CylanceGATEWAY release notes

What's new in the management console

Feature
Description
Date added
Change to network anomaly detection of users' traffic patterns
CylanceGATEWAY has deprecated support for behavioral risk detections based on unusual user behavior such as upload volume and download volume that is not consistent with past behavior.
January 2024
DGA detection
CylanceGATEWAY now proactively detects domains that have been created using a Domain Generation Algorithm (DGA) when users attempt to access the domain. Identified DGA events are labelled as Zero Day Detection and categorized as a Dynamic Risk and subcategorized as DGA. The anomaly detection threat events are sent to the Alerts view, the Events page, and the SIEM solution or syslog server, if configured. This feature provides a continued evolution of CylanceGATEWAY network protection capabilities.
November 2023
Safe Mode enhancements
CylanceGATEWAY now extends Machine Learning-based network protection to Safe Mode. In addition to applying the tenant's ACL rules, the Network Protection settings applied to Safe Mode have, therefore, expanded from Destination Reputation to include the following types:
  • DNS Tunneling
  • Zero Day
This feature provides additional protection to endpoints against newly emerging network threats and malicious destinations based on the network protection settings that you specify.
November 2023
Control the network traffic detections that are sent to the Alerts view
On the Network Protection settings screen, you can now specify which of the following detections you want to enable and display in the Alerts view:
  • Signature detections: Blocked and allowed events
  • Destination reputation: Blocked and allowed events based on the minimum risk level that you set
  • DNS tunneling: Based on the minimum risk level that you set
  • Zero Day: Based on the minimum risk level that you set
Blocked and allowed ACL events are not shared to the Alerts view. This feature introduces a more granular control over the events that are shared to the Alerts view.
For more information, see Configure network protection settings in the Cylance Endpoint Security Setup content.
November 2023
Evaluate the risk level of a network destination
You can use the management console to evaluate the risk level and identify the category and subcategory of a network destination, as analyzed and determined by the CylanceGATEWAY cloud services. This feature provides you with insight into how CylanceGATEWAY would classify and assign a risk level to a destination. For example, when you configure your access control list (ACL) rules and network protection settings to allow or block destinations and you want to know how a specific destination might be categorized, you can now safely determine the category and risk level that CylanceGATEWAY has assigned to the destination.
For more information, see Evaluate the risk level of a network destination page in the Cylance Endpoint Security Setup content.
November 2023
Domain classification enhancements
CylanceGATEWAY uses Machine Learning that applies categorization to previously uncategorized English destinations. This feature has been expanded to now classify previously uncategorized French, German, Italian, and Spanish-language web destinations (for example, General Interest – Business or Security Risk).
For more information, see Destination content categories page in the Cylance Endpoint Security Setup content.
November 2023
Event Details page enhancements
  • DNS request and response: If the Events page displays a DNS event, the Events Details page will display the DNS request and all the response details for the event. This feature allows you to view the entire path that is associated with a DNS query. DNS requests and responses are sent to the Alerts view and the SIEM solution or syslog server, if configured.
  • Safe Mode telemetry enhancements: The Events Details page now displays additional metadata: process ID (PID) and process name (Pathname) to help administrators and SOC analysts in their threat hunting and post-incident review. The PID and pathname are sent to the Alerts view and the SIEM solution or syslog server, if configured.
For more information, see Viewing the Event Details in the Cylance Endpoint Security Administration content.
November 2023
Support for multiple private network configurations
You can now configure CylanceGATEWAY to allow access to resources on more than one private network (for example, segments, data centers, and VPCs) both in on-premises and cloud environments. You can view the CylanceGATEWAY Connectors that are associated with each specified Connector Group. This feature allows you to deploy multiple CylanceGATEWAY Connectors from one Cylance Endpoint Security tenant and provides an aggregated view of the connectors for each private network.
This feature is enabled by default on new tenants. Existing tenants can be upgraded to support multiple private network configurations. You must contact BlackBerry Technical Support if you want to enable this feature.
UI updates
  • The left “Network Routing” navigation menu has been renamed to “Connector Groups”.
  • The “Health Check” and “Source IP restriction” configuration screens have been moved to “Connector Groups”.
  • In the "Gateway Connectors" navigation menu, the “Tunnel”, “DNS”, and “HTTP” columns have been combined into the “Health Check Status” column. You can click the Health Check Status column to view additional connector information (for example, whether a tunnel is established and the DNS server IP address).
July 2023
Improved control of network traffic settings
The updated Network Protections settings introduce more granular control over the detection and protection mode of features of CylanceGATEWAY, the respective details that you want to have reported and displayed in the Network Events screen, and the level of details shared to your integrated SIEM solution or syslog server, if configured.
  • The current "Network Protection" settings have moved to the Protect tab. The Network protection action “Enable intrusion protection” has been renamed to “Enable Signature detection”.
  • The new Report tab allows you to specify the details that will appear in the Network Events page as detections or normal traffic.
  • The new Share tab allows you to specify the details that are sent to the SIEM solution or syslog server, if configured. By default, blocked detections are always sent. Optionally, you can choose to also send allowed detections.
For more information, see Configuring network protection in the Cylance Endpoint Security Setup content.
July 2023
Enhancements
On the CylanceGATEWAY Events page,
  • New category: Previously the "Security Risk" category was applied as both a content category for destinations that were deemed non-malicious (for example, destinations that teach about malware), as well as an anomaly category for destinations that are considered malicious (for example, destinations that distribute malware). Now when CylanceGATEWAY detects an IP reputation, the IP reputation will be categorized as one of the following:
    • Dynamic Risk: This new category is applied to destinations that are identified to contain potentially malicious threats by using a combination of ML models and IP Reputation database which continuously changes to add or remove destination entries.
    • Security Risk: This category is now applied only as a content category to non-malicious destinations.
  • New BlackBerry source IP address filter capability: You can now filter events based on the CylanceGATEWAY tunnel IP address. The "BlackBerry source IP" identifies the tunnel IP address users used to access external destinations. This feature provides administrators with added visibility in the tunnel that was used when an event has occurred.
July 2023
Enable Split DNS
In the Gateway Service policy, you can now enable Split DNS after Split tunneling is enabled. For more information on split DNS tunneling, see "Split tunneling enhancements" below.
June 2023
HTTP content logging
In the ACL rules, you can now specify whether network events should include unencrypted, plain-text HTTP connection data. When enabled, a summary of the request and response details of an event is displayed in the Events Details page. The Events Details page displays the first three HTTP events of the total events. You have the option to view all the events and the details that are associated with each one. This feature allows unencrypted HTTP network traffic to be reviewed and analyzed more deeply while further enabling threat hunting.
June 2023
Safe Mode DNS protection support on Windows
In the Gateway Service policy, you can configure users to use Safe Mode.
This feature extends the tenant’s ACL rules and endpoint protection for devices when Work Mode is not enabled, ensuring that devices are always protected. With Safe Mode, CylanceGATEWAY blocks users from accessing potentially malicious destinations and enforces acceptable use policy (AUP) by intercepting DNS requests. The CylanceGATEWAY Cloud services evaluate each DNS query against the configured ACL rules and network protection settings, and then instruct the agent to allow or block the request in real time. If allowed, the network DNS query is allowed to complete over the bearer network. Otherwise, the CylanceGATEWAY agent overrides the normal response and prevents access.
When enabled, Safe Mode automatically takes effect when Work Mode is disabled. Enabling Safe Mode does not prevent users from enabling or disabling Work Mode, if the users' policy allows such operations. Safe Mode events appear in the CylanceGATEWAY Events screen and are sent to the SIEM solution or syslog server, if configured.
This feature is not supported in environments that use secure DNS with DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) protocols. DNS queries sent using DoT or DoH cannot be viewed by CylanceGATEWAY.
This feature is supported on CylanceGATEWAY agent for Windows version 2.8 or later.
For more information, see the Gateway Service policy parameters in the Cylance Endpoint Security Setup content.
June 2023
OS-specific ACL support
In the ACL rules, you can create rules and specify the OS that a device must match for the ACL rule to apply. This feature allows you to unify the ACL rules. For example, you have content-sensitive resources that you only want desktop devices (macOS and Windows) to access. In this scenario, your ACL rule would specify the desktop devices which are allowed access to the resource.
For more information, see the ACL parameters in the Cylance Endpoint Security Setup content.
June 2023
Split tunneling enhancements
Now when you enable split tunneling, split DNS queries allow lookups for the domains that are listed in the Private Network > DNS > Forward Lookup Zone configuration to be performed through the tunnel where network access controls are applied. All other DNS lookups are performed using your local DNS server.
Android and 64-bit Chromebook devices do not support split DNS queries and the DNS lookups are performed through the tunnel.
This feature allows you to further ensure user traffic privacy and geographical locality of the DNS queries, enhancing the Split Routing feature of Gateway. Split DNS is disabled by default. If you enabled Safe Mode, DNS traffic that does not use the Gateway tunnel is protected by Safe Mode.
For more information, see the Gateway Service policy parameters in the Cylance Endpoint Security Setup content.
June 2023
Enhancements
On the CylanceGATEWAY Events page,
  • UI Update: The “Platform” column has been renamed to “OS”.
On the Events Details page,
  • UI Update: The “Platform” column has been renamed to “OS”.
June 2023

CylanceGATEWAY component versions

  • CylanceGATEWAY Connector version 2.9.0.895
  • CylanceGATEWAY agent for Windows version 2.9.0.7
  • CylanceGATEWAY agent for macOS version 2.9.14
To download the agent, go to the BlackBerry Website and scroll down to the Download CylanceGATEWAY section.

What's new in CylanceGATEWAY Connector

Feature
Description
Release date and version
Support for future in-place upgrade of the CylanceGATEWAY Connector
You can perform future in-place upgrades of your CylanceGATEWAY Connector and your configurations will be retained. This feature is supported on CylanceGATEWAY Connector version 2.9 or later. This feature provides enhanced user experience in reducing the time required to upgrade the connector.
The DEB file for the in-place upgrade will be available for download from myAccount with the next release of the CylanceGATEWAY Connector that is currently scheduled to be released in early 2024.
For more information, see Update a CylanceGATEWAY Connector in the Cylance Endpoint Security Setup content.
November 2023
2.9.0.895
Verify the CylanceGATEWAY Connector connectivity
Administrators can use a command line tool to initiate a connectivity test to verify the connection between the CylanceGATEWAY Connector and BlackBerry Infrastructure when the connector is enrolled, but its tunnel is not connected to the BlackBerry Infrastructure. This feature verifies whether the UDP packets sent from your private network have reached the BlackBerry Infrastructure and the UDP packets sent from the BlackBerry Infrastructure have been received by your private network.
For more information, see Update a CylanceGATEWAY Connector in the Cylance Endpoint Security Setup content.
November 2023
2.9.0.895
General updates
The June release rebrands the "blackberry-gateway-connector" Debian package to "cylance-gateway-connector" installation files. This updated version is required to enable enhanced features in future releases.
June 2023
2.8.0.848
Enhancements
The CylanceGATEWAY Connector now provides additional information on TCP and UDP flows that flow through the tunnel to the private network (for example, the Private NAT Source IP and Private NAT Source Port) after the Network Address Translation (NAT) is applied. When events traverse the private network, the Private NAT Source IP and Private NAT Source Port are displayed on the Events Details page for each event. If the Private NAT Source IP and Private NAT Source Port events are not available or the feature is not enabled, the Events Details page displays "Unknown". Events that are identified as potentially malicious or blocked based on your network protection settings are sent to the SIEM solution or syslog server, if configured. Health check and DNS events are not sent to the SIEM solution or syslog server.
For more information, see the Viewing the Event Details page in the Cylance Endpoint Security Administration content.
June 2023
2.8.0.848

What's new in CylanceGATEWAY agent for macOS

Feature
Description
Release date and version
Activation enhancements
You can now include the custom domain when the installation process of the CylanceGATEWAY agent is controlled by enterprise device management tools, requiring users to only enter their username and password to activate the agent. This feature provides enhanced user experience by allowing the agent to be activated with minimal user interaction.
For more information, see Installing the CylanceGATEWAY agent in the Cylance Endpoint Security Setup content.
November 2023
2.9.14
Bug fixes
Bug fixes that are described in the CylanceGATEWAY fixed issues section.
August 2023
2.8.14

What's new in CylanceGATEWAY agent for Windows

Feature
Description
Release date and version
Activation enhancements
You can now include the custom domain when the installation process of the CylanceGATEWAY agent is controlled by enterprise device management tools, requiring users to only enter their username and password to activate the agent. This feature provides enhanced user experience by allowing the agent to be activated with minimal user interaction.
For more information, see Installing the CylanceGATEWAY agent in the Cylance Endpoint Security Setup content.
November 2023
2.9.0.7
Enhancements to “Automatically start CylanceGATEWAY when user signs in” and “Enable Work Mode Automatically” and Safe Mode policy settings
In the Gateway Service policy, when you configure the CylanceGATEWAY agent to automatically start and enable Work Mode or enable Safe Mode, the agent is minimized in the system tray when it launches. This feature does not prevent users from opening the agent and enabling or disabling Work Mode after the agent starts, or from closing the agent.
November 2023
2.9.0.7