v6
A list of features and releases for version 6 and prior.
We released v7.00.000 of our solution in July 2023. If you haven't already updated and are running an older version you can review release details for previous versions on this page.
We recommend you upgrade your deployment to the latest version to receive the latest features, improvements, and bug fixes. Please note you'll need to upgrade to the latest current version you're on before you can upgrade to the next major version.
If you need to find the release notes for v7 you can click here.
June 2023 - Console: v6.06.000, Agent: v6.06.000
In this release:
System Tagging for Resources
The System Tags feature allows you to apply your own custom tags to the resources deployed by Cloud Storage Security within your AWS environment. By applying descriptive tags to your resources, you gain the ability to categorize, search, and filter based on specific criteria.
API Scanning with ClamAV
API Scanning now supports both the ClamAV and Sophos scanning engines. When you create your API agent you'll be able to select the scanning engine you want to use. Both engines support the following functions:
API/Token
API/Scan
API/Scan/Upload
API/Scan/Existing
API/Scan/URL
Prefixes support for On Demand Scanning
You can now set prefixes for your buckets when performing a retro-based on demand scan.
Data scanned column added to Results page table
The results table located under Monitoring > Results now shows the amount of data scanned for each date across each type of breakdown.
Problem Files Page Improvements
Pagination is now available on the Problem Files page
You can now export data shown on the Problem Files page to a CSV for external analysis
Various Bug Fixes
Additional bug fixes and improvements for both Antivirus and Data Classification.
v6.06.000 CloudFormation Template
May 2023 - Console: NA, Agent: v6.05.006
In this release:
Various Bug Fixes:
Scan Queue improvement if crawling is still running
Agent environment improvements
May 2023 - Console: NA, Agent: v6.05.005
In this release:
Various Bug Fixes:
Ensuring files that cannot fit on disk are properly deleted
Agent Linked Account Role Assumption Error Handling Improvements
May 2023 - Console: v6.05.004, Agent: NA
In this release:
Various Bug Fixes:
Fix for bucket protection failing after console reboot
April 2023 - Console: 6.05.003, Agent: 6.05.002
In this release:
Various Bug Fixes:
Linked Account improvements
AWS Marketplace metering
April 2023 - Console: 6.05.002, Agent: NA
In this release:
Various Bug Fixes:
Fix API Agent security group deployment issue - when upgrading an existing API Endpoint the agent security group was modified to have no inbound rules (introduced in 6.05.001) - this release fixes that
v6.05.002 CloudFormation Template
April 2023 - Console: 6.05.001, Agent: 6.05.001
For those that have a larger ProblemFiles table in DynamoDB you may notice that this update will take longer than regular. Please DO NOT restart the console or disrupt the update as that may cause damage to your deployment.
In this release:
Specify your own Security Groups at deployment
We have had a number of requests to leverage existing Security Groups rather than having the solution create its own
You can now specify Security Groups when deploying from the CloudFormation Template
New Console User Role:
Read-only
You can now create console users that have read-only permissions throughout the console
These users will not be able to make any changes to any functioning aspect of the deployment
They will be able to download reporting information from: Results, Usage and Problem Files reporting
API Endpoint UI Enhancement
You can now easily specify separate sets of Subnets for the Load Balancer and the Scanning Agent independently
Event-based Scanning for Data Classification is now available
Long-awaited request delivered. On top of schedule based data classification, real-time event-based classification is publicly released
Simply click the shield to turn on event driven, rules-based classification of files
Pair AV and data classification scanning together off of the same event driven scanning
Create a 3 bucket system where you AV scan first, chain classification onto the clean files and after that only promote clean, non-sensitive files to production for consumption
Archive Handling Enhancements
No longer run into archive file issues where the archive uncompresses to larger than the available disk
True archive file size evaluated before scanning takes place - if true size is found to be too big it can trigger the Large File Scanning process or simply tag the file as
unscannable-too large
This is applicable to zip, 7zip and gz files as this time - reach out to us if more file types need to be supported sooner
Improved scanning performance with the Sophos engine
On average 3x faster than previous throughput
Updated SSL certificate for console when using default DNS
The current SSL certificate for the console will expire in June 2023. We suggest upgrading your console to avoid any expired SSL certificate errors.
v6.05.001 CloudFormation Template
March 2023 - Console: 6.04.007, Agent: 6.04.008
In this release:
Improved directions for setting up WorkDocs connections
Handling inability to connect to AWS Marketplace when looking for license
Fixed IDP support for Cognito in GovCloud
Fixed issue where included monthly GB is not properly provisioned
Handle Sophos error code
0070 disk full
For zip and 7z files when 0070 is found the scanner will either mark the file a
unscannable - too large
or send the file off for Large File Scanning (if enabled)
Improved logging on scanning Agent shutdown
v6.04.007 CloudFormation Template
March 2023 - Console: NA, Agent: 6.04.006
In this release:
Critical to update your scanning agent - Started March 2, 2023
Please upgrade your scanning agent to avoid scanning down time. If you are on Scanning Agent v6.04.000 or newer, you must upgrade your agent to avoid scanning down time.
If you think you have had a lapse of scanning, you can easily go back and scan data from the missing time frame with an On-demand Scan. It is easy to configure for a specific time frame and only scan the files that haven't already been scanned.
Various Bug Fixes
Addressed an update bug where the Sophos scan engine would crash after the signature update halting scanning.
March 2023 - Console: 6.04.006, Agent: 6.04.005
In this release:
Various Bug Fixes
ResultKind (sub scan result) added to the API response
Fixed a scheduled scanning bug caused by an out of band process deleting a bucket and the schedule not being updated accordingly causing the scheduled scan to error
Storage Assessment - new deployments will not automatically create disabled inventory configs on every bucket
Storage Assessment - defaulted to off for new installs and upgrades (will remain on if already on)
Fixed a strange/rare billing bug
v6.04.006 CloudFormation Template
February 2023 - Console NA, Agent: 6.04.004
In this release:
Upgrade your scanning agent.
A patch for the ClamAV scanning engine to address the following vulnerability - CVE-2023-20032. You can learn more about the upgrade on ClamAV's blog.
If you are using ClamAV we recommend you perform an upgrade of the agent immediately.
February 2023 - Console v6.04.005, Agent: NA
In this release:
License Mode Switcher
You now have the ability to change from BYOL <--> PAYG mode
For those times you started with one billing model and wanted to switch to the other without re-deploying the solution and losing the history
You must subscribe to the corresponding AWS Marketplace listing so the entitlement check passes appropriately. If you were on BYOL and want to switch to PAYG, you must subscribe to the PAYG listing.
Various Bug Fixes
Multi-region bucket crawling in Schedules
Storage Assessment fix for Linked Accounts
v6.04.005 CloudFormation Template
January 2023 - Console v6.04.004, Agent: NA
In this release:
CloudTrail Lake Integration released
With the newly launched PutAuditEvents API for AWS CloudTrail Lake, CSS has created a simple integration for you to capture user activity and events from the CSS console. In just a few steps, you can consolidate CSS activity logs together with AWS activity logs in CloudTrail Lake without having to build or manage the event data pipeline.
Check out the Integrations page for more details
Various Bug Fixes
v6.04.004 CloudFormation Template
January 2023 - Console: v6.04.003, Agent: v6.04.003
In this release:
Patch build to correct found vulnerabilities
Management Console moved to CentOS Stream 9
Various Bug Fixes
v6.04.003
v6.04.003 CloudFormation Template
January 2023 - Console: v6.04.002, Agent: v6.04.002
In this release:
EC2 Tagging
The EC2 instances that run for Large File Scanning can now be tagged
Tags are manually defined (at this time) by running a Stack update and filling in the EC2 Tags field
Export Problem Files report
Problem Files reporting can now be exported from the Problem Files page within the Console
Various Bug Fixes
read-only root file system fixes
crawling improvements
API scaling thresholds - reduced thresholds from 1000 to 200
v6.04.002 CloudFormation Template
January 2023 - Agent: v6.04.001
In this release:
Upgrade your Scanning Agents
Agent-only release
Fixed Storage Assessment data gathering bug where it would crawl and perform S3 Get calls more often than it should causing an increase in logging and potentially higher AWS costs
December 2022 - Console: v6.04.001, Agent: v6.04.000
In this release:
Must Upgrade Linked Account Role Please upgrade to the latest Linked Account Role. If you are prior to version 1.11.000, then you will have to upgrade each linked account's role manually (sorry). Going forward you will be able to update through the console.
Storage Assessment
The new Storage Assessment feature is the start of additional functionality we are adding to give you better intelligence around your data
This new functionality helps you answer the questions: what do I have? where is it located? what are my data trends? what coverage for scanning and encryption do I have for my storage?
Additional Costs - This feature is automatically turned on when you upgrade to this release through the standard console upgrade process. You can disable this feature at upgrade by manually updating the stack and turning the drop down selection to False
.
This feature will start by crawling all of your data to give you an initial overview to all of the files you have stored in Amazon S3. After that initial crawl, Storage Assessment will leverage S3 Inventory to continue to assess the data. Both the crawl and S3 Inventory have minimal charges associated with them.
Percent Scanned
requires the checking of S3 Tags to determine if the scan-result tags exist on the objects. GetObjectTagging
calls will be made against every inventoried S3 bucket
read-only root file system fix
Made it so the Fargate container root file systems are read-only
Various Bug Fixes
Improved unusual character handling in object key values - specifically those files that happen to have
//
in the key itself
v6.04.000 and v6.04.001 CloudFormation Template v6.04.001 CFT v6.04.000 CFT
November 2022 - Console: v6.03.000, Agent: v6.03.000
In this release:
EventBridge integration to solve event conflicts on buckets
There are 3 conflicts that can occur in respect to Amazon S3 bucket notifications: lambda, queue, and topics. Lambda and SQS created a scenario where the scanning engine and the existing workflow could not share events.
The EventBridge integration will allow existing Lambdas and Queues and AVforS3 to each receive the
All Object Create
event and perform the work needed.A new attribute, 'useEventBridge`, has been added to the Bucket-->Protect API call to allow you to specify whether or not to use EventBridge with a given bucket.
Setting This Up
The UI will allow you to simply protect a conflicted bucket as you do any other bucket, but in this release you must activate protection through the Management API. This is a very simple process by using the Swagger documentation we have attached to the AVforS3 Console (https://consoleURL/swagger)
Object Key added to the Scan Result filterable attributes
With the Key added to the Message Attributes, you can now filter the message by path or entire file name for advanced filtering
This is a great set of AWS doc pages that show the power of how message filtering can work: Amazon SNS subscription filter policies
Various bug fixes and improvements
Job crawling improvements - crawling in parallel and scanning is kicked off immediately as opposed to when crawling completed
Fixe public IP override for task definitions
Improve S3 registration with SNS Topic
Jobs status cleanup
Dashboard custom date selection fix
Deregister all task definitions upon service termination
Cleanup Notifications
AppConfig resources now created and cleaned up by the CFT
Permissions updates
October 2022 - Console: v6.02.005, Agent: v6.02.005
In this release:
Various bug fixes and improvements
Multiple proxy deployment related adjustments and fixes
September 2022 - Console: v6.02.002, Agent: v6.02.003
In this release:
Scanning Agents check updates over proxy
Private Mirror was required when deployed in
proxy mode
With this release the scanning agents can check for signature updates over the proxy
!!! note Ensure you have the proxy open to allow for the ClamAV traffic
Better handling for encrypted files
With this release we will identify more encrypted file types and mark them as
unscannable - encrypted
rather than letting them pass throughSophos Engine Only - ClamAV will still pass most of these through as
clean
!!! note SafeGuard encrypted file (self-extracting) Microsoft Office 2007 Encrypted Package (password protected) Microsoft Excel 2007 onwards [encrypted] Microsoft PowerPoint 2007 onwards [encrypted] Microsoft Word 2007 onwards [encrypted] Open Packaging Convention file format (OPC) [encrypted] Open Document Format for Office Applications [encrypted] PK ZIP archive [encrypted] SafeGuard encrypted file ACE archive [encrypted] Kremlin encrypted file xBase Database File (DBF) [encrypted] PGP encrypted file (binary) OpenPGP/GPG encrypted file AxCrypt Encrypted File SecurityBox encrypted file PGP encrypted message (ASCII-Armored)
Various bug fixes and improvements
Addressed inconsistency with establishing the S3 Client for us-east-1
September 2022 - Console: v6.02.000, Agent: v6.02.000
In this release:
Help enforce best practices throughout your Amazon S3 buckets:
Block Public Access - allows you to turn off the
public access
settingsReconcile Encryption - allows you to determine whether the objects in your bucket are encrypted or not and remediate by specifying an encryption key if so desired. Otherwise it will simply output the list of files that are not encrypted
Enable Logging - turn on logging for select Amazon S3 buckets
Deployment Improvements
One of the most secure ways to deploy any solution is to air-gap it as much as you can. Restrict the access in and even the access out. We fully support this option with the use of VPC Endpoints, a Proxy Server (of your choice) to limit the outbound and the ability to Private Mirror the signature updates
This update fully makes this a reality with a documented approach on how to do it
Admin API Additions
Added more functionality to simplify solution management: deployment, tear down, protection, etc
Type
/swagger
to the end of your deployment base URL for all the details on the available APIs
Object Tagging for Errors
Added details to objects there were unscannable due to error
Various bug fixes and improvements
June 2022 - Console: v6.01.000, Agent: v6.01.000
In this release:
Amazon WorkDocs Scanning
We're happy to announce
event-based scanning
for Amazon WorkDocsFollowing our simple-to-protect philosophy, you will easily be able to enable protection and quarantining of files stored and managed within Amazon WorkDocs
More details to come, look under
Configuration-->WorkDocs Connections
to configure within your Console
Various bug fixes and improvements
Fix race condition on v6 upgrade with entitlement
Fix uploadedBy required in the scan API
Fix API data tracking in dashboard and reports
June 2022 - Console: v6.00.001, Agent: v6.00.002
In this release:
SSL Certificate Update
Console and API Agent updates to support updated built-in SSL certificate
May 2022 - Console: v6.00.000, Agent: v6.00.001
In this release:
API bug fix introduced in v6.00.000
Agent-only release
May 2022 - Console: v6.00.000, Agent: v6.00.000
In this release:
Data Classification for Amazon S3
The initial release of our new
sensitive data discovery
functionalityData Classification for Amazon S3 is a cloud-based in-tenant solution that leverages the power of Sophos to identify sensitive data at petabyte scale across all S3 buckets. Knowing what sensitive data exists and where it exists enables you to proactively manage data privacy and protection as well as compliance with frameworks such as SOC 2, PCI DSS, and HIPAA.
Identifies hundreds of sensitive data types across a variety of file types and 11 regional localizations; looks at bucket configurations
Pinpoint Personally Identifiable Information (PII), financial data, health care information, government ID numbers and more, as well as where it resides, at scale
DC for Amazon S3 can be run stand-alone or in tandem with AV for Amazon S3
Free Trial - give it a go for 30 days! Trial extensions available when needed.
Various bug fixes and improvements
Last updated