Telemetry and debug additions for tracking WAF and RASP rule behavior

Support for terminating a new variant of in memory PHP malware

Better management support for cloud initiated scans

Cleaned up an edge case where delta scans were starting up too early

Improved memory management during bursts of activity from protect (our zend extension)

Reducing redundant processing from our auditD integration

Introduced more robust settings management for WAF / RASP functionality

Introduction of new cloud <> agent file handoff

Further iteration of communication path between the agent and zend extension

Iterative reduction in memory pressure - reducing the number of redundant routines

Bug fixed in the communication between the auditD extension and the monarx-agent

Cleaned up the telemetry collected from our zend extension to track it's performance more reliably

Bug fixed where we'd keep a file handle open for longer than needed

Resolved an issue with communicating to AWS could fail intermittently

Bug fixed when communicating traffic tracking capabilities back to our backend services (introduced in our prior build)

Hardening around our agents heartbeat communication - we were getting some null values that should never be null...

Implementing improved traffic tracking capabilities to enable termination of anomalous requests down the road via the monarx-protect zend/php extension

Further improvement of retry logic when an encountering network issues during file upload.

Fixed a bug introduced in 4.2.4 causing memory usage to grow in some cases.

Improved logging telemetry (large messages were being truncated, which isn't helpful)

Improved retry logic when encountering network issues interacting with our backend services

Tidy up error handling when repeated uploads of file content for analysis fails

Communication structure for enabling WAF rules to be communicated to both monarx-agent and the monarx-protect zend extension

Additional context captured when monitoring php in-memory malware

Improved communication between monarx-agent and monarx-protect

Memory footprint optimization quick wins

Reduced noise coming from a prior blindspot mitigation

Improved UDS connection between the monarx-agent process and monarx-protect zend extension.

Improvements to how the agent handles newly added user_base values following initial configuration.

Improvements to the recently introduced WAF rules and interactions between our monarxprotect zend extension and our agent

Further reduction of unnecessary communication with our cloud endpoints

New method of communication between the agent and protect (zend / php extension)

Reduction of unnecessary communication with our cloud endpoints

New pattern for managing WAF rules

Changes to how we update locally stored filters to allow for faster time-to-remediation

First pass of Ubuntu 24 support (Noble Numbat)

Updating a few references to our backend API's (boring maintenance work, really)

Ability to selectively enable / disable out use of file attributes

Resolved a bug in communication between the agent and zend extension

Implemented a lightweight reconciliation mechanism to enable faster detection of deleted files

Resolved a number or routines that could potentially block

Fixed a bug where local filters were slow to update and general performance improvement

Reduced cycling of agent registration events when critical configuration updates were encountered

Removed unnecessary reads for file metadata slightly reducing IO pressure

Fixed an issue when processing regex where it includes path separator characters

Hardening in the agent when initial authentication errors occur (I.E. make the failure more clear)

More telemetry capturing from the zend extension for tracking malicious activity

Improvements to reduce remediation blindspots

Additional telemetry for tracking unlinked files / php processes via the monarx-protect zend extension

Improved handling of inbound traffic from the monarx-protect zend extension to maintain lower CPU utilization

Further tuning of malicious cron entry remediation

Moving more persistent files out of /var/cache/ (reducing re-registrations of agents)

Improved error visibility when an agent fails to register (i.e. invalid monarx-agent.conf entries)

Further tuning of agent support for coming zend extension release with additional attack vector telemetry and remediation capability

Initial implementation of malicious cron entry remediation

Further tuning in the new time-to-remediation mechanism introduced in 4.1.372

Agent support for coming zend extension release with additional attack vector telemetry and remediation capability

Tuning to our AuditD event ingest to improve performance and reduce our time-to-detection.

Further improvements to memory usage

General maintenance and dependency updates

Hardening around failed (or extremely long running) system calls in problematic environments

Bug fix causing memory to grow - we'll now flush things more aggressively (introduced in 4.1.380 with the malicious process termination changes)

Bugs cleaned up from previously implemented mechanism to speed up time to remediation

Initial release of new mechanism improve time to remediation for malicious process'

Optimizations to our quarantine directory cleanup process, when configured

Further tuning of the mechanism to increase time to remediation speed

Reduction of file cache impact in our higher volume scan paths

Initial release of new mechanism to improve time to remediation speed
​

Optimization of our global quarantine directory cleanup, when defined

Introduction of more accurate method of maintaining the count of users scanned

First pass of Ubuntu 23 Support (Lunar Lobster)

Various bug fixes involving agent configuration

Package maintenance / updates

Updates to our site cleanup tooling

Changes to our logging mechanism to reduce verbosity where it isn't needed (monarx-agent.log was running away in some instances)

Reduced traffic between monarx-agent and our zend/php extension

Removing prior changes to our global exclusions

Debian 12 / Bookworm support

Bug fix causing a race condition in our global exclusions

Bug fix closing an open file handle on a rotated log file

Reduction in redundant reporting of malicious process activity

Improvements to our error handling and reporting

Refining our user count collection for billing metrics

Optimization around agent / cloud communication

Bug fix in out configuration parsing logic to better handle empty keys

Further refinement of local agent filtering logic

Started signing our RPM packages with GPG keys (it's about time)

Bug fix causing partial file uploads following a file deposited via php engine

Introducing support for Debian 11 (install details here)

Bug fix in adaptive throttling logic in heavily resource constrained environments

General maintenance (i.e. dependency / package update)

Bug fix in adaptive throttling improvements introduced in 4.1.301

Improved handling of persistent malware

Adaptive throttling improvements (faster reaction to system load)

Optimizations in agent scan to reduce CPU pressure

Introduces adaptive scan throttling based on system load

Minor optimization reducing bytes read during delta scans

Pruning of unneeded health check listeners (fewer useless CPU cycles)

Improvements on handling unexpected moanrx-agent process killing more gracefully

Updated handling of local agent settings

Better handled edge cases in file cleaning workkflows / file replacement

Optimized filtering functionality introduced in the prior build for more granular control.

Further enhancement to our process monitoring features introduced in the prior release (beginning to sound like a broken record)

Introducing additional filtering for to reduce noise / faster remediation turnaround.

Further enhancement to our process monitoring features introduced in the prior release.

Initial support for Debian 10 (Buster)

Improved process profiling enabling future performance enhancement

Reduced overhead of our debug info reporting (i.e. not pulling up unnecessary junk)

Enhancements to our process monitoring functionality for in-memory malware

Initial support for AlmaLinux 9 / Rocky Linux 9

Improved handling of error conditions encountered when authenticating with our cloud services

Improved handling of unexpected scan base / user base configuration

Reduction in unnecessarily noisy scan status updates being reported (less work for the agent and our cloud 🎉)

More graceful flushing of buffers during agent shutdown / restart

Expanded visibility into malicious process monitoring functions, shipping additional telemetry to our cloud for analysis

RPM install changes to install scripts enabling monarx-agent to survive server reboot

Improvements in handling horizontally scaled containerized environments

Optimizations for auditd environments, reducing redundant reporting to our agent

Performance improvements to our file collator mechanism

General housekeeping / dependency updates

Initial implementation of iptables support

Enhanced integrity checks reducing the amount un unnecessary sha256 calculations

Agent scan optimization for environments supporting extended attributes, reducing unnecessary trips to disk

Auditd file discovery events to include backtrace info when available from the monarx-protect extension

Reducing unnecessarily verbose backtrace messages to 1st, 2nd, last items only

Fixed a bug where processing file state would trigger and unhandled error

Fixed a bug causing the agent to exit without grace following a service stop request

Fixed a bug causing the agent to respond with success:false when everything worked just fine.

Agent support for improved php process monitoring (collecting data from our protect extension to help inform remediation)

General maintenance of our cloud <> agent authentication

Resolved a bug causing files to remain "Active" in our UI, despite no longer being on disk.

Improved handling of cross-volume file operations

Additional scan throttling control for environments with limited disk IO and a variety of tuning to reduce disk pressure

Various bug fixes for environments supporting extended attributes

Remediation capability for short lived / frequently regenerating files

File cleaning optimization - resolved an edge case causing repeat clean requests being sent to our agent

Bug fix for scanning in environments without extended attribute support (better error handling, really)

Scan improvements to better handle agent restarts

Improved visibility into long running php process'

Resolved a bug causing failed heartbeat messages (causing agents to report as offline)

Delta scan optimizations when evaluating if a file has changed since we last saw it

Reduce open file handles during debug message creation

Closed a number of blindspots in scans when running in lesser-resourced env's

Only save quarantined files locally when a quarantine.global or quarantine.user value is set in configuration

Run systemd daemon reload on deb package installation

Performance improvements in environments running auditd

Improved error handling when unable to communicate with the protect module

Optimized agent message batching (less latency on our cloud understanding things)

Bug fix effecting WHM and Cpanel plugin authentication

Optimized file read / write for environments supporting extended attributes

Initial implementation of auditd event consumption, reducing the frequency of delta scans where configured.

Optimizations in the cloud command consumption, increasing remediation speed.

Reduced impact on disk utilization with further tuning of fadvise use.
​

Revised error handling / log message copy when encountering failed agent authorization

Resolved agent panic due to global maps

Optimized the use of regex scan bases in quarantine mode

Improved error handling in a number of edge cases resulting in agent restarts

Optimized activation count efficiency

Scan optimizations including:

Optimized fast moving cache file scanning processes

Closed gaps with unhandled error cases in the communication with our protect php extension

Handling scanning of problematic binary files with magic byte mismatch

Prevent scheduled scans from interfering with already running cloud initiated scans

Introduced additional safeguards preventing a manually initiated scan from interfering with a running delta scan.

Streamlined resource handling along all 3 axis: ram, disk and the network.

Removed an instance of unnecessary heap utilization which was causing garbage collection to kick off more than it should

Improved support for the cpanel plugin integration

Optimization for environments with mixed extended attribute support

Removed edge case allowing for duplicate concurrent scans causing disk IO pressure

systemd launch agent as a nice'd process

Detect and flush memory/resources of completed tasks

Improved statistic visibility in agent heartbeats

Updates to rpm / deb install scripts to remove unused OOM policies and PID files

Altered deposit upload workflow to reduce traffic leaving the agent

Additional visibility into scan start and end

Prevent ability to run multiple agent processes on a single instance, causing high load

Resolved bug causing causing the agent to cycle during high deposit or activation activity

Additional safeguards to file replace workflow

Resolved bug causing intermittent failure to report malicious file activations

Resolved bug causing debug reports to fail

Resolved bug causing intermittent failure to report malicious file activations

Resolved but causing debug reports to fail

Additional handling of potential panics and more verbose logging visibility

Tuning of our ingest filter for magic byte / file type mis-match

Resolved intermittent issue with sparse data being returned from the monarx-protect php module

Handle file paths with non-utf8 characters

Additional visibility into signals sent to the agent

Revisions to Cent + Cloudlinux RPM install scripts

Updated our ingest filter for .jpg / .jpeg file extensions with non-matching content.

Include monarx-sample-upload script in the monarx-agent package, written to /usr/bin. Usage here.

Tightened our file deposit filter to exclude events that were in no way deposits

Better handling of non-utf8 characters found in paths and file names

Resolved udp connection health check failure causing agents to shut down when they shouldn't

Resolved issue resulting in sparse file attributes being written on deposits

Removing oom configuration from Centos 6 variants... for good this time

Increased visibility into quarantine error cases

Resolved edge case resulting in no file owners being reported

Excluded deposits that weren't actually deposits, causing useless load / noise

Removing oom configuration from Centos 6 variants... for good this time

Initial agent support for per user remediation

Removal of "watchist" for maintaining local file state

Multiple bug fixes / streamlining (really, deleted a bunch of code)

Removing oom configuration from Centos 6 install scripts

Additional visibility into edge case quarantine error failures.

Removing any remaining possibility of enabling experimental mail function tracking.

Stricter enforcement of sha validation during quarantine restore

Resolved bug with file and directory permissions in per-user quarantine directory configurations

Resolved intermittent connection bug on CentOS6 and Cloudlinux 6

Protocol update in preparation for watchlist depreciation

Resolved bug causing too many open file handles with "suspicious" files

Resolved bug causing the agent to get stuck on certain files during a scan

Agent changes in support of protect version 4.2.56

Bug fix for intermittent cloud/agent communication errors on ubuntu variants

Agent support for spam filtering enablement

Including file owner context (currently missing in some cases)

Increased agent logging statements for local state synchronization

Resolved leaking file handle on file downloads

Revised our interaction with curl (surfaced form increased visibility with last build)

Increased error context on http errors forwarded to our cloud

Implemented a mechanism to flush agent queue directories at agent startup

Hardening to out agent communication protocol, resolving intermittent reconnection issues

Hardening out interactions with curl and increasing error visibility

Resolved bug causing deposits to be intermittently dropped due to a data integrity issue

Resolved bug causing file uploads to fail intermittently due to too many file handles open

File remediation hardening - capturing additional additional context in error cases so we can resolve accordingly

Improved identification and handling of frequently mutating files

Fixed a bug causing "unique" agent fingerprints to be... not unique

Agent support to manage additional function tracking coming from the protect module, including metrics around php mailer.