**UPDATE 09JUN2021**
**UPDATE 22FEB2021**
**END UPDATE**
** - New Capabilities; these do not exist in 4.x
Planned - These features are in development and coming soon (PM would tase me if I unilaterally announce some non-GA feature before it's actually GA, so coming soon is the best I can do for these ones...)
Future - These features are in the backlog and need to be evaluated for development in upcoming cycles/product releases (**EDIT 23FEB2021** -- PM has tased me for this verbiage, so removing it **END EDIT**)
The original table also carries Insights / Advanced license-tier columns and Operating Systems Support columns (Windows, MacOS, Linux); those marks are not reproduced here, only the feature, comments and release columns.

| Feature | Comments | 11.x release | 4.x |
|---|---|---|---|
| Basic scans | Inventory | 11.3 | 4.x |
| Tracking scans | Continuous file, network, process and thread monitors; registry monitor (Windows only) | 11.3 | 4.x |
| Anomaly detection | Inline hooks, kernel hooks, suspicious threads, registry discrepancies | 11.3 | 4.x |
| Windows Log Collection | Collect Windows Event Logs | 11.3** | |
| Threat Detection Content | Detection rules / reports | 11.3 | |
| Risk score | Based on Threat Content Pack | 11.3 | 4.x |
| File Reputation Service | File intel (third-party lookup) | 11.3 | 4.x |
| Live Connect | Community intel | 11.3 | 4.x |
| Automatic File Download | Analysis of downloaded file | 11.3 | 4.x |
| Analyze module | Analysis of downloaded file | 11.3 | 4.x |
| Blocking | Block an executable | 11.3 | 4.x |
| Agent Protection | Driver registry protection / user-mode kill protection | 11.3** | |
| PowerShell, command-line (input) | Report user interactions within a console session | 11.3** | |
| Process Visualization | Unique identifier (VPID) for a process that identifies the entire process event chain | 11.3** | |
| Agent Scan Snapshots | Agents maintain a history of unique, separate snapshots for all scans (manual and scheduled) | 11.3** | |
| Agent Management via Group Policy | Manage configuration and settings for groups of endpoint agents by specifying policies | 11.3** | |
| Endpoint APIs | A set of REST APIs for hosts and files; additional APIs are available in later 11.x releases | 11.3.2, 11.4, 11.5, 11.6 | 4.x |
| Remote Access Relay (RAR) Server | Maintain contact with and control of off-network agents through the RAR server | 11.4 | 4.x |
| Host Isolation / Containment | Control the spread of an attack by isolating the host from the network; while isolated, all events are still reported to the Endpoint Server | 11.4 | 4.x |
| Automatic File Download | Automatically download new modules when first seen | 11.4 | 4.x |
| MFT Download (C drive only) | Download the Master File Table for analysis | 11.4 | 4.x |
| MFT Viewer | View downloaded MFTs, with potential time stomping highlighted | 11.4 | 4.x |
| System Memory Dump | Download entire host memory for analysis | 11.4 | 4.x |
| Process Memory Dump | Download the memory of a specific process for analysis | 11.4 | 4.x |
| Flat File Log Collection | Collect Windows flat-file logs | 11.4** | |
| Extended Linux OS Support | Extended Linux agent support for additional operating systems (Ubuntu 16.04+ LTS; SUSE 12 SP5+) | 11.5** | |
| Manual File Download | Download _any_ file(s) present on the host by full file path/filename | 11.5 | 4.x |
| Wildcard File Download | Download _any_ file(s) present on the host using wildcards (*) in the file path and/or filename | 11.5 | 4.x |
| Agent History | View the history of commands issued to and processed by agents | 11.5 | 4.x |
| Throttle Network Bandwidth for Log Collection | Limit agent network bandwidth when collecting/sending Windows and flat-file logs | 11.5** | |
| Enhanced Network Visibility (ENV) | Network events enriched with endpoint data such as source host and process, username, risk score, and other host details | 11.5** | |
| Throttle CPU for Manual Scans | Analysts use the CPU Maximum slider to set a CPU percentage that the agent will not exceed | 11.5.1** | |
| Extended Windows OS Support | Extended agent support for Windows Server and Windows 10 20H2 (32- and 64-bit) | 11.5.2 | 4.x |
| Agent Proxy Support | Windows agents can communicate with the Endpoint Server through a proxy when no direct connection is available | 11.5.3 | 4.x |
| Extended Mac OS Support | Extended agent support for macOS Big Sur (version 11) | 11.5.3** | |
| MFT Download (all drives) | Download and view the MFT for all drives | 11.6 | 4.x |
| Upgrade/Uninstall agent via UI | Upgrade and/or uninstall agents from the NetWitness UI | 11.6 | 4.x |
| Yara Scans | Perform YARA scans on automatically downloaded files/modules | 11.6 | 4.x |
| Create and Group by Custom Tags | Create tags for _any_ specific agent(s) and use those tags in Endpoint Groups/Policies | 11.6** | |
| Save multiple local copies of downloaded files at once | Analysts can download and save multiple files from the UI at once | 11.6** | |
| Forward Windows/File logs to custom IP:PORT | Administrators can collect Windows and file logs on non-VLC systems by forwarding them to a custom destination | 11.6** | |
| Full Disk Scans | Analyst can request a full scan of the disk | 11.7.1 | 4.x |
| Opswat Metascan Integration | Simultaneous analysis of files with multiple anti-malware engines | 11.6.1 | 4.x |
| Standalone Scans | Analyst can scan systems on an air-gapped network and upload the scans back to the NetWitness server | 11.7.1 | 4.x |
| Yara scan on endpoint agent | Analyst can trigger a YARA scan on selected endpoint agents | 12.1** | |
| Send Alerts to External Syslog Server | | | 4.x |
| Machine Categorization (i.e.: Gold Image) | | | 4.x |
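The Process Visualization row says a VPID uniquely identifies a process's whole event chain, but the page does not say how that identifier is built. The added example below (my own code, not NetWitness's, and not how the product derives its VPID) shows the problem it solves: Windows reuses PIDs, so an ancestry lookup keyed on PID alone attaches a child to whichever process currently holds the parent PID. Keying on PID plus start time, and resolving a parent as the latest process with that PID that started no later than the child, gives the correct chain. The telemetry is constructed for the example.

```python
"""Process-chain reconstruction under PID reuse: PID alone cannot key a process chain."""
from collections import namedtuple

# Constructed process-start telemetry (not real endpoint data): ts is the process start
# time in epoch seconds, ppid the parent's PID as reported at start.
Event = namedtuple("Event", "ts pid ppid image")

EVENTS = [
    Event(1000, 4, 0, "System"),
    Event(1001, 612, 4, "services.exe"),
    Event(1002, 900, 4, "explorer.exe"),
    Event(1003, 4412, 900, "winword.exe"),
    Event(1004, 5120, 4412, "cmd.exe"),          # spawned by winword.exe (PID 4412)
    Event(1010, 4412, 612, "svchost.exe"),       # winword.exe exited; PID 4412 reused
    Event(1011, 6000, 4412, "powershell.exe"),   # spawned by the *new* 4412 (svchost.exe)
]


def vpid(event):
    """Stable per-process key: PID plus start time (assumed construction, not the product's)."""
    return f"{event.pid}:{event.ts}"


def resolve_parent(events, child):
    """Parent = most recent process with pid == child.ppid that started no later than the child."""
    candidates = [e for e in events if e.pid == child.ppid and e.ts <= child.ts]
    return max(candidates, key=lambda e: e.ts) if candidates else None


def chain(events, child):
    """Ancestry resolved with VPID-style keys, youngest first."""
    out = [child.image]
    seen = {vpid(child)}
    parent = resolve_parent(events, child)
    while parent is not None and vpid(parent) not in seen:
        out.append(parent.image)
        seen.add(vpid(parent))
        parent = resolve_parent(events, parent)
    return out


def chain_by_pid_only(events, child):
    """Naive ancestry keyed on PID alone: a reused PID overwrites the earlier process."""
    by_pid = {}
    for e in events:
        by_pid[e.pid] = e
    out = [child.image]
    seen = {child.pid}
    parent = by_pid.get(child.ppid)
    while parent is not None and parent.pid not in seen:
        out.append(parent.image)
        seen.add(parent.pid)
        parent = by_pid.get(parent.ppid)
    return out


if __name__ == "__main__":
    cmd = EVENTS[4]
    print("pid-only:", " <- ".join(chain_by_pid_only(EVENTS, cmd)))
    print("vpid    :", " <- ".join(chain(EVENTS, cmd)))
```

Run as a script, the PID-only chain attributes cmd.exe to svchost.exe, because svchost.exe is the process holding PID 4412 at query time; the time-aware chain correctly returns winword.exe, which is the ancestry an analyst needs to see for an Office-spawned shell.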
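The MFT Viewer row says the viewer highlights potential time stomping. The added example below is my own code, not the product's viewer logic: it parses one raw NTFS FILE record (applying the update-sequence fixups a real $MFT dump needs), pulls the timestamps from $STANDARD_INFORMATION and $FILE_NAME, and applies the two standard forensic heuristics. User-mode SetFileTime() rewrites only $STANDARD_INFORMATION, while the kernel sets $FILE_NAME on create and rename, so an $SI timestamp earlier than its $FN counterpart, or an $SI timestamp with a zeroed 100 ns sub-second part, is suspect. The two records are constructed in the script (a clean file and a stomped one); the record layout is standard NTFS, the heuristics and all function names are mine.

```python
"""Parse a raw NTFS $MFT FILE record and flag $STANDARD_INFORMATION / $FILE_NAME timestamp anomalies."""
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
RECORD = 1024
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF   # attribute type codes / end-of-attributes marker


def make_filetime(dt, sub_second_ticks=0):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; dt is a whole-second aware datetime."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000 + sub_second_ticks


def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def apply_fixups(raw):
    """Undo the update sequence: the last word of each sector holds the USN, originals live in the USA."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if rec[end:end + 2] != usn:
            raise ValueError("update sequence mismatch (torn write or not a FILE record)")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(raw):
    """Return the four $SI timestamps, the four $FN timestamps and the name from one FILE record."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    off = struct.unpack_from("<H", rec, 0x14)[0]            # offset of the first attribute
    out = {"si": None, "fn": None, "name": None}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        if rec[off + 8] == 0:                                # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == SI:
                out["si"] = struct.unpack_from("<4Q", body, 0)   # created, modified, MFT modified, accessed
            elif atype == FN and out["fn"] is None:              # first $FN; a file may also carry an 8.3 one
                out["fn"] = struct.unpack_from("<4Q", body, 8)
                out["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return out


def timestomp_indicators(parsed):
    """Heuristics a viewer would highlight (generic forensics, not the product's own rules)."""
    si, fn = parsed["si"], parsed["fn"]
    if si is None or fn is None:
        return ["missing $STANDARD_INFORMATION or $FILE_NAME"]
    flags = []
    for i, label in ((0, "created"), (1, "modified")):
        if si[i] < fn[i]:                                    # $SI moved backwards behind kernel-set $FN
            flags.append(f"$SI {label} earlier than $FN {label}")
    for i, label in ((0, "created"), (1, "modified")):
        if si[i] % 10_000_000 == 0:                          # whole-second value: typical of stomping tools
            flags.append(f"$SI {label} has zero sub-second component")
    return flags


def scan(raw):
    parsed = parse_record(raw)
    return parsed["name"], timestomp_indicators(parsed)


# --- Constructed sample records (not real $MFT data) ------------------------------------
def _resident_attr(atype, body, attr_id):
    clen = len(body)
    body += b"\x00" * (-clen % 8)                            # attribute length is 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(body), 0, 0, 0x18, 0, attr_id, clen, 0x18, 0, 0)
    return hdr + body


def build_record(name, si_times, fn_times, usn=b"\x07\x00"):
    si_body = struct.pack("<4Q", *si_times) + b"\x00" * 16
    fn_body = struct.pack("<Q4QQQIIBB", 5, *fn_times, 0, 0, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    body = _resident_attr(SI, si_body, 0) + _resident_attr(FN, fn_body, 1) + struct.pack("<II", END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), RECORD, 0, 2, 0, 42)
    rec = bytearray(hdr + b"\x00" * 8 + body)                # 6-byte USA at 0x30, padded to 0x38
    rec += b"\x00" * (RECORD - len(rec))
    rec[0x30:0x32] = usn
    for i in (1, 2):                                         # stash each sector-end word, stamp the USN over it
        end = i * SECTOR - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


_T_CREATE = make_filetime(datetime(2021, 3, 1, 10, 15, 30, tzinfo=timezone.utc), 1234567)
_T_WRITE = make_filetime(datetime(2021, 3, 1, 10, 15, 31, tzinfo=timezone.utc), 8765432)
_T_STOMP = make_filetime(datetime(2009, 7, 14, 2, 0, 0, tzinfo=timezone.utc))   # whole second, pre-dates $FN

CLEAN_RECORD = build_record("report.docx", (_T_CREATE, _T_WRITE, _T_WRITE, _T_WRITE), (_T_CREATE,) * 4)
STOMPED_RECORD = build_record("update.exe", (_T_STOMP, _T_STOMP, _T_WRITE, _T_STOMP), (_T_CREATE,) * 4)

if __name__ == "__main__":
    for raw in (CLEAN_RECORD, STOMPED_RECORD):
        name, flags = scan(raw)
        p = parse_record(raw)
        print(name, filetime_to_dt(p["si"][0]), filetime_to_dt(p["fn"][0]), flags or "ok")
```

Both heuristics have benign explanations an analyst must rule out: files restored from backup or extracted by some archivers carry $SI times set by user-mode calls, and volumes migrated from FAT carry whole-second timestamps. The value of the viewer is in surfacing the candidates, not in a verdict.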