Sysmon Changelog

New in Sysmon 15.14 (Feb 14, 2024)

  • This update to Sysmon resolves a service crash on configuration change and a rare system crash.

New in Sysmon 15.11 (Nov 14, 2023)

  • This update to Sysmon resolves a bug resulting in spurious error events.

New in Sysmon 15.1 (Nov 9, 2023)

  • This update to Sysmon improves file hash and delete performance, adds a summary message on events dropped due to high system load, fixes a crash during uninstall, and fixes a system hang.

New in Sysmon 15.0 (Jun 27, 2023)

  • This update to Sysmon, an advanced host security monitoring tool, sets the service to run as a protected process, hardening it against tampering, adds a new event, FileExecutableDetected, for when new executable images are saved to files, and fixes a system hang occurring in certain situations due to an interaction between network and file system events.

New in Sysmon 14.16 (Apr 13, 2023)

  • This Sysmon update fixes a regression on older versions of Windows.

New in Sysmon 14.15 (Apr 11, 2023)

  • This update to Sysmon sets and requires system integrity on ArchiveDirectory (FileDelete and ClipboardChange events). Every existing ArchiveDirectory needs to be deleted first so that Sysmon can create it with the expected integrity and permissions.

New in Sysmon 14.1.4 (Jan 25, 2023)

  • This update to Sysmon, an advanced host monitoring tool, fixes a timeout occurring with FileDelete and FileDeleteDetected events on low-speed media.

New in Sysmon 14.1.2 (Nov 11, 2022)

  • This update to Sysmon fixes a bug related to volumes without file system security.

New in Sysmon 14.1.1 (Oct 26, 2022)

  • This update to Sysmon, an advanced host monitoring tool, fixes a bug preventing FileDeleteDetected events reporting and adds support for ARM64.

New in Sysmon 14.1 (Sep 30, 2022)

  • This update to Sysmon, an advanced host monitoring tool, adds a new event type, FileBlockShredding, that prevents wiping tools such as Sysinternals SDelete from corrupting and deleting files.

New in Sysmon 14.0 (Aug 16, 2022)

  • This major update to Sysmon, an advanced host monitoring tool, adds a new event type, FileBlockExecutable, that prevents processes from creating executable files in specified locations. It also includes several performance improvements and bug fixes.

New in Sysmon 13.33 (Feb 17, 2022)

  • This Sysmon update fixes a crash occurring on Windows Server 2012 and improves memory handling for the service.

New in Sysmon 13.32 (Jan 28, 2022)

  • ZoomIt v5.0: ZoomIt, a screen zoom and annotation tool, now supports Windows 11 and antialiased line drawing. Note that under Windows 11 and Windows Server 2022 some UI elements might not react to mouse clicks when zoomed. The temporary workaround until a future Windows update is to store the ZoomIt executable under the Windows or the Program Files directories.
  • RDCMan v2.90: RDCMan, a tool for managing and connecting to Remote Desktop sessions, receives support for Restricted Admin (/restrictedAdmin from mstsc) and Remote Credential Guard (/remoteGuard from mstsc) and bug fixes.

New in Sysmon 13.31 (Dec 16, 2021)

  • This Sysmon release improves handle management in the service code and restores event ID 16 contents.

New in Sysmon 13.30 (Oct 27, 2021)

  • This Sysmon update adds user fields for events, fixes a series of crash-causing bugs (for example, with the Visual Studio debugger), and improves memory usage and management in the driver.

New in Sysmon 13.24 (Aug 19, 2021)

  • This Sysmon update improves the handling of FileDelete and FileDeleteDetected events, which resolves systems becoming unresponsive under certain conditions.

New in Sysmon 13.23 (Jul 28, 2021)

  • This Sysmon update fixes a bug where rules with long names were incorrectly processed and a rare out-of-memory crash occurring on 32-bit systems.

New in Sysmon 13.22 (Jun 22, 2021)

  • This Sysmon update improves performance for rule processing and fixes a bug that may truncate large sub-rule expressions.

New in Sysmon 13.21 (Jun 1, 2021)

  • This update to Sysmon fixes a rare crash on process startup on x86 systems.

New in Sysmon 13.20 (May 26, 2021)

  • This update to Sysmon, an advanced system security monitor, adds "not begin with" and "not end with" filter conditions and fixes a regression for rule include/exclude logic.

New in Sysmon 13.10 (Apr 22, 2021)

  • This update to Sysmon adds a FileDeleteDetected rule that logs file deletions without archiving the deleted file, deletes the clipboard archive if the event is excluded, and fixes an ImageLoad event bug.

New in Sysmon 13.01 (Jan 13, 2021)

  • This bugfix update to Sysmon resolves a series of config parsing issues.

New in Sysmon 13.00 (Jan 11, 2021)

  • This update to Sysmon adds a process image tampering event that reports when the mapped image of a process doesn’t match the on-disk image file, or the image file is locked for exclusive access. These indicators are triggered by process hollowing and process herpaderping. This release also includes several bug fixes, including fixes for minor memory leaks.

New in Sysmon 12.0 (Sep 18, 2020)

  • In addition to several bug fixes, this major update to Sysmon adds support for capturing clipboard operations to help incident responders retrieve attacker RDP file and command drops, including originating remote machine IP addresses.

New in Sysmon 11.11 (Jul 15, 2020)

  • This update to Sysmon fixes a bug that prevented USB media from being ejected, an issue that could stop network event logging and a resulting memory leak, and logs file delete events for delete-on-close files.

New in Sysmon 11.0 (Apr 29, 2020)

  • This major update to Sysmon includes file delete monitoring and archiving to help responders capture attacker tools, adds an option to disable reverse DNS lookup, replaces empty fields with '-' to work around a WEF bug, fixes an issue that caused some ProcessAccess events to drop, and no longer hashes main data streams that are marked as being stored in the cloud.

New in Sysmon 10.41 (Oct 2, 2019)

  • Resolves a config parsing issue with 10.4.

New in Sysmon 10.4 (Oct 2, 2019)

  • This major update to Sysmon, a security event monitoring service, adds nested rule support to rule groups and “contains any” and “contains all” rule conditions for more flexible filtering, as well as several bug fixes.

New in Sysmon 10.1 (Jun 16, 2019)

  • This update to Sysmon fixes a memory leak in image load events that v10.0 introduced.

New in Sysmon 10.0 (Jun 12, 2019)

  • This release of Sysmon adds DNS query logging, reports OriginalFileName in process create and load image events, adds ImageName to named pipe events, logs pico process creates and terminates, and fixes several bugs.

New in Sysmon 8.02 (Dec 10, 2018)

  • This Sysmon release fixes several filtering bugs, resolves a handle leak and high CPU usage for certain filters when on Windows 7 and Windows Server 2008, and fixes a bug that could cause the service process to crash.

New in Sysmon 8.00 (Jul 6, 2018)

  • This update to Sysmon adds rule tagging, which results in tags appearing in event log entries they generate. It also greatly expands the command-line length logged, fixes a GUID printing bug for parent process GUIDs, and prints friendly registry path names for rename operations.

New in Sysmon 7.03 (May 14, 2018)

  • This update to Sysmon fixes a service executable crash that could result from long file names, and no longer hashes files larger than 2GB, avoiding performance issues caused by the large alternate data streams that SQL Server places on database files.

New in Sysmon 7.02 (Apr 30, 2018)

  • Fixes memory leaks in its thread and process tracking callbacks.

New in Sysmon 7.01 (Jan 6, 2018)

  • This release fixes a bug in v7.01 that could cause the sysmon config change event to be corrupt, as well as one that prevented registry keys from being reported with abbreviated root key names (e.g. HKLM).

New in Sysmon 7.00 (Jan 3, 2018)

  • Sysmon v7.0 now logs file version information, and the option to dump the configuration schema can now also dump an older schema or all historical schemas.

New in Sysmon 6.10 (Sep 13, 2017)

  • This update to Sysmon, a background monitor that records activity to the event log for use in security incident detection and forensics, adds monitoring of WMI filters and consumers, an autostart mechanism commonly used by malware, and fixes a bug in image load filtering.

New in Sysmon 6.03 (Jun 19, 2017)

  • This release of Sysmon fixes a bug that prevented imageload include filters from working in some configurations.

New in Sysmon 4.12 (Aug 29, 2016)

  • This release of Sysmon, an advanced background monitor that records process-related activity to the event log for use in intrusion detection and forensics, introduces more powerful filtering capabilities, now reports the status of CRL checking, and fixes a bug where certain configuration files could cause the driver to blue screen.

New in Sysmon 4.0 (Apr 28, 2016)

  • This release of Sysmon, an advanced background monitor that records process-related activity to the event log for use in intrusion detection and forensics, introduces more powerful filtering capabilities, allowing both include and exclude rules to be specified for specific event types, as well as complex matching on different event fields.
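As an added example (not the Sysinternals page's or the Sysmon project's own configuration), one config fragment that brings together the filtering features the entries above introduce: include/exclude rules with field matching (4.0), rule names that surface as tags (8.00), nested rules with "contains any"/"contains all" (10.4), DnsQuery filtering (10.0), FileDeleteDetected (13.10), "not begin with" (13.20), and FileBlockExecutable (14.0). The schemaversion, the scanner path and the internal DNS zone are assumptions; dump the schema your binary expects with `sysmon -s` before loading the file with `sysmon -c`.

```xml
<!-- Added example, not the Sysmon project's own config. schemaversion is an assumption: check `sysmon -s`. -->
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>

    <!-- Include rules: for these event types only events matching a rule are logged. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <!-- Nested rule (10.4): both fields must match. The rule name surfaces as the RuleName tag (8.00). -->
        <Rule name="office_spawns_script_host" groupRelation="and">
          <ParentImage condition="contains any">winword.exe;excel.exe;powerpnt.exe</ParentImage>
          <Image condition="contains any">powershell.exe;wscript.exe;cscript.exe;mshta.exe</Image>
        </Rule>
        <!-- "contains all" (10.4): every semicolon-separated token must appear in the field. -->
        <CommandLine name="encoded_hidden_powershell" condition="contains all">-enc;-w hidden</CommandLine>
      </ProcessCreate>

      <!-- FileDeleteDetected (13.10) logs the deletion without archiving the file.
           "not begin with" (13.20): deletions performed by any process outside System32. -->
      <FileDeleteDetected onmatch="include">
        <Image name="delete_outside_system32" condition="not begin with">C:\Windows\System32\</Image>
      </FileDeleteDetected>

      <!-- FileBlockExecutable (14.0) prevents the write and logs it; here for a world-writable directory. -->
      <FileBlockExecutable onmatch="include">
        <TargetFilename name="exe_dropped_in_public" condition="begin with">C:\Users\Public\</TargetFilename>
      </FileBlockExecutable>
    </RuleGroup>

    <!-- Exclude rules take precedence over includes: trim known-noisy events. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <!-- Placeholder path for a scanner that spawns many short-lived helpers. -->
        <Image condition="is">C:\Program Files\ExampleAV\scanner.exe</Image>
      </ProcessCreate>
      <DnsQuery onmatch="exclude">
        <!-- DnsQuery (10.0): drop lookups for the internal zone (placeholder name). -->
        <QueryName condition="end with">.corp.example</QueryName>
      </DnsQuery>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Events carrying a RuleName can then be routed or alerted on by tag in the SIEM, and the exclude group is where noise tuning goes so that the include rules stay readable.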

New in Sysmon 3.21 (Feb 3, 2016)

  • This update fixes a paged pool leak of token objects when image logging is enabled.

New in Sysmon 3.20 (Jan 6, 2016)

  • This release of Sysmon, a background service that logs security-relevant process and network activity to the Windows event log, now has the option of logging raw disk and volume accesses, operations commonly performed by malicious toolkits to read information by bypassing higher-level security features.

New in Sysmon 3.0 (Apr 21, 2015)

  • This release of Sysmon, an advanced background monitor that records process-related activity to the event log for use in intrusion detection and forensics, adds the process name to process terminate events, reports remote thread creation events, and improves the simplicity and flexibility of filter settings.

New in Sysmon 2.0 (Jan 20, 2015)

  • This major update to Sysmon, a service that records process activity to the Windows event log for use by incident detection and forensic analysis, includes driver load and image load events with signature information, configurable hashing algorithm reporting, flexible filters for including and excluding events, and support for supplying configuration via a configuration file instead of the command line.

New in Sysmon 1.01 (Aug 20, 2014)

  • This release fixes the manifest registration so that Sysmon event logs can be interpreted without installing Sysmon, and now reports unique UDP connections within 15-minute intervals.