CylanceOPTICS release notes

With CylanceOPTICS version 3.0 and later, the CylanceOPTICS agent sends the device data that it collects to a centralized cloud architecture to be stored in a secure cloud database instead of storing the data locally on the device. This new architecture makes CylanceOPTICS cloud-enabled.
To manage this significant change for customers, BlackBerry is using the following approach to manage releases of the 3.x agent:
  • For customers who have already contacted BlackBerry and have been granted the entitlement for CylanceOPTICS 3.x, the latest 3.x version of the agent is available in the management console.
  • For customers who have CylanceOPTICS agent 2.x and do not have the entitlement for CylanceOPTICS 3.x, contact your BlackBerry Sales representative (or use the Contact Sales form) to request the latest 3.x agent and the entitlement for 3.x.
Agent version 2.5.x is still supported, but new features will require the latest 3.x agent. For more information about CylanceOPTICS agent 2.5.x, see the 2.5.x Administration Guide and Release Notes.

What's new in CylanceOPTICS (October 2022)

Feature
Description
CylanceOPTICS agent versions
  • Windows: 3.2.1140.0
  • macOS: 3.2.1140.5000
  • Linux RHEL/CentOS 8: 3.2.1140-23000
  • Linux RHEL/CentOS 7: 3.2.1140-7000
  • Amazon Linux 2: 3.2.1140-15000
  • Linux SLES15: 3.2.1140-29000
  • Linux SLES12: 3.2.1140-21000
  • Ubuntu 20.04: 3.2.1140-25000
  • Ubuntu 18.04: 3.2.1140-17000
  • Oracle Linux Server 8 / UEK 8: 3.2.1140-37000
For more information about supported operating systems, see the Cylance Endpoint Security compatibility matrix.
Customized partial lockdown
CylanceOPTICS version 3.1 introduced the partial lockdown feature for Windows devices. This release introduces the ability to create custom partial lockdown configurations that allow you to specify additional communication channels that you want to allow during a partial lockdown.
For more information, see Lock a device in the Cylance Endpoint Security Administration content.
Additional CylanceOPTICS administrator permissions
The July 2022 update of CylanceOPTICS introduced new administrator permissions that you could assign to roles to control how administrators engage with CylanceOPTICS. This release introduces additional CylanceOPTICS permission groups and sub-permissions, offering a greater level of access control and customization.
If you previously granted an administrator role a CylanceOPTICS permission that was introduced in the July 2022 update, that role will be granted any associated sub-permissions that are introduced in this update. It is a best practice to review the CylanceOPTICS permissions that are introduced in this update so that you can make any adjustments that are appropriate for your organization's environment.
For more information, see Permissions for administrator roles in the Cylance Endpoint Security Setup content.
Syslog messages for the API sensor
The late October update of the CylanceOPTICS cloud services will add a new event type that can be reported to SIEM solutions and syslog servers, OpticsCaeApiEvent. This event type is used for events that are detected by the CylanceOPTICS agent’s optional API sensor. For more information about the API sensor, see CylanceOPTICS sensors in the Cylance Endpoint Security Setup content.
For more information about this new event type, see the Cylance Syslog Guide.
New audit log values for device lockdown syslog messages
The mid-October update of the CylanceOPTICS cloud services adds new event name values to audit log messages that can be reported to SIEM solutions and syslog servers. The new Event Name fields are associated with the lockdown feature:
  • DeviceUnlock
  • DeviceChangeLockdownProfile
For more information about audit log events, see the Cylance Syslog Guide.

What's new in CylanceOPTICS (July 2022)

Feature
Description
New CylanceOPTICS administrator permissions
This update of the management console introduces new administrator permissions that you can configure and assign to administrator roles (Settings > Administrators > Roles), offering more granular access and management options for CylanceOPTICS features. The Threat Protection > View, create, edit, delete CylanceOPTICS permission has been removed and replaced with a new Endpoint Detection Response section and new options under Users and Devices > View devices.
If you previously created custom roles with the Threat Protection > View, create, edit, delete CylanceOPTICS permission enabled, those custom roles will have the new CylanceOPTICS permissions enabled when this update is applied to your environment.
For more information, see Permissions for administrator roles in the Cylance Endpoint Security Setup content.
Navigation changes in the Cylance console
Changes have been made to the CylanceOPTICS menu navigation to make the experience consistent with other sections of the console and to make the CylanceOPTICS screens easier to access.
Enhancements to CylanceOPTICS syslog messages
The early August update of the CylanceOPTICS cloud services adds new fields to the CylanceOPTICS event types that can be reported to SIEM and syslog servers. The new fields are compatible with CylanceOPTICS agent 2.5.3000/3010 and agent 3.0 and later. For more information about the new fields, including example messages for each event type, see the Cylance Syslog Guide.
New fields added to every CylanceOPTICS event type (process, file, registry, WMI, network, PowerShell, DNS, memory, log):
  • Event Timestamp
  • Event Received Timestamp
  • Device Last Reported Users
  • Zone Ids
  • Detection Rule Id
  • Instigating Process Command Line
  • Instigating Process File Path
New fields added to process events:
  • Target Process Command Line
  • Target Process File Path
New fields added to network events:
  • Source IP
  • Source Port
Note that some fields will include command line values that can include commas and colons. BlackBerry recommends that you review and test the parsing of these values by your SIEM or syslog server.
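The following is an added example, not code from BlackBerry or the Cylance Syslog Guide, of why command line values with commas and colons need a parsing test. It assumes messages are laid out as comma-separated `Field Name: value` pairs and that `Event Type` and `Event Name` are field names; the sample message is constructed, so check the real layout in the Cylance Syslog Guide.

```python
import re

# Field names come from the release notes above. "Event Type", "Event Name"
# and the "Name: value, Name: value" layout are assumptions for this example.
KNOWN_FIELDS = [
    "Event Type", "Event Name", "Event Timestamp", "Event Received Timestamp",
    "Device Last Reported Users", "Zone Ids", "Detection Rule Id",
    "Instigating Process Command Line", "Instigating Process File Path",
    "Target Process Command Line", "Target Process File Path",
    "Source IP", "Source Port",
]

# A delimiter is only ", <known field name>: " (or a known name at the start).
_NAMES = "|".join(re.escape(f) for f in sorted(KNOWN_FIELDS, key=len, reverse=True))
_FIELD_START = re.compile(r"(?:^|, )(" + _NAMES + r"): ")


def naive_parse(message):
    """Split on every ', ' and the first ': ' of each piece."""
    out = {}
    for part in message.split(", "):
        key, _, value = part.partition(": ")
        out[key] = value
    return out


def anchored_parse(message):
    """Split only where a known field name starts; the rest is value text."""
    marks = list(_FIELD_START.finditer(message))
    fields = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(message)
        fields[m.group(1)] = message[m.end():end]
    return fields


# Constructed sample message, not real product output.
SAMPLE = (
    "Event Type: ExampleProcessEvent, Event Name: Constructed Example, "
    "Detection Rule Id: 00000000-0000-0000-0000-000000000000, "
    "Instigating Process Command Line: cmd.exe /c echo a, b: c, "
    "Target Process File Path: C:\\Windows\\System32\\cmd.exe"
)

if __name__ == "__main__":
    print(naive_parse(SAMPLE)["Instigating Process Command Line"])
    print(anchored_parse(SAMPLE)["Instigating Process Command Line"])
```

A value that itself contains `, ` followed by a known field name and `: ` stays ambiguous in a flat text layout, so test the parser with representative command lines from your own environment.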

Considerations when upgrading from CylanceOPTICS 2.5.x to 3.x

  • For configuration requirements for macOS Big Sur (11.x) or Monterey (12.x), see the setup instructions in the Cylance Endpoint Security Setup Guide.
  • If you do not set up a complete MDM profile for the CylanceOPTICS network extension on devices with macOS Big Sur (11.x) or later, data collection might not occur as expected. Verify that you satisfy the configuration requirements for MDM managed devices in the Cylance Endpoint Security Setup Guide.
  • BlackBerry recommends installing the latest available version of the CylancePROTECT agent. For more information, see the CylanceOPTICS requirements.
  • On macOS devices, after you upgrade the CylanceOPTICS agent you need to restart the device.
  • On macOS Catalina, Mojave, and High Sierra devices with the SelfProtection level set to LocalSystem, if you upgrade from CylanceOPTICS agent version 2.5.x to 3.x, the upgrade might not complete successfully. (EDR-7705)
    Workaround: Change the self protection level to LocalAdmin, then update the CylanceOPTICS agent.
  • If you upgrade the CylanceOPTICS agent on a CentOS/RHEL 8.0 or 8.1 device, you must restart the device after the upgrade is complete. (EDR-6750)
  • Upgrading the CylanceOPTICS agent on Linux from version 2.x to a newer version fails if Security-Enhanced Linux (SELinux) is enabled on the device. (EDR-6264)
    Workaround: Disable SELinux on the device before you upgrade the CylanceOPTICS agent and enable it again after the upgrade is complete.
  • When upgrading the CylanceOPTICS agent on Windows, to avoid an issue with the CylanceOPTICS shutdown time taking longer than usual, disable the TDT sensor in the device policy and enable it again after the upgrade is complete. This issue does not occur if you upgrade from CylanceOPTICS agent version 2.5.3010 or from CylanceOPTICS agent 3.0 to a later version. (EDR-6058)