeded the configured store size. DG added code to the Agent to purge the file store to handle this situation.

• The DG Agent encountered an exception when requesting the Boldon James User Classification software to initialize itself, which caused the DG Agent to crash. The DG Agent software has been fixed to handle and recover from such exceptions without crashing.

• Outlook, Excel, and other Microsoft Office apps sometimes experienced long hangs when performing operations such as opening or saving files if ACI was enabled. This was resolved with a code change to the Agent.

January 2022

Version: 7.7.3

Jan, 2022

New Features

• Support for TLS 1.3:

  The DG Agent for Windows now is capable of intercepting TLS1.3 encrypted web traffic. This allows DG to detect NTU/NTD operations for websites that use TLS1.3 encryption protocol.

• httpProxySupportFlags

  DG added the httpProxySupportFlags setting in DG Agent 7.7.3 to allow customers to specify in httpProxyServerName the Proxy Auto-Configuration (PAC) URL of a proxy server, instead of a direct proxy, for communication with the DGMC. The descriptions of associated HTTP proxy configuration settings have been updated accordingly. To use the PAC URL of your proxy server, you must add the following entries to your custom configuration resource:

  <httpProxySupportFlags>4</httpProxySupportFlags>

  <httpProxySupportLevel>3</httpProxySupportLevel>

  <httpProxyServerName>http://proxypac.example.com/proxy.cgi</httpProxyServerName>

  <httpProxyServerPort></httpProxyServerPort> For more details,refer to New features section ofDigitalGuardian_Agent_for_Windows_7.7.3_Release_Notes.

• WIP Auto-Skip Operational Alert

  DG added the WIP Auto Skip Domain Detected (#89) operational alert in Agent 7.7.3 for Windows, and in Agent 8.1 for macOS, to present a notification when DG WIP detects a website incompatibility and could skip the website automatically. Currently, WIP can auto-skip websites that are hosted by Cloudflare and trigger either a block or a CAPTCHA challenge. For more details, refer to New features section ofDigitalGuardian_Agent_for_Windows_7.7.3_Release_Notes

• wipAutoSkipEnable Configuration Setting

  DG added the wipAutoSkipEnable setting in Agent 7.7.3 for Windows, and in Agent 8.1 for macOS, so you can configure DG WIP to automatically skip websites that use specific technologies that are incompatible with DG WIP. For more details, refer to New features section ofDigitalGuardian_Agent_for_Windows_7.7.3_Release_Notes

• enableWinHttpAndSPDYHooks Configuration Setting

  DG added the enableWinHttpAndSPDYHooks configuration setting in Agent 7.7.3 for Windows so that customers can enable or disable the WinHttp API and the SPDY/HTTP2 protocol analysis hooks. In the initial release of Agent 7.7.3 Release Notes the description of this setting was missing important information. For more details, refer to New features section ofDigitalGuardian_Agent_for_Windows_7.7.3_Release_Notes as well as in the DigitalGuardian_Agent_for_Windows_7.7.4_Release_Notes on page 20.

• Upgrade of Adaptive Content Inspection Engines

  This release of the DG Agent provides the Micro Focus Autonomy Keyview Filter SDK 12.9 and Micro Focus Autonomy Eduction SDK 12.9 content inspection engines. The upgraded SDKs are required for using the DG Adaptive Content Inspection (ACI) feature with DG Agent 7.7.3 and later and DG Server 8.4 and 8.5.

  The DG Agent supports the 41 DG built-in ACI entities listed on the Manage Classification - Adaptive Inspection Resources page in the DGMC (Policies > Content Patterns > ACI Resources).

  A zip file used for installing the content inspection engines is included by default in the Agent MSI and EXE files, as well as in the Agent upgrade package. The required files are installed on fresh installs and upgrades of the Agent. Documentation for the KeyView and Eduction engines is provided with v7.7.3 and later Agents.

Fixes

• A number of websites that use a content delivery network (CDN) did not serve up requested web pages, or prompted for CAPTCHA before doing so, if DG WIP was inspecting the traffic to the server. DG handled the issue for many of the reported CDN-hosted sites without needing to skip inspecting the traffic (refer to AG- 43848 in the resolved issues section of DigitalGuardian_Agent_for_Windows_7.7.2_Release_Notes. DG now provides the wipAutoSkipEnable Agent configuration setting so you can configure DG WIP to automatically skip websites that use specific technologies that are incompatible with DG WIP. For more details refer to page 15 of "DigitalGuardian_Agent_for_Windows_7.7.3_Release_Notes" .

• In certain cases, some third-party Microsoft Excel add-ins were causing compatibility issues with the Digital Guardian Agent, which resulted in Excel crashing on exit. This problem has been addressed.

• When a user opened an existing email in Microsoft Outlook, selected the appropriate menu options for using the "Resend this message" action, and then sent the email, the DG Agent did not execute rules against the resend action. As a result, emails that should have been blocked were re-sent. The DG Agent now detects resend attempts and executes the block rules as expected.

• When a single classified file was attached to an email in Microsoft Outlook, several Attach Mail events were reported in the DGMC. This issue was addressed with a code fix to ensure that the number of Attach Mail events reported matches the number of classified file attachments.

• When buffer inspection rules (rules that use evtBufferEntityFrequency) were applied to the DG Agent, and the user copied text from a classified file, the rule engine could not detect that the file was classified in the ADE Paste event. As a result, neither the classified icon nor the fact that the ADE paste was not blocked were shown in the Local Forensic report. DG has resolved this issue.

• If you defined a control rule that would apply a unique, non-permanent tag to a Microsoft Office file based on meeting specific rule requirements during a file SaveAs operation, and you altered the data within the file so that the requirements that resulted in applying the non-permanent tag were no longer met, the Agent applied the non-permanent tag after the SaveAs operation. This issue is now fixed for SaveAs operations on Microsoft Office files.

• Customers who ran the MicroFocus KeyView filter.exe and extract.exe files from the command line were presented with a license expiration error. These files each had an embedded license that had expired. This issue is resolved with the DG upgrade to the KeyView 12.9 ACI engines, and the Agent now embeds the latest KeyView license file within its code.

• No Send Mail event was reported in the DGMC or DG ARC when three classified file attachments were emailed, even though the associated rule was triggered as expected. This issue was addressed with code changes.

• Sporadically, on reboots of computers running DG Agent 7.6.1, the Agent stopped communicating with the DGMC, and other networking issues occurred. The problems were addressed by upgrading the computers to Agent 7.6.5 and to a later build of the Windows 10 OS. Also, an alternate DG rule that was tried was reverted to the original, as the alternate rule did not apply to the customer's situation.

• Copying of crash dump information on larger files was extremely slow at the end of the copy operation. The DG Agent was not checking the target file size or extension before reading document properties from the dump file, and the timeout setting was not properly enforced when document properties were being read. The Agent now checks the file size and extension to determine whether to read document properties and checks the timeout when reading document properties.

• A DG Agent upgrade was scheduled to be deployed by a Distribution Server during a specified time period. The upgrade was successful on the great majority of computers, but failed on several because the Agent on those systems incorrectly identified the schedule as a bad parameter. DG addressed this issue by making changes to the Agent software.

• Websites using only the TLS 1.3 protocol to provide secure communication between the client and server were not accessible on client computers running the DG Agent because the Agent only supported TLS 1.2. DG addressed this issue by adding support for TLS 1.3 in Agent for Windows 7.7.3

• DG WIP failed to populate web browser destination file details for NTUs properly to the Rule Engine. As a result, destination file event details were missing from the Local Forensic Report. Destination file event details are now reported as expected from all DG-supported browsers.

December 2021

Version: 7.7.2

Dec, 2021

New Features

• Microsoft Windows 11 Certification:

  Digital Guardian has certified Windows 11 with DG Agent 7.7.1 for Windows. DG officially supports using Agent v 7.7.1 or later with Windows 11. DG recommends upgrading to DG Agent 7.7.1 for Windows before upgrading to Windows 11. If you upgrade to Windows 11 first, there is a possibility that either pre-7.7.1 versions of the Agent or Windows 11 will not work properly

Fixes

• DG esolved a sharing violation on a locked folder that was causing Microsoft Office applications to stop responding. System failures occurred on systems running DG Agent 7.6.8.0020 or 7.6.8.0032 for Windows in the following scenarios:

  • When a policy contained a rule that referenced the evtBufferEntityFrequency property, and the rule involved ADE (application data exchange) operations.

  • A copy/paste was done from an application with open, classified files (permanent tags). This is a regular copy/paste without rule triggering. Here is a code snippet showing the property in a rule:

  <greaterThan>

  <evtBufferEntityFrequency name="custom_ssn"/>

  <int value="0" />

  </greaterThan>

  The issue was resolved in the DG Agent 7.6.9 for Windows release, and a Support Notice was sent to DG customers alerting them to the issue with Agent 7.6.8 for Windows.

• Opening a Japanese-language, password-protected Microsoft Office file resulted in a lengthy delay before the password prompt appeared. The delay was observed in either of the following scenarios, which caused repeated attempts to classify the password-protected file.

  • The function to create a file ID could not handle unicode-character file names correctly when called from the Classification library.

  • If the Microsoft Information Protection (MIP) feature was enabled, the decision to re-classify the file was not calculated properly.

  The issue was resolved with code changes.

• Some web security products erroneously block or challenge web traffic proxied through the DG Web Inspection Proxy (DG WIP) as coming from a bot. DG has made code changes that reduce the incidence of such traffic being flagged.

• Incompatibility between Windows BitDefender and DG Agent software, in certain circumstances, could cause the Windows Explorer process (explorer.exe) to crash and to display a black screen when a user attempted to log in. The issue is fixed in new code.

• If you define a control rule that will apply a unique, non-permanent tag to a file based on meeting specific rule requirements during a file SaveAs operation, and you alter the data within the file so that the requirements that resulted in applying the non-permanent tag are no longer met, the Agent no longer applies the non-permanent tag after a SaveAs operation.

• When the DG_SetProcessFlags rule function was used in a rule to set a process flag and clear a component hooking flag, the process flag was set, but the component hooking flag was not cleared. DG has enhanced the documentation about process flag and component hooking flag functions to ensure that customers can make correct function calls to achieve their objectives. For details, see “Process Flag and Component Hooking Flag Functions” in Digital Guardian Rule Implementation Guide and "Process Flags" in Digital Guardian Management Console User’s Guide.

• A customer using the Windows Robocopy command-line utility experienced extremely slow downloads and uploads when transferring files to and from a network share in an AWS environment. This did not occur in the customer's existing network-attached storage (NAS) environment. The issue was resolved by having the customer use the simpleJitFilterPaths configuration to prevent the DG Agent from classifying network files, making changes to the Agent code, and using an alternative method to fetch attributes when the JIT (justin-time) filter is applied.

• A compatibility issue between DG and third-party USB devices occurred when DG was attempting to read USB device information. The issue was resolved using a configuration parameter to add the device to a list of devices for which the corresponding device information is retrieved using an alternative method.

November 2021

Version: 7.7.1

Nov, 2021

New Features

• Microsoft Windows 11 Certification:

  Digital Guardian has certified Windows 11 with DG Agent 7.7.1 for Windows. DG officially supports using Agent v 7.7.1 or later with Windows 11. DG recommends upgrading to DG Agent 7.7.1 for Windows before upgrading to Windows 11. If you upgrade to Windows 11 first, there is a possibility that either pre-7.7.1 versions of the Agent or Windows 11 will not work properly

Fixes

• Changes to the DG Agent to enable DG to integrate with Microsoft Information Protection (MIP) caused some properties in rules in the Windows DLP Content Pack v 3.0 to operate incorrectly if MIP integration was not enabled and configured. DG made changes to the Agent code so that rules from the v 3.0 Content Pack work properly whether or not MIP integration is enabled.

• Application failures occurred during network traffic inspection due to an edge case buffer overrun. DG modified the DG Agent code to avoid buffer overruns and also removed an obsolete AIM plugin.

• A system failure occurred at a customer installation due to the DG Agent accessing a transient data structure after the data structure was deleted. The Agent code was modified to use a permanent data structure, which prevents the system failure.

• When content was copied from classified files, pasted into a new message in Microsoft Outlook, and sent, during the send mail operation, the file was not detected as classified and a control rule to block sending classified files failed to trigger. This issue was addressed with a code fix.

• Tag propagation failed when text from a file with permanent classification tags was pasted into a file being edited in Notepad++ and also when text was cut and pasted between files being edited using Notepad++ tabs. The DG Agent was altered so that tag propagation now occurs in these scenarios.

• When saving a file using the Save As option in Microsoft Office applications, if you selected SharePoint Sites as the location where you wanted to save your file, and then selected a SharePoint folder, the file was saved in SharePoint, but the DGMC did not show an event. This issue was addressed with a code fix.

• When a large number of files were being copied to an external drive, a NULL pointer error occurred, resulting in a system failure. This issue was addressed with a code fix.

• Some DG Agent sensors that track software and user activities are activated within a process when it starts and deactivated when it exits. To activate and deactivate these sensors, the Agent software must be able to modify executable memory. Some processes might disable Agent sensors at runtime, such as the latest releases of Microsoft Teams. When that happened DG was able to deactivate Agent sensors only partially, causing the Agent computer to fail during the process exit. DG resolved the problem so that now Agent sensors are deactivated properly under all circumstances.

• A highly sensitive timing issue during system shutdown and certain process exits caused an object to be prematurely deleted. DG improved this area of code to minimize the possibility of this occurring.

• Digital Guardian has made enhancements to the device tracking internal database to address unrecoverable errors affecting some Windows Servers.

• When the wipThirdPartyProxyExec custom configuration setting was configured to interoperate with thirdparty proxies, such as Cisco AnyConnect, Sophos, and others, DG was generating network transfer upload (NTU) events against the third-party proxy instead of the Firefox browser. This did not occur with Edge Chromium or Chrome. DG now ensures that NTU events are generated against the Firefox browser.

• When a customer performed an action that resulted in a DGPrompt and then locked their system (for example, using Ctrl+Alt+Del), the DgPrompt was sometimes displayed over the lock screen. This occurred most frequently on Windows 10 Pro systems. The DGAgent code now detects the locked state and adjusts the display of the DgPrompt accordingly. When the system is unlocked, the DGPrompt is brought to the forefront.

August 2021

Version: 7.7.0

Aug, 2021

New Features

• Microsoft Information Protection:

  This DG Agent release introduces User Classification with Microsoft Information Protection (MIP). By using this feature, you can apply the capabilities of the Digital Guardian solution to ensure that your MIPlabeled documents are appropriately controlled and that relevant events related to the use of MIP-labeled documents are reported to the DLP administrator.

  Microsoft Information Protection helps you discover, classify, and protect sensitive information wherever it lives or travels. Integrating MIP with your DG implementation further enhances those capabilities. For example, when you configure a MIP integration with DG ARC:

  • DG uses the MIP SDK to read the MIP labels applied to files and can use those labels in DG rules running on DG Agents. Thus, the DG Agent acts as an enforcement mechanism, ensuring that MIP is used consistently and appropriately within your organization.

  • You can use the MIP labels in filters and detection rules in ARC to collect events and alerts that contain MIP labeled files.

  • In the ARC console or the DGMC, you can assign the MIP labels to DG rule actions to enable DGsupplied rules to trigger on the MIP information.

  • In the DGMC, you can craft rules and policies that reference MIP labels. On DG Agent computers, you can control egress of documents using rules based on the MIP labels applied to documents.

  • On DG Agent computers, you can control egress of documents using rules based on the MIP labels applied to documents.

  DG User Classification With MIP requires the following DG versions:

  • DG ARC 3.3 and later

  • DG Server 8.4 and later

  • DG Agent 7.7 and later for Windows

  Digital Guardian supports MIP in both ARC subscription installations and installations with an ARC Lite entitlement. The ARC Lite entitlement enables DGMC customers who do not have ARC subscriptions to use MIP with DG DLP. The MIP SDK supports a large number of file types. Some file types are supported for both MIP classification and protection, while others are supported for MIP classification only. A list of supported file types is provided in "Critical Notices" on page 1 in DigitalGuardian_Agent_for_Windows_7.9.1_Release_Notes

  NOTE: Currently, the DG Agent is not able to read labels from emails that have MIP labels or from any Microsoft Outlook item saved as a message file (.msg). This is expected behavior.

  To manage MIP-labeled files, you can obtain control rules from the Windows DLP Control Policy Pack (v3.0 and later), as well as create MIP control rules in the DGMC. If you use the Policy Pack, DG recommends mapping your MIP labels to DG rule actions. Mapping makes it easier to manage DG-provided MIP control rules. Both ARC and the DGMC provide the same drag-and-drop interface for this purpose.

  Events related to MIP-labeled documents are reported to the DGMC and DG ARC, allowing all existing alerting, reporting, and analytical tools to provide a single unified view of all DLP events, regardless of whether or not the events are associated with MIP-labeled documents.

  For detailed information on configuring and using Microsoft Information Protection with DG, refer to the following documents:

  • "User Classification With MIP" in Digital Guardian Management Console User's Guide

  • Digital Guardian Analytics & Reporting Cloud User's Guide

• Amazon S3 Storage for Captured Files The File Capture to Network Storage feature now supports storing packages containing captured files in

  Amazon Simple Storage Service (S3). You must have an S3 storage bucket (a container for files and file metadata). When you create a an S3 bucket, you also choose a bucket name and region. For complete information about buckets and regions and instructions for creating an S3 bucket, refer to the Amazon S3 documentation. Amazon S3 storage requires DG Agent 7.7 or later with DG Server 8.4 or later.

  To capture files to S3 storage, select AWS S3 in the Storage Location field when you configure your selected Core Settings resource. Refer to DigitalGuardian_Agent_for_Windows_7.7.0_Release_Notes.

  NOTE: Note: Typically, you configure your selected Core Settings configuration resource to have the DG Agent write to an existing folder in the S3 bucket. If you configure your Core Settings configuration resource to write directly to the S3 bucket root, make sure to use two slash characters (//) after the bucket name, for example, <bucket_name>//.

  For field descriptions and other details on configuring the File Capture feature, see "Capturing Files to Network Storage" in Digital Guardian Management Console User's Guide. To enable decryption of packages stored in an S3 bucket, DG has added S3 command options to the File Extractor Utility. For details, see "DG File Extractor Utility" in Digital Guardian Utilities Guide.

• DG WIP File System Driver

  DG now provides a new file system driver to allow the DG web inspection proxy (DG WIP) to detect file system activity from web browsers. The DG file system driver aligns with the newer Microsoft mini-filter driver architecture. The DGMC UI has been enhanced to allow customers using DG WIP to enable the file system driver and try it out, while still having the ability to switch back to the legacy driver.

  The file system driver requires DG Agent 7.7 or later. The Enable File System Driver radio box was added to the DGMC Core Settings Resource page (Browser tab) in DG Server 8.4 so that you can enable or disable the file system driver in the DGMC UI. You can also change the file system driver setting from the Override Agent Default Configuration wizard when you update Agent settings.

  Additionally, the wipFsDriverEnable setting, which corresponds to the Enable File System Driver UI setting, can be configured in the Agent config.xml file so that you can enable the file system driver in previous versions of the DGMC. This requires creating a custom configuration resource and setting wipFsDriverEnable to 1 (enabled): <wipFsDriverEnable>1</wipFsDriverEnabled>

• Upgrade of Micro Focus Autonomy Engines

  This release of the DG Agent provides the Micro Focus Autonomy Keyview Filter SDK 12.8 and Micro Focus Autonomy Eduction SDK 12.8 content inspection engines. The upgraded SDKs are required for using the DG Adaptive Content Inspection (ACI) feature with DG Agent 7.7.0 and later and DG Server 8.4 and later.

  The DG Agent supports the 41 DG built-in ACI entities listed on the Manage Classification - Adaptive Inspection Resources page in the DGMC (Policies > Content Patterns > ACI Resources). A zip file used for installing the content inspection engines is included by default in the Agent MSI and EXE files, as well as in the Agent upgrade package. The required files are installed on fresh installs and upgrades of the Agent. Documentation for the KeyView and Eduction engines is provided with the v7.7.0 Agent.

• Improved ACI Thread Pool Size Configuration:

  Starting with DG Agent v7.7.0 and DG Server 8.4, DG has increased the ACI thread pool size configuration defaults to ensure that applications open promptly after an Agent reboot. The updated configuration is as follows: <aciThreadPoolSize>4,6,10,12</aciThreadPoolSize> where:

  • 4 is the thread pool size on a single CPU system

  • 6 is the thread pool size on a two-CPU system

  • 10 is the thread pool size on a four-CPU system

  • 12 is the thread pool size on an eight-CPU system

  For fresh DG Server installations, the default custom configuration resource will have the updated values, so you only need to apply the custom configuration resource to your dynamic groups.

  For DG Server upgrades, you must update the default ACI thread pool size values in your custom configuration resource and then apply the edited custom configuration resource to your dynamic groups. If you do not update the default values, DG Agent 7.7.0 and later might not work properly.

• enableDocPropertiesInMemory Config.xml Setting

  The enableDocPropertiesInMemory config.xml setting was added in DG Agent 7.7.0 to allow more precise control over the DG document properties functionality. DigitalGuardian_Agent_for_Windows_7.7.0_Release_Notes

Fixes

• Application failures occurred after a DG Agent upgrade when Soft Camp DRM third-party security software was also present on the Agent computer. A small code change to alleviate an interoperability timing issue has resolved this case.

• Digital Guardian has made an enhancement to the Agent code to address an issue that was causing the rule engine to trigger when you left-clicked a search bar or text field within Edge Chromium.

• When a new email is created in Microsoft Outlook, and text is copied from a classified file and pasted into the email body, the expected behavior is that a permanent classification tag will be applied, and the email will be detected as being classified. In this case, the permanent tag was lost because the classified file already had permanent classification tags, but there was no longer an active rule associated with those tags. Code changes were applied to resolve this issue.

• A VDI environment experienced reduced performance on VDI boots because the DG Scanner was performing a new scan of files protected by Windows File Protection (WFP) on each new VDI boot and every eight hours thereafter. To improve performance, DG changed the thread priority to "background" when scanning for WFPs and now allows a configuration to control the scanning. The scan mode settings are 0 – Disable scanning, 1 – Always (default for a standard configuration), or 3 – One time (default for a VDI configuration).

• Due to a race condition during initial startup, the DG web inspection proxy (DG WIP) was not able to detect network transfer uploads (NTUs) after an upgrade to DG Agent 7.6.5.0025. This race condition was addressed by moving to a push model subscription for events instead of a pull model subscription.

• When a new email is created in Microsoft Outlook and text is copied from a classified file and pasted into the email body, the expected behavior is that a permanent classification tag will be applied, and the email will be detected as being classified. The permanent tag is no longer applied by means of an active rule. In this case when a rule to block sending the email was triggered, the first attempt to send the email was blocked, but attempts to re-send it succeeded when they should also have been blocked. Code changes were applied to resolve this issue.

• Agent-equipped computers no longer stop communicating with the Server when the artifacts returned by the dg_scan function include a command line in the artifact XML. Command lines are optional return information when scanning computers.

• DG hardened its memory management subsystem to better detect and prevent a certain class of memory allocation problems.

• A customer's in-house application that also accesses the Microsoft Excel Automation API sometimes hung and subsequently triggered an Excel crash when DG document property rules were enabled. DG resolved this issue so that the application functions as expected with document property rules enabled.

• In a customer's control rule intended to block uploading a file to a specific Google Drive folder, the curProcessWindowTitle rule property used in the rule to match against the name of the Google Drive folder where the file was being uploaded was not being set correctly by the Agent if the upload was performed using Firefox. A change to the Agent resolved this issue.

• A customer using a custom domainflags.txt configuration file received DG WIP operational alerts indicating that the DG WIP configuration was bad and that WIP would be running with the default configuration. To respond to this issue, DG made processing of DG WIP configuration files more robust so that those files will be protected from becoming corrupted in case of a system crash.

• Attempting to upgrade from DG Agent 7.6.3 to Agent 7.6.4, 7.6.5 , or 7.6.6 using a DG Distribution Server failed due to a signing issue with the package downloader (DownloaderClient.dll). This issue is resolved in the Agent 7.6.7 release. Use the Agent MSI Installer or the Agent upgrade ZIP package to upgrade from Agents 7.6.3, 7.6.4, or 7.6.5, or 7.6.6 to Agent 7.6.7. After upgrading to Agent 7.6.7, you can resume using a Distribution Server for future Agent upgrades.

• DG now ensures that the DG Agent properly reports events even when using an Agent in role mode when Windows UAC (User Account Control) prompting is enabled and when NTFS permissions require a UAC prompt (for example, when copying files to a USB disk). Note that no Agent roles are provided in the DGMC

• A conflict with the Winsock API hook used by DG caused Censornet security software to fail. This happened because Microsoft changed the function definition of WSPAccept and DG was not aware of the change. DG updated the code in the hook for WSPAccept (WSPAcceptHook) to reflect the revised definition, which resolved the problem.

• On a Windows computer with both the DG Agent and the TrustView third-party application installed, there was a situation in which Microsoft Excel would hang when you used the spreadsheet options panel (accessed by clicking the File tab) to save your spreadsheets, and you attempted to browse or save the spreadsheets to the PC. DG has implemented a fix so that Excel no longer hangs when you attempt to save spreadsheets on an Agent computer that also uses TrustView.

• When DG attempted to connect to a customer's Netapp SMB share to upload a captured file, a handshake error occurred, preventing the file from being uploaded. The connection failed because DG uses ASN.1 encoding and Netapp uses BER encoding. DG made a change to its encoding and can now decode BERencoded messages.

• The EICAR test file is a legitimate DOS program designed to make most antivirus products react to it as if it were a real virus. It does not contain real viral code. The EICAR file is used to determine whether antivirus software is running properly. When a customer created an EICAR test file using a .bat file and used it to test Microsoft Windows Defender on a computer that also had the DG Agent process runnng, Windows Defender did not immediately detect the test file. DG resolved this issue, so now when the Agent is running, Windows Defender immediately detects the EICAR test file.

• (Resolved in AG-36601.) IBM Spectrum Protect (VM in-guest backup software) occasionally caused system crashes when it tried to mount a volume on a VMWare ESXi VM that had a DG Agent installed. Hardening the DG Agent code and disabling low-level file I/O calls on volumes that had not been mounted yet resolved the problem.

• A fatal system error occurred when a user tried to add a file to an existing ZIP file containing classified files, and one of the files in the ZIP container was 0 bytes. Now, when a user tries to add a new file to an existing ZIP container, DG verifies that the stream size of the existing ZIP container is greater than zero before validating its stream contents.

• When a user copied or cut text from an AIP protected .docx source file created in Word 365 and tried to paste it into an unprotected .docx destination file, the customer's user decision prompt rule, which triggers on AdePaste operations, displayed the user decision prompt correctly. When the user canceled the prompt, however, instead of being blocked, the paste operation succeeded, and the Alerts Report and Local Forensic Report showed the AdePaste incorrectly as BLOCKED. This happened because the Word 365 internal clipboard state was not refreshed when the copy operation took place. DG addressed the issue with code changes to refresh the public clipboard when a copy operation occurs, which, in turn, triggers Word 365 to refresh its internal clipboard state

• When you paste some text from a classified file into the message body of a new email created with Microsoft Outlook, and then send the email, the classified policies and tags in the classified file's Alternate Data Stream (ADS) are now propagated and visible in the Send Mail event. When you view the event in the Local Forensic Report, the DGMC now includes a message body file reference that has the expected classified data.

• When writing a rule, the first thing a customer assigned to a rule variable was a property that was not in the event data for the particular event. This caused attempts to assign additional properties to the rule variable to fail. DG now detects the case that causes this issue and initializes the rule variable to contain an empty string, which allows you to assign additional properties to the rule variable successfully.

• Due to a documentation error, a customer expected the first clause of a rule that referenced properties with empty values to be evaluated as true by the rule engine and for the rule engine to continue its evaluation and execute the rule action. Instead, the first clause evaluated as false and the rule engine immediately exited, which is the intended behavior in such cases. The documentation has been corrected accordingly.

• A customer experienced a system failure while closing a file in Microsoft Windows. The close operation caused the failure when it interacted with the Windows file clean-up routine. Code changes were made to resolve this issue

• A customer experienced a system hang when attempting to open a Microsoft Word file that resided on a network share. This was caused by a race condition where more than one DG Agent thread was attempting to process the file. The Agent now detects when a thread is already working on a file and prevents additional threads from attempting to process the file.

• A customer experienced excessively high CPU utilization during the dgagent.exe process startup. The issue was diagnosed, reproduced in-house, and remediated by a code change. This change should not affect the user experience.

• The DG Agent could not detect ADE (application data exchange) paste operations to the Dropbox application or the Move to Dropbox operation in File Explorer, so control rules for Dropbox were not triggered and events were not detected. This was resolved by updating the process flags for Dropbox in the default process flags file (prcsflgs.dat), as shown here: dropbox.exe,NV+NN+CSS+NF

• If Webcast.com/webrtc was accessed using Google Chrome or Microsoft Edge, the microphone and camera tests failed with an error due to an issue with Digital Guardian web inspection proxy (DG WIP). DG added code to the DG Agent to resolve this.

• When the wipThirdPartyProxyExec custom configuration setting was configured to interoperate with thirdparty proxies, such as Cisco AnyConnect, Sophos, and others, DG was generating network transfer upload (NTU) events against the third-party proxy instead of the Firefox browser. This did not occur with Edge Chromium or Chrome. DG now ensures that NTU events are generated against the Firefox browser.

• A customer running both the DG Agent and Sentinel One antivirus software encountered frequent hangs with Microsoft Excel when trying to save files to local or mapped drives. This was resolved with a code change.

• A file operation (such as a SaveAs or Move) on a classified file with permanent policy tags caused a rule to trigger and execute the DG_RemoveFileClassificationTags rule function. Because the number of policy tags did not match the number of policy IDs, the rule function considered the file to be invalid and stopped acting on it, leaving the tags that should have been removed. The DG Agent software has been corrected to determine which tags have valid IDs and act on those. Policy tags without an ID are removed from the file.

• This release has dramatically reduced the amount of DG Agent overhead on starting processes (such as builds), which was noticeable when many short-lived processes launched rapidly. Agent overhead in handling temporary files has also been greatly reduced.

• When you move DG Agents from a customer-managed (on-premises) environment to a DG Managed Security Program (MSP) environment, and in the new environment, if the Agents are configured to connect to the DGComm server through a proxy instead of connecting directly, you can initiate Agent communication to the DGComm server through the proxy either by rebooting your target Agent computers or restarting the DG Service. This functionality works as designed.