Latest (v8)
We will cover a running list of new features and releases with the latest always placed at the top.
Last updated
We will cover a running list of new features and releases with the latest always placed at the top.
Last updated
**IMPORTANT**
Please upgrade your Linked Account Roles to v1.14.001 or later BEFORE upgrading your console/agent to v8.
If you do not upgrade your Linked Account Roles then you could experience problems when using EventBridge. to learn more about Linked Account Updates.
Please also note, you'll also need to upgrade your console/agent to the you're currently on before you can upgrade to the next major version.
For example, if you are on v6, you'll need to upgrade to the latest version of v6, then upgrade to the latest of v7, then finally upgrade to v8.
If you are deployed using public subnets then you are most likely using our cloudstoragesecapp.com subdomain to connect to your Management Console. The SSL Certificate associated with that domain name was renewed as of v8.07.002. Please upgrade to the latest console version to avoid any SSL browser errors.
In this release:
Patch to update AWS Marketplace listings. There is no need to update to this version as there are no infrastructure changes.
In this release:
Updated our SSL Certificate. Be sure to update to this version to avoid SSL browser errors!
Various Improvements and Bug Fixes
Fixed a bug where the Proxy option in the CFT caused issues with deployment
Migrated certain logs to Trace level to avoid excessive logging
Modify the LOG_LEVEL environment variable to 'Trace' in the Console's task definition to access these logs
In this release:
Various Improvements and Bug Fixes
UI improvements on the Schedules page
Fixed a bug where completed jobs were incorrectly being marked as being in an invalid status
Fixed a bug where 'Suspicious' findings by the Sophos engine didn't surface in the Findings page when multiple engines were being used
Fixed a bug where users could access certain API actions outside of their group assignment
In this release:
Updated Console Navigation
We've updated the Console's navigation page to make it more intuitive.
Updated Protection UI
Protection columns have now been moved to the left-hand side.
API Agent Hardening
API Agent has been hardened to prevent against server-side request forgery (SSRF) attacks
API Agent has been hardened to prevent against path traversal attacks
Improved Reporting Times
Improving reporting time for the following sections to make it more real-time
Malware Found Last Week dashboard
Total Number of Infected Files dashboard
Findings page
Engine Rename
ClamAV has been renamed CSS Secure in the Console
Various Improvements and Bug Fixes
Fixed a bug where Azure Blobs were failing to update in the Console
Fixed a bug where the Findings page occasionally failed to load
GCP Retro Scanning Fixes
UI fixes for the EFS Protection page
In this release:
Various Improvements and Bug Fixes
Fixed a bug impacting GCP on-demand scanning
Fixed a bug impacting the API Scanning Agent's ability to process certain URLs
In this release:
Quarantine Error and Unscannable Files
We now offer the option to quarantine Error and / or Unscannable files
Set it in the Configuration > Scan Settings page
AWS FIPS Endpoint Setting
CSS can now use FIPS endpoints for its calls to AWS services. Enable this feature in the CloudFormation template.
Available in both commercial cloud and GovCloud
Works in U.S. Regions only
No FIPS for the following API calls:
S3 ListBuckets
Marketplace MeterUsage
Application Auto Scaling (unavailable in commercial cloud, ASG FIPS endpoints are available in GovCloud)
Storage Protection Status and Malware Found Dashboards
Storage Protection Status UI panel added
Shows total / potected storage container ratio for AWS, Azure, and GCP
Malware Found Last Week UI panel added
Shows malware found in the last week
Custom KMS key usage for DynamoDB, SNS, and SQS
Enable feature in the CloudFormation Template
Various Improvements and Bug Fixes
Sophos AV engine updated to version 3.93.1
Sophos Content Analysis engine updated to version 3.51.0
Fixed a bug where EventBridge-protected buckets connected to Proactive Notifications were unable to provide an accurate VersionId field
Fixed a bug where ECS tasks were failing to end
API Scanning fixes
In this release:
Various Improvements and Bug Fixes
Retro scans with ScanResult Proactive Notifications now include the VersionId field
GCP Fixes
Azure Fixes
UI Fixes
In this release:
CrowdStrike Engine Removal
We have removed CrowdStrike as a scanning due to low usage
GCP Object Scheduled Scanning
Users can now link and perform scheduled and on-demand scans on GCP buckets!
GCP Scanning supports all scanning engines currently offered
The Console generates a Terraform file to deploy scanning architecture into GCP
Daily Email Updates
Users can set up daily email reports of data scanned
See findings and problematic at a glance
Configure in Configuration > Proactive Notifications
SSO User Roles and Groups Assignment
Users provisioned via SSO can be assigned to a default role and group prior to creation to remove the need of manual configuration
CloudFormation EBS, EFS, FSx Opt-Out
Added the ability to opt-out of accessing and ingesting EBS, EFS, and FSx volumes
Configure in the updated CloudFormation Template
Error Log Dashboard Improvement
Added new Error Logs page to assist with troubleshooting
URL Redirect Prevention
Added mechanisms preventing Console URL manipulation to guard against user redirect attacks
Various Improvements and Bug Fixes
For GovCloud deployments launched in AV mode, DC can now be enabled in the License Management page.
New console deployments will launch with Sophos and CSS Premium as default scanning engines
Sophos AV Engine updated to 3.92.0
Fixed a bug where folders were being moved in a 2 bucket system
Proactive Notification Fixes
Permissions Fixes
ClamAV Engine Fixes
Azure Fixes
UI Fixes
In this release:
General Availability for Azure Blob Scanning
All scanning engines are available to use for Azure blob scanning
New CSS Premium Scanning Engine Available
We've added a new premium antivirus scanning engine to our solution allowing you to scan files up to 5TB in size
Use it as your primary scanning engine or as a secondary scanning engine to increase the efficacy of your scan
This new scanning engine is available for scanning both AWS and Azure storage volumes
Linked Account Role Updates to v1.14.001
Make sure to update your Linked Account roles to the latest version
Various Improvements and Bug Fixes
FSx fix
Sophos definition improvements
Scan Settings page fix
API Scanning fix
EventBridge scanning fix
AWS MarketplaceMetering improvements
In this release:
Verbose Logs
Capturing S3 Request IDs can now be activated for troubleshooting purposes
In the Console's task definition, modifying the LOG_LEVEL environment variable to 'Debug' will now allow the Console to deposit S3 Request IDs into the Console.Buckets log group
Various Improvements and Bug Fixes
Logging Fixes
Console UI Fixes and Improvements
Large File Scanning Fixes
In this release:
Azure Event-based Scanning and Updates (early access)
Updated Threat Map includes Azure data
Event protection now enabled in the Console for Blob storage
Azure event-based containers now have autoscaling capabilities depending on queue size
Azure event agent settings are now partitioned by accounts
Agent configuration is now stored in the same storage account to reduce infrastructure costs
Added customization for SNS topic policy
Terraform module now includes the ability to append statements to the SNS Topic Policy
IAM Improvements
We've tightened the permissions in the CloudStorageSecRemotePolicy, removing excessive wildcard permissions with more granularity
Various Improvements and Bug Fixes
ClamAV Private Mirror functionality fixed
Fixed a bug where lack of ability to reach CloudTrail Lake endpoint was preventing console login
API agents can now be properly stood up in il-central-1
Azure fixes and improvements
UI fixes and improvements
Event-based scanning fixes
Retro/on-demand scanning fixes
Large file scanning fixes
Security Hub Findings fixes
In this release:
Malware History Report
For users that want to get a visual understanding of how malware has been found over time, we’ve added a new page in our Console UI to track historic malware findings
We leverage Amazon Bedrock to interpret the malware finding to provide a human-readable summary and description of the malware found
As a result, Amazon Bedrock must be enabled for this feature
You can expand a specific identity and view more information around how often it was found
At this time, this report pulls data from the last 30 days of enabling it and will show information from that point onwards
Data Classification Quarantine
You can now quarantine files found to have PII
Reporting Bucket Secure Transport
We’ve removed HTTP Access to our Console Reporting bucket, which now only accepts HTTPS requests
Azure Improvements
In v8 we introduced Azure Blob Scheduled Scanning. We have a few improvements and fixes for Azure:
Scanning Improvements
Linked Account Fix
Virus Definition Update Fix
Various Improvements and Bug Fixes
Console UI Fixes
Console UI Improvements
Console API Improvements
Proactive Notifications Fix
Proactive Monitor now clean SQS queues left
In this release:
Azure Blob Scheduled Scanning (early access)
You can now link Azure accounts into your AV console and ingest any Azure blobs you have, allowing you to perform a scheduled retro scan on any pre-existing files stored within your Azure Blobs.
While we currently only support Retro scanning for Azure Blob we will expand to support event-based scanning in an upcoming release in the near future.
Minimized Permissions
We've updated our CloudFormation template to use customer managed IAM policies vs inline IAM policies. We've done this to ensure we're using the minimum permissions required to deploy our solution.
Threat Map UI Updates
Infection and Classification titles on the right panel were changed to "Malware" and "Sensitive Data".
Legend at the bottom left shows "No Malware or Sensitive Data", " "Malware Found", "Suspicious Files or Sensitive Data Found".
Legend icons view can be toggled by clicking on it.
Regional information drill-down option navigates to Problem Files/Findings page w/ filters applied when clicked on
Bucket Size and Object Count Metrics Fixed
We've improved how we calculate bucket size and object count for each S3 bucket that we ingest on the Bucket Protection page.
Various Improvements and Bug Fixes
EFS Volume Scanning Fixes
EBS Volume Fixes
API Scanning Fixes
TerraForm Module Fixes
Read more about our finding types .
Learn more about linking your GCP Account(s)
You can now scan new and pre-existing files stored in
Learn more about linking your Azure account(s)
Want to get early access to Azure Blob scanning? and we can assist!
If you have IAM policies or Service Control Policies that prevent creating customer managed policies, you'll need an exception for this upgrade. You can refer to for more information.
